
Optimizing Your Network on a Budget
Expert Reference Series of White Papers
1-800-COURSES
www.globalknowledge.com
Introduction
The purpose of this paper is to define the issues related to optimizing an enterprise network, identify several new network technologies related to networking, and draw some conclusions on how best to satisfy the requirements defined. The paper uses the following format:
1. Definition of roles and examples of the relationship of corporate objectives and goals to network technology and optimization
2. Mission-critical network technology examples
3. Importance of staffing and technical certifications in network optimization, compared to outsourcing, and use of consultants for each technology example
4. Role of a training provider in network optimization for an enterprise with a limited training budget
The role of an Information Technology (IT) Manager in an enterprise is to implement and maintain systems and procedures to support the operational processes and strategic initiatives of the enterprise. One of the most important (and costly) of the managed systems is the enterprise network, including the enterprise campus network, the enterprise edge, the service provider edge, and all the equipment and topologies that define the network infrastructure. There are several forces that drive the process:
1. The enterprise develops new strategic initiatives that require the implementation of new technology
2. New technology is developed that offers an opportunity to lower costs, increase efficiency, or develop new strategic initiatives
3. Growth, sometimes complicated by acquisitions, may occur
4. Changes in operational processes (such as manufacturing or accounting) may require a change in IT technology or networking
5. Network solutions provided by network equipment and service providers change and evolve. For example, Service-Oriented Network Architecture (SONA) is one of the latest approaches
If numbers one and two look a bit like the classic "chicken and egg" dilemma, they are. It is never certain whether a business strategy drove a technology, or a technology drove a new business strategy. Luckily, the IT manager does not have to solve this problem; instead, he implements the requirements and solutions created by the new development.

Raymond B. Dooley, CEO, International Communications Management, Inc., CCNP, CCDP, and CCSI
Copyright ©2006 Global Knowledge Training LLC. All rights reserved.
All of this involves network optimization. Network optimization is implementing technology and service to provide the most efficient network service to all users, meet all the organizational goals of the enterprise, and minimize costs. It is much easier to define than implement. It has numerous components:
1. Create and update a comprehensive network plan and design, starting with an accurate baseline of existing systems.
2. Implement new systems to meet new strategic initiatives without any network outages before, during, or after implementation.
3. Evaluate new technologies and network architectures (solutions), such as SONA, to determine if they will contribute to network optimization.
4. Utilize all available features of network equipment and services to support high availability networking, security, network management, and quality of service.
5. Prevent network outages. This will include a network design for high availability and a comprehensive network management system. Ensure that the operating systems and other software for all network devices are installed and maintained based on a compatibility standard to avoid costly version and feature mismatches.
6. Provide network security for the enterprise.
7. Recruit and train a staff to implement steps 1 – 6, troubleshoot, and maintain the optimized network.

Use of outsourcing, consultants, and the technical level of the network staff must be analyzed and compared based on networking objectives versus cost.
A CEO of a Fortune 100 Company once said (paraphrased), "I consider Information Technology to be a weapon in the battle to win global market share." While a firm believer in corporate missions and vision statements, the CEO thought that an enterprise achieved success by following no more than four simply stated strategic initiatives. An IT or network manager in the various corporate divisions was required to understand these initiatives, how to implement the systems to support them, and how to optimize the network for them. This had to be done at the lowest possible cost, because lowering costs was always one of the initiatives. Using various methods, most enterprises work the same way. Not all CEOs may be as successful in articulating the requirements as this one was, but the idea is the same, creating identical challenges for IT and network managers.
The implementation of Automatic Teller Machines (ATMs) in the banking industry is a classic example of the impact of a new strategy on technology, and it provides a lead-in to a description of new network technologies and the importance of network optimization. In the early 1970s, a bank or banker (no one knows who had the idea first) visualized a machine that would provide banking services separate from a teller window. The vision included machines in non-traditional locations, 24-hour banking, and added services. Of course, these are things taken for granted today.
The challenge to implementing the new idea was that none of the requirements already defined for the IT and network managers in the previous paragraphs were met.
1. The banking industry could not agree on the location and contents of the magnetic stripe on the bank card.
2. There were no technology or network standards for ATMs; it was all vendor-driven.
3. The networks were optimized for IBM mainframe-to-terminal communications. The network managers were not consulted about the idea of ATMs and how to attach them to the corporate network.
4. The ATM machines contained a mini-computer that could only be networked with low-speed asynchronous communications protocols, which were incompatible with the mainframe and the existing network. However, the mainframe had to "talk" to the ATMs for them to work properly.
This is not a short story, but a saga, greatly shortened. During five years of trial and error, costing millions of dollars and countless man-hours, the ATM strategy was a total loser. The cost to implement, maintain, and network the machines was far greater than the revenue. The Return on Investment (ROI) was a large negative number. One banking executive was quoted, "If I could, I would take every ATM machine out, but I cannot because the other banks will leave them in, and I won't be competitive." This statement sums up why the banks continued to pour millions of dollars into this project. The war for market share dictated it.
Not surprisingly, the vision and strategy were valid. Once the banking customers accepted the ATMs and actually began to prefer them over going into the bank during banking hours, the banks were able to cut the teller force up to 70 percent and the ROI shot up dramatically.
If today's managers were able to go back and use modern IT and network management techniques for the project, most of the errors and much of the cost could have been avoided by proper planning and deployment of IT and network technology. However, this is a smug view. The author was involved in the implementation of ATM machines and will verify that all of the techniques available at the time were utilized. From today's view, those techniques seem archaic and costly. The question any IT or network manager must consider is, "Are the techniques and technologies in place for the network suitable to handle a completely new corporate strategic initiative?" In other words, is there an ATM-like project in the future for this enterprise? And if so, can it be implemented and optimized at the lowest possible cost?
The previous example is a description of actual events. Several years from now, similar business cases will be written about network technologies that are emerging now, such as IP telephony, wireless, and virtual private networks (VPNs) related to new developments such as medical multi-media, and virtualization of business and technology functions (SONA). Modern solutions are based on the idea that hardware, software, and network applications are "built-in" to network technologies and can then be implemented (turned on) as needed. It is important for IT and network managers of today to avoid the technology traps shown by the banking example.
One point becomes paramount from the information presented so far. Optimization and cost are two of the most important items for a network manager to consider. Before any conclusions are made about the best ways to meet optimization and cost requirements, several new and important network technologies must be described. Each of these technologies could have an impact on optimization, costs, or both. The first issue is determining if the technology is appropriate to meet the objectives of the enterprise, and the second is having the expertise to properly plan, design, and implement the new technology into the existing network. The following technologies will be considered:
1. Security
2. Virtual Private Networks (VPNs)
3. IP telephony and Quality of Service (QoS)
4. Wireless networking
5. IP Multicasting and IPv6
Many additional technologies such as high-availability networking, content networking, and storage networking could also be included, but this paper would become a textbook—much too long.
Security
If the CEO of Boeing Company were asked what the financial loss associated with Airbus obtaining the design plans for Boeing's newest airplane would be, he would respond with a number in the billions of dollars, probably over $100 billion.
The next issue would be the odds of such a break-in: 1,000 to 1; 10,000 to 1; 100,000 to 1; or 1,000,000 to 1? The amount of corporate resources and budget allocated to security should be directly related to the value of the loss and the probability. If it is not, the corporate security policy is lacking.
There is consensus that the one best practice in designing and implementing network security is first to define a security policy. This is based on the idea that money allocated for security in the network will be wasted if the system is not optimized. This will be explored further in the certification and training section. There are several parts to a security policy:
1. Corporate Information
a. Identify assets
b. Assess risk
c. Identify areas of protection
d. Define responsibilities
2. Network Access Control Policy
3. Acceptable Use Policy
4. Security Management Policy
5. Incident-Handling Policy
Cisco's Security Architecture for Enterprise (SAFE) defines four steps in its security wheel after the security policy has been defined:
1. Secure
2. Monitor
3. Test
4. Improve
Two elements of network security will be explored: firewalls and intrusion detection/prevention. Neither of these is new, but there are new features and capabilities being introduced regularly.
The first step of the network implementation consists of four parts: user and data authentication; encryption; vulnerability patching; and firewalling. Firewalling includes three primary functions: user authentication, denial of service (DoS) prevention, and packet filtering. A good number of firewalling solutions offload the user authentication to specialized servers called Authentication, Authorization, and Accounting (AAA). The DoS prevention is offloaded to specialized solutions for Intrusion Detection Service (IDS) or Intrusion Prevention Service (IPS). Firewall devices then specialize in filtering network traffic to allow only valid packets to cross firewall interfaces.
The firewall hardware is located between the outside filter (the router connected to the Internet) and the inside filter (the router connected to the enterprise campus). One type of firewall interface is untrusted (a Demilitarized Zone, DMZ), connected to such devices as web servers, DNS servers, E-mail servers, VPN concentrators, or access servers (for dial-up users), and the connection to the Internet. Trusted interfaces are connected either to the enterprise campus, or with application and database servers associated with the web servers on the non-trusted interface. In a network design, the systems described in this paragraph are called the Internet Connectivity Module and the E-Commerce Module. A firewall system should support:
1. Packet filtering (main job)
2. Network Address Translation
3. Fail-over and hot standby
4. AAA—Authentication, Authorization, and Accounting (usually offloaded)
5. Virtual Private Networks (VPNs may terminate on the firewall as one option)
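The outside/DMZ/inside placement and the first two functions in the list above (packet filtering and address translation) can be made concrete with a small model. The following Python is an added example written for this edition; it is not code from the paper or from any vendor product. It assumes a convention in which each interface carries a trust level (traffic from a more trusted interface to a less trusted one is allowed by default, the reverse only by explicit rule), and it uses constructed addresses from the RFC 5737 and RFC 1918 documentation ranges. It also goes slightly beyond the text by tracking admitted connections, so that a DMZ server can answer an Internet client but cannot open a connection of its own toward the campus except where a rule allows it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Three firewall interfaces with an assumed trust level each, modelled on the
# outside / DMZ / inside split: higher trust may reach lower trust by default,
# lower trust reaches higher trust only through an explicit permit.
ZONES = {"outside": 0, "dmz": 50, "inside": 100}

# Constructed address plan (documentation ranges, not real hosts).
ZONE_NETS = {"dmz": ip_network("192.0.2.0/24"), "inside": ip_network("10.10.0.0/16")}

# Inbound static NAT: public address of the DMZ web server -> its real DMZ address.
STATIC_NAT = {"203.0.113.10": "192.0.2.10"}

# Explicit permits for lower-trust -> higher-trust traffic, matched on the real
# (post-NAT) destination: (from_zone, to_zone, dst_ip, proto, dst_port).
RULES = [
    ("outside", "dmz", "192.0.2.10", "tcp", 80),    # public web server
    ("outside", "dmz", "192.0.2.10", "tcp", 443),
    ("outside", "dmz", "192.0.2.53", "udp", 53),    # public DNS server
    ("outside", "dmz", "192.0.2.25", "tcp", 25),    # mail relay
    ("dmz", "inside", "10.10.5.20", "tcp", 5432),   # web server -> its database only
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 40000


def zone_of(ip: str) -> str:
    """Map an address to the interface it arrives on; unknown space is the Internet."""
    addr = ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "outside"


class ZoneFirewall:
    """Toy stateful packet filter: static NAT, connection table, trust levels, rules."""

    def __init__(self) -> None:
        self.connections: set[tuple] = set()   # 5-tuples of flows already admitted

    def _remember(self, p: Packet) -> None:
        self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))

    def process(self, pkt: Packet) -> tuple[str, Packet]:
        # Step 1: undo the static NAT so the policy sees the real DMZ server address.
        pkt = Packet(pkt.src, STATIC_NAT.get(pkt.dst, pkt.dst), pkt.proto, pkt.dport, pkt.sport)
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        # Step 2: a reply to an admitted flow is permitted whatever the zones are;
        # this is what lets the web server answer without a rule permitting DMZ -> Internet.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.connections:
            return "permit-established", pkt
        if src_zone == dst_zone:
            return "deny-same-zone", pkt   # never crosses a firewall interface
        # Step 3: higher trust to lower trust (a campus user browsing the Internet).
        if ZONES[src_zone] > ZONES[dst_zone]:
            self._remember(pkt)
            return "permit-outbound", pkt
        # Step 4: lower trust to higher trust only where a rule explicitly allows it.
        for fz, tz, ip, proto, port in RULES:
            if (fz, tz, ip, proto, port) == (src_zone, dst_zone, pkt.dst, pkt.proto, pkt.dport):
                self._remember(pkt)
                return "permit-rule", pkt
        return "deny-default", pkt


# Constructed traffic sample, processed in order so earlier packets create state.
DEMO_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),        # Internet -> public web
    Packet("192.0.2.10", "198.51.100.7", "tcp", 40000, 443),   # web server's reply
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),         # SSH to the web server
    Packet("198.51.100.7", "10.10.5.20", "tcp", 5432),         # Internet -> database
    Packet("192.0.2.10", "10.10.5.20", "tcp", 5432),           # web -> its database
    Packet("192.0.2.10", "10.10.5.21", "tcp", 445),            # web -> another campus host
    Packet("10.10.1.5", "198.51.100.99", "tcp", 80),           # campus user -> Internet
]


def evaluate(packets: list[Packet]) -> list[str]:
    """Run the sample through one firewall instance and return the verdict per packet."""
    fw = ZoneFirewall()
    return [fw.process(p)[0] for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(DEMO_PACKETS, evaluate(DEMO_PACKETS)):
        print(f"{verdict:20} {p.src} -> {p.dst}:{p.dport}/{p.proto}")
```

The two denials in the sample are the ones the E-Commerce Module design is meant to produce: the Internet cannot reach the database server directly, and a compromised web server cannot roam the campus because its only permitted path inward is the single database port. Outbound source translation for campus users is left out of the model.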
One major security vendor, Cisco Systems, has offered the Private Exchange (PIX) firewall system for many years. It includes:
1. Finesse operating system
2. Adaptive security algorithm
3. Cut-through proxy operation
4. Stateful fail-over and hot standby
5. Translations
6. Access control
7. Object grouping
8. Attack guards and intrusion detection
9. AAA
10. VPNs
11. PIX device manager
The cost of firewalls varies widely, depending on the size and complexity of the design, and the speed and number of firewall interfaces required and the size of the network. In addition, the cost must be weighed against the cost of a major break-in. As a manager is optimizing the network for an enterprise, he should be aware of the present level of network security threats, have a valid security policy, and implement the latest solutions. As a philosopher once said, "The devil is in the details," and it has never been more accurate than when trying to keep up with "the latest solutions."
Cisco Systems has recently announced the Adaptive Security Appliance 5500 (ASA 5500), which has the ability to replace the existing PIX firewall, the VPN concentrator, the AAA server, and, perhaps, the Intrusion Prevention System. The ASA 5500 has the following abilities: