HOUR 9
Planning for the Network

What You’ll Learn in This Hour:

• The concept of best practices

• The steps used to create and maintain a network

• Best practices for security

By now, I trust we agree that building or upgrading a network, even a small one, requires an understanding of networking concepts. Adding a new condiment to the networking stew, it also requires planning. For even a small enterprise, a computer network cannot be successfully implemented with an ad hoc approach. In addition, the design must factor in immediate needs while considering longer-term issues.

Planning and building an enterprise network is a challenge for even the seasoned professional. Nonetheless, the tasks involved to bring up a network can be facilitated by using the concept of best practices. This model provides a framework and an associated checklist for completing these tasks. Best practices help the designer remain focused and organized—essential ingredients for effectively networking computers and other devices, such as servers and routers.

In this hour, we examine the concept of best practices and their role in creating a new network and enhancing an existing system.

Best Practices and Building Computer Networks

We humans have learned there are smart and not-so-smart ways to go about solving a problem. For example, a solution does not always lend itself to reliance on past experiences. In this situation, we need to take ad hoc, off-the-cuff actions.

But for many situations, it comes down to, “Why reinvent the wheel?” In our modern world, we’ve learned some basic best practices to employ to, say, manage a mortgage firm, conduct counter-insurgency wars, or build a computer network. For the former two, we can only say that the best practices associated with these endeavors are often ignored. But for the last operation, building a computer network, we’ll use this hour to make sure these practices are “front and center.”

The term best practices was coined by consultants in the 1980s to describe the institutional behaviors that had become ingrained and codified into effective standard operating procedures. From these experiences, it was concluded the use of best practices could provide an organization with a sensible, flexible set of rules to aid in decision-making about a complex process.

Best practices have also come to exist for networking. They transcend operating systems, hardware platforms, protocol innovations, and other rapidly changing components of networking. Instead of dealing with specifics, they are a set of concepts that can be applied to various situations.

Because computer and networking technology evolve so quickly, relying on best practices that can be applied to any network operating system or hardware allows you to remain focused on the big picture rather than becoming mired in the minutiae. Some of the benefits of using best practices are as follows:

• Best practices offer a perspective that enables network planners to step out of the upgrade cycle long enough to take a strategic look at their current operations. Rather than focusing on today’s problems, best practices provide a perspective with which to examine the infrastructure and procedures of the underlying pieces and determine whether they are working together productively.

• Best practices offer a way to assess and codify policies and procedures and discard those that are not productive or are counterproductive. As you assess your organization in preparation for a network installation or network upgrade, remember there is no one single set of best practices for everyone. What is best for one organization is not necessarily best for another. Every organization is different; as a result, best practices cannot be slavishly copied from a successful organization or the Harvard Business Review—your organization must define them for itself. Still, with regard to building a computer network, certain practices are universal.

• Codifying and instituting best practices often results in cost savings. Cost savings aren’t an automatic corollary of the institution of best practices. However, in many cases, best practices save money by increasing efficiency.

With respect to networking, using best practices shouldn’t be an option if the goal is a robust, flexible, functional architecture. No one would ask an architect to build a small house only later to ask that it evolve into a skyscraper—but that’s what routinely happens in networking. Nightmare tales of ad hoc networking are legend in the consulting world. A classic example is the company in which several well-meaning department heads independently built their own networks, leaving the internal networking staff the onerous Frankensteinian job of stitching everything together. The complete system never operated very well, and the company expended enormous resources for a subpar solution.

The complexity of data networks at even the small local area network (LAN) level has made it imperative for network managers to review the way they execute their user job requests, desktop configuration management tasks, network management issues, and technology updates. It’s not uncommon for a network manager to find his time focused almost entirely on short-term crises, leaving little time to deal with organizational issues. Naturally, this crisis focus does little good. First, constant crises burn out network managers; second, crisis management creates an adversarial relationship between management and users.

Instituting best practices when a network is being planned is the best way to ensure the network will function well and meet the goals set for it.

Planning Best Practices: Plan, Design, Implement, and Tune

An old saying claims, “Change is the only constant.” If you’ve ever doubted this cliché, look at the changes that take place in a computer network from month to month or even week to week. The rate of change is so rapid it’s difficult to plan for the future. Consider the evolution of the Internet, particularly the World Wide Web. We’ve witnessed the dot-com boom. We’ve seen a seesaw battle from the various network operating system companies as each software giant seeks industry dominance. Throw into the mix open source possibilities, such as Linux, and it’s easy to understand why it’s difficult for the network professional to keep pace with this ever-changing industry.

Although keeping up with change can be a big challenge, it’s a necessity when dealing with the dynamics of computer networks. Being aware of the emerging products and technologies will allow a network manager to make selections leading to lowering networking costs. In the hope that I’ve convinced you of the values of staying educated, developing plans, and using best practices, let’s look at some strategies for dealing with change.

If you were building a house, would you start nailing boards together willy-nilly, or would you work from plans? You’d probably work from plans. If you didn’t, you might get a house...or you might not. Even when you do have a plan for a house, you can face spur-of-the-moment issues pertaining to the latest building materials as well as construction techniques you want to place in the plan as building is under way. The desire to make changes is always a temptation and sometimes a necessity.

That’s what building or upgrading a computer network can be like. When you’re creating or enhancing a network, because of the rapid steps in technology, it’s especially important to ensure you follow a logical process. Otherwise, you’ll wind up with a technology that no one can make sense of.

The suggested process can be simply stated as plan, design, implement, and tune:

Plan—Plan your network from a user perspective. Stating the obvious, know what your network must do to aid its users! It sounds simple, but if you don’t know why you’re building it, you’re not likely to reap much benefit from it. Be careful here. It’s not uncommon for highly trained technicians to create a technically elegant network without a lot of input from the user community. More than once, I’ve heard, “That’s not what I wanted!”

Design—Design your network. What is design? One definition is that it’s taking a beautiful idea and proving why it won’t work. Competent engineers don’t look for successes during the design process; they look for potential points of failure. That’s a good way to look at designing a network. It must be capable of doing what you need it to do without breaking down at every turn.

Network design includes a variety of tasks, which we’ll examine in more depth in the next hour. The chief task is capacity planning, or figuring how much your network will grow and trying to ensure you have enough capacity to deal with this growth. But the main trick to successful design (of any type) is to look for what doesn’t work and to solve problems before you implement the design. Another word of caution: It’s usually quite difficult to redo a network once it’s up and running. Therefore, don’t hurry the design phase; insofar as possible, take your time.

Implement—Implementation is the process of physically realizing the design. Most likely, the design process will miss something. One approach to address this situation is to take a phased, step-by-step approach to implementation. By this, I mean testing individual components first and then piecing them together into a larger whole. This practice allows you to verify the soundness of the hardware and software configurations and to isolate problems for their proper identification.

Tune—Implementations always leave some loose ends. Tuning is the part of the process in which you try to rectify the small flaws in your creation. Note that tuning isn’t intended to compensate for fundamental design flaws. Don’t try to patch a network with a flawed design. If you do, you’ll likely end up with an automated mess on your hands.

Applying the Best Practices

To apply the ideal of best practices for your organization, you need a crystal ball. Because crystal balls are in short supply, you have to think hard about your business, your organization, and the available technology. You will need to judge what a network must do to keep your company competitive, serve your users, and not break the bank in the process. If you’re going to be responsible for capacity planning for a network (and if you’re the person building the network, this is almost certainly the case), answer the following questions. They represent a starting point for your reflections. As you work through these questions, take notes and add questions of your own.

1. How many workstations (computers) does your current network have?

If your network has 5 or 10 workstations, planning should be relatively simple. If, on the other hand, you have to support 500 workstations, you’ll need to structure and plan in more depth. Large networks are a challenge because they require the delivery of high-quality services to a variety of users. Most of these people can’t be supported in an ongoing, one-on-one basis.

2. How many workstations will your network have a year from now?

This question follows on the heels of the first question. The degree of expected growth can help determine what equipment you initially roll out. A 5-workstation network that will have 10 workstations the following year requires less overall power and flexibility than a 5-workstation network that will grow to 25 or 50 workstations during the same time frame. Clearly, if your network is growing at a rate that outstrips the ability of existing staff to service each user and each request manually, there will be a strong need for the services mentioned under question 1.

3. Do you or will you provide file services for your users?

If you do, you have to make provision for a file server. Discussed in earlier hours, file servers tend to be overbuilt; if you can afford more power than you need now, get it. If you centralize data storage, you need to plan to back up that data adequately—otherwise, your users will lose confidence in the shared network storage and will not use it. They’ll resort to building their own set of databases and files, which can easily morph into a situation in which your company has conflicting data.

4. Will you provide Internet email services for your users?

If you do, you will need a mail gateway. You will need to contract with an Internet service provider (ISP) to handle your bulk mail, and you’ll probably need to register a domain name on the Internet.

5. Will you provide other Internet access (the Web, File Transfer Protocol [FTP], Telnet services) to your users?

If you’re going to provide Internet access for your users, you need routers, servers, and firewalls. You can also roll the email server into this system. Chances are, you’ll also need to go to the ISP marketplace and select an ISP that can provide you access across a high-speed line (a T1, digital subscriber line [DSL], or other high-speed access).

6. Are there other services you’re providing to your user base? And are your users utilizing services “hidden” to the IS staff?

If you’re providing other services to the user community, make sure any changes (additions and deletions of hardware and software) consider these services. Another important question: Are your users employing services you’re not aware of? You might respond, “How am I to know?” Some advice: You had better find out! Before making wholesale changes to your computing and networking environment, it’s a good idea to canvass the user community to let them know these upcoming changes might affect their “private” (supposedly) standalone packages. The last thing you want is for an important user department to come to you after implementation and say, “Look what you’ve done! I can no longer run my application! What happened to my chat service? Where are my movies?” To forewarn your users is to forearm your position—not to mention your job security.

7. Do you now provide centrally administered remote access for your users? Will you ever have to provide centrally administered remote access for your users?

Remote access is generally best provided by computers dedicated to the task of providing remote access. In most cases, this means implementing a server computer with virtual private networking (VPN) capabilities. For more about VPN, see Hour 8, “Remote Networking.”

What you can create by answering these and other questions (questions that arise as you brainstorm the possibilities for your network) is a document specifying what you want the network to be capable of doing. You should end up with a written record that lays out the network requirements and design to meet these requirements.

Even if you’re feeling confident about the answers you’ve formulated from the questions discussed so far, you’ll likely come across two issues that can still give you headaches (typically because the issues continue to evolve). They are (a) interoperability by using standards and (b) network security. Let’s look at these issues.

Interoperability by Using Standards

Although network and computer technology changes quickly, you don’t necessarily have to concede your network becoming an outdated mucilage of hardware and software as soon as new products become available. Ideally, your network will be set up to be “future-proof,” or immune to technology shifts as much as possible. Given that computer network technology changes as rapidly as it does, you might be led to think that future-proofing is...well, far into the future.

Although complete immunity from the dynamics of change isn’t possible, you can be somewhat shielded from these transformations by deciding to follow the authoritative standards published about computer networks. As you might recall from Hour 3, “Getting Data from Here to There: How Networking Works,” the Internet Engineering Task Force (IETF) sets standards for TCP/IP-based networks and publishes those standards in documents called Requests for Comments (RFCs). The specifications set forth in the RFCs are available, free of charge and without copyright restrictions, to anyone who wants to use them.

What does this mean in terms of best practices? First, it means you should be aware of the many IETF standards. (Go to www.isoc.org.) You don’t have to know the standards in detail, but you should at least know what’s been standardized, what’s pending for standardization, and what’s not standardized. This approach allows you to select products that are likely to interwork with each other.

The other benefit of using standards-compliant products is its simplification of your purchasing decisions. If a vendor’s products are proprietary (that is, they do not conform to open standards), unless they offer a valuable service not covered in the RFCs, they should be out of the running.

You should ask yourself whether you want to make your network standards compliant. In most cases, the answer is yes. Now that I’ve foisted the decision upon you, kindly take note of that decision, because you’ll take it into account when we discuss hardware and software selections in the upcoming hours.

Improving Security Using Best Practices

Best practices are quite helpful as a tool to provide security to a computer network. A network might work well enough and provide its users with their needs, but if a user illicitly sends a copy of data out of the building and gives it to a competitor, or if a hacker accesses your company files, then you as the network manager are out of luck.

A company can tolerate occasional network downtime; the enterprise data is not compromised and lies ready in wait to assume its duties. In contrast, rarely can a company tolerate a security breach; its data is often compromised and thus cannot be trusted.

Security measures and procedures have come a long way in the past decade. Vendors and standards groups have devoted enormous efforts to devise ways to safeguard automated information systems. These efforts came about because of the large number of “cyber-villains” who have made it their life’s work to punch holes in our computer network defenses and create viruses and other malware (a collective term for software and procedures designed to harm electronic information systems). Sometimes the intrusions are merely annoying. Other times, they’re quite destructive.

Because you can’t control the behavior of those who threaten the network from outside (although you can develop a strategy for blocking their attacks), you can institute best practices to help secure the network internally. And this relates to user behaviors. Some best practices for security you can institute include the following:

• Enunciating usage policies and procedures

• Defining secure behaviors

• Monitoring what you have defined

Security is an ongoing process. You should never conclude that the network is secure and all the work is done. Good security, as you’ll find in Hour 20, “Security,” requires monitoring and vigilance.

Enunciating Usage Policies and Procedures

Before you set up your network, you should define how users are and are not allowed to use data. Any violation of these rules, whether it be using flash disks, Zip drives, CDs, DVDs, laptops, PDAs (personal digital assistants), email, web pages, unauthorized Internet access, or other parts of the network, must be punishable by sanctions up to and including dismissal and legal action.

Companies should incorporate these rules into an employee handbook (after all, data is like any other company property) and acknowledge them with a written and signed statement by the employee.

Defining Secure Behaviors

Because each company’s business is different, we haven’t defined an exact set of rules. However, the following questions can help you figure out where your potential security holes are:

1. Do you have your servers physically secured?

2. Is each server’s operating system “hardened” against common intrusions?

3. Are controls in place to reduce Internet-based spyware, adware, and unwanted cookies?

4. Does each user have a unique password?

5. Are passwords regularly changed according to a schedule?

6. Is there a clearinghouse for passwords?

7. Are all logins, logouts, and file activity recorded at the server?

8. Are all file-copy actions to removable media logged?

9. Do your users understand their roles in helping secure the network?

10. Do you have a way to monitor and audit security?

These questions represent only the beginning of a list of security questions. Think about how your users work: Do they have read/write access to a corporate database? Do they have physical access to the various servers that make up the network? Just as with capacity planning, security is a subject that gets bigger the deeper into it you get.

The purpose of these questions is to help you determine how you want your network to operate. This material comes in useful in the hours ahead when you design and administer your network. Again, if you want to read more about security, go to Hour 20, which deals with these issues in more depth.

Monitoring What You Have Defined

“You can’t monitor what you can’t measure.” It’s as true for networks as it is for anything else. If you’re setting policies on your network, whether for access control, intrusion detection, or performance, you’ll need to be able to monitor activity to ensure your goals are being reached.
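As an added example (not part of the original chapter), the sketch below turns three of the checklist questions from “Defining Secure Behaviors” into measurable checks: password rotation on a schedule (question 5), one set of credentials per user (question 4), and review of recorded logins (question 7). The log format, account names, workstation names, and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Assumed policy values; the chapter leaves the actual numbers to each organization.
MAX_PASSWORD_AGE_DAYS = 90
FAILED_LOGIN_LIMIT = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

# Constructed sample data (hypothetical users and workstations), not real records.
PASSWORD_LAST_CHANGED = {
    "alice": date(2024, 2, 20),
    "bob": date(2023, 10, 1),
    "carol": date(2024, 1, 15),
}
AUDIT_LOG = """\
2024-03-04T08:01:12 LOGIN alice ws-014
2024-03-04T08:03:40 LOGIN_FAILED carol ws-022
2024-03-04T08:03:55 LOGIN_FAILED carol ws-022
2024-03-04T08:04:10 LOGIN_FAILED carol ws-022
2024-03-04T08:15:00 LOGIN bob ws-031
2024-03-04T09:30:00 LOGIN alice ws-007
2024-03-04T12:00:00 LOGOUT alice ws-014
2024-03-04T17:00:00 LOGOUT bob ws-031
"""

def parse_log(text):
    """Yield (timestamp, event, user, workstation) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, event, user, host = parts
        yield datetime.fromisoformat(ts), event, user, host

def stale_passwords(last_changed, today):
    """Question 5: accounts whose password is older than the rotation schedule."""
    limit = timedelta(days=MAX_PASSWORD_AGE_DAYS)
    return sorted(u for u, d in last_changed.items() if today - d > limit)

def concurrent_logins(events):
    """Question 4: one account open on two workstations suggests shared credentials."""
    open_sessions = defaultdict(set)
    flagged = set()
    for _, event, user, host in events:  # events are assumed to be in time order
        if event == "LOGIN":
            open_sessions[user].add(host)
            if len(open_sessions[user]) > 1:
                flagged.add(user)
        elif event == "LOGOUT":
            open_sessions[user].discard(host)
    return sorted(flagged)

def failed_login_bursts(events):
    """Question 7: use the recorded logins to spot repeated failures in a short window."""
    failures = defaultdict(list)
    flagged = set()
    for ts, event, user, _ in events:
        if event != "LOGIN_FAILED":
            continue
        recent = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= FAILED_LOGIN_LIMIT:
            flagged.add(user)
    return sorted(flagged)

def audit(log_text, last_changed, today):
    """Run every check and return the flagged accounts per check."""
    events = list(parse_log(log_text))
    return {
        "stale_passwords": stale_passwords(last_changed, today),
        "concurrent_logins": concurrent_logins(events),
        "failed_login_bursts": failed_login_bursts(events),
    }

if __name__ == "__main__":
    for check, users in audit(AUDIT_LOG, PASSWORD_LAST_CHANGED, date(2024, 3, 4)).items():
        print(f"{check}: {users or 'none'}")
```

Each check returns a list of account names, so the same functions can feed a daily report or an alert once the parser is adapted to whatever your server actually records.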

Why Monitor?

You don’t need to be a large corporation’s Network Operations Center (NOC) to monitor. If you’ve got a cable modem or DSL modem and your computer is directly connected to the Internet without a personal firewall, chances are good your computer has been scanned for security vulnerabilities by someone who means you no good.

So why monitor? The average time online of a new, not particularly well-secured system prior to being attacked and compromised is three days. Yes, three days. So it’s a good idea to find some way of protecting your system and, more importantly, auditing the results.

How Do I Monitor?

We’ll discuss monitoring in more depth in Hour 20. For this introduction, you need to be aware of the threats coming from the Internet and take action against them by configuring your existing software to remove vulnerabilities and adding software that monitors remaining vulnerabilities. Attacks can come from anywhere, and you can only defend against attacks you know about.

Summary

In this hour, we examined the issues related to using best practices to determine the infrastructure and the policies and procedures that define your network. Hours that follow expand on these ideas. As you design or upgrade your network, be aware of the issues we’ve raised here related to network planning, interoperability, and security.

In the next hour, you’ll go through the process of designing your network, step by step. You’ll bring all you’ve learned in the book so far to bear on the process—so reviewing what you’ve read up to this point would be wise.

Q&A

Q. How can you plan for growth?

A. If the enterprise’s user base is slated to grow, planning can track this growth. Another important aspect for planning pertains not just to users, but to new applications, such as adding a new product line to a company’s market. As well, you should consider the changing of the users’ usage profiles. For example, increased use of web-based video will have a pronounced effect on the bandwidth needed to support the video traffic.

Q. Why is interoperability so important to network planning?

A. The need for interoperability affects everything else when you’re planning a network. Software or hardware that doesn’t work with other software or hardware (or that does so only under certain conditions) limits the capability of your network to do its job.

Q. What are some “best practices” that pertain to network security?

A. Best practices include defining a set of rules and behaviors for your network users, detailing proper and best practices for their use.

Q. How do products that adhere to published standards aid a network plan?

A. They greatly facilitate writing and executing the plan.
