Translating high-level goals into a specific design can be a daunting task. Even if design services are outsourced to a consultant, the network administrator must have a clear understanding of the process to ensure any proposed design will meet requirements. The design process must meet goals in four major areas:
Infrastructure The LAN/WAN connectivity.
Services Both network services (directory services, DNS, and so on) and applications services provided by the server-based computing paradigm.
Access The ways and means employed to actually connect users to applications consistently, reliably, and securely.
Designs must protect servers and resources from attack and exploitation, enforce
Numerous models exist to aide in planning a network infrastructure, but Cisco Systems' hierarchical enterprise design methodology is the most logical and produces the most consistent results. This approach breaks the design process into manageable blocks so that networks are designed to function within the performance and scale limits of applications, protocols, and network services. The three key elements are Structure (designing to control failure domains); Hierarchy (designing based on a functional approach); and Modularity (designing for incremental expansion and growth).
Designing around Cisco's three-
Modularity in design depends on a functional building block approach. Modular network designs provide several key benefits throughout their life cycle: scalability to ease growth, cost effectiveness by buying blocks of capability as demand grows, streamlined training, simplified troubleshooting, and the capability to distribute network management if required. Treating components as functional building blocks helps define interconnection and interoperability standards. For example, at the top level, a modular design defines a "standard"
Factoring structure into your network design involves logically dividing the network to control failure domains and both Layer 2 and Layer 3. The
From the perspective of an application server in a server farm, critical services provided by the network must be available to "serve" applications to users. These include Directory Services (in a directory-service-enabled environment), name resolution to include Domain Name System (DNS) and Windows Internet
Directory Services are integrated into most modern network operating systems. The two major offerings relevant to server-based computing are Novell's eDirectory (an updated, portable version of Novell Directory Services (NDS)) and Microsoft's Active Directory (also updated in Windows Server 2003). Both offerings are loosely based on the original x.500 directory services standard, both offer Lightweight Directory Access Protocol (LDAP) support at varying levels, and both are capable of some "directory integrated application" support. All directory services
Active Directory is Microsoft's directory services component rolled out in conjunction with Windows 2000. The original implementation was
eDirectory is Novell's directory services module. Built on the basic functions of NDS, eDirectory is more standards compliant than Active Directory, is ported to other operating systems, and allows management of data in other directories from a common interface. eDirectory authentication uses Public Key Infrastructure (PKI) standards while Microsoft employs a modified version of Kerberos.
Metadirectory Services, a "directory of directories," are partially built into eDirectory. Active Directory has no built-in equivalent, so Microsoft offers Microsoft Metadirectory Services (MMS) as an add-on. MMS provides multidirectory integration via "
In a pure Windows environment (Windows 2000/XP/2003), Active Directory meets the needs of server-based computing, and at no additional cost. If a true "enterprise" directory service is required, consider eDirectory or Microsoft's add-on products.
Both Domain DNS and WINS are essential in most SBC networks. Microsoft's Active Directory relies on
Secondary or even
The need for users to access the SBC resources from a variety of locations using different access methods, media, and possibly protocols, must be
Aside from a
From an architectural standpoint, TCP/IP is the preferred protocol. Aside from its technical advantage (the entire Internet is based on TCP/IP), IPX/SPX and NetBEUI should only be
Defining required access methods is really an exercise in identifying the user community and the locations or environments from which they need to connect. In all cases, bandwidth requirements per method must be evaluated to "close the loop" and ensure that every required means of access (local, remote, dedicated media, dial-up, virtual private network (VPN), and so on) is afforded adequate bandwidth to support the number of concurrent connections expected. In most cases, enumerating the applications available to a user may be via direct client connection (Program Neighborhood) or Web-based front end (Citrix NFuse Classic). The following are common access methods based on
Traditional LAN access Local user community with direct high-speed deterministic bandwidth and little need for encryption.
Wireless LAN (WLAN) access Similar to a traditional LAN, but with a greater need for security due to the lack of defined physical boundaries. Usually requires secondary authentication (like a dial-up user) as well as some level of encryption.
Branch office, dedicated media The classic distributed branch office environment. Connection to the SBC core is via dedicated, deterministic WAN media (T1, Frame Relay, ATM, and so on) and supports both SBC connectivity and other network services. Dedicated access for remote branch offices is essential when Quality of Service (QoS) for packetized voice or video is required.
Branch office, VPN access
Similar to the dedicated media paradigm, but site-to-site bandwidth is
Remote user Internet access (applications only)
Connection is via non-deterministic bandwidth over the public Internet. Usually requires some level of encryption and may require
Remote user Internet access (applications and LAN) Connection uses a VPN over non-deterministic bandwidth via the public Internet. Usually requires increased levels of encryption and multifactor authentication to protect the LAN environment. Users access SBC resources and directly access the local LAN for drive mapping, printing, or "fat client" applications. The most common example is roaming executives or sales staff that need SBC applications and the ability to synchronize handheld devices with corporate mail servers (for example, Palm Pilot users). This may also include IT Staff that need to access and manage LAN resources and servers.
Direct dial access
Used for direct connection to the SBC core via any of several remote access methods. May be either via direct dial to an SBC member server as an asynchronous serial connection or through a remote access concentrator (RAS services on a server or hardware concentrator). Dial-up media may be either analog (typical modem) or digital (ISDN, BRI, or PRI). Analog access is limited to 33.6 Kbps while digital access can provide up to 56 Kbps for analog modem users and
An SBC network
Network security Designs should include firewalls, access lists on routers and Layer 3 switches, and intrusion detection systems (IDSs).
Authentication, authorization, and access (AAA) mechanisms must be tailored to the environment and access method. Internal "wired" users are
Data security Although the actual data for a thin-client connection is a stream of video data and input device data (pointing device and keyboard), the data must still be protected from intercept and exploitation. This is particularly true of credentials used to access the session. There are two common methods of protecting this data. The first method is Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption based on certificates and Public Key Infrastructure (PKI). The second method is IP Security (IPSec) using the Digital Encryption Standard (DES) or Advanced Encryption Standard (AES). Other mechanisms may be used in specialized cases, for example, NSA's FORTEZZA (SKIPJACK) encryption cards or Wireless Equivalent Privacy (WEP) for WLANs.