Designing and building a network that meets your organization's needs isn't a trivial exercise. Today's wide array of technology options means you have many decisions to make. Should you deploy wireless technology in an enterprise network? What firewalls can or should you install? What about Gigabit Ethernet? WAN options? IP addressing? Should you deploy hardware-based or software-based solutions? Obviously, trying to design anything but the smallest network can be daunting. Fortunately, many established best practices can help guide you through the process and help you determine the right mix of technologies and design that will meet your organization's IT goals. Let me start by laying the foundation for any good network-design discussion, then I'll discuss some network-design best practices.
The OSI 7-Layer Model
A solid understanding of network design starts with a model. The Open System Interconnection (OSI) 7-layer model is an industry-standard way to describe the network protocol stack and how it applies to practical aspects of networking. Figure 1 shows the OSI model and lists examples of technologies that correspond to each layer.
When you design a network, you're most often concerned with Layer 2, Layer 3, and Layer 4. Devices such as NICs, firewalls, routers, and switches work mainly with these three layers (and on rare occasions Layer 5). By understanding how the various technologies relate to one another at each level of the OSI model, you can better design and operate a network that meets your needs.
Here's how the OSI model stacks up. Layer 2 defines the type of topology you'll use to move traffic around your network (e.g., Ethernet, token ring, Asynchronous Transfer Mode—ATM, DSL). Layer 3 defines the protocol—typically IP—you'll use to route traffic from one location to another. Finally, Layer 4 defines the protocol that higher-layer applications (i.e., applications that work at layers 5-7 in the OSI stack) will use to communicate with one another across the network. If those applications require a guarantee that the data they send is received, TCP will guarantee delivery. When such a guarantee isn't necessary, UDP can provide quick, lightweight data transmission between applications. (For more information about the OSI model, see Resources.) So, armed with this basic understanding of the OSI model, lets move on to a discussion of how to build a typical network.
The Typical Network
Although defining a typical network is difficult, I'd wager that most organizations with multiple physical locations, a decent Web presence, and more than 1000 users will have a network similar to the one that Figure 2 shows. Let's pick apart this diagram, starting from the Internet and working our way in, and I'll give tips and advice on each aspect of the network design. You'll come out with a set of guidelines for designing your network.
The Internet and Firewalls
Organizations use a variety of methods to connect to the Internet. For small businesses, a DSL router to the local phone company might be adequate, but most medium-sized and large organizations typically require multiple redundant connections to and from the Internet for failover. Telecommunications companies (telcos) such as AT&T or Sprint provide various high-bandwidth options for connecting to the Internet—offering everything from a T1 (1.544Mbps) to OC-12 (622Mbps) connection. Typically, when you set up an Internet connection, you have a range of public IP addresses for devices that need direct Internet access, such as Web servers, VPN devices, proxies, and routers. The carrier that provides your Internet connection might also provide the necessary connection hardware, or you might need to provide your own routers or WAN access devices.
Regardless of your connection speed, you need a firewall to protect your internal network from the wild and woolly Internet. You have several options for designing and implementing a firewall. Figure 2 shows one common method, in which an external router connects directly to the Internet, and an internal router connects to the organization's internal network. In the OSI model, a router typically operates on Layer 2 and Layer 3. Hardware-based routers are available from vendors such as Cisco Systems, 3COM, and Nortel Networks. A router, as its name implies, routes Layer 2 IP traffic according to source and destination IP address. A router also can filter packets according to Layer 3 (TCP and UDP) information. For example, you can build access lists on most routers to prevent certain kinds of inbound traffic from reaching your internal network. You can also prevent internal users from accessing certain types of services (e.g., Network News Transfer Protocol—NNTP—
newsgroups) on the Internet. Access lists typically take the following form:
<source IP network or host>
<destination IP network or host>
<permit or deny> <protocol> <port>
For example, the following access list prevents all HTTP traffic between an internal IP segment of 10.1.1.0 and the external host 203.33.43.10:
10.1.1.0 203.33.43.10 deny tcp 80
Port 80 is the well-known TCP port for Web or HTTP traffic.
A firewall thus becomes a set of access lists that permit or deny certain inbound and outbound traffic. The network in Figure 2 has both internal and external routers, with a network segment between them that hosts several servers, including Web servers, VPN devices, and application proxies. This intermediate network segment is often referred to as a demilitarized zone (DMZ). Servers or devices on this segment are considered unsafe because traffic from the Internet is allowed to terminate directly on them. Thus, the role of the internal router is to protect an organization's internal network from illicit traffic that might originate not from the Internet but from an intruder who might have compromised one of these DMZ servers and is attempting to get to the internal network.
Previous
Register
