


Capacity planning is possible, and there are general, easily implemented rules. For example, a redundant serial connection would likely require attention and expansion once the individual link utilization reaches 35 percent; that leaves sufficient bandwidth on the surviving link (roughly 70 percent utilization) when a single link fails.

Encryption

For the network designer, the issue of encryption has taken on greater importance in the late 1990s. Virtual private networks and business-to-business transactions, both of which may use the Internet for transport, can greatly benefit from encryption services. As discussed in Chapters 9 and 11, encryption is the act of scrambling data between the two endpoints so that the data cannot be read if it is intercepted. Encryption may also be used to guarantee the authenticity of the data.

In addition to the wide area networking benefits of encryption, there may be instances when it is desirable to protect data flows in the internal network. Telnet, by its very nature, is completely insecure. Data is carried in clear text, resulting in flows that can be intercepted and read with ease. This is of particular concern when you consider the information commonly sent by administrators via Telnet: router logins and configuration files. Even with the benefits of switching, which hides some data flows by forwarding packets only to their genuine destinations, it is remarkably easy for an internal source to monitor the traffic destined for a router. The risk increases when Telnet is used to manage servers and other data-storage devices.

SNMP is another, directly related protocol that places the network components at risk within the internal network. Like Telnet, SNMP (disregarding Version 3) has a very simple password mechanism (the community string), and it sends data in clear text. These two areas should be of some concern to the network administrator, as these security holes could be exploited to initiate a denial-of-service attack or cause other problems that impede the proper flow of business data through the network.

One solution to this problem is SSH, or secure shell. Using SSH coupled with a terminal server, the designer could augment a security model by denying Telnet via the network and providing access only via the console port. This adds some expense, but again, the expense may be justified.

Cisco recently added secure shell services to the IOS, which provides another solution.

Another tool at the designer’s disposal, outside the context of encryption, is applying access lists that restrict which IP addresses are permitted to reach the SNMP ports on the network devices. This makes hacking of the password somewhat moot, as the attacker would also need to hijack a permitted IP address—a more detectable event.

Why include Telnet and SNMP in a section regarding encryption? As noted before, SSH is one alternative to Telnet that uses encryption, and SNMP Version 3 supports a somewhat higher level of security than Version 2. However, the real connection between these seemingly unrelated issues is twofold.

First, designers need to realize that encryption is not the magic bullet of a security solution. Configuring a router (or front-end device) to provide encryption services does precisely that—it provides encryption services. Failure to secure non-encrypted management services like Telnet leaves the device open to simple attacks that could ultimately undermine the encrypted stream itself.
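The management-plane weaknesses described above (cleartext Telnet on the vty lines, SNMP community strings that any source address may use, and the default community strings) are easy to check for mechanically. The following Python script is an added example, not code from the book or from Cisco: it parses an IOS-style running configuration and reports those weaknesses, then shows that the hardened form (SSH only, an access-class on the vty lines, and an access list attached to the SNMP community) produces no findings. Both configurations are constructed samples; the host names, addresses and community strings are placeholders, and the interpretation of a vty stanza with no explicit `transport input` as unconstrained is an assumption, since the default depends on the IOS release.

```python
"""Audit an IOS-style config for cleartext management services.

Added example: checks for Telnet on the vty lines, SNMP v1/v2c communities
with no source access list, and default community strings. The two configs
below are constructed samples for this example, not real devices.
"""

# Community strings that ship as defaults and are widely known.
DEFAULT_COMMUNITIES = {"public", "private"}

WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit host 10.1.1.5
access-list 10 deny any log
ip ssh version 2
snmp-server community s3cr3t-ro RO 10
snmp-server group NETMGMT v3 priv access 10
line vty 0 4
 login local
 access-class 10 in
 transport input ssh
"""


def _stanzas(config):
    """Group the config into (top-level command, [sub-commands]) pairs.
    Indented lines belong to the most recent top-level command."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if stanzas:
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def audit_config(config):
    """Return a list of (finding_code, detail) tuples for the config."""
    findings = []
    stanzas = _stanzas(config)
    top_level = [cmd for cmd, _ in stanzas]

    for cmd, subs in stanzas:
        tokens = cmd.split()
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            name = tokens[2]
            rest = tokens[3:]
            # An optional 'view <name>' pair may precede the access mode.
            if len(rest) >= 2 and rest[0] == "view":
                rest = rest[2:]
            if rest and rest[0].upper() in ("RO", "RW"):
                rest = rest[1:]
            # Whatever remains is the ACL (number or name) limiting sources.
            acl = rest[0] if rest else None
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("SNMP_DEFAULT_COMMUNITY", name))
            if acl is None:
                findings.append(("SNMP_NO_ACL", name))
        elif tokens[:2] == ["line", "vty"]:
            transports = set()
            has_access_class = False
            for sub in subs:
                st = sub.split()
                if st[:2] == ["transport", "input"]:
                    transports.update(t.lower() for t in st[2:])
                if st[:1] == ["access-class"]:
                    has_access_class = True
            # Assumption: no explicit 'transport input' is treated as
            # unconstrained, because the IOS default varies by release.
            if not transports or transports & {"telnet", "all"}:
                findings.append(("VTY_TELNET_ALLOWED", cmd))
            if not has_access_class:
                findings.append(("VTY_NO_ACCESS_CLASS", cmd))
            if "ssh" in transports and "ip ssh version 2" not in top_level:
                findings.append(("SSH_VERSION_NOT_PINNED", cmd))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or 'no findings'}")
```

The script deliberately reports an SNMP community without a trailing access list as a finding even when the string is not a default, because a guessed or captured community string is only useful to an attacker if the device will answer from that source address; the access list is the control that makes the password "somewhat moot" as the text puts it.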

The second factor in encryption is the selection of an encryption protocol. Rather than describe and define all the current solutions, of which there are many, it is easier to leave this topic to other texts and, more importantly, to vendor relationships. Corporations, like people, make many decisions based on nontechnical factors, which is natural and somewhat unavoidable. As a result, the selection of an encryption provider may be determined through familiarity with a certain vendor or previous solutions. For example, Nortel may provide a better VPN solution, but previous experience with Cisco’s routers and the PIX may lead to a decision to use a Cisco device. Of course, the converse may also be true—Cisco may have a better solution for the organization, but having a shop full of Bay/Nortel routers may make the organization want to stay with such a solution.

Therefore, the best recommendations will likely result from a focus on asking the right questions and looking for standards-based support. Different protocols encrypt different portions of the packet, which may affect interoperability or the ability to diagnose problems. Of course, stronger encryption may improve security.

The Future of Network Design

The majority of this text addressed some of the more basic concerns in network design. In reality, future designs will prove much more difficult for designers to implement than today’s, although how much more depends on whom you ask. Today, most designers are concerned with connecting workstations to servers and mainframes, and while remote access, wireless, and video-conferencing are all portions of the modern network, the current focus is on a fairly simple model wherein a relatively small number of devices communicate over clusters of networks that loosely interconnect.

In the future, the network will substantially increase in complexity. For example, not only will data require secure connections, but it will also demand true location transparency. In addition, automated data gathering, storage, and manipulation will become increasingly important, according to most futurists.

Consider the evolution of the computer. In a fairly short time, computers with Internet connectivity have been deployed in many U.S. classrooms. Considered against the fact that most U.S. schools do not have per-room telephone service, this accomplishment is even more remarkable.


Throughout this text, the term “Internet” has been used to mean the Internet that evolved from ARPANET—also called Internet One (I One). No dialog on the future of networking would be complete without noting the efforts in place to establish better networks dedicated to specific tasks, including academic research. However, the use of the term “Internet” does not encompass the Internet Two (I2) project or any of the other new networks.

In the academic arena, engineers and technologists are using systems that may ultimately drive the need for a capacity of over 5 Gbps per user. These systems include components beyond virtual reality, wherein individuals interact with each other via sensors and feedback pressure suits. It is conceivable, according to some futurists, that the holodeck from Star Trek will be a reality within 50 years—the technology of today already mimics significant components of science fiction.

It will be interesting to see exactly what network services become commonplace in society. Today, many people carry cellular phones, PDAs (personal digital assistants), pagers, and watches; there is little reason not to combine all of these devices into a single unit. At present, most users continue to carry multiple devices for historical, user-interface, power, or availability reasons.

