Wide-area Networks and the Internet
Many organizations have two or more locations that are too far apart for a practical connection via high-speed LAN technology. In these situations, a Wide Area Network (WAN) is used. Figure 1 shows a common configuration used to connect two locations.
In this example, two Ethernet LANs are connected with a T1. A T1, also known as DS-1, is a common data circuit. It supports guaranteed bandwidth of up to 1.544 Mbps. Compare this to the common 100 Mbps bandwidth for LANs. The T1 depicted in Figure 1 is a point-to-point circuit. One end of the T1 is connected to a Telco CO. The other end is connected to a Smart Jack in the remote office. A smart jack is the point at which the Telco terminates the T1 in your building. It's also the point at which the Telco's responsibility for support ends. This is known as the Demarc, short for Demarcation Point. Routers are used to connect the two LANs. Although some additional configuration and provisioning may be necessary, the manner in which these routers move packets between the two locations is essentially the same as that used by routers on a LAN.
If an organization has a large number of remote locations, point-to-point connections may be far too costly. Other technologies are available to reduce costs in these situations. We'll discuss two of them - frame relay and IP VPN. Figure 2 depicts a frame relay solution.
A frame relay network allows multiple businesses to share a network of routers and switches to move data between locations. This can result in lower WAN costs when compared to point-to-point T1 connections. To connect two offices, like the one in our example, four components are necessary - a T1 connected to the Corporate Office, a T1 connected to the remote office, a Telco frame relay network, and a Permanent Virtual Circuit (PVC). We've already discussed how T1's are connected to a business office location.
Frame relay networks are common today, although other WAN connectivity methods are often more practical. Any Telco you call will have a solution similar to its competitor. The primary differences will be cost, support, and the effort required to roll the solution out to your facilities.
A PVC is a Private Virtual Circuit that connects two of your locations. To your network, it looks like a point-to-point connection. Other businesses sharing the frame relay network can't see your data. Your Telco provisions a PVC through router and switch configurations within their frame relay network. The bold path between routers in Figure 2 represents a PVC. The path provisioned may not be the most direct path. One of the objectives of provisioning is to minimize congestion in the network.
Although frame relay networks were the economical solution for many years, IP VPN is a popular replacement. IP VPN uses the Internet instead of a frame relay network to move data between locations. This results in lower costs. Before we look at IP VPN, we should understand how the Internet works and how a single location connects to the Internet. Figure 3 is a logical representation of the Internet.
The Internet is nothing more than a large web of interconnected routers and switches that move TCP/IP packets from one of the millions of connected devices to another. Unlike a frame relay network, however, no PVC is provisioned. Each packet released to the Internet may travel a different path than the packet sent before or the packet sent after. With basic Internet service, there is little you can do to mitigate the effects of congestion. But the improvements in Internet infrastructure have mitigated performance issues related to traffic patterns to the point where using the Internet is often more cost effective than other forms of WAN connectivity. Newer quality of service technologies, like MPLS, allow subscribers to push critical packets through the Internet at times of high use. This is necessary for services like voice over IP.
Getting connected to the Internet isn't much different from how you connect your home; it's just on a larger scale with better service level expectations. Each business location is connected to an Internet Service Provider (ISP). This may be the Telco you use to provide IP VPN services. The ISP is the portal to the Internet. (Although no CO is shown in our example, the circuits from the ISP's and the business locations still run through one or more CO's.) This is a pretty straight forward setup. It's typically much cheaper than point-to-point or frame relay solutions. However, it does have one flaw. The Internet is not inherently secure.
Traffic sent over the Internet can be picked up and read by anyone with access. In general, data is accessible at any hop between the source and destination locations. This isn't usually a problem if you're just browsing the Internet, but it can become a big problem if you are moving sensitive business information across the same infrastructure. This is where IP VPN comes in. Figure 4 represents an IP VPN implementation.
A router, firewall, workstation, server, etc. is configured at each location as a VPN endpoint device. Once configured, all packets transferred between these two devices are encrypted. The encrypted data flow creates a virtual tunnel, shown in Figure 4 as the encrypted data pipe. You can use this connection as a private, secure WAN connection.
Now, we'll take a look at two common methods of isolating your critical network resources from the Internet. Figure 5 depicts a business location connected to the Internet via both a proxy server and a DMZ.
A proxy server can serve many purposes. In this article, we'll take a look at four: packet filtering, network address translation (NAT), performance improvement, and site access control. We're using the proxy server in this example to block all traffic initiated by systems from outside our network. Only packets sent to devices within our network, that have initiated Internet connections, are allowed to pass.
NAT is a common service that allows an organization to present a small number of IP addresses to the Internet. These public facing addresses usually have nothing in common with the addresses of devices connected to the organization's LAN or WAN. When a device on the internal network initiates a connection to the Internet, the proxy server maps the device's private IP address to one of the publicly facing IP addresses. As far as a service on the Internet is concerned, it is communicating with the publicly facing IP address. It can't see the private IP address of the device with which it's communicating. This helps protect the organization's information assets since the outside world doesn't know the IP addresses of the devices on the internal network.
Proxy servers are not required for NAT. Almost all routers, including those for home or home office, support NAT.
Performance improvement is achieved through caching. When a user on your network accesses a web site, the proxy server can store a copy of the pages she views on its disk. If she or another user attempts to access that site again, the proxy server will check its cache to see if the requested page is stored there. If it is, the proxy server retrieves it and sends it to the requesting user. This is not only faster than pulling it across the Internet, it also helps conserve circuit bandwidth.
Not all web pages can be cached. Pages that are dynamically built upon access, for example, can't be cached. Pages that can be cached should be refreshed periodically to ensure the content is up to date. Proxy servers can be configured to perform these updates automatically.
Finally, proxy servers can be used to restrict the sites to which an organization's users are allowed to connect. The capability of most proxy servers to perform this function is rather primitive. You can set up a proxy server to allow access to all web sites except those you enter into a list. The reverse is also true. You can set up the restrictions so your users can access nothing unless it's in the list. The management of these lists can become overwhelming. It's a better idea to implement one of the third party products that allow you to restrict Internet access by site category. Each category contains hundreds of sites the vendor has identified. The vendor provides daily updates to the category lists. Management is minimal.
The second way to connect to the Internet shown in Figure 5 is via a DMZ. The abbreviation DMZ is borrowed from the military term Demilitarized Zone. Like a military DMZ, a network DMZ serves as a guarded, fortified zone between the dangers lurking on the Internet and your internal network. These dangers include crackers and malware.
In the example in Figure 5, the DMZ is used strictly to allow external access to certain databases. Many organizations require this kind of access for vendors or customers. Instead of providing direct access from the Internet to production databases, it's a better idea to provide access only to application/web servers in the DMZ. The servers in the DMZ are then granted restricted access to retrieve or write data to specified databases only. This functionality is provided by firewalls.
A firewall's primary role is to restrict traffic to only packets that meet certain criteria by using access control lists.
Access control lists are used by firewalls and routers to block all packets except those the business chooses to allow. The most common type of packet filtering uses source and destination IP Addresses and ports specified in the IP datagrams to determine whether to block a packet.
In Figure 5, the external firewall is configured to allow only datagrams with a destination port of 80 and a Destination IP Address of 184.108.40.206 to pass into the DMZ. All other packets are blocked. Port 80 is used by the web application running on the web server in the DMZ. If a user coming in from the Internet opens the application and requests data, the web server will send a packet to the internal firewall with a Destination IP Address of 192.168.2.5 and port 1434. This is the address of the database server that hosts the application's data. 1434 is the port assigned to Microsoft SQL Server, a database management system on which the database is hosted. The internal firewall checks each packet it receives. In our example, it's configured with an access list that allows only traffic destined to 192.168.2.5, port 1434, and only if the source IP address matches that of the web server in the DMZ, 220.127.116.11. All other packets are blocked (dropped).
A DMZ is a very powerful tool to harden your network perimeter. In later chapters we'll see that it's just one layer in a defense in depth strategy necessary to protect your information assets.
In Part 7, the last in this series, we'll see how a wireless network might be configured.
Go to Part 7...
See other articles in this series...