Network System Security, part 23 (docx)


Service | Description
Remote Control Protocols | Include programs like PC Anywhere and VNC. If these protocols are required to allow remote users to control internal systems, they should be used over a VPN.
SNMP (Simple Network Management Protocol) (port 169) | May be used for network management of your organization’s internal network but it should not be used from a remote site to your internal systems.

COMMUNICATIONS ARCHITECTURE

When developing a communications architecture for an organization’s Internet connection, the primary issues are throughput requirements and availability. Throughput is something that must be discussed with the organization’s Internet Service Provider (ISP). The ISP should be able to recommend appropriate communication lines for the services to be offered.

The availability requirements of the connection should be set by the organization. For example, if the Internet connection will only be used by employees for non-business-critical functions, the availability requirements are low and an outage is unlikely to adversely affect the organization. If the organization is planning to establish an e-commerce site and have the majority of its business moving through the Internet, availability is a key to the success of the organization. In this case, the design of the Internet connection should include fail-over and recovery capabilities.

Single-Line Access

Single-line access to the Internet is the most common Internet architecture. The ISP supplies a single communications line of appropriate bandwidth to the organization, as shown in Figure 9-1.

Generally, the ISP will supply the router and the Channel Service Unit (CSU) for the link. The local loop is the actual wire or fiber that connects the organization’s facility with the phone company’s central office (CO). The ISP will have a point of presence (POP) somewhere nearby. The link to the ISP will actually terminate at the nearest POP. Even though the POP is not at the closest CO, the local loop connection will require that the line go through the closest CO. From the POP, the link goes through the ISP’s network to the Internet.

If we analyze the connection shown in Figure 9-1, we see that there are a number of points where an equipment failure will cause an outage. For example:

▼ The router could fail.
■ The CSU could fail.
■ The local loop could be cut.
■ The CO could suffer damage.
▲ The ISP’s POP could fail.

It should be noted that not all of these failures have an equal chance of occurring. A router has a much greater likelihood of having a hardware failure than a CO does of suffering damage, for instance. However, cables do suffer damage on occasion and this may cause a significant outage. This list also does not include failures that may occur within the ISP itself. Such failures do occur from time to time due to weather, cable cuts, or denial-of-service attacks.

Given the potential failure scenarios, this architecture is recommended only for non-business-critical Internet connections.

Chapter 9: Internet Architecture 139

Figure 9-1. Standard single-line access architecture


Multiple-Line Access to a Single ISP

One way to overcome the single point of failure issues with the single ISP architecture shown in Figure 9-1 is to use multiple lines to the same ISP. Different ISPs offer different services in this regard. Some call it a shadow link while others call it a redundant circuit. In any case, the goal is to provide a second communication link should a failure occur.

Single-POP Access

An ISP can provide fail-over access by setting up a redundant circuit to the same POP (see Figure 9-2). The redundant circuit may include a redundant router and CSU, or a single router may be used. The two circuits are configured so that if the primary circuit fails, the second circuit will take over the load.

140 Network Security: A Beginner’s Guide

Figure 9-2. Redundant circuit access to a single POP


This architecture addresses failures in the router, the CSU, the phone company circuit to the CO, and the ISP equipment at the end of the connection. These failures are the more common types of outage. It does not, however, address less frequent, but no less severe failures such as a local loop cut, damage to the CO itself, or a failure of the ISP’s POP. Likewise, if the ISP should suffer a major outage, service would still be disrupted.

One benefit to this architecture is the low cost of the redundant circuit. Most ISPs will provide the redundant circuit at a cost that is lower than a second full circuit.

Multiple POP Access

Additional availability and reliability can be purchased by running the second connection to a second POP (see Figure 9-3). In this case, the second connection can be a redundant connection or it can be up and running continuously.


Figure 9-3. Multiple connections to multiple POPs


For this type of architecture to work properly, the ISP should be running the Border Gateway Protocol (BGP). BGP is a routing protocol that is used to specify routes between entities with these types of dual connections. Care must be taken with BGP to set routing policies properly.

It should also be noted that this configuration still has two single points of failure: the local loop and the CO. These points of failure cannot be overcome unless the organization’s facility has two local loop connections. If it does, the architecture can be modified, as shown in Figure 9-4.

This type of architecture reduces the points of failure to just one: the ISP itself. If the ISP has a significant outage, the organization may still suffer degraded service or a complete loss of connectivity.

Figure 9-4. Multiple connections via multiple local loops


Multiple-Line Access to Multiple ISPs

Given the potential failure points with using a single ISP, why not use more than one? On the surface, this seems like a good idea (and for some organizations, it is) but don’t believe that this removes all of the issues and risks with the Internet architecture. The use of multiple ISPs can, if architected correctly, reduce the risk of loss of service dramatically (see Figure 9-5). However, a number of other issues come up in choosing the ISPs and in the addressing scheme to use for the organization.
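The single points of failure that this chapter walks through (Figures 9-1 to 9-5) can be compared quantitatively with a reliability-block calculation: components in a chain multiply their availabilities, duplicated components fail only when both copies fail. The following is an added example, not the book's own material; the per-component availability figures are constructed for illustration and are not measured values.

```python
from math import prod

# Constructed availability figures (fraction of the year each component is up).
# Illustrative only; the ordering follows the text, where a router is far more
# likely to fail than a central office is to suffer damage.
AVAILABILITY = {
    "router": 0.995,
    "csu": 0.997,
    "circuit": 0.998,      # phone-company circuit between the CO and the ISP POP
    "pop": 0.999,
    "local_loop": 0.9995,  # wire or fiber from the facility to the nearest CO
    "co": 0.9999,
    "isp": 0.9993,         # outages inside the ISP's own network
}
COMPONENTS = tuple(AVAILABILITY)

# Components each architecture duplicates; everything else stays a single point of failure.
ARCHITECTURES = {
    "single line (Fig 9-1)": (),
    "redundant circuit, one POP (Fig 9-2)": ("router", "csu", "circuit"),
    "two POPs (Fig 9-3)": ("router", "csu", "circuit", "pop"),
    "two POPs, two local loops (Fig 9-4)": ("router", "csu", "circuit", "pop", "local_loop", "co"),
    "two ISPs (Fig 9-5)": COMPONENTS,
}

def series(*avail):
    """Chain of components: every one must be up."""
    return prod(avail)

def parallel(*avail):
    """Redundant components: the path is up unless every copy is down."""
    return 1.0 - prod(1.0 - a for a in avail)

def single_points_of_failure(duplicated):
    return tuple(c for c in COMPONENTS if c not in duplicated)

def availability(duplicated):
    """Two identical legs of the duplicated components, in series with the shared ones."""
    leg = series(*(AVAILABILITY[c] for c in duplicated))
    shared = series(*(AVAILABILITY[c] for c in single_points_of_failure(duplicated)))
    return parallel(leg, leg) * shared

def downtime_hours_per_year(duplicated):
    return (1.0 - availability(duplicated)) * 365 * 24

if __name__ == "__main__":
    for name, dup in ARCHITECTURES.items():
        print(f"{name:40s} {availability(dup):.5f}  ~{downtime_hours_per_year(dup):6.1f} h/yr down  "
              f"SPOFs: {', '.join(single_points_of_failure(dup)) or 'none'}")
```

With these figures the single line is down roughly 107 hours a year, and each step in the chapter removes the remaining single points of failure in the order the text describes, leaving only the ISP for Figure 9-4 and none for Figure 9-5.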

Choice of ISPs

The complexity of establishing an architecture that uses two different ISPs is high and it requires significant knowledge and experience in the ISPs that are used. One area of knowledge that is essential is knowledge of BGP. BGP will be used to route traffic to the organization and it must be configured properly within and between the ISPs.


Figure 9-5. Internet architecture using multiple ISPs


Another issue that may impact the choice of ISPs has to do with the physical routing of the connections. The local loop may continue to be a single point of failure if the organization’s facility does not have multiple local loop connections. If there is only a single local loop, redundancy can still be accomplished by choosing an ISP that uses wireless communication for the last mile connection (see Figure 9-6).

The use of a wireless link does not remove all the availability issues as the wireless link may be lost or degraded due to atmospheric conditions, storms, or birds. However, the likelihood of both a severe degradation of the wireless link and a major outage to the traditional ISP becomes very small.

Figure 9-6. Using a wireless ISP to improve availability


NOTE: The choice of a wireless ISP should be governed by the same requirements as that for a traditional ISP. Any ISP should be able to provide a service-level agreement and back up that agreement with sound management practices.

Addressing

Another issue that must be resolved when working with multiple ISPs is the issue of addressing. Normally, when working with a single ISP, the ISP assigns an address space to the organization. The ISP configures routing so that traffic destined for the organization finds its way to the organization’s systems. The ISP also broadcasts the route to those addresses to other ISPs so that traffic from all over the Internet can reach the organization’s systems.

When multiple ISPs are involved in the architecture, you must determine which addresses will be used. One ISP or the other may supply the addresses. In this case, the routing from one ISP works as normal and the other ISP must agree to broadcast a route to address space that belongs to the first ISP. This configuration requires a strong understanding of the way BGP works so that traffic routes appropriately.

Another option is for the organization to purchase a set of addresses itself. While this resolves some of the issues, it creates others. Now both ISPs must be willing to advertise routes to addresses that they do not own.

NOTE: The addressing and routing issues should be discussed with the ISPs before contracts are signed. This issue is not easy to resolve without the full cooperation of both the ISPs.

The final option is to use addresses from both ISPs. In this case, some systems will be given addresses from one ISP and other systems will be given addresses from the other ISP. This architecture does not truly resolve the availability issues and should not be used if it can be avoided.

DEMILITARIZED ZONE

DMZ stands for “demilitarized zone.” It is commonly used to refer to a portion of the network that is not truly trusted. The DMZ provides a place in the network to segment off systems that are accessed by people on the Internet from those that are only accessed by employees. DMZs can also be used when dealing with business partners and other outside entities.

Defining the DMZ

The DMZ is created by providing a semi-protected network zone. The zone is normally delineated with network access controls, such as firewalls or heavily filtered routers. The network access controls then set the policy to determine which traffic is allowed into the


Posted: 02/07/2014, 18:20