<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>networking</title>
<link>http://www.computersight.com/tags/networking</link>
<description>New posts about networking</description>
<item>
<title>Windows Server 2003: System Administrator’s Role</title>
<link>http://www.computersight.com/Operating-Systems/Windows/Windows-Server-2003-System-Administrators-Role.340703</link>
<description>
<![CDATA[<p>Do you need fast, efficient network administration, or better server security and business-oriented connectivity in your office? Windows Server 2003 is a common choice for that role: it provides file, web, messaging (Message Queuing) and transaction services, and it is a critical asset that the system administrator must protect. Its security features include a host firewall (from Service Pack 1), integrated administration tools and security event logging that should be reviewed regularly. Because data loss hits users directly, the system administrator installs, configures, operates and maintains the server hardware and software. Qualified and experienced administrators manage the server in several ways; one built-in Terminal Services mode, Remote Desktop for Administration, lets an administrator manage server resources effectively and remotely (two concurrent administrative sessions are permitted without Terminal Server licensing), which keeps productivity up when the server is in another room or another building.</p>
<p>Remote Desktop for Administration lets one administrator look after servers in several locations without travelling to them, which cuts administrative costs and gives flexibility in managing any large or small organization's network. Because it is an administrative channel, access to it should be limited to administrator accounts and to management networks. A system administrator performs various activities: monitoring the system and server resources, and maintaining a collection of quality, trusted software. When a client requests the deletion of an account, the administrator deletes it and grants new accounts only the privileges they need. As new software appears, the administrator also upgrades the system to support it, for example applications for a geographical information system (GIS), which collects, analyzes, stores and presents data or links to the data source.</p>
<p>Windows Server 2003 also records and processes event and security log messages. Day-to-day server and network management is organized around four administration areas:</p>
<ul>
<li>System administration</li>
<li>Network administration</li>
<li>Storage management</li>
<li>Directory services (Active Directory) administration</li>
</ul>
<p>The tools in these areas control and upgrade the operating system and the server applications that run on Windows Server 2003; they also cover domain controller promotion and demotion and server disk defragmentation. To meet the demands of different clients, a system administrator combines them with the server roles the platform offers: file and print server, web server and web application services, mail server, terminal server, remote access and virtual private network (VPN) server, directory services, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) server, Windows Internet Naming Service (WINS) and streaming media server. Each enabled role widens the server's attack surface, so only the roles an organization actually needs should be installed. A properly licensed Windows Server 2003 improves productivity in organizations of any size: it controls server applications, provides configuration templates (security templates applied through Group Policy) and supports ongoing security maintenance, making it a central part of an organization's web security and administration.</p>]]></description>
<pubDate>Wed, 12 Nov 2008 08:28:06 PST</pubDate></item>
<item>
<title>Networking</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Networking.260179</link>
<description>
<![CDATA[<p>A computer network consists of a number of computers linked together  using special hardware and software. Networking enables people to share both hardware and software either locally or globally.</p>
<p>The hardware on a network may include: personal computers, mainframes, supercomputers, printers, fax machines, navigational control systems, and interactive entertainment centers. <br />The software on a network always includes application software, workstation operating systems, and network operating systems.</p>
<p>Networked computers have a number of advantages. They allow information to be exchanged at high speeds, they allow important devices to be shared, and they allow people to connect to their computers over long distances.</p>
<h3>Benefit of Networking</h3>
<p>Geographically remote sites can be connected to share information. Several people can work on a large file at the same time without the entire file being copied to each of them, and information generated by a single user can be shared worldwide almost instantly. This enables faster, more precise communication, which should translate into greater accuracy, productivity and cost savings.</p>
<ul>
<li>Networking allows different types of computers to communicate. Mac and PC users can share information and resources over a network. <br /></li>
<li>Users on a network can also share physical resources such as scanner, printer, or other expensive piece of hardware. Sharing hardware significantly reduces the expense of running a system.<br /></li>
</ul>
<h3>Local Area Network (LAN)</h3>
<ol>
<li>Limited to a small geographical region<br /></li>
<li>Specifically designed to share hardware and software at high speeds. <br /></li>
<li>LAN technology dates from the 1970s (Ethernet originated at Xerox PARC in 1973); before that, mainframes were connected to dumb terminals (keyboard and monitor only, no system unit) over serial lines rather than a LAN.<br /></li>
<li>Mainframe-based networks offer more processing power and storage, while PC-based LANs adapt more easily to changing requirements.<br /></li>
<li>Many companies use a combined network of mainframes and PCs.<br /></li>
<li>Computers <br /></li>
</ol>]]></description>
<pubDate>Fri, 19 Sep 2008 04:27:30 PST</pubDate></item>
<item>
<title>Is Your Website Hosted at Uptown or Downtown?</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Is-Your-Website-Hosted-at-Uptown-or-Downtown.255761</link>
<description>
<![CDATA[<p>Web hosting is probably the most important aspect of doing business on the Internet. The average website is hosted by an ISP or hosting provider, and the business pays for the server space that keeps the site connected to the Internet. Hosting used to cost hundreds of dollars; in recent years prices have dropped drastically, mainly because of competition: demand has grown significantly, but the supply of server space has kept pace with it.</p>
<p>Most people know that web hosting means leasing space for a domain, for business or publishing needs. What is less well known is that the hosting comes from physical servers sitting in a provider's premises, and that both dedicated-IP and shared-IP hosting run on those same machines. Most start-up company websites choose shared-IP hosting because it is cheaper. The catch is that the other sites sharing the IP address may be fly-by-night operations engaged in scams or spamming. Reputation systems work on the IP address, not on the individual site: once the shared address lands on a mail blocklist or a search engine's bad-reputation list, your site can be dropped from search results and your outgoing email rejected, even though your site had nothing to do with the abuse. That is why more and more companies are moving their business operations to dedicated-IP hosting. A dedicated address only helps while you keep it clean, so check it against the major blocklists before you accept it from the provider, and periodically afterwards.</p>
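<p>The blocklist check described above, written out as an added example (this is not code from the original article). It builds the reversed-address query name that DNS-based blocklists (DNSBLs) use and interprets the answer. The zone name zen.spamhaus.org and its return codes are the ones Spamhaus publishes; the code table is the author's transcription and should be checked against current documentation before relying on it. The lookup takes a resolver callable so the logic runs offline against the constructed FAKE_ANSWERS table; with the default resolver it performs a real DNS query. The addresses used are from the documentation ranges and are assumed, not real listings.</p>

```python
"""DNSBL (DNS-based blocklist) check for a hosting IP address.

Added example, not from the original article. Addresses in 192.0.2.0/24
and 198.51.100.0/24 are documentation ranges; FAKE_ANSWERS is constructed.
"""
import ipaddress
import socket
from typing import Callable, Optional

# Return codes published for Spamhaus ZEN (author's transcription; verify
# against current documentation). Other zones use their own tables.
ZEN_CODES = {
    "127.0.0.2": "SBL: listed spam source",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe spam",
    "127.0.0.4": "XBL: exploited or compromised host",
    "127.0.0.5": "XBL: exploited or compromised host",
    "127.0.0.6": "XBL: exploited or compromised host",
    "127.0.0.7": "XBL: exploited or compromised host",
    "127.0.0.9": "SBL DROP: hijacked or criminal netblock",
    "127.0.0.10": "PBL: policy block, ISP-maintained dynamic range",
    "127.0.0.11": "PBL: policy block, Spamhaus-maintained range",
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the address and append the zone: 192.0.2.1 -> 1.2.0.192.<zone>.

    IPv6 addresses are reversed nibble by nibble, the same way ip6.arpa does it.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def check(ip: str, zone: str = "zen.spamhaus.org",
          resolver: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return a listing description, or None when the address is not listed.

    A 127.255.255.x answer is a query error (for example, the query came via a
    public resolver the list refuses to serve), not a listing, so it is raised
    rather than silently treated as "clean".
    """
    name = dnsbl_name(ip, zone)
    try:
        code = resolver(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not on the list
    if code.startswith("127.255.255."):
        raise RuntimeError(f"{zone} refused the query ({code}); use your own resolver")
    return ZEN_CODES.get(code, f"listed with unknown code {code}")


# Constructed answers so the example runs offline: 192.0.2.1 "is" an XBL hit.
FAKE_ANSWERS = {dnsbl_name("192.0.2.1", "zen.spamhaus.org"): "127.0.0.4"}


def fake_resolver(name: str) -> str:
    """Stand-in for socket.gethostbyname that answers from FAKE_ANSWERS."""
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {name}")


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7"):
        print(ip, "->", check(ip, resolver=fake_resolver) or "not listed")
```

<p>Run it against the address a provider offers you, and again on a schedule: a "not listed" answer today says nothing about next month, when a neighbouring tenant on a shared address starts sending spam.</p>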
<p>Having understood why a dedicated IP address matters, we also find that prices still vary among hosting providers. What lies behind the variation? To cut costs, hosting companies usually run their servers in what this article calls a downtown location, where office rental is very cheap. Commercial property in the city, or uptown, is extremely expensive, and that cost has to be factored into the price offered to customers if the provider is to make a profit.</p>
<p>As you have probably realised, every advantage comes with a disadvantage and vice versa. With a city or uptown hosting facility you tend to get better infrastructure, more assurance of server uptime and faster connections. Servers at a remote, countryside location are reachable over the same kinds of links, but every extra kilometre of cable and every extra router hop adds latency, and a long rural link is more likely to be low-capacity or congested. A well designed backbone using optical fibre can largely remove that penalty, but remote locations rarely have the best infrastructure; in the worst case they may still depend on an obsolete leased line or even dial-up.</p>
<p>Server maintenance and contingency handling are also harder for a server in a remote downtown office than in the city. Routine maintenance is scheduled, so it should not affect performance much. But if the server runs into an error or hangs, someone has to get to the physical machine in that server room to reset it, and that can take days if the location is far away. Remote health monitoring and ordinary remote control are generally possible, but after a crash the remote-control software is often dead along with the operating system. Remotely switchable power and out-of-band management hardware (a management card or serial console that works independently of the operating system) close that gap; ask a provider whether they have them before relying on remote hands.</p>
<p>Having gone through the pros and cons at length, we see that although hosting at a downtown location is much cheaper, it carries considerable inconvenience that can hurt the business as a whole. Leave the server down for too long and your clients will lose trust in your business. It is a tricky trade-off: the bottom line is having adequate resources to support operations effectively, while business practice also pushes you to cut operating costs to stay competitive. The balance between cost and effectiveness is the owner's decision and must follow the business objectives. If you are hosting an online game, for example, you have to deploy the most effective system available, because server uptime is of extreme concern to your customers.</p>]]></description>
<pubDate>Tue, 16 Sep 2008 06:23:00 PST</pubDate></item>
<item>
<title>The Different Types of Firewalls</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/The-Different-Types-of-Firewalls.244595</link>
<description>
<![CDATA[<h3>What is a Firewall?</h3>
<p>If you've been a PC user for a while, you may have heard the term "firewall" before. It is borrowed from construction, where it refers to a physical wall that contains a fire within a building. In computing it means a device, or set of devices, that filters traffic between networks of different trust levels, with the goal of protecting and hiding your internal network of computers (say, your home computers) from the outside.</p>
<p>All firewalls are essentially machines that operate on sets of rules, and their basic function is to filter passing traffic according to those rules. Most basic firewalls are made for very specific scenarios, such as the home, and require very little configuration.</p>
<p>These rudimentary firewalls (such as the one built into Windows XP) block unsolicited inbound connections, let outbound traffic through freely, and admit inbound packets only when they belong to a connection that a machine on the inside of the firewall initiated; once that connection ends, the opening closes. This gives an unpatched PC basic protection against attacks that arrive as unsolicited inbound connections. It can still be subverted, for instance by code the user runs that opens its own outbound connection, but it makes an attacker's job harder.</p>
<h3>Network Address Translation</h3>
<p>A firewall presents itself to the Internet with a public IP address (most likely obtained from your ISP) while talking to the private network with a private address. All modern home and small-office firewalls support this.</p>
<p>The original reason for the feature was to conserve public IP addresses in the rapidly filling IPv4 address space by letting an entire network be reached through a single address on the Internet. Because it also hides the real addresses of the computers behind it, it adds a security benefit as a side effect: all communication passes from the Internet to the firewall and then to the individual PC (or in reverse), so an outside host cannot address an inside machine directly unless a forwarding rule exists. Keep in mind that this protection comes from the stateful filtering that NAT requires, not from the address rewriting itself; a NAT device with careless port forwarding or a weak administrative interface offers little.</p>
<h3>The Different Types of Firewalls</h3>
<p>There are several different types of firewall available. Many products fall squarely into one of these categories, while others blur the lines a bit more. They are as follows:</p>
<h4>- Packet Inspection Firewalls</h4>
<p>Packets are the fundamental "units" of communication on the Internet, the smallest usable parts. This type of firewall, also called a stateless packet filter, is the cheapest and often the fastest-performing, because the more complex types need more built-in processing power and memory. It works by examining each packet in isolation: the source and destination IP addresses, the protocol, and the source and destination ports. If the packet is allowed by the rule set, it is passed on to its destination. If not, it is either dropped, which silently discards the packet, or rejected, which returns an error (such as an ICMP unreachable or a TCP reset) to the sender. Dropping gives an attacker less information; rejecting is friendlier to legitimate users and to diagnostics. This firewall operates at the network layer, with a glance at transport-layer port numbers.</p>
<h4>- Stateful Firewalls</h4>
<p>The main weakness of a packet inspection firewall is that it does not know the context of a packet. Many packets make up a whole conversation. A stateful firewall maintains a table of the connections passing through it, so it can tell whether a packet is the start of a new connection, part of an existing one, or invalid altogether: an inbound packet that matches no recorded connection is dropped even if its ports look plausible.</p>
<p>This type of firewall also operates with a set of rules, and those rules can refer to the connection state ("allow established and related traffic"). It operates at the network and transport layers.</p>
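<p>The difference between the two firewall types above, shown side by side as an added example (not code from the original article). Both filters implement the same policy, "the inside host may open web connections, nothing else crosses", on the same constructed packets; the addresses are assumed values from the documentation ranges. The stateless filter has to admit every inbound packet with source port 80 in order to let replies through, which is exactly the hole a probe from source port 80 walks through; the stateful filter admits only replies to a connection it saw opened.</p>

```python
"""Stateless versus stateful packet filtering on the same policy.

Added example, not from the original article. Packets are constructed
tuples, not captured traffic; the addresses are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

INSIDE = "10.0.0.5"        # assumed inside host
WEB = "198.51.100.10"      # assumed web server (documentation range)
ATTACKER = "203.0.113.9"   # assumed attacker (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet) -> str:
    """Judge each packet on its own header fields only.

    To let web replies back in, the rule set must admit every inbound packet
    whose source port is 80, so an attacker reaches any inside port simply by
    sending from source port 80.
    """
    if pkt.src == INSIDE and pkt.dport == 80:
        return "ALLOW"  # outbound web request
    if pkt.dst == INSIDE and pkt.sport == 80:
        return "ALLOW"  # looks like a reply; the filter cannot tell
    return "DROP"


class StatefulFilter:
    """Record connections the inside host opens; admit only matching replies."""

    def __init__(self) -> None:
        # (inside ip, inside port, remote ip, remote port)
        self.connections: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.src == INSIDE and pkt.dport == 80 and pkt.syn and not pkt.ack:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"  # new outbound connection: remember it
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.dst == INSIDE and reverse in self.connections:
            return "ALLOW"  # reply belonging to a connection we saw opened
        return "DROP"       # unsolicited, or no matching state


def run_scenario() -> dict[str, tuple[str, str]]:
    """Return {packet name: (stateless verdict, stateful verdict)}."""
    stateful = StatefulFilter()
    packets = [
        ("syn out", Packet(INSIDE, 51000, WEB, 80, syn=True)),
        ("reply in", Packet(WEB, 80, INSIDE, 51000, syn=True, ack=True)),
        ("probe from sport 80", Packet(ATTACKER, 80, INSIDE, 445)),
        ("stray reply", Packet(WEB, 80, INSIDE, 52222)),
    ]
    return {name: (stateless_filter(p), stateful.filter(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22s} stateless={stateless:5s} stateful={stateful}")
```

<p>The stateless filter lets the probe to port 445 through because it looks like a web reply; the stateful filter drops it, and also drops the "stray reply" for which it never saw an outbound SYN. Real stateful firewalls additionally age entries out and remove them on FIN/RST, which this toy omits.</p>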
<h4>- Application-layer Firewalls</h4>
<p>This type of firewall operates at the highest layer of network communication, the application layer. In addition to the capabilities of the other types, it understands the traffic of particular applications and protocols, so it knows for the most part what kind of traffic to expect on a given port and what a given protocol should look like.</p>
<p>Application-layer firewalls can therefore notice when a protocol is being run on a non-standard port, or when a protocol is being abused. The deeper inspection costs processing power, and encrypted traffic can only be inspected if the firewall terminates the encryption, so these devices are usually placed in front of specific services rather than on every link.</p>
<p>From software built into your operating system to server-room equipment dedicated to filtering thousands of computers a day, firewall technology is found all across the Internet. It keeps you safe at home and at work, often as the first line of defense against whatever new virus or worm has just been written. I hope this article has helped you understand the different features and types of firewalls available today.</p>]]></description>
<pubDate>Sun, 07 Sep 2008 04:23:00 PST</pubDate></item>
<item>
<title>Wireless Networking Physical Security</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Networking-Physical-Security.232547</link>
<description>
<![CDATA[<h3>Environmental Awareness and Physical Security</h3>
<p>The first step in any security assessment or hardening process is an environmental survey: building an accurate, scenario-specific picture of the environment in which the network actually operates.</p>
<p>One aspect that is all too often overlooked here is physical security. All security starts with the physical and only then progresses to the logical. Without further ado, here are the issues and potential solutions that merit consideration for all wireless networking environments and deployment scenarios.</p>
<h3>Fixing and Camouflage</h3>
<p>Make sure that all of your Wireless Access Points (WAPs) are physically secured. Tie-downs and camouflage are good ways to do this, and a camouflaged or concealed device (in a suspended ceiling, for example) has the added benefit of being hidden from general view.</p>
<p>The old adage "out of sight, out of mind" applies: what cannot be seen is less likely to walk off. WAPs can be concealed in suspended ceilings, wiring closets or fixtures such as ornaments and planter pots, which is also more aesthetically pleasing. Concealment protects the hardware from casual theft and tampering; it does nothing to hide the radio signal, which is the subject of later sections.</p>
<h3>Signal Degradation</h3>
<p>For wireless networks, physical security also covers the factors that degrade the signal: interference from other wireless devices and cell phones, electromagnetic interference (EMI) from electronic and electrical equipment such as TVs, radios and public address systems, signal attenuation, and, for the wired components that connect your WAPs and wireless bridges/routers to the wired LAN, noise and cross-talk. All of these need to be taken into account.</p>
<h3>Functional Reliability</h3>
<p>Do not overlook the need for equipment reliability and robustness along with adequate emergency situation operating functionality. It is imperative that in the event of an emergency or catastrophe that your wireless network remains fully functional unless circumstances dictate otherwise. Communication is usually the most valuable resource in times of doubt and uncertainty. Just ask the military.</p>
<h3>Naming, Labeling and Documentation</h3>
<p>An appropriate secure customized naming convention complete with a fully complementary secure labeling system is a must. This is generally of higher importance for a business wireless networking environment where there may be considerable numbers of roaming network member devices than is usually the case for the home wireless network.</p>
<p>On top of this, wireless network physical security requires the appropriate planning to ensure ready location and identification of network devices in the event of malfunctions, failures or hacking (successful or not) especially when physical access of the equipment in question becomes necessary. Of course this will include the proper documentation detailing all physical aspects of the wireless network including device location and identification markers.</p>
<h3>Wireless Traffic Control</h3>
<p>Another crucial element of physical security for all wireless networks that deserves special mention is traffic control. Just as one regulates the physical ebb and flow of people on a site through control of transport facilities, the same holds for regulating the flow of traffic on a wireless network.</p>
<p>Think of this as a perimeter-based site security strategy with multiple layers of defense for physical access. On the network, a firewall regulates which traffic may pass between the wireless segment and the rest of the network, much as a fence and guard-house do for a facility perimeter, while authentication of the wireless clients themselves is handled at the access point (WPA2-Enterprise with 802.1X, for example). So install a firewall between the wireless segment and the wired network and ensure that it is correctly configured.</p>
<h3>Physical Traffic Control Mechanisms</h3>
<p>Physical traffic control for wireless networks is mostly a mixture of hardware and logical measures, and the exact mix is situation specific. Careful device placement, the choice of frequency band and the transmit power setting all play a role.</p>
<p>Some frequencies penetrate walls and fixtures better than others (2.4 GHz penetrates better than 5 GHz), and a more powerful signal (higher transmit power) propagates further and penetrates fixtures better. Wireless network signals have been detected, at usable quality, at up to 125 miles from the transmitter (the official world record distance as recorded by <a href="http://www.wifi-shootout.com" target="_blank">http://www.wifi-shootout.com</a>), albeit with high-gain directional antennas and a clear line of sight.</p>
<p>For these reasons, in a high-security zone one may need to deploy more specialized WAPs set to a lower transmit power than usual, combined with directional rather than omnidirectional antennas, so that the coverage area matches the area you actually intend to serve. The additional cost of such units is readily justified by the additional security.</p>
<p>From a fiscal standpoint, this small additional cost is a one-time, up-front expense, and the finance department will appreciate that these devices are generally sturdier and more reliable, with a longer expected operating life, which reduces running costs and failure-induced troubleshooting and replacement.</p>
<h3>Logical Traffic Control Mechanisms</h3>
<p>Having implemented perimeter-based access verification and validation security initiatives we may well need to implement additional logical controls and network subdivisions such as Demilitarized Zones (DMZs). DMZs for instance allow for additional network traffic control, regulation, isolation and compartmentalization.</p>
<p>Limiting wireless devices to specific areas/zones of a network also delivers additional benefits such as greater economy and efficiency of bandwidth usage patterns and superior levels of granular administrative capabilities and ease of use.</p>
<h3>Wireless-Free Zones</h3>
<p>There are also many instances where wireless networking devices along with mobile communications or entertainment devices functionality are undesirable or unwelcome. The most sensitive of these areas will be related to sensitive electronic equipment such as that found in hospital trauma, intensive care, surgical units, coronary care units and life support systems. Areas where flammable materials are handled, stored or used also qualify as wireless-free zones.</p>
<p>In these cases and others like them we need to monitor to ensure that within a specific perimeter wireless devices are not functional and that signal leakage from wireless enabled sectors does not leak in. Perimeter threshold detection is generally considered to be the most effective solution here.</p>
<p>By this I mean that metaphorically speaking a line is drawn beyond which none of the above devices will pass while still turned on. Hospitals generally paint a red line on the floor, walls and ceiling to clearly mark this threshold.</p>
<h3>Collateral Damage</h3>
<p>When designing and planning a wireless network remember to incorporate provisions that address physical security from the health perspective by ensuring that no possible harm, collateral damage or interference can be caused by the network, its devices and its signals. Cables for example, should be secured and out of harm's way as should WAPs.</p>
<p>We don't, for instance want a WAP falling onto somebody from a humane perspective as well as from a litigation avoidance perspective. Nor do we want our wireless network to cause the cardiac pacemaker of a passer-by to malfunction. Here is a case where clear, readily noticeable and unambiguous notifications (signage) are our main preventative and compliance option. I guess this is more or less a disclaimer approach really.</p>
<p>Not only do we need to protect and guard humans from harm caused directly or indirectly by our wireless network and its components but we need to protect our wireless network from physical harm caused by humans and/or the environment as well. It is up to us to provide for our networks physical well-being as it cannot do this for itself.</p>
<h3>Regulatory Compliance</h3>
<p>Regulatory compliance issues also need to be addressed at all levels and all stages of a wireless network's life cycle. Local and regional standards and regulations need to be researched and fully compliant measures implemented. Policies also need to be developed, made appropriately available to those concerned and of course implemented.</p>
<h3>Pass-Through Point Security</h3>
<p>Just as a physical site's physical access controls may see the implementation and installation of fences and stationing of security guards at primary access points the same can often be done with wireless networks. For example there may be the opportunity to implement search mechanisms such as the pass-through points seen at airports etc. This is one way of ensuring that unknown devices do not enter within the coverage area of your wireless network.</p>
<p>Unfortunately, for most businesses it is often impractical to implement this type of measure as the cost and negative customer reactions may preclude it as being overly draconian. Larger chain retailers do however, employ pass-through scanning devices but they are more attuned to the detection of theft of merchandise rather than the prevention of unauthorized wireless access.</p>
<p>Note however, that for areas not publicly accessible and/or where sensitive materials are stored pass-through inspection security is a viable option. Espionage is a reality that must be addressed. If not the stealing of properties then the sabotage aspect may be of appropriate weight to implement pass-through surveillance mechanisms.</p>
<p>So much damage has been done in the past by persons posing as service or utility personnel that many facilities, especially an organization's research and development and marketing divisions as well as its datacenter, have seen fit to implement the pass-through security approach.</p>
<h3>Wireless Network Presence Detection</h3>
<p>Although a wireless network uses a medium invisible to the human eye, with the right tools it becomes very observable. Tools such as Kismet, which listens passively and therefore cannot itself be detected, have very little difficulty finding a wireless network, and there is very little you can do to prevent this: wireless signals are transmitted over a shared, public medium. Fortunately there is a lot you can do to prevent exploitation of a wireless network after it has been detected.</p>
<p>Encrypting the entire conversation, including the authentication and connection-establishment exchanges, which in practice means WPA2 (802.11i) with AES-CCMP rather than the broken WEP, is, as far as most would-be intruders are concerned, just too much hard work when there are untold numbers of easier targets to be had.</p>
<h3>Quality of Service (QoS) Geographical Access Parameters</h3>
<p>One should always consider geographical access and connectivity requirements and parameters in conjunction with the desired timely delivery of Quality of Service (QoS) metrics. The wireless network's ideal is to provide adequate connectivity and accessibility throughout the entire area of intended coverage (no drop-out zones) and with a specified level of Quality of Service (QoS) for said area but no more.</p>
<p>The Quality of Service (QoS) factor may be defined by either meeting or failing to meet specific performance metrics such as transfer rates or strength of encryption.</p>
<p>The geographical network confinement parameters are generally characterized and measured by the degree of signal leakage beyond a specified intended perimeter of coverage. The distance, signal strength, signal quality and degree of availability both within and beyond the designated network perimeter are the parameters that define and delineate that point at which signal leakage becomes unacceptable.</p>
<h3>Network Monitoring and Site Surveys</h3>
<p>For monitoring the attributes of a wireless network, tools such as Kismet, NetStumbler, Wireshark (formerly Ethereal) and AirSnort are your friends (AirSnort in particular demonstrates how quickly a WEP key can be recovered from captured traffic). Use them to conduct regular site surveys that assess signal leakage beyond the intended perimeter and look for access points you do not recognize, and take remedial measures as needed to ensure compliance at all times and locations.</p>
<p>Some organizations go as far as using signal-jamming technology to render any leakage useless and prevent piggy-backing. Be aware that operating a jammer is illegal in most jurisdictions (in the United States it violates FCC rules), so reducing transmit power and using directional antennas are the practical options.</p>
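<p>What a site survey from the section above turns into once the readings are written down, together with the transmit-power argument from the Physical Traffic Control Mechanisms section, as an added example (not code from the original article or from any of the tools named). SURVEY_CSV is constructed sample data in an assumed column layout; in practice the rows would be exported from a scanner such as Kismet. KNOWN_BSSIDS is the assumed inventory of the organisation's own access points, and the usable-signal threshold is an assumption. The range estimate uses free-space path loss, which is an optimistic upper bound: walls attenuate far more, so real leakage is shorter, but the tenfold range reduction for a 20 dB power cut holds regardless.</p>

```python
"""Site-survey leakage check plus a transmit-power range estimate.

Added example, not from the original article. SURVEY_CSV is constructed;
KNOWN_BSSIDS, OUR_SSIDS and USABLE_RSSI_DBM are assumptions for the example.
"""
import csv
import io
import math

SURVEY_CSV = """location,zone,ssid,bssid,rssi_dbm
lobby,inside,CorpNet,00:11:22:33:44:01,-48
lab2,inside,CorpNet,00:11:22:33:44:02,-55
carpark,outside,CorpNet,00:11:22:33:44:01,-71
street,outside,CorpNet,00:11:22:33:44:02,-88
street,outside,CorpNet,aa:bb:cc:dd:ee:ff,-60
carpark,outside,GuestNet,00:11:22:33:44:03,-90
"""

KNOWN_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
OUR_SSIDS = {"CorpNet", "GuestNet"}
USABLE_RSSI_DBM = -75  # assumption: at or above this, an outside client can associate


def parse_survey(text):
    """Parse the survey rows; RSSI becomes an int, BSSIDs are normalised to lower case."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["rssi_dbm"] = int(row["rssi_dbm"])
        row["bssid"] = row["bssid"].lower()
    return rows


def leakage(rows, threshold=USABLE_RSSI_DBM):
    """Our own access points heard outside the perimeter at a usable level."""
    return [(r["location"], r["bssid"], r["rssi_dbm"]) for r in rows
            if r["zone"] == "outside"
            and r["bssid"] in KNOWN_BSSIDS
            and r["rssi_dbm"] >= threshold]


def unknown_aps(rows):
    """BSSIDs not in our inventory that advertise one of our SSIDs (rogue or evil twin)."""
    return sorted({r["bssid"] for r in rows
                   if r["ssid"] in OUR_SSIDS and r["bssid"] not in KNOWN_BSSIDS})


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB for distance in metres and frequency in MHz."""
    return 20 * math.log10(distance_m / 1000) + 20 * math.log10(freq_mhz) + 32.44


def usable_range_m(tx_dbm, antenna_gain_dbi, rx_sensitivity_dbm, freq_mhz=2437):
    """Free-space distance at which the signal drops to rx_sensitivity_dbm.

    Solves fspl_db(d) = tx + gain - sensitivity for d. 2437 MHz is 2.4 GHz channel 6.
    """
    budget_db = tx_dbm + antenna_gain_dbi - rx_sensitivity_dbm
    return 1000 * 10 ** ((budget_db - 20 * math.log10(freq_mhz) - 32.44) / 20)


if __name__ == "__main__":
    rows = parse_survey(SURVEY_CSV)
    print("leakage beyond perimeter:", leakage(rows))
    print("unknown APs using our SSIDs:", unknown_aps(rows))
    for tx in (20, 0):
        print(f"tx {tx:3d} dBm -> usable range ~{usable_range_m(tx, 2, -75):.0f} m")
```

<p>The survey flags the lobby AP as usable from the car park and an unknown BSSID broadcasting CorpNet on the street; both are items for the remedial list. The range function shows why the power setting matters: dropping from 20 dBm to 0 dBm cuts the free-space range by a factor of ten, from roughly 690 m to 69 m for a receiver at -75 dBm.</p>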
<h3>Line of Sight</h3>
<p>Line of sight requirements need to be assessed carefully from the perspectives of both the current scenario and extrapolated into making predictions of the most likely conditions that will be prevalent at various predefined times in the future. Trees for example have a habit of growing.</p>
<p>So where a clear line of sight exists today the possibility that this will not be so in the future must be evaluated. In the case of trees one solution might entail lopping every other year in order to preserve said clear line of sight. No matter the terms or conditions, the establishment and implementation of a documented schedule or regime that addresses these types of issues needs to be set forth.</p>
<h3>Conclusions</h3>
<p>Wind, vibration, the environment in general and human interference of one form or another will all conspire to throw the most carefully designed and implemented wireless network out of alignment. Persistent, informed vigilance must be your motto and creed.</p>]]></description>
<pubDate>Thu, 28 Aug 2008 08:31:08 PST</pubDate></item>
<item>
<title>Wireless Networking Security Considerations</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Networking-Security-Considerations.232451</link>
<description>
<![CDATA[<p>Without doubt, the implementation, maintenance, updating and testing of a network's security suite, together with ongoing assessment of the network's state of preparedness, form the fabric upon which counteracting all forms of unauthorized network access and use, before, during and after the event, is based.</p>
<h3>Introduction</h3>
<p>It would be nice to live in utopia, that ideal world where nobody was a villain and misdemeanors never occurred. Unfortunately for the majority of us residing back here on planet Earth, security breaches, compromises and issues are all too real and unpleasant facts of life. Regardless of our station in life somebody is always trying to get a free lunch at our expense or trying to take advantage of us in some other way.</p>
<p>This being said we need to identify the objectives, acceptable standards, policies and regulatory compliance requirements that our wireless network security should deliver as intended.</p>
<h3>Wireless Networking Security Objectives Defined</h3>
<p>It is widely recognized that the underlying theme of all network security, and not just of the wireless components, should be consistent adherence to the principles expressed by the CIA triad: the planning, implementation and maintenance of organization/network-wide Confidentiality, Integrity and Availability (CIA). Authentication is not the "A"; it is one of the mechanisms (together with authorization and accounting) by which the three properties are enforced.</p>
<p>The implication is that only duly authenticated, authorized users have access to their allocated network resources, assets, capabilities, bandwidth and Quality of Service (QoS), in line with the appropriate user rights, permissions and privileges (confidentiality); that data and configurations cannot be altered undetectably by anyone else (integrity); and that the service remains usable for those users whenever they need it (availability). The trick is in doing so seamlessly and transparently to the user.</p>
<h3>Strategies</h3>
<p>A security strategy built from multiple layers of protection, blending physical security, multiple layers of authentication, network monitoring, traffic flow control, firewalls, intrusion detection and prevention, surveillance, logging and log analysis, and complementary specialized software, hardware and technologies, is widely regarded as the fundamental pillar upon which rock-solid network security is built.</p>
<p>Make no mistake about it, this holds true for wired and wireless networks alike. By employing a defense-in-depth approach many exploits can be negated. Wireless network access is an example of where multiple layers of authentication return handsome dividends.</p>
<p>The first line of defense is network access and connectivity control. Users should be required to present valid, current authentication credentials before they can begin to access the wireless network, and the user's wireless device should also be required to authenticate itself.</p>
<p>The simplest form of machine "authentication" is a MAC address filter table on the Wireless Access Point (WAP) or wireless router: devices whose MAC address is not on the list are denied association. This check precedes any user-based authentication because the MAC address is carried in the Layer 2 header of every 802.11 frame. For exactly that reason it is a hygiene measure, not real authentication: the address travels in the clear, anyone running a sniffer can read the MAC of an authorized station and clone it onto their own adapter, and the filter cannot tell the two apart. Genuine machine authentication needs a credential the device must prove possession of, such as a per-device certificate presented over 802.1X/EAP-TLS, which also yields a per-session encryption key that a cloned MAC alone does not give the attacker.</p>
<p>The next line in our defenses could involve additional authentication at various points throughout the network, including transit beyond the local segment. For wireless components this is most easily achieved by configuring dedicated wireless-only network segments, or by placing wireless devices in their own Virtual Local Area Network (VLAN).</p>
<p>These segregated wireless segments can be placed in a Demilitarized Zone (DMZ), so that traffic between them and the wired LAN must pass through a firewall where it can be filtered and logged. It is also advisable to keep them on LAN segments physically independent of the rest of the network. Secondary user passwords or passphrases can be required at the application level as well.</p>
<p>Failure to adopt a multi-layered approach makes a successful intrusion far more likely. If all an attacker need do is "crack" one password or passphrase, then once they have gained access to a wireless component that has no secondary authentication behind it you can safely assume that they have also gained full access to your entire network, meaning all assets and resources, including those of the wired segments.</p>
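<p>The following added example (not code from the original article) shows why the MAC filter described above is a hygiene measure rather than an authentication layer, and what the second layer has to add. It parses the fixed 802.11 MAC header of constructed station-to-AP data frames, applies an allow-list in the style of a hostapd accept file, and then applies a second check that requires a MIC computed with the key negotiated during the station's own authenticated association. The allow-list format, the sample MAC addresses and keys, and the use of a truncated HMAC-SHA256 as a stand-in for the real CCMP MIC are all assumptions made for the illustration.</p>

```python
import hashlib
import hmac
import struct

# Allow-list in the style of a hostapd accept_mac_file (format assumed: one MAC
# per line, '#' starts a comment). The addresses are constructed sample data.
ACCEPT_FILE = """
# corporate laptops (constructed sample data)
00:11:22:33:44:55
00:11:22:33:44:66
"""

FC_DATA_TO_DS = 0x0108  # Frame Control: type = data (bits 2-3 = 10b), To-DS = 1
MIC_LEN = 8             # truncated HMAC standing in for the CCMP MIC (assumption)


def load_allow_list(text):
    """Parse the allow-list: one MAC per line, '#' comments, case-insensitive."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            allowed.add(line.lower())
    return allowed


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(sa, bssid, da, payload, session_key=None):
    """Station-to-AP 802.11 data frame: 24-byte MAC header, payload and, when the
    station holds a session key, an 8-byte MIC over header+payload."""
    hdr = struct.pack("<HH", FC_DATA_TO_DS, 0)               # frame control, duration
    hdr += mac_bytes(bssid) + mac_bytes(sa) + mac_bytes(da)  # Addr1, Addr2, Addr3
    hdr += struct.pack("<H", 0)                              # sequence control
    mic = b""
    if session_key is not None:
        mic = hmac.new(session_key, hdr + payload, hashlib.sha256).digest()[:MIC_LEN]
    return hdr + payload + mic


def parse_header(frame):
    """Decode the fixed 802.11 MAC header; Addr2 is the transmitting station."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,          # 0 = management, 1 = control, 2 = data
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "addr1": mac_str(frame[4:10]),    # BSSID for a To-DS frame
        "addr2": mac_str(frame[10:16]),   # transmitter (the station's MAC)
        "addr3": mac_str(frame[16:22]),   # final destination
    }


def mac_filter(frame, allowed):
    """Layer-2 allow-list check exactly as an access point applies it."""
    return parse_header(frame)["addr2"] in allowed


def session_check(frame, sessions):
    """Second layer: the transmitter must prove possession of the key negotiated
    during its own authenticated association. 'sessions' maps MAC -> key."""
    key = sessions.get(parse_header(frame)["addr2"])
    if key is None or len(frame) < 24 + MIC_LEN:
        return False
    body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MIC_LEN]
    return hmac.compare_digest(mic, expected)


def admit(frame, allowed, sessions):
    """Layered decision: MAC allow-list first, then the session-key check."""
    return mac_filter(frame, allowed) and session_check(frame, sessions)


def demo():
    """Three constructed stations: a legitimate laptop, a rogue with its own MAC,
    and a rogue that cloned the laptop's MAC but never completed 802.1X."""
    allowed = load_allow_list(ACCEPT_FILE)
    bssid, gateway = "aa:bb:cc:dd:ee:ff", "00:00:5e:00:53:01"
    laptop_key = hashlib.sha256(b"constructed key for 00:11:22:33:44:55").digest()
    sessions = {"00:11:22:33:44:55": laptop_key}
    frames = {
        "legit":  build_frame("00:11:22:33:44:55", bssid, gateway, b"GET /", laptop_key),
        "rogue":  build_frame("de:ad:be:ef:00:01", bssid, gateway, b"GET /"),
        "cloned": build_frame("00:11:22:33:44:55", bssid, gateway, b"GET /", b"guess"),
    }
    return {name: (mac_filter(f, allowed), admit(f, allowed, sessions))
            for name, f in frames.items()}


def verdict(ok):
    return "pass" if ok else "drop"


if __name__ == "__main__":
    for name, (l2_ok, layered_ok) in demo().items():
        print(f"{name:7s} MAC filter: {verdict(l2_ok)}  layered: {verdict(layered_ok)}")
```

<p>The station that merely clones an authorized MAC passes the filter but cannot produce a valid MIC; that is the property a per-session key from 802.1X/WPA2-Enterprise provides and a bare MAC allow-list does not.</p>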
<h3>Wired and Wireless Issues</h3>
<p>I will now cover the major issues and areas of concern pertaining to wireless network security. Please note that this list is not intended to be absolute nor complete. New exploits and threats arise every day. Hence I have elected to present and highlight here those areas representing the greatest concern and/or those areas most likely to present future new threats and exploits.</p>
<p>Many of the generic issues discussed below apply equally to wireless and wired networks alike. This is especially so when the device in question is a consumer class broadband modem/router. Both the wired and wireless versions will exhibit the same basic preconfigured functionalities and default manufacturer configurations. For example manufacturers tend to use the same default administrator name, administrator password and network names as well as enabling DHCP by default.</p>
<p>So let's get to it and as always security starts with the physical and wireless networking is no different.</p>
<h3>Physical Security</h3>
<p>There are many physical security issues relevant to wireless networking, including the physical security of the device itself (accidental loss, theft, etc.), device naming and labeling conventions, physical accessibility (so critical for troubleshooting), coverage, Quality of Service (QoS), bandwidth, signal distortion, degradation and strength, device location, type of antenna and many more. If you would like to read more then check out Wireless Networking Physical Security.</p>
<h3>Transmission Media</h3>
<p>Because wireless networks use a shared transmission medium that is open to anyone within range who has the right tools and the desire, additional care and attention must be paid to security throughout the network's entire life cycle: an attacker needs no access to a port or a cable to capture or inject traffic. The appropriate time to start is at the very beginning of that life cycle, during the technical requirements analysis and evaluation, planning and design stages. The process is ongoing from there.</p>
<h3>Documentation</h3>
<p>Wireless device manufacturers usually provide the device's supporting documentation either on a disc bundled with the device or available for download from the manufacturer's website. In general, this documentation usually describes first steps/getting started, minimum requirements, preparation, installation, additional security procedures and finally troubleshooting and support.</p>
<p>Unfortunately, the vast majority of users will either ignore or skim over this information, or anything else that is not pictorially depicted in the quick start guide. Let's face it, these are the realities of our plug "n" play world: the device is working and I can use it; end of deal.</p>
<h3>Plug "n" Play</h3>
<p>The rise in popularity of wireless networks and technologies can in no small part be attributed to plug "n" play capabilities. On the one hand this is a boon for ease of connectivity, user friendliness and all-round ease of use. Yet it is these very aspects that make plug "n" play devices across the board so susceptible to subversion and compromise.</p>
<p>The problem with the default plug "n" play "silent install" approach to the installation and configuration of all devices (including wireless networking devices) is that, in so far as network/device security is concerned, it is no approach at all.</p>
<h3>Manufacturer Defaults</h3>
<p>Manufacturers preload their hardware with device specific software (firmware) and a basic configuration intended to get users up and running in the shortest possible time with minimal required user input.</p>
<p>Factory set default configurations, parameters, options and settings of most if not all devices are in the public domain. This is due to the fact that detailed and specific device defaults lists and documentation are generally freely available on the device manufacturer's website. They can also be found on a number of other third party websites.</p>
<p>The big difference between the documentation, resources and tutorials published on a manufacturer's website and those published on third-party websites is that the third-party sites tend not to confine their listings to the devices of a single manufacturer. They also tend to reveal more about the inherent flaws and potential exploits of a device that a manufacturer would prefer to "overlook". You might say they are a one-stop shop, and the attacker's first stop: assume that every default credential and setting your device shipped with is already in the attacker's hands.</p>
<h3>War Driving and Wireless Network Hacking</h3>
<p>While most of us have heard of hacking, the practice of "<strong>war driving</strong>" is not so well known. For the benefit of one and all, war driving is the practice of cruising around with a wireless-enabled laptop complete with a plethora of wireless network detection and cracking tools. Many war drivers also use GPS to record with pin-point accuracy the precise location of every wireless network detected.</p>
<p>The major distinction between the two is that war driving is all about discovering the existence of wireless networks. Hacking wireless networks, on the other hand, is about cracking or breaking into the networks discovered through war driving or by any other means, such as packet sniffing.</p>
<p>In short, the hacking of wireless networks is about gaining access to a network without being a legitimate, bona fide network user with genuine access rights and privileges. This does not imply that a would-be intruder is necessarily malevolent.</p>
<p>For example, legitimate, authorized security staff conducting site surveys, penetration testing or network preparedness assessments usually do not have "evil" intent. Still others may be attempting to access your wireless network for the thrill of it, simply because it's there.</p>
<p>Note that the tools used for war driving and standard wireless hacking purposes are generally the same. In addition, these tools are freely available for download via the Internet usually in the form of self extracting automatic installation packages or user installable software.</p>
<p>What many may not realize is the degree of user friendly sophistication and capabilities that these tools have attained over the years of their existence and development. So it is that in today's wireless networking climate we must assume that attackers are by default armed with these tools. With this in mind we can construct our defenses in a manner best suited to counteracting a multiplicity of threats originating from all angles.</p>
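<p>As an added example (not from the original article, nor from the Kismet or airodump-ng projects), here is the triage that a defensive "war drive" of your own premises, or the regular site survey recommended in the preceding Wireless Networking Physical Security article, comes down to. It reads an access-point table in the CSV style that airodump-ng writes (the column layout is assumed, and the rows are constructed sample data, as is the asset register of our own BSSIDs) and flags what the survey is looking for: open or WEP networks, legacy ciphers, factory-default SSIDs, access points nobody owns, and signal heard outside the perimeter above a threshold that is itself an assumption (-67 dBm).</p>

```python
import csv
import io

# Constructed survey export in the airodump-ng CSV style. The column layout is
# an assumption and the rows are invented: four networks heard from the car park.
SURVEY_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2008-08-28 07:00:01, 2008-08-28 07:05:10, 6, 54, WPA2, CCMP, MGT, -48, 120, 0, 0.0.0.0, 8, CORP-NET,
AA:BB:CC:00:00:02, 2008-08-28 07:00:03, 2008-08-28 07:05:11, 11, 54, WEP, WEP, OPN, -71, 98, 3112, 0.0.0.0, 7, linksys,
AA:BB:CC:00:00:03, 2008-08-28 07:00:05, 2008-08-28 07:05:09, 1, 54, OPN, , , -83, 40, 0, 0.0.0.0, 5, GUEST,
AA:BB:CC:00:00:04, 2008-08-28 07:00:06, 2008-08-28 07:05:12, 6, 54, WPA2, TKIP, PSK, -55, 110, 0, 0.0.0.0, 7, NETGEAR,
"""

# Access points we own, from the asset register (constructed). Anything else
# heard on site is either a neighbour or a rogue and needs locating.
OWN_BSSIDS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:03", "AA:BB:CC:00:00:04"}

# Factory SSIDs that suggest an unconfigured consumer device (sample list).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g", "wireless"}

# Received power outside the intended perimeter above which we call it leakage.
# -67 dBm is a common usability threshold; the exact figure is an assumption.
LEAK_THRESHOLD_DBM = -67


def parse_survey(text):
    """Parse the access-point table of an airodump-ng style CSV into dicts."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    aps = []
    for row in reader:
        bssid = (row.get("BSSID") or "").strip()
        if not bssid:
            continue
        aps.append({
            "bssid": bssid.upper(),
            "essid": (row.get("ESSID") or "").strip(),
            "privacy": (row.get("Privacy") or "").strip().upper(),
            "cipher": (row.get("Cipher") or "").strip().upper(),
            "auth": (row.get("Authentication") or "").strip().upper(),
            "power_dbm": int(row["Power"]),
        })
    return aps


def triage(aps, own_bssids, heard_outside_perimeter=True):
    """Return (bssid, essid, finding) tuples for everything that needs action."""
    findings = []
    for ap in aps:
        tag = (ap["bssid"], ap["essid"])
        if ap["bssid"] not in own_bssids:
            findings.append(tag + (f"unknown AP ({ap['privacy'] or 'OPN'}): rogue or neighbour, locate it",))
            continue
        if ap["privacy"] in ("", "OPN"):
            findings.append(tag + ("open network: no encryption at all",))
        elif ap["privacy"] == "WEP":
            findings.append(tag + ("WEP: key recoverable with AirSnort-class tools, migrate to WPA2",))
        elif ap["cipher"] == "TKIP":
            findings.append(tag + ("TKIP: legacy cipher enabled, restrict to CCMP",))
        if ap["essid"].lower() in DEFAULT_SSIDS:
            findings.append(tag + ("factory SSID: check that the admin credentials were changed",))
        if heard_outside_perimeter and ap["power_dbm"] > LEAK_THRESHOLD_DBM:
            findings.append(tag + (f"leakage: {ap['power_dbm']} dBm heard outside the perimeter",))
    return findings


def survey_report(text=SURVEY_CSV, own_bssids=OWN_BSSIDS):
    """Parse and triage in one call; returns the list of findings."""
    return triage(parse_survey(text), own_bssids)


if __name__ == "__main__":
    for bssid, essid, finding in survey_report():
        print(f"{bssid}  {essid:10s} {finding}")
```

<p>Run from the car park, the findings are your leakage report; run from inside, set heard_outside_perimeter to False and the same script becomes the configuration audit of the devices you own.</p>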
<h3>Conclusion</h3>
<p>In combination a device's factory defaults and plug "n" play silent installation and setup provide a very user friendly, fast and convenient method to get a device up and running. Yet it is these very same default factory/plug "n" play device parameters, default configuration settings and behaviors that make wireless networks and wireless devices installed in this way without any further user/administrator interaction particularly inherently susceptible to compromise.</p>
<p>Therefore, immediately after the initial setup and installation has completed successfully the first security tasks that you should religiously attend to are the modification and/or customization of the basic manufacturer factory default settings, administrator names, passwords and configurations.</p>]]></description>
<pubDate>Thu, 28 Aug 2008 07:10:15 PST</pubDate></item>
<item>
<title>IP Transit</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/IP-Transit.195491</link>
<description>
<![CDATA[<p>There are many misunderstandings about what Internet Service Providers (ISPs) do and what their responsibilities are. This short paper will hopefully clear up some of the misconceptions and shed some light on IP transit and the reasons as to why certain ISPs can or cannot do something while others that can won't.</p>
<p>IP transit is a formal agreement, usually in the form of a registered contract, under which an Internet Service Provider (ISP) sells wholesale Internet connectivity: the provider carries the customer's traffic to and from every other network on the Internet via its own peering and its own upstream transit. Smaller ISPs, hosting companies and content providers are the typical purchasers, and may resell it in turn.</p>
<p>Pricing is typically offered as a fixed or sliding scale of per megabit per second per month basis (M-bit/s/Month) and requires the purchaser to commit to a minimum volume of bandwidth. Pricing for the bandwidth can be reduced significantly by purchasing larger volumes or extending the contract term.</p>
<p>Modern IP transit agreements typically provide service level guarantees to almost all of the major Internet Exchange Points within a continental geography such as North America, Europe or Australia. However, these IP Transit Service Level Agreements (SLAs) still only provide best-effort delivery since they do not guarantee service from the Internet Exchange Point to the final destination.</p>
<p>As individual consumers, we too enter into SLAs with our particular ISP to purchase IP transit. For Asymmetric Digital Subscriber Line (ADSL) broadband services these consumer grade service level contracts are generally expressed in terms of an asymmetric capped bandwidth rate usually with some upper volume limit on a Gigabytes per month basis.</p>
<p>The asymmetric aspect is generally manifested as a quoted download connection rate with a much lesser upload connection rate. Bear in mind that actual data transfer rates tend to be somewhat less than the connection rate in either direction.</p>
<p>The rate is also variable. Once the connection has been established, the actual transfer of a given file will typically begin at some rate of X Mbit/s and then fluctuate, because throughput depends on contention with other users on the ISP's shared backhaul, on congestion anywhere along the path to the far end, and on how the sender's TCP stack responds to loss and delay.</p>
<p>You will often find that sustained transfers settle at a plateau noticeably below the headline connection rate. Where the ISP applies traffic shaping, that plateau can sit close to the rate it advertises for the next cheaper service tier; read the small print on "fair use" and shaping before assuming the headline figure.</p>
<p>The result, as I am sure you have already noticed, is that you can download considerably faster than you can upload, and that the time taken to transfer a file is not simply proportional to its size: a 50 MB file does not take exactly 50 times as long as a 1 MB file, since the rate changes over the course of the transfer.</p>
<p>Considering that the average Internet consumer's usage habits are such that they spend a far greater proportion of their time downloading than they do uploading, this disparity between the two rates of transfer is usually perceived by the consumer as satisfactory. We just accept that that is the way it is.</p>
<p>Another factor that reinforces this degree of consumer "satisfaction" is that the majority of us remember years of frustration with dial-up services followed by the revolutionary advent of broadband (ADSL), and now, with ADSL 2+, there truly is a gap of "light-years" between now and then. Still, I have no doubt that the magic will wear off and consumers will be primed for further higher-speed, always-on services and technologies.</p>
<p>One of the driving forces in this vicious cycle is the size of the average file transferred over the Internet. With the "average" file size increasing as rapidly as, if not more rapidly than, the capacity of the "I want it now" consumer's Internet service to deliver it, impatience will often win out. Nobody likes waiting for websites that are slow to load or files that take ages to transfer. With a click of the mouse we will generally surf on to the next site.</p>
<p>Holding consumer attention is something that Web masters are all only too acutely aware of. With Google, Yahoo, MSN and co. delivering so many options for a search this should come as no great surprise. StumbleUpon.com is one such social networking service characterized by high user "surf-through" rates. I myself click the Stumble button if a site is slow to load. There are heaps of worthy sites yet to Stumble and so on I go.</p>
<p>The richness of Web 2.0 and user interactivity (feedback, comments, content contribution etc.) is such a powerful element that it further accelerates mass migration from once flavor-of-the-day bogged down social networking sites to newer better performing ones with such suddenness that it truly takes the breath away. Check out Delicious.com and the recent changes (including changing their user unfriendly name and URL) wrought there for these very reasons.</p>
<p>Other recent trends such as Software-as-a-Service (S-a-a-S) and the many Web-hosted applications, such as many of the more recent Help Desk implementations, all contribute to the richness, variety and, in most instances, the cost-effectiveness of Web-based application solutions over the traditional locally hosted varieties.</p>
<p>The most important element of all of the above scenarios, and the one that is very rarely investigated by the end-user, is that somewhere along the line, and usually at more than one point, IP transit must be purchased.</p>
<p>More often than not, and for various reasons not readily apparent to the consumer, this element of the cost is hidden from obvious sight. It can usually be found in the small print of SLAs under headings such as "overhead", "establishment fees" and "administrative overheads", or as a component of "service fees/charges".</p>
<p>However; for commercial enterprises and particularly those with very active websites such as social networking and bookmarking sites the standard consumer grade arrangement is most definitely unsatisfactory and so they will have a different type of SLA with their ISP. Up until very recently this usually meant leased lines or dedicated fiber optic cables between their premises and the ISP's exchange equipment.</p>
<p>I must also note that the asymmetry of a DSL service need not always favour the download direction. Sometimes it is more important for a site to have upload data transfer rates superior to its download rates.</p>
<p>Instances where this type of IP transit arrangement would be considered desirable include manufacturer and developer download sites, particularly where the content of the consumer-downloadable files changes often or regularly, or is deemed critical (antimalware sites). Generally their upload link to the consumer-accessible download and support sites would be a separate link dedicated to this purpose.</p>
<p>Another instance is urgent notification systems that need to rapidly disseminate variable, critical content to a large number of target systems and users, especially "knee-jerk" security responses to zero-day threats and other emerging vulnerabilities.</p>
<p>Update sites such as the Microsoft Windows Update site and its automatic updates service would avail themselves of an IP transit Service Level Agreement (SLA) under which the administrative upload links into the facility are faster than the download rates. They may even use SDSL access technologies.</p>
<p>Another variant of Digital Subscriber Line (DSL) broadband services is Symmetric Digital Subscriber Line (SDSL). Yes it means just what it says. Data transfer rates are more or less equal in both directions (upload and download).</p>
<p>Today, with ADSL 2+, many a small to medium business no longer requires these expensive alternatives. Web hosting services have also made an impact in this area by providing, at prices suited to smaller enterprises and individuals, bundled offerings such as traffic metrics and statistics, 24/7 availability, auto-responders, domain hosting and an Internet point of presence.</p>
<p>No doubt this is a lucrative field for the services hosting provider. A fact reflected by the number of hosting services providers including Microsoft's entry into the arena with their free domain hosting services.</p>
<p>Once built, upload the website and the rest is taken care of (more or less). No servers to worry about. Let the networking guys at your hosting service provider do that.</p>
<p>Yet another resurfacing technology that follows the Software-as-a-Service (S-a-a-S) centralized application, processing (computing) and services philosophy is terminal services. In a terminal services production environment implementation centrally located servers host the applications, deliver services and perform the bulk of processing (computing) for those clients assigned to it. This is the same sort of structure and relationship that existed between the mainframes of yesteryear and their associated user terminals.</p>
<p>The benefits of this type of arrangement include a dramatic reduction in the amount of data that needs to be transmitted between end-points. Client requests and server replies containing the results of processing and &amp;ldquo;dumb&amp;rdquo; client user service accessibility requests ready for onscreen display are basically all that is transmitted.</p>
<p>The above factors also apply to wireless networking and wireless Internet access technologies. The main distinction between wireless network access (including access to the Internet) and the other technologies is the medium itself. Apart from that, access, authentication, logical connectivity, bandwidth, aggregate data throughput and the associated issues are, for the most part, much like those of the other available technologies when it comes to IP transit.</p>
<p>The result is that all of these factors are continually conspiring to change the face of the Internet and how we use it. For many of us, considerations and decisions relating to IP transit and the specific intricacies of the products and services offered by and stated in the Service Level Agreements (SLAs) between ourselves and our ISP rarely come to our attention. Yet there can be little doubt they are the arrangements upon which the Internet is built and commercial viability is derived.</p>
<p>I guess you could say that "there is no such thing as a free lunch". One way or another, somewhere along the line, you the end user still pay for your share of Internet access and use. The trick, from all perspectives (consumers, business, government, enterprise and organizations of all sizes and persuasions), is to minimize these costs.</p>
<p>I will discuss many and varied aspects of the Internet in future articles. Until next time enjoy!!</p>]]></description>
<pubDate>Mon, 04 Aug 2008 10:01:06 PST</pubDate></item>
<item>
<title>Wide Area Networks (WAN)</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Wide-Area-Networks-WAN.193643</link>
<description>
<![CDATA[<p>A Wide Area Network (WAN) is a type of computer network that covers a broad area and connects multiple other networks in order to make communications and data exchanges between users and machines at various geographically dispersed locations possible.</p>
<h3>Introducing Wide Area Networks (WANs)</h3>
<p>A Wide Area Network (WAN) is generally considered to be a type of computer network that covers a broad area where communications links cross regional, metropolitan or national boundaries. Today, it is probably better to think of a WAN as a network that uses routers and publicly accessible communications links. Without doubt the largest and most well-known WAN is the Internet.</p>
<p>Wide Area Networks (WANs) are used to connect Local Area Networks (LANs) and other types of networks, including Metropolitan Area Networks (MANs), wireless networks and private networks. The purpose of a WAN is to enable users and computers in one location to communicate with users and computers in other, often very geographically dispersed, locations.</p>
<p>Typically a WAN will consist of a number of interconnected switching nodes that allow transmissions from any one device to be routed through those nodes to the specified destination device(s). The nodes are not concerned with the content of the data; their job is to provide a switching facility that moves the data from node to node until it arrives at its intended destination. That is also the security-relevant point: every one of those nodes belongs to a carrier, not to you, and sees your traffic in whatever form you hand it over.</p>
<h3>Wide Area Network (WAN) Models</h3>
<p>In essence there are two basic design models upon which all WAN connectivity structures and organization are based. They are:</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/03/247089_0.jpg" alt="" /></p>
<p><strong>The Centralized WAN Model</strong> - Consists of a server or group of servers in a central location and client computers or dumb terminals that connect to the server(s) which provide the bulk of the network's functionality. Figure 1 above is a logical construct of a typical centralized WAN. Note that all points lead to the centrally located servers.</p>
<p>Today's typical physical Point of Sale (POS) functionality such as that implemented by chain organizations such as banks and supermarkets etc is a classic example of a centralized WAN. Software-as-a-Service (SaaS) and web based applications are other examples of a centralized WAN computing model.</p>
<p><strong>The Distributed WAN Model</strong> - Consists of client and server computers distributed throughout the network (see Fig.2 below). The Internet is a distributed WAN.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/03/247089_1.jpg" alt="" /></p>
<p>The three-tiered network design hierarchy, consisting of a core layer, a distribution layer and an access layer, is implemented on top of whichever WAN connectivity and organizational structures are chosen. For more about the three-tiered network design hierarchy check out this article: <a href="http://www.computersight.com/Communication-%26-Networks/Network-Design-Hierarchies.178283" target="_blank">Network Design: Hierarchies</a>.</p>
<h3>Building Wide Area Networks (WANs)</h3>
<p>In order to facilitate the efficient and effective transfer of information between a WAN's end systems, a number of protocols (rules that govern the transmission and reception of information between computers and network end-points) needed to be developed and implemented.</p>
<p>Generically speaking, a networking protocol is the formal description of a set of rules that describe, enable, govern and regulate the various characteristics, aspects, attributes and properties of an internetwork. One of the more important early WAN protocols was X.25. Although it has been largely superseded, many of X.25's underlying concepts and functions (with modifications and improvements) live on in Frame Relay.</p>
<p>Initially, most WANs were built using expensive leased lines. The most common production implementation of a leased-line WAN used a router at each end of the leased line to connect the LAN on one side to a hub within the WAN on the other.</p>
<h3>Wide Area Networks (WANs) Reducing Implementation Costs</h3>
<p>If ever the use of Wide Area Networks (WANs), including the Internet was to become widespread and accessible to the bulk of humanity (be it as individuals or collectives) something needed to be done to reduce the startup and running costs of planning, implementing and maintaining WANs. Fortunately solutions did exist.</p>
<p>Less costly alternatives to expensive leased lines when building a WAN include circuit switching and packet switching technologies. Here, network protocols including TCP/IP deliver the transport and addressing functions, while protocols such as Packet over SONET/SDH, Multiprotocol Label Switching (MPLS), Asynchronous Transfer Mode (ATM) and Frame Relay are commonly used by Internet Service Providers (ISPs) to deliver the links that make up the WAN.</p>
<h3>Wide Area Network (WAN) Connectivity Options</h3>
<p><strong>Leased Line</strong> - Provides private but comparatively expensive point-to-point connectivity between two computers or Local Area Networks (LANs) using protocols such as Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC) and Synchronous Data Link Control (SDLC). Note that "private" means the carrier does not share the circuit with other customers; none of these link protocols encrypts anything, so confidentiality still rests on the carrier's premises and staff unless you add encryption yourself.</p>
<p><strong>Circuit Switching</strong> - A less expensive dedicated circuit path, offering data transfer rates ranging from about 28 kbit/s to 144 kbit/s, is created between the end points for the duration of a call. On the downside, call setup and connection establishment must be renegotiated every time access is desired, because the link is not permanent. The best known example of circuit-switched WAN connectivity is the dial-up connection. Point-to-Point Protocol (PPP) and Integrated Services Digital Network (ISDN) are two of the most widely used protocols for circuit-switched WAN connectivity.</p>
<p><strong>Packet Switching</strong> - Variable-length packets are transported over a shared single point-to-point or point-to-multipoint link across a carrier internetwork using Permanent Virtual Circuits (PVCs) or Switched Virtual Circuits (SVCs). X.25 and <a href="http://www.computersight.com/Communication-%26-Networks/Frame-Relay.121342" target="_blank"><strong>Frame Relay</strong></a> are two examples of packet switching protocols used for WAN connectivity.</p>
<p><strong>Cell Relay</strong> - Cell relay is very similar to packet switching, but uses fixed-length cells instead of variable-length packets. Data is divided into fixed-length cells and then transported across virtual circuits. Unfortunately the overhead can constitute a significant proportion of the total bandwidth: an ATM cell is 53 bytes, of which only 48 carry payload, and a packet that does not fill its last cell pays for the padding as well. Cell relay protocols such as <a href="http://www.computersight.com/Communication-%26-Networks/Asynchronous-Transfer-Mode-ATM.122411" target="_blank"><strong>Asynchronous Transfer Mode (ATM)</strong></a> (commonly 155 Mbit/s over OC-3/STM-1, with higher rates available) are best suited to the simultaneous carriage of voice and data, because small fixed-size cells keep queuing delay predictable.</p>
<p><strong>Virtual Private Network (VPN)</strong> - With recent reductions in the cost of Internet connectivity and concurrent increases in the bandwidth and transmission rates offered by ISPs, many organizations have opted to interconnect their sites using VPN technologies such as those on offer from Cisco Systems, New Edge Networks, Juniper, Check Point and Vyatta. A VPN's strong point is that it encrypts and authenticates the traffic between sites, so the shared Internet path in between learns nothing useful; considering the prevalence of cyber-crime today it is no surprise to find that this form of WAN is currently very popular. Keep in mind that the encryption protects data in transit only; the endpoints and their key material still need protecting.</p>
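<p>To put a figure on the cell relay overhead mentioned above, here is an added example (not from the original article) that computes the ATM "cell tax" for IP packets carried over AAL5: the 8-byte CPCS trailer is appended, the result is padded to whole 48-byte cells, and each cell costs 53 bytes on the wire. The packet sizes and the 155.52 Mbit/s OC-3 line rate are the only inputs; SONET framing overhead, which lowers the rate actually available for cells, is deliberately left out.</p>

```python
CELL_SIZE = 53      # bytes per ATM cell on the wire (5 header + 48 payload)
CELL_PAYLOAD = 48   # user bytes per cell
AAL5_TRAILER = 8    # AAL5 CPCS trailer: UU, CPI, length, CRC-32


def aal5_cells(pdu_len):
    """Cells needed to carry a pdu_len-byte packet over AAL5: the 8-byte trailer
    is appended and the result padded up to a whole number of 48-byte cells."""
    if pdu_len < 0:
        raise ValueError("negative PDU length")
    return -(-(pdu_len + AAL5_TRAILER) // CELL_PAYLOAD)  # ceiling division


def wire_bytes(pdu_len):
    """Bytes actually transmitted, including cell headers and AAL5 padding."""
    return aal5_cells(pdu_len) * CELL_SIZE


def efficiency(pdu_len):
    """Fraction of transmitted bytes that are user data; the cell tax is 1 minus this."""
    return pdu_len / wire_bytes(pdu_len)


def goodput_mbps(line_rate_mbps, pdu_len):
    """Usable data rate for a steady stream of pdu_len-byte packets."""
    return line_rate_mbps * efficiency(pdu_len)


def report(sizes=(40, 200, 576, 1500), line_rate_mbps=155.52):
    """One row per packet size: (size, cells, wire bytes, efficiency %, goodput Mbit/s).
    40 bytes is a bare TCP ACK, 200 a G.711 voice packet with RTP/UDP/IP headers,
    576 the classic minimum IP MTU and 1500 an Ethernet-sized packet."""
    return [(n, aal5_cells(n), wire_bytes(n),
             round(100 * efficiency(n), 1), round(goodput_mbps(line_rate_mbps, n), 1))
            for n in sizes]


if __name__ == "__main__":
    print("  bytes  cells   wire   eff%  goodput@155.52")
    for row in report():
        print("%7d %6d %6d %6.1f %9.1f" % row)
```

<p>For small packets, a 40-byte TCP ACK or a 200-byte voice packet, barely three quarters of the line rate is user data, which is why the cell tax mattered so much for voice over ATM and why the fixed cell size was nevertheless accepted: predictable delay was judged worth the bandwidth.</p>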
<h3>Wide Area Network (WAN) Transmission Media and Links</h3>
<p>Any given WAN may use one, more or even all of the following technologies for the transmission and transport of information:</p>
<p><strong>Copper-Based Media</strong> - Telephone lines, coaxial cable, CAT cable etc</p>
<p><strong>Fiber Optic-Based Cables</strong> - Single-Mode and Multi-Mode (see <a href="http://www.scienceray.com/Technology/Applied-Science/Fiber-Optic-Cable.161801" target="_blank"><strong>Fiber Optic Cable</strong></a>and <a href="http://www.computersight.com/Communication-%26-Networks/Optical-Networking.187591" target="_blank"><strong>Optical Networking</strong></a>for more).</p>
<p><strong>Wireless</strong> - Radio frequency channels, microwave links, satellite channels and publicly accessible wireless “hot spots”</p>
<h3>Wide Area Network (WAN) Transmission Rates</h3>
<p>WAN transmission rates have traditionally ranged from 1.2 Kbit/sec to 6 Mbit/sec, although some connections such as ATM and leased lines can reach speeds greater than 155 Mbit/sec. The advent of ADSL2+ has upped the ante even further.</p>
<p>With transmission rates now up to about 30 Mbit/sec, DSL and cable modem are two consumer Internet connections that transmit considerably faster than a dial-up modem (56 Kbit/sec). Add to this the fact that they are generally cheaper than both ISDN and dial-up and you get a very cost-effective solution.</p>
<h3>Wide Area Network (WAN) Access</h3>
<p>Some Wide Area Networks (WANs) are public (usually built by Internet Service Providers (ISPs) to provide Internet connectivity) while others are private (built for a specific organization). Public access to an organization's “private” network is regulated by that organization. In contrast, access to public networks and the privileges of their users remain largely unregulated beyond the terms of the agreement between the consumer and their Internet Service Provider (ISP).</p>
<p>Hence the general public, anonymous and guest visitors, colleagues, business partners and associates may be permitted limited-privilege access to particular parts of an organization's private network but not to all of it. Which functions, services, assets and user capabilities are exposed varies greatly on a case-by-case, network-by-network basis.</p>
<h3>Demilitarized Zones (DMZs)</h3>
<p>A classic example of this regulated, limited access is the Demilitarized Zone (DMZ): a separate network segment, isolated from the internal network by the firewall, that holds the hosts the public is allowed to reach. Here visitors may access a web server for e-commerce, technical support or even just casual browsing, while the firewall admits inbound traffic only to those published hosts and ports and blocks connections from the DMZ into the internal network, so that a compromised public server does not become a stepping stone inward. You cannot make a sale if you cannot communicate with your customers, and even auto responders and automated shopping carts require some degree of two-way participation from both the customer and your software.</p>
<h3>Metropolitan Area Network (MAN)</h3>
<p>Another increasingly common type of WAN is the Metropolitan Area Network (MAN), which is basically the same as a WAN except that its boundaries are contained within a single metropolitan area (city).</p>
<p>In Australia, a MAN can be viewed as a network for which standard landline telephone calls are charged at the local call rate (not STD) because all end points share the same area code. With broadband configured as a permanently connected service, the customer pays the local call fee only for the initial setup connection, or for reconnection if the service is interrupted for any reason.</p>
<p>Examples of private Metropolitan Area Networks (MANs) would be the corporate links between various branches of the same organization (chain stores, banks) in the Perth metropolitan area. The key here is that, regardless of the protocols or other technologies being used, part of the transit will be via publicly accessible networks such as the Internet; the remainder will be contained within the boundaries of each site's “private LAN”.</p>
<h3>WANs, MANs and Interoperability</h3>
<p>Internetworking and interoperability are key factors critical to the realization of effective and readily available e-commerce portals as well as other external network resources and services. Regulatory and other compliance issues also need to be taken into consideration.</p>
<p>The seamless, secure interoperability of multiple systems and networks is essential in order for the general public to have free and ready access to those components of the enterprise LAN/MAN/WAN deemed desirable by that organization/enterprise.</p>
<p>For example, it is usually deemed highly desirable that the general public have rapid, seamless access to and interaction with an organization's e-commerce facilities such as the shopping cart, support services where appropriate, and resources such as online documentation.</p>
<p>The expansion of Web 2.0 functionality and the upsurge of social networking applications all rely heavily on the effective, efficient and seamless integration of internetworking and interoperability technologies at all levels.</p>]]></description>
<pubDate>Sun, 03 Aug 2008 06:23:24 PST</pubDate></item>
<item>
<title>Optical Networking</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Optical-Networking.187591</link>
<description>
<![CDATA[<p>There are a number of very closely related standards that have been developed to describe the practical implementations of optical networking. A number of very different standards and implementations also exist. I will discuss the major players here.</p>
<h3>The Advantages of Fiber Optical Networking</h3>
<p>First of all, we must note that the biggest advantage of using fiber optic networking and hence the use of fiber optic cable as a transmission medium is the high degree of immunity to noise, cross-talk and Electromagnetic Interference (EMI) that this medium provides.</p>
<p><strong>Spanning Large Distances</strong> - With the fiber optic technologies currently available today signal degradation and regeneration issues are not what they once were and so the distance factor that so limits copper-based media is of negligible consequence where fiber optic transmission is concerned.</p>
<p><strong>Environmental Damage</strong> - Environmental factors such as moisture and Radio Frequency Interference (RFI) are also not of the same criticality as they are for copper-based media. The reasons fiber optic cable provides such a high degree of immunity to noise (EMI) compared with other transmission media all stem from the use of light to convey the signals and from the construction of the cable itself.</p>
<p><strong>Security</strong> - Because of the difficulty of “tapping” a fiber optic line without being detected, fiber optic transmission media offer a more secure medium than copper-based or wireless technologies. Fiber can still be tapped, for instance by bending the fiber far enough that some light leaks out to a detector, but unlike a copper or radio tap this introduces a measurable optical loss, so monitoring received power on critical links is the practical check that such a tap has not been inserted.</p>
<p>The result is that fiber optic transmission media are the media of choice when it comes to “long haul” applications such as intercontinental, cross-continental and oceanic (marine) backbone links. It is also the preferred medium for tier one ISP backbone links. This means that new WAN implementations and applications are now predominantly fiber optic cable based, wireless rollouts being the major exception.</p>
<p>Additional information regarding fiber optic cable construction, signal propagation, signal regeneration, connectors, cable rollout and modes (single-mode and multi-mode fibers) can be found at <a href="http://www.scienceray.com/Technology/Applied-Science/Fiber-Optic-Cable.161801" target="_blank"><strong>Fiber Optic Cable</strong></a><strong>.</strong></p>
<p>I will now discuss the major standards and implementations of fiber optic networking starting with the Fiber Distributed Data Interface (FDDI) standard and then the Synchronous Optical Networking (SONET) and the Synchronous Digital Hierarchy (SDH).</p>
<h3>Fiber Distributed Data Interface (FDDI)</h3>
<p>FDDI, whose timed-token protocol evolved from the IEEE 802.4 token bus standard, is a fault-tolerant 100 Mbit/sec token-passing, counter-rotating dual-ring LAN standard that permits data transmission between end-point devices that can be many tens of kilometers apart.</p>
<p>As its name indicates, fiber optic cable is the main physical transmission medium used in FDDI, although a copper-based implementation called Copper Distributed Data Interface (CDDI) does exist. Although conceived as a LAN standard, FDDI has also been used for MAN and WAN implementations.</p>
<p><strong>FDDI Topology</strong> - In essence FDDI is a ring network similar to IBM's Token Ring, but with a number of critical differences. The most noticeable is that FDDI uses a dual-attached, counter-rotating token ring topology (see Figure 1: FDDI).</p>
<p><strong>Fault Tolerance</strong> - One ring acts as the primary transmission ring and in the original implementations was capable of delivering transmission speeds of up to 100Mbit/sec. The other or secondary ring was originally intended solely to act as a backup.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/07/29/239175_0.jpg" alt="" /></p>
<p>This meant that the secondary ring was inactive, and remained so for as long as the primary ring was functional. In the event of a failure of the primary ring (a cut cable or a failed station), the stations on either side of the fault wrap the primary ring onto the secondary ring, forming a single ring that now carries all traffic. It is this built-in redundancy that makes FDDI a fault-tolerant technology.</p>
<p><strong>Higher Effective Sustained Data Throughput</strong> - Another factor in FDDI's favor was that it used a much larger maximum frame size than Ethernet (4500 bytes against Ethernet's 1500), which meant that it was capable of much higher effective sustained throughput than standard 100 Mbit/sec Ethernet. Administrators also had the option of using the secondary ring for data transport rather than having it stand idle, doubling transmission capacity to 200 Mbit/sec at the cost of that redundancy.</p>
<p><strong>Coverage and Scalability</strong> - Not only can FDDI traverse large distances it also scales much better than 100Mbit/sec Ethernet. This means it provides superior support for expanding enterprise networks consisting of hundreds or thousands of users.</p>
<p><strong>Fiber Distributed Data Interface II (FDDI-II)</strong> - FDDI-II is a more recent development of FDDI that has added support for circuit-switched services thereby enabling FDDI to carry both voice and video signals as well. For more on FDDI including applicable standards please see <a href="http://www.computersight.com/Communication-%26-Networks/About-Fiber-Distributed-Data-Interface-FDDI.119192" target="_blank"><strong>About Fiber Distributed Data Interface (FDDI)</strong></a>.</p>
<h3>Synchronous Optical Networking - SONET</h3>
<p>Synchronous Optical Networking (SONET) is an established high-speed WAN alternative for communicating digital information using lasers or Light-Emitting Diodes (LEDs) over optical cable offered by several telecommunications companies.</p>
<p>SONET was originally developed to replace the Plesiochronous Digital Hierarchy (PDH) system for transporting large amounts of telephone and data traffic as well as providing the mechanisms that allow for interoperability between equipment from different vendors. The result is that there are multiple, very closely related standards that describe synchronous optical networking including:</p>
<p><strong>Synchronous Digital Hierarchy (SDH)</strong> - The SDH standard was developed by the International Telecommunication Union (ITU) and is documented in Recommendation G.707 and its extension G.708. SDH is used throughout the world, with the exception of North America.</p>
<p><strong>Synchronous Optical Networking (SONET)</strong> - The SONET standard is defined by GR-253-CORE from Telcordia™. It is used primarily in Canada and the USA, where SDH has not been implemented, although it can be found in other countries.</p>
<p><strong>Synchronization is Key</strong> - Through the use of atomic clocks synchronous networking data transport rates are very tightly regulated which allows for entire inter-country networks to operate synchronously while greatly reducing the amount of buffering required between elements in the network. This reduction in overhead (buffering) translates into greater effective net data throughput rates.</p>
<p><strong>Encapsulation</strong> - Both SONET and SDH can be used to encapsulate earlier digital transmission standards, such as the PDH standard, or used directly to support either ATM or so-called Packet over SONET/SDH (POS) networking.</p>
<p><strong>Generic Transport Containers</strong> - SDH and SONET are generic all-purpose transport containers for moving voice and data rather than communications protocols per se.</p>
<h3>SDH and SONET Frame Structures</h3>
<p>Standard packet or frame oriented data transmission frames usually consist of a header and a payload with the header of the frame being transmitted first, followed by the payload and a trailer (e.g. CRC). With synchronous optical networking both the header, which is referred to as the overhead and the payload still exist but the big difference is that the overhead is not all transmitted before the payload, rather the transmission is interleaved.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/07/29/239175_1.jpg" alt="" /></p>
<p><strong>Interleaved Transmission</strong> - With interleaved transmissions the transmission of the conversation goes like this:</p>
<p>First of all, a portion of the overhead (header) is transmitted. This is followed by part of the payload. After which the next part of the overhead is transmitted. This is followed by the next part of the payload and so on until the entire frame has been transmitted. Figure 2: Interleaving above shows this.</p>
<p><strong>SONET Frame Size and Transmission Sequence</strong> - SONET frames (STS-1) are 810 octets in size, transmitted as 3 octets of overhead followed by 87 octets of payload, nine times over, until all 810 octets have been sent. The frame transmission time is 125 microseconds, which gives the STS-1 line rate of 51.84 Mbit/sec.</p>
<p><strong>SDH Frame Size and Transmission Sequence</strong> - SDH frames (STM-1) are 2430 octets in size, transmitted as 9 octets of overhead followed by 261 octets of payload, also nine times over, until all 2430 octets have been sent. Again the frame transmission time is 125 microseconds, giving the STM-1 line rate of 155.52 Mbit/sec.</p>
<p>It doesn't take much brain power to see that the SDH base frame carries three times the data of the SONET base frame. This is a difference in the starting point of the two hierarchies rather than in what the technologies can achieve: SONET's next level, STS-3 (OC-3), byte-interleaves three STS-1 frames into a 2430-octet frame that is equivalent to STM-1, and the higher levels of the two hierarchies line up in the same way.</p>
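<p>The frame arithmetic above can be checked with a short model. The following Python is an added example and not code from the original article: it encodes the row layouts given in the text (plus STS-3, which the text does not list), serializes a frame in the interleaved order, splits a received frame back into overhead and payload, and derives the line and payload rates from the 125 microsecond frame period. The sample frame contents are constructed filler, apart from the A1/A2 framing bytes in the first overhead row.</p>

```python
# Added example (not from the original article): a model of the SONET STS-1 and
# SDH STM-1 frame layouts described above, with the interleaved transmission order
# and the line/payload rates that follow from the 125 microsecond frame period.
FRAME_PERIOD_S = 125e-6  # both hierarchies send one frame every 125 microseconds

# rows, overhead columns, payload columns per row (figures from the text);
# STS-3 is included to show that SONET's next level matches STM-1 in size
LAYOUTS = {
    "STS-1": (9, 3, 87),
    "STS-3": (9, 9, 261),
    "STM-1": (9, 9, 261),
}


def frame_size(name):
    """Total octets in one frame."""
    rows, oh_cols, pl_cols = LAYOUTS[name]
    return rows * (oh_cols + pl_cols)


def line_rate_bps(name):
    """Bits on the wire per second, overhead included."""
    return frame_size(name) * 8 / FRAME_PERIOD_S


def payload_rate_bps(name):
    """Bits per second available to the payload columns."""
    rows, _, pl_cols = LAYOUTS[name]
    return rows * pl_cols * 8 / FRAME_PERIOD_S


def serialize(overhead_rows, payload_rows):
    """Interleave for transmission: row 1 overhead, row 1 payload, row 2 overhead, ..."""
    out = bytearray()
    for oh, pl in zip(overhead_rows, payload_rows):
        out += oh
        out += pl
    return bytes(out)


def deserialize(stream, name):
    """Split a received frame back into its overhead rows and payload rows."""
    rows, oh_cols, pl_cols = LAYOUTS[name]
    row_len = oh_cols + pl_cols
    if len(stream) != rows * row_len:
        raise ValueError("stream is %d octets, expected %d" % (len(stream), rows * row_len))
    overhead, payload = [], []
    for r in range(rows):
        row = stream[r * row_len:(r + 1) * row_len]
        overhead.append(row[:oh_cols])
        payload.append(row[oh_cols:])
    return overhead, payload


def example_frame(name):
    """Constructed sample frame: the real SONET/SDH framing bytes A1=0xF6, A2=0x28
    open the first overhead row; everything else is filler so the round trip
    through serialize()/deserialize() can be checked."""
    rows, oh_cols, pl_cols = LAYOUTS[name]
    overhead = []
    for r in range(rows):
        row = bytearray(oh_cols)
        if r == 0:
            row[0], row[1] = 0xF6, 0x28
        overhead.append(bytes(row))
    payload = [bytes((r + i) % 256 for i in range(pl_cols)) for r in range(rows)]
    return overhead, payload


def round_trip_ok(name):
    """True if a frame survives serialize() followed by deserialize() unchanged."""
    overhead, payload = example_frame(name)
    return deserialize(serialize(overhead, payload), name) == (overhead, payload)


if __name__ == "__main__":
    for name in LAYOUTS:
        print("%s: %d octets, %.2f Mbit/s line, %.3f Mbit/s payload, round trip %s"
              % (name, frame_size(name), line_rate_bps(name) / 1e6,
                 payload_rate_bps(name) / 1e6, round_trip_ok(name)))
```

<p>Running it prints 810 octets and 51.84 Mbit/sec for STS-1, and 2430 octets and 155.52 Mbit/sec for both STS-3 and STM-1; the payload figures (50.112 and 150.336 Mbit/sec) show how much of each line rate the overhead columns cost.</p>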
<h3>Ethernet over Fiber Optic Cable</h3>
<p>Today Gigabit Ethernet and 10 Gigabit Ethernet over fiber optic cable are the most common implementations of optical local area networks (LANs) being rolled out. They are also used extensively as the transport medium of choice for the core layer of Ethernet networks.</p>
<p>The majority of the big players in the networking hardware arena, such as Cisco, Juniper and Redback, produce numerous products with fiber optic support including Ethernet over fiber optic modules. See <a href="http://www.computersight.com/Communication-%26-Networks/Network-Design-Hierarchies.178283" target="_blank"><strong>Network Design: Hierarchies</strong></a> for more about network design and the functions and features of a network's core layer.</p>]]></description>
<pubDate>Tue, 29 Jul 2008 07:33:24 PST</pubDate></item>
<item>
<title>Network Design: Hierarchies</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Network-Design-Hierarchies.178283</link>
<description>
<![CDATA[<p>All successful large scale organizing structures and activities start with a plan. This becomes ever more critical when we are dealing with complex entities, such as “networks” that are intended to be free to grow (scale), evolve (develop new capabilities and services) and to require the least amount of administrative maintenance. Here's how it's done.</p>
<h3>Hierarchies</h3>
<p>For the most part the large scale plans that we humans find easiest to comprehend, and thus implement, tend to be structured around a hierarchical model. So, rather than using a “flat network” model on which to base our design, we will use the far more flexible hierarchical model, as it allows a far greater degree of granular control and subdivision of the roles and functionalities of its constituent components.</p>
<p>We are now going to take a quick look at the key principles of the three-tier hierarchical network design model, which allow the networks we design to scale as and when required while still providing the means to retain control over their functionality, performance, accessibility, maintenance and evolution with as little effort as possible.</p>
<p>As the name indicates the three-tier network model is a dramatic departure from the flat network philosophy of the past. Fundamentally; this is a layered approach, where the three layers into which all devices are classified are; the core layer, the distribution layer and the access layer. More than 90% of all network elements including infrastructure components like transmission media will fall neatly into one or other of these three categories.</p>
<p>I say more than 90% because there will be those special components which may straddle layer functionalities or perform multiple roles. The modern ADSL broadband modem router with a built-in multi-port Ethernet switch is a common example of this type of device. So do not be fooled into thinking that a three-tiered model ordains that there must be separate devices for each layer.</p>
<p>The number of devices (routers, switches etc.) will largely be dictated by the specific requirements and resources of each internetwork being designed, on a per-internetwork basis. What is appropriate for one internetwork design may be totally unreasonable for another.</p>
<p>Always remember that it is the designer's capacity to incorporate appropriate levels of flexibility and redundancy into the design that is the art of forging an internetwork that will work and perform in accordance with the desires and capabilities of those commissioning it. Budgetary concerns will, as is nearly always the case, be one of the biggest driving forces at work here.</p>
<h3>The Core Layer</h3>
<p>At the top of the hierarchy the core layer is literally the core of the network. A network's core layer's purpose and responsibility is squarely focused upon the transportation of large amounts of traffic both reliably and quickly.</p>
<p>This means that the core should switch traffic as fast and reliably as possible, because any failure at the core will most likely affect every single user of the network. User data should be processed by the distribution layer, which forwards it to the core layer if appropriate. When designing a network, the high priority objectives that should be built into the core layer are high-speed, highly reliable, fault-tolerant components with the lowest possible latency, connected in such a manner as to eliminate bottlenecks.</p>
<p>For the same reason, the routing protocols implemented at the core layer must be those with the lowest convergence times, as any delay there is amplified downstream throughout the network and hence felt by all.</p>
<p>The core layer's data-link technologies must exhibit high speed with built-in redundancy such as FDDI, Gigabit Ethernet or 10G Ethernet incorporating redundant links and even SONET or ATM both of which also include multiple redundant links.</p>
<p>Ideally there should be no access lists, access list processing or packet filtering performed by the core layer. This means that there will be no workgroup access or workgroup access support provided by the core. Nor will any inter-VLAN routing take place here.</p>
<p>One final point of advice is that one should upgrade to increase core performance rather than expand (adding routers etc.) as the internetwork grows.</p>
<h3>The Distribution Layer</h3>
<p>The distribution layer (also referred to as the workgroup layer) is the communication point between the core layer and the access layer. The distribution layer should not duplicate the roles or functionalities provided by the other layers. Your design solutions should reflect this by deliberately excluding from the distribution layer all factors, services and functions that are, or should be, the province of another layer.</p>
<p>Furthermore, other design concepts that need to be at the forefront of one's thought processes when designing a network are that the primary functions of the distribution layer will encompass many intermediary or &amp;ldquo;middle-man&amp;rdquo; network aspects, functionalities and services. These functions must be transparent to the user.</p>
<p>Network functionalities implemented at the distribution layer will include many of the network's core infrastructure-based decision making processes including routing, routing protocol redistribution, static routing, inter-VLAN routing, best path determination and address translation. Ideally, the definition of broadcast and multicast domains, packet filtering, queuing and the implementation of access lists should all occur at the distribution layer.</p>
<p>Network policy and network security are implemented at the distribution layer, using both hardware and software devices and solutions. Since WAN access is generally provisioned at the distribution layer, firewalls (Cisco PIX, Microsoft ISA Server, ZoneAlarm etc.), intrusion detection systems and intrusion prevention systems and appliances are incorporated into the network here. This is also the layer that enforces the policy protecting the core, since the core itself performs no filtering.</p>
<p>Other critical decision making functions of the network that get implemented at the distribution layer involve core layer access determination (the how and when packets can access the core) and core layer access restriction (limiting access to the core layer on an only if absolutely necessary basis).</p>
<p>The determination of the manner and mechanisms for handling network service requests is conducted by distribution layer devices. For example determination of the fastest way for requests to be forwarded to servers and other peripheral Services (e.g. Internet Access).</p>
<p>Workgroup support functions, the implementation of additional tools and the provisioning of network operation flexibility are some more tasks generally assigned to the distribution layer.</p>
<h3>The Access Layer</h3>
<p>This brings us to the access layer, which is also referred to as the “desktop” layer. The main functions of the access layer revolve around access control: regulating user and workgroup access to the network/internetwork's assets, resources and services.</p>
<p>The pervading philosophy of “shortest distance” should prevail when designing an internetwork's access layer. This means that those resources that the majority of a group of users or workgroups access regularly should be available locally. Here is where the 80/20 rule comes into play.</p>
<p>The 80/20 rule states that 80% of all network traffic should remain within the boundaries of the local segment. Better still, subnet the Local Area Network (LAN) so that “local” traffic is contained within a single broadcast domain; then only the remaining 20% of traffic is transported via the core layer across the internetwork. This translates into “real world” performance gains for all concerned.</p>
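<p>Whether a segment actually obeys the 80/20 rule is something you can measure from flow records (NetFlow exports or a packet capture summary) rather than assume. The following Python is an added example, not code from the original article; the subnets, the addressing plan and the flow records are constructed for illustration, and the classification only distinguishes traffic that stays in the source segment from traffic that must cross the distribution and core layers.</p>

```python
# Added example (not from the original article): checking whether a segment's
# traffic obeys the 80/20 rule from a set of flow records. The addressing plan
# and the flow records are constructed for illustration.
from ipaddress import ip_address, ip_network

# Hypothetical addressing plan for one site: two access-layer subnets behind a
# distribution-layer router, plus a data-centre subnet reached via the core.
SITE_SUBNETS = {
    "sales-lan": ip_network("10.1.0.0/24"),
    "eng-lan": ip_network("10.2.0.0/24"),
    "datacentre": ip_network("10.100.0.0/24"),
}


def subnet_of(addr):
    """Name of the subnet holding addr, or 'external' for anything else (Internet, partners)."""
    a = ip_address(addr)
    for name, net in SITE_SUBNETS.items():
        if a in net:
            return name
    return "external"


def classify(flow):
    """'local' if both ends sit in the same segment, otherwise 'transit'
    (the flow crosses the distribution and possibly the core layer)."""
    src, dst, _ = flow
    return "local" if subnet_of(src) == subnet_of(dst) else "transit"


def locality(flows, segment):
    """Split the bytes sourced from `segment` into local and transit shares.

    Returns (local_fraction, transit_fraction, total_bytes) for that segment."""
    local = transit = 0
    for flow in flows:
        src, _, nbytes = flow
        if subnet_of(src) != segment:
            continue
        if classify(flow) == "local":
            local += nbytes
        else:
            transit += nbytes
    total = local + transit
    if total == 0:
        return 0.0, 0.0, 0
    return local / total, transit / total, total


def meets_80_20(flows, segment):
    """True when at least 80% of the segment's outbound bytes stay local."""
    local_frac, _, total = locality(flows, segment)
    return total > 0 and local_frac >= 0.8


# Constructed sample flow records: (source, destination, bytes)
SAMPLE_FLOWS = [
    ("10.1.0.10", "10.1.0.5", 900_000),        # sales PC -> local print server
    ("10.1.0.11", "10.1.0.5", 700_000),        # sales PC -> local print server
    ("10.1.0.12", "10.100.0.20", 250_000),     # sales PC -> data-centre file share (transit)
    ("10.1.0.13", "203.0.113.9", 150_000),     # sales PC -> Internet (transit)
    ("10.2.0.10", "10.100.0.30", 3_000_000),   # engineering PC -> build server (transit)
    ("10.2.0.11", "10.2.0.12", 500_000),       # engineering PC -> peer workstation (local)
]

if __name__ == "__main__":
    for segment in SITE_SUBNETS:
        local_frac, transit_frac, total = locality(SAMPLE_FLOWS, segment)
        print(f"{segment:11} {total:>10} bytes  local {local_frac:5.1%}  "
              f"transit {transit_frac:5.1%}  80/20 ok: {meets_80_20(SAMPLE_FLOWS, segment)}")
```

<p>With the constructed records the sales segment meets the rule (80% local), while the engineering segment does not, because its heaviest flow goes to a build server in the data centre: the design response suggested by the text is to move that resource local to the workgroup, not to upgrade the core.</p>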
<p>With the distribution layer taking care of any requests for remote resources and services the access layer's functions, resources and services should focus primarily upon such criteria as workgroup connectivity to the distribution layer and the elimination of potential avenues of direct unabated user or workgroup access to the core layer.</p>
<p>Access layer traffic containment and resources access strategies often include additional network segmentation through the creation of separate collision domains (e.g. by using transparent bridging workgroup class switches or LAN Switches) and more specific access controls and policies to further augment those implemented by the distribution layer.</p>
<p>Static routes rather than dynamic routing protocols should be used at the access layer. Dial-on-demand routing (DDR) and Ethernet switching are other technologies commonly used at the access layer. Local resources at the access layer will include local printers, workstations, caching servers and workgroup switches that use transparent bridging.</p>
<p>Temporary and mobile devices (laptops, notebooks, PDAs, smart phones etc.) must not be permitted any direct access to the core or distribution layers. Rather they should connect via the access layer in a highly secure manner.</p>
<p>This is most often implemented via demilitarized zones (DMZs), as one can never be sure what nasties the device may have picked up on its wanderings. Generally the device is scanned immediately upon connection and cannot be used for network access until it passes its sanitization requirements. Better safe than sorry.</p>
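<p>The policy behind the DMZ designs discussed in this section (and in the Wide Area Networks item above) can be modelled and audited before it is typed into a firewall. The following Python is an added example, not code from the original article or from any firewall vendor: the zones, addresses and rules are constructed for illustration, the evaluation is first-match with an implicit deny as on most firewalls, and the audit flags the shortcut (an allow rule from the DMZ into the internal network) that turns a compromised public server into a pivot point.</p>

```python
# Added example (not from the original article): a model of the firewall policy
# behind a three-zone DMZ design, plus an audit that catches the rule mistake
# that lets a compromised DMZ host pivot inward. Addresses and rules are
# constructed for illustration (documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing: anything outside these prefixes is the public Internet.
ZONES = {
    "internal": [ip_network("10.10.0.0/16")],
    "dmz": [ip_network("192.0.2.0/24")],
}


def zone_of(addr):
    """Security zone of an address: 'internal', 'dmz' or 'internet'."""
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "*"
    dports: frozenset     # destination ports; empty means any port
    action: str           # "allow" or "deny"

    def matches(self, src_zone, dst_zone, proto, dport):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto in ("*", proto)
                and (not self.dports or dport in self.dports))


# Policy for new connections (a stateful firewall admits the replies). First match wins.
DMZ_POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "allow"),      # published web services only
    Rule("internal", "dmz", "tcp", frozenset({22, 443}), "allow"),      # admins manage DMZ hosts
    Rule("internal", "internet", "tcp", frozenset({80, 443}), "allow"),  # users browse out
    Rule("dmz", "internal", "*", frozenset(), "deny"),                  # DMZ never initiates inward
]

# The shortcut that breaks the design ("the web server needs the database"),
# placed ahead of the deny so that it actually takes effect under first match.
SLOPPY_POLICY = [Rule("dmz", "internal", "tcp", frozenset({3306}), "allow")] + DMZ_POLICY


def decide(policy, src, dst, proto, dport):
    """First-match evaluation with an implicit deny at the end, as on most firewalls."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action
    return "deny"


def audit(policy):
    """Return (index, rule) for every allow rule that defeats the point of the DMZ:
    the Internet reaching internal hosts directly, or DMZ hosts opening connections
    inward. Flagged regardless of position, because a rule that is shadowed by an
    earlier deny today becomes live the moment someone reorders the list."""
    dangerous = {("internet", "internal"), ("dmz", "internal")}
    return [(i, rule) for i, rule in enumerate(policy)
            if rule.action == "allow" and (rule.src_zone, rule.dst_zone) in dangerous]


if __name__ == "__main__":
    probes = [
        ("203.0.113.5", "192.0.2.10", "tcp", 443),  # public -> web server
        ("203.0.113.5", "192.0.2.10", "tcp", 22),   # public -> SSH on web server
        ("192.0.2.10", "10.10.1.5", "tcp", 3306),   # web server -> internal database
        ("10.10.1.5", "192.0.2.10", "tcp", 22),     # admin -> web server
    ]
    for src, dst, proto, dport in probes:
        print(f"{src:>13} -> {dst:11} {proto}/{dport}: "
              f"strict={decide(DMZ_POLICY, src, dst, proto, dport)} "
              f"sloppy={decide(SLOPPY_POLICY, src, dst, proto, dport)}")
    print("audit findings (sloppy):", [i for i, _ in audit(SLOPPY_POLICY)])
```

<p>Rule order matters under first match: the sloppy rule only takes effect because it sits ahead of the deny, which is why the audit flags any such allow regardless of position. Where a DMZ host genuinely needs a back-end service, prefer to place that service in a second DMZ tier, or restrict the rule to a single host and port and log every connection it admits.</p>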
<p>DMZs are also widely employed to allow Internet traffic to reach a web site while reducing the site owner's exposure to malware. Email, bulletin boards and interactive Web 2.0 sites are other situations where DMZs are commonly used to erect a “barrier” between the public and private domains, allowing users (including the anonymous variety) their full site experience without unduly exposing the site, or the internal network behind it, to every piece of malware or bad intent out there.</p>]]></description>
<pubDate>Tue, 22 Jul 2008 07:39:36 PST</pubDate></item>
</channel>
</rss>
