<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>TechDoc</title>
<link>http://www.computersight.com//TechDoc.</link>
<description>New posts by TechDoc</description>
<item>
<title>Interrupt Requests (irqs)</title>
<link>http://www.computersight.com/Computers/Interrupt-Requests-irqs.276873</link>
<description>
<![CDATA[<p>A computer's main processor (CPU) is a highly tuned machine that is designed to do (basically) one thing at a time, for example execute the current instruction or operation. However, because of the way in which we humans work and use computers, we require the CPU to do many things at once (or at least to seem to be doing many things simultaneously).</p>
<p><strong>Multitasking</strong> - Projecting the impression that the CPU is performing many tasks simultaneously is known as “multitasking”. Modern CPUs contain multiple processing pipelines, and the newest CPUs actually have multiple processing cores, each with its own full complement of processing pipelines.</p>
<p>This latter development (multiple complete processing cores) has indeed given the CPU the capability to perform multiple tasks simultaneously and not merely seem to do so. The way in which processing tasks are managed and distributed among the pipelines of the multiple cores is, however, still achieved in much the same way that it has always been done.</p>
<p><strong>Multitasking Operating System</strong> - When using multitasking operating systems (such as Windows, Mac OS X and Linux) users tend to have multiple programs, utilities and applications running concurrently. For example, you may be editing a Word document, downloading from the Internet and listening to music all at once.</p>
<p>In order to do this the CPU shares its processing time among the tasks requiring its attention, including user-initiated tasks, the operating system, programs, utilities, memory management and quite a few “background” services and routines. It only appears that the processor is doing many things at once because of the incredible speed at which modern CPUs are able to switch between tasks.</p>
<p><strong>Communicating with the CPU</strong> - The majority of the subsystems in a PC need to send information to and receive information from the CPU and system memory (RAM). Most also expect to be able to get the CPU's attention when they do so.</p>
<p>In order to improve a computer's overall efficiency the CPU also needs to balance the data transfers between itself and the various other subsystems of the machine. In addition, some of a computer's subsystems, such as input/output (I/O) devices and human interface devices, tend to require “special” attention.</p>
<p><strong>Different Requirements</strong> - Another influential factor is that different devices require different amounts of CPU time, at irregular intervals.</p>
<p>The mouse, for example, needs far less attention than a hard disk involved in the transfer of a large multi-gigabyte file. Thus, in the interest of a more efficient use of a computer's finite resources, it is most beneficial if the amount of CPU time assigned to each device reflects the type of device and the nature of the operation and processing tasks involved.</p>
<p>In the above example of the resource needs of the mouse versus those of the hard drive, more resources can be allocated (even dedicated) to the hard drive for the duration of its current operation(s) while the mouse gets a smaller amount of CPU time.</p>
<p>When the hard drive has finished its current task(s) it may not be required to perform any transactions for irregular periods of time. The system will then reassign the resources that were being used by the hard drive to other devices and processes as and when required.</p>
<p><strong>Managing Processes</strong> - The computer (via the CPU) must also ensure that all active (running) processes and tasks are managed in the most efficient and organized manner possible. There are basically two ways in which this can be done: CPU polling and device-initiated interrupting.</p>
<p><strong>Polling</strong> - Polling is the process whereby the CPU systematically locates and asks each device in turn whether it requires any help or CPU processing time. Polling is a very inefficient strategy because it wastes finite resources.</p>
<p>With polling the CPU is required to perform the same task (asking each device if it needs the CPU's attention) over and over again. More often than not the device will not require the CPU's attention. Statistically, the most likely result of a hardware polling query is the same one it received last time (offer declined).</p>
<p>With polling the CPU will continue to ask each device in sequence the same question ad infinitum. To overcome polling's inefficiency a different strategy, known as “interrupting” and also referred to as the Interrupt Request (IRQ), was developed.</p>
<p><strong>Interrupting</strong> - The other way in which the CPU (processor) can handle device processing and data transfers is to have the devices requiring the CPU's attention issue a request for attention as and when they need it. This is the basic concept of interrupt requests.</p>
<p>Thus when a device has data to transfer, it generates an interrupt that says "Mr. CPU, I need your attention now, please". The processor then stops what it is doing and deals with the device that requested its attention. Modern CPUs can handle many such requests at a time. In the event of multiple simultaneous interrupt requests the CPU uses a priority system that ranks interrupt requests according to the priority associated with the device issuing the request. This is known as interrupt request management.</p>
<p><strong>Supply and Demand</strong> - One way of looking at interrupt requests is from a supply and demand perspective. While having the CPU interrupted all the time may at first glance appear to be an inefficient way to run a computer, closer examination proves otherwise. A large part of the reason is that the modern CPU is light years ahead, in terms of speed, of the vast majority of devices conducting transactions with it. To put this into perspective, consider the following scenario:</p>
<p>Suppose that a typist is typing at a rate of 120 words per minute and that on average there are five letters per word. This equates to the typist producing 600 characters of keyboard input per minute. This means that an old 200 MHz Pentium class CPU will process 20,000,000 instructions between each keystroke.</p>
<p>This is why having the processor spend a lot of time asking the keyboard if it needs any help would be wasteful, especially since the typist may at any time stop for a minute or two to review the copy, or do something else like make a cup of coffee. In fact, even while handling a full-bandwidth transfer from a 28,800 Kb/sec modem, which of course moves data much faster than the typist's fingers, the processor has over 60,000 instruction cycles between the bytes it needs to process.</p>
<p><strong>Hardware Interrupts</strong> - Hardware interrupts such as those mentioned above (typing/keyboard input and modem transfers) are distinguishable from software interrupts by the fact that they generally originate from a device outside the CPU. Table 1 below shows the default IRQs in order of descending priority.</p>
<p><img src="http://images.stanzapub.com/readers/2008/09/28/359461_0.jpg" alt="" /></p>
<p><strong>Software Interrupts</strong> - There is another type of interrupt that occurs in modern PCs, known as software interrupts. These are generated by the operating system, programs and other software applications in response to events that occur as the operating system and applications run.</p>
<p>In essence a software interrupt represents the CPU interrupting itself (as the interrupt originates from within the CPU) and is part of how the CPU is able to do many things at once.</p>
<p><strong>Basic Input/Output System (BIOS)</strong> - A computer's BIOS provides various software routines (subprograms) that can be called by higher-level software such as DOS, Windows, or their applications, to perform different tasks. This includes actions like reading and writing from the hard disk, processing information received from devices, etc.</p>
<p><strong>BIOS Access</strong> - Another performance-enhancing capability that software interrupts make possible is allowing system software (DOS or the operating system), applications and other software to call BIOS routines directly without having to know where the target routine resides in memory.</p>
<p><strong>Interrupt Vector Table</strong> - Normally, to call a software routine you need to know its address (location) in memory. However, with interrupts a table called the interrupt vector table is created, and this is used to bypass the need to explicitly know the correct address in memory. Every time the system is booted, the BIOS places in this table the address of its routine for each interrupt that it is configured to respond to.</p>
<p>So whenever DOS, the operating system or another application wants to use a BIOS routine, it generates a software interrupt. The system processes the interrupt, looks up the entry in the interrupt vector table and then automatically jumps directly to the appropriate BIOS routine. Modern operating systems and applications, as well as DOS, can also use this interrupt vector table directly.</p>
<p><strong>BIOS Bypass</strong> - More recently, newer operating systems bypass the BIOS totally, as this helps improve system performance.</p>
<p><strong>BIOS Assigned Logical Names</strong> - The BIOS assigns logical names to devices based on their IRQ number and memory address. For example:</p>
<p>IRQ 3 and I/O address 2F8-2FFh becomes COM2.</p>
<p><strong>Legacy Devices Default Settings</strong> - For older systems, such as those based around the ISA bus, it is often the case that the default IRQ assignments must be preserved. This necessity is most common with older software and games that require the ISA SoundBlaster sound card to be accessible using the following configuration:</p>
<p>IRQ 5, I/O Address 220h and DMA 1</p>
<p>Failure to comply will result in, at best, no in-game sound and, at worst, no game at all.</p>
<p><strong>Interrupt Summary</strong> - In short, interrupt requests are a mechanism that allows the various devices and software that make up a computer to jump the processing queue so that tasks of a predetermined “higher” priority are executed “out of turn”. BIOS services are accessed using software interrupts, which are similar to hardware interrupts except that they are generated inside the CPU by programs instead of outside the CPU by hardware devices.</p>]]></description>
<pubDate>Mon, 29 Sep 2008 01:36:01 PST</pubDate></item>
<item>
<title>Blade Computing</title>
<link>http://www.computersight.com/Computers/Blade-Computing.249611</link>
<description>
<![CDATA[<p>Blade servers are highly specialized, self-contained computer servers designed for high-density plug 'n' play implementations where future expansion, serviceability, versatility, scalability and flexibility are considered priorities.</p>
<h3>Specialization in the Blade Computing Model</h3>
<p>Unlike the bastion host or standard rack-mounted server, the blade computing model has a number of hardware and support systems removed from each unit. The blade chassis provides these functions rather than having each individual blade do so.</p>
<p>This has resulted in blades that are specialized for processing, network, storage, input/output (I/O) and memory subsystems. “A blade for every function” is the phrase that comes to mind.</p>
<p>If you need more processing power then add a blade that is loaded with multiple multi-core CPUs and oh-la-la, more processing power to brag about is yours. Similarly, if it's more memory for those graphics-rendering-intensive applications that you require, then add a memory blade. You can even get “general purpose” blades.</p>
<h3>Blade Computing - Rethinking the Power Supply</h3>
<p>The idea behind this is that removing these components saves considerable space. In addition, the removal of the power supply units (PSUs) not only saves considerable space, it also reduces the overall thermal energy produced during normal and stress-level operating conditions.</p>
<p>Everyone who has put their hand behind their PC is only too well aware of the amount of heat that the PSU generates. Add in the fact that the PSU is the most common component of all computers to fail and you see the sense in replacing thirty or forty cheaper PSUs with two to four more robust and reliable units. In the big-picture perspective this is actually cheaper than the multiple cheaper PSU solution.</p>
<p>By removing the dedicated one-PSU-per-server units and giving each blade a dedicated feed from a higher-quality, less failure-prone, redundant set of PSUs, considerable energy and accrued downtime losses are saved.</p>
<h3>Energy Efficiency - The Green Factor</h3>
<p>On top of this comes the added benefit of producing less waste thermal energy. The entire blade system requires less energy to run and considerably less energy for dedicated cooling solutions.</p>
<h3>The Blade Enclosure</h3>
<p>The big thing in blade computing is the engineering technologies encompassed by the blade enclosure. This is what makes it all possible. Here are some of the support features that the blade enclosure delivers:</p>
<ul>
<li> Housing for multiple blade servers</li>
<li> Housing for specialty blades - Memory blades, compute blades, storage blades etc</li>
<li> Provision of utility services such as power and cooling</li>
<li> Provision of infrastructure such as networking and various interconnects</li>
<li> Platform Management </li>
</ul>
<h3>Variations on a Theme</h3>
<p>Different manufacturers do have different ideas of what should be included with each blade as well as what should or should not be provided with the blade enclosure. However, it is all of these elements in combination that make the blade computing platform.</p>
<h3>Blade Computing Benefits</h3>
<p>The benefits delivered by the blade computing platform model include:</p>
<p><strong>Minimum Size Limit Restrictions Removed</strong> - Removal of the 1U minimum size limit that traditional rack-mounted server platforms must comply with. This permits greater design freedom for blade system designers and increases the overall versatility and flexibility of the blade platform.</p>
<p><strong>Higher Unit Densities</strong> - Instead of the 42 unit maximum of the standard rack, it is not unusual for blade systems to hold up to 100 or more individual blade units per blade enclosure. These higher densities translate into greatly reduced floor space being occupied by the data center, which in turn reduces the amount of cooling required, thereby producing great energy bill savings and a far greener all-round computing solution.</p>
<p><strong>Specialization</strong> - Through blade unit specialization further significant size reductions are achieved, and no doubt will continue to be.</p>
<p><strong>Improved Energy Efficiency</strong> - The “Greener IT” movement is becoming an ever-increasing influence in technology today and will undoubtedly continue to do so in the future. Not only does blade computing reduce an organization's energy costs, it also represents a much “greener” computing initiative.</p>
<h3>Additional Information</h3>
<p>Check out ServerWatch.com if you would like to find out more about various specialty servers and new developments in the server industry.</p>]]></description>
<pubDate>Thu, 11 Sep 2008 04:19:21 PST</pubDate></item>
<item>
<title>ATM Implementation Scenarios</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/ATM-Implementation-Scenarios.244879</link>
<description>
<![CDATA[<h3>ATM Distinguished Service Record</h3>
<p>Traditionally ATM has a long and distinguished service record for voice communications. It is also ideally suited to multiplexing environments and can be readily configured to carry VoIP traffic streams.</p>
<p>In fact today we find that most consumer ADSL2+ implementations do offer a choice of PPPoE or PPPoA as their transport protocols (at least here in Perth). PPPoA stands for Point-to-Point Protocol over Asynchronous Transfer Mode.</p>
<p>The importance of this cannot be overlooked as it means that ATM in some form or other will be with us for some time into the future. In fact the Japanese have just recently deployed a communications satellite with an onboard ATM switch. They obviously think there is life in ATM yet.</p>
<h3>Introducing Asynchronous Transfer Mode (ATM)</h3>
<p>Originally intended to be a unified networking strategy, Asynchronous Transfer Mode (ATM) is a connection-oriented, circuit-switched, cell relay “Jack-of-all-trades” transport protocol that uses small, uniform, fixed-size cells to address the Quality of Service (QoS) issues so important to voice/video communications and the multitude of streaming applications upon which we are all so dependent.</p>
<h3>ATM Origins and Development</h3>
<p>During development of the standards for Asynchronous Transfer Mode (ATM), in the mid 1980s, the goals were to create a unified networking strategy that could act as an all-round transport system for real-time video and audio as well as for image, text and email. ATM is pretty much a “Jack-of-all-trades” transport system. The two groups primarily responsible for the development of the ATM standards were the International Telecommunications Union [ITU 2004] and the ATM Forum [ATM 2004].</p>
<p>Over time we have seen that the majority of implementations and uses that ATM has fulfilled have been primarily concerned with telephony and IP networks. Ethernet and the Internet Protocol (IP) are packet-switched network technologies that use packets of variable size referred to as frames.</p>
<h3>ATM Protocol Basics</h3>
<p>In marked contrast to packet-switched networking technologies; ATM is a connection-oriented, Data Link Layer (OSI Reference Model Layer 2), circuit-switched, cell relay protocol that runs over Synchronous Optical Network (SONET) Physical Layer links (OSI Reference Model Layer 1) using cells of identical and never varying size. Consistent predictability is the underlying ethos here.</p>
<p>Being a connection-oriented, channel-based technology means that ATM must always establish a “logical” connection between the two endpoints prior to commencement of data exchange. Significantly, ATM encodes data traffic into small, uniform, fixed-size cells. ATM cells are always 53 bytes in size and are comprised of 48 bytes of data and 5 bytes of header information.</p>
<h3>ATM Cell Structure</h3>
<p>Regardless of the original size of the packets to be transmitted, ATM breaks all packets, data and voice streams into 48-byte chunks and then adds a 5-byte routing header to each one, making a total of 53 bytes for each and every cell. The 5-byte header is essential for later reassembly. During development of ATM it was considered that dedicating 10% (5 bytes) of each cell to the header for routing information was more than sufficient.</p>
<p>ATM multiplexes these 53-byte cells instead of the larger packets and in so doing reduces the worst-case queuing jitter by a factor of almost 30, thereby removing the need for echo cancellers. I will discuss queuing jitter along with other types of jitter shortly.</p>
<h3>ATM Cell Formats</h3>
<p>ATM defines two different cell formats: the Network-Network Interface (NNI) and the User-Network Interface (UNI). Most ATM links use the UNI cell format.</p>
<h3>ATM Adaptation Layers (AAL)</h3>
<p>ATM Adaptation Layers (AAL) are the rules for segmenting and reassembling packets and streams into cells. It is the AALs that provide the support for the various services delivered by ATM.</p>
<p>Currently, there are five different AALs and the information concerning which one is being used for each cell on a cell-by-cell basis is not contained within the cell or in the cell header. Rather, this information is negotiated by or configured at the endpoints on a per-virtual-connection basis. Here are the five different AALs and their main uses:</p>
<ol>
<li>
<h4>AAL1</h4>
Constant Bit Rate (CBR) Services, Circuit Emulation</li>
<li>
<h4>AAL2</h4>
Variable Bit Rate (VBR) Services</li>
<li>
<h4>AAL3</h4>
Variable Bit Rate (VBR) Services</li>
<li>
<h4>AAL4</h4>
Variable Bit Rate (VBR) Services</li>
<li>
<h4>AAL5</h4>
Data Transport </li>
</ol>
<h3>ATM Connectivity</h3>
<p>Because ATM is a connection-oriented, channel-based technology it must establish a “logical” connection between the two endpoints prior to commencement of data exchange. ATM does this by implementing virtual circuits, channels, paths and identifiers as follows:</p>
<ul>
<li>
<h4>Virtual Circuits (VC)</h4>
Virtual Circuits (VC) are admirably suited to multiplexing scenarios. Simply by including an 8-bit or 12-bit Virtual Path Identifier (VPI) and a 16-bit Virtual Channel Identifier (VCI) pair in every ATM cell's header, each Virtual Circuit (VC) is uniquely identifiable.</li>
<li>
<h4>Virtual Channel</h4>
An ATM Virtual Channel represents the basic means of communication between two end-points. Cells are given a unique identifier called the Virtual Channel Identifier (VCI) which is placed into the ATM cells' header. All ATM cells containing identical VCIs are transported in the same Virtual Channel.</li>
<li>
<h4>Virtual Path (VP)</h4>
A Virtual Path (VP) denotes the transport of ATM cells belonging to virtual channels which share a common identifier called a Virtual Path Identifier (VPI). The VPI is included in the header of every ATM cell. In other words, a Virtual Path (VP) is a bundle of Virtual Channels (VC) connecting the same end-points. These will also have a common traffic allocation.</li>
<li>
<h4>Virtual Path Identifier (VPI)</h4>
The Virtual Path Identifier's (VPI) length varies depending on the interface it is sent on (inside the network or on the edge of the network).</li>
</ul>
<h3>ATM Traffic Contracts</h3>
<p>When an ATM circuit is set up each ATM switch is informed of the traffic class of the connection. These ATM contracts constitute part of ATM's Quality of Service (QoS) mechanisms. There are four basic types of contracts:</p>
<ol>
<li>
<h4>Constant Bit Rate (CBR)</h4>
A constant specified Peak Cell Rate (PCR) is set</li>
<li>
<h4>Variable Bit Rate (VBR)</h4>
An average cell rate is specified. This may peak at a certain predefined maximum level for a certain length of time before becoming problematic</li>
<li>
<h4>Available Bit Rate (ABR)</h4>
A minimum guaranteed rate is specified</li>
<li>
<h4>Unspecified Bit Rate (UBR)</h4>
Traffic is allocated all remaining transmission capacity </li>
</ol>
<h3>ATM Traffic Contract Delivery and Monitoring</h3>
<h4>Traffic Shaping</h4>
<p>The intended objective of traffic shaping is to ensure that cell flow will meet its traffic contract and is usually done at the entry point to an ATM network.</p>
<h4>Traffic Policing</h4>
<p>To maintain network performance it is possible to “police” virtual circuits against their traffic contracts. Basic policing works on a cell-by-cell basis, but this is sub-optimal for encapsulated packet traffic. If a circuit is exceeding its traffic contract, the network can either drop the cells or mark the Cell Loss Priority (CLP) bit (to identify a cell as being discardable farther down the line).</p>
<h3>Benefits of Using Small Fixed Size Cells</h3>
<p>The major benefits derived from using small data cells are a reduction in queue delay and jitter; particularly in multiplexing data streams. By using small, fixed-sized cells ATM is able to transport large data files all the while maintaining minimal queuing delays. Minimal queuing delays are essential to the delivery of both voice/video communications.</p>
<h4>Queue Delay</h4>
<p>Queue delay related issues include problems associated with end-to-end round-trip delays and delay variance, particularly when carrying voice traffic. High traffic volumes and/or congested networks, along with the arrival variance associated with variable routing, are among the main causes of queue delay issues.</p>
<h4>Jitter</h4>
<p>Although jitter results from queuing delay, it is also caused by deviations or displacement of various aspects of high-frequency pulses, such as amplitude, phase timing and signal pulse width, as a direct result of electromagnetic interference (EMI) and crosstalk (noise). Think of jitter as the production of “jerky” results or, in video applications, flicker. By using small fixed-size cells ATM is able to overcome the effects of queue delay as well as other types/sources of jitter.</p>
<h4>Multi Purpose Transport Protocol</h4>
<p>Asynchronous Transfer Mode (ATM) carries many different data types and formats (text, audio, video, graphics, photos etc.) from a multitude of sources and of variable sizes. When such variable-size traffic was combined with standard queuing strategies, long worst-case queuing delays were common. This is totally unacceptable where voice and real-time video traffic is concerned.</p>
<h3>Compression/Decompression Algorithms (Codec)</h3>
<p>Because of the way in which many compression/decompression algorithms work, special considerations need to be implemented in order to ensure they work as intended, including:</p>
<h4>Time</h4>
<p>The nature of time as we humans perceive it is an analogue continuum (that is to say time is a linear progression). Once past, there is no way as yet to recover the loss.</p>
<h4>Jitter and Queue Delay</h4>
<p>Jitter and queue delay are of great importance because of the nature and manner of operation of the compression/decompression (codec) algorithms used in the conversion of a digitized data stream back into an analogue audio signal. This conversion process (digital-to-analogue) is very much a “real-time, on-the-fly” process and is more attuned to “just-in-time” transport protocols.</p>
<h4>Real-Time Streaming</h4>
<p>In order to produce reliable, consistently “acceptable” output the codec needs the data items (the digitized voice data) to be presented to it in a predictable, regulated and evenly spaced data stream, hence the term “real-time streaming”.</p>
<h4>Late Arrivals</h4>
<p>If the data arrives after its allotted position/reception window in the time sequence (relating to that part of the data stream) the codec will simply drop it. Not surprisingly, this is unacceptable for IP telephony. Keep in mind that time is analogue in nature and once a “time window” elapses, the “lost” time becomes unrecoverable.</p>
<h4>Codec Packet Handling Options</h4>
<p>If the transport protocol is unable to present the data as and when the codec expects it, the codec has no choice but to assume silence, make a “best guess” or simply drop the packet. Each option is unacceptable where voice is concerned, as the conversation rapidly becomes untenable and the message does not get through.</p>
<h3>ATM Deployment Indicators and Scenarios</h3>
<h4>ATM WAN Core Implementation</h4>
<p>ATM production environment implementations have over time proved to be very successful in the Wide Area Network (WAN) scenarios. Numerous telecommunication providers and Internet Service Providers (ISPs) have implemented ATM in their Wide Area Network (WAN) cores.</p>
<h4>Slow Links</h4>
<p>For slow links less than 2M-bit/s, ATM still makes sense, which is why many ADSL systems use ATM as an intermediate layer between the physical link layer and a Layer 2 protocol like PPP or Ethernet.</p>
<h4>Linear Audio and Video Streams</h4>
<p>Interest in using native ATM for carrying live video and audio has increased recently. It is in these environments, where ATM can deliver the low latency and very high Quality of Service (QoS) required for handling linear audio and video streams.</p>
<h4>Gigabit Ethernet</h4>
<p>Today we are finding that for both new WAN implementations and for existing WAN implementation upgrades, high speed, high performance Ethernet (Gigabit Ethernet, 10Gbit Ethernet, and Metro Ethernet etc.) are rapidly replacing ATM as the technology of choice.</p>
<h4>Relative Performance</h4>
<p>At the time ATM was designed, 155Mbit/s (135Mbit/s payload) over fiber-optic cable was very fast in comparison to the other carrier/transport technologies available at the time. Since then, however, these other technologies have evolved and are now considerably faster than they once were.</p>
<h4>Jitter</h4>
<p>Today a 1,500 byte (12,000 bit) full-size Ethernet packet takes only 1.2 µs to transmit across a 10Gbit/s optical network. With this sort of speed, jitter is no longer the issue it once was. By overcoming the potential adverse effects of jitter through this ramping up of network transfer speeds we have at the same time removed the need for using small uniform cells to overcome jitter.</p>
<h4>Complexity</h4>
<p>Unfortunately, due to ATM's complexity it proved to be unsuitable for deployment in many of the scenarios that its creators had originally intended.</p>
<h4>Converged Networks</h4>
<p>The speed and traffic-shaping requirements of many converged networks are also proving to be very challenging for ATM.</p>]]></description>
<pubDate>Sun, 07 Sep 2008 06:31:10 PST</pubDate></item>
<item>
<title>Wireless Networking Physical Security</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Networking-Physical-Security.232547</link>
<description>
<![CDATA[<h3>Environmental Awareness and Physical Security</h3>
<p>The first step in every security assessment and hardening process is to conduct an environmental survey, tailored to the specific scenario, that builds a comprehensive awareness and understanding of the prevailing functional operating environment.</p>
<p>One all too often overlooked aspect here is physical security. One should never forget that all security starts with the physical and only then progresses to the logical, where appropriate. Without further ado, here are the issues and potential solutions that merit consideration with regard to all wireless networking environments and implementation scenarios.</p>
<h3>Fixing and Camouflage</h3>
<p>So make sure that all of your Wireless Access Points (WAPs) are physically secured. Tie-downs and camouflage are great ways to do this. Both camouflaged and secreted devices (located in suspended ceilings, etc.) have the added security benefit of being hidden from general view.</p>
<p>The old adage “out of sight, out of mind” immediately springs to mind. What cannot be seen is often out of mind and therefore less likely to go walkabout. WAPs can be secreted in suspended ceilings, wiring closets or fixtures such as ornaments and planter pots. This also makes for a far more aesthetically pleasing result all round.</p>
<h3>Signal Degradation</h3>
<p>For wireless networking, physical security also entails taking the following into consideration: environmental interference from other wireless devices, cell phones and the like; electromagnetic interference (EMI) from other electronic and electrical devices such as TVs, radios and public address systems; signal attenuation and degradation; and, for the network's wired components (such as those connecting your WAPs and wireless bridges/routers to your wired LAN), noise and cross-talk.</p>
<h3>Functional Reliability</h3>
<p>Do not overlook the need for equipment reliability and robustness, along with adequate operating functionality in emergency situations. It is imperative that, in the event of an emergency or catastrophe, your wireless network remains fully functional unless circumstances dictate otherwise. Communication is usually the most valuable resource in times of doubt and uncertainty. Just ask the military.</p>
<h3>Naming, Labeling and Documentation</h3>
<p>An appropriate secure customized naming convention complete with a fully complementary secure labeling system is a must. This is generally of higher importance for a business wireless networking environment where there may be considerable numbers of roaming network member devices than is usually the case for the home wireless network.</p>
<p>On top of this, wireless network physical security requires appropriate planning to ensure the ready location and identification of network devices in the event of malfunctions, failures or hacking attempts (successful or not), especially when physical access to the equipment in question becomes necessary. This will of course include proper documentation detailing all physical aspects of the wireless network, including device locations and identification markers.</p>
<h3>Wireless Traffic Control</h3>
<p>Another principal element of physical security for all wireless networks that rates special mention here is traffic control. Just as one regulates the physical ebb and flow of people on any given site through orchestrated control of transport facilities and mechanisms, the same holds true for the regulation and control of traffic flow on wireless networks.</p>
<p>Consider this to be very much akin to a perimeter-based site/facility security strategy that deploys multiple layers of defenses for physical site access. In networking applications, firewalls can do an admirable job of regulating authenticated access, very much as a fence and guard-house do for facility perimeter security. So install one and ensure that it is correctly configured.</p>
<h3>Physical Traffic Control Mechanisms</h3>
<p>With regard to physical traffic control for wireless networks, the majority of options will be implemented partly in hardware and partly in logical configuration. The exact mix will be situation specific. Planning and due care with device placement, the selection of transmission frequency bands and power ratings will all have a role to play.</p>
<p>Consider that some frequencies have better physical penetration attributes than others, while more powerful signals (higher wattage) will be propagated further and will also penetrate fixtures better. There have been documented instances of wireless network signals being detectable and of service level quality at up to 125 miles from the transmission source (the official world record distance as recorded by <a href="http://www.wifi-shootout.com" target="_blank">http://www.wifi-shootout.com</a>).</p>
<p>For these reasons in a high security zone one might need to deploy more specialized WAPs set to a lower transmission power rating than usual in combination with unidirectional antennae rather than omnidirectional antennae. The additional costs of these types of units are readily justifiable in terms of the additional security levels attained.</p>
<p>From a fiscal standpoint it is worth noting that this small additional cost is a one-time, up-front encumbrance, and the finance department will love the fact that these devices are far more sturdy and reliable and in general have a longer expected mean operating life, thereby reducing running costs and failure-induced troubleshooting and replacement rates.</p>
<h3>Logical Traffic Control Mechanisms</h3>
<p>Having implemented perimeter-based access verification and validation security initiatives we may well need to implement additional logical controls and network subdivisions such as Demilitarized Zones (DMZs). DMZs for instance allow for additional network traffic control, regulation, isolation and compartmentalization.</p>
<p>Limiting wireless devices to specific areas/zones of a network also delivers additional benefits such as greater economy and efficiency of bandwidth usage patterns and superior levels of granular administrative capabilities and ease of use.</p>
<h3>Wireless-Free Zones</h3>
<p>There are also many instances where the functionality of wireless networking devices, along with that of mobile communications or entertainment devices, is undesirable or unwelcome. The most sensitive of these areas are those housing sensitive electronic equipment, such as hospital trauma, intensive care, surgical and coronary care units and life support systems. Areas where flammable materials are handled, stored or used also qualify as wireless-free zones.</p>
<p>In these cases and others like them we need to monitor to ensure that wireless devices are not functional within a specific perimeter and that signal leakage from wireless-enabled sectors does not reach in. Perimeter threshold detection is generally considered to be the most effective solution here.</p>
<p>By this I mean that metaphorically speaking a line is drawn beyond which none of the above devices will pass while still turned on. Hospitals generally paint a red line on the floor, walls and ceiling to clearly mark this threshold.</p>
<h3>Collateral Damage</h3>
<p>When designing and planning a wireless network remember to incorporate provisions that address physical security from the health perspective by ensuring that no possible harm, collateral damage or interference can be caused by the network, its devices and its signals. Cables for example, should be secured and out of harm's way as should WAPs.</p>
<p>We don't, for instance, want a WAP falling onto somebody, from a humane perspective as well as from a litigation avoidance perspective. Nor do we want our wireless network to cause the cardiac pacemaker of a passer-by to malfunction. Here is a case where clear, readily noticeable and unambiguous notifications (signage) are our main preventative and compliance option. I guess this is more or less a disclaimer approach really.</p>
<p>Not only do we need to protect and guard humans from harm caused directly or indirectly by our wireless network and its components, but we need to protect our wireless network from physical harm caused by humans and/or the environment as well. It is up to us to provide for our network's physical well-being, as it cannot do this for itself.</p>
<h3>Regulatory Compliance</h3>
<p>Regulatory compliance issues also need to be addressed at all levels and all stages of a wireless network's life cycle. Local and regional standards and regulations need to be researched and fully compliant measures implemented. Policies also need to be developed, made appropriately available to those concerned and of course implemented.</p>
<h3>Pass-Through Point Security</h3>
<p>Just as a site's physical access controls may see the installation of fences and the stationing of security guards at primary access points, the same can often be done for wireless networks. For example, there may be the opportunity to implement search mechanisms such as the pass-through points seen at airports. This is one way of ensuring that unknown devices do not enter the coverage area of your wireless network.</p>
<p>Unfortunately, for most businesses it is often impractical to implement this type of measure, as the cost and negative customer reactions may rule it out as overly draconian. Larger chain retailers do, however, employ pass-through scanning devices, but these are attuned to the detection of merchandise theft rather than the prevention of unauthorized wireless access.</p>
<p>Note, however, that for areas not publicly accessible and/or where sensitive materials are stored, pass-through inspection security is a viable option. Espionage is a reality that must be addressed. If the theft of property is not reason enough, the risk of sabotage may carry sufficient weight to justify implementing pass-through surveillance mechanisms.</p>
<p>So much damage has been done in the past by persons posing as service or utility personnel that many facilities, especially an organization's research and development and marketing divisions as well as its datacenter, have seen fit to implement the pass-through security approach.</p>
<h3>Wireless Network Presence Detection</h3>
<p>Although a wireless network uses a medium that is invisible to the human eye, with the right tools it becomes very observable. Tools such as Kismet, for example, have very little difficulty in detecting the presence of a wireless network. Furthermore, there is very little you can do to prevent this type of detection; after all, wireless signals are transmitted over the public domain. Fortunately, however, there is a lot you can do to prevent exploitation of a wireless network after detection.</p>
<p>The implementation of full conversation encryption including that of authentication mechanisms and connection establishment is, as far as most would-be intruders/hackers are concerned, just too much hard work considering that there are untold numbers of easier targets to be had.</p>
<h3>Quality of Service (QoS) Geographical Access Parameters</h3>
<p>One should always consider geographical access and connectivity requirements and parameters in conjunction with the desired timely delivery of Quality of Service (QoS) metrics. The wireless network's ideal is to provide adequate connectivity and accessibility throughout the entire area of intended coverage (no drop-out zones) and with a specified level of Quality of Service (QoS) for said area but no more.</p>
<p>The Quality of Service (QoS) factor may be defined by either meeting or failing to meet specific performance metrics such as transfer rates or strength of encryption.</p>
<p>The geographical network confinement parameters are generally characterized and measured by the degree of signal leakage beyond a specified intended perimeter of coverage. The distance, signal strength, signal quality and degree of availability both within and beyond the designated network perimeter are the parameters that define and delineate that point at which signal leakage becomes unacceptable.</p>
<h3>Network Monitoring and Site Surveys</h3>
<p>In monitoring the attributes of a wireless network, tools such as AirSnort, Wireshark (formerly Ethereal), NetStumbler and Kismet are your friends. Use them to conduct regular site surveys to assess signal leakage. If need be, take the appropriate remedial measures to ensure compliance at all times and locations.</p>
<p>Some organizations even go to the extent of using signal jamming technologies to ensure that any leakage is rendered useless and piggy-backing cannot take place.</p>
<h3>Line of Sight</h3>
<p>Line of sight requirements need to be assessed carefully from the perspectives of both the current scenario and extrapolated into making predictions of the most likely conditions that will be prevalent at various predefined times in the future. Trees for example have a habit of growing.</p>
<p>So where a clear line of sight exists today the possibility that this will not be so in the future must be evaluated. In the case of trees one solution might entail lopping every other year in order to preserve said clear line of sight. No matter the terms or conditions, the establishment and implementation of a documented schedule or regime that addresses these types of issues needs to be set forth.</p>
<h3>Conclusions</h3>
<p>Wind, vibration, the environment in general and other factors including human interference of one form or another will all conspire to throw the most carefully designed and implemented wireless network out of alignment. Persistent cognizant vigilance must be your motto and creed.</p>]]></description>
<pubDate>Thu, 28 Aug 2008 08:31:08 PST</pubDate></item>
<item>
<title>Wireless Networking Security Considerations</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Networking-Security-Considerations.232451</link>
<description>
<![CDATA[<p>Without doubt, the implementation, maintenance, updating and testing of a network's security suite, together with ongoing assessment of the network's state of preparedness, form the fabric upon which the counteracting of all forms of unauthorized network access and use, before, during and after the event, is based.</p>
<h3>Introduction</h3>
<p>It would be nice to live in utopia, that ideal world where nobody was a villain and misdemeanors never occurred. Unfortunately for the majority of us residing back here on planet Earth, security breaches, compromises and issues are all too real and unpleasant facts of life. Regardless of our station in life somebody is always trying to get a free lunch at our expense or trying to take advantage of us in some other way.</p>
<p>That being said, we need to identify the objectives, acceptable standards, policies and regulatory compliance requirements that our wireless network security should deliver.</p>
<h3>Wireless Networking Security Objectives Defined</h3>
<p>It is widely recognized that the underlying themes of all network security, and not just the wireless components, should be such that they consistently ensure adherence to the principles expressed by the CIA of Security ethos. Simply put this means the planning, implementation and maintenance of organization/network-wide Confidentiality, Integrity and Authentication (CIA).</p>
<p>The implications of this are that only duly authenticated authorized users have full access to all of their allocated network resources, assets, capabilities, bandwidth and Quality of Service (QoS) in line with the appropriate user rights, permissions and privileges whilst maintaining full and comprehensive organization-wide network confidentiality and integrity. The trick is in doing so seamlessly and transparently to the user.</p>
<h3>Strategies</h3>
<p>Security strategies and solutions consisting of multiple layers of protection, blending physical security, multiple layers of authentication, network monitoring, traffic flow control, firewalls, intrusion detection, intrusion prevention, surveillance, logging and log analysis, specialized software and hardware, and complementary technologies, are widely regarded as the fundamental pillars upon which rock-solid network security is built.</p>
<p>Make no mistake about it, this holds true for wired and wireless networks alike. By employing a security-in-depth approach many exploits can be negated. An example of where multiple layers of authentication can return handsome dividends is in wireless network access.</p>
<p>The first line of defense is network access and connectivity control. Users should be required to provide valid, current authentication credentials in order to begin to access the wireless network. Users' wireless adapters should also be required to authenticate themselves.</p>
<p>Machine authentication can be implemented by simply creating a MAC address filter table on the Wireless Access Point (WAP) or wireless router. Devices lacking a listed, qualified MAC address will be automatically denied network access. This level of access control actually precedes any user-based authentication mechanism, since the MAC address is contained in the Layer 2 header of every frame placed onto the network. Bear in mind, though, that a MAC address can be changed in software, so this filter is a first hurdle rather than a strong control and should only ever be used alongside the other layers described here.</p>
<p>The next line in our defenses could involve additional authentication at various points throughout the network, including transit beyond the local segment. For wireless networking components this can most easily be achieved by configuring dedicated wireless-only network segments or through Virtual Local Area Network (VLAN) segmentation for wireless devices.</p>
<p>These specialized and segregated wireless networking segments can be placed into Demilitarized Zones (DMZs) for ease of administration. It is also advisable to make sure that they are on LAN segments physically independent of the rest of the network. Secondary user passwords or passphrases can be implemented at the application level as well.</p>
<p>Failure to incorporate a multi-layered approach makes successful intrusion far more likely. If all an attacker need do is “crack” one password or passphrase, then once they have gained access to a wireless network component without secondary authentication mechanisms in place you can safely assume that they will also have gained full access to your entire network. This means all assets and resources, including those of the wired segments.</p>
<h3>Wired and Wireless Issues</h3>
<p>I will now cover the major issues and areas of concern pertaining to wireless network security. Please note that this list is not intended to be absolute nor complete. New exploits and threats arise every day. Hence I have elected to present and highlight here those areas representing the greatest concern and/or those areas most likely to present future new threats and exploits.</p>
<p>Many of the generic issues discussed below apply equally to wireless and wired networks alike. This is especially so when the device in question is a consumer class broadband modem/router. Both the wired and wireless versions will exhibit the same basic preconfigured functionalities and default manufacturer configurations. For example manufacturers tend to use the same default administrator name, administrator password and network names as well as enabling DHCP by default.</p>
<p>So let's get to it and as always security starts with the physical and wireless networking is no different.</p>
<h3>Physical Security</h3>
<p>There are many physical security related issues regarding wireless networking security, including the physical security of the device itself (accidental loss, theft, etc.), device naming and labeling conventions, physical accessibility (so critical for troubleshooting), coverage, Quality of Service (QoS), bandwidth, signal distortion, degradation and strength, device location, type of antenna and many more. If you would like to read more then check out Wireless Networking Physical Security.</p>
<h3>Transmission Media</h3>
<p>Because wireless networks use a public domain transmission medium, which is freely accessible to anyone with the right tools and desire, it is imperative that additional care and attention be paid to security aspects throughout the network's entire life cycle. So it is that the appropriate time for consideration of these initiatives to commence is at the very beginning of the network's life cycle during the technical requirements analysis and evaluation, planning and design stages. The process will be ongoing from there.</p>
<h3>Documentation</h3>
<p>Wireless device manufacturers usually provide the device's supporting documentation either on a disc bundled with the device or as a download from the manufacturer's website. In general, this documentation describes first steps/getting started, minimum requirements, preparation, installation, additional security procedures and finally troubleshooting and support.</p>
<p>Unfortunately, the vast majority of users will either ignore or skim over this information, or anything else that is not pictorially depicted in the quick start guide. Let's face it, these are the realities of our plug "n" play world. The device is working and I can use it; end of deal.</p>
<h3>Plug "n" Play</h3>
<p>The rise in popularity of wireless networks and technologies can in no small part be attributed to plug "n" play capabilities. On the one hand this is a boon for ease of connectivity, user friendliness and all-round ease of use. Yet it is these very aspects that make plug "n" play devices across the board so susceptible to subversion and compromise.</p>
<p>The problem with the default plug "n" play “silent install” approach to the installation and configuration of all devices (including wireless networking devices) is that, in so far as network/device security is concerned, it is no approach at all.</p>
<h3>Manufacturer Defaults</h3>
<p>Manufacturers preload their hardware with device specific software (firmware) and a basic configuration intended to get users up and running in the shortest possible time with minimal required user input.</p>
<p>Factory set default configurations, parameters, options and settings of most if not all devices are in the public domain. This is due to the fact that detailed and specific device defaults lists and documentation are generally freely available on the device manufacturer's website. They can also be found on a number of other third party websites.</p>
<p>The big difference between the documentation, resources, tutorials, etc. that are published on a manufacturer's website and those published on third party websites is that, on the whole, the third party sites tend not to confine their listings to only those devices made by a single manufacturer. They also tend to reveal more of and about the inherent flaws and potential exploits of a device that a manufacturer would prefer to “overlook”. You might say that they are a one-stop shop.</p>
<h3>War Driving and Wireless Network Hacking</h3>
<p>While most of us have heard of hacking, the practice of “<strong>war driving</strong>” is not so well known. So, for the benefit of one and all, war driving is the practice of cruising around with a wireless-enabled laptop complete with a plethora of wireless networking detection and cracking tools. Many war drivers even make use of GPS to pinpoint the precise locations of any wireless networks detected.</p>
<p>The major distinction between the two is that war driving is all about discovering the existence of wireless networks. Hacking wireless networks, on the other hand, is about cracking/breaking into those wireless networks discovered through war driving or any other means, such as packet sniffing.</p>
<p>In short, the hacking of wireless networks is all about gaining access to a network whilst not being a legitimate, bona fide network user with authentic access privileges and rights. This does not imply in any way that a would-be intruder is necessarily malevolent.</p>
<p>For example, legitimate, authorized and authentic security staff conducting site surveys, penetration testing or network preparedness assessments usually do not have “evil” intent. Still others may be attempting to access your wireless network for the thrill of it, simply because it's there.</p>
<p>Note that the tools used for war driving and standard wireless hacking purposes are generally the same. In addition, these tools are freely available for download via the Internet usually in the form of self extracting automatic installation packages or user installable software.</p>
<p>What many may not realize is the degree of user friendly sophistication and capabilities that these tools have attained over the years of their existence and development. So it is that in today's wireless networking climate we must assume that attackers are by default armed with these tools. With this in mind we can construct our defenses in a manner best suited to counteracting a multiplicity of threats originating from all angles.</p>
<h3>Conclusion</h3>
<p>In combination, a device's factory defaults and plug "n" play silent installation and setup provide a very user friendly, fast and convenient way to get a device up and running. Yet it is these very same factory default/plug "n" play device parameters, configuration settings and behaviors that make wireless networks and wireless devices installed in this way, without any further user/administrator interaction, inherently susceptible to compromise.</p>
<p>Therefore, immediately after the initial setup and installation has completed successfully the first security tasks that you should religiously attend to are the modification and/or customization of the basic manufacturer factory default settings, administrator names, passwords and configurations.</p>]]></description>
<pubDate>Thu, 28 Aug 2008 07:10:15 PST</pubDate></item>
<item>
<title>Internet Structure and Topology</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Internet-Structure-and-Topology.218395</link>
<description>
<![CDATA[<h3>Neutrality Under Fire</h3>
<p>As will soon become apparent, it is the way in which the Internet has evolved and hence its current structure that allows for the possibility of certain ISPs and larger Telcos to jointly exercise what would amount to an elitist monopolistic style of control over the Internet encompassing all elements and aspects of its accessibility, delivery, reach and functionality.</p>
<p>It is those issues surrounding current and future Internet accessibility that are of particular relevance considering the content, scope and provisions of various tabled and pending legislations in the USA and other countries. Make no mistake about it. What is at stake here is the very thing that has made the Internet what it is today; its neutrality.</p>
<p>Therefore; throughout the course of this investigation, we will be keeping an eye to the future while paying specific attention to how it is possible for ISPs, if permitted to control the Internet and all elements and aspects of its accessibility.</p>
<p><img src="http://images.stanzapub.com/readers/2008/08/20/282393_0.jpg" alt="" /></p>
<h3>A Distributed Wide Area Network (WAN) Model</h3>
<p>In essence, the Internet (internetwork) is based around a distributed Wide Area Networking (WAN) model (see Fig.1 above) comprised of untold numbers of different networks of varying architectures, topologies, technologies, sizes and complexity being linked together to form one giant internetwork spanning the entire globe and even beyond into space. Yes, they do have Internet access onboard the International Space Station (ISS).</p>
<p>As depicted in Figure 1, consumers, enterprises and organizations of all types and sizes wishing to access remote resources or to connect with another network via the Internet must first establish and maintain a connection with their Internet Service Provider (ISP). This ISP will in turn access the Internet backbone either directly at an Internet Exchange Point (IX or IXP) or by connecting with another (usually larger) ISP from whom they purchase IP transit or with whom they peer. See <a href="http://www.computersight.com/Communication-%26-Networks/IP-Transit.195491" target="_blank"><u>IP Transit</u></a> for more details.</p>
<p>The key factor that defines a distributed WAN is that servers and clients will be spread throughout the entirety of the network more or less randomly. In fact, up until recently the majority of Internet access and services were such that end-points would be continually and sporadically connecting and disconnecting without prior notice to their ISP.</p>
<p>From an ISP's perspective, this behavior placed scalability issues among the hardest facets of service provision and quality of service delivery to address.</p>
<p>It was also common for ISPs to terminate endpoint connections that they (the ISP) “deemed” to be idle. Unfortunately, the end user and their ISP often have very different and conflicting ideas and definitions of what constitutes idle and therefore qualifies for connection termination. This has always been the most frustrating characteristic of traditional dial-up Internet access.</p>
<h3>The Rise of Point-to-Point Links</h3>
<p>When dissecting and analyzing the structure and topology of the Internet it is important to never lose sight of its fundamentally distributed conglomerate nature. One direct consequence of this is that routers play an essential role in connecting together the various networks and subnets which comprise the Internet.</p>
<p>In general, whenever these different networks are not geographically adjacent dedicated always on point-to-point links have up until recently been the traditional modus operandi (see Figure 2 below).</p>
<p><img src="http://images.stanzapub.com/readers/2008/08/20/282393_1.jpg" alt="" /></p>
<p>Historically, this type of full-time point-to-point telecommunications interconnect is known as a leased line and in its simplest form consists of a dedicated telephone line with modems and routers (or modem/routers) at each end. Standard practice in implementing this design is to assign the dedicated link a subnet unto itself with only two IP addresses, one for each end.</p>
<p>This type of arrangement was fine from an enterprise perspective as it permitted various geographically dispersed branches of an organization to be permanently connected while preserving IP addresses.</p>
<p>The biggest drawback however, is the fact that point-to-point connectivity deployed as a full mesh topology (see Figure 2 above) rapidly becomes an over complicated administrative and economical nightmare. As the number of separated sites requiring interconnection increases, so too does the number of relatively expensive dedicated leased-lines and associated point-to-point connectivity terminal devices (modems, routers, cabling etc.) and infrastructure (distribution and access devices and wiring).</p>
<p>Another problem with traditional point-to-point connectivity is that each individual link consumed two “live” IP addresses. Incorporation of multiple redundant links, as in a mesh topology (Figure 2), improved the overall internetwork's reliable availability but consumed ever larger numbers of “live” IP addresses, which were fast becoming very hard to come by. This depletion of the available “live” IP address pool is one of the main reasons that we are currently transitioning to IPv6.</p>
<p>The practical establishment of an organization-wide mesh topology network is therefore economically and administratively unrealistic. The result was that in practice, organizations would establish up to three point-to-point links per site thereby providing redundancy of connectivity. Should any one link be disrupted the site could still communicate via the other links; albeit in a circuitous manner. The message still got through.</p>
<h3>A Cooperative Model</h3>
<p>Moving beyond a single enterprise desiring full-time interconnectivity the picture immediately increases in complexity. Now either every organization has its own routers connecting to the shared internetwork or some organizations could cooperatively share internetwork connected routers as their &ldquo;gateway&rdquo; to the internetwork. For a fee of course (see Figure 3 below).</p>
<p><img src="http://images.stanzapub.com/readers/2008/08/20/282393_2.jpg" alt="" /></p>
<p>The technical term for cooperative tariff-free network access and IP transit arrangements between different organizations (or even individuals) is peering.</p>
<p>Due to its numerous different forms, details, characteristics and manifestations peering warrants an article unto itself. Similarly, the Internet Service Provider (ISP) Tier system merits further investigation. However, due to the tight relationships between the two (ISP tiers and ISP peering) I will collectively cover them both in another article entitled Internet Service Providers (ISPs) Tiers and Peering.</p>
<p>Jumping forward in time for a moment, we find that for the Internet of today a modified cooperative model has won. Special organizations known as Internet Service Providers (ISPs) have their own Internet internetwork connected routers and the rest of us enter into an agreement with the ISP to gain usage rights for Internet access via their (our ISP's) Internet internetwork connected routers (see Figure 3 above).</p>
<h3>Internet Backbone Topology</h3>
<p>Right from the outset, the Internet in the USA has always used a backbone topology, with the original backbone network infrastructure being provided by the National Science Foundation Network (NSFNET). This structure was eventually privatised in 1995 when a variety of commercial organizations, known as Network Service Providers (NSPs) collectively took over the backbone functionality.</p>
<p>Note that in most parts of the world today (including Australia and the USA) these original Internet backbone provisioning and support NSPs are now referred to as <strong>Tier 1 Internet Service Providers (ISPs).</strong> As I will discuss shortly; very similar structures, circumstances, peering arrangements and relationships between the Tier 1 ISPs exist in practically every Internet connected country, at least at their local national level.</p>
<p><img src="http://images.stanzapub.com/readers/2008/08/20/282393_3.jpg" alt="" /></p>
<h3>Internet Exchange Points (IX or IXP)</h3>
<p>One particularly important and pervasive characteristic of the Internet that also occurs at the local, national and the global levels is that geographically speaking Tier 1 ISPs interconnect with the Internet backbone and each other at various clearly defined and readily distinguishable physical locations throughout the Internet backbone (see Figure 4).</p>
<p>Originally, these Internet backbone access and ISP interconnectivity points were known as Network Access Points (NAPs). However, the term Network Access Point (NAP) is no longer used in this context. Rather, the name commonly given to the physical locations at which Tier 1 ISP Internet backbone interconnections occur today is Internet Exchange Points (IX or IXP) (see Figure 4).</p>
<p>Note that although the term Network Access Point (NAP) is still in common use today it now refers not to the Internet backbone access points but to those points at which users access their local network. This may be a home or corporate LAN, MAN, WAN or even a public wireless hot-spot. In fact any point at which individuals access a network is considered to be a network access point.</p>
<p>As one would expect, either certain cooperative arrangements (peering) or very complex financial schemes exist between the various Tier 1 ISPs. I will be discussing these arrangements and Tier 2 and Tier 3 ISPs in another article so I won't delve into this aspect any further at this point. Suffice it to say that on the global stage the Internet is built around the same type of backbone structure with discrete Tier 1 ISP access via Internet Exchange Points (IX or IXP).</p>
<h3>ISP Point of Presence (POP)</h3>
<p>An ISP has a Point of Presence (POP) at a physical location if its customers can connect to it at that location. This holds true regardless of which tier that ISP may be classified as belonging to or which level of the Internet structure or local hierarchy we are discussing.</p>
<h3>Local Conditions and Network Evolution</h3>
<p>As an example of the changes and local conditions that may prevail in different geographical locations from time to time, I will use the Australian case. Being a one-country continent, it is somewhat easier to grasp and illustrate, even though the distinctions between Tier 1, Tier 2 and Tier 3 ISPs there are somewhat blurry.</p>
<p>Back in 1990 the Australian Academic and Research Network (AARNet) was established to connect all Australian universities and a number of research institutions. The first AARNet implementation involved a state-level router in each Australian State capital city. These routers were connected to the main AARNet hub router in Melbourne by way of expensive leased-line services. An additional leased-line was used to link the Melbourne-based hub router to the USA.</p>
<p>AARNet retained ownership of all of the routers and the provision of basic carriage services was the only involvement of Telstra, the telecommunications provider at the time. Thus, Internet access between Australian universities more or less followed the cooperative model as already discussed above.</p>
<p>This expensive-to-maintain-and-run architecture has now been replaced by a far more economical one where an ISP (C &amp; W Optus in this case) interconnects all state regional networks to each other as well as to the publicly accessible Australian and International Internet.</p>
<p>In this example we see a relatively expensive private hybrid tree/star topology network based upon point-to-point connections being replaced by a far more economical publicly accessible commercial backbone-based topology internetwork.</p>
<h3>Endpoint Connectivity and Presence</h3>
<p>While the Internet backbone is a highly structured, ordered and persistently stable component of the global internetwork, the terminal networks, user nodes and other endpoints connecting to it are free to come and go as intermittently as they please. It is merely a matter of convenience or of a fiscally driven e-commerce desirability that sees most broadband Internet connections being &ldquo;always on&rdquo;.</p>
<h3>Beyond Terra Firma and into the Future</h3>
<p>As already noted Internet access is available onboard the International Space Station (ISS). What is not so well known is the degree to which traditionally Earth-bound communications and networking technologies and devices such as routers and switches are leaving the confines of terra firma and making the transition to space; thereby becoming truly <strong>universal</strong> infrastructure devices.</p>
<p>To illustrate just how much these unified communications and networking technologies are extending their reach far beyond terra firma, the Japanese have recently launched an ATM switch onboard a communications satellite.</p>
<p>The idea is to perform the switching functions in situ (in space) rather than beaming signals from earth-bound handsets up to the satellite, down to a ground-based exchange for switching, then back up to the satellite for final relay back down to the intended earth-bound recipient. Compare this to the efficiency of a caller beaming the signal directly to the satellite, where onboard switching takes place and from which the signal is then transmitted directly to the intended recipient.</p>
<p>With the continuing evolution of converged unified communications and networking technologies and functionalities such as Voice over Internet Protocol (VoIP) this trend will not only continue into the foreseeable future but accelerate exponentially.</p>
<p>Further Reading, Additional Links and Resources:</p>
<ul>
<li><a href="http://www.computersight.com/Communication-%26-Networks/Wide-Area-Networks-WAN.193643" target="_blank"><u>Wide Area Networks (WAN)</u></a></li>
<li><a href="http://www.computersight.com/Communication-%26-Networks/Asynchronous-Transfer-Mode-ATM.122411" target="_blank"><u>Asynchronous Transfer Mode (ATM)</u></a></li>
<li><a href="http://www.computersight.com/Communication-%26-Networks/IP-Transit.195491" target="_blank"><u>IP Transit</u></a></li>
</ul>]]></description>
<pubDate>Wed, 20 Aug 2008 08:27:24 PST</pubDate></item>
<item>
<title>IP Transit</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/IP-Transit.195491</link>
<description>
<![CDATA[<p>There are many misunderstandings about what Internet Service Providers (ISPs) do and what their responsibilities are. This short paper will hopefully clear up some of the misconceptions and shed some light on IP transit and the reasons as to why certain ISPs can or cannot do something while others that can won't.</p>
<p>IP transit is a formal agreement, usually in the form of a registered contract by which wholesale Internet bandwidth is sold or resold by Internet Service Providers (ISPs) and content providers.</p>
<p>Pricing is typically offered as a fixed or sliding scale of per megabit per second per month basis (M-bit/s/Month) and requires the purchaser to commit to a minimum volume of bandwidth. Pricing for the bandwidth can be reduced significantly by purchasing larger volumes or extending the contract term.</p>
<p>Modern IP transit agreements typically provide service level guarantees to almost all of the major Internet Exchange Points within a continental geography such as North America, Europe or Australia. However, these IP Transit Service Level Agreements (SLAs) still only provide best-effort delivery since they do not guarantee service from the Internet Exchange Point to the final destination.</p>
<p>As individual consumers, we too enter into SLAs with our particular ISP to purchase IP transit. For Asymmetric Digital Subscriber Line (ADSL) broadband services these consumer grade service level contracts are generally expressed in terms of an asymmetric capped bandwidth rate usually with some upper volume limit on a Gigabytes per month basis.</p>
<p>The asymmetric aspect is generally manifested as a quoted download connection rate with a much lesser upload connection rate. Bear in mind that actual data transfer rates tend to be somewhat less than the connection rate in either direction.</p>
<p>They also tend to be variable: once the connection has been established, the actual data transfer will begin at a rate of X M-bit/sec which is not sustained indefinitely, as it will progressively decrease throughout the duration of the conversation.</p>
<p>You will however find that at some point this transfer rate depreciation will plateau; more often than not somewhere near the rate cited by your ISP as being that of the immediately adjacent lower metric and/or lower priced service agreement rate currently available to you from that ISP.</p>
<p>The result is, as I am sure you have already noticed by now, that you can download considerably quicker than you can upload. Additionally, downloading a 50MB file takes considerably longer than 50 times the time taken to download a 1MB file.</p>
<p>Considering that the average Internet consumer's usage habits are such that they will spend a far greater proportion of time downloading than they do uploading, this disparity between the two rates of transfer is usually perceived by the consumer as being satisfactory. We just accept that that is the way it is.</p>
<p>Another factor that reinforces this degree of consumer &ldquo;satisfaction&rdquo; is that the majority of us remember years of frustration with dial-up services followed by the revolutionary advent of broadband (ADSL) and now with ADSL 2+ there truly is a gap of &ldquo;light-years&rdquo; between now and then. Still I have no doubt that the magic will wear off and consumers will be primed for further higher-speed always on services and technologies.</p>
<p>One of the driving forces in this vicious cycle is the size of the average file transferred over the Internet. With the &ldquo;average&rdquo; file size increasing as rapidly as, if not faster than, the capacity of the &ldquo;I want it now&rdquo; consumer's Internet service to deliver it, impatience will often win out. Nobody likes waiting for websites that are slow to load or files that take ages to transfer. With a click of the mouse we will generally surf on to the next site.</p>
<p>Holding consumer attention is something that Web masters are all only too acutely aware of. With Google, Yahoo, MSN and co. delivering so many options for a search this should come as no great surprise. StumbleUpon.com is one such social networking service characterized by high user &ldquo;surf-through&rdquo; rates. I myself click the Stumble button if a site is slow to load. There are heaps of worthy sites yet to Stumble and so on I go.</p>
<p>The richness of Web 2.0 and user interactivity (feedback, comments, content contribution etc.) is such a powerful element that it further accelerates mass migration from once flavor-of-the-day bogged down social networking sites to newer better performing ones with such suddenness that it truly takes the breath away. Check out Delicious.com and the recent changes (including changing their user unfriendly name and URL) wrought there for these very reasons.</p>
<p>Other recent trends such as Software-as-a-Service (S-a-a-S) and many Web hosted applications; such as many of the more recent Help Desk implementations, all contribute to the richness, variety and in most instances the cost-effectiveness of the Web-based applications solutions over the traditional locally hosted varieties.</p>
<p>The most important element of all of the above implementation scenarios, and one that is very rarely investigated by the end user, is that somewhere along the line, and usually at more than one point, IP transit must be negotiated.</p>
<p>More often than not, and for various reasons not readily available to the consumer, this element of costing is hidden from obvious sight. It usually can be found in the small print of SLAs under such headings as &ldquo;overhead&rdquo;, &ldquo;establishment fees&rdquo;, &ldquo;administrative overheads&rdquo; or as a component of &ldquo;service fees/charges&rdquo;.</p>
<p>However; for commercial enterprises and particularly those with very active websites such as social networking and bookmarking sites the standard consumer grade arrangement is most definitely unsatisfactory and so they will have a different type of SLA with their ISP. Up until very recently this usually meant leased lines or dedicated fiber optic cables between their premises and the ISP's exchange equipment.</p>
<p>I must also make note of the fact that the asymmetric nature of ADSL is not always manifested by higher data transfer rates for downloading than uploading. Sometimes it is more important for a site to have upload data transfer rates superior to its download data transfer rates.</p>
<p>Instances where this type of IP transit arrangement would be considered desirable include manufacturer and developer download sites, particularly where the content of the consumer downloadable files changes often or regularly, or is deemed to be of a critical nature (antimalware sites). Generally their upload link to their consumer/customer accessible downloads and support sites would be a separate and dedicated link specifically for this purpose.</p>
<p>Other instances include urgent notification systems that need to rapidly disseminate variable critical content to a large number of target systems and users, especially &ldquo;knee-jerk&rdquo; security responses to zero-day threats and other emerging vulnerabilities.</p>
<p>Update sites such as the Microsoft Windows Updates site and their automatic updates services would avail themselves of an IP transit Service Level Agreement (SLA) where administrative upload links to these facilities would be higher than that of the download rates. They may even use SDSL access technologies.</p>
<p>Another variant of Digital Subscriber Line (DSL) broadband services is Symmetric Digital Subscriber Line (SDSL). Yes it means just what it says. Data transfer rates are more or less equal in both directions (upload and download).</p>
<p>Today, with ADSL 2+ we find that many a small to medium business no longer requires these expensive alternatives. Web hosting services have also made an impact in this area through the provisioning of assorted quality of dynamics, metrics, 24/7, auto-responder, domain hosting services and Internet point-of-presence services that are affordably suitable for many smaller scale enterprises and individual requirements.</p>
<p>No doubt this is a lucrative field for the services hosting provider. A fact reflected by the number of hosting services providers including Microsoft's entry into the arena with their free domain hosting services.</p>
<p>Once built, upload the website and the rest is taken care of (more or less). No servers to worry about. Let the networking guys at your hosting service provider do that.</p>
<p>Yet another resurfacing technology that follows the Software-as-a-Service (S-a-a-S) centralized application, processing (computing) and services philosophy is terminal services. In a terminal services production environment implementation centrally located servers host the applications, deliver services and perform the bulk of processing (computing) for those clients assigned to it. This is the same sort of structure and relationship that existed between the mainframes of yesteryear and their associated user terminals.</p>
<p>The benefits of this type of arrangement include a dramatic reduction in the amount of data that needs to be transmitted between end-points. Client requests and server replies containing the results of processing and &ldquo;dumb&rdquo; client user service accessibility requests ready for onscreen display are basically all that is transmitted.</p>
<p>The above factors also apply to wireless networking and wireless Internet access technologies. The main distinction between wireless network access (including the Internet) and other technologies is that it is wireless. Apart from this, access, authentication, logical connectivity, bandwidth and aggregate data throughput rates etc. and associated issues are for the most part much like the other available technologies when it comes to IP transit.</p>
<p>The result is that all of these factors are continually conspiring to change the face of the Internet and how we use it. For many of us, considerations and decisions relating to IP transit and the specific intricacies of the products and services offered by and stated in the Service Level Agreements (SLAs) between ourselves and our ISP rarely come to our attention. Yet there can be little doubt they are the arrangements upon which the Internet is built and commercial viability is derived.</p>
<p>I guess you could say that &ldquo;there is no such thing as a free lunch&rdquo;. One way or another, somewhere along the line, you, the end user, still pay for your share of Internet access and use. The trick from all perspectives (consumers, business, government, enterprise and organizations of all sizes and persuasions) is to minimize these costs.</p>
<p>I will discuss many and varied aspects of the Internet in future articles. Until next time enjoy!!</p>]]></description>
<pubDate>Mon, 04 Aug 2008 10:01:06 PST</pubDate></item>
<item>
<title>Wide Area Networks (WAN)</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Wide-Area-Networks-WAN.193643</link>
<description>
<![CDATA[<p>A Wide Area Network (WAN) is a type of computer network that covers a broad area and connects multiple other networks in order to make communications and data exchanges between users and machines at various geographically dispersed locations possible.</p>
<h3>Introducing Wide Area Networks (WANs)</h3>
<p>A Wide Area Network (WAN) is generally considered to be a type of computer network that covers a broad area where communications links cross regional, metropolitan or national boundaries. Today, it is probably better to think of a WAN as a network that uses routers and publicly accessible communications links. Without doubt the largest and most well-known WAN is the Internet.</p>
<p>Wide Area Networks (WANs) are used to connect Local Area Networks (LANs) and other types of networks, including Metropolitan Area Networks (MANs), Local Area Networks (LANs), wireless and private networks. The purpose of a WAN is to enable users and computers in one location to communicate with users and computers in other, often very geographically dispersed and separated locations.</p>
<p>Typically a WAN will consist of a number of interconnected switching nodes that allow transmissions from any one device to be routed through these interconnected nodes to the specified destination device(s). These nodes are not concerned with the contents of the data; rather, their interest is focused on the provision of a switching facility to move the data from node to node until it arrives at its intended destination.</p>
<h3>Wide Area Network (WAN) Models</h3>
<p>In essence there are two basic design models upon which all WAN connectivity structures and organization are based. They are:</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/03/247089_0.jpg" alt="" /></p>
<p><strong>The Centralized WAN Model</strong> - Consists of a server or group of servers in a central location and client computers or dumb terminals that connect to the server(s) which provide the bulk of the network's functionality. Figure 1 above is a logical construct of a typical centralized WAN. Note that all points lead to the centrally located servers.</p>
<p>Today's typical physical Point of Sale (POS) functionality such as that implemented by chain organizations such as banks and supermarkets etc is a classic example of a centralized WAN. Software-as-a-Service (SaaS) and web based applications are other examples of a centralized WAN computing model.</p>
<p><strong>The Distributed WAN Model</strong> - Consists of client and server computers distributed throughout the network (see Fig.2 below). The Internet is a distributed WAN.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/03/247089_1.jpg" alt="" /></p>
<p>The three tiered network design hierarchy consisting of a core layer, a distribution layer and an access layer is implemented on top of whichever WAN connectivity and organizational structures are chosen. For more about the three tiered network design hierarchy check this article out: <a href="http://www.computersight.com/Communication-%26-Networks/Network-Design-Hierarchies.178283" target="_blank">Network Design: Hierarchies</a>.</p>
<h3>Building Wide Area Networks (WANs)</h3>
<p>In order to facilitate the efficient and effective transfer of information between a WAN's end systems a number of protocols (rules that govern the transmission and reception of information between computers and network end-points) needed to be developed and implemented.</p>
<p>Generically speaking; a networking protocol is the formal description of a set of rules that describe, enable, govern and regulate the various characteristics, aspects, attributes and properties of an internetwork. One of the more important early WAN protocols was X.25. Although it is not used today, many of X.25's underlying protocols and functions (with modifications and improvements) are still in use by current iterations of Frame Relay.</p>
<p>Initially, most WANs were built using expensive leased lines. The most common production implementations of leased line based WANs involved the use of a router at each end of the leased line to connect to the LAN on one side to a hub within the WAN on the other.</p>
<h3>Wide Area Networks (WANs) Reducing Implementation Costs</h3>
<p>If ever the use of Wide Area Networks (WANs), including the Internet was to become widespread and accessible to the bulk of humanity (be it as individuals or collectives) something needed to be done to reduce the startup and running costs of planning, implementing and maintaining WANs. Fortunately solutions did exist.</p>
<p>Less costly alternatives to using expensive leased lines when building a WAN include the use of circuit switching or packet switching technologies. Here, network protocols including TCP/IP serve to deliver transport and addressing functions, while protocols such as Packet over SONET/SDH, Multiprotocol Label Switching (MPLS), Asynchronous Transfer Mode (ATM) and Frame Relay are commonly used by Internet Service Providers (ISPs) to deliver the links that are used in WANs.</p>
<h3>Wide Area Network (WAN) Connectivity Options</h3>
<p><strong>Leased Line</strong> - Provide secure but comparatively expensive Point-to-Point connectivity between two computers or Local Area Networks (LANs) using protocols such as Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC) and Synchronous Data Link Control (SDLC).</p>
<p><strong>Circuit Switching</strong> - A less expensive dedicated circuit path offering bandwidth data transfer rates ranging from 28K-bit/sec to 144K-bit/sec is created between end points. On the downside, call setup and connection establishment need to be renegotiated every time access is desired because the link is not necessarily permanent. The best-known example of circuit switching WAN connectivity is the dial-up connection. Point-to-Point Protocol (PPP) and Integrated Services Digital Network (ISDN) are two of the most widely used protocols for circuit switching WAN connectivity.</p>
<p><strong>Packet Switching</strong> - Variable length packets are transported over a shared single point-to-point or point-to-multipoint link across a carrier internetwork using Permanent Virtual Circuits (PVC) or Switched Virtual Circuits (SVC). X.25 and <a href="http://www.computersight.com/Communication-%26-Networks/Frame-Relay.121342" target="_blank"><strong>Frame Relay</strong></a> are two examples of packet switching protocols used for WAN connectivity.</p>
<p><strong>Cell Relay</strong> - Cell Relay is very similar to packet switching, but uses fixed length cells instead of variable length packets. Data is divided into fixed-length cells and then transported across virtual circuits. Unfortunately the per-cell header overhead can constitute a significant proportion of the total bandwidth. Cell relay protocols such as <a href="http://www.computersight.com/Communication-%26-Networks/Asynchronous-Transfer-Mode-ATM.122411" target="_blank"><strong>Asynchronous Transfer Mode (ATM)</strong></a> (up to 155M-bit/sec) are best for simultaneous use of voice and data.</p>
<p><strong>Virtual Private Network (VPN)</strong> - With the recent reductions in Internet connectivity costs and concurrent increases in bandwidth and transmission rates now offered by ISPs, many organizations have opted to use VPN technologies such as those on offer from the likes of Cisco Systems, New Edge Networks, Juniper, Check Point and Vyatta to interconnect their networks. One of VPN's strong points is encryption of traffic crossing the public network, and considering the prevalence of cyber-crime today it is no surprise to find that this form of WAN is currently very popular.</p>
<h3>Wide Area Network (WAN) Transmission Media and Links</h3>
<p>Any given WAN may use one, more or even all of the following technologies for the transmission and transport of information:</p>
<p><strong>Copper-Based Media</strong> - Telephone lines, coaxial cable, CAT cable etc</p>
<p><strong>Fiber Optic-Based Cables</strong> - Single-Mode and Multi-Mode (see <a href="http://www.scienceray.com/Technology/Applied-Science/Fiber-Optic-Cable.161801" target="_blank"><strong>Fiber Optic Cable</strong></a> and <a href="http://www.computersight.com/Communication-%26-Networks/Optical-Networking.187591" target="_blank"><strong>Optical Networking</strong></a> for more).</p>
<p><strong>Wireless</strong> - Radio frequency channels, microwave links, satellite channels and publicly accessible wireless &ldquo;hot spots&rdquo;</p>
<h3>Wide Area Network (WAN) Transmission Rates</h3>
<p>WAN transmission rates have typically ranged from 1.2K-bits/sec to 6 M-bit/sec, although some connections such as ATM and leased lines can reach speeds greater than 156 M-bit/sec. The advent of ADSL 2+ has upped the ante even further.</p>
<p>Now with transmission rates up to 30 Mbps, DSL and cable modem are two high data-transmission rate consumer Internet connections that transmit considerably faster than a dial-up modem (56 kbps). Add to this the fact that they are also generally cheaper than both ISDN and dial-up and you get a very cost-effective solution.</p>
<h3>Wide Area Network (WAN) Access</h3>
<p>Wide Area Networks (WANs) may be public (usually built by Internet Service Providers (ISPs) to provide Internet connectivity) while others are private (built for a specific organization). That is to say that public access to an organization's &ldquo;private&rdquo; network component is regulated by that organization. In contrast, access to public networks and user privileges remain largely unregulated beyond the criteria defined by the agreement between the consumer and their Internet Service Provider (ISP).</p>
<p>Hence, the general public, anonymous and guest visitors, colleagues, business partners, and associates etcetera may be permitted limited privilege access to various sectors of an organization's private network but not to all of it. Functionalities, services, assets and user capabilities will vary greatly on a case-by-case network-by-network basis.</p>
<h3>Demilitarized Zones (DMZs)</h3>
<p>A classic example of this regulated limited access is commonly implemented in the form of Demilitarized Zones (DMZs) that allow public access to a very restricted and confined portion of an organization's private network. Here they may be able to access a web server for e-commerce, technical support or even just for casual browsing. You cannot make a sale if you cannot communicate with your customers. Even auto responders and automated shopping carts require some degree of two-way participation from both the customer and your software.</p>
<h3>Metropolitan Area Network (MAN)</h3>
<p>Another increasingly common type of WAN is the Metropolitan Area Network (MAN), which is basically the same as a WAN except that its boundaries are contained within a single metropolitan area (city).</p>
<p>In Australia, a MAN can be viewed as a network for which standard landline telephone communications are charged at the local call rate (not STD) as all endpoints have the same area code. With broadband configured as a permanently connected service the customer only pays the local call fee for the initial setup connection or reconnection if the service is interrupted for any reason.</p>
<p>Examples of private Metropolitan Area Networks (MANs) would be the corporate links between various branches of the same organization (chain stores, banks) in the Perth metropolitan area. The key here is that regardless of the protocols or other technologies being used, part of the transit will be via publicly accessible networks such as the Internet. The remainder will of course be contained within the boundaries of their &ldquo;private LAN&rdquo;.</p>
<h3>WANs, MANs and Interoperability</h3>
<p>Internetworking and interoperability are key factors critical to the realization of effective and readily available e-commerce portals as well as other external network resources and services. Regulatory and other compliance issues also need to be taken into consideration.</p>
<p>The seamless, secure interoperability of multiple systems and networks is essential in order for the general public to have free and ready access to those components of the enterprise LAN/MAN/WAN deemed desirable by that organization/enterprise.</p>
<p>For example, it is usually deemed highly desirable that the general public have rapid, seamless access to and interactivity with an organization's e-commerce facilities such as the shopping cart, support services if appropriate, and resources such as online documentation.</p>
<p>The expansion of Web 2.0 functionality and the upsurge of social networking applications all rely heavily on the effective and efficient seamless integration of internetworking and interoperability technologies at all levels.</p>]]></description>
<pubDate>Sun, 03 Aug 2008 06:23:24 PST</pubDate></item>
<item>
<title>Optical Networking</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Optical-Networking.187591</link>
<description>
<![CDATA[<p>There are a number of very closely related standards that have been developed to describe the practical implementations of optical networking. A number of very different standards and implementations also exist. I will discuss the major players here.</p>
<h3>The Advantages of Fiber Optical Networking</h3>
<p>First of all, we must note that the biggest advantage of using fiber optic networking and hence the use of fiber optic cable as a transmission medium is the high degree of immunity to noise, cross-talk and Electromagnetic Interference (EMI) that this medium provides.</p>
<p><strong>Spanning Large Distances</strong> - With the fiber optic technologies currently available today signal degradation and regeneration issues are not what they once were and so the distance factor that so limits copper-based media is of negligible consequence where fiber optic transmission is concerned.</p>
<p><strong>Environmental Damage</strong> - Environmental factors such as moisture and Radio Frequency Interference (RFI) are also not of the same criticality as they are for copper-based media. The reasons that fiber optic cable as a transmission medium provides a high degree of immunity to noise (EMI), as opposed to other transmission media, all stem from the use of light to convey the information (signals) and from the construction of the medium (the fiber optic cable).</p>
<p><strong>Security</strong> - Due to the degree of difficulty in &ldquo;tapping&rdquo; fiber optic transmission lines without being detected, fiber optic transmission media offer a more secure medium than copper-based or wireless technologies.</p>
<p>The result is that fiber optic transmission media are the media of choice when it comes to &ldquo;long haul&rdquo; applications such as intercontinental, cross-continental and oceanic (marine) backbone links. It is also the preferred medium for tier one ISP backbone links. This means that new WAN implementations and applications are now predominantly fiber optic cable based, wireless rollouts being the major exception.</p>
<p>Additional information regarding fiber optic cable construction, signal propagation, signal regeneration, connectors, cable rollout and modes (single-mode and multi-mode fibers) can be found at <a href="http://www.scienceray.com/Technology/Applied-Science/Fiber-Optic-Cable.161801" target="_blank"><strong>Fiber Optic Cable</strong></a>.</p>
<p>I will now discuss the major standards and implementations of fiber optic networking starting with the Fiber Distributed Data Interface (FDDI) standard and then the Synchronous Optical Networking (SONET) and the Synchronous Digital Hierarchy (SDH).</p>
<h3>Fiber Distributed Data Interface (FDDI)</h3>
<p>FDDI, which evolved from the IEEE 802.4 token bus timed-token protocol, is a fault-tolerant 100 Mbit/sec token-passing, counter-rotating dual-ring LAN standard that permits data transmission between two end-point devices that can be many tens of kilometers apart.</p>
<p>As its name indicates, fiber optic cable is the main physical transmission medium used in FDDI, although a copper-based implementation called Copper Distributed Data Interface (CDDI) does exist. Although conceived as a LAN standard, FDDI has also been used for MAN and WAN implementations.</p>
<p><strong>FDDI Topology</strong> - In essence FDDI is a ring network similar to IBM's Token Ring network but with a number of critical differences, the most noticeable of which is that FDDI uses a dual-attached, counter-rotating token ring topology (see Figure 1: FDDI).</p>
<p><strong>Fault Tolerance</strong> - One ring acts as the primary transmission ring and in the original implementations was capable of delivering transmission speeds of up to 100Mbit/sec. The other or secondary ring was originally intended solely to act as a backup.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/07/29/239175_0.jpg" alt="" /></p>
<p>This meant that the secondary ring was inactive and remained so for as long as the primary ring was functional. In the event of failure of the primary ring the secondary ring would become active, and all traffic would then go to the secondary ring for transmission. It is this built-in redundancy that makes FDDI a fault-tolerant technology.</p>
<p><strong>Higher Effective Sustained Data Throughput</strong> - Another factor in FDDI's favor was that it used a much larger frame size than Ethernet which meant that it was capable of much higher effective sustained throughput rates than standard 100Mbit/sec Ethernet. Administrators also had the option of using the secondary ring for data transport rather than having it stand idly by thereby doubling transmission capacity to 200Mbit/sec.</p>
<p><strong>Coverage and Scalability</strong> - Not only can FDDI traverse large distances it also scales much better than 100Mbit/sec Ethernet. This means it provides superior support for expanding enterprise networks consisting of hundreds or thousands of users.</p>
<p><strong>Fiber Distributed Data Interface II (FDDI-II)</strong> - FDDI-II is a more recent development of FDDI that has added support for circuit-switched services thereby enabling FDDI to carry both voice and video signals as well. For more on FDDI including applicable standards please see <a href="http://www.computersight.com/Communication-%26-Networks/About-Fiber-Distributed-Data-Interface-FDDI.119192" target="_blank"><strong>About Fiber Distributed Data Interface (FDDI)</strong></a>.</p>
<h3>Synchronous Optical Networking - SONET</h3>
<p>Synchronous Optical Networking (SONET) is an established high-speed WAN alternative for communicating digital information using lasers or Light-Emitting Diodes (LEDs) over optical cable offered by several telecommunications companies.</p>
<p>SONET was originally developed to replace the Plesiochronous Digital Hierarchy (PDH) system for transporting large amounts of telephone and data traffic as well as providing the mechanisms that allow for interoperability between equipment from different vendors. The result is that there are multiple, very closely related standards that describe synchronous optical networking including:</p>
<p><strong>Synchronous Digital Hierarchy (SDH)</strong> - The SDH standard was developed by the International Telecommunication Union (ITU) and is documented in standard G.707 and its extension G.708. SDH is used throughout the world but not in North America.</p>
<p><strong>Synchronous Optical Networking (SONET)</strong> - The SONET standard is defined by GR-253-CORE from Telcordia&trade;. It is used primarily in Canada and the USA, where SDH has not been implemented, although it can be found in other countries.</p>
<p><strong>Synchronization is Key</strong> - Through the use of atomic clocks, synchronous networking data transport rates are very tightly regulated, which allows entire inter-country networks to operate synchronously while greatly reducing the amount of buffering required between elements in the network. This reduction in overhead (buffering) translates into greater effective net data throughput rates.</p>
<p><strong>Encapsulation</strong> - Both SONET and SDH can be used to encapsulate earlier digital transmission standards, such as the PDH standard, or used directly to support either ATM or so-called Packet over SONET/SDH (POS) networking.</p>
<p><strong>Generic Transport Containers</strong> - SDH and SONET are generic all-purpose transport containers for moving voice and data rather than just communications protocols per se.</p>
<h3>SDH and SONET Frame Structures</h3>
<p>Standard packet- or frame-oriented data transmission frames usually consist of a header and a payload, with the header of the frame being transmitted first, followed by the payload and then a trailer (e.g. a CRC). With synchronous optical networking both the header, which is referred to as the overhead, and the payload still exist, but the big difference is that the overhead is not all transmitted before the payload; rather, the transmission is interleaved.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/07/29/239175_1.jpg" alt="" /></p>
<p><strong>Interleaved Transmission</strong> - With interleaved transmissions the transmission of the conversation goes like this:</p>
<p>First of all, a portion of the overhead (header) is transmitted. This is followed by part of the payload. After which the next part of the overhead is transmitted. This is followed by the next part of the payload and so on until the entire frame has been transmitted. Figure 2: Interleaving above shows this.</p>
<p><strong>SONET Frame Size and Transmission Sequence</strong> - SONET frames are 810 octets in size, transmitted as 3 octets of overhead, followed by 87 octets of payload, nine times over until 810 octets have been transmitted. The total frame transmission time is 125 microseconds.</p>
<p><strong>SDH Frame Size and Transmission Sequence</strong> - SDH frames are 2430 octets in size transmitted as 9 octets of overhead, followed by 261 octets of payload, also nine times over until 2430 octets have been transmitted. Again the total frame transmission time is also 125 microseconds.</p>
<p>It doesn't take much brain power to see that SDH is capable of an effective data throughput rate three times that which the North American implementation of SONET can achieve.</p>
<h3>Ethernet over Fiber Optic Cable</h3>
<p>Today we see the Gigabit Ethernet over fiber optic cable and 10G Ethernet over fiber optic cable standards as the most common implementations of optical local area networks (LANs) currently being rolled out. They are also used extensively as the transport medium of choice at the network's core layer, particularly in Ethernet networks.</p>
<p>The majority of the big players in the networking hardware arena, like Cisco, Juniper and Redback, all produce numerous products with fiber optic support, including Ethernet over Fiber Optic modules. See <a href="http://www.computersight.com/Communication-%26-Networks/Network-Design-Hierarchies.178283" target="_blank"><strong>Network Design: Hierarchies</strong></a> for more about network design and the functions and features of a network's core layer.</p>]]></description>
<pubDate>Tue, 29 Jul 2008 07:33:24 PST</pubDate></item>
<item>
<title>Network Design: Hierarchies</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Network-Design-Hierarchies.178283</link>
<description>
<![CDATA[<p>All successful large scale organizing structures and activities start with a plan. This becomes ever more critical when we are dealing with complex entities, such as &ldquo;networks&rdquo; that are intended to be free to grow (scale), evolve (develop new capabilities and services) and to require the least amount of administrative maintenance. Here's how it's done.</p>
<h3>Hierarchies</h3>
<p>For the most part the large scale plans that we humans find easiest to comprehend, and thus implement, tend to be based and structured around a hierarchical model. So, rather than using a &ldquo;flat network&rdquo; model upon which to base our design, we will use the far more plastic hierarchical model, as it allows us a far greater degree of granular control and subdivision of the roles and functionalities of its constituent components.</p>
<p>We are now going to take a quick look into the key principles of the three-tiered hierarchical network design model, which allows the networks we design to scale as and when required whilst still providing the means by which we can retain control over their functionality, performance, accessibility, maintenance and evolution with as little effort as possible.</p>
<p>As the name indicates, the three-tier network model is a dramatic departure from the flat network philosophy of the past. Fundamentally, this is a layered approach, where the three layers into which all devices are classified are the core layer, the distribution layer and the access layer. More than 90% of all network elements, including infrastructure components like transmission media, will fall neatly into one or other of these three categories.</p>
<p>I say more than 90% because there will be those special components which may straddle layer functionalities or perform multiple roles. The modern ADSL broadband modem router with a built-in multi-port Ethernet switch is a common example of this type of device. So do not be fooled into thinking that a three-tiered model ordains that there must be separate devices for each layer.</p>
<p>The number of devices (routers, switches etc.) will be largely dictated by the situation-specific requirements and resources of each internetwork being designed. What might be considered appropriate for a particular internetwork design solution may be totally unreasonable for another.</p>
<p>Always remember that it is the internetwork designer's capacity to incorporate appropriate levels of plasticity and redundancy into their design solutions that is the art in forging an internetwork design that will work and perform in accordance with the desires and capabilities of those commissioning the internetwork. Budgetary concerns will, as is nearly always the case, be one of the biggest driving forces at work here.</p>
<h3>The Core Layer</h3>
<p>At the top of the hierarchy the core layer is literally the core of the network. A network's core layer's purpose &amp; responsibility is squarely focused upon the transportation of large amounts of traffic both reliably and quickly.</p>
<p>This means that the core should switch traffic as fast and reliably as possible, because any failure at the core level will most likely affect every single user of the network. User data should be processed by the distribution layer, which will forward it to the core layer if appropriate. When designing a network, the high priority objectives that should be built into the core layer are as follows.</p>
<p>High speed, highly reliable, fault-tolerant components possessing the lowest possible latency characteristics, connected in such a manner as to eliminate bottlenecks, are all high priority factors greatly desirable of a network's core layer. Therefore, the routing protocols implemented at the network's core layer must be those with the lowest convergence times, as any delays will be amplified downstream throughout the network and hence felt by all.</p>
<p>The core layer's data-link technologies must exhibit high speed with built-in redundancy such as FDDI, Gigabit Ethernet or 10G Ethernet incorporating redundant links and even SONET or ATM both of which also include multiple redundant links.</p>
<p>Ideally there should be no access lists, access list processing or packet filtering performed by the core layer. This means that there will be no workgroup access or workgroup access support provided by the core. Nor will any inter-VLAN routing take place here.</p>
<p>One final point of advice is that one should upgrade to increase core performance rather than expand (adding routers etc.) as the internetwork grows.</p>
<h3>The Distribution Layer</h3>
<p>The distribution layer (also referred to as the workgroup layer) is the communication point between the core layer and the access layer. The distribution layer should not duplicate the roles or functionalities provided by any of the other layers. Your design solutions should therefore reflect this by ensuring that the distribution layer is characterized by the deliberate exclusion of all factors, services and functions that are, or should be, the province of another layer.</p>
<p>Furthermore, other design concepts that need to be at the forefront of one's thought processes when designing a network are that the primary functions of the distribution layer will encompass many intermediary or &ldquo;middle-man&rdquo; network aspects, functionalities and services. These functions must be transparent to the user.</p>
<p>Network functionalities implemented at the distribution layer will include many of the network's core infrastructure-based decision making processes including routing, routing protocol redistribution, static routing, inter-VLAN routing, best path determination and address translation. Ideally, the definition of broadcast and multicast domains, packet filtering, queuing and the implementation of access lists should all occur at the distribution layer.</p>
<p>Network policy implementation and network security implementation occur at the distribution layer and include both hardware and software devices and solutions. Since WAN access provision is generally implemented at the distribution layer, firewalls (Cisco PIX, Microsoft ISA server, Zone Alarm etc.), intrusion detection systems and intrusion prevention systems and appliances are incorporated into the network at the distribution layer.</p>
<p>Other critical decision making functions of the network that get implemented at the distribution layer involve core layer access determination (the how &amp; when packets can access the core) and core layer access restriction (limiting access to the core layer on an only if absolutely necessary basis).</p>
<p>The determination of the manner and mechanisms for handling network service requests is conducted by distribution layer devices; for example, determining the fastest way for requests to be forwarded to servers and other peripheral services (e.g. Internet access).</p>
<p>Workgroup support functions, the implementation of additional tools and the provisioning of network operation flexibility are some more tasks generally assigned to the distribution layer.</p>
<h3>The Access Layer</h3>
<p>This brings us to the access layer which is also referred to as the &ldquo;desktop&rdquo; layer. The main functions of the access layer revolve around access control, regulation of users and workgroup access to the network/internetwork's assets, resources and services.</p>
<p>The pervading philosophy of &ldquo;shortest distance&rdquo; should prevail when designing an internetwork's access layer. This means that those resources that the majority of a group of users or workgroups access regularly should be available locally. Here is where the 80/20 rule comes into play.</p>
<p>The 80/20 rule states that 80% of all network traffic should remain within the boundaries of the local segment. Even better is to subnet a Local Area Network (LAN) and so contain the &ldquo;local&rdquo; traffic to a single broadcast domain, so that only 20% of all network traffic will be transported via the core layer throughout the entire internetwork. This does translate to &ldquo;real world&rdquo; performance gains for all concerned.</p>
<p>With the distribution layer taking care of any requests for remote resources &amp; services, the access layer's functions, resources and services should focus primarily upon such criteria as workgroup connectivity to the distribution layer and the elimination of potential avenues of direct, unabated user or workgroup access to the core layer.</p>
<p>Access layer traffic containment and resource access strategies often include additional network segmentation through the creation of separate collision domains (e.g. by using transparent bridging workgroup class switches or LAN switches) and more specific access controls &amp; policies to further augment those implemented by the distribution layer.</p>
<p>Static routing rather than dynamic routing protocols should be used at the access layer. DDR Ethernet switching is another technology commonly used at the access layer. Local resources at the access level will include local printers, workstations, caching servers and workgroup switches that use transparent bridging.</p>
<p>Temporary and mobile devices (laptops, notebooks, PDAs, smart phones etc.) must not be permitted any direct access to the core or distribution layers. Rather they should connect via the access layer in a highly secure manner.</p>
<p>This is most often implemented via demilitarized zones (DMZs) as one can never be sure what nasties the device may have picked up on its wanderings. Generally the device will be scanned immediately upon connection and cannot be used for network access until after it passes its sanitization requirements. Better safe than sorry.</p>
<p>DMZs are also widely employed to allow Internet traffic to reach a web site while reducing the web site's and its owner's potential exposure to malware. Email, bulletin boards and interactive Web 2.0 sites are other situations where DMZs are commonly used to erect a &ldquo;barrier&rdquo; between the public and private domains while allowing users (including the anonymous variety) to maintain their full site experience without unduly exposing the site to every piece of malware or bad intent out there.</p>]]></description>
<pubDate>Tue, 22 Jul 2008 07:39:36 PST</pubDate></item>
</channel>
</rss>
