[Abstract]
The purpose of this document is to explain the different types of testing programs that can be used to identify network latency issues when planning a network upgrade. Also included within this document are naming conventions for networking devices and hosts. Lastly, this document will outline and explain different types of equipment and their roles as they pertain to network security, based upon a provided scenario.
[Introduction and background]
Mr. Smith is the Director of IT at a law firm located in downtown Chicago. He needs to plan for a network upgrade. He has decided that he would like to have a network analysis done before the upgrade so that he can find out which systems would require upgrades and to create a strategy to present to the senior partners that will include return on investment.
The law offices occupy four floors of a high-rise building. The customer is experiencing network latency, especially in the Accounting department and in Human Resources, which both reside on the 32nd floor. The director of the Accounting department has expressed concerns about the security of his files. The Research, IT, and Corporate Administration departments all share the 33rd floor. The senior and junior partners and their support staff occupy the 35th floor, and the 36th floor is used for reception and conference rooms. The firm has decided that video conferencing is an essential component of its business and is looking to implement video conferencing as soon as possible so it can communicate with two new satellite offices that will be occupied in six months.
The firm has one network segment for each floor, but has been experiencing latency. Each floor except the 36th has 10 to 20 printers. Each floor has a 100Mb uplink to the Data Center on the 33rd floor. There are approximately 50 PCs on the 36th floor, 150 PCs on the 35th floor, and 40 PCs on both the 32nd and 33rd floors. The servers for each department reside on their respective floors. Mr. Smith is concerned about network security and wants a recommendation to secure traffic of three specific departments: Human Resources, Accounting, and Corporate Administration.
[Recommended testing program (Prototype or Pilot)]
When testing a network to get a complete understanding of the issues it may be having, there is no silver bullet application, but rather a combination of applications that each have specific functions. The first major concern when trying to understand possible issues on a network is bottlenecks or bandwidth limitations that affect network performance. One application that performs secure real-time network monitoring is nettest (Agarwal, Boverhof, Jackson). This open-source application is designed to run on the Linux platform and incorporates a few different frameworks to conduct a series of network performance tests. It is designed to work between a couple of different hosts on a network, so prior to using it, authorization must be obtained to install the application on those hosts. Once the performance testing is complete, it is important to know what is being sent across the network. To determine this, a packet sniffer can be used. A good, free network packet sniffer is Wireshark (Sharpe, Warnicke, 2008). Wireshark allows packets to be captured and dumped into a file where they can be analyzed at a later point in time, or, for somebody with fast eyes, analyzed in real time. For both types of tests, it is recommended to run them over a period of time such as 24 hours. This helps to understand the demands placed on the network during peak hours as well as non-peak hours of operation. Using multiple programs to analyze network performance and to break down the types of network traffic will help to identify any issues.
[Naming Structure]
When naming network devices, it is important to give a device a name that identifies whom the device serves and where it is located. Because there is not enough space within a device's name to allow for complete names, abbreviations must be used (Morris, 2008). For example, the Human Resources department has the three-letter designator HUM, Accounting ACC, Administration ADM, Sales SAL, Information Technology INF, Shipping SHI, Corporate COR, and so on. To identify a device's location, a building number, floor number, and room number can be used. Finally, if desired, the device type and whether it is an internal or external device can be identified using SW for switch, R for router, B for bridge, W for workstation, or SE for server, followed by a letter marking it as internal or external. When all of these abbreviations are put together, a possible name for a device looks like this: ACC-115-32-J-SWI. This name tells somebody that the device is found in the Accounting department of building 115, located on the 32nd floor in room J, and that it is an internal switch. Following a naming structure helps identify devices, their functions, and where they are located.
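The naming structure above is easy to enforce with a small parser that rejects unknown department or device codes. This is an added example, not part of the original paper; it uses the abbreviations listed above and assumes the trailing I in ACC-115-32-J-SWI means internal (with E assumed for external).

```python
import re
from dataclasses import dataclass

# Department abbreviations listed in the naming-structure section.
DEPARTMENTS = {
    "HUM": "Human Resources", "ACC": "Accounting", "ADM": "Administration",
    "SAL": "Sales", "INF": "Information Technology", "SHI": "Shipping",
    "COR": "Corporate",
}
# Device-type identifiers from the same section.
DEVICE_TYPES = {"SW": "switch", "R": "router", "B": "bridge",
                "W": "workstation", "SE": "server"}
# Assumption: a trailing I marks an internal device and E an external one
# (the paper's example ACC-115-32-J-SWI is described as an internal switch).
SCOPES = {"I": "internal", "E": "external"}

NAME_RE = re.compile(
    r"^(?P<dept>[A-Z]{3})-(?P<building>\d+)-(?P<floor>\d+)-(?P<room>[A-Z0-9]+)-"
    r"(?P<dev>SW|SE|R|B|W)(?P<scope>[IE])$"
)


@dataclass(frozen=True)
class DeviceName:
    department: str
    building: int
    floor: int
    room: str
    device: str
    scope: str


def parse_device_name(name: str) -> DeviceName:
    """Split a DEPT-BUILDING-FLOOR-ROOM-TYPE+SCOPE name into its fields."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"malformed device name: {name!r}")
    dept = m["dept"]
    if dept not in DEPARTMENTS:
        raise ValueError(f"unknown department code {dept!r} in {name!r}")
    return DeviceName(DEPARTMENTS[dept], int(m["building"]), int(m["floor"]),
                      m["room"], DEVICE_TYPES[m["dev"]], SCOPES[m["scope"]])


def build_device_name(dept, building, floor, room, device, scope) -> str:
    """Assemble a name from its codes and round-trip it through the parser."""
    name = f"{dept}-{building}-{floor}-{room}-{device}{scope}"
    parse_device_name(name)  # raises if any code is not in the convention
    return name
```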
[Adequacy of security for the data in each department]
No matter which company, organization, or department somebody works for, there is always a need to keep data secure. Just because people work for the same company does not mean they all need access to the same data. One method to keep different departments from accessing each other's data is to logically separate the network with virtual LANs, otherwise known as VLANs. Using VLANs keeps each department segmented so that only personnel within a particular department can access that department's data. Another way to keep data secure when it is stored in a centralized location, such as a file server, is through file permissions. Personnel without the correct permissions will not be able to access a particular file. It is also important to ensure data is transported securely across the network. To ensure data is transmitted securely, IPsec can be used. IPsec encrypts packets so that the information reaches its intended destination securely. Finally, it is important to ensure that no outside access is allowed onto the network. To prevent unauthorized access, a firewall can be used. A network firewall inspects every packet it receives by checking the source and destination of each packet and then consulting an access control list (ACL) to verify that access is allowed before the packet is forwarded to its destination.
[Functions of each network device]
Different networking devices function at different layers of the OSI model, and therefore each can do its own part in ensuring a network is secure. Starting at the lowest level of the OSI model and working toward the top, we can see what each device does and what added security it can provide. Physical security plays an important part in ensuring that the physical connectivity is kept within a controlled area. Switches function at the data-link layer of the OSI model, and their responsibility is to transport data quickly and efficiently. Switches also provide network security by allowing a network to be segmented into different VLANs. Routers function at the network layer of the OSI model, and their function is to transport data from one network to another. Routers can provide a little security by applying an ACL to ensure that network traffic from one network is authorized to access another network. Network firewalls also function at the network layer; their main purpose is to ensure that traffic is authorized from one network segment to another, and they also block any unused network ports from being accessed. Networked servers can function at the session, presentation, and application layers of the OSI model. A properly configured network server can provide security by ensuring packets are encrypted, by authenticating users so that only authorized users are allowed onto the network, and by securing files with the correct file permissions. Each device on a network plays its own role in ensuring that access to the network is authorized and that data within the network is secured.
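The source/destination ACL check that the firewall paragraph and the router paragraph both describe, applied to the three departments Mr. Smith wants secured. This is an added example, not code from the paper; the VLAN subnets, server addresses, ports and sample packets are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Constructed addressing: a client VLAN and a department file server on each
# department's own floor. None of these subnets come from the paper.
HUM_CLIENTS, HUM_SERVER = Net("10.32.10.0/24"), Net("10.32.11.10/32")
ACC_CLIENTS, ACC_SERVER = Net("10.32.20.0/24"), Net("10.32.21.10/32")
ADM_CLIENTS, ADM_SERVER = Net("10.33.30.0/24"), Net("10.33.31.10/32")
DATA_CENTER_DNS = Net("10.33.1.53/32")  # assumed shared resolver on the 33rd floor
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: Net
    dst: Net
    dport: Optional[int] = None  # None matches any destination port


# Ordered ACL as a firewall or router holds it: first match wins, and a
# packet that matches no rule falls through to the implicit deny.
ACL = [
    Rule("permit", HUM_CLIENTS, HUM_SERVER, 445),  # HR file share only from HR
    Rule("permit", ACC_CLIENTS, ACC_SERVER, 445),  # Accounting share only from Accounting
    Rule("permit", ADM_CLIENTS, ADM_SERVER, 445),  # Corporate Admin share only from Admin
    Rule("permit", ANY, DATA_CENTER_DNS, 53),      # every segment may resolve names
]


def check_packet(src: str, dst: str, dport: int) -> tuple:
    """Return (action, rule_index); rule_index is None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(ACL):
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action, i
    return "deny", None


# Constructed sample packets: an HR PC opening the HR share, a 35th-floor PC
# reaching for the Accounting server, and an Accounting PC doing a DNS lookup.
SAMPLE_PACKETS = [
    ("10.32.10.25", "10.32.11.10", 445),
    ("10.35.0.77", "10.32.21.10", 445),
    ("10.32.20.9", "10.33.1.53", 53),
]


def audit(packets=SAMPLE_PACKETS) -> list:
    """Evaluate each packet; the denied rows are what the firewall log would show."""
    return [(src, dst, dport, *check_packet(src, dst, dport))
            for src, dst, dport in packets]
```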
[How needs of key departments change with the network design]
Even though different departments work for the same company, their specific needs may influence the design of a network. The most obvious specific need of a department is the number of users it has. Since the senior and junior staff of the law firm occupy the 35th floor with 150 different computers, they may have a higher demand for bandwidth than the Accounting and Human Resources departments, which occupy the 32nd and 33rd floors with only 40 computers. The IT and Research departments may both have a specific need to put their own networking devices on the network so that they can create a test network. The Corporate department may want to use voice over IP services and therefore have the specific need of a voice VLAN configured on its networking devices. No matter what the specific need of a department is, a good network design must incorporate all of the departments' needs, both for today and into the future.
[Conclusion]
In conclusion, to best identify issues pertaining to the law firm's network, a couple of different tools should be used to identify both possible bandwidth issues and issues pertaining to the types of traffic being passed along the network. Different departments within the law firm have different needs, and therefore each network segment should be designed to accommodate each department's needs. The company's current network security is inadequate, so network security should be implemented at multiple layers of the OSI model to ensure all communications and data are secure. Each device within the network topology can play a specific role in ensuring the network is secure.
[References]
1. Agarwal, D., Boverhof, J., & Jackson, K. Nettest: Secure Network Testing and Monitoring. Retrieved September 27, 2008, from http://acs.lbl.gov/~boverhof/nettest.html
2. Sharpe, R., & Warnicke, E. (2008). Wireshark: Go deep. Retrieved September 27, 2008, from http://www.wireshark.org
3. Morris, M. (2008, January 10). Naming Conventions. NetworkWorld.com Community. Retrieved September 27, 2008, from http://www.networkworld.com/community/node/23721