Survivor's Guide to 2007: Network Infrastructure
Get ready to change gears in 2007. While consolidation was the watchword for 2006, 2007 will be all about differences. New and expensive technologies are stretching IT dollars, increasing management
December 15, 2006
To survive and thrive in 2007, infrastructure pros must prepare for and adapt to a shifting landscape. New and expensive technologies, such as unified communications, network access control, the expanding distributed enterprise and fatter applications are stretching IT dollars thin, increasing management overhead and placing performance demands on networks.
Unlike past years, when vendors focused on increasing speeds or selling new must-have devices, 2006 was characterized by consolidation. One example: the merging of AFEs (application front ends) and WAFS (wide-area file systems). The so-called branch office in a box includes features such as routing, switching, wireless access, network storage and DNS/DHCP. Appliances and management products also are coming to the fore for DNS and DHCP--both more critical than ever given the growth of VoIP and NAC.
Pressurized Networks
Unified Communications, as discussed on page 48, will require more reliable transport of real-time data over a wider area. More than just VoIP, UC can enhance collaboration and communication, particularly for a distributed or mobile workforce, but the infrastructure has to support it. Raw bandwidth must be available, but more important, end-to-end latency and jitter must be low and constant. The Dell'Oro Group expects Ethernet port shipments to reach 324 million by 2010, with the lion's share being Gigabit Ethernet. That means 10 Gigabit Ethernet gear--for which pricing is still high, ranging from $1,000 to $2,000 per switch module without optics--will be needed to aggregate traffic into the core network.
Increasing bandwidth isn't always the best way to solve network bottlenecks. Chatty protocols, such as network file sharing, need many round trips per operation, so on a high-latency WAN their real-world throughput falls well below the link's rated capacity, and real-time communications suffer from delay and jitter rather than from a lack of raw bandwidth. Bandwidth-management techniques, such as queuing and prioritization, can boost application performance, but they can't solve WAN bandwidth woes alone.
Organizations are straining to support remote offices, whether down the street or across the country. Adding WAN bandwidth is far more costly than beefing up the LAN, so WAN links stay constrained. Techniques such as byte- and block-level compression have long been offered as a way to eke out more WAN bits per second, but advances in data reduction (sending a short reference in place of data the far end has already received) and application optimization can increase effective throughput by a factor of 10 to 20. See nwc.com/2006/1221 for more on data reduction.
AFEs often sit in front of specific servers, such as Web servers or databases, performing TCP connection optimization, SSL off-loading and bulk compression; they complement data reduction rather than replace it. Keep in mind that SSL off-loading terminates the encrypted session at the AFE, so the hop between the AFE and the server carries cleartext unless it is re-encrypted or physically isolated.
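To make the data-reduction idea concrete, here is an added simulation of block-level data reduction between two ends of a WAN link. It is not any vendor's algorithm or code from this article; it assumes fixed 256-byte blocks, SHA-256 block identifiers and a one-byte record type on the wire, and the payload it sends is constructed for the example.

```python
"""
Block-level data reduction across a WAN link, as an illustrative simulation.
This is not any vendor's algorithm. Assumed (not from the article): fixed
256-byte blocks, SHA-256 block identifiers, and a one-byte record type on the
wire. Both ends keep a dictionary of blocks seen on this link; the sender
sends a block literally the first time and a 32-byte reference afterwards.
"""
import hashlib

BLOCK_SIZE = 256
REF = b"\x00"   # record: 32-byte hash of a block the receiver already holds
LIT = b"\x01"   # record: 2-byte length + block bytes


def block_id(blk):
    return hashlib.sha256(blk).digest()


def chunk(data, size=BLOCK_SIZE):
    return [data[i:i + size] for i in range(0, len(data), size)]


class Sender:
    def __init__(self):
        self.seen = set()

    def encode(self, data):
        out = bytearray()
        for blk in chunk(data):
            h = block_id(blk)
            if h in self.seen:
                out += REF + h
            else:
                self.seen.add(h)
                out += LIT + len(blk).to_bytes(2, "big") + blk
        return bytes(out)


class Receiver:
    def __init__(self):
        self.store = {}

    def decode(self, wire):
        out = bytearray()
        i = 0
        while i < len(wire):
            rtype = wire[i:i + 1]
            i += 1
            if rtype == REF:
                h = wire[i:i + 32]
                i += 32
                if h not in self.store:
                    # Only blocks that crossed this link can be referenced;
                    # an unknown hash means tampering or a desynchronised dictionary.
                    raise ValueError("reference to unknown block")
                out += self.store[h]
            elif rtype == LIT:
                n = int.from_bytes(wire[i:i + 2], "big")
                i += 2
                blk = wire[i:i + n]
                i += n
                if len(blk) != n:
                    raise ValueError("truncated literal block")
                # Key by the hash the receiver computes itself, never one the sender claims.
                self.store[block_id(blk)] = blk
                out += blk
            else:
                raise ValueError("unknown record type")
        return bytes(out)


def simulate(transfers):
    """Send each payload in turn over one sender/receiver pair and return
    (payload bytes, bytes on the wire) per transfer, after verifying that the
    receiver reconstructs the payload exactly."""
    sender, receiver = Sender(), Receiver()
    results = []
    for data in transfers:
        wire = sender.encode(data)
        if receiver.decode(wire) != data:
            raise AssertionError("round trip mismatch")
        results.append((len(data), len(wire)))
    return results


# Constructed payload: an 80-line, 4000-byte text file (not real data).
DOC = b"".join(
    f"record {i:04d}: quarterly sales figures for region {i % 7}\n".encode()
    for i in range(80)
)
DOC_SAME_LEN_EDIT = DOC.replace(b"record 0042:", b"REcord 0042:")  # touches one block
DOC_INSERT_EDIT = b"NEW LINE\n" + DOC                                # shifts every block

if __name__ == "__main__":
    for n, (raw, wire) in enumerate(simulate([DOC, DOC, DOC_SAME_LEN_EDIT, DOC_INSERT_EDIT]), 1):
        print(f"transfer {n}: {raw} bytes -> {wire} on the wire ({raw / wire:.1f}x)")
```

The first transfer costs slightly more than the raw file, the identical second one shrinks to about an eighth, and a same-length edit costs one literal block. The inserted line is the instructive failure: every fixed block shifts, nothing matches, and the file goes across in full again, which is why shipping products cut blocks on content boundaries rather than at fixed offsets. Two points matter to a security reviewer: the receiver stores blocks under a hash it computes, so a reference can only ever resolve to data that really crossed this link (with a weak hash, a crafted collision could substitute content), and each appliance's dictionary is a plaintext copy of everything sent, so the boxes need the same protection as the servers behind them.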
In cases where extra bandwidth is required, other new WAN technologies, including Carrier Ethernet, offer more bits per buck. There are two critical requirements for using Carrier Ethernet. The first is proximity: In many cases, Carrier Ethernet is available only in major metropolitan areas. We expect to see expansion into smaller markets in 2007. The next consideration is wiring between the local carrier's PoP and your building: Carrier Ethernet over copper, TDM circuits and other conventional WAN services are available on a limited basis, but not at the speeds available over fiber, which can reach 1 Gbps or higher.
Finally, beware mixing and matching carriers. In many cases, Carrier Ethernet will be available at all your branch offices, but not from a single provider. The protocols for network-to-network peering are still being ratified, but that hasn't stopped providers such as Yipes from forging peering relationships with other carriers. Incumbents like Verizon often control the link end to end by leasing access lines from local carriers. Geographic coverage is growing, so assess a prospective provider's plans.
Give Me Access
NAC is all the rage this year. Cisco is pushing its program. Microsoft is touting NAP (Network Access Protection). The two are partnering and beta testing integration between NAC and NAP. The Trusted Computing Group is backing its TNC (Trusted Network Connect) initiative, and vendors such as Extreme Networks, Juniper Networks and Nortel Networks are piling on, looking for a piece of what's shaping up to be a fat pie--$3.9 billion in sales of NAC enforcement products by 2008, according to Infonetics Research.
As we discuss in "The Plot Thickens", the trick is to have a solid understanding of what your organization needs to accomplish. There are as many ways to deploy NAC as there are vendors knocking on your door.
Controlling managed computers (those that have agents installed or for which the administrative credentials are known) is a snap: Decide what constitutes a required set of features--say, patch level, installed applications, configuration options and antivirus update files--and today's NAC products handle assessment reasonably well. If a computer is out of compliance, patch it, quarantine it or give it limited access.
If you're among the nearly two-thirds of organizations planning to deploy NAC, now is the time to write policy requirements specifying those details. But once you determine how to handle managed computers, the job is only 10 percent done. The rest of the work surrounds unknown computers, and they can ruin your day.
Hot | Not (sidebar graphic)
Upshot (sidebar graphic)
A lot of marketing hype focuses on the guest-user problem--handling the unmanaged mobile computer. But in a recent NWC Reader Poll, guest access was the least of your concerns, especially compared with granting access to data center resources and securing the branch office.
However, guest-user access does highlight an important problem your organization must answer: How are unmanaged computers controlled?
Cutting off an unmanaged host may not be desirable--say it belongs to a vendor assisting with production installation. You can certainly enforce such a policy, but then you'll have to make other network connectivity available. If you do provide limited guest access, you'll have to decide exactly what's allowed--say, access to the Internet only. But then, what about exceptions? Some guests will need access to internal resources.
Before you even begin to deploy NAC, address these issues so that you can assess whether a particular product will fit your needs.
Finally, decide what enforcement models fit your current and future network plans. This is a tough one. While 802.1X port control is one of the best enforcement methods available, it may not be practical because the supporting infrastructure (802.1X supplicants on hosts, authentication servers and access switches that support 802.1X) may not be enterprise-ready. The reality is, 802.1X is often not an option--yet. Alternate enforcement techniques, such as in-line blocking using a bump-in-the-wire appliance, may introduce a point of failure and a potential network bottleneck. Layer 2/3 methods, such as ARP poisoning and DHCP control, are easier to deploy but less effective against a determined attacker: a host configured with a static address and static ARP entries simply ignores both.
To address enforcement, tie your NAC deployment to your network architecture. Port-level access control offers a good balance between fine-grained and broad enforcement, and if the enforcement lives in your access switch, there's no need for an additional appliance. Consider requiring 802.1X support in every access switch you buy from now on; the distribution layer and core don't need it, so you can replace access gear as it ages. If you're deploying a NAC product now, ensure that it supports all the enforcement methods you need today and in the future by offering concurrent enforcement options.
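The policy decisions described above for managed hosts (patch level, installed software, antivirus currency), unmanaged hosts (guest VLAN or deny) and approved exceptions can be written down as code before any product is chosen. The following is an added example, not code from this article or from any NAC vendor; the posture fields, the policy thresholds, the MAC-keyed exception list and the sample hosts are all assumptions constructed for illustration. Note that everything a host reports about itself is self-reported, so a compromised endpoint can lie; this engine does not try to detect that, the same gap the IETF NEA work leaves open.

```python
"""
Posture-based NAC policy decision, as an illustrative example.

This is not any vendor's NAC code. Assumed (not from the article): each host
is described by a Posture record with self-reported patch level, antivirus
signature age and installed software, plus a MAC address used only to look
up admin-approved exceptions for unmanaged hosts. Posture values are
self-reported, so a hostile endpoint can lie; nothing here detects that.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # full production access
    LIMITED = "limited"        # restricted or remediation VLAN
    QUARANTINE = "quarantine"  # nothing beyond remediation servers
    GUEST = "guest"            # Internet-only guest VLAN
    DENY = "deny"


@dataclass(frozen=True)
class Policy:
    min_patch_level: int = 10
    max_av_sig_age_days: int = 7
    required_apps: frozenset = frozenset({"corp-agent", "host-firewall"})
    forbidden_apps: frozenset = frozenset({"p2p-client"})
    guest_allowed: bool = True
    # Admin-approved unmanaged hosts (e.g. a vendor doing an install), keyed
    # by lowercase MAC, with a note on what they may reach. Assumed structure.
    exceptions: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Posture:
    mac: str
    managed: bool                      # agent installed or admin creds known
    patch_level: int = 0
    av_sig_age_days: int = 999
    installed_apps: frozenset = frozenset()


def evaluate(posture, policy):
    """Return (Decision, findings). Findings list every failed check, not just
    the first, so a remediation page can tell the user what to fix."""
    findings = []
    if not posture.managed:
        # Nothing an unmanaged host reports can be verified, so its posture
        # fields are ignored; route on whether someone approved it.
        mac = posture.mac.lower()
        if mac in policy.exceptions:
            findings.append(f"unmanaged, on exception list: {policy.exceptions[mac]}")
            return Decision.LIMITED, findings
        if policy.guest_allowed:
            findings.append("unmanaged: Internet-only guest access")
            return Decision.GUEST, findings
        findings.append("unmanaged and guest access disabled")
        return Decision.DENY, findings

    if posture.patch_level < policy.min_patch_level:
        findings.append(f"patch level {posture.patch_level} below {policy.min_patch_level}")
    if posture.av_sig_age_days > policy.max_av_sig_age_days:
        findings.append(f"AV signatures {posture.av_sig_age_days} days old, limit {policy.max_av_sig_age_days}")
    missing = policy.required_apps - posture.installed_apps
    if missing:
        findings.append(f"missing required software: {sorted(missing)}")
    forbidden = policy.forbidden_apps & posture.installed_apps
    if forbidden:
        findings.append(f"forbidden software present: {sorted(forbidden)}")

    if not findings:
        return Decision.ALLOW, findings
    # Forbidden software is an active risk to other hosts: isolate it.
    # Stale patches or signatures are fixable: send to the remediation VLAN.
    if forbidden:
        return Decision.QUARANTINE, findings
    return Decision.LIMITED, findings


# Constructed sample hosts and policy (not real data).
SAMPLE_POLICY = Policy(exceptions={"aa:bb:cc:dd:ee:01": "vendor install, VLAN 40 only"})
SAMPLE_HOSTS = [
    Posture("00:11:22:33:44:55", True, 12, 1, frozenset({"corp-agent", "host-firewall"})),
    Posture("00:11:22:33:44:66", True, 8, 20, frozenset({"corp-agent", "host-firewall"})),
    Posture("00:11:22:33:44:77", True, 12, 1, frozenset({"corp-agent", "host-firewall", "p2p-client"})),
    Posture("aa:bb:cc:dd:ee:ff", False),
    Posture("AA:BB:CC:DD:EE:01", False),
]


def run_sample(policy=SAMPLE_POLICY, hosts=SAMPLE_HOSTS):
    """Map each host's MAC to its (decision, findings)."""
    return {h.mac: evaluate(h, policy) for h in hosts}


if __name__ == "__main__":
    for mac, (decision, findings) in run_sample().items():
        print(f"{mac}  {decision.value:10s}  {'; '.join(findings) or 'compliant'}")
```

The useful discipline here is that unmanaged hosts never reach the posture checks at all: their only path to anything but the guest VLAN is an explicit, named exception. Writing the policy this way also answers the product question the article raises, because the decision values map directly onto whatever enforcement the switch or appliance offers (a VLAN assignment over 802.1X, an ACL, or a DHCP scope).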
Consolidation Is King
If you have been in IT for more than a few years, you've seen more than one round of branch-in-a-box appliances that consolidated common remote office network gear and offered a mix of file services, WAN and wireless access, and routing and switching. In reality, these were little more than multifunction file servers with limited functionality. But a small or midsize business with simple networking needs could deploy one and be up and running with minimal effort.
Future Watch (sidebar graphic)
Companies To Watch (sidebar graphic)
Today's iteration of these appliances includes devices--like Adtran NetVanta Routers, Cisco Integrated Services Routers and Nortel Secure Routers--that provide routing, switching, compression, caching, firewall and IP PBX functions. Open-source routers such as those from Vyatta let you add other open-source modules to existing platforms. Additional functions, like unified threat management, application acceleration and optimization, and strong centralized management, round out the set.
Are they ready today? Products will be available in 2007, but management processes and procedures will have to catch up. The IT stovepipe organization structure characterized by separate network management, security and access groups, for example, isn't conducive to the branch-in-a-box model. Forrester Research predicts that 2010 will be the magic year. We think vendors will be forced to add segregated access to management functions to match companies' IT management structures.
The Necessary Evil
The network is being tasked with more functionality and required to deliver more reliable service across the LAN and the WAN. As applications get fatter and more interactive, deficiencies and outages have a higher impact. You may not need WAN optimization yet, but you will. And you're sure to be hearing more about NAC soon. The trends are speaking loud and clear. Be sure to listen.
Monday Morning Quarterback
NETWORK INFRASTRUCTURE
Last year, we said Carrier Ethernet won't revolutionize the WAN, and we were right. Carrier Ethernet is growing, but geographic coverage hasn't grown fast enough.
Standards Groups You Can't Ignore
All corners of IT are affected by standards--competing standards, emergent standards and those driven through legislation and regulation. Keep your eye on the following standards bodies in 2007.
IETF NEA
The IETF's Network Endpoint Assessment working group is chartered with standardizing the communications and formats for exchanging a host's health information with a validation server. The working group won't engage in discussions about enforcing access controls, nor will it be involved in determining how to detect a lying endpoint. NEA is a valiant effort and might bring together divergent groups such as Cisco Systems, Microsoft and the Trusted Computing Group to hammer out a set of agreed-upon standards.
Metro Ethernet Forum
The MEF has successfully brought together service providers and network equipment makers to agree on the protocols and processes to deploy Carrier Ethernet, standardize service levels and measurements, perform conformance testing on network equipment and service provider networks, and define other features, such as network-to-network peering. Not only is the MEF's work relevant to its members and their customers, it also is an example of a standards body that does it all, from specification to interpretation to conformance testing.
TCG Trusted Network Connect
Bolstering its roster with the likes of Juniper, Nortel and a bunch of smaller hardware and software vendors, the TCG TNC is the only relevant group offering a set of standard protocols, formats and API definitions to compete with the Cisco and Microsoft NAC initiatives. The TNC will be conducting interoperability tests and increasing its presence at trade shows to raise awareness among IT managers. Our own surveys, and those of others, show that TNC is not well-known--a challenge it must overcome.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs and former editor in chief of Secure Enterprise. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at [email protected].