Best IP technology tips
Experts share their secrets for implementing the hottest IP network services, from clustering to VoIP.


IP has arguably changed the networked world, allowing the gradual reshaping of enterprise architectures with technologies such as voice over IP, VPNs and storage-area networks. Not so long ago just on the fringes, these IP technologies are quickly moving into the mainstream. And as they do, a growing number of network professionals and industry experts can say, "Been there, done that."

What follows are some insider tips on the best ways of implementing the ever-more popular technologies of the IP world - voice, VPNs, intrusion detection and other security technologies, server clusters and SANs.

Views on VoIP

Voice over IP, which carries voice traffic on IP packet networks, has been touted as a more cost-effective alternative to circuit-switched telephones. Yet, only recently have companies started to take the plunge. As they have, they often learn one hard lesson: While standards supporting the technology have matured considerably, compliance among vendor equipment has not.

The main culprit is quality of service (QoS), which must be honored across an entire organization to avoid choppy or incomplete voice-over-IP transmissions. Unfortunately, slight differences in how each vendor implements the IEEE's QoS standard, 802.1p, can force network executives to use a single vendor's hardware. Combine that with older routers that don't support the standard at all, and the unsuspecting project manager could be faced with an expensive, if not forklift, upgrade.

"If you're implementing a packet telephony project, you're not necessarily replacing just a PBX," says Brian Riggs, an analyst at Current Analysis. "You're also potentially phasing out a majority of your datacom infrastructure."

But the secret from those who've been there is that workarounds exist, at least for companies that don't want to spend the time and money bringing all their network equipment into line with recognized standards, Riggs says. Those companies can use virtual LANs to segregate voice and data traffic on the network, so that voice runs on a homogeneous setup while data remains on heterogeneous systems.

Another important tip from those experienced with voice over IP has more to do with interpersonal, rather than technological, communications. If you thought regional Bell operating companies were uncooperative with troubleshooting, wait until your provider realizes it will soon lose you as a hefty voice customer, laments Daryl McDaniel, CIO of Western Heights Public School District in Oklahoma City.

While Western Heights' local carrier offered some help in the early stages of the district's voice-over-IP implementation, it practically vanished when the district's motives became clear. Not surprisingly, McDaniel recommends voice-over-IP project managers avoid disclosing the reason for their queries until absolutely necessary.

McDaniel says to anticipate significantly more delays than usual in RBOC responses - even before the tell-all moment - and build that into the project timeline. This is especially important when voice traffic needs to be converted from the RBOC's circuit-switched network to the company's packet-switched network. Project staff could have to test and decipher the networks' correlating frame types, and perhaps even inform the RBOC how to configure its switches and the equipment bridging the two networks.

"Sometimes we had to go down to [the RBOC] office in person and work our way up the food chain to get the equipment properly configured," McDaniel says. "I never thought it would be that hard to work with them."

VPN watch points

VPN technology, another datacom cost-cutter, is expanding from use in single-user remote-access configurations to deployment for site-to-site connections.

While installation concerns have eased as VPN technology has matured, maintenance can still be nettlesome, experts say. Fluctuations in Internet performance make traffic analysis an endless pain, for instance.

"It's really critical to monitor your [service] provider's performance, either with tools or through third-party vendors not affiliated with your provider," says Paul Forbes, network engineer at Trimble Navigation, a provider of Global Positioning Systems in Sunnyvale, Calif.

Trimble relies on VPNs to connect 15 satellite offices with roughly 300 users. It plans on adding another 15 remote offices and their 700 users in the first quarter of 2002.

With the potentially erratic Internet and latency-sensitive applications, diligent monitoring - with off-the-shelf software that uses network probes or generates synthetic transaction scenarios - becomes even more necessary for those who need to watch budgets and generate performance data quickly, Forbes says.

To ease performance concerns, Forbes also recommends relying on a single provider capable of servicing all remote offices. This reduces latency and improves throughput over a multiple-provider setup.

When VPNs are used for remote users, beware of a standards-compliance bugaboo similar to the one that trips up voice over IP. The various components of VPN clients - everything from Ethernet cards to drivers - might sport differing implementations of the IP Security (IPSec) encryption standard and therefore might not work well together, says Mark Schertler, director of network security services at Primitive Logic.

Getting client communications hardware and software to work with IP stacks in the client operating system can prove especially arduous, Schertler notes. He advises IT staffs to perform rigorous compatibility testing among the various client components and to devise a common platform for distribution to remote users.

The most stable VPN platforms use Microsoft's Windows 2000 operating system, says Richard Perez, security manager at MyPoints.com, an e-commerce services company in Schaumburg, Ill. According to Perez, Win 2000 offers a more refined TCP/IP stack than its predecessors and the ability to make changes to system settings without rebooting. Plus, he says, makers of VPN client software are building and testing their products better for Win 2000 than they are for the older Windows 95, 98 and NT operating systems.

Intrusion detection and other musts

Of course, security concerns come hand in hand with deployment of any 'Net-based technologies. Likewise, security plans must be an integral part of any network architecture.

While firewalls, proxies and encryption have become standard network design fixtures, monitoring remains sorely neglected, Perez says. As boring and painstaking as the task seems, consistently analyzing logs in firewalls, routers and other edge equipment will give managers a guidepost for identifying normal traffic and signs of attack.

When a hacker group in China recently made port sweeps across the Internet to search for security holes in various networks, Perez's traffic logs showed the group was looking for entry into his network through a specific type of printing service. By spotting the odd probe, Perez could take preventive measures. A few weeks later, hacks occurred around the 'Net through the same service Perez identified.

"I hold those logs very dear to me," Perez says.
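The kind of log review Perez describes can be automated: the script below, an added example that is not from the article, parses constructed firewall deny-log lines (the line format, addresses and port 515 are all assumed, not taken from Perez's logs) and reports any source that hits the same port across several hosts, which is what a sweep for one service looks like.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format: "<time> DENY <src> -> <dst>:<port>/<proto>").
# One source walks port 515 across five hosts; two others touch single hosts.
SAMPLE_LOG = """\
2001-10-02T01:12:03 DENY 203.0.113.7 -> 192.0.2.10:515/tcp
2001-10-02T01:12:04 DENY 203.0.113.7 -> 192.0.2.11:515/tcp
2001-10-02T01:12:04 DENY 203.0.113.7 -> 192.0.2.12:515/tcp
2001-10-02T01:12:05 DENY 203.0.113.7 -> 192.0.2.13:515/tcp
2001-10-02T01:12:09 DENY 203.0.113.7 -> 192.0.2.14:515/tcp
2001-10-02T01:13:40 DENY 198.51.100.5 -> 192.0.2.10:80/tcp
2001-10-02T01:15:22 DENY 198.51.100.9 -> 192.0.2.10:443/tcp
2001-10-02T01:15:23 DENY 198.51.100.9 -> 192.0.2.10:22/tcp
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) DENY (\S+) -> (\S+):(\d+)/(\w+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, port, proto) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, proto = m.groups()
            yield ts, src, dst, int(port), proto

def find_sweeps(log_text, min_hosts=3):
    """Map (src, port) -> sorted list of hosts for every source that probed the same
    port on at least min_hosts distinct hosts. Many ports on one host is not a sweep."""
    seen = defaultdict(set)
    for _ts, src, dst, port, _proto in parse(log_text):
        seen[(src, port)].add(dst)
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= min_hosts}

def probed_ports(log_text, min_hosts=3):
    """The services worth a second look: ports that appear in any detected sweep."""
    return sorted({port for (_src, port) in find_sweeps(log_text, min_hosts)})
```

Run over a real deny log, the ports this reports are the ones to check against patch levels and firewall policy before the follow-on attacks Perez saw arrive.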

Network managers should also avoid some common mistakes when implementing firewall security, Schertler says. The first is opening a range of firewall ports to a particular application, so that any client can access the application. This defeats the purpose of a firewall, he says, which should be used to limit the number of ports and users that can access particular applications.

Secondly, many administrators fail to make immediate changes to a firewall's default user identifications and passwords, which are widely known in the hacker community. Keeping these default settings, even just temporarily, lets outsiders pry into the network using the firewall's system or root user information.
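Both of Schertler's mistakes can be caught with a simple policy check. The example below is added here and is not from the article or any firewall product: it models rules in an assumed generic format, flags a rule that opens a port range to any source, shows the narrowed replacement, and checks admin accounts against a constructed (placeholder) table of vendor default credentials.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR block or "any"
    dst: str
    first_port: int
    last_port: int
    proto: str = "tcp"

# Constructed rule sets in an assumed format (no real firewall's syntax).
WEAK_RULES = [
    Rule("erp-any", "any", "10.0.5.20", 8000, 8999),   # a whole range, open to anyone
    Rule("web", "any", "10.0.5.30", 80, 80),           # one public service on one port
]
HARDENED_RULES = [
    Rule("erp-branch", "10.20.0.0/16", "10.0.5.20", 8443, 8443),  # one port, named source
    Rule("web", "any", "10.0.5.30", 80, 80),
]

# Placeholder defaults; a real check would use the vendor's documented defaults.
DEFAULT_CREDENTIALS = {"admin": "admin", "root": "password"}

def audit_rules(rules, max_open_ports=1):
    """Report rules that let any source reach more than max_open_ports ports: the
    'open a range for the application' pattern that turns the firewall into a pass-through."""
    findings = []
    for r in rules:
        width = r.last_port - r.first_port + 1
        if r.src == "any" and width > max_open_ports:
            findings.append(f"{r.name}: {width} ports open to any source; "
                            "restrict the source and narrow to the application's port")
    return findings

def audit_accounts(accounts):
    """Return account names still carrying the vendor default password."""
    return [user for user, pw in accounts.items() if DEFAULT_CREDENTIALS.get(user) == pw]
```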

Schertler and others also advocate implementing an intrusion-detection system (IDS). Intrusion detection monitors inbound and outbound traffic to identify any suspicious activity on the network.

"If your firewall has been hacked, well, you won't even know the hacker is there," Schertler says.

Users who have network access through intranets or extranets, or anyone who enters a network through a VPN connection, can easily launch denial-of-service attacks, adds Teré Bracco, director of network management at Current Analysis.

"Intrusion detection is not a big, expensive investment, but it's still something that most enterprises don't address until it's too late," she says.

One secret for successful use of an IDS is to keep its focus narrow. Configuring an IDS to scan most or all of a network can be tempting, but it could cause too big of a performance hit and should be avoided, Schertler advises. Instead, the IDS should focus on the applications and systems of most importance to the company. Where external security threats are a concern, an IDS should monitor network access points for immediate detection of a compromised network.

Of server clusters and SANs

As a company's reliance on its network increases, server farms are increasingly the design method of choice to handle mounting data loads. Designing flawless clustering is the pressure point, and flawless clustering can only come when network architects thoroughly understand the applications in use, experts say. Some applications can't operate in a distributed, multithreaded environment, so for them symmetric multiprocessing (SMP) servers are a waste of money.

"CPUs are good, but more CPUs aren't necessarily better," says Steve Shah, author of Linux Administration: A Beginner's Guide and manager of technical marketing at ClickArray Networks.

Verify that software is multithreaded by testing and comparing the application's performance on single- and double-CPU machines. To determine whether the multiprocessor server is distributing the data load properly, run the application on each server, generate a load against it and watch CPU utilization. The number of transactions per second handled by each server - viewable through the vmstat tool in Unix operating systems or the performance monitor under the Windows Task Manager in Windows operating systems - should increase in direct proportion to the number of processors in the system. A dual-CPU machine should handle nearly, if not exactly, twice as many transactions. Otherwise, several single-CPU servers might offer better performance than one large SMP server.

On the other hand, multithreaded processing may not be a performance panacea either.

"A common misconception is that more threads means more performance," Shah says. However, more threads also add more overhead, which can lead to diminishing returns. To assess that threshold, a similar performance test is required. Run an application on the server and add one thread at a time until the application consumes 100% of the CPU, monitoring with the operating system tools previously mentioned.

"The truth is that you only need enough threads to keep the CPU busy 100% of the time," Shah says.
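The two tests Shah describes, the single-versus-dual-CPU comparison and the add-a-thread-at-a-time ramp, reduce to a small analysis of the measured numbers. This added example (not Shah's code; all throughput and CPU figures are constructed) applies both rules to sample measurements and returns the thread count at which the CPU is saturated or the last thread added bought nothing.

```python
# Constructed measurements: transactions per second by CPU count.
SINGLE_VS_DUAL_GOOD = {1: 1200, 2: 2300}   # nearly doubles: application is multithreaded
SINGLE_VS_DUAL_BAD = {1: 1200, 2: 1350}    # barely moves: the second CPU is wasted

# Constructed thread ramp: (threads, transactions/sec, CPU utilization %), one thread added per run.
THREAD_RAMP = [(1, 400, 40), (2, 780, 78), (3, 1000, 96), (4, 1010, 97), (5, 1012, 97)]

def speedup(tps_by_cpus):
    """Throughput relative to the single-CPU run, per CPU count."""
    base = tps_by_cpus[1]
    return {n: round(tps / base, 2) for n, tps in sorted(tps_by_cpus.items())}

def scales_with_cpus(tps_by_cpus, min_efficiency=0.85):
    """True when every added CPU delivers at least min_efficiency of a full CPU's worth
    of throughput, i.e. a dual-CPU box handles close to twice the transactions."""
    return all(s / n >= min_efficiency for n, s in speedup(tps_by_cpus).items())

def enough_threads(runs, cpu_target=100.0, min_gain=0.05):
    """Walk the ramp in order. Stop at the first run that saturates the CPU; if instead
    the latest thread raised throughput by less than min_gain, the previous count was
    already enough (diminishing returns)."""
    prev_threads, prev_tps = None, None
    for threads, tps, cpu in runs:
        if cpu >= cpu_target:
            return threads
        if prev_tps is not None and (tps - prev_tps) / prev_tps < min_gain:
            return prev_threads
        prev_threads, prev_tps = threads, tps
    return prev_threads
```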

Understanding how certain applications interact in a given system will also help you design great SANs. Improperly deployed servers running Windows NT commonly jeopardize data integrity or even paralyze the SAN itself, says Joe Furmanski, manager of systems and planning at UPMC Health System in Pittsburgh.

Because NT is designed to allocate available storage to the server on which it resides, SAN servers installed with the operating system must be cordoned off through zoning or logical unit number (LUN) masking. Zoning refers to rules applied in a SAN switch that tell ports which storage devices they can access; masking lets servers see specific LUNs within the storage devices while hiding others.

"It wouldn't be cool if you reboot a server and the data wasn't there," Furmanski says.
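Zoning and LUN masking are two independent gates between a host and a disk, and the failure Furmanski warns about needs both to be loose. The model below is an added example, not UPMC's configuration or any vendor's API; zone names, port names and LUN numbers are constructed. It answers "which LUNs can this host see?" and, more usefully, "which LUNs can two hosts both see?", the condition under which a server that claims whatever storage it finds can trample another server's data.

```python
# Constructed SAN model. Zones: switch rules saying which host ports and storage ports
# may talk at all. Masks: per storage port, which LUNs each host is allowed to see.
ZONES = {
    "zone_nt_web": {"host_nt_web", "array_port_a"},
    "zone_unix_db": {"host_unix_db", "array_port_b"},
}
LUN_MASKS = {
    "array_port_a": {"host_nt_web": {0, 1}},
    "array_port_b": {"host_unix_db": {2, 3, 4}},
}

def visible_luns(host, zones, masks):
    """(port, lun) pairs the host can reach: it must share a zone with the storage
    port AND that port's mask must list it. Either control alone blocks access."""
    reachable = set()
    for members in zones.values():
        if host not in members:
            continue
        for port in members - {host}:
            for lun in masks.get(port, {}).get(host, set()):
                reachable.add((port, lun))
    return reachable

def shared_luns(hosts, zones, masks):
    """LUNs visible to more than one host: the overlap that lets one server's reboot
    or format take another server's data with it."""
    owners = {}
    for h in hosts:
        for key in visible_luns(h, zones, masks):
            owners.setdefault(key, set()).add(h)
    return {k: v for k, v in owners.items() if len(v) > 1}

# Sloppy variants for comparison: one flat zone for everything, and a port-b mask that
# has been widened to include the NT host.
SLOPPY_ZONES = {"zone_all": {"host_nt_web", "host_unix_db", "array_port_a", "array_port_b"}}
SLOPPY_MASKS = {
    "array_port_a": {"host_nt_web": {0, 1}},
    "array_port_b": {"host_unix_db": {2, 3, 4}, "host_nt_web": {2}},
}
```

With either the zones or the masks left intact the NT host still sees only its own two LUNs; only when both are loosened does LUN 2 on port b become shared.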

The best way to stay cool over the mind-boggling range of new technologies could be to drink up the experience of those who've gone before you.

Mendel is a freelance writer in San Francisco. He can be reached at brett@mendel.net

Copyright, 1994-2006 Network World, Inc. All rights reserved.