
These materials are © 2015 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Securing Hybrid Networks

Securing Hybrid Networks For Dummies®

Published by John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England

For details on how to create a custom For Dummies book for your business or organisation, contact CorporateDevelopment@wiley.com. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Visit our Home Page on www.customdummies.com

Copyright © 2015 by John Wiley & Sons, Ltd, Chichester, West Sussex, England

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London, W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England, or emailed to permreq@wiley.com, or faxed to (44) 1243 770620.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER, THE AUTHOR, AND ANYONE ELSE INVOLVED IN PREPARING THIS WORK MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

ISBN 978-1-119-10105-5 (pbk); 978-1-119-10107-9 (ebk)

Printed and bound in Great Britain by Page Bros, Norwich

10 9 8 7 6 5 4 3 2 1

Table of Contents

Introduction
    About This Book
    Foolish Assumptions
    How to Use This Book
    Icons Used in This Book
    Where to Go from Here

Chapter 1: Understanding Next-Generation Networks
    Connecting the World
        Introducing how networks work
        Understanding network architectures
    Deploying Hybrid Networks
        Speeding things up
        Staying secure
        Talking about network topologies
        Making the case for distributed networks
        Keeping traffic private via VPN
    Finding a Way Through Routing and Load Balancing
        Understanding routing protocols
        Considering load-balancing hybrid networks

Chapter 2: Running Efficient Hybrid Networks
    Balancing Cost, Performance and Security
        Identifying key business principles
        Addressing outage with SLAs
    Considering Your Network Configurations
        Discerning critical versus non-critical applications
        Scaling for growth and change
        Firing up your firewall knowledge

Chapter 3: Managing Hybrid Connection Challenges
    Managing Network Connections for Optimal Performance
        Prioritizing traffic with QoS
        Balancing load between ISPs
        Activating dormant links
    Considering Costs
        Using consumer grade connections
        Estimating a budget
    Keeping Your Network Safe
        Preventing eavesdropping
        Demystifying VPN protocols

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    Meeting Multi-Link Technology
        Prioritizing links
        Seeing multi-link prioritization in action
        Aggregating links
        Joining together for security
    Load Balancing with Multi-Link
        Rethinking the ratio method
        Getting logical, though fuzzily
    Keeping Watch over Hybrid Networks
        Proving a success
        Solving a real-world issue

Chapter 5: Ten Top Tips for Managing Hybrid Connections
    What's the Role of the Network in My Business?
    What are the Connectivity Solutions Used in My Network?
    Do I Need a Service Level Agreement?
    What are the Availability Stats of My Most Important Applications?
    Is the Data Transmitted via My Network Secure?
    Am I Equipped for Increasing Volumes of Traffic?
    How much Time do I Spend on Configurations?
    Am I Always Using the Fastest Connection?
    Do I Sometimes Prioritize Performance over Security?
    Can I See All Connections Across My Network in Real-Time?

Introduction

Welcome to Securing Hybrid Networks For Dummies, your guide to modern network usage in large or distributed information technology (IT) environments.

The 21st century is characterized by important developments in IT that bear significant implications for business operations. Everyone wants to benefit from dynamic environments that adapt to the complex needs for exchanges between people, hardware and software. The constant business drive for lower costs everywhere affects even network connectivity. Adding security to low-cost networks tends to become an issue. Reading about network facts, signs and symptoms is a great idea if you want to understand how to manage all types of network connections securely and efficiently, which is where this book comes in.

We dissect information networks and place them in the context of a developing infrastructure where technology has a strong hand in shaping business processes. Our analysis walks you through the points to address so that core network operations don't monopolize the time that you'd most certainly rather spend on the center of interest specific to your organization.

About This Book

This book provides an overview of how to secure digital networks and takes a deep dive into complex infrastructures that deploy different methods of connectivity. We cover the basics to set the context, as well as explore the typical developments that influence the way operations are run in a secure online environment. Some useful reminders punctuate the sections to help you to keep in touch with frequently encountered acronyms and technical vocabulary.

We urge you to appropriate this book as your own. Feel free to annotate the general facts with your specific inputs, pencil in reminders to yourself about things to check on your own network or with your colleagues, and generally use the content in the richest and most interactive way possible.

Foolish Assumptions

While writing this book, we made some assumptions about you:

You're part of a large or mid-sized organization where some of or all the activity is digital.

You're familiar with IT and have some knowledge of how operations are managed in your organization.

You're interested in understanding what different options you can use to manage a growing network.

You have a proactive approach to IT and want to discover how to keep abreast of changing and disparate technologies.

How to Use This Book

We structure Securing Hybrid Networks For Dummies into five chapters that discuss general knowledge and teachings as well as more focused investigations. Here's an overview of what you can expect:

Chapter 1: Understanding Next-Generation Networks. A concise presentation of how networks are built and maintained. We describe aspects such as architecture, topology, traffic isolation and optimization, and we map them to the concept of evolved networks.

Chapter 2: Running Efficient Hybrid Networks. Starts with some background on business needs within the context of complex networks. This chapter unites insights from different sectors to provide a microscopic view of the status quo within large-network organizations.

Chapter 3: Managing Hybrid Connection Challenges. Analyzes the network management requirements that can ultimately streamline complex traffic flows, ensure the best levels of security and reduce unnecessary or hidden costs.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology. Looks at the unique responses provided by Stonesoft Next Generation Firewall. Several real-life situations serve to illustrate how expanded network challenges were solved.

Chapter 5: Ten Top Tips for Managing Hybrid Networks. Provides practical pointers in the form of revealing questions which you can use to assess your network needs and deploy appropriate measures in response to those needs.

Icons Used in This Book

We use the following icons to highlight key text so that you can navigate easily to the most useful information.

This icon draws your attention to top-notch advice.

Here we highlight important information for you to bear in mind.

Watch out for these potential pitfalls.

Where to Go from Here

You can use this book however you like. By all means take the traditional route and read it straight through from start to finish. Or you can skip between sections or chapters, using the headings as your guide to pinpoint the information you need. Whichever way you read it, you can't go wrong. All paths lead to the same outcome: a better grasp of how the right technology works to make large and diversified networks more agile and more secure.

Chapter 1: Understanding Next-Generation Networks

In This Chapter
    Introducing networks
    Growing a hybrid network
    Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.


Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer operating protocol mainly used for the Internet. The four layers are Application, Host, Internet and Network. An IP address is a unique number that identifies a computer connected to a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2, we mean the Data layer.


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be to the era of terabit Ethernet (1000 Gbps, yikes!).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network

Network Component    Purpose

Computer
    Machine that stocks and processes digital information. A server stocks resources or provides a service, and a client uses the service.

Network Interface Card (NIC)
    Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless
    Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.

Hub
    A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.

Switch
    A selective hub. Network traffic only goes where it needs to rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router
    A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.

Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th-generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered as private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.

Star: All machines are connected to a central node that can be a hub or a switch. This widely-used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where all data was received by a central server that subsequently dispatched information to appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices, and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain with a positive price/performance ratio.

Management of remote locations and users.

Capacity to share information and resources.

High availability is a systematic feature.

Designed to adapt to change and growth.

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate with each other and/or with a central site in a secure and reliable way.

Business and bandwidth-centered daily activity depend entirely on Internet Service Provider (ISP) connections.

The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid, that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or Cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet-based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed on the VPN connection at the central site.

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a VPN connection from site-to-site would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address to connect to the VPN portal would suffice.


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.
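The encapsulation described in 'Keeping traffic private via VPN' and the two properties claimed just above (a sniffer cannot read the packets, and the gateway detects modification), as an added example that is not part of the original book: a minimal tunnel in Go that seals a constructed inner packet inside a carrier record with AES-GCM. The packet layout, the pre-shared key and the sequence-number nonce are assumptions made for illustration, not a real VPN protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// InnerPacket is a constructed stand-in for the packet a VPN client wants
// delivered to the corporate site; it is not a real protocol format.
type InnerPacket struct {
	Src, Dst [4]byte
	Payload  []byte
}

func (p InnerPacket) marshal() []byte {
	b := make([]byte, 0, 8+len(p.Payload))
	b = append(b, p.Src[:]...)
	b = append(b, p.Dst[:]...)
	return append(b, p.Payload...)
}

func unmarshalInner(b []byte) (InnerPacket, error) {
	if len(b) < 8 {
		return InnerPacket{}, errors.New("inner packet too short")
	}
	var p InnerPacket
	copy(p.Src[:], b[:4])
	copy(p.Dst[:], b[4:8])
	p.Payload = append([]byte(nil), b[8:]...)
	return p, nil
}

// Tunnel is one direction of a VPN tunnel. Both endpoints hold the same key;
// it is assumed pre-shared here (a real VPN negotiates it with IKE or TLS).
type Tunnel struct {
	aead cipher.AEAD
}

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// nonceFor derives the 12-byte GCM nonce from the sequence number. A nonce
// must never repeat under one key, so each seq is used exactly once.
func (t *Tunnel) nonceFor(seq uint64) []byte {
	n := make([]byte, t.aead.NonceSize())
	binary.BigEndian.PutUint64(n[len(n)-8:], seq)
	return n
}

// Encapsulate builds the carrier record: seq (8 bytes, cleartext) ||
// AES-GCM ciphertext || 16-byte tag. The sequence number stays readable
// but is authenticated as associated data, so altering it is detected too.
func (t *Tunnel) Encapsulate(seq uint64, p InnerPacket) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, seq)
	return t.aead.Seal(hdr, t.nonceFor(seq), p.marshal(), hdr)
}

// Decapsulate is the gateway side: verify the tag, then decrypt. Any modified
// byte (header, ciphertext or tag) makes verification fail.
func (t *Tunnel) Decapsulate(carrier []byte) (uint64, InnerPacket, error) {
	if len(carrier) < 8+t.aead.Overhead() {
		return 0, InnerPacket{}, errors.New("carrier packet too short")
	}
	hdr, ct := carrier[:8], carrier[8:]
	seq := binary.BigEndian.Uint64(hdr)
	plain, err := t.aead.Open(nil, t.nonceFor(seq), ct, hdr)
	if err != nil {
		return 0, InnerPacket{}, fmt.Errorf("packet rejected: %w", err)
	}
	p, err := unmarshalInner(plain)
	return seq, p, err
}

func main() {
	tun, _ := NewTunnel(bytes.Repeat([]byte{0x42}, 32)) // constructed demo key
	pkt := InnerPacket{Src: [4]byte{10, 0, 0, 5}, Dst: [4]byte{10, 1, 0, 20},
		Payload: []byte("GET /payroll HTTP/1.1")} // constructed sample traffic
	carrier := tun.Encapsulate(1, pkt)
	fmt.Println("payload visible to a sniffer:", bytes.Contains(carrier, pkt.Payload))
	_, got, err := tun.Decapsulate(carrier)
	fmt.Printf("gateway received %q (err=%v)\n", got.Payload, err)
	carrier[len(carrier)-1] ^= 0x01 // in-flight modification
	_, _, err = tun.Decapsulate(carrier)
	fmt.Println("modified packet:", err)
}
```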

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available, and that you make use of all of the routes all of the time. To keep your network secure and running with a combination of routes requires complex routing and complex load-balancing.
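The multi-route idea just described (an alternative route when the primary fails, and all healthy routes in use all of the time) together with the two-ISP VPN failover mentioned earlier, as an added example that is not from the original book: a Go link selector that keeps primary-tier links busy by weighted round-robin and drops to a backup tier only when every primary link has failed its health probes. Link names, weights and the probe threshold are constructed values.

```go
package main

import (
	"errors"
	"fmt"
)

// Link is one ISP connection of a hybrid network. Priority 0 is the primary
// tier; Weight shares traffic within a tier (constructed: 4 cable, 1 DSL).
type Link struct {
	Name     string
	Priority int
	Weight   int
	failures int // consecutive failed health probes
}

// FailThreshold: probes that must fail in a row before a link is taken out of service (assumed).
const FailThreshold = 3

func (l *Link) Healthy() bool { return l.failures < FailThreshold }

// Selector uses all healthy links of the best tier all of the time and
// falls back to the next tier only when that tier has no healthy link left.
type Selector struct {
	links   []*Link
	current map[*Link]int // smooth weighted round-robin state
}

func NewSelector(links ...*Link) *Selector {
	return &Selector{links: links, current: make(map[*Link]int)}
}

// Probe records one health-check result for the named link.
func (s *Selector) Probe(name string, ok bool) {
	for _, l := range s.links {
		if l.Name != name {
			continue
		}
		if ok {
			l.failures = 0
		} else {
			l.failures++
		}
	}
}

// Candidates returns the healthy links of the best tier that still has one.
func (s *Selector) Candidates() []*Link {
	var out []*Link
	for _, l := range s.links {
		if !l.Healthy() {
			continue
		}
		if len(out) == 0 || l.Priority < out[0].Priority {
			out = []*Link{l}
		} else if l.Priority == out[0].Priority {
			out = append(out, l)
		}
	}
	return out
}

// Next picks the egress link for the next flow by smooth weighted round-robin:
// each candidate gains its Weight, the highest wins and is charged the total.
func (s *Selector) Next() (*Link, error) {
	cands := s.Candidates()
	if len(cands) == 0 {
		return nil, errors.New("no healthy link: every ISP connection is down")
	}
	total, best := 0, (*Link)(nil)
	for _, l := range cands {
		s.current[l] += l.Weight
		total += l.Weight
		if best == nil || s.current[l] > s.current[best] {
			best = l
		}
	}
	s.current[best] -= total
	return best, nil
}

func main() {
	s := NewSelector(
		&Link{Name: "cable", Priority: 0, Weight: 4},
		&Link{Name: "dsl", Priority: 0, Weight: 1},
		&Link{Name: "4g", Priority: 1, Weight: 1}, // backup tier only
	)
	for i := 0; i < 5; i++ {
		l, _ := s.Next()
		fmt.Print(l.Name, " ")
	}
	for i := 0; i < FailThreshold; i++ { // cable and DSL both stop answering
		s.Probe("cable", false)
		s.Probe("dsl", false)
	}
	l, err := s.Next()
	fmt.Println("\nafter failures:", l.Name, err)
}
```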

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP), Hot Standby Routing Protocol (HSRP) and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs – and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires attaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter

Producing a smooth‐running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the trade-off between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:

Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.

Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they're social networks or e‐learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.

Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost‐effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest – unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2, we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.

Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive, and contracts can be long and binding.

Here we look at how you can put together a more cost‐effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work with the best‐effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses, because they're cheap and can offer high‐speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high‐speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high‐quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower‐priority traffic to cheap links and reserve high‐quality lines for high‐priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status to all high‐quality links. In case of congestion or failure, they start automatically using backup high‐quality links for high‐priority traffic. This approach saves costs, because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high‐priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore as good as the correct configuration in each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it's already heavily employed in online shopping and banking. SSL protected pages display 'https' in the browser URL bar, as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.

Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre‐configured client side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use‐case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.


Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section, we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running – efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren't reserved for high‐priority traffic.

Often, companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or low‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.

The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive and high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
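The sample configuration above, together with the QoS behaviour described under 'Prioritizing links' and in Chapter 3, as an added simulation written for this page (not Forcepoint's or Stonesoft's code): the link capacities, traffic demands and the per‐priority link preference order (including ADSL as a failover path for SAP when MPLS is down) are constructed assumptions.

```python
"""Simulates Multi-Link style link selection with QoS priorities.

Added example for this page, not code from Forcepoint or the Stonesoft Next
Generation Firewall. Capacities, demands and the preference order below are
constructed sample values that model the retail company's configuration:
  SAP  = priority 1 = forced onto MPLS (ADSL only as failover when MPLS is down)
  HTTP = priority 4 = ADSL first, then any free capacity left on MPLS
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Link:
    name: str
    capacity: float          # Mbps (constructed)
    up: bool = True
    used: float = 0.0

    def free(self) -> float:
        """Spare capacity on the link; a failed link offers nothing."""
        return self.capacity - self.used if self.up else 0.0


@dataclass
class Flow:
    app: str
    priority: int            # 1 = highest (SAP), 4 = best effort (HTTP)
    demand: float            # Mbps the application wants to send


# Constructed preference order per QoS priority: the first link is the
# "forced"/preferred one; later links are used only when it has no free
# capacity (congestion) or is down (failover).
PREFERENCES: Dict[int, List[str]] = {
    1: ["MPLS", "ADSL"],
    4: ["ADSL", "MPLS"],
}


def place_flows(links: Dict[str, Link], flows: List[Flow],
                prefs: Dict[int, List[str]]
                ) -> Tuple[Dict[str, Dict[str, float]], Dict[str, float]]:
    """Assign each flow's demand to links, highest priority first.

    Returns (placed, throttled): placed[app][link] is the Mbps carried on
    that link; throttled[app] is the Mbps that found no room anywhere.
    Placing priority 1 before priority 4 is what guarantees SAP its
    bandwidth: HTTP only ever gets what is left over.
    """
    for link in links.values():
        link.used = 0.0
    placed: Dict[str, Dict[str, float]] = {}
    throttled: Dict[str, float] = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        remaining = flow.demand
        for name in prefs[flow.priority]:
            share = min(remaining, links[name].free())
            if share <= 0:
                continue            # link full or down: try the next one
            links[name].used += share
            placed.setdefault(flow.app, {})[name] = share
            remaining -= share
            if remaining <= 0:
                break
        if remaining > 0:
            throttled[flow.app] = remaining   # lower priority has to wait
    return placed, throttled


def utilization(links: Dict[str, Link]) -> Dict[str, float]:
    """Percentage of each link's capacity in use (0 for a link that is down)."""
    return {n: (l.used * 100.0 / l.capacity if l.up else 0.0)
            for n, l in links.items()}


def retail_scenario(mpls_up: bool, http_demand: float):
    """One office of the retail case: 10 Mbps MPLS + 20 Mbps ADSL
    (constructed), 6 Mbps of SAP traffic and a variable HTTP load."""
    links = {"MPLS": Link("MPLS", 10.0, up=mpls_up),
             "ADSL": Link("ADSL", 20.0)}
    flows = [Flow("SAP", 1, 6.0), Flow("HTTP", 4, http_demand)]
    placed, throttled = place_flows(links, flows, PREFERENCES)
    return placed, throttled, utilization(links)


if __name__ == "__main__":
    for label, up, http in [("normal load", True, 22.0),
                            ("peak hour", True, 30.0),
                            ("MPLS outage", False, 22.0)]:
        placed, throttled, util = retail_scenario(up, http)
        print(f"{label}: placed={placed} throttled={throttled} util={util}")
```

In the peak-hour case the MPLS link reaches 100 per cent use while only HTTP is throttled; in the outage case SAP keeps its full 6 Mbps on ADSL and HTTP absorbs the whole shortfall.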

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Securing Hybrid Networks For Dummies 36With the preferred link selection provided by Stonesoft Next Generation Firewall the QoS functionality allows control over how each application uses the available bandwidth resources Mission‐critical applications can be placed on links that pro-vide high priority with low latency while all other applica-tions are placed on the links that have available bandwidth or provide best effort

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business first, so you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
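As an added illustration of the placement policy described above (this is example code written for this page, not the book's or Forcepoint's own implementation), the following model places flows by priority class: SAP is forced onto the MPLS link, HTTP prefers ADSL but may spill onto free MPLS capacity. Link names, capacities and flow sizes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    """A WAN link with a nominal capacity and the traffic already placed on it."""
    name: str
    capacity_kbps: int
    used_kbps: int = 0

    def free_kbps(self) -> int:
        return max(self.capacity_kbps - self.used_kbps, 0)


@dataclass
class ClassPolicy:
    """Per-application QoS policy: a lower priority number wins; a forced link
    is mandatory, a preferred link is tried first but may be bypassed."""
    priority: int
    forced_link: Optional[str] = None
    preferred_link: Optional[str] = None


# Constructed policy mirroring the book's sample configuration:
# SAP = priority 1, forced on MPLS; HTTP = priority 4, normally on ADSL.
POLICIES: Dict[str, ClassPolicy] = {
    "sap": ClassPolicy(priority=1, forced_link="mpls"),
    "http": ClassPolicy(priority=4, preferred_link="adsl"),
}


def place_flows(links: List[Link], flows: List[Tuple[str, str, int]],
                policies: Dict[str, ClassPolicy] = POLICIES) -> Dict[str, str]:
    """Assign each (flow_id, app, kbps) flow to exactly one link.

    Flows are placed in priority order so mission-critical traffic claims its
    link before best-effort traffic. Forced traffic always lands on its link
    (QoS queues it there if the link is saturated). Best-effort traffic goes
    to its preferred link when that has room, otherwise to whichever other
    link has the most free capacity, and only as a last resort is it
    oversubscribed onto the preferred link.
    """
    by_name = {link.name: link for link in links}
    placement: Dict[str, str] = {}
    ordered = sorted(flows, key=lambda f: policies[f[1]].priority)
    for flow_id, app, kbps in ordered:
        pol = policies[app]
        if pol.forced_link is not None:
            target = by_name[pol.forced_link]
        else:
            preferred = by_name[pol.preferred_link] if pol.preferred_link else None
            if preferred is not None and preferred.free_kbps() >= kbps:
                target = preferred
            else:
                # Spill-over: any other link with enough headroom, largest first.
                candidates = [l for l in links
                              if l is not preferred and l.free_kbps() >= kbps]
                if candidates:
                    target = max(candidates, key=Link.free_kbps)
                elif preferred is not None:
                    target = preferred          # best effort, oversubscribed
                else:
                    target = max(links, key=Link.free_kbps)
        target.used_kbps += kbps
        placement[flow_id] = target.name
    return placement


def demo_placement() -> Dict[str, str]:
    """Constructed scenario: a 2 Mbit/s MPLS link and an 8 Mbit/s ADSL link."""
    links = [Link("mpls", 2000), Link("adsl", 8000)]
    flows = [
        ("http1", "http", 6000),
        ("sap1", "sap", 500),
        ("http2", "http", 1000),
        ("sap2", "sap", 500),
        ("http3", "http", 900),
        ("http4", "http", 800),   # ADSL full: uses free MPLS capacity
        ("http5", "http", 5000),  # fits nowhere: oversubscribed on ADSL
    ]
    return place_flows(links, flows)


if __name__ == "__main__":
    for flow, link in demo_placement().items():
        print(f"{flow:6s} -> {link}")
```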

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States and one of its sales offices in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds that of the other connections being used and is supplemented by smaller ISPs, a smaller ISP may return a faster SYN-ACK (synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
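The ratio method above, as an added example written for this page (not the book's or Forcepoint's implementation): each link's weight is its capacity relative to the largest link, connections are pinned to a link by a hash of their 5-tuple, and a deviation measure shows the observed split approaching the capacity ratio as the number of connections grows. Link capacities and flow keys are constructed.

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, List


def ratio_weights(capacities_kbps: Dict[str, int]) -> Dict[str, float]:
    """Compare every link with the largest one: the biggest link gets 1.0,
    a link with half its bandwidth 0.5, and so on."""
    top = max(capacities_kbps.values())
    return {name: cap / top for name, cap in capacities_kbps.items()}


def expected_shares(capacities_kbps: Dict[str, int]) -> Dict[str, float]:
    """Share of connections each link should carry if the ratio held exactly."""
    total = sum(capacities_kbps.values())
    return {name: cap / total for name, cap in capacities_kbps.items()}


def choose_link(flow_key: str, weights: Dict[str, float]) -> str:
    """Weighted choice driven by a hash of the connection's 5-tuple, so every
    packet of one connection keeps using the same link (no reordering)."""
    digest = hashlib.sha256(flow_key.encode()).digest()
    # Map 8 digest bytes onto [0, total weight) and walk the cumulative ranges.
    point = int.from_bytes(digest[:8], "big") / 2 ** 64 * sum(weights.values())
    cumulative = 0.0
    names = sorted(weights)
    for name in names:
        cumulative += weights[name]
        if point < cumulative:
            return name
    return names[-1]  # guards against floating-point rounding at the top edge


def observed_shares(flow_keys: Iterable[str],
                    capacities_kbps: Dict[str, int]) -> Dict[str, float]:
    """Fraction of the given connections that landed on each link."""
    weights = ratio_weights(capacities_kbps)
    keys = list(flow_keys)
    counts = Counter(choose_link(k, weights) for k in keys)
    return {name: counts[name] / len(keys) for name in capacities_kbps}


def constructed_flows(n: int) -> List[str]:
    """n constructed client connections to one server (RFC 5737 test addresses)."""
    return [f"tcp 192.0.2.{i % 250 + 1}:{40000 + i}->203.0.113.10:443"
            for i in range(n)]


def max_deviation(n_flows: int, capacities_kbps: Dict[str, int]) -> float:
    """Largest gap between observed and expected share across all links."""
    obs = observed_shares(constructed_flows(n_flows), capacities_kbps)
    exp = expected_shares(capacities_kbps)
    return max(abs(obs[name] - exp[name]) for name in capacities_kbps)


# Constructed link set: one 100 Mbit/s MPLS link and two smaller ADSL links.
LINKS = {"mpls": 100_000, "adsl1": 50_000, "adsl2": 25_000}

if __name__ == "__main__":
    print("weights:", ratio_weights(LINKS))
    print("expected shares:", expected_shares(LINKS))
    for n in (7, 70, 700, 20_000):
        print(f"{n:6d} connections: max deviation from capacity ratio "
              f"= {max_deviation(n, LINKS):.3f}")
```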

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
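An added worked example of the fuzzy-logic pipeline just described (input variables, fuzzy sets, rules, output variable, de-fuzzification), written for this page and not taken from the book or from Forcepoint's product: link load and packet loss are fuzzified, two rules decide how 'good' or 'poor' a link is, and a weighted average yields a health score used to pick which links traffic should be moved away from. All membership thresholds, rules and sample measurements are constructed.

```python
from typing import Dict, List, Tuple


def ramp_down(x: float, full: float, zero: float) -> float:
    """Membership that is 1.0 up to `full` and falls linearly to 0.0 at `zero`."""
    if x <= full:
        return 1.0
    if x >= zero:
        return 0.0
    return (zero - x) / (zero - full)


def ramp_up(x: float, zero: float, full: float) -> float:
    """Membership that is 0.0 up to `zero` and rises linearly to 1.0 at `full`."""
    if x <= zero:
        return 0.0
    if x >= full:
        return 1.0
    return (x - zero) / (full - zero)


def fuzzify(load_pct: float, loss_pct: float) -> Dict[str, float]:
    """Input variables -> degrees of membership in constructed fuzzy sets."""
    return {
        "load_low": ramp_down(load_pct, 30, 60),     # comfortably loaded
        "load_high": ramp_up(load_pct, 50, 90),      # approaching saturation
        "loss_low": ramp_down(loss_pct, 0.5, 3.0),   # healthy packet loss
        "loss_high": ramp_up(loss_pct, 1.0, 5.0),    # link going bad
    }


# Output variable "health", one singleton value per linguistic term.
HEALTH_TERMS = {"good": 1.0, "fair": 0.5, "poor": 0.0}


def link_health(load_pct: float, loss_pct: float) -> float:
    """Apply the rules (AND = min, OR = max) and de-fuzzify by weighted average.

    Returns a degree of truth for 'this link is healthy' between 0.0 and 1.0.
    """
    m = fuzzify(load_pct, loss_pct)
    good = min(m["load_low"], m["loss_low"])     # IF load low AND loss low
    poor = max(m["load_high"], m["loss_high"])   # IF load high OR loss high
    fair = min(1.0 - good, 1.0 - poor)           # neither clearly good nor poor
    weights = {"good": good, "fair": fair, "poor": poor}
    total = sum(weights.values())
    if total == 0.0:                             # defensive; cannot happen with these sets
        return 0.5
    return sum(w * HEALTH_TERMS[t] for t, w in weights.items()) / total


def links_to_drain(links: Dict[str, Tuple[float, float]],
                   threshold: float = 0.5) -> List[str]:
    """Links whose health fell below the threshold: traffic should be moved
    away from these to the remaining valid links. `links` maps a link name
    to its (load_pct, loss_pct) measurement."""
    return sorted(name for name, (load, loss) in links.items()
                  if link_health(load, loss) < threshold)


if __name__ == "__main__":
    # Constructed measurements: a quiet MPLS link and two degrading ADSL links.
    sample = {"mpls": (10.0, 0.0), "adsl1": (70.0, 2.0), "adsl2": (95.0, 5.0)}
    for name, (load, loss) in sample.items():
        print(f"{name}: load={load}% loss={loss}% health={link_health(load, loss):.2f}")
    print("drain:", links_to_drain(sample))
```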

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised by how networks change and grow, and they can take you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs

What Are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2


What Are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in a position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.


Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER, THE AUTHOR, AND ANYONE ELSE INVOLVED IN PREPARING THIS WORK MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

ISBN 978-1-119-10105-5 (pbk); 978-1-119-10107-9 (ebk)

Printed and bound in Great Britain by Page Bros, Norwich.


Table of Contents

Introduction 1
  About This Book 1
  Foolish Assumptions 2
  How to Use This Book 2
  Icons Used in This Book 3
  Where to Go from Here 3

Chapter 1: Understanding Next-Generation Networks 5
  Connecting the World 6
    Introducing how networks work 6
    Understanding network architectures 7
  Deploying Hybrid Networks 9
    Speeding things up 9
    Staying secure 10
    Talking about network topologies 10
    Making the case for distributed networks 12
    Keeping traffic private via VPN 13
  Finding a Way Through Routing and Load Balancing 15
    Understanding routing protocols 15
    Considering load-balancing hybrid networks 16

Chapter 2: Running Efficient Hybrid Networks 19
  Balancing Cost, Performance and Security 19
    Identifying key business principles 20
    Addressing outage with SLAs 21
  Considering Your Network Configurations 22
    Discerning critical versus non-critical applications 22
    Scaling for growth and change 23
    Firing up your firewall knowledge 24

Chapter 3: Managing Hybrid Connection Challenges 25
  Managing Network Connections for Optimal Performance 25
    Prioritizing traffic with QoS 26
    Balancing load between ISPs 26
    Activating dormant links 27
  Considering Costs 27
    Using consumer grade connections 28
    Estimating a budget 29
  Keeping Your Network Safe 29
    Preventing eavesdropping 30
    Demystifying VPN protocols 30

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology 33
  Meeting Multi-Link Technology 34
    Prioritizing links 34
    Seeing multi-link prioritization in action 34
    Aggregating links 36
    Joining together for security 37
  Load Balancing with Multi-Link 38
    Rethinking the ratio method 39
    Getting logical though fuzzily 39
  Keeping Watch over Hybrid Networks 40
    Proving a success 40
    Solving a real-world issue 41

Chapter 5: Ten Top Tips for Managing Hybrid Connections 43
  What's the Role of the Network in My Business? 44
  What Are the Connectivity Solutions Used in My Network? 44
  Do I Need a Service Level Agreement? 44
  What Are the Availability Stats of My Most Important Applications? 45
  Is the Data Transmitted via My Network Secure? 45
  Am I Equipped for Increasing Volumes of Traffic? 45
  How Much Time Do I Spend on Configurations? 46
  Am I Always Using the Fastest Connection? 46
  Do I Sometimes Prioritize Performance over Security? 46
  Can I See All Connections Across My Network in Real Time? 47

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Introduction

Welcome to Securing Hybrid Networks For Dummies, your guide to modern network usage in large or distributed information technology (IT) environments.

The 21st century is characterized by important developments in IT that bear significant implications for business operations. Everyone wants to benefit from dynamic environments that adapt to the complex needs for exchanges between people, hardware and software. The constant business drive for lower costs everywhere affects even network connectivity. Adding security to low-cost networks tends to become an issue. Reading about network facts, signs and symptoms is a great idea if you want to understand how to manage all types of network connections securely and efficiently, which is where this book comes in.

We dissect information networks and place them in the context of a developing infrastructure where technology has a strong hand in shaping business processes. Our analysis walks you through the points to address so that core network operations don't monopolize the time that you'd most certainly rather spend on the center of interest specific to your organization.

About This Book

This book provides an overview of how to secure digital networks and takes a deep dive into complex infrastructures that deploy different methods of connectivity. We cover the basics to set the context, as well as explore the typical developments that influence the way operations are run in a secure online environment. Some useful reminders punctuate the sections to help you to keep in touch with frequently encountered acronyms and technical vocabulary.

We urge you to appropriate this book as your own. Feel free to annotate the general facts with your specific inputs, pencil in reminders to yourself about things to check on your own network or with your colleagues, and generally use the content in the richest and most interactive way possible.

Foolish Assumptions

While writing this book, we made some assumptions about you:

You're part of a large or mid-sized organization where some or all of the activity is digital.

You're familiar with IT and have some knowledge of how operations are managed in your organization.

You're interested in understanding what different options you can use to manage a growing network.

You have a proactive approach to IT and want to discover how to keep abreast of changing and disparate technologies.

How to Use This Book

We structure Securing Hybrid Networks For Dummies into five chapters that discuss general knowledge and teachings as well as more focused investigations. Here's an overview of what you can expect:

Chapter 1: Understanding Next-Generation Networks. A concise presentation of how networks are built and maintained. We describe aspects such as architecture, topology, traffic isolation and optimization, and we map them to the concept of evolved networks.

Chapter 2: Running Efficient Hybrid Networks. Starts with some background on business needs within the context of complex networks. This chapter unites insights from different sectors to provide a microscopic view of the status quo within large-network organizations.

Chapter 3: Managing Hybrid Connection Challenges. Analyzes the network management requirements that can ultimately streamline complex traffic flows, ensure the best levels of security and reduce unnecessary or hidden costs.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology. Looks at the unique responses provided by Stonesoft Next Generation Firewall. Several real-life situations serve to illustrate how expanded network challenges were solved.

Chapter 5: Ten Top Tips for Managing Hybrid Networks. Provides practical pointers in the form of revealing questions, which you can use to assess your network needs and deploy appropriate measures in response to those needs.

Icons Used in This Book

We use the following icons to highlight key text so that you can navigate easily to the most useful information:

This icon draws your attention to top-notch advice.

Here we highlight important information for you to bear in mind.

Watch out for these potential pitfalls.

Where to Go from Here

You can use this book however you like. By all means take the traditional route and read it straight through from start to finish. Or you can skip between sections or chapters, using the headings as your guide to pinpoint the information you need. Whichever way you read it, you can't go wrong. All paths lead to the same outcome: a better grasp of how the right technology works to make large and diversified networks more agile and more secure.


Chapter 1

Understanding Next-Generation Networks

In This Chapter

Introducing networks

Growing a hybrid network

Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.


Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer operating protocol mainly used for the Internet. The four layers are Application, Host, Internet and Network. An IP address is a unique number that identifies a computer connected to a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2 we mean the Data layer.
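To make the layering concrete, here is an added example in Go (not code from the book) that builds a constructed Ethernet frame carrying an IPv4 packet and a TCP segment, then peels it one header at a time: the Ethernet header is the Layer 2 (Data) information, the IP header is Layer 3 (Network), the TCP header is Layer 4 (Transport), and whatever is left is payload for the layers above. The addresses, ports and payload are made up for the example. The dissector checks each header's length fields before trusting them, which is how an inspection device avoids being misled by a truncated or malformed packet.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Layers: what each header of a frame contributes, in the book's OSI numbering:
// Layer 2 (Data), Layer 3 (Network), Layer 4 (Transport); the rest is payload.
type Layers struct {
	SrcMAC, DstMAC   string // Layer 2: Ethernet
	EtherType        uint16
	SrcIP, DstIP     string // Layer 3: IPv4
	Protocol         uint8
	SrcPort, DstPort uint16 // Layer 4: TCP
	Payload          []byte // Layers 5-7
}

// Dissect peels an Ethernet II frame carrying IPv4 and TCP one header at a
// time; each layer validates its own lengths, then hands the rest upward.
func Dissect(frame []byte) (Layers, error) {
	var l Layers
	if len(frame) < 14 {
		return l, errors.New("frame too short for Ethernet header")
	}
	l.DstMAC = net.HardwareAddr(frame[0:6]).String()
	l.SrcMAC = net.HardwareAddr(frame[6:12]).String()
	l.EtherType = binary.BigEndian.Uint16(frame[12:14])
	if l.EtherType != 0x0800 {
		return l, fmt.Errorf("not IPv4: EtherType 0x%04x", l.EtherType)
	}
	ip := frame[14:]
	if len(ip) < 20 {
		return l, errors.New("truncated IPv4 header")
	}
	ihl := int(ip[0]&0x0f) * 4 // header length in bytes
	totalLen := int(binary.BigEndian.Uint16(ip[2:4]))
	if ip[0]>>4 != 4 || ihl < 20 || totalLen < ihl || totalLen > len(ip) {
		return l, errors.New("malformed IPv4 header or total length")
	}
	l.Protocol = ip[9]
	l.SrcIP = net.IP(ip[12:16]).String()
	l.DstIP = net.IP(ip[16:20]).String()
	if l.Protocol != 6 {
		return l, fmt.Errorf("not TCP: IP protocol %d", l.Protocol)
	}
	tcp := ip[ihl:totalLen]
	if len(tcp) < 20 {
		return l, errors.New("truncated TCP header")
	}
	dataOff := int(tcp[12]>>4) * 4
	if dataOff < 20 || dataOff > len(tcp) {
		return l, errors.New("malformed TCP data offset")
	}
	l.SrcPort = binary.BigEndian.Uint16(tcp[0:2])
	l.DstPort = binary.BigEndian.Uint16(tcp[2:4])
	l.Payload = tcp[dataOff:]
	return l, nil
}

// SampleFrame builds a constructed frame (not captured traffic): Ethernet ->
// IPv4 10.0.0.5 to 192.0.2.10 -> TCP 40000 to 443 -> "hello". Checksums are
// left zero; the dissector does not verify them.
func SampleFrame() []byte {
	payload := []byte("hello")
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], 40000)
	binary.BigEndian.PutUint16(tcp[2:4], 443)
	tcp[12] = 5 << 4 // data offset: 5 words = 20 bytes, no options
	tcp[13] = 0x02   // SYN
	ip := make([]byte, 20)
	ip[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(ip[2:4], uint16(len(ip)+len(tcp)+len(payload)))
	ip[8] = 64 // TTL
	ip[9] = 6  // protocol: TCP
	copy(ip[12:16], net.IPv4(10, 0, 0, 5).To4())
	copy(ip[16:20], net.IPv4(192, 0, 2, 10).To4())
	frame := []byte{
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, // destination MAC
		0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, // source MAC
		0x08, 0x00, // EtherType: IPv4
	}
	frame = append(frame, ip...)
	frame = append(frame, tcp...)
	return append(frame, payload...)
}

func main() {
	l, err := Dissect(SampleFrame())
	if err != nil {
		panic(err)
	}
	fmt.Printf("L2 %s -> %s\nL3 %s -> %s\nL4 %d -> %d\npayload %q\n",
		l.SrcMAC, l.DstMAC, l.SrcIP, l.DstIP, l.SrcPort, l.DstPort, l.Payload)
}
```

Running it prints one line per layer. Cutting the sample frame short makes Dissect return an error instead of reading past the end, which is the behaviour you want from anything that sits in the data path and inspects packets.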


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be to the era of terabit Ethernet (1000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network

Network Component | Purpose
Computer | Machine that stores and processes digital information. A server stores resources or provides a service, and a client uses the service.
Network Interface Card (NIC) | Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.
Cable/Wireless | Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.
Hub | A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.
Switch | A selective hub. Network traffic only goes where it needs to, rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).
Router | A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered as private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node that can be a hub or a switch. This widely-used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.
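As an added illustration (not code from the book), the following Go program models the four topologies as graphs of hosts and cables, takes out one host, one cable or the shared conduit/hub, and measures the largest group of surviving hosts that can still talk to each other in both directions. The host names and the modelling choices are assumptions: the bus conduit and the star hub are both represented as one shared node that every host is cabled to, so in this model they reduce to the same graph, and the ring is modelled with one-way links so that a frame has to pass through every machine in turn, which is what makes a single failure break it.

```go
package main

import "fmt"

// Link is a cable; ring links are one-way (frames pass machine to machine).
type Link struct {
	A, B   string
	OneWay bool
}

// Topology: machines (Hosts), shared gear like a bus conduit or star hub (Infra), cables (Links).
type Topology struct {
	Hosts, Infra []string
	Links        []Link
}

// hubbed cables every host to one shared node (a bus conduit or a star hub).
func hubbed(centre string, hosts []string) Topology {
	t := Topology{Hosts: hosts, Infra: []string{centre}}
	for _, h := range hosts {
		t.Links = append(t.Links, Link{A: h, B: centre})
	}
	return t
}

func Bus(hosts []string) Topology  { return hubbed("conduit", hosts) }
func Star(hosts []string) Topology { return hubbed("hub", hosts) }

func Ring(hosts []string) Topology {
	t := Topology{Hosts: hosts}
	for i, h := range hosts {
		t.Links = append(t.Links, Link{A: h, B: hosts[(i+1)%len(hosts)], OneWay: true})
	}
	return t
}

func Mesh(hosts []string) Topology {
	t := Topology{Hosts: hosts}
	for i, a := range hosts {
		for _, b := range hosts[i+1:] {
			t.Links = append(t.Links, Link{A: a, B: b})
		}
	}
	return t
}

// reachable walks from start with node downNode ("" = none) and cable downLink (index, -1 = none) failed.
func (t Topology) reachable(start, downNode string, downLink int) map[string]bool {
	adj := map[string][]string{}
	for i, l := range t.Links {
		if i == downLink || l.A == downNode || l.B == downNode {
			continue
		}
		adj[l.A] = append(adj[l.A], l.B)
		if !l.OneWay {
			adj[l.B] = append(adj[l.B], l.A)
		}
	}
	seen := map[string]bool{start: true}
	for stack := []string{start}; len(stack) > 0; {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		for _, m := range adj[n] {
			if !seen[m] {
				seen[m] = true
				stack = append(stack, m)
			}
		}
	}
	return seen
}

// SurvivingGroup: largest set of surviving hosts still mutually reachable after the failure (1 = all isolated).
func (t Topology) SurvivingGroup(downNode string, downLink int) int {
	reach := map[string]map[string]bool{}
	for _, h := range t.Hosts {
		if h != downNode {
			reach[h] = t.reachable(h, downNode, downLink)
		}
	}
	best := 0
	for h, rh := range reach {
		size := 0
		for x, rx := range reach {
			if rh[x] && rx[h] {
				size++
			}
		}
		if size > best {
			best = size
		}
	}
	return best
}

func main() {
	h := []string{"a", "b", "c", "d"}
	fmt.Println("host a fails - ring:", Ring(h).SurvivingGroup("a", -1), "mesh:", Mesh(h).SurvivingGroup("a", -1))
}
```

With four hosts the numbers line up with the descriptions above: for bus and star, losing one host or one cable leaves three hosts talking, but losing the conduit or hub leaves every host on its own; for the ring, any single host or cable failure leaves every host isolated; for the mesh, losing a host leaves the other three fully connected and losing a cable loses nothing.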

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx.

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio.

Management of remote locations and users.

Capacity to share information and resources.

High availability is a systematic feature.

Designed to adapt to change and growth.

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.

Business and bandwidth-centered daily activity depend entirely on Internet Service Provider (ISP) connections.

The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid, that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or Cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet-based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site-to-site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address to connect to the VPN portal would suffice.


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.
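To show what encapsulation with encryption and integrity protection looks like in code, here is an added Go example; it is not the book's or any vendor's VPN implementation, and the tunnel format is made up for the example. It wraps a constructed inner packet in a cleartext 12-byte header (tunnel id and sequence number) followed by the inner packet encrypted with AES-GCM, with the header bound in as associated data so that tampering with either part is detected. The key, tunnel id and packet contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// headerLen: 4-byte tunnel id (like an IPsec SPI) + 8-byte sequence number.
// The 12 bytes double as the AES-GCM nonce, so they must never repeat under
// one key; the sender increments sendSeq for every packet.
const headerLen = 12

// Tunnel is one direction of the constructed tunnel: the AEAD, the tunnel
// id, the sender's sequence counter and the receiver's last accepted one.
type Tunnel struct {
	aead    cipher.AEAD
	id      uint32
	sendSeq uint64
	recvSeq uint64
}

func NewTunnel(key []byte, id uint32) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, id: id}, nil
}

// Encapsulate wraps an inner packet (e.g. a private IP datagram): cleartext
// header, then the encrypted inner packet and its authentication tag. The
// header is passed as associated data, so changes to it are detected too.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	t.sendSeq++
	hdr := make([]byte, headerLen)
	binary.BigEndian.PutUint32(hdr[0:4], t.id)
	binary.BigEndian.PutUint64(hdr[4:12], t.sendSeq)
	out := make([]byte, headerLen, headerLen+len(inner)+t.aead.Overhead())
	copy(out, hdr)
	return t.aead.Seal(out, hdr, inner, hdr)
}

// Decapsulate verifies the tag before releasing anything: a flipped bit in
// header, ciphertext or tag makes Open fail, and a replayed packet is refused
// by the sequence check (strictly increasing here; real VPNs use a window).
func (t *Tunnel) Decapsulate(outer []byte) (inner []byte, seq uint64, err error) {
	if len(outer) < headerLen+t.aead.Overhead() {
		return nil, 0, errors.New("packet too short")
	}
	hdr := outer[:headerLen]
	if binary.BigEndian.Uint32(hdr[0:4]) != t.id {
		return nil, 0, errors.New("unknown tunnel id")
	}
	inner, err = t.aead.Open(nil, hdr, outer[headerLen:], hdr)
	if err != nil {
		return nil, 0, fmt.Errorf("integrity check failed: %w", err)
	}
	seq = binary.BigEndian.Uint64(hdr[4:12])
	if seq <= t.recvSeq {
		return nil, 0, errors.New("replayed or out-of-order packet")
	}
	t.recvSeq = seq
	return inner, seq, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero key: for demonstration only
	sender, _ := NewTunnel(key, 7)
	receiver, _ := NewTunnel(key, 7)
	outer := sender.Encapsulate([]byte("constructed inner packet"))
	outer[headerLen+2] ^= 0x01 // simulate modification in transit
	_, _, err := receiver.Decapsulate(outer)
	fmt.Println("modified packet accepted:", err == nil)
}
```

On the wire an observer sees only the header and ciphertext, never the inner packet; flipping a single bit anywhere in the packet makes the receiver drop it, and resending a packet that was already accepted is also refused. Real VPN protocols add key exchange, a replay window and per-direction keys on top of this core.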

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. To keep your network secure and running with a combination of routes requires complex routing and complex load-balancing.
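The idea of using every route all the time and falling back when one fails can be sketched in code. This added Go example (not from the book or from Stonesoft) keeps a list of WAN links with weights and health state, takes a health-check result per link, and assigns each flow to a healthy link by hashing the flow's addresses and ports so that a flow stays on one link. Link names, weights, the three-failures threshold and the constructed flow keys are all assumptions made for the example; it also covers the earlier remark about keeping a second ISP for failover.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// failThreshold: consecutive failed probes before a link is taken out of service.
const failThreshold = 3

// Link is one WAN connection, e.g. an MPLS circuit or a DSL line.
type Link struct {
	Name     string
	Weight   int // share of new flows while healthy, e.g. in proportion to bandwidth
	Healthy  bool
	failures int // consecutive failed probes
}

// Selector spreads flows over every healthy link and fails over when probes
// say a link is down.
type Selector struct{ Links []Link }

func NewSelector(links ...Link) *Selector {
	for i := range links {
		links[i].Healthy = true
	}
	return &Selector{Links: links}
}

// Probe records one health-check result for a link (for instance an ICMP echo
// to the ISP gateway): failThreshold failures in a row retire the link, one
// success restores it.
func (s *Selector) Probe(name string, ok bool) {
	for i := range s.Links {
		l := &s.Links[i]
		if l.Name != name {
			continue
		}
		if ok {
			l.failures, l.Healthy = 0, true
			return
		}
		l.failures++
		if l.failures >= failThreshold {
			l.Healthy = false
		}
		return
	}
}

// Pick chooses the link for a flow key such as "src:port->dst:port". Hashing
// the key keeps a flow on one link, so NAT and stateful firewalls see both
// directions of it; weights spread flows across links; when a link goes down
// its flows re-hash onto the survivors.
func (s *Selector) Pick(flow string) (string, error) {
	total := 0
	for _, l := range s.Links {
		if l.Healthy {
			total += l.Weight
		}
	}
	if total == 0 {
		return "", errors.New("no healthy link available")
	}
	sum := sha256.Sum256([]byte(flow)) // any well-mixed hash will do
	slot := int(binary.BigEndian.Uint32(sum[:4]) % uint32(total))
	for _, l := range s.Links {
		if !l.Healthy {
			continue
		}
		if slot < l.Weight {
			return l.Name, nil
		}
		slot -= l.Weight
	}
	return "", errors.New("weights exhausted") // cannot happen after the checks above
}

// Distribute counts how n constructed flows land on the links.
func Distribute(s *Selector, n int) map[string]int {
	counts := map[string]int{}
	for i := 0; i < n; i++ {
		flow := fmt.Sprintf("10.0.0.%d:%d->192.0.2.10:443", i%250+1, 40000+i)
		if name, err := s.Pick(flow); err == nil {
			counts[name]++
		}
	}
	return counts
}

func main() {
	s := NewSelector(Link{Name: "mpls", Weight: 3}, Link{Name: "dsl", Weight: 1})
	fmt.Println("all links healthy:", Distribute(s, 1000))
	for i := 0; i < failThreshold; i++ {
		s.Probe("mpls", false)
	}
	fmt.Println("mpls down:", Distribute(s, 1000))
}
```

With a 3:1 weighting, roughly three quarters of new flows land on the MPLS link while it is healthy; after three failed probes everything moves to the DSL line, and a single successful probe brings MPLS back. The probe threshold is what keeps one lost echo from flapping the whole network between links.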

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP), Hot Standby Routing Protocol (HSRP) and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co-operate with each other. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario the trade-off between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications are amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.
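The arithmetic behind that sentence is worth keeping as a reusable check. This added Go example (not from the book) converts an availability percentage into the downtime it allows over a period and compares it with a constructed list of recorded outages, clipping any outage that overlaps the period boundary so only the part inside the period counts. The SLA figures and outage records are made up for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Outage is one recorded interruption (constructed for the example).
type Outage struct {
	Start    time.Time
	Duration time.Duration
}

// AllowedDowntime converts an availability promise such as 99 or 99.9 per
// cent into the downtime it permits over a period. Working in integer basis
// points (99.9% = 9990) keeps the arithmetic exact.
func AllowedDowntime(availabilityPercent float64, period time.Duration) time.Duration {
	bp := int64(math.Round(availabilityPercent * 100))
	return time.Duration(int64(period) / 10000 * (10000 - bp))
}

// TotalDowntime sums outages, clipping each to the period so that an outage
// straddling the boundary only counts for the part inside it.
func TotalDowntime(outages []Outage, periodStart time.Time, period time.Duration) time.Duration {
	periodEnd := periodStart.Add(period)
	var total time.Duration
	for _, o := range outages {
		start, end := o.Start, o.Start.Add(o.Duration)
		if start.Before(periodStart) {
			start = periodStart
		}
		if end.After(periodEnd) {
			end = periodEnd
		}
		if end.After(start) {
			total += end.Sub(start)
		}
	}
	return total
}

// Breached reports whether the recorded outages exceed what the SLA allows.
func Breached(availabilityPercent float64, outages []Outage, periodStart time.Time, period time.Duration) bool {
	return TotalDowntime(outages, periodStart, period) > AllowedDowntime(availabilityPercent, period)
}

func main() {
	year := 365 * 24 * time.Hour
	for _, pct := range []float64{99, 99.9, 99.99} {
		fmt.Printf("%.2f%% availability allows %v of downtime per year\n", pct, AllowedDowntime(pct, year))
	}
}
```

For a 365-day year, 99 per cent allows 87 hours 36 minutes of downtime (the "more than three days" above), 99.9 per cent allows 8 hours 45 minutes 36 seconds, and 99.99 per cent under an hour. Comparing the provider's figure with your own outage records, rather than with the percentage alone, is what tells you whether the SLA you bought is the one you are getting.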

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active set-up where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they start automatically using backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements (which are needed between two ISPs when using BGP for high availability of your Internet connection). The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, it wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive and high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical/time-sensitive applications and a better user experience.
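The following is an added example, not code from the book or from Forcepoint, that models the sample configuration above and the QoS behaviour described in Chapter 3: priority-1 SAP traffic is pinned to the MPLS link (falling back to ADSL only if MPLS is down), and priority-4 HTTP traffic prefers ADSL but may use whatever MPLS capacity SAP leaves free. The policy table, link capacities and flow demands are constructed assumptions.

```python
"""Toy model of the retail case: priority-1 SAP traffic is pinned to the MPLS
link, priority-4 HTTP traffic prefers ADSL and may soak up whatever MPLS
capacity SAP leaves free. Link capacities and flow demands are constructed
sample values, not figures from the book."""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float
    up: bool = True
    used_mbps: float = 0.0

    @property
    def free_mbps(self) -> float:
        # A link that is down offers no capacity at all.
        return max(self.capacity_mbps - self.used_mbps, 0.0) if self.up else 0.0


@dataclass
class Flow:
    app: str
    priority: int  # 1 = highest, 4 = best effort (the page's convention)
    demand_mbps: float


# Hypothetical policy table: (preferred links in order, backup links used only
# when every preferred link is down). Priority 1 is "forced on the MPLS link";
# priority 4 is "normally using ADSL + free capacity on MPLS link".
POLICY = {
    1: (["MPLS"], ["ADSL"]),
    4: (["ADSL", "MPLS"], []),
}


def place_flows(flows, links):
    """Allocate bandwidth for one scheduling interval.

    Flows are served strictly in priority order, so lower-priority traffic only
    ever gets what the higher priorities left over. Returns, per application,
    the bandwidth served on each link and any demand that had to be throttled."""
    by_name = {link.name: link for link in links}
    result = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        preferred, backup = POLICY[flow.priority]
        candidates = preferred if any(by_name[n].up for n in preferred) else backup
        remaining = flow.demand_mbps
        served = {}
        for name in candidates:
            link = by_name[name]
            take = min(remaining, link.free_mbps)
            if take > 0:
                link.used_mbps += take
                served[name] = served.get(name, 0.0) + take
                remaining -= take
            if remaining <= 0:
                break
        result[flow.app] = {"served": served, "throttled_mbps": remaining}
    return result


def simulate(sap_demand: float, http_demand: float, mpls_up: bool = True,
             mpls_cap: float = 2.0, adsl_cap: float = 8.0) -> dict:
    """Run one interval with fresh links for the two flows of the case study."""
    links = [Link("MPLS", mpls_cap, up=mpls_up), Link("ADSL", adsl_cap)]
    flows = [Flow("HTTP", 4, http_demand), Flow("SAP", 1, sap_demand)]
    return place_flows(flows, links)


if __name__ == "__main__":
    # Quiet hour: SAP needs 1.5 of the 2 Mbps MPLS link; HTTP fills ADSL,
    # spills 0.5 Mbps onto the spare MPLS capacity and is throttled for the rest.
    print(simulate(sap_demand=1.5, http_demand=9.0))
    # SAP peak: HTTP is pushed entirely onto ADSL.
    print(simulate(sap_demand=2.0, http_demand=9.0))
    # MPLS outage: SAP falls back to the ADSL link ahead of HTTP.
    print(simulate(sap_demand=1.5, http_demand=9.0, mpls_up=False))
```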

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi-link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using border gateway protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
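The following is an added example, not code from the book or from Forcepoint, of a ratio method as described above: each link's weight is its bandwidth relative to the biggest link, and new connections are spread across links in that proportion, with each connection hashed so it stays on one link. It also shows why the split is only approximate at low volume and converges at high volume. Link capacities, the connection tuples and the hash-based selection are constructed assumptions.

```python
"""Ratio-based link selection: each link's weight is its bandwidth relative to
the biggest link, and new connections are spread across links in that
proportion. Capacities and connection tuples are constructed sample values;
the selection algorithm is this example's own, not the product's."""
import hashlib
from collections import Counter


def link_ratios(capacities: dict) -> dict:
    """Compare every link to the link with the most bandwidth (ratio 1.0)."""
    biggest = max(capacities.values())
    return {name: cap / biggest for name, cap in capacities.items()}


def pick_link(conn: tuple, capacities: dict) -> str:
    """Choose a link for one new connection.

    The choice is weighted by the link ratios and keyed on a hash of the
    connection tuple, so every packet of a connection stays on the same link
    (a stateful firewall needs that) while the population of connections
    follows the capacity ratio."""
    ratios = link_ratios(capacities)
    total = sum(ratios.values())
    digest = hashlib.sha256(repr(conn).encode()).digest()
    point = int.from_bytes(digest[:8], "big") / 2 ** 64 * total  # in [0, total)
    names = sorted(ratios)
    for name in names:
        point -= ratios[name]
        if point < 0:
            return name
    return names[-1]  # only reachable through floating-point rounding


def distribute(n_conns: int, capacities: dict) -> Counter:
    """Open n constructed TCP connections and count how many land on each link."""
    counts = Counter()
    for i in range(n_conns):
        conn = ("10.0.0.%d" % (i % 250 + 1), 40000 + i, "203.0.113.10", 443, "tcp")
        counts[pick_link(conn, capacities)] += 1
    return counts


def max_deviation(n_conns: int, capacities: dict) -> float:
    """Largest gap between a link's observed share and its capacity share.

    With few connections the split is only approximate; with many it converges
    on the ratio computed from the capacities, as the page describes."""
    ratios = link_ratios(capacities)
    total = sum(ratios.values())
    counts = distribute(n_conns, capacities)
    return max(abs(counts[name] / n_conns - ratios[name] / total) for name in ratios)


# Constructed capacities in Mbps: fibre is the biggest link, so it gets ratio 1.0.
LINKS = {"fibre": 100, "lte": 50, "adsl": 20}

if __name__ == "__main__":
    print(link_ratios(LINKS))  # {'fibre': 1.0, 'lte': 0.5, 'adsl': 0.2}
    for n in (10, 100, 10000):
        print(n, dict(distribute(n, LINKS)), round(max_deviation(n, LINKS), 3))
```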

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
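The following is an added example, not code from the book or from Forcepoint, that walks through the fuzzy-logic pipeline named above (input variables, fuzzy sets, rules, output variable, de-fuzzifying) to answer "how close is this link to failing?" from probe latency and packet loss, and then steers traffic away from links whose degree of failure is too high. The membership functions, rules, thresholds and probe values are constructed assumptions.

```python
"""A small fuzzy-logic link health check: probe latency and packet loss are
turned into fuzzy sets, a few rules produce a 'degree of truth' that the link
is failing, and traffic is steered away from links above a threshold.
Membership functions, rules and thresholds are constructed for this example."""


def ramp_down(x: float, full: float, zero: float) -> float:
    """Membership 1.0 at or below `full`, 0.0 at or above `zero`, linear between."""
    if x <= full:
        return 1.0
    if x >= zero:
        return 0.0
    return (zero - x) / (zero - full)


def ramp_up(x: float, zero: float, full: float) -> float:
    """Membership 0.0 at or below `zero`, 1.0 at or above `full`, linear between."""
    return 1.0 - ramp_down(x, zero, full)


def fuzzify(latency_ms: float, loss_pct: float) -> dict:
    """Input variables -> fuzzy sets (the breakpoints are constructed; tune per link)."""
    return {
        "latency_low": ramp_down(latency_ms, 30, 80),
        "latency_medium": min(ramp_up(latency_ms, 30, 80), ramp_down(latency_ms, 120, 200)),
        "latency_high": ramp_up(latency_ms, 120, 200),
        "loss_low": ramp_down(loss_pct, 0.5, 3.0),
        "loss_high": ramp_up(loss_pct, 1.0, 5.0),
    }


def rules(m: dict) -> list:
    """Each rule pairs a firing strength with a singleton output 'closeness to
    failing' in 0..1. AND is min and OR is max, as in classic fuzzy inference."""
    return [
        (min(m["latency_low"], m["loss_low"]), 0.0),     # healthy
        (min(m["latency_medium"], m["loss_low"]), 0.4),  # degrading
        (max(m["latency_high"], m["loss_high"]), 1.0),   # failing
    ]


def failure_degree(latency_ms: float, loss_pct: float) -> float:
    """De-fuzzify: weighted average of the rule outputs by firing strength."""
    fired = rules(fuzzify(latency_ms, loss_pct))
    weight = sum(w for w, _ in fired)
    if weight == 0:
        return 1.0  # no rule fired: treat the unknown as unhealthy (fail safe)
    return sum(w * z for w, z in fired) / weight


def healthy_links(probes: dict, threshold: float = 0.6) -> list:
    """Links whose failure degree is below the threshold keep carrying traffic;
    the rest are drained so flows move to the remaining valid links."""
    return sorted(name for name, (lat, loss) in probes.items()
                  if failure_degree(lat, loss) < threshold)


if __name__ == "__main__":
    # Constructed probe results: (latency in ms, packet loss in per cent).
    probes = {"isp_a": (20, 0.1), "isp_b": (180, 3.5), "isp_c": (60, 0.2)}
    for name, (lat, loss) in probes.items():
        print(name, round(failure_degree(lat, loss), 2))
    print("carry traffic on:", healthy_links(probes))
```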

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5 Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised at how networks change and grow, and be taken unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of the links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.


Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER, THE AUTHOR, AND ANYONE ELSE INVOLVED IN PREPARING THIS WORK MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

ISBN 978-1-119-10105-5 (pbk); 978-1-119-10107-9 (ebk)

Printed and bound in Great Britain by Page Bros, Norwich

10 9 8 7 6 5 4 3 2 1


Table of Contents

Introduction 1
  About This Book 1
  Foolish Assumptions 2
  How to Use This Book 2
  Icons Used in This Book 3
  Where to Go from Here 3

Chapter 1 Understanding Next-Generation Networks 5
  Connecting the World 6
    Introducing how networks work 6
    Understanding network architectures 7
  Deploying Hybrid Networks 9
    Speeding things up 9
    Staying secure 10
    Talking about network topologies 10
    Making the case for distributed networks 12
    Keeping traffic private via VPN 13
  Finding a Way Through Routing and Load Balancing 15
    Understanding routing protocols 15
    Considering load-balancing hybrid networks 16

Chapter 2 Running Efficient Hybrid Networks 19
  Balancing Cost, Performance and Security 19
    Identifying key business principles 20
    Addressing outage with SLAs 21
  Considering Your Network Configurations 22
    Discerning critical versus non-critical applications 22
    Scaling for growth and change 23
    Firing up your firewall knowledge 24

Chapter 3 Managing Hybrid Connection Challenges 25
  Managing Network Connections for Optimal Performance 25
    Prioritizing traffic with QoS 26
    Balancing load between ISPs 26
    Activating dormant links 27
  Considering Costs 27
    Using consumer grade connections 28
    Estimating a budget 29
  Keeping Your Network Safe 29
    Preventing eavesdropping 30
    Demystifying VPN protocols 30

Chapter 4 Optimizing Hybrid Networks with Multi-Link Technology 33
  Meeting Multi-Link Technology 34
    Prioritizing links 34
    Seeing multi-link prioritization in action 34
    Aggregating links 36
    Joining together for security 37
  Load Balancing with Multi-Link 38
    Rethinking the ratio method 39
    Getting logical, though fuzzily 39
  Keeping Watch over Hybrid Networks 40
    Proving a success 40
    Solving a real-world issue 41

Chapter 5 Ten Top Tips for Managing Hybrid Connections 43
  What's the Role of the Network in My Business? 44
  What are the Connectivity Solutions Used in My Network? 44
  Do I Need a Service Level Agreement? 44
  What are the Availability Stats of My Most Important Applications? 45
  Is the Data Transmitted via My Network Secure? 45
  Am I Equipped for Increasing Volumes of Traffic? 45
  How much Time do I Spend on Configurations? 46
  Am I Always Using the Fastest Connection? 46
  Do I Sometimes Prioritize Performance over Security? 46
  Can I See All Connections Across My Network in Real-Time? 47

Introduction

Welcome to Securing Hybrid Networks For Dummies, your guide to modern network usage in large or distributed information technology (IT) environments.

The 21st century is characterized by important developments in IT that bear significant implications for business operations. Everyone wants to benefit from dynamic environments that adapt to the complex needs for exchanges between people, hardware and software. The constant business drive for lower costs everywhere affects even network connectivity. Adding security to low-cost networks tends to become an issue. Reading about network facts, signs and symptoms is a great idea if you want to understand how to manage all types of network connections securely and efficiently, which is where this book comes in.

We dissect information networks and place them in the context of a developing infrastructure where technology has a strong hand in shaping business processes. Our analysis walks you through the points to address so that core network operations don't monopolize the time that you'd most certainly rather spend on the center of interest specific to your organization.

About This Book

This book provides an overview of how to secure digital networks and takes a deep dive into complex infrastructures that deploy different methods of connectivity. We cover the basics to set the context, as well as explore the typical developments that influence the way operations are run in a secure online environment. Some useful reminders punctuate the sections to help you to keep in touch with frequently encountered acronyms and technical vocabulary.

We urge you to appropriate this book as your own. Feel free to annotate the general facts with your specific inputs, pencil in reminders to yourself about things to check on your own network or with your colleagues, and generally use the content in the richest and most interactive way possible.

Foolish Assumptions

While writing this book, we made some assumptions about you:

You're part of a large or mid-sized organization where some of or all the activity is digital.

You're familiar with IT and have some knowledge of how operations are managed in your organization.

You're interested in understanding what different options you can use to manage a growing network.

You have a proactive approach to IT and want to discover how to keep abreast of changing and disparate technologies.

How to Use This Book

We structure Securing Hybrid Networks For Dummies into five chapters that discuss general knowledge and teachings as well as more focused investigations. Here's an overview of what you can expect:

Chapter 1 Understanding Next-Generation Networks: A concise presentation of how networks are built and maintained. We describe aspects such as architecture, topology, traffic isolation and optimization, and we map them to the concept of evolved networks.

Chapter 2 Running Efficient Hybrid Networks: Starts with some background on business needs within the context of complex networks. This chapter unites insights from different sectors to provide a microscopic view of the status quo within large-network organizations.

Chapter 3 Managing Hybrid Connection Challenges: Analyzes the network management requirements that can ultimately streamline complex traffic flows, ensure the best levels of security and reduce unnecessary or hidden costs.

Chapter 4 Optimizing Hybrid Networks with Multi-Link Technology: Looks at the unique responses provided by Stonesoft Next Generation Firewall. Several real-life situations serve to illustrate how expanded network challenges were solved.

Chapter 5 Ten Top Tips for Managing Hybrid Networks: Provides practical pointers in the form of revealing questions, which you can use to assess your network needs and deploy appropriate measures in response to those needs.

Icons Used in This Book

We use the following icons to highlight key text so that you can navigate easily to the most useful information:

This icon draws your attention to top-notch advice.

Here we highlight important information for you to bear in mind.

Watch out for these potential pitfalls.

Where to Go from Here

You can use this book however you like. By all means take the traditional route and read it straight through from start to finish. Or you can skip between sections or chapters, using the headings as your guide to pinpoint the information you need. Whichever way you read it, you can't go wrong. All paths lead to the same outcome: a better grasp of how the right technology works to make large and diversified networks more agile and more secure.


Chapter 1 Understanding Next-Generation Networks

In This Chapter

Introducing networks

Growing a hybrid network

Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.


Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today, electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer operating protocol mainly used for the Internet. The four layers are Application, Host, Internet and Network. An IP address is a unique number that identifies a computer connected to a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2 we mean the Data layer.


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be to the era of terabit Ethernet (1000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1 A comparison between the OSI and TCP/IP models

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1 Elements Needed to Build a Network

Computer: Machine that stocks and processes digital information. A server stocks resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.

Switch: A selective hub. Network traffic only goes where it needs to rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access, where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node, which can be a hub or a switch. This widely used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices, and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability as a systematic feature

Design that adapts to change and growth

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.

Business and bandwidth-centered daily activity depend entirely on Internet Service Provider (ISP) connections.

The availability of WAN infrastructures is critical.

Distributed networks tend to become hybrid, that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. You can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or cable combined with MPLS and ADSL, and so on, but whatever the mix, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (which may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet-based VPN, however, aren't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site-to-site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address of the VPN portal would suffice.


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.
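To make the three points above concrete (the inner packet is wrapped in an outer frame, the frame is encrypted so a sniffer sees nothing useful, and the receiving gateway rejects anything modified in transit), here is an added example written for this page; it is not code from the book or from any VPN product. The frame layout, the fixed demo keys and the use of HMAC-SHA256 in counter mode as a stand-in stream cipher are all constructed for the illustration; real VPNs negotiate fresh keys (IKE for IPsec, the handshake for SSL VPN) and use standard ciphers such as AES-GCM.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo keys for this illustration only. A real VPN derives fresh
# per-tunnel keys from a key exchange instead of using fixed values.
DEMO_ENC_KEY = bytes(32)            # all-zero encryption key (demo)
DEMO_MAC_KEY = bytes([0x42] * 32)   # fixed integrity key (demo)

HEADER_LEN = 4 + 12   # 4-byte sequence number + 12-byte nonce
TAG_LEN = 32          # HMAC-SHA256 output


class TamperedPacket(Exception):
    """Raised by the receiving gateway when a frame fails its integrity check."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a teaching stand-in for a real stream cipher.
    Each (nonce, counter) block yields 32 keystream bytes; the nonce never repeats."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner_packet: bytes, seq: int,
                enc_key: bytes = DEMO_ENC_KEY, mac_key: bytes = DEMO_MAC_KEY) -> bytes:
    """Client side: wrap an inner packet in an outer tunnel frame.

    Constructed frame layout: seq (4) || nonce (12) || ciphertext || tag (32).
    The tag covers the header as well, so a forged sequence number is detected too.
    """
    nonce = os.urandom(12)
    header = struct.pack(">I", seq) + nonce
    ciphertext = _xor(inner_packet, _keystream(enc_key, nonce, len(inner_packet)))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decapsulate(frame: bytes,
                enc_key: bytes = DEMO_ENC_KEY, mac_key: bytes = DEMO_MAC_KEY):
    """Gateway side: verify the tag first, then strip the outer frame.

    Returns (seq, inner_packet). Any change to the frame on the wire breaks the
    tag comparison and the frame is dropped before anything is decrypted.
    """
    if len(frame) < HEADER_LEN + TAG_LEN:
        raise TamperedPacket("frame too short")
    header, ciphertext, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise TamperedPacket("integrity check failed; frame dropped")
    seq = struct.unpack(">I", header[:4])[0]
    nonce = header[4:HEADER_LEN]
    return seq, _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def tunnel_demo() -> dict:
    """Send one constructed inner packet through the tunnel and report what a
    sniffer would see, whether it round-trips, and whether tampering is caught."""
    inner = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n"  # constructed inner packet
    frame = encapsulate(inner, seq=1)

    seq, recovered = decapsulate(frame)

    tampered = bytearray(frame)
    tampered[HEADER_LEN + 4] ^= 0x01   # flip one bit inside the encrypted payload
    try:
        decapsulate(bytes(tampered))
        tamper_detected = False
    except TamperedPacket:
        tamper_detected = True

    return {
        "plaintext_visible_on_wire": inner in frame,
        "round_trip_ok": recovered == inner and seq == 1,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(tunnel_demo())
```

The sequence number is carried so that a real gateway can also discard replayed frames (IPsec keeps an anti-replay window for exactly this purpose); the demo verifies the tag and decrypts but does not implement that window.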

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load-balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link-state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. Once it's implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co-operate with each other. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.
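Whatever the protocol, the redundancy it buys comes down to one question: after any single link fails, does a route still exist? The following is an added example written for this page, not code from the book or from any router's OSPF or BGP implementation. It runs the shortest-path computation that link-state protocols perform over their topology database, recomputes after a link is removed, and lists the links whose loss would cut a site off entirely. The site, ISP and core node names and the link costs are constructed for the illustration.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Undirected weighted topology: node -> neighbour -> link cost (a link-state protocol
# would call this the interface metric). Node names and costs are constructed here.
Graph = Dict[str, Dict[str, int]]


def add_link(graph: Graph, a: str, b: str, cost: int = 1) -> None:
    graph.setdefault(a, {})[b] = cost
    graph.setdefault(b, {})[a] = cost


def shortest_path(graph: Graph, src: str, dst: str) -> Optional[List[str]]:
    """Dijkstra over the topology database; None when dst is unreachable."""
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node == dst:
            break
        for nbr, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def without_link(graph: Graph, a: str, b: str) -> Graph:
    """Copy of the topology with one link failed, the state a link-state
    protocol recomputes against after a neighbour goes down."""
    g = {node: dict(nbrs) for node, nbrs in graph.items()}
    g.get(a, {}).pop(b, None)
    g.get(b, {}).pop(a, None)
    return g


def single_points_of_failure(graph: Graph, src: str, dst: str) -> List[Tuple[str, str]]:
    """Links whose loss leaves no route from src to dst, i.e. where redundancy is missing."""
    links = {tuple(sorted((a, b))) for a in graph for b in graph[a]}
    return sorted(link for link in links
                  if shortest_path(without_link(graph, *link), src, dst) is None)


def build_demo_topology(redundant: bool) -> Graph:
    """Constructed site: HQ reaches a remote Branch through one ISP, or through two."""
    g: Graph = {}
    add_link(g, "HQ", "ISP-A", 1)
    add_link(g, "ISP-A", "Core", 1)
    add_link(g, "Core", "Branch", 1)
    if redundant:
        add_link(g, "HQ", "ISP-B", 2)    # second ISP, higher cost, used only when needed
        add_link(g, "ISP-B", "Core", 2)
    return g


if __name__ == "__main__":
    for redundant in (False, True):
        g = build_demo_topology(redundant)
        print("two ISPs" if redundant else "single ISP")
        print("  primary path:            ", shortest_path(g, "HQ", "Branch"))
        print("  after HQ-ISP-A fails:    ", shortest_path(without_link(g, "HQ", "ISP-A"), "HQ", "Branch"))
        print("  single points of failure:", single_points_of_failure(g, "HQ", "Branch"))
```

With one ISP every link is a single point of failure; adding the second ISP leaves only the Core-Branch link, which no amount of redundancy on the HQ side can fix. That is the check worth running before paying for the second circuit.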

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of the business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This trend in turn forces companies to move quickly to keep pace.

Voice and video communications: These must-have technologies, which are heavy consumers of bandwidth, are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, it allows more than three days of interruption in a single year, which can be disastrous for some activities.
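Whether a 99 per cent guarantee is actually met depends on how downtime is defined, which is the point above. As an added example written for this page (not from the book or from any provider's SLA), the Python below reads a constructed outage log for one year, converts the SLA percentage into a downtime budget, and shows that the same log passes a 99 per cent SLA when planned maintenance windows are excluded and fails it when they count as downtime. The log lines, timestamps and the planned/unplanned tag are constructed for this illustration.

```python
from datetime import datetime
from typing import List, Tuple

MINUTES_PER_YEAR = 365 * 24 * 60   # 525,600 minutes in a non-leap year

# Constructed outage records: start, end, planned|unplanned, free-text note.
DEMO_OUTAGE_LOG = [
    "2015-01-10T02:00 2015-01-10T12:00 planned   firmware upgrade window",   # 10 h
    "2015-03-14T08:30 2015-03-15T14:30 unplanned ISP fibre cut",             # 30 h
    "2015-07-22T00:00 2015-07-23T20:00 unplanned edge router failure",       # 44 h
    "2015-11-05T09:00 2015-11-05T15:00 unplanned site power outage",         #  6 h
]

Outage = Tuple[datetime, datetime, bool]   # (start, end, planned?)


def parse_outage_log(lines: List[str]) -> List[Outage]:
    """Turn constructed log lines into (start, end, planned) tuples."""
    outages = []
    for line in lines:
        start, end, kind, _note = line.split(None, 3)
        outages.append((datetime.strptime(start, "%Y-%m-%dT%H:%M"),
                        datetime.strptime(end, "%Y-%m-%dT%H:%M"),
                        kind == "planned"))
    return outages


def allowed_downtime_minutes(sla_percent: float, period_minutes: int = MINUTES_PER_YEAR) -> float:
    """Downtime budget implied by an availability percentage over the period."""
    return period_minutes * (100.0 - sla_percent) / 100.0


def downtime_minutes(outages: List[Outage], count_planned: bool) -> float:
    """Total outage minutes; planned windows count only if the SLA says they do."""
    return sum((end - start).total_seconds() / 60
               for start, end, planned in outages
               if count_planned or not planned)


def measured_availability(outages: List[Outage], period_minutes: int = MINUTES_PER_YEAR,
                          count_planned: bool = False) -> float:
    return 100.0 * (1.0 - downtime_minutes(outages, count_planned) / period_minutes)


def sla_met(outages: List[Outage], sla_percent: float,
            period_minutes: int = MINUTES_PER_YEAR, count_planned: bool = False) -> bool:
    return downtime_minutes(outages, count_planned) <= allowed_downtime_minutes(sla_percent, period_minutes)


if __name__ == "__main__":
    outages = parse_outage_log(DEMO_OUTAGE_LOG)
    for pct in (99.0, 99.9, 99.99):
        print(f"{pct}% allows {allowed_downtime_minutes(pct) / 60:.1f} hours per year")
    for count_planned in (False, True):
        label = "planned counted" if count_planned else "planned excluded"
        print(f"{label}: {measured_availability(outages, count_planned=count_planned):.3f}% "
              f"-> 99% SLA met: {sla_met(outages, 99.0, count_planned=count_planned)}")
```

The 99 per cent budget works out to 5,256 minutes, or 3.65 days, which is the "more than three days" above; at 99.9 per cent it shrinks to under nine hours, so the definition of a countable outage matters far more than the headline percentage suggests.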

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access: business needs to go on as usual. This requirement is also true for failure points; IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.



Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.
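The behaviour described above, as an added example written for this page rather than code from the book or from any firewall product: a Python simulation of a strict-priority scheduler on a link too small for the offered load, run side by side with plain first-in-first-out so the difference is visible. The traffic classes, packet sizes and the 1,000-byte-per-tick link capacity are constructed for this illustration.

```python
from collections import deque
from typing import Dict, List, Tuple

# Traffic classes in priority order (lowest number served first). Constructed policy.
PRIORITY = {"trading": 0, "voip": 1, "email": 2, "web": 3}

Packet = Tuple[int, str, int]   # (arrival_tick, traffic_class, size_bytes)

# Constructed offered load: 2,200 bytes arrive at tick 0 on a 1,000-byte-per-tick link,
# so something has to wait; QoS decides what.
DEMO_PACKETS: List[Packet] = [
    (0, "trading", 400),
    (0, "voip", 200),
    (0, "email", 600),
    (0, "web", 1000),
    (1, "trading", 300),
    (1, "web", 500),
]


def schedule(packets: List[Packet], link_capacity: int,
             prioritized: bool = True) -> Dict[str, Dict[str, int]]:
    """Simulate one link, tick by tick.

    prioritized=True:  one queue per class, drained in PRIORITY order every tick (strict priority).
    prioritized=False: a single FIFO queue, which is how a link without QoS behaves.
    Returns, per class, the bytes delivered and the worst queueing delay in ticks.
    """
    if any(size > link_capacity for _, _, size in packets):
        raise ValueError("a packet larger than the link capacity could never be sent")
    if prioritized:
        queues = {cls: deque() for cls in sorted(PRIORITY, key=PRIORITY.get)}
    else:
        queues = {"fifo": deque()}
    stats = {cls: {"delivered": 0, "max_delay": 0} for cls in PRIORITY}

    pending = sorted(packets, key=lambda p: p[0])   # stable sort keeps arrival order within a tick
    idx, tick = 0, 0
    while idx < len(pending) or any(queues.values()):
        # Enqueue everything that has arrived by this tick.
        while idx < len(pending) and pending[idx][0] <= tick:
            arrival, cls, size = pending[idx]
            queues[cls if prioritized else "fifo"].append((arrival, cls, size))
            idx += 1
        # Spend this tick's capacity, highest-priority queue first. A packet that does
        # not fit waits (no fragmentation) and blocks the rest of its own queue; lower
        # queues may still use what is left over.
        budget = link_capacity
        for queue in queues.values():
            while queue and queue[0][2] <= budget:
                arrival, cls, size = queue.popleft()
                budget -= size
                stats[cls]["delivered"] += size
                stats[cls]["max_delay"] = max(stats[cls]["max_delay"], tick - arrival)
        tick += 1
    return stats


if __name__ == "__main__":
    print("strict priority:", schedule(DEMO_PACKETS, 1000, prioritized=True))
    print("plain FIFO:     ", schedule(DEMO_PACKETS, 1000, prioritized=False))
```

With priority on, every trading packet leaves in the tick it arrived while web traffic waits two ticks; with plain FIFO the second trading packet sits behind the big web transfer and waits two ticks itself. Strict priority can starve the lowest class entirely under sustained overload, which is why production QoS usually adds minimum bandwidth guarantees or weighted queueing on top of the priority order.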

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering CostsIn general a connection between two sites or to the Internet should be always available and fast Ideally you can deliver unfailing uptime by an ISP using MPLS The downside for any business however is that MPLS is expensive and contracts can be long and binding


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work with the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status to all high-quality links. In case of congestion or failure, they start automatically using backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore as good as the correct configuration in each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)
  • IP Security (IPsec)
  • Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point-to-Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client side software.

Cloud services

In the current IT landscape more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

  • Appreciating the power of multi-link management
  • Distributing traffic for bandwidth efficiency
  • Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements (which are needed between two ISPs when using BGP for high availability for your Internet connection). The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would not have addressed the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage it wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive and high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

  • SAP traffic = Priority 1 = Forced on the MPLS link
  • HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability for them all to fail at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi-link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had their production sites in the United States, and one of their sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using border gateway protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

  • Volume of traffic is low: the ratio of actual traffic distribution is approximate.
  • Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
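To make the ratio method and the earlier SAP/HTTP sample configuration concrete, here is an added Python illustration; it is not Forcepoint's or Stonesoft's code, and the link capacities, the SAP/HTTP rule table, the per-flow hash placement and the 'queued' fallback are constructed assumptions. Placing each flow by a stable hash in proportion to link capacity shows why the realized split is only approximate for a handful of flows and approaches the capacity ratio as volume grows.

```python
"""Ratio-based multi-link selection with priority rules (constructed illustration)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    capacity_mbps: int       # nominal bandwidth; the ratio method uses this
    load_mbps: float = 0.0   # bandwidth already allocated to flows on this link

    def free_mbps(self) -> float:
        return max(self.capacity_mbps - self.load_mbps, 0.0)


@dataclass
class Rule:
    priority: int                       # 1 = highest, as in the sample configuration
    forced_link: Optional[str] = None   # link this application is pinned to
    reserved: bool = False              # lower priorities get only the spare capacity


@dataclass
class Flow:
    flow_id: str        # e.g. a 5-tuple string; hashed so a flow stays on one link
    app: str
    demand_mbps: float


# Constructed policy mirroring the chapter's sample configuration:
# SAP = priority 1, forced on MPLS; HTTP = priority 4, best effort elsewhere.
POLICY: Dict[str, Rule] = {
    "SAP": Rule(priority=1, forced_link="MPLS", reserved=True),
    "HTTP": Rule(priority=4),
}


def ratio_weights(links: List[Link]) -> Dict[str, float]:
    """Ratio method: each link's weight is its bandwidth relative to the largest link."""
    biggest = max(link.capacity_mbps for link in links)
    return {link.name: link.capacity_mbps / biggest for link in links}


def ratio_pick(flow_id: str, candidates: List[Link]) -> Link:
    """Map a flow to a candidate link in proportion to capacity, using a stable hash.

    With few flows the realised split is only approximately the capacity ratio;
    as the number of flows grows the split converges to it.
    """
    total = sum(link.capacity_mbps for link in candidates)
    point = int(hashlib.sha256(flow_id.encode()).hexdigest(), 16) % total
    running = 0
    for link in candidates:
        running += link.capacity_mbps
        if point < running:
            return link
    return candidates[-1]  # not reached: point is always below total


def select_link(flow: Flow, links: List[Link], policy: Dict[str, Rule]) -> Optional[Link]:
    """Return the link a flow is placed on, or None if it must wait (be throttled)."""
    by_name = {link.name: link for link in links}
    rule = policy[flow.app]
    if rule.forced_link:
        chosen = by_name[rule.forced_link]
    else:
        reserved = {r.forced_link for r in policy.values()
                    if r.reserved and r.priority < rule.priority}
        # A reserved link is open to lower priorities only for its spare capacity.
        candidates = [link for link in links
                      if link.name not in reserved or link.free_mbps() >= flow.demand_mbps]
        if not candidates:
            return None
        chosen = ratio_pick(flow.flow_id, candidates)
    chosen.load_mbps += flow.demand_mbps
    return chosen


def distribute(flows: List[Flow], links: List[Link], policy: Dict[str, Rule] = POLICY) -> Dict[str, int]:
    """Place every flow and count how many landed on each link (or were queued)."""
    counts = {link.name: 0 for link in links}
    counts["queued"] = 0
    for flow in flows:
        link = select_link(flow, links, policy)
        counts[link.name if link else "queued"] += 1
    return counts


def share(counts: Dict[str, int]) -> Dict[str, float]:
    """Fraction of flows per link, to compare against the capacity ratio."""
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


if __name__ == "__main__":
    links = [Link("MPLS", 2), Link("ADSL", 8)]
    # Constructed sample: four 0.5 Mbps SAP flows fill the MPLS line, then HTTP arrives.
    flows = [Flow(f"sap-{i}", "SAP", 0.5) for i in range(4)]
    flows += [Flow(f"http-{i}", "HTTP", 0.1) for i in range(100)]
    print(distribute(flows, links))   # SAP on MPLS, HTTP pushed to ADSL
```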

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

  • Traffic goes to only one ISP link even though multiple active links are available.
  • Traffic goes to a poor-quality link even though a better link is available.
  • Traffic goes to a standby link even though an active link works.
  • Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

  • How high is the load?
  • How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities to event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

  • The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.
  • The ERP system required low latency connections: an MPLS connection with a strict SLA, if possible.
  • The use of a VoIP service was desirable wherever possible to save costs.
  • Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which the MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

  • Navigating complexities
  • Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology will use to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm – until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic – in other words, taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.


Table of Contents

Introduction 1
    About This Book 1
    Foolish Assumptions 2
    How to Use This Book 2
    Icons Used in This Book 3
    Where to Go from Here 3

Chapter 1: Understanding Next-Generation Networks 5
    Connecting the World 6
        Introducing how networks work 6
        Understanding network architectures 7
    Deploying Hybrid Networks 9
        Speeding things up 9
        Staying secure 10
        Talking about network topologies 10
        Making the case for distributed networks 12
        Keeping traffic private via VPN 13
    Finding a Way Through Routing and Load Balancing 15
        Understanding routing protocols 15
        Considering load-balancing hybrid networks 16

Chapter 2: Running Efficient Hybrid Networks 19
    Balancing Cost, Performance and Security 19
        Identifying key business principles 20
        Addressing outage with SLAs 21
    Considering Your Network Configurations 22
        Discerning critical versus non-critical applications 22
        Scaling for growth and change 23
        Firing up your firewall knowledge 24

Chapter 3: Managing Hybrid Connection Challenges 25
    Managing Network Connections for Optimal Performance 25
        Prioritizing traffic with QoS 26
        Balancing load between ISPs 26
        Activating dormant links 27
    Considering Costs 27
        Using consumer grade connections 28
        Estimating a budget 29
    Keeping Your Network Safe 29
        Preventing eavesdropping 30
        Demystifying VPN protocols 30

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology 33
    Meeting Multi-Link Technology 34
        Prioritizing links 34
        Seeing multi-link prioritization in action 34
        Aggregating links 36
        Joining together for security 37
    Load Balancing with Multi-Link 38
        Rethinking the ratio method 39
        Getting logical, though fuzzily 39
    Keeping Watch over Hybrid Networks 40
        Proving a success 40
        Solving a real-world issue 41

Chapter 5: Ten Top Tips for Managing Hybrid Connections 43
    What's the Role of the Network in My Business? 44
    What are the Connectivity Solutions Used in My Network? 44
    Do I Need a Service Level Agreement? 44
    What are the Availability Stats of My Most Important Applications? 45
    Is the Data Transmitted via My Network Secure? 45
    Am I Equipped for Increasing Volumes of Traffic? 45
    How much Time do I Spend on Configurations? 46
    Am I Always Using the Fastest Connection? 46
    Do I Sometimes Prioritize Performance over Security? 46
    Can I See All Connections Across My Network in Real-Time? 47


Introduction

Welcome to Securing Hybrid Networks For Dummies, your guide to modern network usage in large or distributed information technology (IT) environments.

The 21st century is characterized by important developments in IT that bear significant implications for business operations. Everyone wants to benefit from dynamic environments that adapt to the complex needs for exchanges between people, hardware and software. The constant business drive for lower costs everywhere affects even network connectivity. Adding security to low-cost networks tends to become an issue. Reading about network facts, signs and symptoms is a great idea if you want to understand how to manage all types of network connections securely and efficiently – which is where this book comes in.

We dissect information networks and place them in the context of a developing infrastructure where technology has a strong hand in shaping business processes. Our analysis walks you through the points to address so that core network operations don't monopolize the time that you'd most certainly rather spend on the center of interest specific to your organization.

About This Book

This book provides an overview of how to secure digital networks and takes a deep dive into complex infrastructures that deploy different methods of connectivity. We cover the basics to set the context, as well as explore the typical developments that influence the way operations are run in a secure online environment. Some useful reminders punctuate the sections to help you to keep in touch with frequently encountered acronyms and technical vocabulary.

We urge you to appropriate this book as your own. Feel free to annotate the general facts with your specific inputs, pencil in reminders to yourself about things to check on your own network or with your colleagues, and generally use the content in the richest and most interactive way possible.

Foolish Assumptions

While writing this book, we made some assumptions about you:

You're part of a large or mid-sized organization where some of or all the activity is digital.

You're familiar with IT and have some knowledge of how operations are managed in your organization.

You're interested in understanding what different options you can use to manage a growing network.

You have a proactive approach to IT and want to discover how to keep abreast of changing and disparate technologies.

How to Use This Book

We structure Securing Hybrid Networks For Dummies into five chapters that discuss general knowledge and teachings as well as more focused investigations. Here's an overview of what you can expect:

Chapter 1: Understanding Next-Generation Networks. A concise presentation of how networks are built and maintained. We describe aspects such as architecture, topology, traffic isolation and optimization, and we map them to the concept of evolved networks.

Chapter 2: Running Efficient Hybrid Networks. Starts with some background on business needs within the context of complex networks. This chapter unites insights from different sectors to provide a microscopic view of the status quo within large-network organizations.

Chapter 3: Managing Hybrid Connection Challenges. Analyzes the network management requirements that can ultimately streamline complex traffic flows, ensure the best levels of security and reduce unnecessary or hidden costs.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology. Looks at the unique responses provided by Stonesoft Next Generation Firewall. Several real-life situations serve to illustrate how expanded network challenges were solved.

Chapter 5: Ten Top Tips for Managing Hybrid Networks. Provides practical pointers in the form of revealing questions, which you can use to assess your network needs and deploy appropriate measures in response to those needs.

Icons Used in This Book

We use the following icons to highlight key text so that you can navigate easily to the most useful information:

This icon draws your attention to top-notch advice.

Here we highlight important information for you to bear in mind.

Watch out for these potential pitfalls.

Where to Go from Here

You can use this book however you like. By all means take the traditional route and read it straight through from start to finish. Or you can skip between sections or chapters, using the headings as your guide to pinpoint the information you need. Whichever way you read it, you can't go wrong. All paths lead to the same outcome: a better grasp of how the right technology works to make large and diversified networks more agile and more secure.


Chapter 1

Understanding Next-Generation Networks

In This Chapter

Introducing networks

Growing a hybrid network

Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.


Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today, electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer operating protocol mainly used for the Internet. The four layers are Application, Host, Internet and Network. An IP address is a unique number that identifies a computer connected to a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2 we mean the Data layer.
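The layering described above is easiest to see on a real frame, where each header is peeled off in turn and handed to the next layer up. The decoder below is an added example and not code from the book: it builds a constructed Ethernet/IPv4/UDP frame (the MAC addresses, ports and payload are invented, and the checksums are left at zero for simplicity), then labels each header with its OSI layer and the matching TCP/IP layer. It also refuses frames whose length fields do not agree with the bytes present, which is the basic sanity check a packet-inspecting device applies before trusting any header.

```python
import struct


def build_sample_frame() -> bytes:
    """Constructed sample frame (not captured from a real network): Ethernet II, IPv4, UDP, payload."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    payload = b"hello"                                  # Layer 7: application data
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload   # UDP checksum left at 0
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,            # version 4, header length 5 * 4 bytes
                     0,               # DSCP / ECN
                     20 + len(udp),   # total length of header + payload
                     0x1234,          # identification
                     0x4000,          # flags (don't fragment) + fragment offset
                     64,              # TTL
                     17,              # protocol number 17 = UDP
                     0,               # header checksum left at 0
                     bytes([192, 0, 2, 10]),        # source, RFC 5737 documentation range
                     bytes([198, 51, 100, 20]))     # destination, RFC 5737 documentation range
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp   # 0x0800 = IPv4 ethertype


def decode_frame(frame: bytes) -> dict:
    """Strip one header per layer and record which OSI layer it belongs to.
    TCP/IP equivalents: Network = Ethernet, Internet = IPv4, Host = UDP, Application = payload."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["L2 data link (Ethernet)"] = {"dst": dst.hex(":"), "src": src.hex(":"),
                                         "ethertype": ethertype}
    if ethertype != 0x0800:                 # only IPv4 is decoded in this example
        return layers

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, saddr, daddr = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # The length fields must agree with the bytes actually present. Inconsistent lengths are the
    # classic symptom of a malformed or deliberately crafted packet, so the decoder refuses them.
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(ip):
        raise ValueError("malformed IPv4 header (version or length fields inconsistent)")
    layers["L3 network (IPv4)"] = {"src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr)),
                                   "ttl": ttl, "protocol": proto}
    if proto != 17:                         # only UDP is decoded in this example
        return layers

    udp = ip[ihl:total_len]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if ulen != len(udp):
        raise ValueError("UDP length field does not match the IP payload")
    layers["L4 transport (UDP)"] = {"src_port": sport, "dst_port": dport, "length": ulen}
    layers["L7 application payload"] = udp[8:]
    return layers


if __name__ == "__main__":
    for layer, fields in decode_frame(build_sample_frame()).items():
        print(f"{layer}: {fields}")
```

Each `struct` format string is the on-the-wire header layout in network byte order, so the same decoder works on frames read from a capture file; the lower layers never need to know what the payload is, which is exactly the separation the OSI model describes.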


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be to the era of terabit Ethernet (1000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network

Network Component: Purpose

Computer: Machine that stocks and processes digital information. A server stocks resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electro-magnetic waves are harnessed.

Hub: A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.

Switch: A selective hub. Network traffic only goes where it needs to, rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.
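The hub and switch rows of Table 1-1 carry a security consequence the table only hints at: when a hub repeats every frame out of every port, any machine plugged into it can passively read its neighbours' traffic, whereas a switch that has learned where each address lives delivers unicast frames to one port only. The simulation below is an added example, not from the book; the hosts, MAC addresses and frames are constructed. It replays the same short conversation through a hub model and a learning-switch model and counts how much of it an idle third port gets to see.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Table 1-1's hub: whatever arrives on one port is repeated out of every other port."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return sorted(self.ports - {in_port})


class LearningSwitch:
    """Table 1-1's switch: learns which port each source MAC was seen on and forwards unicast
    frames only there. Destinations it has not learned yet are flooded exactly like a hub."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}            # MAC address -> port it was last seen on

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return sorted(self.ports - {in_port})      # flood: broadcast or unknown destination
        out_port = self.mac_table[dst_mac]
        return [] if out_port == in_port else [out_port]


def frames_seen_per_port(device, frames):
    """Replay (in_port, src_mac, dst_mac) triples through a device; count frames each port receives."""
    seen = defaultdict(int)
    for in_port, src_mac, dst_mac in frames:
        for out_port in device.forward(in_port, src_mac, dst_mac):
            seen[out_port] += 1
    return dict(seen)


# Constructed traffic: host A on port 1 talks to host B on port 2. Port 3 holds an idle
# third machine that sends nothing and has no business seeing the conversation.
HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
SAMPLE_FRAMES = [
    (1, HOST_A, HOST_B),   # B not yet learned: even the switch must flood this one
    (2, HOST_B, HOST_A),   # reply; the switch learned A on port 1 from the first frame
    (1, HOST_A, HOST_B),   # from here on the switch knows both sides
    (1, HOST_A, HOST_B),
]
PORTS = [1, 2, 3]


def compare_exposure(frames=SAMPLE_FRAMES, idle_port=3):
    """How many of the frames the idle port observes on a hub versus on a learning switch."""
    return {
        "hub": frames_seen_per_port(Hub(PORTS), frames).get(idle_port, 0),
        "switch": frames_seen_per_port(LearningSwitch(PORTS), frames).get(idle_port, 0),
    }


if __name__ == "__main__":
    print(compare_exposure())    # hub: every frame reaches the idle port; switch: only the flooded one
```

The one frame the switch still leaks is the flooded first frame, sent before the switch had learned where host B was. That is why a segment's first packets, and all broadcast traffic, remain visible to every port even on switched networks, and why the book treats traffic isolation (MPLS, VPN) as a separate layer of protection rather than something the switch provides on its own.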


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; 4th generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered as private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node that can be a hub or a switch. This widely-used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.
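The four failure claims in the list above (a bus dies with its conduit, a ring dies with any device or cable, a star survives any single machine, a mesh routes around a failure) can be checked mechanically by modelling each topology as a graph and knocking out one element at a time. The script below is an added example, not code from the book. Its modelling assumptions are its own: the bus conduit and the star's central hub or switch are represented as extra nodes so that they can fail too, the ring passes data in one direction only (as the text describes), and a failure "partitions" the network when some pair of surviving hosts can no longer reach each other.

```python
from collections import defaultdict
from itertools import combinations


def build(topology, n):
    """Return (hosts, directed links) for a constructed n-host network of the given topology.
    Shared infrastructure ('conduit', 'hub') is modelled as an extra node so it can fail as well."""
    hosts = [f"h{i}" for i in range(n)]
    if topology == "bus":
        pairs = [(h, "conduit") for h in hosts]
    elif topology == "star":
        pairs = [(h, "hub") for h in hosts]
    elif topology == "mesh":
        pairs = list(combinations(hosts, 2))
    elif topology == "ring":
        # Data circulates one way round the ring, so its links are one-directional.
        return hosts, [(hosts[i], hosts[(i + 1) % n]) for i in range(n)]
    else:
        raise ValueError(f"unknown topology {topology!r}")
    return hosts, pairs + [(b, a) for a, b in pairs]       # bus, star and mesh carry traffic both ways


def all_hosts_mutually_reachable(hosts, links, dead_nodes=frozenset(), dead_cables=frozenset()):
    """True if every surviving host can reach every other surviving host over the surviving links."""
    live = [h for h in hosts if h not in dead_nodes]
    adj = defaultdict(set)
    for a, b in links:
        if a in dead_nodes or b in dead_nodes or frozenset((a, b)) in dead_cables:
            continue
        adj[a].add(b)
    for start in live:                                      # depth-first search from each host
        seen, stack = {start}, [start]
        while stack:
            for neighbour in adj[stack.pop()]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    stack.append(neighbour)
        if any(h not in seen for h in live):
            return False
    return True


def single_failure_report(topology, n=4):
    """Count the single node failures and single cable failures that partition the network."""
    hosts, links = build(topology, n)
    nodes = {x for link in links for x in link}
    cables = {frozenset(link) for link in links}
    return {
        "nodes": len(nodes),
        "cables": len(cables),
        "partitioning_node_failures": sum(
            1 for v in nodes if not all_hosts_mutually_reachable(hosts, links, dead_nodes={v})),
        "partitioning_cable_failures": sum(
            1 for c in cables if not all_hosts_mutually_reachable(hosts, links, dead_cables={c})),
    }


if __name__ == "__main__":
    for topology in ("bus", "ring", "star", "mesh"):
        print(topology, single_failure_report(topology))
```

With four hosts the report reproduces the text: the bus and the star each have exactly one node whose loss takes everything down (the conduit, the central hub), every ring element is a single point of failure, and the mesh survives any one failure at the price of six cables where the star needs four. The same function can be pointed at a real site diagram to find the single points of failure before an outage does.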

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain with a positive price/performance ratio.

Management of remote locations and users.

Capacity to share information and resources.

High availability is a systematic feature.

Designed to adapt to change and growth.

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way, and/or with a central site.

Business and bandwidth-centered daily activity depend entirely on Internet Service Provider (ISP) connections.

The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid, that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or Cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet-based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed on the VPN connection at the central site.

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an active directory, an exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a VPN connection from site-to-site would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, exchange server, active directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client side software, because the URL address to connect to the VPN portal would suffice.


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone on the path (which is as unpleasant as it sounds). Sending data through a VPN tunnel instead encapsulates, encrypts and authenticates every packet, which provides both confidentiality and integrity. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified in transit, the receiving VPN gateway detects the change, because the integrity check no longer matches, and discards them; a gateway that tracks sequence numbers also rejects captured packets that an attacker replays later.
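As an added illustration (not code from this book or from any VPN product), the following Python script models what a tunnel gateway does to a packet: it wraps the inner packet in a header carrying a tunnel identifier and a sequence number, encrypts it, and appends an integrity tag that the receiving gateway verifies before it decrypts anything. The SPI value, the keys and the sample payload are invented for the example, and the keystream is derived from HMAC-SHA256 so that the script needs only the standard library; a real tunnel would use an authenticated cipher such as AES-GCM.

```python
"""Model of a VPN tunnel packet with encryption, an integrity tag and
anti-replay checking. Added example, not IPsec/ESP and not vendor code.
The SPI value, keys and sample payload are invented."""
import hashlib
import hmac
import struct

SPI = 0x1001                      # assumed tunnel identifier (Security Parameter Index)
TAG_LEN = 16                      # truncated HMAC tag, as ESP does with HMAC-SHA-256-128
HEADER = struct.Struct("!II")     # SPI, sequence number


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Per-packet keystream from HMAC-SHA256 in counter mode.
    The (key, seq) pair must never repeat, which is why the sender
    numbers every packet and never reuses a sequence number."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!IQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(auth_key: bytes, data: bytes) -> bytes:
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:TAG_LEN]


def encapsulate(enc_key: bytes, auth_key: bytes, seq: int, inner_packet: bytes) -> bytes:
    """Sender side: header || encrypted inner packet || tag over header and ciphertext."""
    header = HEADER.pack(SPI, seq)
    keystream = _keystream(enc_key, seq, len(inner_packet))
    ciphertext = bytes(p ^ k for p, k in zip(inner_packet, keystream))
    return header + ciphertext + _tag(auth_key, header + ciphertext)


class ReceivingGateway:
    """Receiver side: check the replay window, verify the tag, then decrypt."""

    def __init__(self, enc_key: bytes, auth_key: bytes, window: int = 64):
        self.enc_key, self.auth_key, self.window = enc_key, auth_key, window
        self.highest_seq = 0
        self.seen = set()            # sequence numbers accepted inside the window

    def decapsulate(self, packet: bytes) -> bytes:
        if len(packet) < HEADER.size + TAG_LEN:
            raise ValueError("truncated packet")
        header, body, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
        spi, seq = HEADER.unpack(header)
        if spi != SPI:
            raise ValueError("unknown SPI")
        # Preliminary replay check before the (more expensive) tag verification.
        if seq <= self.highest_seq - self.window or seq in self.seen:
            raise ValueError("replayed packet")
        # Integrity: constant-time compare, and nothing is decrypted unless it passes.
        if not hmac.compare_digest(tag, _tag(self.auth_key, header + body)):
            raise ValueError("integrity check failed: packet modified in transit")
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        self.seen = {s for s in self.seen if s > self.highest_seq - self.window}
        keystream = _keystream(self.enc_key, seq, len(body))
        return bytes(c ^ k for c, k in zip(body, keystream))


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit of the packet, as an on-path attacker might."""
    data = bytearray(packet)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    enc_key, auth_key = b"\x11" * 32, b"\x22" * 32      # invented keys for the demo
    gateway = ReceivingGateway(enc_key, auth_key)
    packet = encapsulate(enc_key, auth_key, 1, b"GET /payroll HTTP/1.1")
    print("plaintext visible on the wire?", b"payroll" in packet)
    print("decrypted:", gateway.decapsulate(packet))
    modified = tamper(encapsulate(enc_key, auth_key, 2, b"GET /payroll HTTP/1.1"), HEADER.size)
    for label, bad in (("modified", modified), ("replayed", packet)):
        try:
            gateway.decapsulate(bad)
        except ValueError as err:
            print(label, "->", err)
```

The order of checks on the receiver is the point to take away: the sequence number is screened first, the tag is verified next, and only a packet that passes both is decrypted, so a modified or replayed packet never reaches the inside network.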

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to have more than just one alternative route available and to make use of all of the routes all of the time. Keeping your network secure and running over a combination of routes requires complex routing and complex load balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), plus peering arrangements with ISPs.

Border Gateway Protocol is the path-vector protocol that routes traffic between autonomous systems on the Internet. It doesn't pick the path with the fewest routers: each router chooses among the paths it has learned by policy attributes such as local preference, and then by the length of the AS path (the number of autonomous systems crossed, not the number of router hops). A route that traverses more routers can therefore still win if it crosses fewer networks or is preferred by policy.


Virtual Router Redundancy Protocol (VRRP) and HSRP protect users from the failure of their default gateway router by letting a standby router take over its address. Open Shortest Path First (OSPF) is a link-state routing protocol that protects users against link failure by recalculating paths around the failed link.

Many people regard this approach as excessively complicated and expensive because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies a corporate network to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

Multihoming with an ASN also requires both ISPs to co-operate: each must agree to peer with you and to announce your address block, and if you use address space assigned by one ISP, the other has to agree to announce a more-specific prefix out of its competitor's block. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.
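To make the selection rule concrete, here is an added Python model of the BGP best-path decision (simplified from the common vendor implementations; it is example code, not from this book or from any router). It shows a multihomed enterprise prefix reached through two ISPs: the operator's LOCAL_PREF policy decides which ISP the enterprise uses, ISP B takes over automatically when ISP A's route disappears, and, seen from the rest of the Internet, the route with the shorter AS path wins regardless of how many routers it passes through. The prefixes and AS numbers are taken from the documentation ranges.

```python
"""Simplified BGP best-path selection. Added example, not router code.
Steps modelled (in order): highest LOCAL_PREF, shortest AS_PATH, lowest
ORIGIN, lowest MED (only between routes from the same neighbouring AS),
eBGP over iBGP, lowest router ID. Weight, IGP metric and route age are
omitted. Addresses and AS numbers are from the documentation ranges."""
from dataclasses import dataclass
from functools import cmp_to_key
import ipaddress

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    as_path: tuple             # AS numbers traversed, nearest neighbour first
    local_pref: int = 100      # policy knob set by the receiving network
    origin: str = "IGP"
    med: int = 0
    learned_via: str = "ebgp"  # "ebgp" or "ibgp"
    router_id: str = "0.0.0.1"

    @property
    def neighbour_as(self):
        return self.as_path[0] if self.as_path else None


def _compare(a: BgpRoute, b: BgpRoute) -> int:
    """Negative means a is preferred over b."""
    if a.local_pref != b.local_pref:
        return b.local_pref - a.local_pref                  # higher LOCAL_PREF wins
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) - len(b.as_path)              # fewer ASes wins (not router hops)
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] - ORIGIN_RANK[b.origin]
    if a.neighbour_as == b.neighbour_as and a.med != b.med:
        return a.med - b.med                                 # lower MED wins, same neighbour only
    if a.learned_via != b.learned_via:
        return -1 if a.learned_via == "ebgp" else 1
    return int(ipaddress.ip_address(a.router_id)) - int(ipaddress.ip_address(b.router_id))


def select_best(routes) -> BgpRoute:
    """Return the best route among candidates for one prefix (next hops assumed reachable)."""
    if not routes:
        raise ValueError("no routes")
    if len({r.prefix for r in routes}) != 1:
        raise ValueError("select_best compares routes for a single prefix")
    return min(routes, key=cmp_to_key(_compare))


def enterprise_egress(isp_a_up: bool = True, isp_b_up: bool = True) -> BgpRoute:
    """Edge router of AS 64496 with default routes from two ISPs.
    LOCAL_PREF makes ISP A primary; if it withdraws, ISP B takes over automatically."""
    candidates = []
    if isp_a_up:
        candidates.append(BgpRoute("0.0.0.0/0", "198.51.100.1", (64500,), local_pref=200))
    if isp_b_up:
        candidates.append(BgpRoute("0.0.0.0/0", "192.0.2.1", (64501,), local_pref=100))
    return select_best(candidates)


def remote_view() -> BgpRoute:
    """A distant router hearing 203.0.113.0/24 (announced by AS 64496) via both ISPs.
    The path through ISP A may cross more routers; BGP only counts ASes."""
    via_a = BgpRoute("203.0.113.0/24", "10.0.0.1", (64500, 64496))
    via_b = BgpRoute("203.0.113.0/24", "10.0.0.2", (64502, 64501, 64496))
    return select_best([via_a, via_b])


if __name__ == "__main__":
    print("primary egress:", enterprise_egress().next_hop)
    print("after ISP A failure:", enterprise_egress(isp_a_up=False).next_hop)
    print("how the Internet reaches us:", remote_view().as_path)
```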

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of the business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid networkrsquos use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. In-depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing the loss of productivity caused by network problems and enhancing the security of your hybrid network.

Balancing Cost Performance and Security

Network downtime, and even excessive latency, can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because deep inspection of traffic costs firewall throughput, network administrators sometimes deactivate security functions on their firewalls in favor of increased speed.

In this scenario the trade-off between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This trend is in turn forcing companies to move quickly to keep pace.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not recur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined, for example whether scheduled maintenance windows count. Although 99 per cent uptime sounds like an excellent guarantee, it still permits about three and a half days (1 per cent of 365 days) of interruption in a single year, which can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that have no business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS link fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding further operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and still end up with a single point of failure because of one unreliable component.


Furthermore, performing an upgrade shouldn't result in sluggish access: business needs to go on as usual. This requirement is also true for failure points; IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of a fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and sends it through a secured local Internet access point at the branch) can increase flexibility in case of emergency. But you need to implement an intelligent process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, classified and controlled traffic using only IP addresses, ports, protocols and connection state. Today's firewalls have to do much more: identify users, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for remote access to the intranet and for site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and a routing table can hold only one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, as little as half of the available bandwidth is used, because the other link is mostly inactive.

The modern alternative is to use an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. An ISP can come closest to unfailing uptime with an MPLS service. The downside for any business, however, is that MPLS is expensive, and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer-grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth and availability (see Chapter 2).

Consumer-grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission, including over 4G/Long Term Evolution (LTE) wireless connections (LTE is a standard for high-speed mobile connections and the successor to UMTS). At the time of writing, consumer-grade connections can reach up to 100 Mbps, but their capacity often fluctuates and connection outages sometimes occur.

Some high-quality link providers charge their customers on the basis of traffic volume. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.

Estimating a budget

Experience shows that Internet links fail at some stage. To mitigate the risk, organizations resort to multiple link types or standby systems, which ultimately increase the complexity, and the cost, of an infrastructure.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs over MPLS is possible (MPLS works by keeping different customers' traffic streams separate), MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you remove this risk, because eavesdroppers receive only ciphertext that they can't decipher; with an authenticated protocol they also can't modify it undetected.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Sockets Layer (SSL), in practice its successor Transport Layer Security (TLS)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of the peer at the other end of the tunnel, whether a user or a gateway. Encryption hides potentially sensitive data from anyone on the path, and the integrity checks that accompany it make tampering detectable.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point-to-Point Tunneling Protocol allows remote users to access their corporate networks using Microsoft Windows platforms and other enabled systems. Users connect through their local ISP and tunnel to their corporate network over the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, its security is broken. Its usual authentication method, MS-CHAPv2, can be cracked offline from a captured handshake, and its MPPE encryption is only as strong as that authentication, so PPTP shouldn't be used for anything that needs to stay confidential.

L2TP

Layer 2 Tunneling Protocol combines the functionality of PPTP and Cisco's Layer 2 Forwarding protocol (L2F), with some additional functions, and is used by ISPs to provide VPN services over the Internet. On its own it only tunnels; it provides no encryption.

You can use L2TP in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's a very strong solution for securing VPNs.

The main drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer VPN (today built on TLS, the successor to SSL) provides excellent security for remote-access users and is easy to use; the same protocol is already heavily employed in online shopping and banking. Protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL VPN the task is made simpler via the use of a web portal. SSL VPN can also imitate the way IPsec works (full network tunnelling) via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the hours of configuring and troubleshooting that IPsec can involve. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software. The flip side is that the portal is reachable from any device, including ones you don't manage, so strong user authentication and restricting what the portal exposes matter all the more.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and to ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, no extra software and none of the peering agreements between two ISPs that BGP needs for a highly available Internet connection. The integrated Forcepoint Security Management Center provides all the configuration, and it's completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In a normal situation (enough networking capacity and no congestion), all traffic is evenly load balanced between the different network links. When network congestion occurs (during peak traffic hours), QoS takes action, either dedicating some of the network links entirely to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi‐link priorization in actionHere we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter where the main Enterprise Resource Planning system (SAP R3) was located Problems arose because SAP traffic didnrsquot always have enough bandwidth available


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was no more than the subscription fees it had already paid. In the case of an outage that wouldn't cover the production losses, so the company wanted a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization: SAP traffic always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes the use of network resources more efficient by servicing the traffic that matters most to your business first, so you don't have to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission‐critical, time‐sensitive applications and a better user experience.
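The sample configuration above can be read as a small scheduler. The following is an added example written for this page, not Forcepoint's code or configuration syntax: it models the two links and two traffic classes of the case study (MPLS and ADSL; SAP at priority 1 forced on MPLS, HTTP at priority 4 preferring ADSL but allowed to borrow spare MPLS capacity), shows HTTP being throttled off MPLS when SAP traffic needs the room, and shows SAP failing over to ADSL when MPLS goes down. Link capacities, flow names and flow sizes are constructed figures.

```python
"""QoS-driven link selection in the style of the Multi-Link case study.
Added example, not Forcepoint code: two links (MPLS, ADSL) and the two classes
of the sample configuration (SAP priority 1 forced on MPLS; HTTP priority 4
preferring ADSL, allowed to use spare MPLS). All figures are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, float]   # (flow_id, application, demand in Mbps)

@dataclass
class Link:
    name: str
    capacity_mbps: float
    up: bool = True
    flows: List[Flow] = field(default_factory=list)

    def free(self) -> float:
        if not self.up:
            return 0.0
        return self.capacity_mbps - sum(m for _, _, m in self.flows)

@dataclass(frozen=True)
class QosClass:
    priority: int                  # 1 is the highest priority
    forced_link: Optional[str]     # use only this link while it is up
    preferred_link: Optional[str]  # first choice; may overflow to other links

# The sample configuration from the case study as a policy table.
POLICY = {
    "SAP":  QosClass(priority=1, forced_link="MPLS", preferred_link=None),
    "HTTP": QosClass(priority=4, forced_link=None, preferred_link="ADSL"),
}

def priority_of(flow: Flow) -> int:
    return POLICY[flow[1]].priority

class MultiLink:
    def __init__(self, links: List[Link]):
        self.links: Dict[str, Link] = {link.name: link for link in links}
        self.throttled: List[Flow] = []   # flows currently getting no bandwidth

    def _candidates(self, qos: QosClass) -> List[str]:
        if qos.forced_link and self.links[qos.forced_link].up:
            return [qos.forced_link]   # no overflow while the forced link is up
        first = [n for n in (qos.forced_link, qos.preferred_link) if n]
        return first + [n for n in self.links if n not in first]   # the rest are backups

    def _make_room(self, link: Link, needed: float, priority: int) -> bool:
        """Throttle lower-priority flows on `link` until `needed` Mbps is free."""
        victims = sorted((f for f in link.flows if priority_of(f) > priority),
                         key=priority_of, reverse=True)
        for victim in victims:
            if link.free() >= needed:
                break
            link.flows.remove(victim)
            self.throttled.append(victim)
        return link.free() >= needed

    def _assign(self, flow: Flow) -> Optional[str]:
        _, app, mbps = flow
        qos = POLICY[app]
        for name in self._candidates(qos):
            link = self.links[name]
            if link.up and (link.free() >= mbps or self._make_room(link, mbps, qos.priority)):
                link.flows.append(flow)
                return name
        self.throttled.append(flow)
        return None

    def _reschedule(self) -> None:
        """Give throttled flows another chance on whatever capacity is left."""
        pending, self.throttled = self.throttled, []
        for flow in pending:
            self._assign(flow)

    def place(self, flow_id: str, app: str, mbps: float) -> Optional[str]:
        chosen = self._assign((flow_id, app, mbps))
        self._reschedule()
        return chosen

    def set_link_state(self, name: str, up: bool) -> None:
        link = self.links[name]
        link.up = up
        if not up:   # failover: everything on the dead link is re-placed elsewhere
            stranded, link.flows = link.flows, []
            for flow in stranded:
                self._assign(flow)
        self._reschedule()

    def placement(self) -> Dict[str, List[str]]:
        return {n: sorted(f[0] for f in l.flows) for n, l in self.links.items()}

    def throttled_ids(self) -> List[str]:
        return [f[0] for f in self.throttled]

def demo() -> MultiLink:
    """Constructed scenario: 10 Mbps MPLS, 8 Mbps ADSL, three HTTP flows then SAP."""
    ml = MultiLink([Link("MPLS", 10.0), Link("ADSL", 8.0)])
    ml.place("http1", "HTTP", 6.0)   # fits on ADSL
    ml.place("http2", "HTTP", 3.0)   # ADSL is short of room, so borrows MPLS
    ml.place("http3", "HTTP", 5.0)   # MPLS again
    ml.place("sap1", "SAP", 3.0)     # forced on MPLS; http2 is throttled to make room
    return ml

if __name__ == "__main__":
    ml = demo()
    print(ml.placement(), "throttled:", ml.throttled_ids())
    ml.set_link_state("MPLS", False)   # simulate the MPLS outage
    print(ml.placement(), "throttled:", ml.throttled_ids())
```

Running it prints the placement before and after the simulated MPLS outage. The scheduler only ever throttles flows of a lower priority than the one asking for room; two flows of the same class compete first come, first served, which is what 'lower‐priority traffic has to wait' means in practice. One deliberate simplification: when MPLS comes back, flows already on ADSL are not moved back, so a real implementation would also re‐evaluate placements when a link recovers.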

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible, provided they don't share the same physical path or upstream provider (if they do, their failures are no longer independent). Their traffic fluctuations occur randomly at different times, so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections is cheaper than an MPLS connection of the same size.

Put another way: take several low‐cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi‐Link technology combines several hybrid network connections together and makes the individual links invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections are. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Figure 4-1: Combining different links for efficient hybrid networks

Load Balancing with Multi‐Link

You may be tempted to pick links purely by response time, using whichever link returns a SYN‐ACK (synchronize‐acknowledgement) fastest. But consider a setup in which one ISP's bandwidth far exceeds that of the smaller ISPs supplementing it: a small, lightly loaded link may well return the faster SYN‐ACK, so it looks like the 'fastest' connection even though it can't carry a proportionate share of the traffic. Selection by response time alone ignores the bandwidth actually available, which is why a ratio method (distributing traffic among all the available links according to their relative capacity) is generally the preferred solution.

In this section we describe how Multi‐Link technology load‐balances network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out whether one of the links is going bad, and to move network traffic away to other valid links.

Figure 4-2: Multi‐Link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall resolves the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor‐quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐valued logic: instead of just '0' or '1', you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to questions such as:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi‐Link technology, which allows it to choose the fastest available Internet service provider line at any moment.
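To make the ratio method and the fuzzy health check concrete, here is an added example, written for this page rather than taken from Forcepoint's implementation (the book does not publish the actual membership functions or rules): capacity ratios computed against the largest link, a small fuzzy controller that turns measured utilization and packet loss into a 'degree of health' between 0 and 1, and a weighted choice of link for each new connection where the weight is the capacity ratio scaled by that health. The thresholds, rules and sample measurements are constructed assumptions.

```python
"""Ratio-based link choice scaled by a fuzzy health score.
Added example, not Forcepoint code. Thresholds, rules and sample
measurements are constructed assumptions chosen to illustrate the idea."""
import random
from collections import Counter
from typing import Dict, Tuple

# Output singletons for the three verdicts, used when de-fuzzifying.
GOOD, DEGRADED, FAILING = 1.0, 0.5, 0.0

def ramp_down(x: float, a: float, b: float) -> float:
    """Membership 1 at or below a, 0 at or above b, linear in between."""
    if x <= a:
        return 1.0
    if x >= b:
        return 0.0
    return (b - x) / (b - a)

def ramp_up(x: float, a: float, b: float) -> float:
    return 1.0 - ramp_down(x, a, b)

def link_health(load: float, loss: float) -> float:
    """Fuzzy 'degree of health' in [0, 1] from utilisation (fraction of
    capacity) and packet-loss fraction.  Fuzzification: input variables
    become memberships in the sets low/high load and none/some/heavy loss."""
    load_low = ramp_down(load, 0.5, 0.9)
    load_high = ramp_up(load, 0.5, 0.9)
    loss_none = ramp_down(loss, 0.005, 0.03)
    loss_some = min(ramp_up(loss, 0.005, 0.03), ramp_down(loss, 0.03, 0.15))
    loss_heavy = ramp_up(loss, 0.03, 0.15)
    # Rules: AND is min, OR is max.
    good = min(load_low, loss_none)        # low load AND no loss
    degraded = max(load_high, loss_some)   # high load OR some loss
    failing = loss_heavy                   # heavy loss
    total = good + degraded + failing
    if total == 0.0:
        return 0.0
    # De-fuzzify: weighted average of the output singletons.
    return (good * GOOD + degraded * DEGRADED + failing * FAILING) / total

def capacity_ratios(capacities: Dict[str, float]) -> Dict[str, float]:
    """Each link's bandwidth relative to the link with the most bandwidth."""
    biggest = max(capacities.values())
    return {name: cap / biggest for name, cap in capacities.items()}

def effective_weights(capacities: Dict[str, float],
                      metrics: Dict[str, Tuple[float, float]]) -> Dict[str, float]:
    """Capacity ratio scaled by fuzzy health; a failing link ends up at weight 0."""
    ratios = capacity_ratios(capacities)
    return {name: ratios[name] * link_health(*metrics[name]) for name in capacities}

def distribute(weights: Dict[str, float], connections: int, seed: int = 0) -> Dict[str, int]:
    """Assign new connections to links by weighted random choice."""
    names = list(weights)
    if sum(weights.values()) <= 0:
        raise RuntimeError("no usable link")
    rng = random.Random(seed)
    counts = Counter(rng.choices(names, weights=[weights[n] for n in names], k=connections))
    return {n: counts.get(n, 0) for n in names}

if __name__ == "__main__":
    # Constructed sample: three ISPs; later the smallest one starts dropping packets.
    caps = {"ISP-A": 100.0, "ISP-B": 50.0, "ISP-C": 20.0}
    healthy = {n: (0.3, 0.0) for n in caps}
    w = effective_weights(caps, healthy)
    print("weights          ", w)
    print("10 connections   ", distribute(w, 10))       # only roughly in ratio
    print("10000 connections", distribute(w, 10_000))   # close to 1 : 0.5 : 0.2
    sick = {**healthy, "ISP-C": (0.4, 0.2)}             # 20% loss on ISP-C
    print("ISP-C failing    ", distribute(effective_weights(caps, sick), 10_000))
```

The run shows the two behaviours the section describes: with ten connections the split is only roughly 1 : 0.5 : 0.2, with ten thousand it converges on the capacity ratio, and once ISP‐C's loss pushes its health to 0 it stops receiving new connections without anyone having to declare it 'down'. In a real deployment the load and loss inputs would come from per‐link probes rather than constants.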

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low‐latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible, to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later, when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5
Ten Top Tips for Managing Hybrid Connections

In This Chapter
Navigating complexities
Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today, and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or another segment, you have to define exactly what the network brings to you in terms of business value, and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of the links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Therefore take that knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow, without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network? The honest answer depends on the threat model: a backup image is a complete copy of the server's data, so what matters is whether that network is genuinely isolated and who can reach it, not just how much traffic it carries.

Skip back to Chapter 1 for the different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real‐Time?
  • EULA

Considering Costs 27
  Using consumer grade connections 28
  Estimating a budget 29
Keeping Your Network Safe 29
  Preventing eavesdropping 30
  Demystifying VPN protocols 30

Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology 33

Meeting Multi‐Link Technology 34
  Prioritizing links 34
  Seeing multi‐link prioritization in action 34
  Aggregating links 36
  Joining together for security 37
Load Balancing with Multi‐Link 38
  Rethinking the ratio method 39
  Getting logical, though fuzzily 39
Keeping Watch over Hybrid Networks 40
  Proving a success 40
  Solving a real‐world issue 41

Chapter 5: Ten Top Tips for Managing Hybrid Connections 43

What's the Role of the Network in My Business? 44
What are the Connectivity Solutions Used in My Network? 44
Do I Need a Service Level Agreement? 44
What are the Availability Stats of My Most Important Applications? 45
Is the Data Transmitted via My Network Secure? 45
Am I Equipped for Increasing Volumes of Traffic? 45
How much Time do I Spend on Configurations? 46
Am I Always Using the Fastest Connection? 46
Do I Sometimes Prioritize Performance over Security? 46
Can I See All Connections Across My Network in Real‐Time? 47


Introduction

Welcome to Securing Hybrid Networks For Dummies, your guide to modern network usage in large or distributed information technology (IT) environments.

The 21st century is characterized by important developments in IT that bear significant implications for business operations. Everyone wants to benefit from dynamic environments that adapt to the complex needs for exchanges between people, hardware and software. The constant business drive for lower costs everywhere affects even network connectivity, and adding security to low‐cost networks tends to become an issue. Reading about network facts, signs and symptoms is a great idea if you want to understand how to manage all types of network connections securely and efficiently, which is where this book comes in.

We dissect information networks and place them in the context of a developing infrastructure where technology has a strong hand in shaping business processes. Our analysis walks you through the points to address so that core network operations don't monopolize the time that you'd most certainly rather spend on the center of interest specific to your organization.

About This Book

This book provides an overview of how to secure digital networks and takes a deep dive into complex infrastructures that deploy different methods of connectivity. We cover the basics to set the context, as well as explore the typical developments that influence the way operations are run in a secure online environment. Some useful reminders punctuate the sections to help you keep in touch with frequently encountered acronyms and technical vocabulary.

We urge you to appropriate this book as your own. Feel free to annotate the general facts with your specific inputs, pencil in reminders to yourself about things to check on your own network or with your colleagues, and generally use the content in the richest and most interactive way possible.

Foolish AssumptionsWhile writing this book we made some assumptions about you

Yoursquore part of large or mid‐sized organization where some of or all the activity is digital

Yoursquore familiar with IT and have some knowledge of how operations are managed in your organization

Yoursquore interested in understanding what different options you can use to manage a growing network

You have a proactive approach to IT and want to dis-cover how to keep abreast of changing and disparate technologies

How to Use This BookWe structure Securing Hybrid Networks For Dummies into five chapters that discuss general knowledge and teachings as well as more focused investigations Herersquos an overview of what you can expect

Chapter 1: Understanding Next-Generation Networks. A concise presentation of how networks are built and maintained. We describe aspects such as architecture, topology, traffic isolation and optimization, and we map them to the concept of evolved networks.

Chapter 2: Running Efficient Hybrid Networks. Starts with some background on business needs within the context of complex networks. This chapter unites insights from different sectors to provide a microscopic view of the status quo within large-network organizations.

Chapter 3: Managing Hybrid Connection Challenges. Analyzes the network management requirements that can ultimately streamline complex traffic flows, ensure the best levels of security, and reduce unnecessary or hidden costs.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology. Looks at the unique responses provided by Stonesoft Next Generation Firewall. Several real-life situations serve to illustrate how expanded network challenges were solved.

Chapter 5: Ten Top Tips for Managing Hybrid Networks. Provides practical pointers in the form of revealing questions, which you can use to assess your network needs and deploy appropriate measures in response to those needs.

Icons Used in This Book

We use the following icons to highlight key text so that you can navigate easily to the most useful information.

This icon draws your attention to top‐notch advice

Here we highlight important information for you to bear in mind

Watch out for these potential pitfalls

Where to Go from Here

You can use this book however you like. By all means take the traditional route and read it straight through from start to finish. Or you can skip between sections or chapters, using the headings as your guide to pinpoint the information you need. Whichever way you read it, you can't go wrong. All paths lead to the same outcome: a better grasp of how the right technology works to make large and diversified networks more agile and more secure.





Chapter 1

Understanding Next-Generation Networks

In This Chapter

Introducing networks

Growing a hybrid network

Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular and briefly talk about routing and load issues You can also see this chapter as introducing you to the rest of the book in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters




Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today, electronic transmission is used for a seemingly endless number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer protocol suite that the Internet runs on. The four layers are Application, Host-to-Host (also called Transport), Internet, and Network Access (also called Link). An IP address is a number that identifies a host's interface on a network; it must be unique within that network, and globally unique for addresses reachable from the public Internet.

To remember the layers use the mnemonic Applications Have Intelligent Names

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data Link, and Physical (remember with 'All People Seem To Need Data Processing'). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2 we mean the Data Link layer, and Layer 3 means the Network layer.
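To make the layering in Figure 1-1 concrete, here is an added example (not from the book) that builds one Ethernet frame by hand and then peels it apart one layer at a time, the way a NIC, an IP stack and a TCP stack do in turn. The MAC addresses, IP addresses, ports and payload are constructed; the script runs offline. It also verifies the IPv4 header checksum before trusting anything above Layer 3, which is the first place corruption on the wire gets caught.

```python
"""Walk a constructed frame down through the layers shown in Figure 1-1.

Added example, not from the book. The frame is built by hand (MAC and IP
addresses and ports are made up), so it runs offline with no network access.
"""
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/IHL, DSCP, total len, ID, flags/frag, TTL, proto, checksum, src, dst
TCP_FMT = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; returns 0 when run over a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload):
    """Encapsulate: application payload -> TCP -> IPv4 -> Ethernet (constructed values)."""
    tcp = struct.pack(TCP_FMT, 40000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)  # SYN to port 443
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum field
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decapsulate one header per layer; returns what each layer carried."""
    out = {}
    # Layer 2 (Data Link): destination MAC, source MAC, EtherType
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    out["l2"] = {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    # Layer 3 (Network): IPv4 header, checksum verified before anything is trusted
    l3 = frame[14:]
    fields = struct.unpack(IPV4_FMT, l3[:20])
    ihl = (fields[0] & 0x0F) * 4
    if ipv4_checksum(l3[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len, ttl, proto, src_ip, dst_ip = fields[2], fields[5], fields[6], fields[8], fields[9]
    out["l3"] = {"src": ".".join(map(str, src_ip)), "dst": ".".join(map(str, dst_ip)),
                 "ttl": ttl, "proto": proto}
    if proto != 6:
        raise ValueError("not TCP")
    # Layer 4 (Transport): TCP header; the data offset says where the payload starts
    l4 = l3[ihl:total_len]
    sport, dport, _, _, off_res, flags, _, _, _ = struct.unpack(TCP_FMT, l4[:20])
    data_off = (off_res >> 4) * 4
    out["l4"] = {"sport": sport, "dport": dport, "syn": bool(flags & 0x02)}
    # Layers 5-7 (the single Application layer in TCP/IP terms): what transport delivered
    out["payload"] = l4[data_off:]
    return out


if __name__ == "__main__":
    print(parse_frame(build_frame(b"hello")))
```

Each layer only looks at its own header and hands the rest up; a switch stops after the first 14 bytes, a router after the IP header, and a firewall that inspects applications has to go all the way to the payload.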



The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to 100 gigabits per second (Gbps), the fastest standardized rate at the time of writing. Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be to the era of terabit Ethernet (1,000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmit-ted in a fixed amount of time For digital devices the band-width is usually expressed in bits or bytes per second

So you can speak of a network when two or more computers are enabled to exchange information Regardless of its size a network is always built using several different elements

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model

Table 1-1: Elements Needed to Build a Network

Computer: Machine that stores and processes digital information. A server stores resources or provides a service; a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type (twisted-pair copper, fiber optic) and carry the electrical or optical signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings, or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't receive and send at the same time (half duplex).

Switch: A selective hub. It learns which device sits behind each port and forwards network traffic only where it needs to go, rather than to every port. It can send and receive information at the same time (full duplex), so a switch is faster than a hub.

Router: A mini-computer that understands and directs network traffic by IP address. Allows different networks to communicate. Routers can be wired or wireless.




Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto ordinary copper telephone wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell-phone technology; the 4th-generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a carrier packet-forwarding technique (not a routing protocol) that is usually delivered over an access circuit such as DSL, fiber or Ethernet. It makes traffic streams more efficient by switching packets on short labels instead of looking up the full IP route at every hop. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. That isolation is logical, not cryptographic: the carrier and anyone with access to its equipment can still read the packets, which is why regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered private.

Because the label lookup happens below the IP routing layer but above the physical link, MPLS is often described as sitting between Layer 2 and Layer 3 ('Layer 2.5'). Forwarding on labels speeds up and shapes traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow For example they can use cable broadband combined with MPLS



Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal, or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets, and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next‐generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country, or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design)

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.



Star: All machines are connected to a central node that can be a hub or a switch. This widely-used topology prevents network failure if any one machine stalls, though the central node itself is a single point of failure.

Mesh: All machines are connected to each other (full mesh), or each to several others (partial mesh), allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet's backbone is a partial mesh.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.



Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and then dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices, and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability is a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi‐site information architectures

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.

Business and bandwidth‐centered daily activity depend entirely on Internet Service Provider (ISP) connections

The availability factor of WAN infrastructures is critical

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.



Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios

Remote client connections: You can set up a VPN to support protected access from home offices to the corporate network over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it grows quadratically as the organization grows: fully meshing n sites takes n(n-1)/2 lines. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.



Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers far superior reach. The reliability and performance of an Internet-based VPN, however, aren't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario

A VPN eliminates the need for organizations to rent expensive dedicated leased lines It also allows users to work from home and reduces spending on resources such as email servers file servers and so on because all these can be accessed on the VPN connection at the central site

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including Active Directory, an Exchange server, a file server, and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site-to-site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server, and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case they just require an Internet connection and configured VPN client software, enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address to connect to the VPN portal would suffice.



VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners, and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone on the path (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified in transit, the VPN gateway also detects this, because each packet carries an integrity check (a message authentication code) alongside the encryption; encryption on its own would not reveal tampering, and a sequence number lets the gateway reject replayed packets as well.
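The three properties just described (a sniffer sees nothing useful, a modified packet is rejected, a replayed packet is rejected) are easier to believe once you have watched a tunnel do them. The following is an added example, not from the book and not any vendor's VPN code; it is a toy stand-in for a protocol such as IPsec ESP. The keystream comes from HMAC-SHA256 in counter mode, integrity from a separate HMAC tag (encrypt-then-MAC), and a sequence number provides replay protection. Keys, the inner packet and the bit flip are all constructed. For real traffic use a vetted implementation (IPsec, WireGuard, TLS), not this.

```python
"""Toy VPN tunnel: encapsulate, encrypt, authenticate, then detect tampering.

Added example, not from the book and not any vendor's VPN code. It plays the
role of a protocol such as IPsec ESP: the inner packet is encrypted with a
keystream derived from HMAC-SHA256 in counter mode (a PRF-based stream
cipher), integrity comes from a separate HMAC tag (encrypt-then-MAC), and a
sequence number gives replay protection. Keys and packets are constructed.
"""
import hashlib
import hmac
import struct

ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()  # constructed demo key
MAC_KEY = hashlib.sha256(b"demo-integrity-key").digest()   # constructed demo key
TAG_LEN = 32


def keystream(key, seq, length):
    """Block i of the keystream is HMAC(key, seq || i); (key, seq) must never repeat."""
    blocks = []
    i = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, struct.pack("!IQ", seq, i), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(inner_packet, seq):
    """Tunnel packet = outer header (seq) || E(inner) || MAC(header || E(inner))."""
    header = struct.pack("!I", seq)
    body = xor_bytes(inner_packet, keystream(ENC_KEY, seq, len(inner_packet)))
    tag = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()
    return header + body + tag


class TunnelReceiver:
    """Gateway side: verify the MAC first, then the replay check, then decrypt."""

    def __init__(self):
        self.highest_seq = -1

    def decapsulate(self, wire):
        if len(wire) < 4 + TAG_LEN:
            raise ValueError("truncated tunnel packet")
        header, body, tag = wire[:4], wire[4:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: packet modified or forged")
        seq = struct.unpack("!I", header)[0]
        if seq <= self.highest_seq:
            raise ValueError("replay detected: sequence %d already accepted" % seq)
        self.highest_seq = seq
        return xor_bytes(body, keystream(ENC_KEY, seq, len(body)))


def demo():
    """Run the three cases from the text: sniffed, modified, and replayed packets."""
    inner = b"GET /payroll HTTP/1.1\r\n"  # constructed inner packet (plaintext)
    rx = TunnelReceiver()
    wire = encapsulate(inner, 1)
    results = {"sniffer_sees_plaintext": inner in wire,
               "round_trip_ok": rx.decapsulate(wire) == inner}
    tampered = bytearray(wire)
    tampered[8] ^= 0x01  # flip one bit inside the ciphertext
    try:
        rx.decapsulate(bytes(tampered))
        results["modification_detected"] = False
    except ValueError:
        results["modification_detected"] = True
    try:
        rx.decapsulate(wire)  # the same packet delivered a second time
        results["replay_detected"] = False
    except ValueError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order inside decapsulate matters: the tag is checked before anything else is parsed, so a forged or damaged packet is dropped without touching the decryption or replay state, and a constant-time comparison is used so the check itself leaks nothing about the tag.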

Finding a Way Through Routing and Load Balancing

Making sure that a network is available, and that information travels through it at a reasonable speed, is a complex mission. Roadblocks, attacks, bottlenecks, and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available, and that you make use of all of the routes all of the time, so that a failover path is known to work before you need it. To keep your network secure and running with a combination of routes requires complex routing and complex load balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol selects among routes using a multi-step decision process whose best-known step prefers the path that crosses the fewest autonomous systems (networks under a single administration) between source and destination. It counts AS hops, not individual routers, and local policy (such as LOCAL_PREF) can override the AS-path length.



Virtual Router Redundancy Protocol (VRRP) and HSRP protect users from router failure: two or more routers share one virtual gateway address, and a standby takes over if the active router dies. Open Shortest Path First (OSPF) is a link-state routing protocol that protects users against link failure by recomputing the shortest paths around the dead link.
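What 'recomputing the shortest paths around the dead link' means in practice is shown by this added example (not from the book). A small link-state database with constructed router names and costs stands in for OSPF's: every router runs the same shortest-path-first (Dijkstra) computation over the same topology, so when one link disappears they all converge on the same alternative path without anyone editing a configuration.

```python
"""Link-state routing: every router recomputes paths when a link fails.

Added example, not from the book. A small link-state database (router names
and costs are constructed) stands in for OSPF's: each router runs the same
shortest-path-first (Dijkstra) computation over the same topology, so when a
link dies they all converge on the same alternative path with no manual
reconfiguration.
"""
import heapq

# Constructed topology: (router_a, router_b, cost). HQ reaches BRANCH two ways.
LINKS = [
    ("HQ", "R1", 10), ("R1", "BRANCH", 10),   # primary path, total cost 20
    ("HQ", "R2", 20), ("R2", "BRANCH", 15),   # backup path, total cost 35
    ("R1", "R2", 5),                          # cross-link between the two paths
]


def build_lsdb(links):
    """Adjacency map; OSPF links are advertised in both directions."""
    db = {}
    for a, b, cost in links:
        db.setdefault(a, {})[b] = cost
        db.setdefault(b, {})[a] = cost
    return db


def spf(lsdb, source):
    """Dijkstra from source: {router: (total_cost, [path])}."""
    best = {source: (0, [source])}
    pq = [(0, source)]
    done = set()
    while pq:
        cost, node = heapq.heappop(pq)
        if node in done:
            continue
        done.add(node)
        for nxt, w in lsdb.get(node, {}).items():
            new_cost = cost + w
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, best[node][1] + [nxt])
                heapq.heappush(pq, (new_cost, nxt))
    return best


def fail_link(links, a, b):
    """Drop one link from the database, as a router does after missed hellos."""
    return [l for l in links if {l[0], l[1]} != {a, b}]


def route(links, src, dst):
    """(cost, path) from src to dst, or None if dst is unreachable."""
    return spf(build_lsdb(links), src).get(dst)


if __name__ == "__main__":
    print("before:", route(LINKS, "HQ", "BRANCH"))
    print("after R1-BRANCH fails:", route(fail_link(LINKS, "R1", "BRANCH"), "HQ", "BRANCH"))
```

Note that the rerouted path goes HQ, R1, R2, BRANCH (cost 30) rather than the 'obvious' backup HQ, R2, BRANCH (cost 35): link-state routing picks the cheapest surviving path, which is not always the one the network diagram suggests, and that is worth checking before you rely on it.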

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software, and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co-operate with each other. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.
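To show what the ASN is actually for, and how 'more than one way to get to the network' is chosen, here is an added example, not from the book. It reduces BGP's decision process to the steps the text touches on: a route whose AS_PATH already contains our own ASN is rejected (loop prevention, the reason every multi-homed network needs its own ASN), the shortest AS_PATH otherwise wins (counting autonomous systems, not routers), and LOCAL_PREF lets the operator override that. ASNs, prefixes and updates are constructed; 64512 to 65534 are private-use ASNs.

```python
"""BGP-style best-path choice among routes learned from several ISPs.

Added example, not from the book. BGP's real decision process has many
steps; this shows the ones the text is about: a route whose AS_PATH already
contains our own ASN is rejected (loop prevention, which is why the ASN is
needed), the shortest AS_PATH otherwise wins (counting autonomous systems,
not routers), and LOCAL_PREF lets the operator override that choice. ASNs,
prefixes and updates are constructed; 64512-65534 are private-use ASNs.
"""
OUR_ASN = 64512

# Constructed updates for one prefix, as received from three upstream ISPs.
UPDATES = [
    {"prefix": "203.0.113.0/24", "from": "ISP-A",
     "as_path": [64600, 64700], "local_pref": 100},
    {"prefix": "203.0.113.0/24", "from": "ISP-B",
     "as_path": [64650, 64710, 64700], "local_pref": 100},
    {"prefix": "203.0.113.0/24", "from": "ISP-C",          # our own ASN appears: a loop
     "as_path": [64660, OUR_ASN, 64700], "local_pref": 100},
]


def accept(update, our_asn=OUR_ASN):
    """Inbound filter: drop any path that already passed through us."""
    return our_asn not in update["as_path"]


def best_path(updates, our_asn=OUR_ASN):
    """Highest LOCAL_PREF wins; among equals, the shortest AS_PATH."""
    candidates = [u for u in updates if accept(u, our_asn)]
    if not candidates:
        return None
    return min(candidates, key=lambda u: (-u["local_pref"], len(u["as_path"])))


def withdraw(updates, isp):
    """An ISP outage shows up as a withdrawal of the routes it announced."""
    return [u for u in updates if u["from"] != isp]


def prefer(updates, isp, local_pref=200):
    """Operator policy: raise LOCAL_PREF on everything learned from one ISP."""
    return [dict(u, local_pref=local_pref) if u["from"] == isp else u for u in updates]


if __name__ == "__main__":
    print("normal:", best_path(UPDATES)["from"])
    print("ISP-A down:", best_path(withdraw(UPDATES, "ISP-A"))["from"])
    print("prefer ISP-B:", best_path(prefer(UPDATES, "ISP-B"))["from"])
```

Failover here is automatic (withdraw the route and the next best path wins), which is the payoff for the ASN and the peering arrangements; the cost is that the same machinery also lets a misconfigured neighbour steer your traffic, so inbound filters such as the loop check are not optional.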

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration, and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.




Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government, and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost Performance and Security

Network downtime (and, short of outright downtime, high latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because deep packet inspection consumes processing capacity and adds latency, network administrators sometimes deactivate security functions on their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security, and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:



Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people, and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement, and cloud applications are amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.



Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined: whether scheduled maintenance counts, how short an interruption has to be before it is ignored, and over what period the percentage is measured. Although 99 per cent uptime sounds like an excellent guarantee, it still allows about 3.65 days (5,256 minutes) of interruption in a single year, which can be disastrous for some activities.
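The point that the definition of downtime matters as much as the percentage is easiest to see with numbers. Here is an added example, not from the book, that turns an availability percentage into a yearly downtime budget and checks a constructed outage log against it under two different definitions. The outages, dates and SLA levels are made up; the result is that the same year passes one reading of a 99.4 per cent SLA and breaches another.

```python
"""Turn an SLA percentage into a downtime budget and test outages against it.

Added example, not from the book. The outage log is constructed. It shows
why the definition of downtime matters as much as the percentage: the same
year of outages passes or breaches the same SLA depending on whether
scheduled maintenance counts and whether short blips below a minimum
duration are excluded.
"""
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60   # 525,600


def downtime_budget_minutes(availability_pct, period_minutes=MINUTES_PER_YEAR):
    """Minutes of downtime an availability guarantee permits over the period."""
    return period_minutes * (100.0 - availability_pct) / 100.0


# Constructed outage log for one year: (start, end, kind).
OUTAGES = [
    (datetime(2015, 1, 10, 2, 0), datetime(2015, 1, 10, 4, 0), "maintenance"),  # 120 min, announced
    (datetime(2015, 3, 4, 9, 15), datetime(2015, 3, 4, 13, 45), "unplanned"),   # 270 min, ISP fault
    (datetime(2015, 6, 20, 14, 0), datetime(2015, 6, 20, 14, 3), "unplanned"),  # 3 min blip
    (datetime(2015, 9, 1, 8, 0), datetime(2015, 9, 3, 8, 0), "unplanned"),      # 2,880 min, fibre cut
]


def counted_downtime_minutes(outages, count_maintenance=True, min_duration_minutes=0):
    """Sum only the outages that the SLA's definition of downtime counts."""
    total = 0.0
    for start, end, kind in outages:
        minutes = (end - start).total_seconds() / 60.0
        if kind == "maintenance" and not count_maintenance:
            continue
        if minutes < min_duration_minutes:
            continue
        total += minutes
    return total


def sla_met(availability_pct, outages, count_maintenance=True, min_duration_minutes=0):
    """True if the counted downtime fits inside the budget for that availability."""
    used = counted_downtime_minutes(outages, count_maintenance, min_duration_minutes)
    return used <= downtime_budget_minutes(availability_pct)


def budget_table(levels=(99.0, 99.5, 99.9, 99.99)):
    """Availability level -> permitted downtime in days per year."""
    return {level: round(downtime_budget_minutes(level) / 1440.0, 3) for level in levels}


if __name__ == "__main__":
    print(budget_table())
    for maint in (True, False):
        print("99.4%% SLA, maintenance counts=%s: met=%s" % (maint, sla_met(99.4, OUTAGES, maint)))
```

Before signing, run your own incident history through the provider's exact definition; an SLA whose maintenance windows, minimum-outage threshold and measurement period are left vague is a guarantee only on paper.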

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email, or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup con-nections if the MPLS fails

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.

Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost‐effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest – unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.

Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active‐standby setup. With this technique the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active‐active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost‐effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work with the best‐effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high‐speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high‐speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high‐quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower‐priority traffic to cheap links and reserve high‐quality lines for high‐priority traffic only.

Figure 3-2 Managed hybrid connections especially over a large number of sites can lead to massive savings

Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status to all high‐quality links. In case of congestion or failure, they start automatically using backup high‐quality links for high‐priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high‐priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.

ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it's already heavily employed in online shopping and banking. SSL protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre‐configured client side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use‐case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.

Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running – efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren't reserved for high‐priority traffic.

Often companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or low‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it still left the problem of a single point of failure in the MPLS connection.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
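To make the sample configuration concrete, here is an added worked example (it is not code from the booklet, and not Forcepoint's or Stonesoft's implementation) that models the two rules above as a small allocator: priority-1 SAP traffic is forced onto the MPLS link, priority-4 HTTP traffic fills the ADSL link first and may borrow whatever MPLS capacity SAP leaves free, and lower-priority demand that finds no capacity is reported as throttled. The link capacities (2 Mbps MPLS, 8 Mbps ADSL) and the traffic demands are constructed for the demonstration.

```python
"""Illustrative priority-to-link allocation for a two-link hybrid WAN.

Added example, not Forcepoint or Stonesoft code. It models the sample
configuration in the text: SAP = priority 1, forced onto the MPLS link;
HTTP = priority 4, normally on ADSL plus whatever MPLS capacity is free.
Link capacities and traffic demands below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    capacity_mbps: float
    used_mbps: float = 0.0

    @property
    def free_mbps(self) -> float:
        return max(self.capacity_mbps - self.used_mbps, 0.0)


@dataclass
class TrafficClass:
    name: str
    priority: int                         # 1 = highest priority
    demand_mbps: float
    forced_link: Optional[str] = None     # may use only this link
    preferred_link: Optional[str] = None  # fill this first, then spill over


def allocate(classes: List[TrafficClass], links: List[Link]) -> Dict[str, dict]:
    """Place each class's demand on links and return the per-class placement.

    Classes are served in ascending priority number, so priority-1 traffic
    claims capacity before priority-4 traffic sees it. Demand that finds no
    capacity is reported as 'throttled_mbps' (the text's "has to wait").
    """
    by_name = {link.name: link for link in links}
    result = {}
    for tc in sorted(classes, key=lambda c: c.priority):
        if tc.forced_link:
            candidates = [by_name[tc.forced_link]]
        else:
            candidates = [by_name[tc.preferred_link]] if tc.preferred_link else []
            seen = {link.name for link in candidates}
            others = [link for link in links if link.name not in seen]
            # spill-over goes to whichever other link has the most free capacity
            candidates += sorted(others, key=lambda l: l.free_mbps, reverse=True)
        remaining = tc.demand_mbps
        placed = {}
        for link in candidates:
            take = min(remaining, link.free_mbps)
            if take > 0:
                link.used_mbps += take
                placed[link.name] = take
                remaining -= take
            if remaining <= 0:
                break
        result[tc.name] = {"placed": placed, "throttled_mbps": max(remaining, 0.0)}
    return result


def run_demo(sap_mbps: float, http_mbps: float) -> Dict[str, dict]:
    """Constructed scenario: a 2 Mbps MPLS line beside an 8 Mbps ADSL line."""
    links = [Link("MPLS", 2.0), Link("ADSL", 8.0)]
    classes = [
        TrafficClass("SAP", priority=1, demand_mbps=sap_mbps, forced_link="MPLS"),
        TrafficClass("HTTP", priority=4, demand_mbps=http_mbps, preferred_link="ADSL"),
    ]
    return allocate(classes, links)


if __name__ == "__main__":
    # Normal hours: SAP leaves 0.5 Mbps of MPLS free, which HTTP may borrow.
    print(run_demo(1.5, 8.2))
    # Peak hours: SAP fills MPLS, so HTTP gets ADSL only and the rest waits.
    print(run_demo(2.5, 8.2))
```

The two calls in the `__main__` block show the behaviour the retail case relies on: in quiet hours HTTP borrows the 0.2 Mbps it cannot fit on ADSL from the MPLS link, and at peak hours SAP takes the whole MPLS link, so HTTP is confined to ADSL and its excess is throttled rather than competing with the ERP traffic.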

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission‐critical, time‐sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability for them all to fail at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi‐link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using border gateway protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2 Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long

Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
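The following added example (not the booklet's code, and not Forcepoint's or Stonesoft's implementation, whose internals the text does not describe) ties together the two sections above, 'Rethinking the ratio method' and 'Getting logical, though fuzzily'. It computes a capacity ratio for each link against the largest link, scales that ratio by a fuzzy health score built from the two questions in the text (how high is the load, how close is the link to failing), keeps standby links idle until no active link is usable, and then distributes a batch of new connections by weighted random choice so you can see the share approach the capacity ratio as the volume grows. The membership ramps, the rule set, the health threshold `HEALTH_FLOOR`, and every link name, capacity and measurement are constructed for the demonstration.

```python
"""Illustrative ratio-based link selection with a fuzzy link-health score.

Added example, not Forcepoint's or Stonesoft's implementation. It shows the
two ideas the text describes: distributing new connections across links in
proportion to each link's capacity relative to the largest link, and using a
small fuzzy-logic step ("how high is the load?", "how close is the link to
failing?") to shift traffic away from a degrading link before it fails, while
keeping standby links idle until no active link is usable. All link names,
capacities, measurements and thresholds are constructed for the demo.
"""
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

HEALTH_FLOOR = 0.25   # constructed threshold: below this a link is 'failing'


@dataclass
class Link:
    name: str
    capacity_mbps: float
    load_pct: float          # measured utilization 0..100 (constructed sample)
    loss_pct: float          # measured packet loss 0..100 (constructed sample)
    standby: bool = False    # True = emergency-only link, e.g. satellite


def ramp(x: float, lo: float, hi: float) -> float:
    """Membership that rises linearly from 0 at `lo` to 1 at `hi`."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def fuzzy_health(link: Link) -> float:
    """Degree of truth (0..1) that the link should keep receiving new flows.

    Input variables and fuzzy sets:
      load is HIGH    : ramps from 60% to 95% utilization
      loss is FAILING : ramps from 1% to 10% packet loss
    Rules (min for AND, complement for NOT):
      R1 IF load NOT HIGH AND loss NOT FAILING THEN health GOOD (1.0)
      R2 IF load HIGH     AND loss NOT FAILING THEN health FAIR (0.5)
      R3 IF loss FAILING                       THEN health POOR (0.0)
    De-fuzzify by the weighted average of the rule strengths.
    """
    high = ramp(link.load_pct, 60, 95)
    failing = ramp(link.loss_pct, 1, 10)
    good = min(1 - high, 1 - failing)
    fair = min(high, 1 - failing)
    poor = failing
    total = good + fair + poor
    return (good * 1.0 + fair * 0.5 + poor * 0.0) / total if total else 1.0


def effective_weights(links: List[Link]) -> Dict[str, float]:
    """Capacity ratio against the largest link in the pool, scaled by health.

    The pool is the set of usable active links; only when none is usable do
    the standby links form the pool, so a standby link never carries traffic
    while an active link still works.
    """
    usable = [l for l in links if not l.standby and fuzzy_health(l) >= HEALTH_FLOOR]
    pool = usable or [l for l in links if l.standby]
    if not pool:
        return {}
    biggest = max(l.capacity_mbps for l in pool)
    return {l.name: (l.capacity_mbps / biggest) * fuzzy_health(l) for l in pool}


def distribute(links: List[Link], n_flows: int, seed: int = 1) -> Counter:
    """Assign n_flows new connections by weighted random choice (seeded)."""
    weights = effective_weights(links)
    if not weights:
        raise RuntimeError("no usable link")
    names = list(weights)
    rng = random.Random(seed)
    return Counter(rng.choices(names, weights=[weights[n] for n in names], k=n_flows))


# Constructed sample: one MPLS line, two ADSL lines (one lossy), satellite standby.
SAMPLE_LINKS = [
    Link("MPLS", 10.0, load_pct=40, loss_pct=0.0),
    Link("ADSL-1", 20.0, load_pct=70, loss_pct=0.5),
    Link("ADSL-2", 20.0, load_pct=50, loss_pct=9.0),
    Link("SAT", 2.0, load_pct=0, loss_pct=0.0, standby=True),
]


def failover_links() -> List[Link]:
    """Constructed scenario where every active link is dropping packets."""
    return [
        Link("MPLS", 10.0, load_pct=40, loss_pct=12.0),
        Link("ADSL-1", 20.0, load_pct=70, loss_pct=15.0),
        Link("SAT", 2.0, load_pct=0, loss_pct=0.0, standby=True),
    ]


if __name__ == "__main__":
    for n in (20, 10000):   # low volume: approximate; high volume: near the ratio
        print(n, dict(distribute(SAMPLE_LINKS, n)))
    print("failover", dict(distribute(failover_links(), 50)))
```

In the sample the lossy ADSL-2 link scores below `HEALTH_FLOOR` and receives no new flows even though it is nominally active, which is the 'traffic goes to a poor‐quality link' problem from the list above being avoided; the busy ADSL-1 link is kept but weighted down, the satellite link stays idle until the failover scenario removes every active link, and with 20 flows the MPLS share is only roughly its capacity ratio while with 10,000 flows it settles close to it.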

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection, and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low latency connections, ideally an MPLS connection with a strict SLA.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites)

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later, when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.
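As an added illustration of the traffic split and failover in this case study (a constructed model written for this page, not Forcepoint's Multi-Link implementation; the link names, latencies and latency bounds are assumed values): a small policy table sends ERP to the MPLS line and bulk Internet and VoIP traffic to ADSL, fails over to 3G when a link's health probe fails, and reports which applications moved, so an operator is alerted when ERP has no suitable link left rather than having it silently degraded.

```python
"""Toy model of per-application link selection with failover for a site
that has a thin MPLS line, a cheap ADSL line and a 3G wireless backup.
Constructed example, not Forcepoint's Multi-Link code; link names,
latencies and policy bounds are assumed values."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    latency_ms: int        # typical round-trip latency measured on the link
    up: bool = True        # result of the last health probe


@dataclass
class Policy:
    """What one class of traffic needs from a link."""
    max_latency_ms: Optional[int]   # hard latency bound, or None if any is fine
    preferred: List[str]            # links to try, in priority order


def make_site() -> Dict[str, Link]:
    """Fresh copy of the assumed link set at one production site."""
    return {
        "mpls": Link("mpls", latency_ms=40),
        "adsl": Link("adsl", latency_ms=90),
        "3g": Link("3g", latency_ms=150),
    }


# ERP is latency-sensitive but light, so it gets the MPLS line first and may
# spill to ADSL; VoIP and bulk web traffic go to the cheap ADSL line and fall
# back to 3G, keeping the costly MPLS line free of bulk traffic.
POLICIES: Dict[str, Policy] = {
    "erp": Policy(max_latency_ms=100, preferred=["mpls", "adsl", "3g"]),
    "voip": Policy(max_latency_ms=200, preferred=["adsl", "3g", "mpls"]),
    "web": Policy(max_latency_ms=None, preferred=["adsl", "3g"]),
}


def select_link(app: str, links: Dict[str, Link],
                policies: Dict[str, Policy] = POLICIES) -> Optional[str]:
    """Return the link that should carry `app` traffic right now.

    Walks the policy's preference list and returns the first link that is
    up and within the latency bound. Returns None when nothing qualifies;
    callers should treat that as an outage to alarm on rather than quietly
    pushing latency-sensitive traffic onto an unsuitable link.
    """
    policy = policies[app]
    for name in policy.preferred:
        link = links[name]
        if not link.up:
            continue
        if policy.max_latency_ms is not None and link.latency_ms > policy.max_latency_ms:
            continue
        return name
    return None


def route_all(links: Dict[str, Link],
              policies: Dict[str, Policy] = POLICIES) -> Dict[str, Optional[str]]:
    """Current application-to-link mapping, as a status view would show it."""
    return {app: select_link(app, links, policies) for app in policies}


def set_link_state(links: Dict[str, Link], name: str, up: bool):
    """Record a health-probe result and return the apps whose link changed,
    as {app: (old_link, new_link)}; a new_link of None means an outage."""
    before = route_all(links)
    links[name].up = up
    after = route_all(links)
    return {app: (before[app], after[app]) for app in after if before[app] != after[app]}


if __name__ == "__main__":
    site = make_site()
    print("normal:", route_all(site))
    print("adsl down:", set_link_state(site, "adsl", False))
    print("mpls down too:", set_link_state(site, "mpls", False))
```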


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities
• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value, and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised at how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband, and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup, and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How Much Time Do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real Time?
• EULA

Introduction

Welcome to Securing Hybrid Networks For Dummies, your guide to modern network usage in large or distributed information technology (IT) environments.

The 21st century is characterized by important developments in IT that bear significant implications for business operations. Everyone wants to benefit from dynamic environments that adapt to the complex needs for exchanges between people, hardware and software. The constant business drive for lower costs everywhere affects even network connectivity. Adding security to low-cost networks tends to become an issue. Reading about network facts, signs and symptoms is a great idea if you want to understand how to manage all types of network connections securely and efficiently, which is where this book comes in.

We dissect information networks and place them in the context of a developing infrastructure where technology has a strong hand in shaping business processes. Our analysis walks you through the points to address so that core network operations don't monopolize the time that you'd most certainly rather spend on the center of interest specific to your organization.

About This Book

This book provides an overview of how to secure digital networks and takes a deep dive into complex infrastructures that deploy different methods of connectivity. We cover the basics to set the context, as well as explore the typical developments that influence the way operations are run in a secure online environment. Some useful reminders punctuate the sections to help you to keep in touch with frequently encountered acronyms and technical vocabulary.

We urge you to appropriate this book as your own. Feel free to annotate the general facts with your specific inputs, pencil in reminders to yourself about things to check on your own network or with your colleagues, and generally use the content in the richest and most interactive way possible.

Foolish Assumptions

While writing this book, we made some assumptions about you:

• You're part of a large or mid-sized organization where some or all of the activity is digital.
• You're familiar with IT and have some knowledge of how operations are managed in your organization.
• You're interested in understanding what different options you can use to manage a growing network.
• You have a proactive approach to IT and want to discover how to keep abreast of changing and disparate technologies.

How to Use This Book

We structure Securing Hybrid Networks For Dummies into five chapters that discuss general knowledge and teachings as well as more focused investigations. Here's an overview of what you can expect:

• Chapter 1, Understanding Next-Generation Networks: A concise presentation of how networks are built and maintained. We describe aspects such as architecture, topology, traffic isolation and optimization, and we map them to the concept of evolved networks.
• Chapter 2, Running Efficient Hybrid Networks: Starts with some background on business needs within the context of complex networks. This chapter unites insights from different sectors to provide a microscopic view of the status quo within large-network organizations.
• Chapter 3, Managing Hybrid Connection Challenges: Analyzes the network management requirements that can ultimately streamline complex traffic flows, ensure the best levels of security and reduce unnecessary or hidden costs.
• Chapter 4, Optimizing Hybrid Networks with Multi-Link Technology: Looks at the unique responses provided by Stonesoft Next Generation Firewall. Several real-life situations serve to illustrate how expanded network challenges were solved.
• Chapter 5, Ten Top Tips for Managing Hybrid Networks: Provides practical pointers in the form of revealing questions, which you can use to assess your network needs and deploy appropriate measures in response to those needs.

Icons Used in This Book

We use the following icons to highlight key text so that you can navigate easily to the most useful information:

• This icon draws your attention to top-notch advice.
• Here we highlight important information for you to bear in mind.
• Watch out for these potential pitfalls.

Where to Go from Here

You can use this book however you like. By all means take the traditional route and read it straight through from start to finish. Or you can skip between sections or chapters, using the headings as your guide to pinpoint the information you need. Whichever way you read it, you can't go wrong. All paths lead to the same outcome: a better grasp of how the right technology works to make large and diversified networks more agile and more secure.


Chapter 1

Understanding Next-Generation Networks

In This Chapter

• Introducing networks
• Growing a hybrid network
• Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.


Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative, and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today, electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer operating protocol mainly used for the Internet. The four layers are Application, Host, Internet and Network. An IP address is a unique number that identifies a computer connected to a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2, we mean the Data layer.


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be the era of terabit Ethernet (1,000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network (network component, then its purpose)

Computer: Machine that stores and processes digital information. A server stores resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.

Switch: A selective hub. Network traffic only goes where it needs to, rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access, where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

• xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.
• Cable: These connections work by using TV channel space for data transmission.
• Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic, even over MPLS networks that are considered private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets, and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network, but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

• Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.
• Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.
• Star: All machines are connected to a central node that can be a hub or a switch. This widely used topology prevents network failure if any one machine stalls.
• Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices, and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

• Economic gain, with a positive price/performance ratio
• Management of remote locations and users
• Capacity to share information and resources
• High availability as a systematic feature
• Designed to adapt to change and growth

A common pattern emerges among enterprises with multi-site information architectures:

• Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.
• Business and bandwidth-centered daily activity depend entirely on Internet Service Provider (ISP) connections.
• The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de‐encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN‐to‐LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi‐Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet‐based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real‐world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site‐to‐site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote‐access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK‐based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client side software, because the URL address to connect to the VPN portal would suffice.


VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.

Finding a Way Through Routing and Load Balancing

Making sure that a network is available, and that information travels through it at a reasonable speed, is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available, and that you make use of all of the routes all of the time. To keep your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP), Hot Standby Routing Protocol (HSRP) and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires attaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter

Producing a smooth‐running complex network

Understanding your hybrid networkrsquos use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement and cloud applications are amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they're social networks or e‐learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access: business needs to go on as usual. This requirement is also true for failure points. IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost‐effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device, such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost‐effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best‐effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses, because they're cheap and can offer high‐speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high‐speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high‐quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower‐priority traffic to cheap links and reserve high‐quality lines for high‐priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status on all high‐quality links. In case of congestion or failure, they start automatically using the backup high‐quality links for high‐priority traffic. This approach saves costs, because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high‐priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it's already heavily employed in online shopping and banking. SSL protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user needs client software that must be installed, configured and sometimes troubleshot, with SSL the task is made simpler through a web portal. An SSL VPN can also imitate the way IPsec works, giving full network-layer access, via a lightweight client.


Using an SSL VPN lets thousands of end users reach the corporate network without administrator support and without the hours of configuring and troubleshooting that IPsec can require. End users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, with no reliance on pre-configured client-side software; the flip side is that you should decide how much access an unmanaged endpoint deserves before opening the portal to it.
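As an added example (not code from the book or from Forcepoint), here is a small lint that applies the guidance in this section to a set of tunnel definitions: PPTP is rejected outright, L2TP passes only when wrapped in IPsec, IPsec proposals are checked for legacy algorithms, and an SSL VPN portal must require TLS 1.2 or later. The Tunnel records, the 'cipher-integrity-dhgroup' proposal string format and the thresholds are this example's assumptions.

```python
"""Lint VPN tunnel definitions against the protocol guidance above.

Added example, not code from the book or from Forcepoint. The tunnel
records, the 'cipher-integrity-dhgroup' proposal string format and the
thresholds (no PPTP, L2TP only inside IPsec, no DES/3DES/MD5 or small DH
groups, TLS 1.2 minimum for SSL VPN portals) are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Tunnel:
    name: str
    protocol: str                    # "pptp", "l2tp", "ipsec" or "ssl"
    ipsec_proposal: str = ""         # e.g. "aes256-sha256-modp2048"
    wrapped_in_ipsec: bool = False   # relevant for L2TP only
    tls_min_version: str = ""        # e.g. "1.2"; relevant for SSL VPN only


# Algorithms that should not appear in a modern IPsec proposal (assumption).
WEAK_IPSEC_ALGS = {"des", "3des", "md5", "modp768", "modp1024"}
ACCEPTED_TLS = ("1.2", "1.3")


def check_proposal(t: Tunnel) -> List[str]:
    """Flag legacy algorithms in a proposal such as 'aes256-sha256-modp2048'."""
    if not t.ipsec_proposal:
        return [f"{t.name}: no IPsec proposal configured"]
    parts = t.ipsec_proposal.lower().split("-")
    weak = [p for p in parts if p in WEAK_IPSEC_ALGS]
    if weak:
        return [f"{t.name}: weak IPsec algorithms {', '.join(weak)}"]
    return []


def lint_tunnel(t: Tunnel) -> List[str]:
    """Return a list of findings; an empty list means the tunnel passes."""
    proto = t.protocol.lower()
    if proto == "pptp":
        # MS-CHAPv2 authentication and MPPE encryption have practical attacks.
        return [f"{t.name}: PPTP is not acceptable for confidentiality; "
                "migrate to IPsec or an SSL/TLS VPN"]
    if proto == "l2tp":
        if not t.wrapped_in_ipsec:
            # L2TP alone only tunnels; it neither encrypts nor authenticates.
            return [f"{t.name}: L2TP without IPsec provides no encryption or integrity"]
        return check_proposal(t)
    if proto == "ipsec":
        return check_proposal(t)
    if proto == "ssl":
        if t.tls_min_version not in ACCEPTED_TLS:
            return [f"{t.name}: SSL VPN must require TLS 1.2 or later "
                    f"(configured minimum: {t.tls_min_version or 'unset'})"]
        return []
    return [f"{t.name}: unknown VPN protocol {t.protocol!r}"]


def lint_all(tunnels) -> Dict[str, List[str]]:
    return {t.name: lint_tunnel(t) for t in tunnels}


# Constructed inventory for illustration.
SAMPLE_TUNNELS = [
    Tunnel("hq-legacy-dialin", "pptp"),
    Tunnel("branch-l2tp-plain", "l2tp"),
    Tunnel("branch-l2tp-ipsec", "l2tp", ipsec_proposal="aes256-sha256-modp2048",
           wrapped_in_ipsec=True),
    Tunnel("dc-site-to-site", "ipsec", ipsec_proposal="3des-md5-modp1024"),
    Tunnel("remote-portal-old", "ssl", tls_min_version="1.0"),
    Tunnel("remote-portal", "ssl", tls_min_version="1.2"),
]

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_TUNNELS).items():
        print(name, "OK" if not findings else findings)
```

Run it against your own inventory by building Tunnel records from your gateway's export; the proposal parser only understands the dash-separated format shown, so adapt check_proposal if your platform names algorithms differently.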

Cloud services

In the current IT landscape more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network into it, which creates a need to connect your own network to the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud provider's gateway rather than one of your own sites.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. Besides crucial features such as clustering, load balancing, QoS and evasion protection, it provides a simple and cost-effective way to create secure, high-capacity connections between sites and to ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements, unlike BGP-based high availability, which needs coordination between two ISPs. The integrated Forcepoint Security Management Center holds all the configuration, completely independent of any setup or coordination with the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In a normal situation (enough network capacity and no congestion) all traffic is load-balanced evenly between the different network links. When congestion occurs (during peak hours), QoS takes action, either dedicating some of the links entirely to high-priority traffic or guaranteeing a specific percentage of a link's capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the single point of failure of the MPLS connection in place.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. That wouldn't cover the production losses caused by an outage, so the company wanted a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load-balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization: SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
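The following is an added example, not code from the book or from Forcepoint, that turns the two-line sample policy above into a working placement algorithm: a priority-1 flow is pinned to the MPLS link and pre-empts lower-priority traffic there, while a priority-4 flow takes the ADSL link, spills into spare MPLS capacity, or waits (is throttled) until capacity frees up. The link capacities, flow rates and the POLICY table are constructed for illustration.

```python
"""Priority-driven link placement for the SAP/HTTP sample policy above.

Added example, not the book's or Forcepoint's code. The link capacities,
flow rates and the POLICY table are constructed to mirror the sample
configuration: priority 1 is pinned to the MPLS link and pre-empts
lower-priority traffic there; priority 4 normally uses the ADSL link and
may spill into spare MPLS capacity, otherwise it waits (is throttled).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    name: str
    capacity_kbps: int
    load_kbps: int = 0      # bandwidth currently committed on this link

    def free_kbps(self) -> int:
        return self.capacity_kbps - self.load_kbps


@dataclass(eq=False)     # identity semantics: two HTTP flows are distinct objects
class Flow:
    app: str
    priority: int            # 1 = highest
    rate_kbps: int
    link: Optional[str] = None   # assigned link name; None while throttled


POLICY = {
    1: {"forced": "mpls"},                           # SAP: always on MPLS
    4: {"preferred": "adsl", "overflow": ["mpls"]},  # HTTP: ADSL, then spare MPLS
}


class LinkScheduler:
    def __init__(self, links: List[Link]):
        self.links = {l.name: l for l in links}
        self.flows: List[Flow] = []

    def _assign(self, flow: Flow, link_name: str) -> None:
        self.links[link_name].load_kbps += flow.rate_kbps
        flow.link = link_name

    def _release(self, flow: Flow) -> None:
        if flow.link is not None:
            self.links[flow.link].load_kbps -= flow.rate_kbps
            flow.link = None

    def _best_effort(self, flow: Flow, exclude=()) -> bool:
        """Preferred link first, then overflow links; False means throttled."""
        rule = POLICY[flow.priority]
        for name in [rule["preferred"], *rule["overflow"]]:
            if name not in exclude and self.links[name].free_kbps() >= flow.rate_kbps:
                self._assign(flow, name)
                return True
        return False

    def place(self, flow: Flow) -> Optional[str]:
        """Place a new flow; returns the link name, or None if throttled."""
        rule = POLICY[flow.priority]
        if "forced" in rule:
            link = self.links[rule["forced"]]
            # Pre-empt the lowest-priority flows on the forced link until it fits.
            while link.free_kbps() < flow.rate_kbps:
                victims = [f for f in self.flows
                           if f.link == link.name and f.priority > flow.priority]
                if not victims:
                    raise RuntimeError(
                        f"{link.name} is saturated with priority-{flow.priority} traffic")
                victim = max(victims, key=lambda f: f.priority)
                self._release(victim)
                # Re-home the victim elsewhere; it may end up throttled.
                self._best_effort(victim, exclude=(link.name,))
            self._assign(flow, link.name)
        else:
            self._best_effort(flow)
        self.flows.append(flow)
        return flow.link

    def finish(self, flow: Flow) -> None:
        """A flow ends; throttled best-effort flows get another chance."""
        self._release(flow)
        self.flows.remove(flow)
        for f in self.flows:
            if f.link is None and "forced" not in POLICY[f.priority]:
                self._best_effort(f)

    def loads(self):
        return {name: l.load_kbps for name, l in self.links.items()}
```

The scheduler commits bandwidth per flow rather than per packet, which is the right level for reasoning about the policy; a real firewall enforces the same decisions with per-packet queuing and shaping on each link.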

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by serving the most important traffic for your business first, so you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections are. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States and one of its sales offices in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks.

About one year later, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked whether he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still functioning one Business continued without interruption

Load Balancing with Multi-Link

At times a simple 'fastest link' selection may seem like the preferred solution: send traffic to whichever ISP answers a probe first. For example, when one ISP's bandwidth far exceeds that of the smaller ISPs supplementing it, a smaller ISP may still return a faster SYN-ACK (synchronize-acknowledgement) response.

But although that link may look like the 'fastest' connection, choosing it on response time alone ignores the proportionate bandwidth available. A ratio method, whereby traffic is distributed among all the available links according to their relative capacity, takes that bandwidth into account.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2 Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, for more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which lets it choose the best-performing Internet service provider line at any given moment rather than being tied to one.
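The following is an added example, not code from the book or from Forcepoint, that puts the two ideas of this section together: the ratio method (each link weighted by its bandwidth relative to the largest link) and a fuzzy health score per link built from measured loss, latency and utilisation, combined with fuzzy AND (minimum) and used to scale the link's weight. Flows are hashed to a point on the weighted line so a given flow sticks to one link, a failed link drops out, and standby links are used only when every active link has failed. The link figures and the membership-function thresholds are this example's assumptions, not Forcepoint's rules.

```python
"""Ratio-based multi-link selection with fuzzy link-health scoring.

Added example illustrating the ratio method and fuzzy-logic health
described above; it is not the book's or Forcepoint's code. The link
figures and the membership functions (the loss, latency and utilisation
thresholds) are this example's assumptions.
"""
import hashlib
from dataclasses import dataclass

FAIL_THRESHOLD = 0.1   # health below this: treat the link as failed


@dataclass
class Link:
    name: str
    bandwidth_kbps: int
    rtt_ms: float = 20.0      # measured round-trip time to the probe target
    loss_pct: float = 0.0     # measured packet loss on the probe
    util_pct: float = 0.0     # current utilisation of the link
    standby: bool = False     # used only when every active link has failed


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def health(link: Link) -> float:
    """Fuzzy 'degree of truth' that the link is healthy, in [0, 1].

    Three membership functions (constructed thresholds):
      loss_ok:     1 at 0% loss, falling linearly to 0 at 5% loss
      latency_ok:  1 up to 100 ms RTT, falling to 0 at 500 ms
      headroom_ok: 1 up to 50% utilisation, falling to 0 at 90%
    Combined with fuzzy AND (minimum): a link is only as healthy as its
    worst measurement.
    """
    loss_ok = clamp01(1.0 - link.loss_pct / 5.0)
    latency_ok = clamp01((500.0 - link.rtt_ms) / 400.0)
    headroom_ok = clamp01((90.0 - link.util_pct) / 40.0)
    return min(loss_ok, latency_ok, headroom_ok)


def ratio_weights(links):
    """Each link's bandwidth relative to the largest link (the ratio method)."""
    top = max(l.bandwidth_kbps for l in links)
    return {l.name: l.bandwidth_kbps / top for l in links}


def usable_links(links):
    """Active links that have not failed; fall back to standby links only
    when no active link is usable."""
    active = [l for l in links if not l.standby and health(l) >= FAIL_THRESHOLD]
    if active:
        return active
    return [l for l in links if l.standby and health(l) >= FAIL_THRESHOLD]


def effective_weights(links):
    """Ratio weight scaled by health: the de-fuzzified number per link."""
    ratios = ratio_weights(links)
    return {l.name: ratios[l.name] * health(l) for l in links}


def flow_point(flow_key: str) -> float:
    """Deterministic point in [0, 1) so a flow keeps mapping to the same
    link while the link set and weights are unchanged."""
    digest = hashlib.sha256(flow_key.encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def select_link(flow_key: str, links) -> Link:
    candidates = usable_links(links)
    if not candidates:
        raise RuntimeError("no usable link: all active and standby links failed")
    weights = effective_weights(candidates)
    point = flow_point(flow_key) * sum(weights.values())
    acc = 0.0
    for link in candidates:
        acc += weights[link.name]
        if point < acc:
            return link
    return candidates[-1]   # floating-point edge case: point == total


def distribute(num_flows: int, links):
    """Share of flows landing on each link, for num_flows constructed flows."""
    counts = {l.name: 0 for l in links}
    for i in range(num_flows):
        key = f"10.0.{i // 250}.{i % 250}:{40000 + i}->203.0.113.7:443"
        counts[select_link(key, links).name] += 1
    return {name: n / num_flows for name, n in counts.items()}
```

Running distribute with a few dozen flows shows the 'low volume' case from the list above (shares only roughly match the capacity ratio); with thousands of flows the shares converge on the ratio. Degrading one link's loss or latency shrinks its share continuously before it is removed outright, which is the point of scoring health as a degree rather than as up/down.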

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce operational costs while also ensuring that connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks and can integrate with third‐party devices and event management tools

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or, if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible, to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites)

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling Although by no means exhaustive the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial educational financial or other segment you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it

You also need to grasp fully the consequences of downtime, broken connections, stealthy attacks or increasing traffic volumes. You may be surprised at how networks change and grow, and catch you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both, or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time you need enough foresight to prevent bottlenecks before they arrive Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access or that receivers didnrsquot see the information intended for them Paying attention to input from users and your environment is always wise but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex a tug‐of‐war has emerged with network administrators facing situations where advanced protection can adversely affect network performance


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network? The answer depends on whether that network is genuinely isolated: a backup image contains everything on the server, so the decision deserves a threat model rather than a reflex.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer-grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real-Time?
  • EULA

in reminders to yourself about things to check on your own network or with your colleagues, and generally use the content in the richest and most interactive way possible.

Foolish Assumptions

While writing this book we made some assumptions about you:

You're part of a large or mid-sized organization where some or all of the activity is digital.

You're familiar with IT and have some knowledge of how operations are managed in your organization.

You're interested in understanding what different options you can use to manage a growing network.

You have a proactive approach to IT and want to discover how to keep abreast of changing and disparate technologies.

How to Use This Book

We structure Securing Hybrid Networks For Dummies into five chapters that discuss general knowledge and teachings as well as more focused investigations. Here's an overview of what you can expect:

Chapter 1, Understanding Next-Generation Networks: A concise presentation of how networks are built and maintained. We describe aspects such as architecture, topology, traffic isolation and optimization, and we map them to the concept of evolved networks.

Chapter 2, Running Efficient Hybrid Networks: Starts with some background on business needs within the context of complex networks. This chapter unites insights from different sectors to provide a microscopic view of the status quo within large-network organizations.

Chapter 3, Managing Hybrid Connection Challenges: Analyzes the network management requirements that can ultimately streamline complex traffic flows, ensure the best levels of security and reduce unnecessary or hidden costs.

Chapter 4, Optimizing Hybrid Networks with Multi-Link Technology: Looks at the unique responses provided by Stonesoft Next Generation Firewall. Several real-life situations serve to illustrate how expanded network challenges were solved.

Chapter 5, Ten Top Tips for Managing Hybrid Networks: Provides practical pointers in the form of revealing questions, which you can use to assess your network needs and deploy appropriate measures in response to those needs.

Icons Used in This Book

We use the following icons to highlight key text so that you can navigate easily to the most useful information.

This icon draws your attention to top-notch advice.

Here we highlight important information for you to bear in mind.

Watch out for these potential pitfalls.

Where to Go from Here

You can use this book however you like. By all means take the traditional route and read it straight through from start to finish. Or you can skip between sections or chapters, using the headings as your guide to pinpoint the information you need. Whichever way you read it, you can't go wrong. All paths lead to the same outcome: a better grasp of how the right technology works to make large and diversified networks more agile and more secure.


Chapter 1

Understanding Next-Generation Networks

In This Chapter

Introducing networks

Growing a hybrid network

Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.

Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative, and also the largest.

Introducing how networks work

Before electrical telegraphy, people at one location could only send information to remote destinations via messengers. Today electronic transmission is used for a near-infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the four-layer protocol suite on which the Internet runs. The four layers are Application, Host-to-Host (Transport), Internet and Network Access (Link). An IP address is a number that identifies a host's interface on a network; it must be unique within that network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical seven-layer model: Application, Presentation, Session, Transport, Network, Data Link and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2 we mean the Data Link layer.

The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current (2015) maximum of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be the era of terabit Ethernet (1,000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network

Computer: Machine that stores and processes digital information. A server stores resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings, or ports) to computers in a network. A hub receives data at one port and sends it out to every connection, so every attached machine can see every other machine's traffic. It can't receive and send at the same time.

Switch: A selective hub. Network traffic only goes to the port where it needs to, rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.

Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper telephone wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell-phone technology; the 4th-generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multiprotocol Label Switching (MPLS), a forwarding technique (not a routing protocol) that carriers run over access circuits such as DSL to make traffic streams more efficient. An MPLS network isolates a customer's traffic by connecting two or more sites as if over a dedicated network cable. That isolation is logical separation, not encryption: the carrier, and anyone who compromises the carrier, can still read the traffic, which is why regulatory bodies generally recommend encrypting traffic even over MPLS networks that are considered private.

MPLS forwards packets on short labels rather than full IP routing lookups, which is why it's often described as operating at 'Layer 2.5', between the switch level (Layer 2) and the router level (Layer 3); this speeds up and shapes traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.

Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to enforce security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.

Star: All machines are connected to a central node that can be a hub or a switch. This widely used topology keeps the network running if any one machine stalls, though the central node itself is a single point of failure.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet is, at its core, a partial mesh.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.

Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and then dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability is a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site

Business and bandwidth-centered daily activity depends entirely on Internet Service Provider (ISP) connections

The availability factor of WAN infrastructures is critical

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.

Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to give home offices protected access to the corporate network over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it grows with the square of the number of sites as the organization expands. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines (n sites need n(n-1)/2 lines), and so on.

Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers far superior reach. The reliability and performance of an Internet-based VPN, however, aren't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site-to-site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, both time and human-resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case they just require an Internet connection and configured VPN client software, enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL of the VPN portal would suffice.

VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets travel in cleartext and can be sniffed and read by anyone on the path (which is as unpleasant as it sounds). Sending data via a VPN tunnel instead encapsulates and encrypts every packet, and protects each one with an integrity check. If packets sent over the tunnel are sniffed, they're unreadable; if they're modified, the VPN gateway detects the change and discards them.
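To make the encapsulation and tamper detection concrete, here is an added example written for this edition (not code from the book or from any Stonesoft product): a minimal tunnel framing in Python in which each inner packet gets a header, a sequence number and an HMAC tag, and the receiving gateway rejects modified and replayed frames using an anti-replay window of the kind IPsec ESP uses. It assumes a key shared out of band (a real VPN negotiates one with IKE), and it leaves out encryption, because Python's standard library has no authenticated cipher; a real tunnel would encrypt the payload with something like AES-GCM before tagging it.

```python
import hashlib
import hmac
import struct

# Tunnel header: version (1 byte), sequence number (4 bytes), payload length (2 bytes).
HEADER = struct.Struct("!BIH")
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class TunnelGateway:
    """One end of a tunnel: encapsulates outbound packets, verifies inbound ones.

    The key is assumed to have been agreed out of band (a real VPN negotiates it
    with a key-exchange protocol such as IKE); the demo key below is constructed.
    """

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window      # size of the anti-replay window
        self.send_seq = 0         # last sequence number we sent
        self.highest = 0          # highest sequence number accepted so far
        self.seen = set()         # accepted sequence numbers inside the window

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def encapsulate(self, inner: bytes) -> bytes:
        """Wrap an inner packet: header + payload + authentication tag."""
        self.send_seq += 1
        body = HEADER.pack(1, self.send_seq, len(inner)) + inner
        return body + self._tag(body)

    def decapsulate(self, frame: bytes) -> bytes:
        """Return the inner packet, or raise ValueError for a bad frame."""
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        version, seq, length = HEADER.unpack_from(body)
        if version != 1 or len(body) != HEADER.size + length:
            raise ValueError("malformed header")
        # Anti-replay check first (cheap); the window is advanced only after
        # the tag verifies, so forged sequence numbers cannot poison it.
        if seq <= self.highest - self.window or seq in self.seen:
            raise ValueError("replayed or stale frame")
        if not hmac.compare_digest(self._tag(body), tag):
            raise ValueError("integrity check failed: frame modified in transit")
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return body[HEADER.size:]


def simulate() -> dict:
    """Constructed scenario: a valid frame, a replay of it, and a tampered copy."""
    key = b"constructed-demo-key-not-for-real-use"
    site_a, site_b = TunnelGateway(key), TunnelGateway(key)
    inner = b"constructed inner packet: GET /payroll HTTP/1.1"
    frame = site_a.encapsulate(inner)
    results = {"delivered": site_b.decapsulate(frame) == inner}
    try:
        site_b.decapsulate(frame)          # an attacker replays the captured frame
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    tampered = bytearray(site_a.encapsulate(inner))
    tampered[HEADER.size] ^= 0x01          # flip one bit of the payload in transit
    try:
        site_b.decapsulate(bytes(tampered))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(simulate())
```

The order of checks matters: the sequence number is tested before the tag is verified (so a flood of replays costs no HMAC work), but the window is updated only after verification, so an attacker cannot advance it with forged frames and lock out legitimate traffic.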

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available, and that you make use of all of the routes all of the time. To keep your network secure and running with a combination of routes requires complex routing and complex load-balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), and peering arrangements with ISPs.

Border Gateway Protocol is the path-vector protocol that routes traffic between the autonomous systems that make up the Internet. Among otherwise equal routes it prefers the one with the shortest AS path, measured in autonomous systems (networks) traversed rather than in router hops, and operators override that choice with local policy.

Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link-state routing protocol that reroutes around link failures inside a network.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs; and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN) from a regional Internet registry. Basically, this number is a unique ID that identifies the corporate network to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But multihoming with an ASN requires both ISPs to co-operate: each has to peer with the company and accept and advertise its prefixes. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.
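The following added example (written for this edition, not taken from the book or from any vendor's software) shows what a dual-homed edge router does with the routes two ISPs advertise for the same prefix. It models the first steps of BGP best-path selection, going a little beyond the text: the comparison is on AS_PATH length (autonomous systems, not router hops), a local-preference policy can override it, a withdrawn route moves traffic to the surviving ISP, and a path already containing the site's own ASN is discarded as a loop. The AS numbers, prefixes and next hops are constructed from documentation and private-use ranges; the multi-exit discriminator step is deliberately omitted.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One BGP route to a prefix as learned from a neighbour (constructed data)."""
    prefix: str
    next_hop: str
    as_path: tuple               # AS numbers traversed to reach the prefix, nearest first
    local_pref: int = 100        # set by our own import policy; higher wins
    origin: int = 0              # 0 = IGP, 1 = EGP, 2 = INCOMPLETE; lower wins
    router_id: str = "0.0.0.0"   # final tie-break; lower wins


def rank(route: Route) -> tuple:
    """Sort key for the first steps of BGP best-path selection (RFC 4271, 9.1.2.2).

    MED is left out: it is only comparable between routes from the same
    neighbouring AS. Path length counts autonomous systems, not router hops.
    """
    return (-route.local_pref, len(route.as_path), route.origin,
            tuple(int(octet) for octet in route.router_id.split(".")))


class EdgeRouter:
    """Edge router of a dual-homed site holding the routes each ISP advertised."""

    def __init__(self, my_asn: int):
        self.my_asn = my_asn
        self.adj_rib_in = {}     # (neighbour, prefix) -> Route

    def update(self, neighbour: str, route: Route,
               local_pref: Optional[int] = None) -> None:
        # Loop prevention: an AS_PATH that already contains our own AS is discarded.
        if self.my_asn in route.as_path:
            return
        if local_pref is not None:   # import policy: override the preference
            route = Route(route.prefix, route.next_hop, route.as_path,
                          local_pref, route.origin, route.router_id)
        self.adj_rib_in[(neighbour, route.prefix)] = route

    def withdraw(self, neighbour: str, prefix: str) -> None:
        self.adj_rib_in.pop((neighbour, prefix), None)

    def best(self, prefix: str) -> Optional[Route]:
        candidates = [r for (_, p), r in self.adj_rib_in.items() if p == prefix]
        return min(candidates, key=rank) if candidates else None


def scenario() -> list:
    """Constructed site in AS 64496 reaching 203.0.113.0/24 through two ISPs."""
    router = EdgeRouter(my_asn=64496)
    prefix = "203.0.113.0/24"
    via_a = Route(prefix, "192.0.2.1", (64501, 64510), router_id="192.0.2.1")
    via_b = Route(prefix, "198.51.100.1", (64502, 64520, 64510), router_id="198.51.100.1")
    chosen = []
    router.update("ISP-A", via_a)
    router.update("ISP-B", via_b)
    chosen.append(router.best(prefix).next_hop)    # shorter AS_PATH wins: ISP-A
    router.update("ISP-B", via_b, local_pref=200)  # policy prefers ISP-B's link
    chosen.append(router.best(prefix).next_hop)    # ISP-B despite the longer path
    router.withdraw("ISP-B", prefix)               # ISP-B's session goes down
    chosen.append(router.best(prefix).next_hop)    # failover back to ISP-A
    looped = Route(prefix, "198.51.100.1", (64502, 64496, 64510))
    router.update("ISP-B", looped)                 # our own AS in the path: ignored
    chosen.append(router.best(prefix).next_hop)
    return chosen


if __name__ == "__main__":
    print(scenario())
```

The local-preference step is where the "co-operation" cost shows up in practice: the ISP side of the same decision is the prefix filter each provider applies to what the company announces, and a provider that will not accept the company's prefixes leaves one half of the failover design useless.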

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.

Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (and, short of outright downtime, excessive latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because inspecting traffic consumes firewall processing capacity, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:

Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This trend is in turn forcing companies to move quickly to keep pace.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.

Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how downtime is defined (planned maintenance windows, for example, are often excluded from the figure). Although 99 per cent uptime sounds like an excellent guarantee, it still permits more than three and a half days of interruption in a single year, which can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email, or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding further operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to multiply operator lines and still end up with a single point of failure because one unreliable component sits in every path.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency; the local breakout must carry the same firewall and inspection policy as the central one, or it becomes the weakest way in. But you need to implement an intelligent process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: identify users, control applications, and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand higher-throughput tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method that combines multiple network links with QoS, so that you benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was an active/standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, at most half of the available bandwidth is in use at any time, because the other link sits idle.

The modern alternative is an active/active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup. They're used only when nothing else is available. Although their per-volume cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive, and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with 4G or Long Term Evolution (LTE) wireless connections (LTE is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.

Estimating a budget

Time shows that Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity, and the cost, of an infrastructure.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you neutralize this risk, because eavesdroppers receive only ciphertext that they can't decipher. (Encryption protects the content; it doesn't hide the fact that two sites are talking, or how much.)

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections that keep traffic separate, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Sockets Layer (SSL), today implemented as Transport Layer Security (TLS)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of the peer they're talking to. Encryption allows potentially sensitive data to be hidden from anyone on the path.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL/TLS VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks using Microsoft Windows platforms and other enabled systems. Users connect via their local ISPs and tunnel to their networks over the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, its security is broken rather than merely weak. Its MS-CHAPv2 authentication can be cracked offline, and the MPPE encryption keys derive from the same credentials, so treat PPTP as no better than cleartext and use IPsec or SSL/TLS VPN instead.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions. On its own, L2TP tunnels traffic but doesn't encrypt it.

You therefore use L2TP in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's close to an ideal solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.
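As an added example (not from the original text, and not Forcepoint's product configuration), here is a minimal site-to-site IPsec policy in strongSwan's swanctl.conf syntax that implements the advice in 'Preventing eavesdropping': encrypt everything between two sites so that a provider's misconfigured MPLS router hands a third party only ciphertext. The gateway addresses (RFC 5737 documentation ranges), LAN prefixes, certificate file name and identities are assumptions chosen for the illustration.

```conf
# swanctl.conf (strongSwan). Added example; addresses, prefixes, certificate
# names and identities are illustrative assumptions.
connections {
    site-a-to-b {
        version = 2                        # IKEv2 only; never fall back to IKEv1
        local_addrs  = 203.0.113.10        # public address of the site A gateway
        remote_addrs = 198.51.100.20       # public address of the site B gateway
        # AEAD cipher, SHA-384 PRF, ECDH P-384: no weak legacy fallbacks offered
        proposals = aes256gcm16-prfsha384-ecp384
        dpd_delay = 30s                    # dead-peer detection so a failed path is noticed quickly

        local {
            auth  = pubkey                 # certificate authentication, not a shared secret
            certs = gw-site-a.pem
            id    = "CN=gw.site-a.example"
        }
        remote {
            auth = pubkey
            id   = "CN=gw.site-b.example"  # pin the peer identity, not just its address
        }

        children {
            lan-to-lan {
                local_ts  = 10.1.0.0/16    # site A LAN
                remote_ts = 10.2.0.0/16    # site B LAN
                esp_proposals = aes256gcm16-ecp384   # PFS on every child SA rekey
                rekey_time = 1h
                start_action = start       # bring the tunnel up when the daemon starts
                dpd_action = restart       # re-establish rather than silently drop
            }
        }
    }
}
```

Two checks belong with this: a firewall rule that drops packets for 10.2.0.0/16 that are not carried inside the IPsec policy (so an SA outage never degrades to plaintext over the MPLS circuit), and certificate or EAP authentication rather than one pre-shared key copied to every site, because a single leaked key would let an on-path attacker impersonate any gateway.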

SSL

Secure Sockets Layer VPN (today running on TLS) provides excellent security for remote-access users and is easy to use; the underlying protocol is already heavily employed in online shopping and banking. TLS-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL VPN can also imitate the way IPsec works (a full network tunnel) via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting that IPsec can require. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software. The flip side is that a portal reachable from any computer is also reachable from unmanaged and possibly compromised ones, so pair it with multi-factor authentication and publish through the portal only the applications remote users actually need.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi-link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that BGP-based multihoming between two ISPs needs for a highly available Internet connection. The integrated Forcepoint Security Management Center provides all configuration, and it's completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section, we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during peak traffic hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often, companies configure QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the single point of failure of the one MPLS connection in place.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. In the case of a connection outage, this wouldn't cover the production losses, and so the company wanted a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization: SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced onto the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business first, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
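To make the sample configuration concrete, the following Python sketch (added here; it is not Forcepoint's code and says nothing about how Stonesoft implements QoS internally) applies the two rules above to a sequence of flows: priority 1 is forced onto the MPLS link and may throttle lower-priority flows to make room, while priority 4 takes ADSL first and spills onto spare MPLS capacity. The link names, capacities, flow sizes and the POLICY table are constructed for the illustration.

```python
"""Priority-based link placement for the sample QoS configuration above.
Added illustration; not Forcepoint's code."""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    capacity_mbps: float
    up: bool = True
    flows: list = field(default_factory=list)   # (flow_id, priority, mbps)

    def used(self) -> float:
        return sum(f[2] for f in self.flows)

    def free(self) -> float:
        # A link that is down offers no capacity at all.
        return self.capacity_mbps - self.used() if self.up else 0.0


# Constructed policy mirroring the sample configuration: priority 1 (SAP) is
# forced onto the MPLS link; priority 4 (HTTP) tries ADSL first and may borrow
# MPLS capacity that nothing more important is using.
POLICY = {
    1: {"forced": "mpls"},
    4: {"preferred": ["adsl", "mpls"]},
}


def _reclaim(link: Link, priority: int, needed: float) -> None:
    """Throttle lower-priority flows on `link`, lowest priority first, until
    `needed` Mbps is free. Flows of equal or higher priority are never touched."""
    victims = sorted((f for f in link.flows if f[1] > priority), key=lambda f: -f[1])
    for f in victims:
        if link.free() >= needed:
            break
        link.flows.remove(f)          # a real gateway would shape it down rather than drop it


def place_flow(links: dict, flow_id: str, priority: int, mbps: float):
    """Return the name of the link the flow is placed on, or None when the
    flow has to wait (the QoS 'throttle' case in the text)."""
    rule = POLICY.get(priority, {"preferred": list(links)})
    if "forced" in rule:
        link = links[rule["forced"]]
        if not link.up:
            return None               # forced link is down: the caller must fail over or alert
        if link.free() < mbps:
            _reclaim(link, priority, mbps)
        if link.free() >= mbps:
            link.flows.append((flow_id, priority, mbps))
            return link.name
        return None
    for name in rule["preferred"]:
        link = links[name]
        if link.free() >= mbps:
            link.flows.append((flow_id, priority, mbps))
            return name
    return None


def build_links() -> dict:
    # Constructed capacities: a 10 Mbps MPLS circuit and an 8 Mbps ADSL line.
    return {"mpls": Link("mpls", 10.0), "adsl": Link("adsl", 8.0)}


def demo():
    """Walk a few flows through the policy; returns (placements, flow ids per link)."""
    links = build_links()
    placements = [
        place_flow(links, "http-1", 4, 6.0),   # ADSL has room -> 'adsl'
        place_flow(links, "http-2", 4, 6.0),   # ADSL full, MPLS idle -> spills to 'mpls'
        place_flow(links, "sap-1", 1, 8.0),    # forced 'mpls'; http-2 is throttled to make room
        place_flow(links, "http-3", 4, 3.0),   # only 2 Mbps spare on each link -> None (waits)
    ]
    links["adsl"].up = False                   # ADSL outage
    placements.append(place_flow(links, "http-4", 4, 1.0))   # takes the 2 Mbps spare on 'mpls'
    per_link = {n: sorted(f[0] for f in l.flows) for n, l in links.items()}
    return placements, per_link
```

The point the walk-through makes is the guarantee direction: SAP never loses to HTTP, HTTP loses to SAP, and HTTP on the failed ADSL line still gets whatever MPLS has left over. Flows already on a link that goes down are not re-placed here; that is the failover step, which is a separate decision from QoS placement.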

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is small, provided they don't share infrastructure (the same last-mile cable, the same street cabinet or the same upstream carrier). Their traffic fluctuations occur at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Put another way: use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

You might think that sending each new connection over whichever link answers fastest is good enough. It isn't: if one ISP's bandwidth far exceeds that of the smaller ISPs supplementing it, a smaller ISP may still return a faster SYN-ACK (synchronize-acknowledgement) response, simply because it happens to be lightly loaded at that instant.

But although that link may seem like the 'fastest' connection, choosing it on response time alone takes no account of the proportionate bandwidth available on each link, and soon fills the small link while the big one idles. A ratio method, whereby traffic is distributed among all the available links according to their relative capacity, is the preferred solution.

In this section, we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology resolves the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
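The ratio method from 'Rethinking the ratio method' and the fuzzy 'how close is this link to failing' question can be shown together. The Python below is an added illustration, not Forcepoint's implementation (whose rules and membership functions this page does not publish): each link's weight is its capacity relative to the largest link in the pool, scaled by a fuzzy health score derived from probe packet loss and round-trip time; a smooth weighted round robin then hands out new connections in that ratio, and standby links are touched only when no active link has any health left. Link names, capacities, thresholds and probe readings are constructed.

```python
"""Ratio-based multi-link selection with fuzzy link health and standby links.
Added illustration; not Forcepoint's implementation."""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float
    standby: bool = False     # emergency-only link (e.g. a metered satellite)
    loss: float = 0.0         # fraction of probe packets lost, 0..1 (constructed reading)
    rtt_ms: float = 20.0      # probe round-trip time in ms (constructed reading)


def _acceptable(x: float, good: float, bad: float) -> float:
    """Fuzzy membership 'x is acceptable': 1 at or below `good`,
    0 at or above `bad`, linear in between."""
    if x <= good:
        return 1.0
    if x >= bad:
        return 0.0
    return (bad - x) / (bad - good)


def health(link: Link) -> float:
    """Degree of truth (0..1) that the link is usable: fuzzy AND (= min) of
    'loss is acceptable' and 'latency is acceptable'. Thresholds are assumptions."""
    return min(_acceptable(link.loss, 0.0, 0.10),
               _acceptable(link.rtt_ms, 50.0, 500.0))


def weights(pool: list) -> dict:
    """Ratio method: capacity relative to the biggest link in the pool, scaled
    by health, as integer weights (never below 1 for a link still in the pool)."""
    biggest = max(l.capacity_mbps for l in pool)
    return {l.name: max(1, round(100 * l.capacity_mbps / biggest * health(l)))
            for l in pool}


class MultiLink:
    """Smooth weighted round robin over the currently usable links."""

    def __init__(self, links: list):
        self.links = links
        self.current = {l.name: 0 for l in links}

    def usable(self) -> list:
        active = [l for l in self.links if not l.standby and health(l) > 0]
        if active:
            return active
        # Nothing active is healthy: only now fall back to standby links.
        return [l for l in self.links if l.standby and health(l) > 0]

    def pick(self):
        """Return the link name for the next new connection, or None if nothing is up."""
        pool = self.usable()
        if not pool:
            return None
        w = weights(pool)
        total = sum(w.values())
        for l in pool:
            self.current[l.name] += w[l.name]
        best = max(pool, key=lambda l: self.current[l.name]).name
        self.current[best] -= total
        return best


def distribute(ml: MultiLink, connections: int) -> dict:
    """Count how many of `connections` new connections land on each link."""
    counts = {}
    for _ in range(connections):
        name = ml.pick()
        counts[name] = counts.get(name, 0) + 1
    return counts


def fleet() -> list:
    # Constructed example: a big MPLS link, two small consumer links, metered satellite on standby.
    return [Link("mpls", 100), Link("adsl", 20), Link("lte", 10), Link("sat", 5, standby=True)]


def demo() -> dict:
    out = {}
    out["low_volume"] = distribute(MultiLink(fleet()), 5)       # few connections: ratio only approximate
    out["high_volume"] = distribute(MultiLink(fleet()), 130)    # many: exactly 100:20:10
    links = fleet()
    links[1].loss = 0.05                                        # ADSL half-healthy -> half weight
    out["adsl_degraded"] = distribute(MultiLink(links), 120)
    links = fleet()
    links[1].loss = 0.20                                        # ADSL judged failed -> excluded
    out["adsl_failed"] = distribute(MultiLink(links), 110)
    links = fleet()
    for l in links[:3]:
        l.loss = 1.0                                            # every active link dead
    out["all_active_down"] = distribute(MultiLink(links), 10)   # standby satellite takes over
    return out
```

Two properties are worth checking in your own deployment's equivalent: a link whose probes degrade loses share gradually rather than all at once (so a brief loss spike does not flap traffic), and a standby link is never selected while any active link retains health, because metered links that silently absorb traffic are a billing incident as well as a capacity one.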

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection, and keeping track of configuration changes.

In this section, we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.
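The routing decision this case study describes, written out as an added example (not Forcepoint's code and not the Multi-Link implementation): ERP traffic prefers the MPLS line, other traffic prefers the ADSL line, and 3G is the backup that takes over when a land line fails. The link names, latency thresholds and traffic classes are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Link is one ISP connection at a site; the values used below are constructed.
type Link struct {
	Name      string
	Up        bool // result of the gateway's health check on this link
	LatencyMs int  // measured round-trip latency to the central site
}

// Class is a traffic class the firewall can recognise.
type Class string

const (
	ERP  Class = "erp"  // latency-sensitive, needs little bandwidth
	VoIP Class = "voip" // latency-sensitive
	Bulk Class = "bulk" // web browsing, file transfer, backups
)

// Policy lists, per class, the links to try in order of preference and the
// maximum latency the class tolerates (0 means no latency requirement).
type Policy struct {
	Prefer     map[Class][]string
	MaxLatency map[Class]int
}

// CaseStudyPolicy mirrors the manufacturing company's decision: ERP on the
// low-bandwidth MPLS line, everything else on ADSL, and 3G as the backup
// that takes over when the land lines fail. The thresholds are assumptions.
func CaseStudyPolicy() Policy {
	return Policy{
		Prefer: map[Class][]string{
			ERP:  {"mpls", "adsl", "3g"},
			VoIP: {"adsl", "3g"},
			Bulk: {"adsl", "3g"},
		},
		MaxLatency: map[Class]int{ERP: 80, VoIP: 150},
	}
}

// Decision records the chosen link and whether the latency bound held.
type Decision struct {
	Link   string
	SLAMet bool
}

var ErrNoLink = errors.New("no usable link for traffic class")

// SelectLink walks the preference list and returns the first link that is up
// and within the latency bound. If every live link is too slow it degrades to
// the most preferred live link and reports SLAMet=false, so the central
// manager can alert instead of silently carrying ERP traffic on a slow backup.
func SelectLink(p Policy, links map[string]Link, c Class) (Decision, error) {
	prefs, ok := p.Prefer[c]
	if !ok {
		return Decision{}, fmt.Errorf("no policy for class %q", c)
	}
	maxLat := p.MaxLatency[c]
	var degraded *Decision
	for _, name := range prefs {
		l, exists := links[name]
		if !exists || !l.Up {
			continue // skip links that failed their health check
		}
		if maxLat == 0 || l.LatencyMs <= maxLat {
			return Decision{Link: l.Name, SLAMet: true}, nil
		}
		if degraded == nil {
			degraded = &Decision{Link: l.Name, SLAMet: false}
		}
	}
	if degraded != nil {
		return *degraded, nil
	}
	return Decision{}, ErrNoLink
}

func main() {
	p := CaseStudyPolicy()
	site := map[string]Link{ // one of the 800 sites, constructed measurements
		"mpls": {Name: "mpls", Up: true, LatencyMs: 40},
		"adsl": {Name: "adsl", Up: true, LatencyMs: 120},
		"3g":   {Name: "3g", Up: true, LatencyMs: 300},
	}
	for _, c := range []Class{ERP, VoIP, Bulk} {
		d, _ := SelectLink(p, site, c)
		fmt.Printf("%-4s -> %s (SLA met: %v)\n", c, d.Link, d.SLAMet)
	}
	site["adsl"] = Link{Name: "adsl", Up: false, LatencyMs: 120} // land line fails
	d, _ := SelectLink(p, site, Bulk)
	fmt.Println("bulk after ADSL failure ->", d.Link)
}
```

The SLAMet flag is the detail worth keeping in a real deployment: a site that still has connectivity but is carrying ERP traffic over 3G should show up as degraded in the central console, not as healthy.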


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you quickly grasp the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value, and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised by how networks change and grow, and be taken unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both, or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer-grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How Much Time Do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real Time?
  • EULA

... the best levels of security and reduce unnecessary or hidden costs.

Chapter 4, Optimizing Hybrid Networks with Multi-Link Technology: Looks at the unique responses provided by Stonesoft Next Generation Firewall. Several real-life situations serve to illustrate how expanded network challenges were solved.

Chapter 5, Ten Top Tips for Managing Hybrid Networks: Provides practical pointers in the form of revealing questions, which you can use to assess your network needs and deploy appropriate measures in response to those needs.

Icons Used in This Book

We use the following icons to highlight key text so that you can navigate easily to the most useful information.

This icon draws your attention to top-notch advice.

Here we highlight important information for you to bear in mind.

Watch out for these potential pitfalls.

Where to Go from Here

You can use this book however you like. By all means take the traditional route and read it straight through from start to finish. Or you can skip between sections or chapters, using the headings as your guide to pinpoint the information you need. Whichever way you read it, you can't go wrong. All paths lead to the same outcome: a better grasp of how the right technology works to make large and diversified networks more agile and more secure.


Chapter 1

Understanding Next-Generation Networks

In This Chapter

Introducing networks

Growing a hybrid network

Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.


Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative, and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today, electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer operating protocol mainly used for the Internet. The four layers are Application, Host, Internet and Network. An IP address is a unique number that identifies a computer connected to a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2, we mean the Data layer.


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be the era of terabit Ethernet (1000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network

Network Component: Purpose

Computer: Machine that stocks and processes digital information. A server stocks resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.

Switch: A selective hub. Network traffic only goes where it needs to, rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th-generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets, and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another, following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node, which can be a hub or a switch. This widely used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where all data was received by a central server, which subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices, and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability as a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.

Business and bandwidth-centered daily activity depends entirely on Internet Service Provider (ISP) connections.

The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capa-bility For remote and international locations an Internet VPN offers superior reach and quality of service The reliability and performance of an Internet‐based VPN however isnrsquot under an organizationrsquos direct control Instead the solution relies on an ISP and its quality of service

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario

A VPN eliminates the need for organizations to rent expensive dedicated leased lines It also allows users to work from home and reduces spending on resources such as email servers file servers and so on because all these can be accessed on the VPN connection at the central site

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server, and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site-to-site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server, and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, the time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case they just require an Internet connection and configured VPN client software, enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address of the VPN portal would suffice.


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners, and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks, and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load-balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link-state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software, and ISP arrangement costs, and that's only the beginning. Once implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co-operate with each other. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration, and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government, and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance, and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security, and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people, and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement, and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.
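To turn an availability percentage into a concrete downtime budget, and to show why the definition of downtime matters, here is an added example (not from the book or from any provider's SLA tooling). The incident records are constructed for the demo; the only real input in practice is the ISP's incident log, and the `count_planned` switch stands for the contract clause that says whether maintenance windows count against the guarantee.

```python
from datetime import datetime

HOURS_PER_YEAR = 365 * 24  # 8760 hours in a non-leap contract year


def allowed_downtime_hours(uptime_percent: float, period_hours: float = HOURS_PER_YEAR) -> float:
    """Downtime budget implied by an availability percentage over the period."""
    return period_hours * (1.0 - uptime_percent / 100.0)


# Constructed incident records for one contract year: (start, end, category).
# These three entries are made up for the demo, not taken from a real report.
OUTAGES = [
    ("2015-02-03 09:15", "2015-02-03 11:45", "unplanned"),   # 2.5 h: cut fibre
    ("2015-05-17 02:00", "2015-05-17 06:00", "planned"),     # 4 h: maintenance window
    ("2015-09-21 14:00", "2015-09-23 20:00", "unplanned"),   # 54 h: multi-day outage
]


def total_downtime_hours(outages, count_planned: bool) -> float:
    """Sum outage durations in hours.

    Whether planned maintenance counts is exactly the 'how is downtime
    defined' question the SLA has to answer before the percentage means anything.
    """
    fmt = "%Y-%m-%d %H:%M"
    total = 0.0
    for start, end, category in outages:
        if category == "planned" and not count_planned:
            continue
        delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
        total += delta.total_seconds() / 3600.0
    return total


def sla_met(uptime_percent: float, outages, count_planned: bool) -> bool:
    """True when the measured downtime stays within the contractual budget."""
    return total_downtime_hours(outages, count_planned) <= allowed_downtime_hours(uptime_percent)


def budget_table():
    """Downtime budgets for common SLA tiers, in hours per year."""
    return {tier: round(allowed_downtime_hours(tier), 2) for tier in (99.0, 99.5, 99.9, 99.99)}


if __name__ == "__main__":
    for tier, hours in budget_table().items():
        print(f"{tier:>6}% uptime allows {hours:7.2f} h ({hours / 24:.2f} days) of downtime per year")
    for tier in (99.0, 99.9):
        print(f"{tier}% SLA met this year (maintenance counted)? {sla_met(tier, OUTAGES, True)}")
```

The same year of incidents passes a 99 per cent SLA comfortably (87.6 hours allowed, about 3.65 days) but fails 99.9 per cent (8.76 hours allowed) even when maintenance is excluded.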

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email, or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports, and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications, and allow fine-grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure, and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.
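To make concrete what an encrypted tunnel buys you over MPLS traffic separation (Chapter 1's claim that sniffed packets are unreadable and that the gateway detects modified packets, and this section's point about router misconfiguration), here is an added teaching model of a tunnel packet; it is not code from the book or from any VPN product. It has the shape of an IPsec ESP packet (SPI, sequence number, encrypted payload, integrity check value) but, so that it runs on the Python standard library alone, uses an HMAC-SHA256 counter-mode keystream in place of AES; the keys and SPI are constructed sample values where a real gateway would negotiate them with IKE.

```python
import hashlib
import hmac
import struct

# Constructed sample keys and SPI for the demo only; a real VPN derives these
# per security association during IKE and never hard-codes them.
KEY_ENC = b"constructed-encryption-key-for-demo-only"
KEY_MAC = b"constructed-integrity-key-for-demo-only!"
SPI = 0x0000A1B2                 # constructed Security Parameter Index
HEADER = struct.Struct(">IQ")    # SPI (4 bytes) + sequence number (8 bytes)
ICV_LEN = 32                     # HMAC-SHA256 integrity check value


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Per-packet keystream PRF(key, spi || seq || block counter).

    Counter mode with a PRF: the (spi, seq) pair must never repeat under one
    key, which is why IPsec rekeys before its sequence number can wrap.
    """
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, struct.pack(">IQI", spi, seq, counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encapsulate(inner_packet: bytes, seq: int) -> bytes:
    """Wrap an inner IP packet as header || ciphertext || ICV (encrypt-then-MAC)."""
    header = HEADER.pack(SPI, seq)
    ks = _keystream(KEY_ENC, SPI, seq, len(inner_packet))
    ciphertext = bytes(p ^ k for p, k in zip(inner_packet, ks))
    icv = hmac.new(KEY_MAC, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + icv


def decapsulate(tunnel_packet: bytes, highest_seq_seen: int):
    """Verify and unwrap a tunnel packet.

    Returns (inner_packet, seq), or None when the gateway must drop the packet:
    truncated, wrong SPI, replayed sequence number, or ICV mismatch (the
    'packet modified in transit' case).
    """
    if len(tunnel_packet) < HEADER.size + ICV_LEN:
        return None
    header = tunnel_packet[:HEADER.size]
    icv = tunnel_packet[-ICV_LEN:]
    ciphertext = tunnel_packet[HEADER.size:-ICV_LEN]
    spi, seq = HEADER.unpack(header)
    if spi != SPI or seq <= highest_seq_seen:
        return None
    expected = hmac.new(KEY_MAC, header + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison, and integrity is checked before anything is decrypted.
    if not hmac.compare_digest(icv, expected):
        return None
    ks = _keystream(KEY_ENC, spi, seq, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks)), seq


def demo():
    """Three outcomes an eavesdropper on a misconfigured MPLS router would get."""
    inner = b"GET /balances HTTP/1.1\r\nHost: erp.example.internal\r\n\r\n"  # constructed
    wire = encapsulate(inner, seq=1)
    sniffed_readable = b"balances" in wire                 # False: only ciphertext on the wire
    tampered = bytearray(wire)
    tampered[HEADER.size + 5] ^= 0x01                      # flip one bit of the payload
    modified_accepted = decapsulate(bytes(tampered), 0) is not None   # False: ICV fails
    replay_accepted = decapsulate(wire, 1) is not None                # False: seq already seen
    return sniffed_readable, modified_accepted, replay_accepted


if __name__ == "__main__":
    print("sniffed readable, modified accepted, replay accepted:", demo())
```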


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication, and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and it is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring, and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS, and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software, or ISP peering agreements, which are otherwise needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Chapter 4

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Securing Hybrid Networks For Dummies 34

Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running: efficiently, and all of the time.

Prioritizing links

In real life, in any normal situation (enough networking capacity and no congestion), all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.

The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would still have left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage it wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link
HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link
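As an added illustration of the two rules above (this is not Forcepoint's own configuration language or code), the following Python models them as a small link-selection policy: priority-1 traffic is pinned to MPLS, priority-4 traffic prefers ADSL and overflows onto MPLS only above a reserve held back for priority 1. The link capacities, the 4 Mbps reserve and the sequence of flow demands are assumptions made for the example.

```python
"""Priority-aware link selection, modelling the sample configuration above.

Added example, not Forcepoint code. The link names and capacities, the
per-link reservation for priority-1 traffic and the flow demands are all
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    name: str
    capacity_mbps: float
    load_mbps: float = 0.0


@dataclass
class TrafficClass:
    name: str
    priority: int                          # 1 = highest, as in the sample configuration
    forced_link: Optional[str] = None      # must use this link, never spills elsewhere
    preferred_link: Optional[str] = None   # tried first; may overflow onto other links


@dataclass
class Policy:
    links: Dict[str, Link]
    classes: Dict[str, TrafficClass]
    # Capacity on a link held back for priority-1 traffic only (assumed rule)
    reserved_mbps: Dict[str, float] = field(default_factory=dict)

    def free_for(self, link: Link, tc: TrafficClass) -> float:
        """Headroom this class may use on a link; priority 1 may eat into the reserve."""
        reserve = 0.0 if tc.priority == 1 else self.reserved_mbps.get(link.name, 0.0)
        return max(link.capacity_mbps - link.load_mbps - reserve, 0.0)

    def select_link(self, class_name: str, demand_mbps: float) -> Optional[str]:
        """Return the link a flow is placed on, or None if it has to wait (throttled)."""
        tc = self.classes[class_name]
        if tc.forced_link:
            link = self.links[tc.forced_link]
            if self.free_for(link, tc) >= demand_mbps:
                link.load_mbps += demand_mbps
                return link.name
            return None
        ordered: List[Link] = []
        if tc.preferred_link:
            ordered.append(self.links[tc.preferred_link])
        others = [l for l in self.links.values() if l.name != tc.preferred_link]
        # Overflow candidates: whichever link has the most usable headroom first
        ordered += sorted(others, key=lambda l: self.free_for(l, tc), reverse=True)
        for link in ordered:
            if self.free_for(link, tc) >= demand_mbps:
                link.load_mbps += demand_mbps
                return link.name
        return None


def sample_policy() -> Policy:
    """The configuration from the text: SAP forced on MPLS, HTTP on ADSL plus spare MPLS."""
    return Policy(
        links={"MPLS": Link("MPLS", 10.0), "ADSL": Link("ADSL", 8.0)},
        classes={
            "SAP": TrafficClass("SAP", priority=1, forced_link="MPLS"),
            "HTTP": TrafficClass("HTTP", priority=4, preferred_link="ADSL"),
        },
        reserved_mbps={"MPLS": 4.0},
    )


def run_scenario() -> List[Tuple[str, Optional[str]]]:
    """Constructed sequence of flow demands (class, Mbps) and where each one lands."""
    policy = sample_policy()
    flows = [("SAP", 2.0), ("HTTP", 6.0), ("HTTP", 3.0), ("HTTP", 3.0), ("SAP", 5.0), ("HTTP", 1.0)]
    return [(name, policy.select_link(name, demand)) for name, demand in flows]


if __name__ == "__main__":
    for name, placed in run_scenario():
        print(f"{name:5s} -> {placed or 'throttled'}")
```

Run it and the trace shows the third HTTP flow borrowing spare MPLS capacity, the fourth HTTP flow being throttled because only the reserved headroom is left, and the later 5 Mbps SAP flow still fitting on MPLS: the reserve is what turns 'priority' into a guarantee rather than a preference.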

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Figure 4-1: Combining different links for efficient hybrid networks

Load Balancing with Multi-Link

A ratio method, whereby traffic is distributed among all the available links according to the relative capacity of the links, is usually the preferred solution, and the reason is easy to miss. If one ISP's bandwidth far exceeds that of the other connections being used, and is supplemented by smaller ISPs, a smaller ISP may still return a faster SYN-ACK (that is, synchronize-acknowledgement) response.

So although that small link may look like the 'fastest' connection, choosing it on that basis alone doesn't take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
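The following Python, added here and not taken from the product, shows one way a ratio method can be realized: each link's share is derived by comparing it with the largest link, and a flow is mapped to a link by hashing its 5-tuple into that share. Keeping a whole flow on one link is the author's assumption about what a stateful firewall needs; the capacities and the flows are constructed for the example.

```python
"""Ratio-based link selection keyed on a flow hash.

Added example, not Forcepoint's implementation. Link capacities are
assumed; the 5-tuple hashing and the convergence check are the author's
illustration of 'approximate at low volume, exact at high volume'.
"""
import hashlib
from typing import Dict, Tuple

Flow = Tuple[str, str, int, int, str]   # src ip, dst ip, src port, dst port, proto


def link_ratios(capacities: Dict[str, float]) -> Dict[str, float]:
    """Each link's share of traffic, derived by comparing it with the largest link."""
    biggest = max(capacities.values())
    relative = {name: cap / biggest for name, cap in capacities.items()}  # largest = 1.0
    total = sum(relative.values())
    return {name: r / total for name, r in relative.items()}


def pick_link(flow: Flow, capacities: Dict[str, float]) -> str:
    """Map one flow to a link so that, over many flows, links fill by ratio.

    Hashing the whole 5-tuple keeps every packet of a flow on the same link,
    which stateful inspection and NAT need; the hash is uniform in [0, 1).
    """
    key = "|".join(map(str, flow)).encode()
    point = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") / 2 ** 64
    upper = 0.0
    name = ""
    for name, share in link_ratios(capacities).items():
        upper += share
        if point < upper:
            return name
    return name  # only reached through floating-point rounding at the top edge


def distribution(n_flows: int, capacities: Dict[str, float]) -> Dict[str, float]:
    """Fraction of n constructed TCP/443 flows that land on each link."""
    counts = {name: 0 for name in capacities}
    for i in range(n_flows):
        flow: Flow = ("10.0.0.%d" % (i % 250 + 1), "198.51.100.%d" % (i % 7 + 1),
                      40000 + i, 443, "tcp")
        counts[pick_link(flow, capacities)] += 1
    return {name: c / n_flows for name, c in counts.items()}


def max_deviation(n_flows: int, capacities: Dict[str, float]) -> float:
    """Largest gap between the observed share and the calculated ratio on any link."""
    ideal = link_ratios(capacities)
    actual = distribution(n_flows, capacities)
    return max(abs(actual[name] - ideal[name]) for name in ideal)


if __name__ == "__main__":
    caps = {"MPLS": 100.0, "LTE": 40.0, "ADSL": 20.0}   # Mbps, assumed
    print("ratios:", link_ratios(caps))
    for n in (8, 200, 20000):
        print(n, "flows:", distribution(n, caps), "max deviation %.3f" % max_deviation(n, caps))
```

Over a handful of flows the counts only roughly follow the shares; over 20,000 constructed flows they land within a couple of percent of the calculated ratio, which is the low-volume/high-volume distinction the text draws.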

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'defuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
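As an added example (not Forcepoint's implementation, whose rules the book does not publish), this Python builds a miniature version of the pipeline just described: two input variables (latency and packet loss) are fuzzified into sets, three rules fire with degrees of truth, and a weighted average defuzzifies them into a health score between 0 and 1. The membership ramps, rules and failover thresholds are assumptions, and the measurements are constructed. The hysteresis in LinkMonitor is the author's addition, included because moving traffic away and back on a single threshold makes a marginal link flap.

```python
"""A miniature fuzzy-logic link-health evaluator.

Added example, not Forcepoint's implementation. The membership functions,
rules and thresholds are assumptions chosen to illustrate the idea; the
sample measurements are constructed.
"""
from typing import Callable, Dict, List, Tuple


def ramp_down(x: float, full: float, zero: float) -> float:
    """Membership 1.0 at x <= full, falling linearly to 0.0 at x >= zero."""
    if x <= full:
        return 1.0
    if x >= zero:
        return 0.0
    return (zero - x) / (zero - full)


def fuzzify(latency_ms: float, loss_pct: float) -> Dict[str, float]:
    """Input variables -> degree of membership in each fuzzy set (assumed ramps)."""
    lat_low = ramp_down(latency_ms, 50.0, 250.0)   # fully 'low' up to 50 ms, 'high' from 250 ms
    loss_none = ramp_down(loss_pct, 0.0, 5.0)      # any loss counts; 5 % is fully 'heavy'
    return {"latency_low": lat_low, "latency_high": 1.0 - lat_low,
            "loss_none": loss_none, "loss_heavy": 1.0 - loss_none}


# Rules: (antecedent over the fuzzified inputs, output singleton for health)
RULES: List[Tuple[Callable[[Dict[str, float]], float], float]] = [
    (lambda m: min(m["latency_low"], m["loss_none"]), 1.0),    # good
    (lambda m: min(m["latency_high"], m["loss_none"]), 0.5),   # degraded: slow but intact
    (lambda m: m["loss_heavy"], 0.0),                          # failing
]


def link_health(latency_ms: float, loss_pct: float) -> float:
    """Defuzzify: average of the rule outputs weighted by each rule's firing strength."""
    m = fuzzify(latency_ms, loss_pct)
    fired = [(rule(m), value) for rule, value in RULES]
    total = sum(weight for weight, _ in fired)
    if total == 0.0:
        return 0.0
    return sum(weight * value for weight, value in fired) / total


class LinkMonitor:
    """Tracks one link; two thresholds stop a marginal link from bouncing in and out."""

    def __init__(self, name: str, fail_below: float = 0.4, recover_above: float = 0.7):
        self.name, self.fail_below, self.recover_above = name, fail_below, recover_above
        self.active = True

    def update(self, latency_ms: float, loss_pct: float) -> bool:
        """Feed one measurement; returns whether traffic may still use the link."""
        health = link_health(latency_ms, loss_pct)
        if self.active and health < self.fail_below:
            self.active = False        # move traffic away
        elif not self.active and health > self.recover_above:
            self.active = True         # healthy enough, and for long enough, to come back
        return self.active


def choose_link(samples: Dict[str, Tuple[float, float]]) -> str:
    """Pick the healthiest link from {name: (latency_ms, loss_pct)}."""
    return max(samples, key=lambda name: link_health(*samples[name]))


if __name__ == "__main__":
    constructed = {"MPLS": (20.0, 0.0), "ADSL": (150.0, 1.0), "LTE": (400.0, 10.0)}
    for name, (lat, loss) in constructed.items():
        print(f"{name}: health {link_health(lat, loss):.3f}")
    print("best:", choose_link(constructed))
```

The 'degraded' rule is what makes the output a degree rather than a verdict: a link at 150 ms with 1 per cent loss scores 0.625, which is bad enough not to be chosen over a clean link but not bad enough to trigger a failover on its own.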

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.

Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter
Navigating complexities
Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today, and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or another segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about encryption and the VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network? The honest answer depends on whether that network is genuinely isolated: a backup image contains everything the server holds, so leaving it in the clear should be a documented decision, not a default.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.

Wiley End User License Agreement

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real-Time?
• EULA

Chapter 1

Understanding Next-Generation Networks

In This Chapter
Introducing networks
Growing a hybrid network
Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next-generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth-heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.

Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today, electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer protocol suite mainly used for the Internet. The four layers are Application, Host-to-Host (Transport), Internet and Network Access (Link). An IP address is a unique number that identifies a computer connected to a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data Link and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2 we mean the Data Link layer.
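As an added example (not from the book), here is a small Python parser that walks one Ethernet/IPv4/TCP frame layer by layer and labels each header with the OSI layer it belongs to, which is the encapsulation that Figure 1-1 maps between the two models. The frame is constructed in the same code with made-up MAC and IP addresses, ports and payload, and both checksums are computed on the way out so the parser can verify them on the way in.

```python
"""Walking one frame through the layers of Figure 1-1.

Added example, not code from the book. The frame is constructed here
(made-up MAC and IP addresses, ports and payload) so the parser can run
offline; build_frame() computes the IPv4 and TCP checksums so that
parse_frame() can verify them.
"""
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IPv4 header and the TCP segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                    # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes = b"GET / HTTP/1.1\r\n") -> bytes:
    src_ip, dst_ip = bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7])   # constructed
    # Layer 4 / Transport: TCP header, PSH+ACK, checksum filled in below
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(pseudo + tcp + payload)) + tcp[18:]
    # Layer 3 / Network: IPv4 header, DF set, TTL 64, protocol 6 (TCP)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    # Layer 2 / Data Link: Ethernet II header, EtherType 0x0800 = IPv4
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the headers off in layer order; raise on anything this toy does not handle."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or 14 + total_len > len(frame):
        raise ValueError("malformed IPv4 header")
    if proto != 6:
        raise ValueError("only TCP is handled here")
    ip_hdr = frame[14:14 + ihl]
    t = 14 + ihl
    sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack("!HHIIHHHH", frame[t:t + 20])
    segment = frame[t:14 + total_len]
    payload = segment[(off_flags >> 12) * 4:]
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(segment))
    return {
        "layer2_data_link": {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
                             "ethertype": ethertype},
        "layer3_network": {"src": ".".join(map(str, src_ip)), "dst": ".".join(map(str, dst_ip)),
                           "ttl": ttl, "protocol": proto,
                           "checksum_ok": ones_complement_checksum(ip_hdr) == 0},
        "layer4_transport": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                             "flags": off_flags & 0x1FF, "window": win,
                             "checksum_ok": ones_complement_checksum(pseudo + segment) == 0},
        "layer7_application": payload,
    }


if __name__ == "__main__":
    for layer, fields in parse_frame(build_frame()).items():
        print(layer, fields)
```

Each header carries the demultiplexing key for the layer above it (EtherType, then IP protocol number, then TCP port), which is why a firewall has to parse all of them to decide anything about the application.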


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be the era of terabit Ethernet (1000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network

Network Component | Purpose
Computer | Machine that stores and processes digital information. A server stores resources or provides a service, and a client uses the service.
Network Interface Card (NIC) | Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.
Cable/Wireless | Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.
Hub | A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.
Switch | A selective hub. Network traffic only goes where it needs to rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).
Router | A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node that can be a hub or a switch. This widely used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx.

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where all data was received by a central server that subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio.

Management of remote locations and users.

Capacity to share information and resources.

High availability is a systematic feature.

Designed to adapt to change and growth.

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.

Business and bandwidth-centered daily activity depend entirely on Internet Service Provider (ISP) connections.

The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid, that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or Cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.
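The growth the paragraph describes, written out as a formula (an added illustration, not from the original book): connecting n sites to each other directly needs one dedicated line per pair of sites,

$$L_{\text{direct}}(n) = \binom{n}{2} = \frac{n(n-1)}{2}, \qquad L_{\text{direct}}(2) = 1,\quad L_{\text{direct}}(4) = 6,\quad L_{\text{direct}}(6) = 15,$$

so the number of lines grows with the square of the number of sites. Over an Internet VPN each site needs only its own Internet access, so the number of connections to buy grows linearly, $L_{\text{VPN}}(n) = n$: a twentieth site adds one connection rather than nineteen new lines.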


Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet-based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed on the VPN connection at the central site.

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a VPN connection from site to site would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address to connect to the VPN portal would suffice.


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.
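The encapsulate-then-decapsulate round trip, together with the two properties the paragraph claims (sniffed packets are unreadable, modified packets are detected), as an added Go example; it is not code from the book or from any particular VPN product. It wraps a constructed inner packet with AES-GCM, an authenticated cipher, so that a single changed bit anywhere in the tunnel packet makes the receiving side reject it rather than forward it. The tunnel key, the sequence-number header layout and the sample payload are assumptions made for the example; a real VPN (IPsec ESP, for instance) negotiates its keys and has its own header format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed 256-bit tunnel key shared by both VPN endpoints. A real VPN
// negotiates this (for example with IKE); it is hard-coded only so that the
// example runs offline.
var tunnelKey = []byte("0123456789abcdef0123456789abcdef")

// ErrTampered is returned when a tunnel packet fails its integrity check.
var ErrTampered = errors.New("tunnel packet rejected: integrity check failed")

const seqLen = 8 // bytes of sequence number carried in clear

func newAEAD() (cipher.AEAD, error) {
	block, err := aes.NewCipher(tunnelKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate wraps an inner packet in a carrier (tunnel) packet laid out as
//   [sequence number][nonce][AES-GCM ciphertext + tag]
// The sequence number travels in clear but is authenticated as associated
// data, so changing it is detected just like changing the payload.
func Encapsulate(seq uint64, inner []byte) ([]byte, error) {
	aead, err := newAEAD()
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint64(hdr, seq)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per packet
		return nil, err
	}
	out := append(hdr, nonce...)
	return aead.Seal(out, nonce, inner, hdr), nil
}

// Decapsulate reverses Encapsulate. Any altered byte in header, nonce,
// ciphertext or tag makes AES-GCM's Open fail, which is how the receiving
// gateway detects a modified packet instead of forwarding it.
func Decapsulate(tunnel []byte) (seq uint64, inner []byte, err error) {
	aead, err := newAEAD()
	if err != nil {
		return 0, nil, err
	}
	ns := aead.NonceSize()
	if len(tunnel) < seqLen+ns+aead.Overhead() { // truncated on the wire
		return 0, nil, ErrTampered
	}
	hdr := tunnel[:seqLen]
	nonce := tunnel[seqLen : seqLen+ns]
	inner, err = aead.Open(nil, nonce, tunnel[seqLen+ns:], hdr)
	if err != nil {
		return 0, nil, ErrTampered
	}
	return binary.BigEndian.Uint64(hdr), inner, nil
}

func main() {
	inner := []byte("constructed inner packet: GET /payroll HTTP/1.1") // sample payload
	tunnel, err := Encapsulate(1, inner)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire (%d bytes), first 16: %x\n", len(tunnel), tunnel[:16])

	seq, got, err := Decapsulate(tunnel)
	fmt.Printf("gateway accepted seq=%d payload=%q err=%v\n", seq, got, err)

	// Someone on the path flips one bit of the payload in transit.
	tunnel[len(tunnel)-1] ^= 0x01
	_, _, err = Decapsulate(tunnel)
	fmt.Println("after modification in transit:", err)
}
```

Keeping the sequence number outside the ciphertext but inside the authenticated data is the same idea ESP uses: the receiver can read it before decrypting (for replay tracking), yet cannot be fooled by a changed value.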

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Routing Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link-state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires attaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co-operate with each other. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.
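How a router holds several routes to one network, picks the shortest one and falls over to the next when the preferred route is withdrawn, as an added Go example. It is not code from the book, and it is a deliberate simplification of a real BGP implementation, which weighs several attributes besides AS_PATH length. The prefix, next-hop addresses and AS numbers are constructed documentation values, and the local ASN 64500 is an assumption. The loop check that refuses a path already containing our own ASN is the standard BGP safeguard and the part a defender most wants to see in place.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Path is one advertised route to a prefix, as learned from a neighbor.
// All addresses and AS numbers in this file are constructed documentation
// values (RFC 5737 prefixes, RFC 5398 AS numbers), not real networks.
type Path struct {
	Prefix  string   // destination network, e.g. "203.0.113.0/24"
	NextHop string   // neighbor router that advertised the path
	ASPath  []uint32 // autonomous systems traversed, nearest first
}

// ErrLoop rejects a path that already passes through our own AS: accepting
// it would create a routing loop, so BGP speakers drop such advertisements.
var ErrLoop = errors.New("AS_PATH contains local ASN: route rejected")

// RIB is the table of every currently known path per prefix, i.e. the
// "more than one way exists to get to the network" state the text describes.
type RIB struct {
	localAS uint32
	paths   map[string][]Path
}

func NewRIB(localAS uint32) *RIB {
	return &RIB{localAS: localAS, paths: map[string][]Path{}}
}

// Announce records the path advertised by p.NextHop, replacing any earlier
// advertisement from the same neighbor for the same prefix.
func (r *RIB) Announce(p Path) error {
	for _, as := range p.ASPath {
		if as == r.localAS {
			return ErrLoop
		}
	}
	r.Withdraw(p.Prefix, p.NextHop)
	r.paths[p.Prefix] = append(r.paths[p.Prefix], p)
	return nil
}

// Withdraw forgets the path learned from nextHop (link or ISP failure).
// Other paths to the prefix stay, which is what makes the route redundant.
func (r *RIB) Withdraw(prefix, nextHop string) {
	kept := r.paths[prefix][:0]
	for _, p := range r.paths[prefix] {
		if p.NextHop != nextHop {
			kept = append(kept, p)
		}
	}
	r.paths[prefix] = kept
}

// Best selects the path to install: the shortest AS_PATH wins (the hop count
// the text refers to), with the lowest next-hop address as a deterministic
// tie-break. ok is false when no path to the prefix remains.
func (r *RIB) Best(prefix string) (best Path, ok bool) {
	cands := append([]Path(nil), r.paths[prefix]...)
	if len(cands) == 0 {
		return Path{}, false
	}
	sort.Slice(cands, func(i, j int) bool {
		li, lj := len(cands[i].ASPath), len(cands[j].ASPath)
		if li != lj {
			return li < lj
		}
		return cands[i].NextHop < cands[j].NextHop
	})
	return cands[0], true
}

func main() {
	const prefix = "203.0.113.0/24"
	rib := NewRIB(64500) // our own (assumed) ASN

	// Two ISPs advertise the same prefix; ISP A's path is one AS shorter.
	rib.Announce(Path{prefix, "192.0.2.1", []uint32{64496, 64498}})
	rib.Announce(Path{prefix, "198.51.100.1", []uint32{64497, 64499, 64498}})
	best, _ := rib.Best(prefix)
	fmt.Printf("preferred: via %s, AS_PATH %v\n", best.NextHop, best.ASPath)

	// ISP A's link goes down: its path is withdrawn and traffic fails over.
	rib.Withdraw(prefix, "192.0.2.1")
	best, _ = rib.Best(prefix)
	fmt.Printf("after failover: via %s, AS_PATH %v\n", best.NextHop, best.ASPath)

	// A looped advertisement containing our own ASN is refused.
	err := rib.Announce(Path{prefix, "192.0.2.9", []uint32{64496, 64500, 64498}})
	fmt.Println("looped path:", err)
}
```

The two Announce calls are the "redundant routes to a set of networks" of the paragraph above, and Withdraw followed by Best is the whole of the failover: nothing has to be reconfigured, the next-shortest surviving path is simply installed.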

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.

Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique, the primary ISP forwards traffic to and from the Internet, while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability. (See Chapter 2.)

Consumer grade connections work with the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status to all high-quality links. In case of congestion or failure, they start automatically using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems, which ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, nor the ISP peering agreements that two ISPs need between them when BGP is used to make your Internet connection highly available. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running – efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
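To make the sample configuration concrete, here is an added worked example of priority-based link selection with spill-over: the priority-1 class is forced onto MPLS, the priority-4 class fills ADSL first and then whatever MPLS capacity is left, and anything that finds no room is throttled. This is illustration code written for this page, not Stonesoft or Forcepoint code; the link capacities (MPLS 10 Mbps, ADSL 8 Mbps), class names and flow sizes are constructed.

```python
"""Priority-based link selection with spill-over, modelled on the sample
configuration above (SAP forced onto MPLS, HTTP on ADSL plus any free MPLS
capacity). Added illustration, not Stonesoft/Forcepoint code: link
capacities, class names and flow sizes are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    name: str
    capacity_mbps: float          # constructed nominal capacity
    used_mbps: float = 0.0

    @property
    def free_mbps(self) -> float:
        return max(self.capacity_mbps - self.used_mbps, 0.0)


@dataclass
class TrafficClass:
    name: str
    priority: int                         # 1 = highest, as in the sample config
    forced_link: Optional[str] = None     # class may use only this link
    preferred_link: Optional[str] = None  # first choice, then spill elsewhere
    may_spill: bool = True                # may use other links' spare capacity


@dataclass
class Flow:
    traffic_class: TrafficClass
    demand_mbps: float


def place_flows(flows, links):
    """Assign bandwidth to links, highest priority first.

    Returns (allocation, throttled): allocation maps class name to
    {link name: Mbps}; throttled maps class name to Mbps that found no room
    and must wait, which is the QoS throttling the text describes."""
    by_name = {link.name: link for link in links}
    allocation, throttled = {}, {}
    # Serving priority 1 before priority 4 is what guarantees the forced
    # link to the critical class before lower classes compete for spare room.
    for flow in sorted(flows, key=lambda f: f.traffic_class.priority):
        tc, remaining = flow.traffic_class, flow.demand_mbps
        if tc.forced_link:
            candidates = [by_name[tc.forced_link]]
        else:
            candidates = [by_name[tc.preferred_link]] if tc.preferred_link else []
            if tc.may_spill:
                candidates += [other for other in links if other not in candidates]
        for link in candidates:
            take = min(remaining, link.free_mbps)
            if take > 0:
                link.used_mbps += take
                per_link = allocation.setdefault(tc.name, {})
                per_link[link.name] = per_link.get(link.name, 0.0) + take
                remaining -= take
            if remaining <= 0:
                break
        if remaining > 0:
            throttled[tc.name] = throttled.get(tc.name, 0.0) + remaining
    return allocation, throttled


def demo(sap_mbps, http_mbps):
    """Run the sample configuration on constructed capacities: MPLS 10 Mbps,
    ADSL 8 Mbps. HTTP is listed first to show that priority, not list order,
    decides who is served first."""
    links = [Link("MPLS", 10.0), Link("ADSL", 8.0)]
    sap = TrafficClass("SAP", priority=1, forced_link="MPLS", may_spill=False)
    http = TrafficClass("HTTP", priority=4, preferred_link="ADSL")
    return place_flows([Flow(http, http_mbps), Flow(sap, sap_mbps)], links)


if __name__ == "__main__":
    print(demo(4.0, 12.0))   # HTTP fills ADSL, then the 6 Mbps MPLS left free
    print(demo(4.0, 20.0))   # 6 Mbps of HTTP is throttled; SAP is untouched
    print(demo(12.0, 8.0))   # SAP exceeds MPLS: throttled, never spills to ADSL
```

The third call shows the edge that matters operationally: a forced class that outgrows its link is throttled rather than silently moved onto the cheap link, so the placement policy stays predictable under overload.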


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi-link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, a smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
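The two cases above (approximate at low volume, converging at high volume) are easy to see in a simulation. The following is an added example written for this page, not Forcepoint or Stonesoft code: the link names and capacities are constructed, and seeded weighted random selection stands in for whatever scheduler the product uses internally. It also includes, for contrast, the "fastest SYN-ACK" choice that the section warns ignores capacity.

```python
"""Ratio-based distribution of new connections across ISP links. Added
illustration, not Forcepoint/Stonesoft code: link names and capacities are
constructed, and seeded weighted random choice stands in for the product's
own scheduler."""
import random
from collections import Counter

# Constructed link capacities in Mbps: one big MPLS line plus two small ones.
LINKS_MBPS = {"mpls": 100, "adsl": 20, "lte": 30}


def link_ratios(capacities):
    """Ratio of each link to the link with the most bandwidth (that one = 1.0),
    which is how the text says the ratios are produced."""
    biggest = max(capacities.values())
    return {name: cap / biggest for name, cap in capacities.items()}


def capacity_shares(capacities):
    """Share of all traffic each link should carry if the ratios are honoured."""
    total = sum(capacities.values())
    return {name: cap / total for name, cap in capacities.items()}


def distribute(n_connections, capacities, seed=1):
    """Assign n new connections to links with probability equal to the ratios;
    returns the share of connections that landed on each link."""
    rng = random.Random(seed)          # seeded so the demo is repeatable
    names = list(capacities)
    weights = [link_ratios(capacities)[name] for name in names]
    counts = Counter(rng.choices(names, weights=weights, k=n_connections))
    return {name: counts[name] / n_connections for name in names}


def max_deviation(n_connections, capacities, seed=1):
    """Largest gap between a link's actual share and its capacity share.
    Large for a handful of connections, small for many: the text's two cases."""
    actual = distribute(n_connections, capacities, seed)
    wanted = capacity_shares(capacities)
    return max(abs(actual[name] - wanted[name]) for name in capacities)


def fastest_synack_pick(rtt_ms):
    """The alternative the text warns about: always take the link that answered
    a SYN-ACK fastest. It ignores capacity, so every new connection goes to the
    same (possibly smallest) link until that link is congested."""
    return min(rtt_ms, key=rtt_ms.get)


if __name__ == "__main__":
    print(link_ratios(LINKS_MBPS))
    print("10 connections, worst gap:", round(max_deviation(10, LINKS_MBPS), 3))
    print("100000 connections, worst gap:", round(max_deviation(100_000, LINKS_MBPS), 3))
    # constructed round-trip times: the small LTE link answers fastest
    print("SYN-ACK winner:", fastest_synack_pick({"mpls": 20, "adsl": 35, "lte": 12}))
```

With ten connections the shares are quantized to tenths, so the 2:1 MPLS share can only be approximated; with a hundred thousand the worst gap drops below one per cent.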

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, to allow for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
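As an added illustration of the steps just named (input variables, fuzzy sets, rules, de-fuzzification), here is a small fuzzy link-health scorer and the link-selection rule built on it. This is example code written for this page, not Stonesoft or Forcepoint code: the input variables (link load and packet loss), the membership functions, the three rules, the 0.6 threshold and the sample link telemetry are all constructed. It also covers two of the failure modes listed above: a standby link is only used when no active link is usable, and when every link looks bad the least-bad one is still chosen rather than nothing.

```python
"""Fuzzy link-health scoring for multi-link failover. Added illustration,
not Forcepoint/Stonesoft code: the input variables, fuzzy sets, rules,
threshold and sample telemetry are constructed."""


def clamp(x, lo=0.0, hi=1.0):
    return max(lo, min(hi, x))


# Fuzzy sets (membership 0..1): "high load" rises linearly between 50% and
# 90% link utilisation; "high loss" rises between 0% and 5% packet loss.
def high_load(load_pct):
    return clamp((load_pct - 50.0) / 40.0)


def high_loss(loss_pct):
    return clamp(loss_pct / 5.0)


def degradation(load_pct, loss_pct):
    """Degree of truth (0..1) that a link is going bad.

    Rules (zero-order Sugeno style; each rule yields a constant):
      R1: load low  AND loss low  -> healthy (0.0)
      R2: load high AND loss low  -> busy    (0.5)
      R3: loss high               -> failing (1.0)
    De-fuzzification: strength-weighted average of the rule outputs."""
    hl, hp = high_load(load_pct), high_loss(loss_pct)
    rules = [
        (min(1 - hl, 1 - hp), 0.0),   # R1
        (min(hl, 1 - hp), 0.5),       # R2
        (hp, 1.0),                    # R3
    ]
    total = sum(strength for strength, _ in rules)
    if total == 0:                    # defensive: no rule fired at all
        return 0.0
    return sum(strength * out for strength, out in rules) / total


def usable_links(links, threshold=0.6):
    """Choose links to carry traffic from a list of dicts with keys
    name, role ('active' or 'standby'), load_pct and loss_pct.

    Active links scoring below the threshold win. Standby links are used
    only when no active link is usable. If nothing is usable, the least-bad
    link is returned so that traffic is never black-holed."""
    scored = [(degradation(l["load_pct"], l["loss_pct"]), l) for l in links]
    for role in ("active", "standby"):
        ok = [l["name"] for s, l in scored if l["role"] == role and s < threshold]
        if ok:
            return ok
    return [min(scored, key=lambda pair: pair[0])[1]["name"]]


# Constructed telemetry: two active MPLS lines and a satellite standby.
SAMPLE_LINKS = [
    {"name": "mpls-a", "role": "active", "load_pct": 20, "loss_pct": 0.0},
    {"name": "mpls-b", "role": "active", "load_pct": 95, "loss_pct": 8.0},
    {"name": "sat", "role": "standby", "load_pct": 5, "loss_pct": 0.5},
]
# Both active links degraded: the standby should take over.
ACTIVE_LINKS_DOWN = [
    {"name": "mpls-a", "role": "active", "load_pct": 95, "loss_pct": 8.0},
    {"name": "mpls-b", "role": "active", "load_pct": 95, "loss_pct": 8.0},
    {"name": "sat", "role": "standby", "load_pct": 5, "loss_pct": 0.5},
]
# Everything over the threshold: pick the least-bad link anyway.
EVERYTHING_DEGRADED = [
    {"name": "mpls-a", "role": "active", "load_pct": 95, "loss_pct": 8.0},
    {"name": "mpls-b", "role": "active", "load_pct": 95, "loss_pct": 8.0},
    {"name": "sat", "role": "standby", "load_pct": 60, "loss_pct": 4.0},
]

if __name__ == "__main__":
    for name, links in [("normal", SAMPLE_LINKS), ("actives down", ACTIVE_LINKS_DOWN),
                        ("all degraded", EVERYTHING_DEGRADED)]:
        scores = {l["name"]: round(degradation(l["load_pct"], l["loss_pct"]), 2) for l in links}
        print(name, scores, "->", usable_links(links))
```

The point of the graded score is that a link at 70% load with 2% loss comes out around 0.46, so it still carries traffic, while a link at 95% load with 8% loss scores 1.0 and is drained before it fails outright; a hard 0/1 check on either variable alone would miss the first case and flap on the second.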

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection, and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.

Securing Hybrid Networks For Dummies 46

How much Time do I Spend on Configurations

Research commissioned by Forcepoint revealsmdashnot surprisinglymdashthat a significant divide exists between the ideal time and realistic time businesses spend on operations such as preliminary firewall configuration policy setting and updates remote location setup and more

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection

You may sometimes receive reports that an application took longer than usual to access or that receivers didnrsquot see the information intended for them Paying attention to input from users and your environment is always wise but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas

Chapter 4 explores the different methods that Multi‐Link tech-nology will use to select the fastest available connection

Do I Sometimes Prioritize Performance over Security

As security becomes more and more complex a tug‐of‐war has emerged with network administrators facing situations where advanced protection can adversely affect network performance


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow, without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you strike the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server: would they really need encryption on that dedicated and extremely high‐traffic network? The answer depends on the threat model. A physically isolated network that carries nothing but backups is a different case from one that also carries, or is reachable from, user traffic, so make the decision explicitly and record why, rather than letting an inspection or encryption feature quietly stay switched off.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


Wiley End User License Agreement: go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next‐Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load‐balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non‐critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
  • Meeting Multi‐Link Technology
    • Prioritizing links
    • Seeing multi‐link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi‐Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real‐world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real‐Time?
• EULA

Chapter 1

Understanding Next‐Generation Networks

In This Chapter

Introducing networks

Growing a hybrid network

Reading about routers and load balancing

Just as Star Trek: The Next Generation was an evolved version of the original TV series (no letters if you disagree, please), so next‐generation networks are evolved communication systems. They span geographically dispersed locations and accommodate users logging on from a diverse array of devices.

They use hybrid connections to provide access to highly virtualized information technology (IT) resources residing in a cloud or datacenter, and they handle bandwidth‐heavy traffic such as voice and video.

In this chapter we introduce you to networks in general and hybrid ones in particular, and briefly talk about routing and load issues. You can also see this chapter as introducing you to the rest of the book, in that we define most of the technical terms that we use and provide relevant cross references to content in the other chapters.


Connecting the World

At the root of next‐generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best‐known representative, and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today, electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4‐layer protocol suite mainly used for the Internet. The four layers are Application, Host‐to‐Host (also called Transport), Internet and Network Access. An IP address is a number that uniquely identifies a host within a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a framework similar to TCP/IP that describes how machines communicate, in the form of a theoretical 7‐layer model: Application, Presentation, Session, Transport, Network, Data Link and Physical (remember it with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real‐world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy, because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2, we mean the Data Link layer.
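To make the layering concrete, here is an added example in Python (not code from the book) that builds a constructed Ethernet/IPv4/UDP frame and then dissects it one header at a time, labelling each header with its OSI layer. The MAC and IP addresses, ports and payload are made up for the demonstration. The checks on every length and checksum field are the ones a practitioner wants in any dissector: a parser that trusts on‐the‐wire lengths is how packet‐handling code gets crashed or exploited.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as RFC 791 specifies for the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame(payload: bytes = b"hello") -> bytes:
    """Constructed sample frame (not a real capture): Ethernet II + IPv4 + UDP + payload."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s",
                               0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, IPPROTO_UDP, 0,
                               bytes([192, 168, 1, 10]), bytes([10, 0, 0, 53])))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + udp


def parse_frame(frame: bytes) -> dict:
    """Peel one header per layer, naming the OSI layer each one belongs to.

    Every length field is checked against the bytes actually present before it is trusted.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    result = {"L2_data_link": {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return result

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _cksum, saddr, daddr = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 header")
    result["L3_network"] = {
        "src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr)),
        "ttl": ttl, "protocol": proto,
        # Summing the header with its checksum field included must give zero.
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }
    # Ethernet frames may carry padding after the IP packet: trust total_len, not the frame length.
    segment = ip[ihl:total_len]
    if proto != IPPROTO_UDP:
        return result

    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _udp_cksum = struct.unpack("!HHHH", segment[:8])
    if udp_len < 8 or udp_len > len(segment):
        raise ValueError("inconsistent UDP length")
    result["L4_transport"] = {"src_port": sport, "dst_port": dport, "length": udp_len}
    result["L7_application"] = {"payload": segment[8:udp_len]}
    return result


if __name__ == "__main__":
    for layer, fields in parse_frame(build_sample_frame()).items():
        print(layer, fields)
```

Run it and you see the Layer 2 addresses, the Layer 3 addresses with the checksum verdict, the Layer 4 ports and the application payload, in the order a switch (Layer 2), a router (Layer 3) and a firewall (Layers 4 and up) would look at them.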


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data‐link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be the era of terabit Ethernet (1,000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network

Computer: Machine that stores and processes digital information. A server stores resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi‐Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings, or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time. Because every station sees every frame, any machine on a hub can also eavesdrop on all the others' traffic.

Switch: A selective hub. Network traffic only goes where it needs to, rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini‐computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high‐speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th‐generation mobile data protocol provides high‐speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a packet‐forwarding technique that the carrier runs over underlying data connections such as DSL and which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Note, though, that this isolation is logical separation, not encryption: the carrier, and anyone with access to its equipment, can still read the traffic. Regulatory bodies therefore generally recommend the encryption of traffic even over MPLS networks that are considered private.

Multi Protocol Label Switching forwards data packets on the basis of short labels rather than full IP routing lookups, operating between the switch level (Layer 2) and the router level (Layer 3), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next‐generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next‐generation networks.

Check out Chapter 4 to see how sophisticated next‐generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another, following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node, which can be a hub or a switch. This widely‐used topology prevents network failure if any one machine stalls, although the central node itself remains a single point of failure.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet is, at its core, a (partial) mesh.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx.

Figure 1-2: Different configurations used to link machines.
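As an added example, not part of the book, the following Python models the four topologies as small graphs and checks what a single failure does to each; the device names and network sizes are constructed for the demonstration, and the ring is modelled as one‐directional, as the description above assumes. It also counts the physical links, which is where the n(n-1)/2 cost of fully meshing n sites (discussed later in this chapter, under VPNs) comes from.

```python
from collections import deque


def devices(n):
    return [f"dev{i}" for i in range(n)]


def bus(n):
    """Shared conduit: every device hangs off one cable (a failure of the conduit is modelled as a node failure)."""
    devs = devices(n)
    return devs, ["conduit"], [(d, "conduit") for d in devs], True


def ring(n):
    """Token-ring style: each device forwards to the next, one direction only (links are one-way)."""
    devs = devices(n)
    return devs, [], [(devs[i], devs[(i + 1) % n]) for i in range(n)], False


def star(n):
    devs = devices(n)
    return devs, ["switch"], [(d, "switch") for d in devs], True


def mesh(n):
    devs = devices(n)
    return devs, [], [(devs[i], devs[j]) for i in range(n) for j in range(i + 1, n)], True


TOPOLOGIES = {"bus": bus, "ring": ring, "star": star, "mesh": mesh}


def reachable(links, bidirectional, alive, start):
    """Breadth-first search that only walks through nodes still alive."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, []).append(v)
        if bidirectional:
            adj.setdefault(v, []).append(u)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt in alive and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def still_connected(devs, infra, links, bidirectional, failed):
    """True if every surviving device can still reach every other surviving device."""
    alive = (set(devs) | set(infra)) - {failed}
    survivors = {d for d in devs if d != failed}
    return all(survivors <= reachable(links, bidirectional, alive, s) for s in survivors)


def resilience_report(n):
    """Per topology: number of physical links, and whether any single device or
    infrastructure failure leaves the remaining devices fully connected.
    Topologies without separate infrastructure report True for the second check."""
    report = {}
    for name, build in TOPOLOGIES.items():
        devs, infra, links, bidir = build(n)
        report[name] = {
            "links": len(links),
            "survives_any_device_failure": all(still_connected(devs, infra, links, bidir, d) for d in devs),
            "survives_infrastructure_failure": all(still_connected(devs, infra, links, bidir, x) for x in infra),
        }
    return report


if __name__ == "__main__":
    for name, row in resilience_report(6).items():
        print(f"{name:5s} {row}")
```

For six machines the report shows the trade‐off in numbers: the mesh needs 15 links but shrugs off any single failure, the star needs 6 links and survives any device failure but not the loss of its switch, the bus dies with its conduit, and the one‐directional ring is broken by any single device going down.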


Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and then dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point‐of‐sale sites, banks cater for remote branch offices and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability as a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi‐site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.

Business and bandwidth‐centered daily activity depend entirely on Internet Service Provider (ISP) connections.

The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de‐encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN‐to‐LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi‐Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it grows quadratically as the organization grows, because connecting n sites directly to each other takes n(n-1)/2 lines. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet‐based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home, and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real‐world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory domain, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site‐to‐site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human‐resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote‐access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK‐based office. In this case, they just require an Internet connection and configured VPN client software, enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client‐side software, because the URL address of the VPN portal would suffice.


VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this, provided the VPN protocol authenticates each packet as well as encrypting it (as IPsec and TLS‐based VPNs do): encryption on its own doesn't detect tampering.
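The encapsulate, encrypt and authenticate sequence just described, as an added Python example (not code from the book or from any real VPN product). It uses only the standard library, so the cipher is a simple HMAC‐based keystream rather than the AES‐GCM or ChaCha20‐Poly1305 a real IPsec or TLS VPN would use; the SPI, sequence number, replay window and sample inner packet are assumptions made for the demonstration, and only one direction of the tunnel is shown. What it demonstrates is the point of the paragraph above: the inner packet is unreadable on the wire, a modified packet is rejected before it is ever decrypted, and a replayed packet is rejected too.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!IQ")   # SPI (selects the tunnel and its keys) + 64-bit sequence number
TAG_LEN = 16                    # truncated HMAC-SHA256 tag appended to every packet
REPLAY_WINDOW = 64              # how far out of order a late packet may arrive


def derive_keys(master_key: bytes):
    """Separate keys for confidentiality and integrity, derived from one shared secret."""
    enc = hmac.new(master_key, b"tunnel-encrypt", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"tunnel-authenticate", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    """PRF in counter mode, keyed per packet by the header; the sequence number acts as the nonce."""
    blocks = [hmac.new(enc_key, header + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TunnelSender:
    def __init__(self, spi: int, master_key: bytes):
        self.spi = spi
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.seq = 0

    def encapsulate(self, inner_packet: bytes) -> bytes:
        self.seq += 1                       # never reused under one key: it is the nonce
        header = HEADER.pack(self.spi, self.seq)
        ciphertext = xor_bytes(inner_packet, keystream(self.enc_key, header, len(inner_packet)))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        return header + ciphertext + tag    # encrypt-then-MAC: the tag covers header and ciphertext


class TunnelReceiver:
    def __init__(self, spi: int, master_key: bytes):
        self.spi = spi
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.highest = 0
        self.seen = set()

    def decapsulate(self, outer_packet: bytes) -> bytes:
        if len(outer_packet) < HEADER.size + TAG_LEN:
            raise ValueError("truncated tunnel packet")
        header = outer_packet[:HEADER.size]
        ciphertext = outer_packet[HEADER.size:-TAG_LEN]
        tag = outer_packet[-TAG_LEN:]
        spi, seq = HEADER.unpack(header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        # Verify first, in constant time: a modified or forged packet never reaches decryption.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: packet was modified or forged")
        if seq in self.seen or seq + REPLAY_WINDOW <= self.highest:
            raise ValueError("replayed or too-old sequence number")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + REPLAY_WINDOW > self.highest}
        return xor_bytes(ciphertext, keystream(self.enc_key, header, len(ciphertext)))


def demo(master_key: bytes = b"\x42" * 32) -> dict:
    """Round trip, then a sniffed-and-modified packet, then a replayed one (constructed inputs)."""
    sender, receiver = TunnelSender(0x1001, master_key), TunnelReceiver(0x1001, master_key)
    inner = b"GET /payroll/export HTTP/1.1\r\nHost: intranet\r\n\r\n"
    outer = sender.encapsulate(inner)
    outcome = {"roundtrip_ok": receiver.decapsulate(outer) == inner,
               "plaintext_visible_on_wire": inner in outer}
    tampered = bytearray(outer)
    tampered[HEADER.size] ^= 0x01           # flip one ciphertext bit, as an on-path attacker might
    try:
        receiver.decapsulate(bytes(tampered))
        outcome["tamper_detected"] = False
    except ValueError:
        outcome["tamper_detected"] = True
    try:
        receiver.decapsulate(outer)          # exact copy of a packet already accepted
        outcome["replay_detected"] = False
    except ValueError:
        outcome["replay_detected"] = True
    return outcome


if __name__ == "__main__":
    print(demo())
```

Two design points carry over directly to real VPN protocols: the tag is checked before anything else is done with the packet, so corrupted or forged data costs the gateway only one HMAC computation, and the sequence number is both the anti‐replay counter and the nonce that keeps the keystream from ever repeating under the same key.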

Finding a Way Through Routing and Load Balancing

Making sure that a network is available, and that information travels through it at a reasonable speed, is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available, and that you make use of all of the routes all of the time. To keep your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol is a path‐vector protocol: it chooses among the available routes by policy and, other attributes being equal, prefers the path that traverses the fewest autonomous systems (networks under a single administration), not the fewest routers.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link‐state routing protocol that protects users against link failure by recalculating routes around the failed link.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.
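The selection and failover behaviour described above, as an added Python example (not the book's code and not a real BGP implementation): a minimal routing table for a site with two ISPs that prefers the shortest AS path, rejects a path that already contains its own ASN, and fails over when one ISP's route is withdrawn. The ASNs, prefixes and next hops are reserved documentation and private‐use values chosen for the demonstration, and the BGP decision process is reduced to LOCAL_PREF, AS_PATH length and a next‐hop tie‐break.

```python
from dataclasses import dataclass
from typing import Optional

MY_ASN = 64512          # private-use ASN, standing in for the corporate network


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: tuple       # nearest AS first, origin AS last
    local_pref: int = 100


def int_ip(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


class Rib:
    """Minimal BGP-style routing information base for one multi-homed site."""

    def __init__(self, my_asn: int):
        self.my_asn = my_asn
        self.routes = {}     # prefix -> {neighbor name -> Route}

    def learn(self, neighbor: str, route: Route) -> bool:
        # Loop prevention: a path that already contains our own ASN is discarded.
        if self.my_asn in route.as_path:
            return False
        self.routes.setdefault(route.prefix, {})[neighbor] = route
        return True

    def withdraw(self, neighbor: str, prefix: str) -> None:
        self.routes.get(prefix, {}).pop(neighbor, None)

    def best(self, prefix: str) -> Optional[tuple]:
        """Simplified decision process: highest LOCAL_PREF, then shortest AS_PATH, then lowest next hop."""
        candidates = self.routes.get(prefix, {})
        if not candidates:
            return None
        return max(candidates.items(),
                   key=lambda kv: (kv[1].local_pref, -len(kv[1].as_path), -int_ip(kv[1].next_hop)))


def demo() -> dict:
    """Constructed scenario: two ISPs, one looping advertisement, then ISP A fails."""
    rib = Rib(MY_ASN)
    prefix = "203.0.113.0/24"
    # Both ISPs advertise the same destination; ISP B's path crosses one more network.
    rib.learn("isp_a", Route(prefix, "198.51.100.1", as_path=(64496, 64500)))
    rib.learn("isp_b", Route(prefix, "192.0.2.1", as_path=(64497, 64498, 64500)))
    first_choice = rib.best(prefix)[0]
    # An advertisement whose AS_PATH already contains our ASN must be rejected, not installed.
    looped_accepted = rib.learn("isp_b", Route(prefix, "192.0.2.1", as_path=(64497, MY_ASN, 64500)))
    # ISP A goes down: its session drops, the route is withdrawn, traffic fails over.
    rib.withdraw("isp_a", prefix)
    after_failover = rib.best(prefix)[0]
    rib.withdraw("isp_b", prefix)
    return {"first_choice": first_choice, "looped_route_accepted": looped_accepted,
            "after_isp_a_failure": after_failover, "after_both_fail": rib.best(prefix)}


if __name__ == "__main__":
    print(demo())
```

The LOCAL_PREF attribute is what lets an administrator override the shortest‐path choice by policy, for example to keep a cheap but long path as the preferred one; the example's `best()` honours it before path length, exactly as the real decision process does.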

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter
Producing a smooth-running complex network
Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. In-depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing the loss of productivity caused by network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or excessive latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possibly added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because inspecting traffic consumes processing capacity and bandwidth, network administrators sometimes deactivate security functions on their firewalls in favor of increased speed.

In this scenario the tradeoff between security and performance can lead to disaster, especially as cyber-threats escalate over time.

The justifiable question hanging over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with respecting budgets and finding ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This trend is in turn forcing companies to move quickly to keep pace.

Voice and video communications: These must-have technologies are heavy consumers of bandwidth and increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate concern for the protection of assets, it's also intimately linked with continuity of service.

Addressing outages with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on the existing infrastructure and working reactively to manage service issues. In the past, after an outage a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not recur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.

Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops below the expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how downtime is defined (for example, whether planned maintenance windows count, and whether the percentage is measured per month or per year). Although 99 per cent uptime sounds like an excellent guarantee, it still permits about 87 hours, more than three and a half days, of interruption in a single year, which can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that have no business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS link fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify as mission-critical, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and still end up with a single point of failure because of one unreliable component.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligent process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: identify and manage users, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand higher-capacity tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many tunnels at once, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter
Making informed decisions about connectivity
Thinking about cost
Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at the different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.

Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method that combines multiple network links with QoS, so that you benefit from both high availability and traffic prioritization. Chapter 4 provides more details.
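To make the bank example concrete, here is an added example (not code from this book or from Forcepoint) of a strict-priority scheduler on a single link. The traffic mix (stock-exchange packets at priority 1, web browsing at priority 4), the link capacity per scheduling interval and the queue depth are all constructed values. With spare capacity every packet goes through; when the link is congested the stock-exchange traffic is still delivered in full while web traffic is queued and, once its queue is full, tail-dropped, which is exactly the "surfing gets slower at peak hours" effect described above.

```python
"""Strict-priority QoS on one congested link: an added example (not code from the book or from
Forcepoint). Traffic mix, link capacity and queue depth are constructed to illustrate the behaviour."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    flow: str          # which application the packet belongs to
    priority: int      # 1 = highest; the scheduler serves lower numbers first
    size: int          # bytes


@dataclass
class PriorityScheduler:
    capacity_per_tick: int                  # bytes the link can carry in one scheduling interval
    max_queue: int = 4                      # per-class queue depth; packets beyond it are tail-dropped
    queues: dict = field(default_factory=dict)
    dropped: dict = field(default_factory=dict)

    def enqueue(self, pkt: Packet) -> bool:
        """Queue a packet in its priority class; return False (and count a drop) if that class is full."""
        q = self.queues.setdefault(pkt.priority, deque())
        if len(q) >= self.max_queue:
            self.dropped[pkt.flow] = self.dropped.get(pkt.flow, 0) + 1
            return False
        q.append(pkt)
        return True

    def tick(self) -> list:
        """Transmit up to capacity_per_tick bytes, always draining the highest-priority class first.
        Strict priority: if the head of a higher class does not fit, lower classes do not jump ahead."""
        budget = self.capacity_per_tick
        sent = []
        for prio in sorted(self.queues):
            q = self.queues[prio]
            while q and q[0].size <= budget:
                pkt = q.popleft()
                budget -= pkt.size
                sent.append(pkt)
            if q:
                break
        return sent


# Constructed per-tick offered load: 2 kB of stock-exchange traffic and 4 kB of web browsing.
OFFERED = [Packet("stock-exchange", 1, 1000)] * 2 + [Packet("web", 4, 1000)] * 4


def simulate(capacity_per_tick: int, ticks: int, offered=OFFERED):
    """Run the scheduler for `ticks` intervals; return (bytes delivered per flow, drops per flow)."""
    sched = PriorityScheduler(capacity_per_tick)
    delivered = {}
    for _ in range(ticks):
        for p in offered:
            sched.enqueue(Packet(p.flow, p.priority, p.size))
        for p in sched.tick():
            delivered[p.flow] = delivered.get(p.flow, 0) + p.size
    return delivered, sched.dropped


if __name__ == "__main__":
    # Enough capacity (10 kB/tick for 6 kB offered): QoS never kicks in, nothing is dropped.
    print(simulate(10_000, 5))
    # Congested link (3 kB/tick): stock-exchange traffic still gets its full 2 kB every tick,
    # web traffic gets the remaining 1 kB and the rest is queued and then dropped.
    print(simulate(3_000, 5))
```

The strict-priority policy shown here is the simplest form of QoS and also illustrates its main caveat: under sustained congestion the lower class is starved rather than merely slowed. Real firewalls and routers usually combine priority with a guaranteed minimum share per class for that reason, and QoS of any kind does nothing for you if the only link goes down, which is the point of the next sections.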

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to more than one ISP, the traditional practice was an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider's link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only half of the bandwidth you pay for (assuming two equally sized links) is in use at any time, because the other link is mostly idle.

The modern alternative is an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer-grade connections

Consumer-grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth and availability (see Chapter 2).

Consumer-grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission, including over new 4G or Long Term Evolution (LTE) wireless connections (LTE is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer-grade connections can reach up to 100 Mbps, but their capacity often fluctuates and connection outages sometimes occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To reduce the risk, organizations resort to multiple link types or standby systems, which ultimately increase the complexity of an infrastructure and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you remove this risk, because eavesdroppers receive only ciphertext that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic separated, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
IP Security (IPsec)
Secure Sockets Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of the peers on the network. Encryption allows potentially sensitive data to be hidden from anyone who can observe the traffic in transit.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security. Its MS-CHAPv2 authentication and MPPE encryption are known to be breakable, so it shouldn't be relied on to keep traffic confidential.

L2TP

Layer 2 Tunneling Protocol is a descendant of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

L2TP on its own provides no encryption, so you use it in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The main drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer VPN provides excellent security for remote-access users and is easy to use; the underlying protocol is already heavily employed in online shopping and banking, where protected pages display 'https' in the browser URL bar as opposed to 'http'. (In practice, SSL's successor, Transport Layer Security (TLS), is what's used today; the name 'SSL VPN' has stuck.)

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. An SSL VPN can also imitate the way IPsec works (full network-layer tunneling) via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the hours of configuring and troubleshooting that IPsec can require. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software (which also means you should check the state of that computer before granting it access to anything sensitive).

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter
Appreciating the power of multi-link management
Distributing traffic for bandwidth efficiency
Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when you use BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configuration, and it's completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running efficiently, all of the time.

Prioritizing links

In real life, the result in any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load-balanced between the different network links. When network congestion occurs (during peak traffic hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies configure QoS so that high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it didn't remove the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was no higher than the subscription fees it had already paid. In the case of a connection outage it wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load-balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced onto the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business first, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at the same time is small, provided they don't share a common failure point such as the same last-mile cable or local exchange. Their traffic fluctuations occur at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another way to put it: use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize-acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2 Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic.

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
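The ratio method just described, together with the automatic failover from the Bermuda case study earlier in this chapter, as an added worked example in Python. This is not Forcepoint's code: the link names, capacities, the weighted-random selection of a link per new connection and the standby fallback rule are assumptions made for illustration.

```python
"""Ratio-based link selection with failover (constructed example, not Forcepoint code)."""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Link:
    name: str
    capacity_mbps: float
    active: bool = True   # False marks a standby link, used only when no active link works
    healthy: bool = True  # set False when the ISP behind the link goes down


def usable_links(links: List[Link]) -> List[Link]:
    """Healthy active links first; fall back to healthy standby links only if none remain."""
    active = [l for l in links if l.active and l.healthy]
    if active:
        return active
    return [l for l in links if l.healthy]


def ratio_weights(links: List[Link]) -> Dict[str, float]:
    """Compare each usable link with the largest usable link; the largest gets weight 1.0."""
    usable = usable_links(links)
    if not usable:
        return {}
    largest = max(l.capacity_mbps for l in usable)
    return {l.name: l.capacity_mbps / largest for l in usable}


def expected_shares(links: List[Link]) -> Dict[str, float]:
    """Normalize the weights into the traffic share each link should carry in the long run."""
    weights = ratio_weights(links)
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def pick_link(links: List[Link], rng: random.Random) -> str:
    """Assign one new connection to a link, drawing in proportion to the ratio weights."""
    weights = ratio_weights(links)
    if not weights:
        raise RuntimeError("no healthy link available")
    names = list(weights)
    return rng.choices(names, weights=[weights[n] for n in names], k=1)[0]


def observed_shares(links: List[Link], n_connections: int, seed: int = 1) -> Dict[str, float]:
    """Distribute n_connections and report the fraction that landed on each link."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(n_connections):
        chosen = pick_link(links, rng)
        counts[chosen] = counts.get(chosen, 0) + 1
    return {name: c / n_connections for name, c in counts.items()}


def max_deviation(links: List[Link], n_connections: int, seed: int = 1) -> float:
    """Largest gap between the observed share and the capacity-derived share."""
    expected = expected_shares(links)
    observed = observed_shares(links, n_connections, seed)
    return max(abs(observed.get(name, 0.0) - share) for name, share in expected.items())


def make_sample_links() -> List[Link]:
    """Constructed sample: three active ISP links of different sizes plus one standby link."""
    return [
        Link("mpls", 10.0),
        Link("adsl", 20.0),
        Link("lte", 40.0),
        Link("satellite", 5.0, active=False),
    ]


if __name__ == "__main__":
    links = make_sample_links()
    print("weights:", ratio_weights(links))
    for n in (20, 20000):
        print(f"{n:>6} connections: max deviation from capacity ratio = {max_deviation(links, n):.3f}")
    links[2].healthy = False   # the ISP behind the LTE link goes down
    print("after LTE failure:", ratio_weights(links))
```

With 20 connections the observed split can only move in steps of 5 percent, so it is necessarily approximate; with 20,000 it converges on the capacity ratio, which is the behaviour the two list items above describe. Marking a link unhealthy removes it from the weights on the next connection, and a standby link is drawn on only when no active link is healthy.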

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.
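The five ingredients just listed (input variables, fuzzy sets, output variables, rules and de-fuzzying) applied to the question of how close a link is to failing, as an added Python example. It is not Forcepoint's implementation: the two input variables (probe latency and packet loss), the trapezoidal set boundaries, the rule base, the singleton outputs and the keep/watch/move thresholds are all assumptions chosen for illustration.

```python
"""Fuzzy-logic link health scoring (constructed example, not Forcepoint's implementation)."""
from typing import Dict, Tuple


def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Membership rising from 0 at a to 1 at b, flat to c, falling back to 0 at d."""
    if x <= a or x >= d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)


BIG = 1e9  # open-ended right shoulder for the "high"/"heavy" sets

# Fuzzy sets for the two input variables (assumed boundaries: latency in ms, loss in percent)
LATENCY_SETS = {
    "low": (-1, 0, 30, 80),
    "medium": (30, 80, 120, 250),
    "high": (120, 250, BIG, BIG + 1),
}
LOSS_SETS = {
    "none": (-1, 0, 0.5, 2),
    "some": (0.5, 2, 4, 10),
    "heavy": (4, 10, BIG, BIG + 1),
}

# Output variable "urgency to move traffic away", as three singleton values
KEEP, WATCH, MOVE = 0.0, 50.0, 100.0


def fuzzify(value: float, sets: Dict[str, Tuple[float, float, float, float]]) -> Dict[str, float]:
    """Degree of truth of each linguistic term for one crisp measurement."""
    return {name: trapezoid(value, *points) for name, points in sets.items()}


def link_score(latency_ms: float, loss_pct: float) -> float:
    """Crisp 0..100 urgency score: fuzzify, fire the rules, de-fuzzify."""
    lat = fuzzify(max(latency_ms, 0.0), LATENCY_SETS)
    loss = fuzzify(max(loss_pct, 0.0), LOSS_SETS)
    # Rule base as (firing strength, output singleton); AND is min
    rules = [
        (min(lat["low"], loss["none"]), KEEP),
        (min(lat["medium"], loss["none"]), WATCH),
        (min(lat["low"], loss["some"]), WATCH),
        (min(lat["medium"], loss["some"]), MOVE),
        (lat["high"], MOVE),
        (loss["heavy"], MOVE),
    ]
    total = sum(strength for strength, _ in rules)
    if total == 0.0:
        return 0.0
    # De-fuzzify: strength-weighted average of the singletons (zero-order Sugeno)
    return sum(strength * out for strength, out in rules) / total


def decide(score: float) -> str:
    """Map the crisp score to an action (assumed thresholds)."""
    if score >= 70:
        return "move"
    if score >= 35:
        return "watch"
    return "keep"


# Constructed probe results per link: (round-trip latency in ms, packet loss in %)
SAMPLE_MEASUREMENTS = {
    "mpls": (20.0, 0.1),
    "adsl": (100.0, 1.0),
    "lte": (50.0, 6.0),
    "satellite": (400.0, 0.0),
}


def evaluate_links(measurements: Dict[str, Tuple[float, float]]) -> Dict[str, Tuple[float, str]]:
    """Score every link and attach the resulting action."""
    result = {}
    for name, (latency_ms, loss_pct) in measurements.items():
        score = link_score(latency_ms, loss_pct)
        result[name] = (score, decide(score))
    return result


if __name__ == "__main__":
    for name, (score, action) in evaluate_links(SAMPLE_MEASUREMENTS).items():
        print(f"{name:<10} score={score:6.1f} -> {action}")
```

The point of the fuzzy approach is visible in the middle rows of the sample: the ADSL link is neither clearly good nor clearly bad, so the "medium latency" and "some loss" sets each fire partially and the de-fuzzified score lands in the watch band rather than flipping between 0 and 1 on a single threshold.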

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What Are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What Are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.

How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


Wiley End User License Agreement

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1 Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2 Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3 Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4 Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5 Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What Are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What Are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How Much Time Do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real-Time?
• EULA

Connecting the World

At the root of next-generation networks lies the concept of a data network. In the sphere of IT, the term network refers to a system of electronic devices connected to each other for the purpose of exchanging data.

The Internet, a vast network made up of a multitude of smaller networks, is probably the best-known representative and also the largest.

Introducing how networks work

A century ago, people at one location could only send information to receivers at remote destinations via messengers. Today, electronic transmission is used for an infinite number of activities, from entertainment and education to business and beyond.

Information travels across networks in packets. To transmit and receive packets of data, networks abide by a common set of rules referred to as protocols. Transmission Control Protocol/Internet Protocol (TCP/IP) is the 4-layer operating protocol mainly used for the Internet. The four layers are Application, Host, Internet and Network. An IP address is a unique number that identifies a computer connected to a network.

To remember the layers, use the mnemonic Applications Have Intelligent Names.

Open Systems Interconnection (OSI) is a similar framework to TCP/IP that describes how machines communicate in the form of a theoretical 7-layer model: Application, Presentation, Session, Transport, Network, Data and Physical (remember with All People Seem To Need Data Processing). Whereas the TCP/IP model is useful for real-world implementation, OSI is a conceptual guide applicable to all data communications.

Figure 1-1 shows the correspondence between the two frameworks.

Keep this figure handy because we refer to the layers represented in the OSI model throughout this book. For example, when we mention Layer 2 we mean the Data layer.


The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data-link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be to the era of terabit Ethernet (1000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1 A comparison between the OSI and TCPIP models

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1 Elements Needed to Build a Network

Network Component: Purpose

Computer: Machine that stores and processes digital information. A server stores resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi-Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.

Switch: A selective hub. Network traffic only goes where it needs to, rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini-computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high-speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th generation mobile data protocol provides high-speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next-generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next-generation networks.

Check out Chapter 4 to see how sophisticated next-generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node that can be a hub or a switch. This widely used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2 Different configurations used to link machines


Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability is a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way, and/or with a central site

Business and bandwidth-centered daily activity depend entirely on Internet Service Provider (ISP) connections

The availability factor of WAN infrastructures is critical

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or Cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.

Chapter 1 Understanding Next‐Generation Networks 13


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases steeply as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet-based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server, and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a VPN connection from site to site would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server, and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case, they just require an Internet connection and configured VPN client software, enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address to connect to the VPN portal would suffice.


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.
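As an added illustration of the tunneling mechanism described above (not code from the book or any real VPN product), the following Python model wraps an inner packet in a constructed carrier header and appends an integrity tag, so that the receiving gateway can detect a packet modified in transit. The header layout, tunnel key and inner packet are all invented for the example, and the payload encryption a real VPN performs is deliberately left out (the standard library has no authenticated cipher), so the block shows encapsulation, de-encapsulation and tamper detection only.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by the two tunnel endpoints; a real VPN
# negotiates per-session keys (IPsec IKE, TLS handshake) instead.
TUNNEL_KEY = b"constructed-demo-key-not-for-production"
HEADER_FMT = "!HIH"                        # tunnel id, sequence number, inner length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes, network byte order
TAG_LEN = hashlib.sha256().digest_size     # 32-byte HMAC-SHA256 tag


class TamperedPacket(Exception):
    """Raised by the receiving gateway when a carrier packet fails its checks."""


def encapsulate(inner_packet: bytes, tunnel_id: int, seq: int) -> bytes:
    """Sending side: wrap the inner packet in a carrier header and append an
    integrity tag computed over header and payload together."""
    header = struct.pack(HEADER_FMT, tunnel_id, seq, len(inner_packet))
    body = header + inner_packet
    tag = hmac.new(TUNNEL_KEY, body, hashlib.sha256).digest()
    return body + tag


def decapsulate(carrier_packet: bytes) -> tuple:
    """Receiving gateway: verify the tag before trusting any field, then strip
    the carrier header. Any modification in transit changes the tag."""
    if len(carrier_packet) < HEADER_LEN + TAG_LEN:
        raise TamperedPacket("carrier packet truncated")
    body, tag = carrier_packet[:-TAG_LEN], carrier_packet[-TAG_LEN:]
    expected = hmac.new(TUNNEL_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise TamperedPacket("integrity check failed")
    tunnel_id, seq, length = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    inner = body[HEADER_LEN:]
    if len(inner) != length:
        raise TamperedPacket("inner length mismatch")
    return tunnel_id, seq, inner


def gateway_accepts(carrier_packet: bytes) -> bool:
    """True if the receiving gateway would forward the inner packet."""
    try:
        decapsulate(carrier_packet)
        return True
    except TamperedPacket:
        return False


def flip_byte(packet: bytes, offset: int) -> bytes:
    """Simulate an on-path modification of one byte of the carrier packet."""
    modified = bytearray(packet)
    modified[offset] ^= 0x01
    return bytes(modified)


# Constructed inner packet standing in for an IP datagram from a branch site.
INNER = b"constructed inner packet: src=10.1.0.5 dst=10.2.0.9 data=hello"

if __name__ == "__main__":
    carrier = encapsulate(INNER, tunnel_id=7, seq=1)
    print(decapsulate(carrier))                     # (7, 1, INNER)
    print(gateway_accepts(flip_byte(carrier, 12)))  # False: payload byte changed
    print(gateway_accepts(flip_byte(carrier, 2)))   # False: sequence field changed
```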

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. To keep your network secure and running with a combination of routes requires complex routing and complex load-balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP), Hot Standby Routing Protocol (HSRP) and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link-state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co-operate with each other. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario, you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the trade-off between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications are amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.
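To make the point about how downtime is defined concrete, here is an added Python example (not from the book) that turns an availability percentage into a downtime budget and checks constructed outage records against it. The same outages pass a yearly 99 per cent reading and fail a monthly one, and whether announced maintenance counts is a further contractual choice; all dates, outages and the SLA terms are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Outage:
    start: datetime
    end: datetime
    scheduled: bool = False  # True for an announced maintenance window


def allowed_downtime(availability_pct: float, period: timedelta) -> timedelta:
    """Downtime an SLA of `availability_pct` tolerates over `period`.
    99 per cent over a 365-day year is 3 days 15 h 36 min."""
    seconds = period.total_seconds() * (100.0 - availability_pct) / 100.0
    return timedelta(seconds=seconds)


def measured_downtime(outages, window_start, window_end, exclude_scheduled=True):
    """Sum outage time inside the window, clipping outages that straddle its
    edges. Scheduled maintenance is left out when the SLA excludes it."""
    total = timedelta()
    for outage in outages:
        if exclude_scheduled and outage.scheduled:
            continue
        start = max(outage.start, window_start)
        end = min(outage.end, window_end)
        if end > start:
            total += end - start
    return total


def sla_met(availability_pct, outages, window_start, window_end, exclude_scheduled=True):
    """True if measured downtime in the window stays within the SLA budget."""
    budget = allowed_downtime(availability_pct, window_end - window_start)
    actual = measured_downtime(outages, window_start, window_end, exclude_scheduled)
    return actual <= budget


# Constructed sample year: one 12-hour unplanned outage in January and a
# 2-hour announced maintenance window in March.
SAMPLE_OUTAGES = [
    Outage(datetime(2014, 1, 10, 8), datetime(2014, 1, 10, 20)),
    Outage(datetime(2014, 3, 2, 1), datetime(2014, 3, 2, 3), scheduled=True),
]
YEAR = (datetime(2014, 1, 1), datetime(2015, 1, 1))
JANUARY = (datetime(2014, 1, 1), datetime(2014, 2, 1))


def sample_verdicts():
    """The same outages judged under three readings of a '99 per cent' SLA."""
    return {
        "yearly_99": sla_met(99.0, SAMPLE_OUTAGES, *YEAR),
        "yearly_99_counting_maintenance": sla_met(99.0, SAMPLE_OUTAGES, *YEAR,
                                                  exclude_scheduled=False),
        "january_99": sla_met(99.0, SAMPLE_OUTAGES, *JANUARY),
    }


if __name__ == "__main__":
    print(allowed_downtime(99.0, timedelta(days=365)))  # 3 days, 15:36:00
    print(sample_verdicts())
```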

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2, we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active set-up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.
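The following added Python example (not code from the book or any firewall vendor) models how a gateway combines the ideas in this section: active-active versus active-standby ISP links, a satellite link held back as an emergency tier, and strict-priority QoS dividing whatever capacity the live links give. The link names, speeds, tiers and the bank's flows are constructed sample values; the exchange feed is priority 0 and web surfing is the first to slow down.

```python
from dataclasses import dataclass, replace


@dataclass
class Link:
    name: str
    mbps: float
    tier: int = 0     # 0 = active; higher tiers are standby, used only when lower tiers are down
    up: bool = True


@dataclass
class Flow:
    name: str
    priority: int     # 0 = business-critical, larger = less important
    demand_mbps: float


def usable_links(links):
    """Links carrying traffic now: the lowest tier that still has a link up.
    Active-active puts both ISPs in tier 0; active-standby puts the second ISP
    in tier 1; the satellite sits in tier 2 and is used only when all else fails."""
    live = [link for link in links if link.up]
    if not live:
        return []
    lowest = min(link.tier for link in live)
    return [link for link in live if link.tier == lowest]


def qos_allocate(flows, capacity_mbps):
    """Strict-priority QoS: serve flows in priority order; each lower priority
    gets only what the higher ones leave, so it is the first to slow down."""
    remaining = capacity_mbps
    allocation = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        granted = min(flow.demand_mbps, remaining)
        allocation[flow.name] = granted
        remaining -= granted
    return allocation


def gateway_state(links, flows):
    """Which links carry traffic, the capacity they give, and the QoS split."""
    carriers = usable_links(links)
    capacity = sum(link.mbps for link in carriers)
    return {
        "carriers": [link.name for link in carriers],
        "capacity": capacity,
        "allocation": qos_allocate(flows, capacity),
    }


def build_links(mode):
    """Two constructed 10 Mbps ISP links plus a 5 Mbps satellite backup."""
    second_tier = 0 if mode == "active-active" else 1
    return [Link("isp_a", 10), Link("isp_b", 10, tier=second_tier), Link("satellite", 5, tier=2)]


def mark_down(links, name):
    """Return a copy of the link list with the named link failed."""
    return [replace(link, up=False) if link.name == name else link for link in links]


# Constructed flows for the bank example: the exchange feed must never wait.
FLOWS = [Flow("stock_exchange", 0, 4), Flow("email", 1, 6), Flow("web_surfing", 2, 15)]

if __name__ == "__main__":
    for mode in ("active-active", "active-standby"):
        links = build_links(mode)
        print(mode, gateway_state(links, FLOWS))
        print("  isp_a down:", gateway_state(mark_down(links, "isp_a"), FLOWS))
        both_down = mark_down(mark_down(links, "isp_a"), "isp_b")
        print("  both ISPs down:", gateway_state(both_down, FLOWS))
```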

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work with the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status to all high-quality links. In case of congestion or failure, they start automatically using backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure and cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTPPoint to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows Platforms and other enabled systems Users dial into their local ISPs to connect securely to their networks via the Internet

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it's already heavily employed in online shopping and banking. SSL‐protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Unlike IPsec, using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre‐configured client‐side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use‐case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.


Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren't reserved for high‐priority traffic.

Often companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or low‐quality network links

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it still left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was no higher than the subscription fees it had already paid. In the case of a connection outage it wouldn't cover the production losses, and so the company wanted to have a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive and high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficiently by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission‐critical, time‐sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi‐link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost‐effectively by using Forcepoint's Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1 Combining different links for efficient hybrid networks

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still functioning one Business continued without interruption

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2 Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
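The two rules described in this chapter, the capacity ratio measured against the largest link and the forced placement from the earlier sample configuration (priority 1 on MPLS, priority 4 on ADSL plus spare MPLS capacity), as an added Python example that is not Forcepoint's or Stonesoft's code; the link names, capacities, the 0.1 Mbps flows and the smooth weighted round-robin used to realise the ratio are assumptions.

```python
"""Capacity-ratio link selection with priority pinning.

Hypothetical example, not Forcepoint/Stonesoft code: link names, capacities
and priority numbers are constructed to mirror the sample configuration in
the text (priority 1 forced onto MPLS, priority 4 on ADSL plus spare MPLS).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float
    active: bool = True
    pinned_priorities: frozenset = frozenset()  # traffic classes forced onto this link
    load_mbps: float = 0.0                       # traffic currently assigned
    credit: float = 0.0                          # smooth weighted round-robin state

    @property
    def free_mbps(self) -> float:
        return self.capacity_mbps - self.load_mbps


class MultiLinkSelector:
    def __init__(self, links):
        self.links = {link.name: link for link in links}

    def active_links(self) -> list:
        return [link for link in self.links.values() if link.active]

    def ratios(self) -> dict:
        """Each active link's capacity relative to the largest active link."""
        active = self.active_links()
        top = max(link.capacity_mbps for link in active)
        return {link.name: link.capacity_mbps / top for link in active}

    def assign(self, priority: int, flow_mbps: float) -> str:
        """Place one flow and return the name of the chosen link."""
        active = self.active_links()
        if not active:
            raise RuntimeError("no active link available")
        # Rule 1: a pinned priority is forced onto its link (SAP -> MPLS in the text).
        for link in active:
            if priority in link.pinned_priorities:
                link.load_mbps += flow_mbps
                return link.name
        # Rule 2: everything else may use any active link with free capacity,
        # spread in proportion to the capacity ratios (smooth weighted round-robin:
        # each candidate earns its ratio as credit, the richest is chosen and pays
        # back the total, so the long-run shares converge on the ratios).
        candidates = [link for link in active if link.free_mbps >= flow_mbps]
        if not candidates:
            raise RuntimeError("all links saturated")
        ratios = self.ratios()
        total = sum(ratios[link.name] for link in candidates)
        for link in candidates:
            link.credit += ratios[link.name]
        chosen = max(candidates, key=lambda link: link.credit)
        chosen.credit -= total
        chosen.load_mbps += flow_mbps
        return chosen.name

    def release(self, name: str, flow_mbps: float) -> None:
        """A flow has ended; give its capacity back."""
        self.links[name].load_mbps -= flow_mbps


def build_sample_selector() -> MultiLinkSelector:
    """Constructed to mirror the text's sample configuration."""
    return MultiLinkSelector([
        Link("MPLS", capacity_mbps=2.0, pinned_priorities=frozenset({1})),
        Link("ADSL", capacity_mbps=20.0),
    ])


def distribute(selector: MultiLinkSelector, n_flows: int,
               priority: int = 4, flow_mbps: float = 0.1) -> Counter:
    """Assign n short-lived flows and count where they landed."""
    counts = Counter()
    for _ in range(n_flows):
        name = selector.assign(priority, flow_mbps)
        counts[name] += 1
        selector.release(name, flow_mbps)
    return counts


if __name__ == "__main__":
    print("ratios:", build_sample_selector().ratios())   # {'MPLS': 0.1, 'ADSL': 1.0}
    print("5 flows:", distribute(build_sample_selector(), 5))
    print("110 flows:", distribute(build_sample_selector(), 110))
```

With five flows the split is only approximately the 1:10 ratio (all five land on ADSL); with 110 flows it is exactly 10 on MPLS and 100 on ADSL, which is the low-volume versus high-volume behaviour the two bullets describe.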

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration, allowing more granular and efficient use of available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
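The fuzzy evaluation the text describes (input variables, fuzzy sets, rules and de‐fuzzifying, answering "how high is the load" and "how close are things to failing") as an added example that is not Forcepoint's implementation; the membership thresholds, the rules, the 0.5 move‐away cutoff and the sample link measurements are all constructed.

```python
"""Fuzzy link-health scoring for multi-link selection.

Hypothetical example, not Forcepoint's code: the membership thresholds, rules
and cutoff below are constructed to illustrate the technique.
"""


def ramp(x: float, low: float, high: float) -> float:
    """Membership rising linearly from 0 at `low` to 1 at `high`."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)


def triangle(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership: 0 at a, peak 1 at b, back to 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def load_sets(utilization: float) -> dict:
    """'How high is the load?' as degrees of truth for low/medium/high."""
    return {
        "low": 1.0 - ramp(utilization, 0.3, 0.6),
        "medium": triangle(utilization, 0.3, 0.6, 0.9),
        "high": ramp(utilization, 0.6, 0.9),
    }


def failure_sets(loss_pct: float, rtt_ms: float) -> dict:
    """'How close are things to failing?' from packet loss and latency.

    Fuzzy OR (max): either symptom alone can make the link 'near' failure.
    Thresholds (1-5 % loss, 80-200 ms RTT) are constructed.
    """
    near = max(ramp(loss_pct, 1.0, 5.0), ramp(rtt_ms, 80.0, 200.0))
    return {"near": near, "far": 1.0 - near}


def link_health(utilization: float, loss_pct: float, rtt_ms: float) -> float:
    """Evaluate the rules and de-fuzzify to one score: 1.0 healthy, 0.0 failing."""
    load = load_sets(utilization)
    fail = failure_sets(loss_pct, rtt_ms)
    # (rule strength, output singleton); AND is min
    rules = [
        (min(load["low"], fail["far"]), 1.0),   # low load and far from failure
        (load["medium"], 0.6),                  # medium load: still usable
        (load["high"], 0.3),                    # high load: prefer another link
        (fail["near"], 0.0),                    # near failure: move traffic away
    ]
    weight = sum(w for w, _ in rules)
    # weighted-average de-fuzzifying of the singleton outputs
    return sum(w * v for w, v in rules) / weight if weight else 0.0


def rank_links(samples: dict, move_away_below: float = 0.5) -> list:
    """Rank links best-first and flag those whose traffic should be moved away.

    samples maps link name -> (utilization 0..1, loss_pct, rtt_ms).
    Returns [(name, health, move_away)] sorted by health, best first.
    """
    scored = []
    for name, (util, loss, rtt) in samples.items():
        health = link_health(util, loss, rtt)
        scored.append((name, health, health < move_away_below))
    return sorted(scored, key=lambda entry: entry[1], reverse=True)
```

Because the score is graded rather than 0/1, a link whose latency is only starting to climb loses preference gradually instead of flipping between "fine" and "dead", which is what lets traffic be shifted before the link actually fails.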

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low‐latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites)

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5 Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling Although by no means exhaustive the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial educational financial or other segment you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. Networks can change and grow in ways that surprise you and catch you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to, and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both, or in a best‐case scenario even do nothing. How great would that be?

We discuss SLAs in Chapter 2


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1 Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2 Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3 Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5 Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real‐Time?
  • EULA

The speed of data transfer is expressed in bits per second (bps). Ethernet is the most prevalent data‐link protocol. It has grown exponentially over the years, from 10 megabits per second (Mbps) in 1983 to the current limit of 100 gigabits per second (Gbps). Currently the majority of servers make use of a 1 Gbps connection, but over the next few years you can expect a shift to 10 Gbps connections.

Understanding network architectures

Networks are by definition dynamic structures that can change and grow. Generally, people use the measure of throughput when evaluating the efficiency of a network. Demand for network bandwidth can only continue to increase, which is why you'll hear more and more about 400 GbE, which is expected to be ratified in 2017. The next step will be to the era of terabit Ethernet (1000 Gbps, yikes).

Bandwidth refers to the volume of data that can be transmitted in a fixed amount of time. For digital devices the bandwidth is usually expressed in bits or bytes per second.

So you can speak of a network when two or more computers are enabled to exchange information. Regardless of its size, a network is always built using several different elements.

Figure 1-1: A comparison between the OSI and TCP/IP models.

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network (network component and its purpose)

Computer: Machine that stocks and processes digital information. A server stocks resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi‐Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.

Switch: A selective hub. Network traffic only goes where it needs to rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini‐computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high‐speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th‐generation mobile data protocol provides high‐speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered as private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next‐generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next‐generation networks.

Check out Chapter 4 to see how sophisticated next‐generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node that can be a hub or a switch. This widely‐used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where all data was received by a central server that subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point‐of‐sale sites, banks cater for remote branch offices and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability is a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi‐site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site

Business and bandwidth‐centered daily activity depend entirely on Internet Service Provider (ISP) connections

The availability factor of WAN infrastructures is critical

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or Cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de‐encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN‐to‐LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi‐Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet‐based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real‐world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site‐to‐site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote‐access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK‐based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client‐side software, because the URL address to connect to the VPN portal would suffice.


VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Routing Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires attaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter

• Producing a smooth‐running complex network

• Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario, you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they're social networks or e‐learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.

Managing Hybrid Connection Challenges

In This Chapter Making informed decisions about connectivity

Thinking about cost

Optimizing security

F orget what you may have seen in a Monty Python movie The Holy Grail for a modern companyrsquos network isnrsquot an

ancient chalice but efficient secure and cost‐effective connec-tion And you donrsquot have to travel to distant lands because you can find our guide to meeting all these requirements right here in this chapter So no need to don a suit of armor for this quest ndash unless you really insist

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at the different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. With QoS you can give business-critical traffic priority over normal traffic; the prioritization takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method that combines multiple network links with QoS, so that you benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other link is inactive most of the time.

The modern alternative is to use an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive, and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems, which ultimately increase the level of complexity of an infrastructure and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only encrypted traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections that keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Sockets Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and, unlike IPsec, without possible hours of configuring and troubleshooting. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi-link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements, such as those needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result in any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during peak traffic hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often, companies subscribe to QoS so that high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would still have left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was at most the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced onto the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes the use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds that of the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize-acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing for more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
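The ratio method, the priority pinning of the earlier sample configuration (SAP forced onto MPLS) and the fuzzy-logic link health from this section, as one added worked model; this is example code written for this page, not the book's or Forcepoint's own. Capacity ratios give each link a weight, a fuzzy health score derived from load and loss shrinks the weight of a link that is going bad, standby links are used only once every active link has failed, and priority-1 flows are forced onto a pinned link. All link figures, membership thresholds, the failover cut-off and the flow mix are constructed assumptions.

```python
# Added example, not code from the book or from Forcepoint's Stonesoft product:
# a small model of the behaviour the text describes. Link and flow figures,
# membership thresholds and the 0.3 failover cut-off are constructed assumptions.
import random
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    capacity_mbps: float
    load: float            # measured utilisation, 0.0 (idle) .. 1.0 (saturated)
    loss_pct: float        # recent packet loss, in per cent
    standby: bool = False  # dormant link, used only when every active link fails

def ratio_weights(links):
    """Ratio method: each link's weight is its capacity relative to the largest link."""
    biggest = max(link.capacity_mbps for link in links)
    return {link.name: link.capacity_mbps / biggest for link in links}

def ramp(x, lo, hi):
    """Fuzzy membership rising linearly from 0 at lo to 1 at hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)

def link_health(link):
    """Fuzzy 'degree of truth' that a link is healthy, as a value in 0.0 .. 1.0.

    Input variables: load and loss.  Fuzzy sets: 'load is high', 'loss is bad'
    and their complements.  Rules: poor = load high OR loss bad (max);
    good = load low AND loss ok (min).  De-fuzzify with a weighted average of
    the two rule strengths, where 'good' maps to 1.0 and 'poor' to 0.1.
    """
    load_high = ramp(link.load, 0.5, 0.9)       # assumed thresholds
    loss_bad = ramp(link.loss_pct, 0.5, 5.0)
    poor = max(load_high, loss_bad)
    good = min(1.0 - load_high, 1.0 - loss_bad)
    if good + poor == 0.0:
        return 1.0
    return (good * 1.0 + poor * 0.1) / (good + poor)

FAILOVER_HEALTH = 0.3   # below this a link counts as going bad (assumption)

def usable_links(links):
    """Active links that are still healthy; standby links only when none is left."""
    active = [l for l in links if not l.standby and link_health(l) >= FAILOVER_HEALTH]
    if active:
        return active
    return [l for l in links if l.standby] or list(links)

def effective_weights(links):
    """Capacity ratio scaled by fuzzy health, so a degrading link sheds traffic early."""
    usable = usable_links(links)
    ratios = ratio_weights(usable)
    return {l.name: ratios[l.name] * link_health(l) for l in usable}

def distribute(flows, links, pinned=None, seed=0):
    """Place each (name, priority) flow on a link and return a per-link flow count.

    Priority-1 flows are forced onto the pinned link, like SAP traffic on MPLS
    in the book's sample configuration.  Everything else is spread by weighted
    random choice, so a handful of flows only approximates the ratio while a
    large volume converges to it.
    """
    rng = random.Random(seed)
    weights = effective_weights(links)
    names = list(weights)
    counts = {l.name: 0 for l in links}
    for _, priority in flows:
        if priority == 1 and pinned in counts:
            counts[pinned] += 1
        else:
            chosen = rng.choices(names, weights=[weights[n] for n in names])[0]
            counts[chosen] += 1
    return counts

# Constructed topology: a small MPLS line, a bigger ADSL line and a satellite standby.
LINKS = [
    Link("mpls", capacity_mbps=10, load=0.2, loss_pct=0.0),
    Link("adsl", capacity_mbps=20, load=0.3, loss_pct=0.1),
    Link("sat", capacity_mbps=5, load=0.0, loss_pct=0.0, standby=True),
]

def sample_flows(n):
    """Constructed mix: every tenth flow is priority-1 ERP traffic, the rest is web."""
    return [("sap", 1) if i % 10 == 0 else ("http", 4) for i in range(n)]

if __name__ == "__main__":
    for n in (10, 10000):
        print(f"{n:>5} flows:", distribute(sample_flows(n), LINKS, pinned="mpls"))
    lossy = Link("adsl", capacity_mbps=20, load=0.95, loss_pct=8.0)
    print("health of a saturated, lossy link:", round(link_health(lossy), 2))
```

With 10 flows the split between MPLS and ADSL wanders well away from the 1:2 capacity ratio; with 10,000 it settles close to it, and the satellite link stays at zero until both active links report poor health.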

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections, ideally an MPLS connection with a strict SLA.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What Are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of the links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What Are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Therefore, take that knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in a position to change how you manage application availability.

We cover the monitoring of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and monitoring of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1 Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2 Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3 Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5 Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What Are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What Are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How Much Time Do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real‐Time?
  • EULA

Table 1-1 outlines the primary physical components that form part of a network infrastructure.

Layer 2 is the switch level and Layer 3 is the router level in the OSI model.

Table 1-1: Elements Needed to Build a Network

Network Component: Purpose

Computer: Machine that stores and processes digital information. A server stores resources or provides a service, and a client uses the service.

Network Interface Card (NIC): Piece of electronic equipment that enables a computer to exchange data within a network via a set of communication rules called a protocol.

Cable/Wireless: Wiring is used for network connections via a global standard, Ethernet. Cables vary in type and serve to carry broadband signals. For wireless connections (Bluetooth, Wi‐Fi), electromagnetic waves are harnessed.

Hub: A converging device with connectors (openings or ports) to computers in a network. A hub receives data at one port and sends it out to every connection. It can't perform receive and send operations at the same time.

Switch: A selective hub. Network traffic only goes where it needs to rather than to every port. Can send and receive information at the same time (a switch is faster than a hub).

Router: A mini‐computer that understands and directs network traffic. Allows different networks to communicate. Routers can be wired or wireless.


Deploying Hybrid Networks

Data transmitted across networks doesn't require only physical equipment (see the preceding section). The term broadband refers to high‐speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

• xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

• Cable: These connections work by using TV channel space for data transmission.

• Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th generation mobile data protocol provides high‐speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks, which are considered private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section 'Keeping traffic private via VPN' to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next‐generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next‐generation networks.

Check out Chapter 4 to see how sophisticated next‐generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

• Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

• Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.


• Star: All machines are connected to a central node that can be a hub or a switch. This widely‐used topology prevents network failure if any one machine stalls.

• Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks operated following a centralized model, where a central server received all data and subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point‐of‐sale sites, banks cater for remote branch offices and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

• Economic gain, with a positive price/performance ratio

• Management of remote locations and users

• Capacity to share information and resources

• High availability as a systematic feature

• Designed to adapt to change and growth

A common pattern emerges among enterprises with multi‐site information architectures:

• Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.

• Business and bandwidth‐centered daily activity depend entirely on Internet Service Provider (ISP) connections.

• The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid, that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or Cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de‐encapsulated on arrival.

VPN is commonly used in the following scenarios:

• Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

• LAN‐to‐LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

• Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi‐Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows: a company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet‐based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real‐world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site‐to‐site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote‐access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK‐based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client‐side software, because the URL address of the VPN portal would suffice.


VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.
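To make the encapsulate‐and‐encrypt idea above concrete, here is an added illustration written for this edit; it is not code from the book or from any VPN product. It wraps an inner packet in a constructed outer header, encrypts it with a toy keystream derived from HMAC‐SHA256 (a teaching stand‐in, not IPsec or SSL VPN), and appends an HMAC tag so that the receiving gateway rejects any packet modified in flight, which is the detection behaviour the paragraph describes. The header label, key‐derivation labels and sample payload are all assumptions.

```python
"""Toy VPN-style encapsulation: encrypt the inner packet, authenticate the
outer packet, and reject anything modified in flight.

Added illustration, not code from the book or from any VPN product. The
tunnel is simulated in memory; the keystream cipher is a constructed
teaching device built from HMAC-SHA256 counters, not IPsec or SSL VPN.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

MAGIC = b"TOYVPN"   # constructed outer-header label (assumption)
NONCE_LEN = 16
TAG_LEN = 32        # HMAC-SHA256 output length


def derive_keys(master_secret: bytes) -> Tuple[bytes, bytes]:
    """Separate keys for confidentiality and integrity, derived from one shared secret."""
    enc_key = hmac.new(master_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream from HMAC-SHA256 (teaching stand-in only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(enc_key: bytes, mac_key: bytes, inner_packet: bytes) -> bytes:
    """Client side: outer = header | nonce | ciphertext | tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    header = MAGIC + struct.pack(">H", len(inner_packet))
    ciphertext = _xor(inner_packet, _keystream(enc_key, nonce, len(inner_packet)))
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    return header + nonce + ciphertext + tag


def decapsulate(enc_key: bytes, mac_key: bytes, outer: bytes) -> Optional[bytes]:
    """Gateway side: verify the tag before decrypting. None means the packet was
    modified, forged or malformed and must be dropped."""
    hdr_len = len(MAGIC) + 2
    if len(outer) < hdr_len + NONCE_LEN + TAG_LEN:
        return None
    header = outer[:hdr_len]
    nonce = outer[hdr_len:hdr_len + NONCE_LEN]
    ciphertext = outer[hdr_len + NONCE_LEN:-TAG_LEN]
    tag = outer[-TAG_LEN:]
    if header[:len(MAGIC)] != MAGIC:
        return None
    expected = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    (length,) = struct.unpack(">H", header[len(MAGIC):])
    if length != len(ciphertext):
        return None
    return _xor(ciphertext, _keystream(enc_key, nonce, length))


def flip_bit(outer: bytes, offset: int) -> bytes:
    """Simulate in-flight modification of one byte of the tunnelled packet."""
    buf = bytearray(outer)
    buf[offset] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    """Run the three checks the text makes: the round trip works, a sniffer sees
    no plaintext, and a modified packet is detected and dropped."""
    enc_key, mac_key = derive_keys(b"constructed-shared-secret-for-demo")
    inner = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"  # constructed payload
    outer = encapsulate(enc_key, mac_key, inner)
    return {
        "roundtrip_ok": decapsulate(enc_key, mac_key, outer) == inner,
        "plaintext_visible": inner in outer,
        "tampered_rejected": decapsulate(enc_key, mac_key, flip_bit(outer, 30)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations on the gateway side is the point worth copying: the tag is checked over the whole outer packet before a single byte is decrypted, so a modified or forged packet never reaches the inner network.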

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Routing Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. Once implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.
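As an added illustration (not the book's code, and not how any real router implements BGP), the following breadth‐first search over a constructed two‐ISP topology shows the two ideas in this passage: choosing the path with the fewest hops, and still having a way to reach the network when a link on the preferred path fails. It also lists the links whose loss would leave no route at all, which is the single‐point‐of‐failure check an administrator wants before trusting a design. The router names and the topology are invented.

```python
"""Fewest-hops route selection over redundant ISP paths.

Added illustration, not code from the book or any router vendor: a
breadth-first search over a constructed topology stands in for the
hop-count path choice the text describes, and a link failure shows why
redundant routes matter.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Link = Tuple[str, str]

# Constructed topology: HQ reaches the branch via ISP A (2 routers) or ISP B (3 routers).
TOPOLOGY: List[Link] = [
    ("hq", "ispA-r1"), ("ispA-r1", "ispA-r2"), ("ispA-r2", "branch"),
    ("hq", "ispB-r1"), ("ispB-r1", "ispB-r2"), ("ispB-r2", "ispB-r3"), ("ispB-r3", "branch"),
]


def build_adjacency(links: List[Link], down: Set[Link] = frozenset()) -> Dict[str, List[str]]:
    """Undirected adjacency map, omitting any link listed as failed (in either direction)."""
    adj: Dict[str, List[str]] = {}
    for a, b in links:
        if (a, b) in down or (b, a) in down:
            continue
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def fewest_hops_path(links: List[Link], src: str, dst: str,
                     down: Set[Link] = frozenset()) -> Optional[List[str]]:
    """Breadth-first search: the first time dst is reached is via the fewest links."""
    adj = build_adjacency(links, down)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None  # no route: the destination is unreachable


def hop_count(path: List[str]) -> int:
    """Number of intermediate routers between the two endpoints."""
    return len(path) - 2


def single_points_of_failure(links: List[Link], src: str, dst: str) -> List[Link]:
    """Links whose loss leaves no route at all (the ISP-as-single-point-of-failure problem)."""
    return [link for link in links if fewest_hops_path(links, src, dst, down={link}) is None]


if __name__ == "__main__":
    print("preferred:", fewest_hops_path(TOPOLOGY, "hq", "branch"))
    print("after ISP A link failure:",
          fewest_hops_path(TOPOLOGY, "hq", "branch", down={("ispA-r1", "ispA-r2")}))
    print("single points of failure:", single_points_of_failure(TOPOLOGY, "hq", "branch"))
```

With both ISPs present the two‐hop path through ISP A wins; take one ISP A link down and the search falls back to the three‐hop ISP B path, and no single link is critical. Trim the topology to ISP A alone and every link becomes a single point of failure, which is the situation the redundant‐router deployments above exist to avoid.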

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2 Running Efficient Hybrid Networks

In This Chapter

• Producing a smooth‐running complex network

• Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

• Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

• Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs IT professionals are con-stantly tasked with the need to respect budgets and find ways to reduce costs Expanding a network implies invest-ing in more technology more people and more time

Network complexity To accommodate a shifting IT landscape as Chapter 1 describes most systems backup services with supplementary equipment and layers of connectivity resulting in intricate infrastructures that lack agility and are difficult to manage

Adoption of the cloud and mobile technology Increasing reliance on web‐based technologies remote workforce enablement and cloud applications are ampli-fying the dependence on network connectivity This approach is in turn forcing companies to move quickly to keep pace with these trends

Voice and video communications Must‐have technolo-gies that are heavy consumers of bandwidth are increas-ingly prevalent They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network

Protection against the dynamic threat landscape As networks grow and technologies evolve so do the risks stalking cyberspace Although security is a legitimate source of concern for the protection of assets itrsquos also intimately linked with continued service

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest – unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active set-up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work with the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status to all high-quality links. In case of congestion or failure, they start automatically using backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore as good as the correct configuration in each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements (needed between 2 ISPs when using BGP for high availability for your Internet connection). The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section, we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running – efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would leave the problem of a single point of failure of the MPLS connection.

Even though the company had good SLAs with its ISP, the maximum compensation for the connection outage was as high as the subscription fees it had already paid. In the case of a connection outage, it wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive and high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
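The following is a small model of this sample configuration, added here as an illustration and not Forcepoint's or Stonesoft's code: priority-1 SAP flows may use only the MPLS link, while priority-4 HTTP flows go to ADSL first and spill into whatever MPLS capacity SAP leaves free. The link sizes, flow sizes and the structure of the policy table are assumptions made for the example; it also shows the "before" situation of the case study, in which all traffic shared the single MPLS link.

```python
"""Illustrative model of the sample QoS configuration (not Forcepoint or
Stonesoft code).  Link and flow sizes below are constructed; the policy table
structure is an assumption made for this example."""

from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float
    used_mbps: float = 0.0

    @property
    def free_mbps(self) -> float:
        return max(self.capacity_mbps - self.used_mbps, 0.0)


@dataclass(frozen=True)
class Flow:
    app: str
    priority: int   # 1 = highest, as in the sample configuration
    mbps: float


# The sample configuration from the text.  "forced": the class may use only
# these links.  "preferred": tried first; "overflow": receives only what the
# preferred links cannot carry (the "free capacity on MPLS link").
QOS_POLICY = {
    1: {"forced": ["MPLS"]},
    4: {"preferred": ["ADSL"], "overflow": ["MPLS"]},
}

# The situation before the change: everything shares the single MPLS link
# and nothing distinguishes SAP from browsing traffic.
NO_QOS_POLICY = {
    1: {"forced": ["MPLS"]},
    4: {"forced": ["MPLS"]},
}


def place_flows(flows, links, policy=QOS_POLICY, honor_priority=True):
    """Fit a snapshot of demand onto the links under the given policy.

    Returns (placement, unserved): placement maps (app, link) to Mbps carried,
    unserved lists (app, Mbps) that found no permitted capacity.  With
    honor_priority the highest-priority flows are placed first, which is how a
    static snapshot models QoS letting priority-1 traffic take bandwidth from
    priority-4 traffic; without it, flows are placed in arrival order.
    """
    by_name = {link.name: link for link in links}
    order = sorted(flows, key=lambda f: f.priority) if honor_priority else list(flows)
    placement, unserved = {}, []
    for flow in order:
        rule = policy[flow.priority]
        candidates = rule.get("forced") or rule["preferred"] + rule["overflow"]
        remaining = flow.mbps
        for name in candidates:
            link = by_name[name]
            carried = min(remaining, link.free_mbps)
            if carried > 0:
                link.used_mbps += carried
                placement[(flow.app, name)] = placement.get((flow.app, name), 0.0) + carried
                remaining -= carried
            if remaining <= 0:
                break
        if remaining > 0:
            unserved.append((flow.app, remaining))
    return placement, unserved


def retail_office_demo(with_qos=True):
    """One office of the retail case: a 10 Mbps MPLS link, an added 8 Mbps
    ADSL link, 6 Mbps of SAP demand and 10 Mbps of browsing demand (all
    constructed numbers).  HTTP is listed first to mimic browsing traffic
    already occupying the link when SAP needs it."""
    links = [Link("MPLS", 10.0), Link("ADSL", 8.0)]
    flows = [Flow("HTTP", 4, 10.0), Flow("SAP", 1, 6.0)]
    if with_qos:
        return place_flows(flows, links)
    # Before the ADSL link and QoS existed there was only MPLS.
    return place_flows(flows, [Link("MPLS", 10.0)], NO_QOS_POLICY, honor_priority=False)


if __name__ == "__main__":
    print("without QoS:", retail_office_demo(with_qos=False))
    print("with QoS:   ", retail_office_demo())
```

Without QoS the browsing traffic fills the MPLS link and 6 Mbps of SAP demand goes unserved; with the policy, SAP gets its 6 Mbps on MPLS, HTTP takes the whole ADSL link and only its remaining 2 Mbps spill onto MPLS.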


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical/time sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability for them all to fail at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi-link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had their production sites in the United States, and one of their sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using border gateway protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Figure 4-1: Combining different links for efficient hybrid networks.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section, we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables fuzzy sets output variables rules and lsquode‐fuzzyingrsquo to provide an answer This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
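As an added example (not Stonesoft’s or Forcepoint’s code), the following Python walks through the five ingredients named above for the two questions the chapter asks, ‘How high is the load?’ and ‘How close are things to failing?’, and turns them into a crisp preference per link. The membership functions, the rule base, the output values and the use of probe packet loss as the ‘closeness to failing’ input are assumptions chosen for illustration.

```python
"""Fuzzy-logic link scoring: link load and closeness to failure go in, a
preference score comes out.

Added example, not Stonesoft/Forcepoint code.  The membership functions,
the three rules and the weighted-average de-fuzzifying step are assumptions
chosen to illustrate the five ingredients the chapter lists: input
variables, fuzzy sets, output variables, rules and de-fuzzifying.
"""


def ramp_down(x, lo, hi):
    """Membership in a 'low' set: 1 up to lo, 0 from hi, linear in between."""
    if x <= lo:
        return 1.0
    if x >= hi:
        return 0.0
    return (hi - x) / (hi - lo)


def ramp_up(x, lo, hi):
    """Membership in a 'high' set: 0 up to lo, 1 from hi, linear in between."""
    return 1.0 - ramp_down(x, lo, hi)


def tri(x, a, b, c):
    """Membership in a 'medium' set: 0 at a, peak 1 at b, 0 again at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


# Output variable 'preference' (0..100).  Each output fuzzy set is reduced to a
# representative value for weighted-average de-fuzzifying (assumption).
OUTPUT_SETS = {"avoid": 10.0, "acceptable": 55.0, "prefer": 95.0}


def fuzzify(load_pct, loss_pct):
    """Input variables -> degree of membership in each input fuzzy set.

    load_pct: utilisation of the link as a percentage of its capacity
    loss_pct: packet loss on the link's health probes (how close to failing)
    The breakpoints are assumptions for the example.
    """
    return {
        "load_low": ramp_down(load_pct, 20, 50),
        "load_medium": tri(load_pct, 30, 55, 80),
        "load_high": ramp_up(load_pct, 60, 90),
        "loss_low": ramp_down(loss_pct, 0.5, 3),
        "loss_high": ramp_up(loss_pct, 1, 5),
    }


def apply_rules(m):
    """Rule base (AND is min, OR is max).  Returns firing strength per output set."""
    return {
        # IF load is low AND loss is low THEN prefer the link
        "prefer": min(m["load_low"], m["loss_low"]),
        # IF load is medium AND loss is low THEN the link is acceptable
        "acceptable": min(m["load_medium"], m["loss_low"]),
        # IF load is high OR loss is high THEN avoid the link
        "avoid": max(m["load_high"], m["loss_high"]),
    }


def link_preference(load_pct, loss_pct):
    """Crisp 0..100 preference for one link (the de-fuzzifying step)."""
    strength = apply_rules(fuzzify(load_pct, loss_pct))
    total = sum(strength.values())
    if total == 0.0:
        return 0.0  # no rule fired: treat the link as unknown, lowest preference
    return sum(s * OUTPUT_SETS[name] for name, s in strength.items()) / total


def best_link(links):
    """Pick the link with the highest preference.

    links: dict name -> (load_pct, loss_pct).  Returns (name, score).
    """
    scored = {name: link_preference(*obs) for name, obs in links.items()}
    name = max(scored, key=scored.get)
    return name, scored[name]


if __name__ == "__main__":
    # Constructed sample: three ISP links as a link monitor might report them.
    sample = {"isp-a": (95, 0.2), "isp-b": (40, 0.2), "isp-c": (40, 10.0)}
    for name, obs in sample.items():
        print(name, round(link_preference(*obs), 1))
    print("best:", best_link(sample))
```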

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities to event detection and keeping track of configuration changes.

In this section, we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint’s Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn’t provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they’re ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn’t require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint’s Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint’s Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.

Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business’s network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn’t sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What’s the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you’re obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both, or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren’t always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn’t see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what’s happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.

Chapter 1 Understanding Next‐Generation Networks 9


Deploying Hybrid Networks

Data transmitted across networks doesn’t require only physical equipment (see the preceding section). The term broadband refers to high‐speed Internet access where a wide band of frequencies is used to transmit data.

Access to the Internet is provided in several ways:

xDSL: Refers collectively to all types of digital subscriber lines. DSL packs data onto copper wires.

Cable: These connections work by using TV channel space for data transmission.

Wireless communications: 3G and 4G are the references for network access via cell phone technology; the 4th generation mobile data protocol provides high‐speed access.

Speeding things up

Business networks often subscribe to Multi Protocol Label Switching (MPLS), a routing protocol run over data connections such as DSL, which makes traffic streams more efficient. An MPLS network isolates traffic by connecting two or more sites in the manner of a dedicated network cable. Regulatory bodies generally recommend the encryption of traffic even over MPLS networks that are considered as private.

Multi Protocol Label Switching allows data packets to be transferred at the switch level (Layer 2), thereby speeding up and shaping traffic flow. Flip to the later section ‘Keeping traffic private via VPN’ to discover more about isolating traffic from the larger network.

To manage the substantial increase in bandwidth needs characteristic of next‐generation networks and geographically extended organizations, combining different connection circuits is common practice.

Hybrid networks deploy mixed connections for traffic flow. For example, they can use cable broadband combined with MPLS.

Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn’t used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets, and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next‐generation networks.

Check out Chapter 4 to see how sophisticated next‐generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.

Star: All machines are connected to a central node that can be a hub or a switch. This widely‐used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization’s network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2: Different configurations used to link machines.

Making the case for distributed networks

Initially, networks operated following a centralized model, where all data was received by a central server that subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point‐of‐sale sites, banks cater for remote branch offices, and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability is a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi‐site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way and/or with a central site.

Business and bandwidth‐centered daily activity depends entirely on Internet Service Provider (ISP) connections.

The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or Cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.

Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de‐encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN‐to‐LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn’t involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi‐Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.

Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet‐based VPN, however, isn’t under an organization’s direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all of these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real‐world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an active directory, an exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a VPN connection from site‐to‐site would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, exchange server, active directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote‐access VPN scenario would be suitable if the 10 users aren’t based anywhere in particular and the firm has no UK‐based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn’t even require configured client side software, because the URL address to connect to the VPN portal would suffice.

VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they’re unreadable. If packets are modified, the VPN gateway also detects this action.

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. To keep your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP), Hot Standby Routing Protocol (HSRP) and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.

Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that’s only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires attaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway They arenrsquot dependent on BGP or any other routing protocol and they use link aggregation techniques in order to address multiple ISPs External load balancers

Chapter 1 Understanding Next‐Generation Networks 17

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

require special equipment and constant maintenance but even under the best circumstances they canrsquot participate in a VPN network without slowing down network performance

As with BGP if end‐users want to implement load balanc-ers they must purchase specialized hardware External load balancers require specialized network components to use multiple ISPs such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers) which adds to the cost of implementation Turn to Chapter 3 for more details on load balancing and ISPs

External load‐balancing equipment requires constant supervi-sion administration and system updates which adds to main-tenance costs Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent which further compounds the technical complex-ity of the management process


Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.

Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active set-up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work with the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status to all high-quality links. In case of congestion or failure, they start automatically using backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration in each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi-link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements needed between 2 ISPs when using BGP for high availability for your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it left the problem of a single point of failure of the MPLS connection.

Even though the company had good SLAs with its ISP, the maximum compensation for the connection outage was as high as the subscription fees it had already paid. In the case of a connection outage, it wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive and high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical/time-sensitive applications and a better user experience.
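As an added illustration (not Forcepoint's or Stonesoft's code), here is a small Python model of the link-selection logic the sample configuration above describes: priority 1 traffic is forced onto MPLS, priority 4 traffic prefers ADSL and spills onto free MPLS capacity, and lower priorities are throttled first under congestion. The link names, capacities, priorities and demands are constructed values, and the model also shows the backup case the retail company wanted, where the forced MPLS link fails and SAP traffic falls over to ADSL.

```python
"""Toy model of priority-based link selection across several ISP links.

Added example, not product code: link names, capacities and the flows
below are constructed sample values mirroring the page's configuration
(SAP = priority 1, forced on MPLS; HTTP = priority 4, normally on ADSL
plus free MPLS capacity).
"""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float
    up: bool = True
    used_mbps: float = 0.0

    @property
    def free_mbps(self) -> float:
        """Spare capacity; a failed link offers nothing."""
        if not self.up:
            return 0.0
        return max(self.capacity_mbps - self.used_mbps, 0.0)


@dataclass
class Flow:
    app: str
    priority: int          # 1 = highest, 4 = lowest
    demand_mbps: float


# Hypothetical policy table keyed by priority class.
# "forced": use only this link while it is up; fail over to any other
#           live link when it is down (the backup the page describes).
# "preferred": try this link first, then spill onto whatever is free.
POLICY = {
    1: {"forced": "MPLS"},
    4: {"preferred": "ADSL"},
}


def candidate_links(flow, links):
    """Order the links this flow may use according to POLICY."""
    rule = POLICY.get(flow.priority, {})
    by_name = {l.name: l for l in links}
    if "forced" in rule:
        forced = by_name[rule["forced"]]
        if forced.up:
            return [forced]
        # Failover: the forced link is down, so any other live link will do.
        return [l for l in links if l.up and l is not forced]
    pref = by_name.get(rule.get("preferred"))
    ordered = [pref] if pref else []
    return ordered + [l for l in links if l is not pref]


def allocate(links, flows):
    """Serve flows strictly by priority and report per-app link usage.

    Returns app -> {"links": {link_name: mbps}, "unserved_mbps": x}.
    Higher-priority flows are placed first, so under congestion they keep
    their bandwidth and the lower-priority traffic is what gets throttled.
    """
    result = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        remaining = flow.demand_mbps
        usage = {}
        for link in candidate_links(flow, links):
            if remaining <= 0:
                break
            take = min(remaining, link.free_mbps)
            if take > 0:
                link.used_mbps += take
                usage[link.name] = usage.get(link.name, 0.0) + take
                remaining -= take
        result[flow.app] = {"links": usage, "unserved_mbps": remaining}
    return result


def simulate(down=()):
    """Run the two-link retail scenario; `down` names links that have failed."""
    links = [Link("MPLS", 10.0, up="MPLS" not in down),   # constructed capacities
             Link("ADSL", 20.0, up="ADSL" not in down)]
    flows = [Flow("SAP", 1, 6.0), Flow("HTTP", 4, 25.0)]   # constructed demands
    return allocate(links, flows)


if __name__ == "__main__":
    print("normal:", simulate())
    print("MPLS down:", simulate(down=("MPLS",)))
```

In the normal run SAP sits entirely on MPLS and HTTP fills ADSL before taking the 4 Mbps MPLS has left, so only HTTP is throttled; with MPLS down, SAP moves to ADSL ahead of HTTP, which is the behaviour the case study relies on.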

Aggregating linksWouldnrsquot it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reli-able connection The probability for them all to fail at any given time is negligible Their traffic fluctuations occur ran-domly at different times and so most of the time yoursquod benefit from more than acceptable connection speeds Moreover the total cost would be low

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi‐Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost‐effectively by using Forcepoint's Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything—connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks

The traffic from the failed ISP connection was automatically transferred to the still‐functioning one. Business continued without interruption.

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section, we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2 Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
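The ratio method and its low-volume versus high-volume behaviour, as an added example (not Forcepoint's implementation). It computes each link's ratio against the largest link as described above; the mechanism used to realise that ratio connection by connection is smooth weighted round-robin, which is an assumption for illustration, and the link capacities are constructed.

```python
from collections import Counter
from typing import Dict


def capacity_ratios(capacities_mbps: Dict[str, float]) -> Dict[str, float]:
    """Compare every link to the link with the most bandwidth."""
    biggest = max(capacities_mbps.values())
    return {name: cap / biggest for name, cap in capacities_mbps.items()}


class RatioBalancer:
    """Hands out new connections so that, over time, each link carries a
    share of connections proportional to its capacity."""

    def __init__(self, capacities_mbps: Dict[str, float]):
        self.weights = {n: int(round(c)) for n, c in capacities_mbps.items()}
        self.total = sum(self.weights.values())
        self.current = {n: 0 for n in self.weights}

    def next_link(self) -> str:
        # Smooth weighted round-robin (assumed mechanism): every link gains
        # its weight, the leader is chosen and pays back the total so the
        # others catch up. Over `total` picks the split is exact.
        for name, weight in self.weights.items():
            self.current[name] += weight
        chosen = max(self.current, key=self.current.get)
        self.current[chosen] -= self.total
        return chosen


def distribute(capacities_mbps: Dict[str, float], connections: int) -> Dict[str, int]:
    """Return how many of `connections` new connections land on each link."""
    balancer = RatioBalancer(capacities_mbps)
    counts = Counter({n: 0 for n in capacities_mbps})
    for _ in range(connections):
        counts[balancer.next_link()] += 1
    return dict(counts)


def max_share_error(counts: Dict[str, int], capacities_mbps: Dict[str, float]) -> float:
    """Largest gap between a link's observed share of connections and its
    share of total capacity: large at low volume, zero over a full cycle."""
    total_conn = sum(counts.values())
    total_cap = sum(capacities_mbps.values())
    return max(abs(counts[n] / total_conn - capacities_mbps[n] / total_cap)
               for n in counts)


# Constructed link set: a big MPLS circuit, a mid-size ADSL line, a small LTE link.
LINKS_MBPS = {"MPLS": 20, "ADSL": 10, "LTE": 3}

if __name__ == "__main__":
    print("ratios:", capacity_ratios(LINKS_MBPS))
    for n in (4, 33, 330):
        counts = distribute(LINKS_MBPS, n)
        print(n, counts, f"max share error {max_share_error(counts, LINKS_MBPS):.3f}")
```

After only four connections the MPLS link holds 75 per cent of them against a 61 per cent capacity share; after 33 the split is exactly 20:10:3.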

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration, allowing for more granular and efficient use of available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
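The fuzzy pipeline just described (input variables, fuzzy sets, rules, de-fuzzying) applied to the two questions above, as an added example written for this page. The membership functions, rule base, singleton outputs and the 0.75 move-away threshold are constructed for illustration and are not Forcepoint's rule set; the link snapshot is constructed too.

```python
from typing import Dict


def clamp(x: float) -> float:
    return max(0.0, min(1.0, x))


# --- fuzzy sets for the two input variables: load and packet loss ----------
def load_high(util: float) -> float:      # 0 at <=50% utilisation, 1 at >=90%
    return clamp((util - 0.5) / 0.4)


def load_low(util: float) -> float:
    return 1.0 - load_high(util)


def loss_none(pct: float) -> float:       # 1 at 0% loss, 0 from 2% upwards
    return clamp((2.0 - pct) / 2.0)


def loss_some(pct: float) -> float:       # peaks at 2% loss, gone by 8%
    return clamp(min(pct / 2.0, (8.0 - pct) / 6.0))


def loss_severe(pct: float) -> float:     # 0 at <=2% loss, 1 at >=10%
    return clamp((pct - 2.0) / 8.0)


# --- output variable "move traffic away", as three singleton values ---------
KEEP, WATCH, MOVE = 0.0, 0.5, 1.0


def move_away_degree(util: float, loss_pct: float) -> float:
    """Apply the rule base (AND = min) and de-fuzzify with a weighted
    average of the output singletons. Returns a degree of truth in [0, 1]."""
    rules = [
        (loss_severe(loss_pct),                        MOVE),   # IF loss severe
        (min(loss_some(loss_pct), load_high(util)),    MOVE),   # IF loss some AND load high
        (min(loss_some(loss_pct), load_low(util)),     WATCH),  # IF loss some AND load low
        (min(loss_none(loss_pct), load_high(util)),    WATCH),  # IF loss none AND load high
        (min(loss_none(loss_pct), load_low(util)),     KEEP),   # IF loss none AND load low
    ]
    total_weight = sum(w for w, _ in rules)
    if total_weight == 0.0:   # unreachable with these sets, kept as a guard
        return WATCH
    return sum(w * z for w, z in rules) / total_weight


def choose_link(links: Dict[str, Dict[str, float]], move_threshold: float = 0.75) -> str:
    """Steer new traffic to the healthiest link. A link whose degree reaches
    the threshold is treated as 'going bad' and skipped while any other
    link remains. Each link maps to {'util': ..., 'loss_pct': ...}."""
    scored = {n: move_away_degree(m["util"], m["loss_pct"]) for n, m in links.items()}
    usable = [n for n, d in scored.items() if d < move_threshold] or list(scored)
    return min(usable, key=scored.get)


# Constructed snapshot of three links as a gateway might poll them.
SAMPLE_LINKS = {
    "MPLS": {"util": 0.30, "loss_pct": 0.0},   # healthy
    "ADSL": {"util": 0.70, "loss_pct": 6.0},   # loss creeping up
    "LTE":  {"util": 0.95, "loss_pct": 0.5},   # clean but nearly full
}

if __name__ == "__main__":
    for name, m in SAMPLE_LINKS.items():
        print(f"{name}: move-away degree {move_away_degree(m['util'], m['loss_pct']):.3f}")
    print("next connection goes to", choose_link(SAMPLE_LINKS))
```

The ADSL link scores about 0.86 (past the threshold, so traffic is steered off it) while the full-but-clean LTE link scores 0.625, which is the graded answer to "how high is the load" that a plain 0/1 check could not give.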

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section, we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low‐latency connections—an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low‐bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter, we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You may be surprised at how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals—not surprisingly—that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm – until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic – in other words, taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.


Staying secure

Although networks need the building blocks we describe in Table 1-1 to work, actually running connected systems requires other technologies and expertise (Chapter 2 contains much more on hybrid networks). One aspect of running a network is security: because networks are so widespread and accessible, they also attract dishonest users.

You need to ensure that your connected network isn't used in any illegal, criminal or abusive way.

Security is an integral part of network management. Network security devices block suspicious traffic, inspect data packets and identify users and applications. The firewalls first developed in the late 1980s to manage security policies have since evolved into highly specialized tools for the specific needs of next‐generation networks.

Check out Chapter 4 to see how sophisticated next‐generation firewalls not only manage the defense of a network but also make other aspects of network management more efficient.

Talking about network topologies

If you had an aerial view of a network, what would it look like? Well, visualizing the smallest type of network, or Local Area Network (LAN), typically used within a confined area such as a home or school, is quite easy. A Wide Area Network (WAN), on the other hand, extends beyond the shell of a building and can cover a city, region, country or the whole world. In this case, different configurations link machines physically and define how information is exchanged.

Here are the most prevalent network designs (check out Figure 1-2 for illustrations of each design):

Bus: A linear connection between machines that supports a limited number of machines. Adding devices creates performance issues. If the central conduit fails, the entire network becomes unusable.

Ring: Data is passed from one machine to another following a circular path. The network fails if any device or cable ceases to function.


Star: All machines are connected to a central node that can be a hub or a switch. This widely‐used topology prevents network failure if any one machine stalls.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches the destination if a failure occurs at one point. The Internet deploys mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx

Figure 1-2 Different configurations used to link machines


Making the case for distributed networks

Initially, networks operated following a centralized model, where all data was received by a central server that subsequently dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point‐of‐sale sites, banks cater for remote branch offices, and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability is a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi‐site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way, and/or with a central site

Business and bandwidth‐centered daily activity depend entirely on Internet Service Provider (ISP) connections

The availability factor of WAN infrastructures is critical

Distributed networks tend to become hybrid; that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flow. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de‐encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN‐to‐LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi‐Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet‐based VPN, however, aren't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real‐world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an active directory, an exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost‐effective, a site‐to‐site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, exchange server, active directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home A remote‐access VPN scenario would be suitable if the 10 users arenrsquot based anywhere in par-ticular and the firm has no UK‐based office In this case they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America If they were using a protocol that secures communication between users and applications (such as SSL VPN which you can read about in Chapter 3) they wouldnrsquot even require configured client side software because the URL address to connect to the VPN portal would suffice


VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP), Hot Standby Routing Protocol (HSRP) and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter:

Producing a smooth‐running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement and cloud applications are amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they're social networks or e‐learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter:

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost‐effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost‐effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best‐effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high‐speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high‐speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high‐quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower‐priority traffic to cheap links and reserve high‐quality lines for high‐priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status on all high‐quality links. In case of congestion or failure, they start automatically using the backup high‐quality links for high‐priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high‐priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it's already heavily employed in online shopping and banking. SSL protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre‐configured client‐side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use‐case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter:

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements (which are needed between two ISPs when BGP is used to provide high availability for your Internet connection). The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.


Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

Under normal conditions (enough networking capacity and no congestion), all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren't reserved for high‐priority traffic.

Often companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or low‐quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.

The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left in place the single point of failure that one MPLS connection represents.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. In the case of an outage that wouldn't cover the production losses, so the company wanted a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for each of its offices, which was a cost-effective way to supply more bandwidth to every location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections, and the QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times, while the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced onto the MPLS link
HTTP traffic = Priority 4 = Normally uses ADSL, plus any free capacity on the MPLS link
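The placement rules in that sample configuration, worked through as a small simulation. This is an added example written for this edit, not Forcepoint or Stonesoft configuration or code; the two link names and capacities, the port-to-application mapping in classify() and the arrivals in run_scenario() are constructed assumptions. It also handles the case the text implies but doesn't spell out: low-priority traffic that borrowed spare MPLS capacity is pushed back to ADSL the moment a priority-1 flow needs the room.

```python
"""Priority-based link placement, modelled on the sample configuration above.

Added example: a simplified simulation, not Forcepoint/Stonesoft code. The
two link names and capacities, the port-to-application mapping and the flow
list are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, int]  # (application, priority, bandwidth in kbit/s)

# Priority classes from the sample configuration: SAP = 1, HTTP = 4.
PRIORITY: Dict[str, int] = {"sap": 1, "http": 4}
FORCED_LINK: Dict[int, str] = {1: "mpls"}   # priority 1 is pinned to MPLS
DEFAULT_LINK = "adsl"                        # everything else starts on ADSL
BORROW_LINK = "mpls"                         # ... but may borrow spare MPLS capacity


@dataclass
class Link:
    name: str
    capacity_kbps: int
    flows: List[Flow] = field(default_factory=list)

    def used(self) -> int:
        return sum(f[2] for f in self.flows)

    def free(self) -> int:
        return self.capacity_kbps - self.used()


def classify(dst_port: int) -> str:
    """Map a destination port to an application class.
    Assumption: SAP dispatcher/gateway ports 3200-3399, web on 80/443."""
    if 3200 <= dst_port < 3400:
        return "sap"
    if dst_port in (80, 443):
        return "http"
    return "other"


def place_flow(links: Dict[str, Link], app: str, kbps: int) -> Optional[str]:
    """Return the link a new flow is placed on, or None if it must wait (throttled)."""
    prio = PRIORITY.get(app, 4)
    flow: Flow = (app, prio, kbps)

    if prio in FORCED_LINK:
        link = links[FORCED_LINK[prio]]
        # Priority-1 traffic always wins the MPLS link: push borrowed
        # lower-priority flows back to ADSL until there is room.
        while link.free() < kbps:
            victims = [f for f in link.flows if f[1] > prio]
            if not victims:
                return None  # MPLS saturated with priority traffic itself
            victim = max(victims, key=lambda f: f[1])  # lowest priority goes first
            link.flows.remove(victim)
            links[DEFAULT_LINK].flows.append(victim)  # best effort; ADSL may now be oversubscribed
        link.flows.append(flow)
        return link.name

    # Lower-priority traffic: cheap link first, then any spare capacity on MPLS.
    for name in (DEFAULT_LINK, BORROW_LINK):
        if links[name].free() >= kbps:
            links[name].flows.append(flow)
            return name
    return None  # congestion: lower-priority traffic has to wait


def run_scenario() -> Dict[str, List[str]]:
    """Constructed scenario: a 2 Mbit/s MPLS link and a 4 Mbit/s ADSL link."""
    links = {"mpls": Link("mpls", 2000), "adsl": Link("adsl", 4000)}
    arrivals = [(443, 3000), (80, 1500), (3200, 1200), (3300, 1000)]  # (dst port, kbit/s)
    throttled: List[str] = []
    for port, kbps in arrivals:
        app = classify(port)
        if place_flow(links, app, kbps) is None:
            throttled.append(f"{app}:{kbps}")
    # Report the final placement per link, after any evictions.
    report = {name: [f"{f[0]}:{f[2]}" for f in link.flows] for name, link in links.items()}
    report["throttled"] = throttled
    return report


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the second HTTP flow borrows MPLS capacity, is evicted to ADSL when the first SAP flow arrives, and the second SAP flow is throttled because MPLS is already full of priority-1 traffic: that is the behaviour the two-line configuration above describes, with the consequence for borrowed capacity made explicit.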


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have bandwidth available or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the traffic that matters most to your business first, so you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at the same time is negligible, provided the links are genuinely independent (different last-mile technologies and different upstream providers, not two circuits that share a street cabinet or a backhaul). Their traffic fluctuations occur randomly at different times, so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections and makes the individual links invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All the alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. Consider a setup in which one ISP's bandwidth far exceeds that of the other connections and is supplemented by smaller ISPs: a selection method that simply picks whichever link returned the fastest SYN-ACK (synchronize-acknowledgement) response may well favour the smaller ISP.

Although that link may look like the 'fastest' connection, choosing it ignores the proportionate bandwidth available on each link.

In this section we describe how Multi-Link technology load balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly work out whether one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology resolves the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load-balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-valued logic: instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to questions such as:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
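The two preceding sections (capacity-ratio distribution, and fuzzy logic for spotting a link that is going bad) as one added example. It is not Forcepoint or Stonesoft code and does not reproduce their rule set; the link capacities, the probe measurements, the fuzzy-set thresholds and the minimum-health cut-off are constructed assumptions. The fuzzy part answers "how high is the load?" and "how close to failing?" for each link and de-fuzzifies to a single health score; links below the cut-off leave the rotation, and the rest receive new connections in proportion to their bandwidth relative to the largest link. Running demo() with 5, 13 and 130 connections shows the approximate split at low volume converging on the capacity ratio at high volume.

```python
"""Multi-Link link selection in miniature: fuzzy health scoring to spot a link
that is going bad, then capacity-ratio distribution across the links that are
still good.

Added example illustrating the two preceding sections; it is not
Forcepoint/Stonesoft code and does not reproduce their rule set. The link
capacities, probe measurements, fuzzy-set thresholds and the health threshold
are constructed assumptions.
"""
from fractions import Fraction
from typing import Dict, Tuple

Probe = Tuple[float, float, float]  # (utilisation 0..1, probe loss 0..1, RTT in ms)


def ramp(x: float, lo: float, hi: float) -> float:
    """Membership rising linearly from 0 at `lo` to 1 at `hi`."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def fuzzy_health(load: float, loss: float, rtt_ms: float) -> float:
    """Degree of truth (0..1) that a link is healthy.

    Input fuzzy sets answer "how high is the load?" and "how close to failing?";
    three rules fire to a degree each, and a weighted centroid de-fuzzifies them.
    """
    high_load = ramp(load, 0.70, 0.95)                               # "load is high"
    failing = max(ramp(loss, 0.05, 0.30), ramp(rtt_ms, 150.0, 600.0))  # "close to failing"
    # Rules (min = AND, 1 - x = NOT):
    good = min(1.0 - high_load, 1.0 - failing)   # not loaded AND not failing
    degraded = min(high_load, 1.0 - failing)     # loaded but not failing
    bad = failing                                # failing, whatever the load
    total = good + degraded + bad
    if total == 0.0:
        return 0.0
    # De-fuzzify: output sets centred at 1.0 (good), 0.5 (degraded), 0.0 (bad).
    return (good * 1.0 + degraded * 0.5 + bad * 0.0) / total


def ratio_weights(capacities: Dict[str, int], health: Dict[str, float],
                  min_health: float = 0.4) -> Dict[str, Fraction]:
    """Compare every usable link's bandwidth with the biggest usable link.
    Links whose fuzzy health is below `min_health` are taken out of rotation."""
    usable = {n: c for n, c in capacities.items() if health.get(n, 0.0) >= min_health}
    if not usable:
        return {}
    biggest = max(usable.values())
    return {n: Fraction(c, biggest) for n, c in usable.items()}


def distribute(weights: Dict[str, Fraction], n_flows: int) -> Dict[str, int]:
    """Assign `n_flows` new connections so each link's count tracks its weight.
    Every flow goes to the link furthest behind its target share (ties by name).
    With few flows the split is only approximate; with many it converges on the ratio."""
    counts = {n: 0 for n in weights}
    for _ in range(n_flows):
        pick = min(weights, key=lambda n: (Fraction(counts[n] + 1) / weights[n], n))
        counts[pick] += 1
    return counts


def select_links(capacities: Dict[str, int], probes: Dict[str, Probe],
                 n_flows: int) -> Dict[str, int]:
    """Score every link, drop the unhealthy ones, then distribute by capacity ratio."""
    health = {n: fuzzy_health(*p) for n, p in probes.items()}
    return distribute(ratio_weights(capacities, health), n_flows)


def demo(n_flows: int) -> Dict[str, int]:
    """Constructed site: 100 Mbit/s MPLS, 20 Mbit/s ADSL, 10 Mbit/s LTE.
    The LTE probe is losing 40% of packets, so it should be taken out of rotation."""
    capacities = {"mpls": 100_000, "adsl": 20_000, "lte": 10_000}
    probes = {"mpls": (0.30, 0.00, 20.0),
              "adsl": (0.50, 0.02, 60.0),
              "lte": (0.20, 0.40, 300.0)}
    return select_links(capacities, probes, n_flows)


if __name__ == "__main__":
    for n in (5, 13, 130):
        print(n, demo(n))
```

Two design points worth noting. The rules are evaluated with min/max rather than hard thresholds, so a link at 85% utilisation with no loss scores 0.7 (degraded, still usable) instead of flipping between "up" and "down" on every probe; and the weights are exact fractions, so the distribution never drifts because of floating-point rounding in the ratio.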

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections, ideally an MPLS connection with a strict SLA.

The use of a VoIP service was desirable wherever possible, to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and to direct all the other traffic to lower-cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.

Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or another segment, you have to define exactly what the network brings you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in a position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network? The honest answer depends on whether that network is physically isolated end to end and whether the backup images, which contain the same sensitive data as the servers they came from, are protected by other means; if either is in doubt, the throughput saving isn't worth the exposure.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How Much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real Time?
• EULA
Chapter 1: Understanding Next-Generation Networks

Star: All machines are connected to a central node, which can be a hub or a switch. This widely used topology prevents network failure if any one machine stalls, although the central node itself remains a single point of failure.

Mesh: All machines are connected to each other, allowing data to travel down different paths to reach a given destination. Military research led to the use of redundant communication routes to ensure that data still reaches its destination if a failure occurs at one point. The Internet is built on a (partial) mesh topology.

An organization's network can sometimes use different topologies. For more on configuration considerations, flip to Chapter 2.

The Internet can be traced back to ARPANET, an experimental communications system developed in the 1960s between university computers. To find out more about the origins of network design, visit http://www.darpa.mil/about/history/history.aspx.

Figure 1-2: Different configurations used to link machines.


Making the case for distributed networks

Initially, networks followed a centralized model in which all data was received by a central server, which then dispatched information to the appropriate recipients.

Evolving business models, however, led most organizations to embrace the move towards decentralized communication, where no central node is present but each node is connected to various other nodes. Thanks to these distributed networks, retail organizations extend their digital reach to point-of-sale sites, banks cater for remote branch offices, and service industries manage distributed workforces nationally and/or globally.

Distributed networks are necessarily WAN architectures, which feature many advantages:

Economic gain, with a positive price/performance ratio

Management of remote locations and users

Capacity to share information and resources

High availability as a systematic feature, provided redundant paths are designed in

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi-site information architectures:

Remote sites need to be able to exchange information and communicate in a secure and reliable way with each other and/or with a central site.

Business and bandwidth-centered daily activity depend entirely on Internet Service Provider (ISP) connections.

The availability factor of WAN infrastructures is critical.

Distributed networks tend to become hybrid, that is, they use different connectivity options to ensure bandwidth for permanent and changing traffic flows. Although you can use many permutations, such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL), or cable combined with MPLS and ADSL, and so on, managing and securing hybrid networks are key business requirements.


Keeping traffic private via VPN

Virtual private network (VPN) technology uses a method referred to as tunneling, as well as various security mechanisms, to protect data connections.

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de-encapsulated on arrival. The security mechanisms (encryption, integrity checking and replay protection) are applied to the encapsulated packet, so the carrier network sees only opaque payload.
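The encapsulate, transmit, de-encapsulate cycle just described, as an added example that is not part of the original page and not a real VPN implementation or Stonesoft code. The carrier-frame layout (a security parameter index, a sequence number, the inner packet and a truncated HMAC-SHA256 tag) is a constructed assumption loosely modelled on IPsec ESP; encryption is deliberately left out so the block stays within the standard library, which means it demonstrates encapsulation, integrity checking and replay protection only. The key, addresses and payload are constructed. The receiver checks the tag before it touches any state, so a forged or bit-flipped frame cannot move the replay window.

```python
"""Tunneling in miniature: wrap an inner packet in a carrier frame that carries an
integrity tag and an anti-replay sequence number, then unwrap and verify it.

Added example, not Stonesoft code and not a real VPN. The frame layout (SPI,
sequence number, inner packet, truncated HMAC-SHA256 tag) is a constructed
assumption loosely modelled on IPsec ESP; encryption is left out on purpose,
so the block shows encapsulation, integrity checking and replay protection only.
The key, addresses and payloads are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Set

TAG_LEN = 16                      # HMAC-SHA256 truncated to 128 bits
OUTER = struct.Struct("!II")      # SPI, sequence number
INNER = struct.Struct("!4s4sHH")  # src, dst, protocol, payload length


def build_inner(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """The 'VPN protocol format' packet: a minimal IPv4-like header plus payload."""
    return INNER.pack(ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, proto, len(payload)) + payload


def parse_inner(pkt: bytes) -> Dict[str, object]:
    src, dst, proto, length = INNER.unpack(pkt[:INNER.size])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[INNER.size:INNER.size + length]}


def encapsulate(key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    """Sender side: outer header + inner packet + tag computed over both."""
    header = OUTER.pack(spi, seq)
    tag = hmac.new(key, header + inner, hashlib.sha256).digest()[:TAG_LEN]
    return header + inner + tag


class TunnelReceiver:
    """Receiver side: integrity first, then the replay window, then hand the inner
    packet up. A forged or replayed frame never changes receiver state."""

    def __init__(self, key: bytes, spi: int, window: int = 64) -> None:
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0
        self.seen: Set[int] = set()

    def decapsulate(self, frame: bytes) -> bytes:
        if len(frame) < OUTER.size + TAG_LEN:
            raise ValueError("truncated frame")
        header, body, tag = frame[:OUTER.size], frame[OUTER.size:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):   # constant-time comparison
            raise ValueError("integrity check failed")
        spi, seq = OUTER.unpack(header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.highest - self.window or seq in self.seen:
            raise ValueError("replayed or too-old sequence number")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return body


def demo() -> Dict[str, object]:
    """Constructed exchange: one good frame, one bit-flipped copy, one replay."""
    key = b"constructed-demo-key-not-for-real-use"
    spi = 0x1234
    inner = build_inner("10.1.0.10", "10.2.0.20", 6, b"GET / HTTP/1.0\r\n")
    frame = encapsulate(key, spi, 1, inner)
    rx = TunnelReceiver(key, spi)

    out: Dict[str, object] = {"delivered": parse_inner(rx.decapsulate(frame))}
    tampered = bytearray(frame)
    tampered[OUTER.size + 4] ^= 0x01            # flip a bit in the inner destination address
    try:
        rx.decapsulate(bytes(tampered))
        out["tamper_rejected"] = False
    except ValueError as err:
        out["tamper_rejected"] = "integrity" in str(err)
    try:
        rx.decapsulate(frame)                    # the same frame, sent again
        out["replay_rejected"] = False
    except ValueError as err:
        out["replay_rejected"] = "replay" in str(err)
    return out


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the security-relevant part: verifying the tag before parsing the sequence number means an attacker who cannot forge the tag also cannot advance the window or make the receiver discard legitimate traffic.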

VPN is commonly used in the following scenarios

Remote client connections You can set up a VPN to sup-port protected access to corporate home offices over the Internet

LAN‐to‐LAN Internet working A VPN can bridge two net-works In this mode of operation an entire remote net-work (rather than just a single remote client) can join a different company network to form an extended intranet

Controlled access within an intranet Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network In this mode of operation VPN clients connect to a VPN server that acts as the network gateway

This type of VPN use doesnrsquot involve an ISP or public network cabling However it allows the security ben-efits of VPN to be deployed inside an organization This approach has become especially popular as a way for businesses to protect their Wi‐Fi networks

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet‐based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real‐world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site‐to‐site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote‐access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK‐based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client‐side software, because the URL address of the VPN portal would suffice.


VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.
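The three tunnel properties just described (encapsulation, unreadable to a sniffer, modification detected by the gateway) as an added, deliberately simplified example; this is not code from the book or from any VPN product, and it is not IPsec ESP or SSL. The keys, the inner packet and the HMAC‐based keystream are assumptions of this example; a real tunnel would use a negotiated key and an AEAD cipher such as AES‐GCM.

```python
"""Simplified VPN tunnel: encapsulate an inner packet inside an outer datagram,
encrypt it, authenticate it and reject tampered or replayed datagrams.
Illustrative construction only (not IPsec ESP or TLS): the keystream is derived
from HMAC-SHA256 used as a PRF in counter mode because the standard library
ships no AEAD cipher."""
import hashlib
import hmac
import struct

OUTER_HDR = struct.Struct("!I")  # outer header carries a 32-bit sequence number
TAG_LEN = 32                      # HMAC-SHA256 tag appended to every datagram
REPLAY_WINDOW = 64                # how far behind the newest sequence number we still accept

# Constructed inner packet: what a sniffer would read if the link were unencrypted.
INNER_PACKET = b"GET /payroll/report HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """PRF-in-counter-mode keystream; seq must never repeat under the same key."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encapsulate(enc_key: bytes, mac_key: bytes, seq: int, inner: bytes) -> bytes:
    """Client side: seq || ciphertext || tag, where the tag covers seq and ciphertext."""
    ciphertext = bytes(p ^ k for p, k in zip(inner, _keystream(enc_key, seq, len(inner))))
    body = OUTER_HDR.pack(seq) + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


class TunnelGateway:
    """Server side: verifies and de-encapsulates datagrams, tracking replay state."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.highest_seq = -1
        self.seen = set()

    def decapsulate(self, datagram: bytes):
        """Return (status, inner_packet); status is 'ok', 'bad_tag' or 'replay'."""
        if len(datagram) < OUTER_HDR.size + TAG_LEN:
            return "bad_tag", None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad_tag", None          # modified in transit: the gateway detects it
        (seq,) = OUTER_HDR.unpack_from(body)
        if seq in self.seen or seq <= self.highest_seq - REPLAY_WINDOW:
            return "replay", None          # an old datagram captured and re-sent
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        self.seen = {s for s in self.seen if s > self.highest_seq - REPLAY_WINDOW}
        ciphertext = body[OUTER_HDR.size:]
        inner = bytes(c ^ k for c, k in zip(ciphertext, _keystream(self.enc_key, seq, len(ciphertext))))
        return "ok", inner


def demo():
    """Run one datagram through the tunnel, then a tampered copy and a replay."""
    # Constructed keys; a real VPN negotiates these (IKE for IPsec, the handshake for SSL VPN).
    enc_key, mac_key = bytes(range(32)), bytes(range(32, 64))
    gateway = TunnelGateway(enc_key, mac_key)
    datagram = encapsulate(enc_key, mac_key, 1, INNER_PACKET)

    results = {"sniffer_sees_plaintext": INNER_PACKET in datagram}
    results["delivered"] = gateway.decapsulate(datagram)
    tampered = bytearray(datagram)
    tampered[OUTER_HDR.size] ^= 0x01      # flip one bit of the ciphertext
    results["tampered"] = gateway.decapsulate(bytes(tampered))[0]
    results["replayed"] = gateway.decapsulate(datagram)[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```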

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. To keep your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link‐state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth‐running, complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they're social networks or e‐learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full‐stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost‐effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher‐priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active‐standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active‐active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost‐effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work with the best‐effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high‐speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high‐speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high‐quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower‐priority traffic to cheap links and reserve high‐quality lines for high‐priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status on all high‐quality links. In case of congestion or failure, they start automatically using backup high‐quality links for high‐priority traffic. This approach saves costs, because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high‐priority traffic.
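The link‐selection policies described in 'Activating dormant links' and in this section (active‐active spreading over every usable link, cheap links for low‐priority traffic, high‐quality lines reserved for high‐priority traffic, a volume‐billed satellite link used only when nothing else is up) as an added, constructed example; this is not code from the book or from Forcepoint's Multi‐Link. The link names, capacities, traffic classes and flows are all assumptions of this example.

```python
"""Constructed multi-link policy: classify flows, spread them active-active over
every usable link, keep cheap links for low-priority traffic, and bring a
volume-billed satellite link in only when everything else is down."""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    kind: str              # "mpls" (SLA-backed), "broadband" (best effort) or "satellite"
    capacity_kbps: int
    up: bool = True
    standby: bool = False  # carries traffic only when no non-standby link is up
    load_kbps: int = 0

    def free_kbps(self) -> int:
        return self.capacity_kbps - self.load_kbps


# Link kinds each traffic class may use, in order of preference. Putting
# "broadband" first in the "critical" list gives the cheap-links-first variant
# in which high-quality lines stay on standby until the cheap ones fail or fill.
PREFERENCE = {
    "critical": ["mpls", "broadband", "satellite"],  # stock feed, ERP: must get through
    "business": ["broadband", "mpls"],               # email, SaaS: MPLS only when it has spare capacity
    "bulk": ["broadband"],                           # web surfing, updates: cheap links only
}


def pick_link(links, traffic_class, kbps):
    """Return the link that should carry a flow of `kbps`, or None if it must wait."""
    others_up = any(l.up and not l.standby for l in links)
    for kind in PREFERENCE[traffic_class]:
        eligible = [
            l for l in links
            if l.kind == kind and l.up and l.free_kbps() >= kbps
            and not (l.standby and others_up)   # standby links wait for a total outage
        ]
        if eligible:
            # Active-active: send the flow to the least-loaded eligible link.
            return max(eligible, key=lambda l: l.free_kbps())
    return None


def assign_flows(links, flows):
    """Place (name, class, kbps) flows; returns {flow name: link name or None}."""
    placement = {}
    for name, traffic_class, kbps in flows:
        link = pick_link(links, traffic_class, kbps)
        if link is not None:
            link.load_kbps += kbps
        placement[name] = link.name if link else None
    return placement


def run_scenario(failed=()):
    """Constructed site: one MPLS line, two DSL lines, one standby satellite link."""
    links = [
        Link("mpls", "mpls", 10_000),
        Link("dsl-a", "broadband", 40_000),
        Link("dsl-b", "broadband", 40_000),
        Link("sat", "satellite", 2_000, standby=True),
    ]
    for link in links:
        if link.name in failed:
            link.up = False
    flows = [  # constructed traffic mix, kbps
        ("stock-feed", "critical", 2_000),
        ("erp", "critical", 3_000),
        ("email", "business", 5_000),
        ("web", "bulk", 20_000),
        ("updates", "bulk", 30_000),
    ]
    return assign_flows(links, flows)


if __name__ == "__main__":
    print("normal:         ", run_scenario())
    print("broadband down: ", run_scenario({"dsl-a", "dsl-b"}))
    print("only satellite: ", run_scenario({"mpls", "dsl-a", "dsl-b"}))
```

With both DSL lines down, business traffic spills onto the MPLS line's spare capacity while bulk traffic waits; with every terrestrial link down, only the critical flow that fits the satellite's capacity is carried.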

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Sockets Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Sockets Layer VPN provides excellent security for remote‐access users and is easy to use; it's already heavily employed in online shopping and banking. SSL‐protected pages display 'https' in the browser URL bar, as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre‐configured client‐side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use‐case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We donrsquot focus on data in this book but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful

Chapter 4

Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint’s network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements, which are otherwise needed between 2 ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they’re completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.

Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You’ll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running – efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren’t reserved for high‐priority traffic.

Often companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or low‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn’t always have enough bandwidth available.

The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive – and it left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was at most the subscription fees it had already paid. In the case of a connection outage it wouldn’t cover the production losses, and so the company wanted to have a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint’s Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here’s a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don’t need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission‐critical/time‐sensitive applications and a better user experience.

Aggregating links

Wouldn’t it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you’d benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That’s exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi‐link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always‐available connection, whatever the connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.

Figure 4-1: Combining different links for efficient hybrid networks

Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company’s production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost‐effectively by using Forcepoint’s Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization’s IT manager and asked if he’d noticed that one of the company’s ISPs had been wiped out. The IT manager said that he hadn’t noticed anything – connections were functioning flawlessly. This is just an example of the power of Forcepoint’s Multi‐Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still‐functioning one. Business continued without interruption.

Figure 4-2: Multi‐link technology secures hybrid business networks

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP’s bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (synchronize acknowledgement) response.

But although this option may seem like the ‘fastest’ connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Rethinking the ratio method

Forcepoint’s Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
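The two ideas above, priority pinning from the retail sample configuration (SAP forced on MPLS, HTTP on ADSL plus free MPLS capacity) and ratio‐based distribution, put together in one small simulator. This is an added illustration, not Forcepoint’s or Stonesoft’s code; the link capacities, flow sizes, random seed and the rule that other traffic may use a reserved link only while it has spare capacity are assumptions made for the example.

```python
"""Priority pinning plus ratio-based link selection (added illustration).

Not Forcepoint's or Stonesoft's code.  Link names and capacities, flow
sizes and the random seed are constructed sample values chosen to mirror
the book's sample configuration.
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    capacity_mbps: float  # nominal bandwidth of the ISP link


# Priority 1 (SAP) is forced onto MPLS; any other class may use a forced
# link only while that link still has spare capacity (assumed rule).
FORCED_LINK = {1: "MPLS"}


def ratio_weights(links):
    """Weight each link relative to the link with the most bandwidth."""
    biggest = max(link.capacity_mbps for link in links)
    return {link.name: link.capacity_mbps / biggest for link in links}


def eligible_links(priority, links, load):
    """Links a flow of this priority may be placed on, given current load."""
    forced = FORCED_LINK.get(priority)
    if forced is not None:
        return [link for link in links if link.name == forced]
    reserved = set(FORCED_LINK.values())
    usable = []
    for link in links:
        if link.name in reserved and load[link.name] >= link.capacity_mbps:
            continue  # reserved link is full: no free capacity for other traffic
        usable.append(link)
    return usable or list(links)  # nothing spare anywhere: fall back to all links


def choose_link(priority, links, load, rng):
    """Forced link if the class has one, else a ratio-weighted random pick."""
    candidates = eligible_links(priority, links, load)
    weights = ratio_weights(links)
    names = [link.name for link in candidates]
    return rng.choices(names, weights=[weights[n] for n in names], k=1)[0]


def distribute(flows, links, seed=1):
    """Place (priority, mbps) flows one by one; return per-link load and placements."""
    rng = random.Random(seed)
    load = defaultdict(float)
    placement = []
    for priority, mbps in flows:
        name = choose_link(priority, links, load, rng)
        load[name] += mbps
        placement.append((priority, name))
    return dict(load), placement


def shares(load):
    """Fraction of the total load carried by each link."""
    total = sum(load.values())
    return {name: mbps / total for name, mbps in load.items()}


if __name__ == "__main__":
    links = [Link("MPLS", 10.0), Link("ADSL", 6.0)]
    # Constructed mix: eight SAP flows of 0.5 Mbps and 2000 small HTTP flows.
    flows = [(1, 0.5)] * 8 + [(4, 0.02)] * 2000
    load, placement = distribute(flows, links)
    print("ratio weights:", ratio_weights(links))
    print("load per link (Mbps):", {k: round(v, 2) for k, v in load.items()})
    print("all SAP flows on MPLS:", all(n == "MPLS" for p, n in placement if p == 1))
```

With the constructed mix the MPLS link fills to its capacity and the remaining HTTP traffic spills onto ADSL, which is the behaviour the retail case describes; with many small flows on two unreserved links the per‐link shares converge to the capacity ratio, with few flows they are only approximate.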

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint’s Multi‐Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links.

Load‐balancing traffic between several different ISPs isn’t as easy as it sounds (if it didn’t sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn’t handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor‐quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it’s a multi‐value logic; that is, instead of ‘0’ or ‘1’ you have multiple values. Fuzzy logic can use imprecise data and calculate ‘degrees of truth’, providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and ‘de‐fuzzying’ to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
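The fuzzy pipeline the text names (input variables, fuzzy sets, rules, an output variable and de‐fuzzification), worked through for the two questions above, how high the load is and how close a link is to failing. This is an added example and not the Stonesoft implementation; the membership breakpoints, the drain threshold and the sample measurements are constructed values.

```python
"""Fuzzy-logic link health scoring (added illustration).

Not the Stonesoft implementation.  Membership breakpoints, the drain
threshold and the sample measurements are constructed values.
"""


class FuzzySet:
    """Trapezoidal fuzzy set: membership rises on [a, b], is 1 on [b, c], falls on [c, d]."""

    def __init__(self, a, b, c, d):
        self.a, self.b, self.c, self.d = a, b, c, d

    def __call__(self, x):
        a, b, c, d = self.a, self.b, self.c, self.d
        if x <= a or x >= d:
            return 0.0
        if b <= x <= c:
            return 1.0
        if x < b:
            return (x - a) / (b - a)
        return (d - x) / (d - c)


# Input variable 1: link utilisation in percent ("how high is the load?").
LOAD_LOW = FuzzySet(-1, 0, 40, 70)
LOAD_HIGH = FuzzySet(50, 85, 100, 101)
# Input variable 2: packet loss in percent ("how close are things to failing?").
LOSS_NONE = FuzzySet(-1, 0, 0.5, 2)
LOSS_RISING = FuzzySet(1, 4, 100, 101)
# Output variable: how strongly to steer traffic away from the link (0..100).
STEER_KEEP = FuzzySet(-1, 0, 20, 50)
STEER_DRAIN = FuzzySet(50, 80, 100, 101)


def rule_strengths(load_pct, loss_pct):
    """Fire the rule base; each rule yields (firing strength, output set)."""
    return [
        (LOAD_HIGH(load_pct), STEER_DRAIN),                          # IF load high THEN drain
        (LOSS_RISING(loss_pct), STEER_DRAIN),                        # IF loss rising THEN drain
        (min(LOAD_LOW(load_pct), LOSS_NONE(loss_pct)), STEER_KEEP),  # IF load low AND no loss THEN keep
    ]


def defuzzify(rules, step=1):
    """Mamdani centroid: clip each output set by its rule strength, aggregate with max, take the centre of mass."""
    num = den = 0.0
    for y in range(0, 101, step):
        mu = max(min(strength, shape(y)) for strength, shape in rules)
        num += y * mu
        den += mu
    return num / den if den else 50.0  # no rule fired at all: undecided


def steer_away_score(load_pct, loss_pct):
    """Crisp 0..100 score: low means keep using the link, high means drain it."""
    return defuzzify(rule_strengths(load_pct, loss_pct))


def rank_links(measurements, drain_threshold=60.0):
    """Order links best-first and split off those whose traffic should move elsewhere."""
    scored = sorted((steer_away_score(*m), name) for name, m in measurements.items())
    usable = [name for score, name in scored if score < drain_threshold]
    drained = [name for score, name in scored if score >= drain_threshold]
    return usable, drained


if __name__ == "__main__":
    # Constructed measurements: (utilisation %, packet loss %) per ISP link.
    sample = {"MPLS": (20, 0.1), "ADSL": (95, 6.0), "LTE": (60, 0.2)}
    for name, m in sample.items():
        print(f"{name}: steer-away score {steer_away_score(*m):.1f}")
    print("usable / drained:", rank_links(sample))
```

A lightly loaded, loss‐free link scores around 18, a saturated link with rising loss around 82, and a link that is only partly loaded lands in between rather than flipping between ‘0’ and ‘1’; the threshold then decides when traffic is moved away.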

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint’s Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn’t provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low‐latency connections – an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they’re ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately the ERP system didn’t require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low‐bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint’s Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint’s Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.

Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business’s network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn’t sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What’s the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you’re obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.

What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren’t always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.

How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals – not surprisingly – that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn’t see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm – until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic – in other words, taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what’s happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.

WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1 Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2 Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3 Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5 Ten Top Tips for Managing Hybrid Connections
    • What’s the Role of the Network in My Business
    • What are the Connectivity Solutions Used in My Network
    • Do I Need a Service Level Agreement
    • What are the Availability Stats of My Most Important Applications
    • Is the Data Transmitted via My Network Secure
    • Am I Equipped for Increasing Volumes of Traffic
    • How much Time do I Spend on Configurations
    • Am I Always Using the Fastest Connection
    • Do I Sometimes Prioritize Performance over Security
    • Can I See All Connections Across My Network in Real‐Time
  • EULA

Making the case for distributed networksInitially networks operated following a centralized model where all data received by a central server subsequently dis-patched information to appropriate recipients

Evolving business models however led most organizations to embrace the move towards decentralized communication where no central node is present but each node is connected to various other nodes Thanks to these distributed networks retail organizations extend their digital reach to point‐of‐sale sites banks cater for remote branch offices and service indus-tries manage distributed workforces nationally andor globally

Distributed networks are necessarily WAN architectures which feature many advantages

Economic gain with a positive priceperformance ratio

Management of remote locations and users

Capacity to share information and resources

High availability is a systematic feature

Designed to adapt to change and growth

A common pattern emerges among enterprises with multi‐site information architectures

Remote sites need to be able to exchange information and communicate in a secure and reliable way andor with a central site

Business and bandwidth‐centered daily activity depend entirely on Internet Service Provider (ISP) connections

The availability factor of WAN infrastructures is critical

Distributed networks tend to become hybrid that is they use different connectivity options to ensure bandwidth for per-manent and changing traffic flow Although you can use many permutations such as MPLS combined with Asymmetric Digital Subscriber Line (ADSL) or Cable combined with MPLS and ADSL and so on managing and securing hybrid networks are key business requirements

Chapter 1 Understanding Next‐Generation Networks 13

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Keeping traffic private via VPNVirtual private network (VPN) technology uses a method referred to as tunneling as well as various security mecha-nisms to protect data connections

Working over private or public networks, VPN tunneling involves establishing and maintaining a logical network connection (which may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and server, and finally de‐encapsulated on arrival.

VPN is commonly used in the following scenarios:

Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

LAN‐to‐LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi‐Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases exponentially as the organization grows. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.

Internet‐based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet‐based VPN, however, isn't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers, and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real‐world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server, and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site‐to‐site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server, and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote‐access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK‐based office. In this case, they just require an Internet connection and configured VPN client software enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client‐side software, because the URL address of the VPN portal would suffice.

VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners, and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.
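As an added illustration (not code from the book or from any VPN product), the following Python model of a tunnel frame shows the two properties just described: the encapsulated payload is unreadable to anyone sniffing the carrier network, and a modified or replayed frame is rejected by the receiving gateway. It assumes the two gateways already share a secret (real VPNs negotiate one, for example with IKE for IPsec), uses an HMAC‐based counter‐mode keystream as a stand‐in for a real cipher, and its frame layout is constructed for this example only.

```python
"""Toy VPN tunnel framing: encrypt-then-MAC with a sequence number.

Added illustration, not code from the book or any VPN product. Both
gateways are assumed to share a secret already. The keystream is
HMAC-SHA256 in counter mode, a stand-in for a real cipher, and the
frame layout (header || ciphertext || tag) is invented for this example.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!4sIH")  # magic, sequence number, payload length
MAGIC = b"TVPN"
TAG_LEN = 32                     # HMAC-SHA256 output size


def derive_keys(shared_secret, direction):
    """Separate encryption and MAC keys per direction, so the two directions
    never reuse a keystream for the same sequence number."""
    enc = hmac.new(shared_secret, b"enc|" + direction, hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac|" + direction, hashlib.sha256).digest()
    return enc, mac


def keystream(key, seq, length):
    """Counter-mode keystream: concatenated HMAC(key, seq || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


class TunnelGateway:
    def __init__(self, shared_secret, send_dir, recv_dir):
        self.send_enc, self.send_mac = derive_keys(shared_secret, send_dir)
        self.recv_enc, self.recv_mac = derive_keys(shared_secret, recv_dir)
        self.send_seq = 0
        self.highest_seen = -1   # minimal anti-replay: accept only increasing seq

    def encapsulate(self, inner_packet):
        """Build the carrier frame: header || ciphertext || tag (encrypt-then-MAC)."""
        header = HEADER.pack(MAGIC, self.send_seq, len(inner_packet))
        body = xor(inner_packet, keystream(self.send_enc, self.send_seq, len(inner_packet)))
        tag = hmac.new(self.send_mac, header + body, hashlib.sha256).digest()
        self.send_seq += 1
        return header + body + tag

    def decapsulate(self, frame):
        """Verify the tag before anything else, then the sequence number, then
        decrypt. Any failure raises ValueError, i.e. the frame is dropped."""
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("frame too short")
        header, body, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.recv_mac, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: frame was modified in transit")
        magic, seq, length = HEADER.unpack(header)
        if magic != MAGIC or length != len(body):
            raise ValueError("malformed header")
        if seq <= self.highest_seen:
            raise ValueError("replayed frame: seq %d already seen" % seq)
        self.highest_seen = seq
        return xor(body, keystream(self.recv_enc, seq, length))


def build_tunnel(shared_secret):
    """Two gateways with mirrored direction labels (constructed shared secret)."""
    branch = TunnelGateway(shared_secret, b"branch->hq", b"hq->branch")
    hq = TunnelGateway(shared_secret, b"hq->branch", b"branch->hq")
    return branch, hq


def simulate(inner_packet, shared_secret=b"constructed-demo-secret"):
    """Send one packet through the tunnel and report what a sniffer sees, and
    whether a tampered copy and a replayed copy are rejected by the receiver."""
    branch, hq = build_tunnel(shared_secret)
    frame = branch.encapsulate(inner_packet)
    result = {"plaintext_visible": inner_packet in frame,
              "delivered": hq.decapsulate(frame)}
    tampered = bytearray(frame)
    tampered[HEADER.size] ^= 0x01          # flip one bit of the ciphertext
    try:
        hq.decapsulate(bytes(tampered))
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    try:
        hq.decapsulate(frame)                # resend the original frame
        result["replay_detected"] = False
    except ValueError:
        result["replay_detected"] = True
    return result


if __name__ == "__main__":
    print(simulate(b"constructed inner IP packet: branch -> HQ file server"))
```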

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks, and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Routing Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.

Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link‐state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software, and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration, and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.

Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth‐running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government, and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance, and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario, you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security, and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:

Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people, and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement, and cloud applications is amplifying the dependence on network connectivity. This approach is, in turn, forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.

Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email, or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they're social networks or e‐learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.

Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports, and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications, and allow fine‐grained policy control. These capabilities allow full‐stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.

Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure, and cost‐effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.

Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher‐priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.

Here we look at how you can put together a more cost‐effective solution.

Using consumer‐grade connections

Consumer‐grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer‐grade connections work on the best‐effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high‐speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high‐speed mobile connections and an update of existing UMTS technology). Consumer‐grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high‐quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower‐priority traffic to cheap links and reserve high‐quality lines for high‐priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status on all high‐quality links. In case of congestion or failure, they automatically start using the backup high‐quality links for high‐priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high‐priority traffic.
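The following Python model is an added example (not code from the book or from any vendor product) that puts the policies of this chapter together: QoS classes placed in priority order so that low‐priority traffic is what gets throttled, active–active sharing of the links that are up, standby links used only when the active ones are down or congested, and an emergency satellite link billed by volume that carries traffic only when nothing else is available. The link names, capacities, prices and sample flows are constructed for the example, and each flow is pinned to one link (no per‐packet splitting).

```python
"""Link-selection policy for a hybrid WAN with QoS classes.

Added example, not code from the book or any vendor. Links and traffic
flows are constructed; the policy is: critical flows first, active links
before standby before emergency, critical traffic prefers the SLA-backed
MPLS link, other traffic prefers the cheapest link with most headroom.
"""
from dataclasses import dataclass

CRITICAL, NORMAL, BULK = 0, 1, 2      # QoS classes; the lower number wins
TIERS = ("active", "standby", "emergency")


@dataclass
class Link:
    name: str
    kind: str                 # "mpls", "broadband" or "satellite"
    capacity_mbps: float
    cost_per_gb: float        # what the provider bills per GB carried
    role: str = "active"      # one of TIERS
    up: bool = True
    load_mbps: float = 0.0

    def headroom(self):
        return self.capacity_mbps - self.load_mbps if self.up else 0.0


def choose_link(links, demand_mbps, prio):
    """Walk the tiers in order. Inside a tier, critical traffic prefers MPLS,
    everything else prefers the cheapest link, and ties go to the link with
    the most free capacity (this is what spreads load active-active)."""
    for tier in TIERS:
        cands = [l for l in links if l.role == tier and l.headroom() >= demand_mbps]
        if not cands:
            continue
        if prio == CRITICAL:
            cands.sort(key=lambda l: (l.kind != "mpls", -l.headroom()))
        else:
            cands.sort(key=lambda l: (l.cost_per_gb, -l.headroom()))
        return cands[0]
    return None


def place_flows(links, flows):
    """flows: (name, prio, demand_mbps). Critical flows are placed first, so
    when capacity runs out it is the low-priority flows that are throttled
    (placement value None)."""
    for link in links:
        link.load_mbps = 0.0
    placement = {}
    for name, prio, demand in sorted(flows, key=lambda f: f[1]):
        link = choose_link(links, demand, prio)
        if link is not None:
            link.load_mbps += demand
        placement[name] = None if link is None else link.name
    return placement


def hourly_cost(links):
    """Volume charge for one hour at the current loads (Mbps -> GB per hour)."""
    return round(sum(l.load_mbps * 3600 / 8 / 1000 * l.cost_per_gb for l in links), 2)


def build_site():
    """Constructed branch-office links: one MPLS line, two broadband links
    used active-active, one satellite link kept for emergencies only."""
    return [
        Link("mpls-1", "mpls", 10, 8.0),
        Link("dsl-1", "broadband", 40, 0.5),
        Link("lte-1", "broadband", 40, 0.5),
        Link("sat-1", "satellite", 8, 40.0, role="emergency"),
    ]


FLOWS = [  # constructed sample traffic: (name, QoS class, demand in Mbps)
    ("stock-exchange", CRITICAL, 4),
    ("erp", CRITICAL, 3),
    ("email", NORMAL, 10),
    ("video-call", NORMAL, 8),
    ("web-surfing", BULK, 20),
    ("backup", BULK, 25),
]


def run_scenarios():
    """Normal operation, loss of the MPLS link, and only the satellite left."""
    out = {}
    links = build_site()
    out["normal"] = place_flows(links, FLOWS)
    out["normal_cost"] = hourly_cost(links)
    links[0].up = False                          # MPLS provider outage
    out["mpls_down"] = place_flows(links, FLOWS)
    for l in links:
        l.up = l.kind == "satellite"             # every terrestrial link down
    out["only_satellite"] = place_flows(links, FLOWS)
    out["only_satellite_cost"] = hourly_cost(links)
    return out


if __name__ == "__main__":
    for scenario, value in run_scenarios().items():
        print(scenario, value)
```

Setting the MPLS link's role to "standby" in build_site() models the cost strategy described above: cheap links carry everything, and the MPLS line is touched only when they are congested or down.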

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.

ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.

PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication, and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it's already heavily employed in online shopping and banking. SSL‐protected pages display 'https' in the browser URL bar, as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing configuring and sometimes trou-bleshooting with SSL the task is made simpler via the use of a web portal SSL can also imitate the way IPsec works via light-weight software

Securing Hybrid Networks For Dummies 32

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting unlike IPsec The end‐users just need to know the address of the SSL VPN portal Another advantage is that any computer can be used and you donrsquot need to rely on pre‐configured client side software
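To make the distinction above concrete, here is an added example (not code from the book or from Forcepoint) that classifies captured IPv4 packets by the tunnelling protocol protecting them, so you can check which flows leave a site in the clear. It assumes the standard protocol and port numbers (ESP is IP protocol 50, AH 51, GRE 47; IKE uses UDP 500 and 4500, bare L2TP UDP 1701, PPTP control TCP 1723, TLS TCP 443). The packets in SAMPLES and the addresses are constructed for the demonstration, and the header builders are simplified (no checksums).

```python
"""Classify captured IPv4 packets by the tunnelling protocol, if any, that protects them.

Added example (not from the book): the packets below are constructed, and the
classification relies on the standard protocol and port numbers (ESP = IP proto 50,
AH = 51, GRE = 47, IKE = UDP/500, IKE NAT-T = UDP/4500, L2TP = UDP/1701,
PPTP control = TCP/1723, TLS = TCP/443).
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Verdict:
    label: str       # what the packet is
    protected: bool  # is the payload encrypted on the wire?
    note: str        # the practitioner's follow-up check


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left at 0) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_l4(sport: int, dport: int, body: bytes, tcp: bool) -> bytes:
    """Minimal TCP (20-byte, ACK|PSH) or UDP (8-byte) header plus body."""
    if tcp:
        return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0) + body
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def classify(pkt: bytes) -> Verdict:
    """Decide from the IP protocol number and, for TCP/UDP, the ports what protects this packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("this example handles IPv4 only")
    proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == IPPROTO_ESP:
        return Verdict("ipsec-esp", True, "encrypted; check the SA uses AES (GCM or CBC+HMAC-SHA2), not DES/3DES/MD5")
    if proto == IPPROTO_AH:
        return Verdict("ipsec-ah", False, "AH authenticates but does not encrypt: still readable on the wire")
    if proto == IPPROTO_GRE:
        return Verdict("pptp-gre", False, "PPTP data channel (MPPE/RC4 keyed from MS-CHAPv2): treat as cleartext")
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return Verdict(f"ip-proto-{proto}", False, "unclassified; inspect manually")
    sport, dport = struct.unpack("!HH", l4[:4])
    ports, kind = {sport, dport}, "TCP" if proto == IPPROTO_TCP else "UDP"
    if kind == "UDP" and ports & {500, 4500}:
        return Verdict("ike-or-nat-t", True, "IKE key exchange or ESP in UDP (NAT-T); no payload exposed")
    if kind == "UDP" and 1701 in ports:
        return Verdict("l2tp-bare", False, "L2TP outside IPsec carries no encryption; it should only appear inside ESP")
    if kind == "TCP" and 1723 in ports:
        return Verdict("pptp-control", False, "PPTP control channel; plan the move to IPsec or an SSL/TLS VPN")
    if kind == "TCP" and 443 in ports:
        return Verdict("tls", True, "TLS (HTTPS / SSL VPN portal); confirm TLS 1.2+ and certificate validation")
    return Verdict("cleartext", False, f"unprotected {kind} {sport}->{dport}")


def audit(packets: list[bytes]) -> dict:
    """Summarize a capture: every flow's verdict, how many left unprotected, and whether PPTP is still in use."""
    verdicts = [classify(p) for p in packets]
    return {
        "flows": [(v.label, v.protected) for v in verdicts],
        "unprotected": sum(1 for v in verdicts if not v.protected),
        "legacy_pptp": any(v.label.startswith("pptp") for v in verdicts),
    }


# Constructed sample capture (addresses from the RFC 5737 documentation ranges).
SITE, DATACENTER = "203.0.113.10", "198.51.100.20"
SAMPLES = {
    "esp":       build_ipv4(IPPROTO_ESP, SITE, DATACENTER, bytes.fromhex("0001e24000000007") + bytes(32)),
    "nat_t":     build_ipv4(IPPROTO_UDP, SITE, DATACENTER, build_l4(4500, 4500, bytes(40), tcp=False)),
    "tls":       build_ipv4(IPPROTO_TCP, SITE, DATACENTER, build_l4(51234, 443, b"\x16\x03\x03\x00\x2a", tcp=True)),
    "pptp_ctl":  build_ipv4(IPPROTO_TCP, SITE, DATACENTER, build_l4(51235, 1723, bytes(12), tcp=True)),
    "pptp_gre":  build_ipv4(IPPROTO_GRE, SITE, DATACENTER, bytes.fromhex("3001880b") + bytes(20)),
    "l2tp_bare": build_ipv4(IPPROTO_UDP, SITE, DATACENTER, build_l4(1701, 1701, bytes(12), tcp=False)),
    "smtp":      build_ipv4(IPPROTO_TCP, SITE, DATACENTER, build_l4(51236, 25, b"EHLO branch\r\n", tcp=True)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = classify(pkt)
        print(f"{name:10} {v.label:14} protected={v.protected!s:5} {v.note}")
    print(audit(list(SAMPLES.values())))
```

To run it on real traffic, feed classify() the raw IP bytes of each packet from a capture; anything reported as cleartext, l2tp-bare or pptp-* is readable by whoever sits on the ISP's link, which is exactly what the paragraph on eavesdropping warns about.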

Cloud services
In the current IT landscape more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4
Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter
• Appreciating the power of multi-link management
• Distributing traffic for bandwidth efficiency
• Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. In addition to supporting crucial features such as clustering, load balancing, QoS and evasion protection, the solution provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements of the kind needed between two ISPs when you use BGP for a highly available Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves. Keep one consequence in mind: without BGP your site has no single address that is reachable through every ISP, so each outbound Internet connection leaves on one link with that link's address, and if the link fails the connection is re-established on another link rather than moved transparently. Traffic inside a VPN tunnel doesn't have this problem, because the inner addresses stay the same whichever link the tunnel runs over.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Meeting Multi-Link Technology
The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links
In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action
Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.

The problem
The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the single point of failure of the one MPLS connection in place.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was no more than the subscription fees it had already paid. In the case of a connection outage that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution
The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

• SAP traffic = Priority 1 = Forced on the MPLS link
• HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link

The prioritization is only as good as the classification behind it: if SAP traffic is recognized by address or port, re-check those rules after any application or server change, because misclassified SAP traffic silently drops to priority 4.

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, so you may not need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links
Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible, provided the links really are independent: two DSL lines in the same street cabinet, or two LTE subscriptions served by the same mast, tend to fail together. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

The method, then, is to use several low-cost connections and make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security
An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem
The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution
The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption. Don't wait for a hurricane to find out whether that holds for you: disable one link deliberately during a maintenance window and confirm that the tunnels re-establish within the time you can tolerate and that the management center raises an alert for the dead link.

Figure 4-1: Combining different links for efficient hybrid networks.

Load Balancing with Multi-Link
Picking the link that answers fastest isn't always the right choice. For example, if one ISP's bandwidth far exceeds that of the other connections in use and is supplemented by smaller ISPs, a smaller ISP may return a faster SYN-ACK (synchronize-acknowledgement) response. Although that link may look like the 'fastest' connection, choosing it on that basis doesn't take into account the proportionate bandwidth available. A ratio method, whereby traffic is distributed among all the available links according to their relative capacity, is usually the better solution.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method
Forcepoint's Stonesoft Next Generation Firewall technology resolves the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: the ratio of actual traffic distribution is only approximate.
• Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacities.
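The following added example (not Forcepoint's code) turns two ideas from this chapter into a small scheduler: the priority placement from the retail case ('SAP = priority 1, forced on MPLS; HTTP = priority 4, ADSL plus spare MPLS capacity') and the capacity-ratio distribution just described. It also shows the Bermuda-style failover when the forced link goes down. The link capacities, flows, priority numbers and function names are all assumptions made for illustration; a real gateway places connections one at a time as they arrive, whereas this example places a snapshot of flows in one batch.

```python
"""Multi-Link style link selection: priority placement, capacity-ratio balancing and failover.

Added example, not Forcepoint's code: the link capacities, flows and the
1-to-4 priority classes are constructed to mirror the book's sample
configuration (SAP = priority 1 forced onto MPLS, HTTP = priority 4 on ADSL
plus spare MPLS capacity). Rates are in Mbit/s.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    name: str
    capacity: float          # Mbit/s the ISP sold you
    up: bool = True          # False once monitoring declares the link dead
    load: float = 0.0        # Mbit/s currently placed on the link

    @property
    def ratio(self) -> float:
        """Load relative to capacity: the quantity the ratio method keeps even across links."""
        return self.load / self.capacity

    def free(self) -> float:
        return self.capacity - self.load


@dataclass
class Flow:
    name: str
    priority: int                        # 1 = most important ... 4 = best effort
    rate: float                          # Mbit/s this flow needs
    forced_link: Optional[str] = None    # priority traffic pinned to a specific link


def pick_by_ratio(links: list[Link], rate: float) -> Optional[Link]:
    """Ratio method: of the live links with room for the flow, take the least loaded relative to its size."""
    fitting = [l for l in links if l.up and l.free() >= rate]
    return min(fitting, key=lambda l: l.ratio) if fitting else None


def schedule(links: dict[str, Link], flows: list[Flow]) -> dict[str, str]:
    """Place flows highest priority first; returns flow name -> link name or 'THROTTLED'."""
    for link in links.values():
        link.load = 0.0
    placement: dict[str, str] = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        candidates = list(links.values())
        if flow.forced_link is not None and links[flow.forced_link].up:
            # Priority traffic owns its link; it is never pushed onto a cheaper one while that link is up.
            candidates = [links[flow.forced_link]]
        # If the forced link is down, the flow fails over to whichever live link the ratio method picks.
        chosen = pick_by_ratio(candidates, flow.rate)
        if chosen is None:
            placement[flow.name] = "THROTTLED"      # QoS: the flow waits when nothing has room for it
        else:
            chosen.load += flow.rate
            placement[flow.name] = chosen.name
    return placement


def share_by_link(links: dict[str, Link], n_flows: int, rate: float = 1.0) -> dict[str, float]:
    """Distribute n equal flows by the ratio method and report each link's share of the total."""
    for link in links.values():
        link.load = 0.0
    for _ in range(n_flows):
        chosen = pick_by_ratio(list(links.values()), rate)
        if chosen is None:
            break
        chosen.load += rate
    total = sum(l.load for l in links.values())
    return {name: round(l.load / total, 3) for name, l in links.items()}


def make_links(**capacity: float) -> dict[str, Link]:
    return {name: Link(name, cap) for name, cap in capacity.items()}


def retail_office_flows() -> list[Flow]:
    """Constructed snapshot of one branch office's traffic at a peak moment."""
    return [
        Flow("sap-1", 1, 3.0, forced_link="MPLS"),
        Flow("sap-2", 1, 3.0, forced_link="MPLS"),
        Flow("web-1", 4, 5.0), Flow("web-2", 4, 5.0),
        Flow("web-3", 4, 5.0), Flow("web-4", 4, 5.0),
        Flow("mail", 4, 4.0),
    ]


if __name__ == "__main__":
    office = make_links(MPLS=10.0, ADSL=16.0)
    print("normal  :", schedule(office, retail_office_flows()))
    office["MPLS"].up = False                                # the MPLS provider goes dark
    print("failover:", schedule(office, retail_office_flows()))
    trio = make_links(MPLS=10.0, ADSL_1=20.0, ADSL_2=20.0)   # capacity ratio 1:2:2
    print("3 flows :", share_by_link(trio, 3))               # low volume: shares only approximate the ratio
    print("50 flows:", share_by_link(trio, 50))              # high volume: shares settle at 0.2/0.4/0.4
```

In the normal run the two SAP flows land on MPLS, web traffic fills ADSL, the mail flow soaks up the 4 Mbit/s left on MPLS, and one web flow is throttled because nothing has room for it. With MPLS marked down, SAP fails over to ADSL and the lowest-priority flows are the ones throttled. The two share_by_link() calls reproduce the bullet points above: three flows split evenly regardless of capacity, fifty flows split in the 1:2:2 capacity ratio.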

Getting logical, though fuzzily
Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load-balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.
• Traffic goes to a poor-quality link even though a better link is available.
• Traffic goes to a standby link even though an active link works.
• Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?
• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it to choose the best available Internet service provider line.
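As an added example (not the product's own algorithm), here is a complete miniature of the fuzzy pipeline the paragraph lists, input variables, fuzzy sets, rules, an output variable and defuzzification, applied to the two questions above. The membership function shapes, the rule base, the 0-100 'health' output and its centroids, and the sample link readings are all constructed for illustration; the inputs are link utilisation (0.0 to 1.0) and packet loss in per cent from whatever link monitoring you already run.

```python
"""Fuzzy-logic link health: 'how high is the load?' and 'how close is the link to failing?' become a 0-100 score.

Added example, not Forcepoint's code. The membership functions, rule base and
centroids are constructed for illustration; inputs are link utilisation
(0.0-1.0) and packet loss in per cent.
"""
from __future__ import annotations


def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Membership rises from 0 at a to 1 at b, stays 1 until c, and falls back to 0 at d."""
    if b <= x <= c:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if c < x < d:
        return (d - x) / (d - c)
    return 0.0


# Fuzzy sets for each input variable (a triangle is a trapezoid with b == c).
LOAD_SETS = {
    "low":  lambda u: trapezoid(u, 0.0, 0.0, 0.4, 0.8),
    "high": lambda u: trapezoid(u, 0.4, 0.8, 1.0, 1.0),
}
LOSS_SETS = {   # packet loss in per cent
    "none":   lambda p: trapezoid(p, 0.0, 0.0, 0.5, 2.0),
    "some":   lambda p: trapezoid(p, 0.5, 2.0, 2.0, 5.0),
    "severe": lambda p: trapezoid(p, 2.0, 5.0, 100.0, 100.0),
}

# Output variable 'health', defuzzified with one representative centroid per set.
HEALTH_CENTROIDS = {"bad": 10.0, "ok": 50.0, "good": 90.0}

# Rule base: every antecedent must hold (fuzzy AND = min); the consequent names an output set.
RULES = [
    ({"loss": "severe"}, "bad"),
    ({"loss": "some", "load": "high"}, "bad"),
    ({"loss": "some", "load": "low"}, "ok"),
    ({"loss": "none", "load": "high"}, "ok"),
    ({"loss": "none", "load": "low"}, "good"),
]


def fuzzify(load: float, loss_pct: float) -> dict[str, dict[str, float]]:
    """Degree to which each input belongs to each of its fuzzy sets."""
    return {
        "load": {name: f(load) for name, f in LOAD_SETS.items()},
        "loss": {name: f(loss_pct) for name, f in LOSS_SETS.items()},
    }


def link_health(load: float, loss_pct: float) -> float:
    """Fire the rules and defuzzify to a 0-100 score (higher is healthier)."""
    memberships = fuzzify(load, loss_pct)
    strength = {name: 0.0 for name in HEALTH_CENTROIDS}
    for antecedents, consequent in RULES:
        firing = min(memberships[var][term] for var, term in antecedents.items())
        strength[consequent] = max(strength[consequent], firing)   # fuzzy OR across rules
    total = sum(strength.values())
    if total == 0.0:
        return 0.0
    # Weighted average of the centroids: the 'de-fuzzifying' step.
    return sum(strength[s] * HEALTH_CENTROIDS[s] for s in strength) / total


def rank_links(measurements: dict[str, tuple[float, float]], evacuate_below: float = 30.0) -> dict:
    """Score every link; report the best one and the ones traffic should be moved off."""
    scores = {name: link_health(load, loss) for name, (load, loss) in measurements.items()}
    return {
        "scores": scores,
        "best": max(scores, key=scores.get),
        "evacuate": [name for name, score in scores.items() if score < evacuate_below],
    }


if __name__ == "__main__":
    # Constructed readings: (utilisation, packet loss %) per ISP link.
    readings = {"MPLS": (0.30, 0.2), "ADSL": (0.60, 1.0), "LTE": (0.90, 3.0)}
    print(rank_links(readings))
```

The point of the fuzzy sets is the middle case: the ADSL reading (60% load, 1% loss) is neither clearly fine nor clearly failing, and the rules blend 'ok' and 'good' with a little 'bad' into a score of 55 instead of forcing a yes/no verdict. The LTE link, with 3% loss, scores 10 and is flagged for evacuation before it fails outright, which is what lets traffic move away early rather than after a hard timeout.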

Keeping Watch over Hybrid Networks
Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success
Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks and can integrate with third-party devices and event management tools. A console that can push policy to hundreds of firewalls is itself a high-value target, so restrict which networks can reach it, require strong authentication for administrators, and make sure every configuration change is logged and attributable.

Solving a real-world issue
An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem
The company had several conflicting needs:

• The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.
• The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.
• The use of a VoIP service was desirable wherever possible to save costs.
• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution
The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5
Ten Top Tips for Managing Hybrid Connections

In This Chapter
• Navigating complexities
• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?
Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?
Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?
Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?
You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?
Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?
Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time do I Spend on Configurations?
Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?
You may sometimes receive reports that an application took longer than usual to access or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?
As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high-traffic network? Answer that deliberately rather than by default: a backup image contains everything on the server, so the answer hinges on who else can physically or logically reach that network, and the decision and its reasoning belong in writing so that they are revisited when the network changes.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?
Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


Wiley End User License Agreement
Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How Much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real Time?
• EULA

Chapter 1 Understanding Next‐Generation Networks 13


Keeping traffic private via VPNVirtual private network (VPN) technology uses a method referred to as tunneling as well as various security mecha-nisms to protect data connections

Working over private or public networks VPN tunneling involves establishing and maintaining a logical network con-nection (that may contain intermediate hops) On this connec-tion packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol transmitted between the VPN client and server and finally de‐encapsulated on arrival

VPN is commonly used in the following scenarios:

• Remote client connections: You can set up a VPN to support protected access to corporate home offices over the Internet.

• LAN-to-LAN internetworking: A VPN can bridge two networks. In this mode of operation, an entire remote network (rather than just a single remote client) can join a different company network to form an extended intranet.

• Controlled access within an intranet: Internal networks can also use VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway.

This type of VPN use doesn't involve an ISP or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their Wi-Fi networks.

The cost to an organization of building a dedicated private network can be reasonable at first, but it increases rapidly as the organization grows, because every pair of sites needs its own line. A company with two branch offices needs just one dedicated line to connect both locations, but four branch offices require six lines to connect them directly to each other, six branch offices need fifteen lines, and so on.


Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach and quality of service. The reliability and performance of an Internet-based VPN, however, aren't under an organization's direct control. Instead, the solution relies on an ISP and its quality of service.

You can reduce the risk of ISP failure with Internet VPNs by having two or more ISPs and using the second in a VPN failover scenario.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines. It also allows users to work from home and reduces spending on resources such as email servers, file servers and so on, because all these can be accessed over the VPN connection at the central site.

Two VPN scenarios

A real-world example may involve a company split into two sites: the main office in North America and a smaller site in the UK. The North American site already has a full network and storage infrastructure in place, including an Active Directory, an Exchange server, a file server and so on. The UK site only has a small number of users, say 10 employees.

To make this particular structure cost effective, a site-to-site VPN connection would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case, they just require an Internet connection and configured VPN client software, enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address of the VPN portal would suffice.


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified in transit, the VPN gateway detects this too.

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available, and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load-balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link-state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. Once implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co-operate with each other. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter

• Producing a smooth-running complex network

• Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

• Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

• Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the trade-off between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


• Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

• Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

• Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

• Voice and video communications: These must-have technologies are heavy consumers of bandwidth and increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

• Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outages with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not recur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, it still permits more than three days of interruption in a single year, which can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

• Is a cost-effective way available to provide backup connections if the MPLS link fails?

• The Internet connection is always too limited and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

• When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

• Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

• Making informed decisions about connectivity

• Thinking about cost

• Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So, no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.
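The scheduling rule just described (higher-priority classes go first, and lower-priority classes are slowed only when the link runs short) is written out below as an added Go example. It is not code from this book or from any product; the traffic classes, their demands and the strict-priority discipline are assumptions chosen to mirror the bank example, and real QoS engines commonly use weighted or hierarchical queues rather than pure strict priority.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is one class of traffic competing for a link. Demand and the granted
// bandwidth are in Mbps; a lower Priority number means more important.
type Flow struct {
	Name     string
	Priority int
	Demand   float64
}

// Allocation maps a flow name to the bandwidth (Mbps) it was granted.
type Allocation map[string]float64

// SchedulePriority models strict-priority QoS on a link of the given
// capacity: the most important class is served in full before the next
// class sees any capacity. Classes that share a priority split whatever is
// left in proportion to their demand, and everything below them gets nothing.
func SchedulePriority(capacity float64, flows []Flow) Allocation {
	out := make(Allocation, len(flows))
	byPrio := map[int][]Flow{}
	var prios []int
	for _, f := range flows {
		if _, seen := byPrio[f.Priority]; !seen {
			prios = append(prios, f.Priority)
		}
		byPrio[f.Priority] = append(byPrio[f.Priority], f)
	}
	sort.Ints(prios)

	remaining := capacity
	for _, p := range prios {
		group := byPrio[p]
		demand := 0.0
		for _, f := range group {
			demand += f.Demand
		}
		if demand <= remaining {
			// No congestion at this level: everyone gets what they asked for.
			for _, f := range group {
				out[f.Name] = f.Demand
			}
			remaining -= demand
			continue
		}
		// Congestion: this level absorbs the rest, lower levels are starved.
		for _, f := range group {
			out[f.Name] = remaining * f.Demand / demand
		}
		remaining = 0
	}
	return out
}

// SampleFlows is a constructed traffic mix for the bank example in the text:
// stock-exchange and voice traffic outrank web surfing, which outranks backups.
func SampleFlows() []Flow {
	return []Flow{
		{Name: "stock-exchange", Priority: 1, Demand: 20},
		{Name: "voip", Priority: 1, Demand: 10},
		{Name: "web-surfing", Priority: 3, Demand: 60},
		{Name: "backup", Priority: 4, Demand: 40},
	}
}

func main() {
	// Off-peak (200 Mbps) everyone is satisfied; at peak (100 Mbps) the
	// 130 Mbps of demand is trimmed from the bottom of the priority list.
	for _, capacity := range []float64{200, 100} {
		fmt.Printf("link capacity %.0f Mbps:\n", capacity)
		for name, got := range SchedulePriority(capacity, SampleFlows()) {
			fmt.Printf("  %-15s %.1f Mbps\n", name, got)
		}
	}
}
```

With 100 Mbps of capacity and 130 Mbps of demand, the stock-exchange and voice classes keep their full 30 Mbps, web surfing still gets its 60 Mbps, and the backup class is squeezed to the remaining 10 Mbps; shrink the link further and the starvation moves up the list, which is exactly the behaviour an operator has to plan for when sizing links.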

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active set-up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can get unfailing uptime from an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer-grade connections

Consumer-grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer-grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer-grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.
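The link-selection policies from the 'Activating dormant links' section and the cost-saving arrangement just described can be expressed as one small decision routine. The Go code below is an added example, not code from this book or from any load balancer or firewall product: the link names, capacities, the three link tiers and the 80 per cent congestion threshold are assumptions for illustration, and a real device would also track latency, packet loss and per-flow state.

```go
package main

import (
	"errors"
	"fmt"
)

// Tier is the kind of ISP link, as the chapter classifies them.
type Tier int

const (
	Broadband Tier = iota // cheap consumer-grade link, best effort
	MPLS                  // expensive SLA-backed link
	Satellite             // very reliable, billed by volume, emergency use only
)

// Link is one ISP connection with its current health and load (Mbps).
type Link struct {
	Name     string
	Tier     Tier
	Up       bool
	Capacity float64
	Load     float64
}

// congestionRatio is an assumed threshold: above 80% utilisation a cheap
// link is treated as congested and high-priority traffic is moved off it.
const congestionRatio = 0.8

func (l Link) free() float64   { return l.Capacity - l.Load }
func (l Link) congested() bool { return l.Load >= congestionRatio*l.Capacity }

// bestFree returns the healthy link of the given tier with the most spare
// capacity (active-active sharing), or nil when none qualifies.
func bestFree(links []Link, tier Tier, allowCongested bool) *Link {
	var best *Link
	for i := range links {
		l := &links[i]
		if !l.Up || l.Tier != tier || (!allowCongested && l.congested()) {
			continue
		}
		if best == nil || l.free() > best.free() {
			best = l
		}
	}
	return best
}

// ActiveStandby is the traditional setup the text describes: the first
// healthy link in configured order carries everything, the rest sit idle.
func ActiveStandby(links []Link) (string, error) {
	for _, l := range links {
		if l.Up && l.Tier != Satellite {
			return l.Name, nil
		}
	}
	return "", errors.New("no usable link")
}

// ChooseLink implements the cost-driven policy from the text for one new
// flow: cheap links carry all traffic while they have headroom; on congestion
// or failure, high-priority traffic moves to the MPLS standby; satellite is
// touched only when nothing else is up, and only for traffic worth its cost.
func ChooseLink(links []Link, highPriority bool) (string, error) {
	if l := bestFree(links, Broadband, false); l != nil {
		return l.Name, nil
	}
	if highPriority {
		if l := bestFree(links, MPLS, true); l != nil {
			return l.Name, nil
		}
	}
	// Best-effort traffic squeezes onto a congested cheap link rather than
	// consuming the expensive ones.
	if l := bestFree(links, Broadband, true); l != nil {
		return l.Name, nil
	}
	if l := bestFree(links, MPLS, true); l != nil {
		return l.Name, nil
	}
	if highPriority {
		if l := bestFree(links, Satellite, true); l != nil {
			return l.Name, nil
		}
	}
	return "", errors.New("no usable link")
}

// SampleLinks is a constructed site with two broadband lines, one MPLS
// circuit and a satellite backup; names and figures are illustrative.
func SampleLinks() []Link {
	return []Link{
		{Name: "broadband-a", Tier: Broadband, Up: true, Capacity: 100, Load: 30},
		{Name: "broadband-b", Tier: Broadband, Up: true, Capacity: 50, Load: 45},
		{Name: "mpls-1", Tier: MPLS, Up: true, Capacity: 20, Load: 0},
		{Name: "satellite", Tier: Satellite, Up: true, Capacity: 5, Load: 0},
	}
}

func main() {
	links := SampleLinks()
	report := func(when string) {
		hi, _ := ChooseLink(links, true)
		lo, err := ChooseLink(links, false)
		fmt.Printf("%-24s high-priority -> %-12s best-effort -> %s %v\n", when, hi, lo, err)
	}
	report("normal:")
	links[0].Load = 90 // broadband-a becomes congested
	report("broadband-a congested:")
	links[0].Up, links[1].Up, links[2].Up = false, false, false
	report("only satellite up:")
}
```

Running it shows the three regimes in turn: everything rides the cheapest uncongested line, then high-priority flows fail over to MPLS while best-effort traffic stays on the congested cheap link, and finally only high-priority traffic is allowed onto the metered satellite link while best-effort traffic is refused rather than run up the bill.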

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.

ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you eliminate this risk, because eavesdroppers receive only encrypted traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

• Point to Point Tunneling Protocol (PPTP)

• Layer 2 Tunneling Protocol (L2TP)

• IP Security (IPsec)

• Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints, using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.
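To make concrete what Chapter 1 describes as encapsulating packets inside a carrier protocol, and why this section says end-to-end encryption (unlike the traffic separation MPLS offers) removes the eavesdropping risk, here is an added Go example. It is not code from this book, from Forcepoint or from any VPN product; it stands in for IPsec with AES-GCM and a clear-text sequence-number header in the spirit of ESP, and the fixed key, packet contents and header layout are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Tunnel is one direction of a VPN tunnel: a shared key plus the sequence
// numbers used to reject replayed carrier packets. Real deployments derive a
// separate key per direction (IKE does this for IPsec); this toy carries one
// direction only, so the nonce built from the sequence number never repeats.
type Tunnel struct {
	aead    cipher.AEAD
	sendSeq uint64
	recvSeq uint64
}

const hdrLen = 8 // sequence-number header: sent in clear, but authenticated

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// nonce places the 8-byte sequence number in the low bytes of a 12-byte GCM nonce.
func (t *Tunnel) nonce(hdr []byte) []byte {
	n := make([]byte, t.aead.NonceSize())
	copy(n[len(n)-hdrLen:], hdr)
	return n
}

// Encapsulate wraps an inner packet for transport over the carrier network:
// [8-byte sequence number][AES-GCM ciphertext + tag]. The header is bound to
// the ciphertext as associated data, so it cannot be altered either.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	t.sendSeq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint64(hdr, t.sendSeq)
	return append(hdr, t.aead.Seal(nil, t.nonce(hdr), inner, hdr)...)
}

// Decapsulate reverses Encapsulate. A modified packet fails the GCM tag
// check, and a packet whose sequence number does not advance is a replay;
// both are dropped before the receiver sees any plaintext.
func (t *Tunnel) Decapsulate(carrier []byte) ([]byte, error) {
	if len(carrier) < hdrLen+t.aead.Overhead() {
		return nil, errors.New("carrier packet too short")
	}
	hdr, ct := carrier[:hdrLen], carrier[hdrLen:]
	seq := binary.BigEndian.Uint64(hdr)
	if seq <= t.recvSeq {
		return nil, errors.New("replayed or reordered packet rejected")
	}
	inner, err := t.aead.Open(nil, t.nonce(hdr), ct, hdr)
	if err != nil {
		return nil, errors.New("integrity check failed: packet modified or wrong key")
	}
	t.recvSeq = seq
	return inner, nil
}

// TestKey is a constructed 256-bit key for the demo only; real keys come
// from the VPN's key exchange, never from a constant in the code.
func TestKey() []byte { return bytes.Repeat([]byte{0x42}, 32) }

func main() {
	sender, _ := NewTunnel(TestKey())
	receiver, _ := NewTunnel(TestKey())

	inner := []byte("GET /balances HTTP/1.1") // constructed inner packet
	carrier := sender.Encapsulate(inner)
	fmt.Println("sniffer can read the plaintext:", bytes.Contains(carrier, inner))

	got, err := receiver.Decapsulate(carrier)
	fmt.Printf("receiver got %q, err=%v\n", got, err)

	_, err = receiver.Decapsulate(carrier) // the same packet delivered again
	fmt.Println("replay:", err)

	tampered := sender.Encapsulate([]byte("second packet"))
	tampered[len(tampered)-1] ^= 0x01 // one bit flipped in transit
	_, err = receiver.Decapsulate(tampered)
	fmt.Println("tamper:", err)
}
```

The three checks correspond to the three properties the text claims for a VPN tunnel: a sniffed carrier packet never contains the inner packet, a replayed or modified packet is rejected before any plaintext reaches the receiver, and a peer with a different key cannot open the tunnel at all.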


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar, as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the hours of configuring and troubleshooting that IPsec can demand. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used; you don't need to rely on pre-configured client-side software. The flip side is that a portal reachable from any computer is also reachable from untrusted and compromised ones, so pair it with multi-factor authentication and limit what the portal exposes.

Cloud services
In the current IT landscape more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network into it, which creates a need for connections between the company's own network and the cloud. Encrypt these connections. The use case is very similar to a site-to-site VPN, except that the other end of the tunnel is the cloud provider's VPN gateway.

We don't focus on data in this book, but it's worth stressing the importance of encrypting valuable data that you store in the cloud, not just the links that carry it there.

Chapter 4
Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter
Appreciating the power of multi-link management
Distributing traffic for bandwidth efficiency
Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. Alongside crucial features such as clustering, load balancing, QoS and evasion protection, it provides a simple and cost-effective way to create secure, high-capacity connections between sites and to ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements you'd need between two ISPs when using BGP for a highly available Internet connection. The integrated Forcepoint Security Management Center holds all the configuration, completely independent of any setup or co-ordination with the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges set out in Chapter 3. Multi-Link is a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology
The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links
In normal conditions (enough networking capacity and no congestion) all traffic is evenly load-balanced between the different network links. When congestion occurs, during peak hours for instance, QoS takes action: it either dedicates some of the network links entirely to high-priority traffic or guarantees that traffic a specific percentage of the link capacity. Lower-priority traffic has to wait (it can be throttled) or use the links that aren't reserved for high-priority traffic.

Often, companies subscribe to QoS so that high-priority traffic stays on high-quality network links (such as MPLS) while low-priority traffic uses cheaper or lower-quality links.

Seeing multi-link prioritization in action
Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem
The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to move the other traffic off the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the single point of failure of the one MPLS connection in place.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was at most the subscription fees it had already paid. That wouldn't cover the production losses from an outage, so the company wanted a cost-effective backup connection for the SAP traffic.

The solution
The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for each of its offices, which was a cost-effective way to supply more bandwidth to every location.

Forcepoint's Multi-Link technology was used to load-balance the traffic between the ADSL and MPLS connections, and the QoS feature was implemented to prioritize SAP traffic. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is allowed to use it.

In this manner the expensive, high-quality MPLS connection runs close to 100 per cent utilization at all times, while the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced onto the MPLS link
HTTP traffic = Priority 4 = Normally using ADSL, plus free capacity on the MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality gives you control over how each application uses the available bandwidth. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes the use of network resources more efficient by serving the traffic that matters most to your business first, so you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links
Wouldn't it be great if you could assemble several ADSL and LTE connections into one big, reliable connection? Provided their failures are independent (they don't share a last-mile cable, a local exchange or an upstream provider), the probability of them all failing at the same time is negligible. Their traffic fluctuations occur at different times, so most of the time you'd enjoy more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size

Another method would be to use several low-cost connections and somehow make them look like one trustworthy, fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections and makes them invisible to the user of the combined connection (see Figure 4-1). The user sees only a fast, always-available connection, whatever the underlying links. Organizations gain the flexibility to deploy the type and number of connections best suited to their environments and their budgets.


Joining together for security
An industrial organization had its production sites in the United States and one of its sales offices in Bermuda.

The problem
The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO was anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All the alternatives turned out to be rather complex and costly.

The solution
The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration let it avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1 Combining different links for efficient hybrid networks

About one year later a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still functioning one Business continued without interruption

Load Balancing with Multi-Link
At first you may think that simply picking the 'fastest' link is the best approach. Suppose one ISP's bandwidth far exceeds that of the smaller ISPs that supplement it; the smaller ISP may still return a faster SYN-ACK (synchronize-acknowledgement) response to a connection attempt.

But although that link looks like the 'fastest' connection, choosing it on that basis ignores the proportionate bandwidth available. A ratio method, whereby traffic is distributed among all the available links according to their relative capacity, is usually the better choice.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to figure out quickly whether one of the links is going bad, and to move network traffic away to the other, valid links.

Figure 4-2 Multi‐link technology secures hybrid business networks


Rethinking the ratio method
Forcepoint's Stonesoft Next Generation Firewall resolves the puzzle with a ratio method, in which traffic is distributed among all the available links according to their relative capacity.

The bandwidth of each link is compared with the bandwidth of the largest link to produce a ratio for distributing the traffic. How closely the real distribution follows that ratio depends on the volume of traffic:

Volume of traffic is low: the actual traffic distribution only approximates the ratio.

Volume of traffic is high: the share of traffic handled by each link comes close to the ratio calculated from the link capacities.

Getting logical, though fuzzily
Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into account, which gives more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling the different situations gracefully is especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load-balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isnrsquot handled correctly

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long

Fuzzy logic is a useful tool in such scenarios because it's a multi-valued logic: instead of just '0' or '1', you have a range of values. Fuzzy logic can work with imprecise data and calculate 'degrees of truth', answering questions such as the following:

How high is the load

How close are things to failing

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'defuzzification' (turning the fuzzy result back into one concrete decision) to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it to choose the fastest available ISP line at any moment.
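The three mechanisms this section describes (a priority policy that pins high-priority traffic to a reserved link, the capacity-ratio split for everything else, and a health score that degrades and then drops a failing link) fit together in one small piece of logic. The following is an added illustration written for this edition; it is not Forcepoint or Stonesoft code and makes no claim about how the product implements these features. The link names, capacities, loss and latency thresholds, and the sample flow identifiers are all constructed for the example.

```python
"""Capacity-weighted link selection with priority pinning and health-based
failover. Added illustration of the ideas in this chapter, not Forcepoint or
Stonesoft code; link names, capacities, health thresholds and the sample flows
are constructed for the example."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

MIN_HEALTH = 0.2  # below this score a link is treated as failed (assumed)


@dataclass
class Link:
    name: str
    capacity_mbps: float      # subscribed bandwidth; drives the ratio weight
    loss_pct: float = 0.0     # measured packet loss, a health input
    rtt_ms: float = 20.0      # measured round-trip time, a health input
    used_mbps: float = 0.0    # bandwidth already committed to flows
    reserved: bool = False    # True: kept for priority-1 traffic (the MPLS link)

    def health(self) -> float:
        """Degree of truth, 0..1, that the link is usable: a multi-valued answer
        to 'how close is this link to failing?'. Loss of 5% or more, or an RTT of
        500 ms or more, scores 0; smaller values degrade smoothly. The thresholds
        are assumptions for the example."""
        loss_ok = max(0.0, 1.0 - self.loss_pct / 5.0)
        rtt_ok = max(0.0, 1.0 - max(0.0, self.rtt_ms - 50.0) / 450.0)
        return min(loss_ok, rtt_ok)

    def spare_mbps(self) -> float:
        return max(0.0, self.capacity_mbps - self.used_mbps)


def candidates(priority: int, demand_mbps: float, links: list[Link]) -> list[Link]:
    """Apply the priority policy before balancing: priority 1 is forced onto the
    reserved link while it is healthy and falls back to any healthy link when it
    is not; lower priorities use the unreserved links plus whatever capacity is
    still free on the reserved link."""
    healthy = [l for l in links if l.health() >= MIN_HEALTH]
    reserved = [l for l in healthy if l.reserved]
    if priority == 1:
        return reserved or healthy
    open_links = [l for l in healthy if not l.reserved]
    spill = [l for l in reserved if l.spare_mbps() >= demand_mbps]
    return open_links + spill


def weights(pool: list[Link], priority: int) -> list[float]:
    """Ratio method: each link's usable capacity relative to the largest in the
    pool, scaled by health so a degrading link sheds load before it is dropped.
    For low-priority traffic a reserved link only counts its spare capacity."""
    usable = [l.spare_mbps() if (l.reserved and priority != 1) else l.capacity_mbps
              for l in pool]
    biggest = max(usable) or 1.0
    return [u / biggest * l.health() for u, l in zip(usable, pool)]


def select_link(flow_id: str, priority: int, links: list[Link],
                demand_mbps: float = 0.0) -> Link:
    """Choose a link for a new flow and commit its bandwidth. The flow is mapped
    by a stable hash so it always lands on the same link (its NAT state and
    sessions survive); across many flows the split follows the ratio weights."""
    pool = candidates(priority, demand_mbps, links)
    if not pool:
        raise RuntimeError("no healthy link available")
    ws = weights(pool, priority)
    point = int.from_bytes(hashlib.sha256(flow_id.encode()).digest()[:8], "big")
    point = point / 2**64 * sum(ws)
    cumulative, chosen = 0.0, pool[-1]
    for link, w in zip(pool, ws):
        cumulative += w
        if point < cumulative:
            chosen = link
            break
    chosen.used_mbps += demand_mbps
    return chosen


def distribution(flow_ids: list[str], priority: int, links: list[Link]) -> dict[str, float]:
    """Fraction of flows each link received; compare with the capacity ratio."""
    counts = {l.name: 0 for l in links}
    for fid in flow_ids:
        counts[select_link(fid, priority, links).name] += 1
    return {name: n / len(flow_ids) for name, n in counts.items()}


if __name__ == "__main__":
    mpls = Link("MPLS", capacity_mbps=10, rtt_ms=15, reserved=True)
    adsl = Link("ADSL", capacity_mbps=20, rtt_ms=40)
    print(select_link("sap-session-1", 1, [mpls, adsl], demand_mbps=2).name)
    print(distribution([f"http-{i}" for i in range(6000)], 4, [mpls, adsl]))
    mpls.loss_pct = 12.0   # MPLS degrades past the failure threshold
    print(select_link("sap-session-2", 1, [mpls, adsl], demand_mbps=2).name)
```

With a few flows the split is rough, with thousands it settles near the capacity ratio, which is the low-volume/high-volume behaviour described above. The health score is deliberately continuous: a link with 2.5 per cent loss keeps half its weight rather than being switched off, and only below the failure threshold is it removed from the pool, at which point even priority-1 traffic falls back to the surviving link.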

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets relate to managing the security infrastructure itself. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while ensuring that its connectivity and performance metrics met its business requirements.

Proving a success
Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks and can integrate with third‐party devices and event management tools

Solving a real-world issue
An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem
The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites)

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can start with 3G wireless connections and add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically fall back to the 3G connection.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing rises sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution
The company decided to use a very low-bandwidth MPLS line for ERP traffic and to direct all the other traffic to lower-cost ADSL lines, keeping global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5
Ten Top Tips for Managing Hybrid Connections

In This Chapter
Navigating complexities
Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. These questions help you deduce the best practices that govern the management of your distributed network by mapping your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or another segment, you have to define exactly what the network brings you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. Networks change and grow, and they can take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and WAN links such as point-to-point MPLS. Knowing the full scope of the links you use and the amount of bandwidth you're getting from each conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings implement link‐balancing technology do both or in a best‐case scenario even do nothing How great would that be

We discuss SLAs in Chapter 2


What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Take that knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in a position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and it's becoming increasingly clear that security precautions aren't always implemented. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time you need enough foresight to prevent bottlenecks before they arrive Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access or that recipients didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but better still is being able to answer the connection-throughput question by looking over a history across the links you deploy and using that data to troubleshoot bottlenecks.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex a tug‐of‐war has emerged with network administrators facing situations where advanced protection can adversely affect network performance


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow, without a qualm, until the day an attack slips by unnoticed. You should therefore make sure that you strike the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated, extremely high-traffic network? The honest answer depends on how dedicated it really is: if it's physically separate and carries nothing else, encryption on the wire may add little, but if it shares switches or links with other traffic, remember that a backup image contains everything an attacker would want and deserves the same protection as the live data.

Skip back to Chapter 1 for the different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructure or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


Wiley End User License Agreement
Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How Much Time Do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real Time?
• EULA

Internet-based VPNs avoid this scalability problem by simply tapping into readily available public lines and network capability. For remote and international locations, an Internet VPN offers superior reach. The reliability and performance of an Internet-based VPN, however, aren't under the organization's direct control: they depend on the ISP and the quality of service it delivers.

You can reduce the risk of ISP failure with Internet VPNs by using two or more ISPs, with the second serving as a VPN failover path.

A VPN eliminates the need for organizations to rent expensive dedicated leased lines It also allows users to work from home and reduces spending on resources such as email servers file servers and so on because all these can be accessed on the VPN connection at the central site

Two VPN scenariosA real‐world example may involve a company split into two sites the main office in North America and a smaller site in the UK The North American site already has a full net-work and storage infrastructure in place including an active directory an exchange server a file server and so on The UK site only has a small number of users say 10 employees

To make this particular structure cost effective, a VPN connection from site to site would be the recommended choice. Providing a VPN tunnel from the UK site to the North American site would save equipment costs, such as having to install another network infrastructure, Exchange server, Active Directory server and so on. As the North American site would already have administrators to maintain the infrastructure, who can also maintain the VPN connection, time and human resource cost centers benefit from savings.

Another rational scenario would be to close the UK site and enable employees based in the UK to work from home. A remote-access VPN scenario would be suitable if the 10 users aren't based anywhere in particular and the firm has no UK-based office. In this case they just require an Internet connection and configured VPN client software, enabling them to connect securely to their corporate network in North America. If they were using a protocol that secures communication between users and applications (such as SSL VPN, which you can read about in Chapter 3), they wouldn't even require configured client-side software, because the URL address of the VPN portal would suffice.

Chapter 1 Understanding Next‐Generation Networks 15


VPNs provide an efficient, cost-effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP), Hot Standby Routing Protocol (HSRP) and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link-state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive, because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. Once implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co-operate with each other. For medium-sized companies, or even some larger enterprises and service providers, co-operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load-balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load-balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario, the tradeoff between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This trend is in turn forcing companies to move quickly to keep pace.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.
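To make the QoS behaviour described above concrete, here is an added example (not code from the book or from any vendor's product) that allocates one link's capacity among traffic classes: classes are served strictly in priority order, but each class can carry a guaranteed minimum share so that lower-priority traffic is throttled rather than starved. The class names, capacities and demands are constructed sample values.

```python
"""Priority-based bandwidth allocation on one congested link.

Constructed illustration of the QoS behaviour described above: classes are
served strictly in priority order, but each class can carry a guaranteed
minimum share so that bulk traffic is throttled rather than starved.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TrafficClass:
    name: str
    priority: int               # lower number = served first
    demand_mbps: float          # offered load in this scheduling interval
    guaranteed_mbps: float = 0  # floor kept for this class even under congestion


def allocate(capacity_mbps: float, classes: List[TrafficClass]) -> Dict[str, float]:
    """Return the bandwidth granted to each class for one interval.

    Step 1: every class receives min(demand, guarantee), so reserved floors hold.
    Step 2: whatever capacity is left is handed out strictly by priority.
    """
    if capacity_mbps < 0:
        raise ValueError("capacity must be non-negative")
    if sum(c.guaranteed_mbps for c in classes) > capacity_mbps:
        raise ValueError("guarantees exceed link capacity")

    granted = {c.name: 0 for c in classes}
    remaining = capacity_mbps

    # Step 1: honour guarantees, never giving a class more than it asked for
    for c in classes:
        floor = min(c.demand_mbps, c.guaranteed_mbps)
        granted[c.name] = floor
        remaining -= floor

    # Step 2: strict priority for the rest; the first class to exhaust the
    # link stops the loop, so everything below it waits
    for c in sorted(classes, key=lambda cls: cls.priority):
        give = min(c.demand_mbps - granted[c.name], remaining)
        granted[c.name] += give
        remaining -= give
        if remaining <= 0:
            break
    return granted


def throttled(capacity_mbps: float, classes: List[TrafficClass]) -> Dict[str, float]:
    """Demand per class that had to wait (all zero when the link is not congested)."""
    granted = allocate(capacity_mbps, classes)
    return {c.name: c.demand_mbps - granted[c.name] for c in classes}


# Constructed sample: a bank's stock-exchange feed competing with email and web browsing
SAMPLE_CLASSES = [
    TrafficClass("stock-exchange", priority=0, demand_mbps=60),
    TrafficClass("email", priority=1, demand_mbps=30, guaranteed_mbps=10),
    TrafficClass("web-browsing", priority=2, demand_mbps=80, guaranteed_mbps=5),
]

if __name__ == "__main__":
    for capacity in (200, 100, 70):
        print(capacity, allocate(capacity, SAMPLE_CLASSES), throttled(capacity, SAMPLE_CLASSES))
```

Running it with a 200 Mbps link shows every class getting its full demand; at 100 Mbps the stock-exchange feed is untouched and web browsing is cut back to its guaranteed floor plus whatever is left over. The guaranteed floor is the one addition a practitioner would want over pure strict priority, since a pure priority queue can starve bulk traffic completely during a sustained peak.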

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique the primary ISP forwards traffic to and from the Internet, while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active set-up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime via an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.
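As an added illustration of the integrity check mentioned in Chapter 1 ('If packets are modified, the VPN gateway also detects this action') and of the encryption discussed here, the following example (not code from the book, and a teaching model rather than IPsec) encapsulates a packet with a sequence number, a per-packet keystream and an authentication tag, and shows the receiver rejecting tampered, truncated and replayed packets. It uses only the Python standard library; the keystream is HMAC-SHA256 run in counter mode, and the shared secret and packet contents are constructed values.

```python
"""Tunnel encapsulation with confidentiality, integrity and replay protection.

Constructed teaching model of what a VPN gateway does to each packet; it is
not IPsec. Real tunnels use a vetted AEAD such as AES-GCM and negotiate keys
with IKE; here the keystream comes from HMAC-SHA256 in counter mode and the
packet is authenticated with a second HMAC-SHA256 key (encrypt-then-MAC).
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every packet


class TamperedPacket(Exception):
    """Raised when a packet is too short, fails authentication or repeats a sequence number."""


def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into independent encryption and authentication keys."""
    enc = hashlib.sha256(b"enc|" + shared_secret).digest()
    auth = hashlib.sha256(b"auth|" + shared_secret).digest()
    return enc, auth


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: block_i = HMAC(enc_key, nonce || i), concatenated and truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Tunnel:
    """One tunnel endpoint: encapsulate() on the sending side, decapsulate() on the receiving side."""

    HEADER = struct.Struct(">I16s")  # 4-byte sequence number + 16-byte per-packet nonce

    def __init__(self, shared_secret: bytes):
        self.enc_key, self.auth_key = derive_keys(shared_secret)
        self.send_seq = 0
        self.highest_received = 0  # minimal anti-replay: accept strictly increasing sequence numbers only

    def encapsulate(self, plaintext: bytes) -> bytes:
        self.send_seq += 1
        nonce = os.urandom(16)                       # fresh nonce, so equal payloads encrypt differently
        header = self.HEADER.pack(self.send_seq, nonce)
        body = xor_bytes(plaintext, keystream(self.enc_key, nonce, len(plaintext)))
        tag = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()
        return header + body + tag                   # the tag covers header and ciphertext

    def decapsulate(self, packet: bytes) -> bytes:
        if len(packet) < self.HEADER.size + TAG_LEN:
            raise TamperedPacket("packet too short")
        header = packet[:self.HEADER.size]
        body = packet[self.HEADER.size:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison, checked before anything else
            raise TamperedPacket("authentication tag mismatch")
        seq, nonce = self.HEADER.unpack(header)
        if seq <= self.highest_received:
            raise TamperedPacket(f"replayed sequence number {seq}")
        self.highest_received = seq
        return xor_bytes(body, keystream(self.enc_key, nonce, len(body)))


def is_rejected(tunnel: Tunnel, packet: bytes) -> bool:
    """True when the receiver refuses the packet (tampered, truncated or replayed)."""
    try:
        tunnel.decapsulate(packet)
        return False
    except TamperedPacket:
        return True


if __name__ == "__main__":
    gateway = Tunnel(b"constructed-shared-secret")   # both ends hold the same secret
    packet = gateway.encapsulate(b"GET /balance HTTP/1.1")
    print(gateway.decapsulate(packet))              # original payload
    print(is_rejected(gateway, packet))             # True: replay of the same packet
```

The order of the checks matters: the tag is verified before anything is decrypted or the receive counter is advanced, so a forged packet can neither leak information through decryption errors nor move the replay window forward. A production tunnel negotiates its keys and uses a vetted AEAD, but the shape of the check the gateway performs on every packet is the same.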

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar, as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements, such as those needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren't reserved for high‐priority traffic.

Often companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or low‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would still have left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission‐critical, time‐sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi‐link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds that of the other connections being used and is supplemented by smaller ISPs, a smaller ISP may return a faster SYN‐ACK (synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
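As an added example (not Forcepoint's or Stonesoft's code), here is a small Python model of the ratio method just described, together with the priority-1 forced link from the SAP sample configuration earlier in the chapter; link names, capacities and flow counts are constructed for the illustration. Running it shows the low-volume/high-volume behaviour of the two points above, that pinned traffic stays on its link, and that a failed link simply drops out of the ratio.

```python
# Added example (not Forcepoint's or Stonesoft's code): a model of
# ratio-based Multi-Link distribution with a "forced" priority class.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    bandwidth_mbps: float  # subscribed capacity of the ISP link (constructed)
    active: bool = True    # False once the link is detected as down


def capacity_ratios(links: List[Link]) -> Dict[str, float]:
    """Compare every active link to the link with the most bandwidth,
    giving the ratio used to distribute traffic (the biggest link is 1.0)."""
    active = [l for l in links if l.active]
    if not active:
        return {}
    biggest = max(l.bandwidth_mbps for l in active)
    return {l.name: l.bandwidth_mbps / biggest for l in active}


def expected_shares(links: List[Link]) -> Dict[str, float]:
    """Share of traffic each link should carry once volume is high:
    its ratio divided by the sum of all ratios (failed links get 0)."""
    ratios = capacity_ratios(links)
    total = sum(ratios.values())
    return {l.name: ratios.get(l.name, 0.0) / total if total else 0.0
            for l in links}


def choose_link(links: List[Link], priority: int,
                forced: Dict[int, str], rng: random.Random) -> str:
    """Pick the link for one new connection.

    A priority class listed in `forced` is pinned to its link while that
    link is up (SAP = priority 1 = forced on MPLS in the case study). If the
    pinned link is down, the traffic falls back to ratio-based selection so
    it is not dropped. Everything else is spread over the active links,
    weighted by capacity ratio."""
    pinned = forced.get(priority)
    for link in links:
        if link.name == pinned and link.active:
            return link.name
    ratios = capacity_ratios(links)
    if not ratios:
        raise RuntimeError("no active links available")
    names = list(ratios)
    return rng.choices(names, weights=[ratios[n] for n in names], k=1)[0]


def distribute(links: List[Link], n_flows: int, priority: int = 4,
               forced: Optional[Dict[int, str]] = None,
               seed: int = 1) -> Dict[str, float]:
    """Send n_flows connections of one priority class and return the
    fraction that landed on each link."""
    rng = random.Random(seed)
    forced = forced or {}
    counts = {l.name: 0 for l in links}
    for _ in range(n_flows):
        counts[choose_link(links, priority, forced, rng)] += 1
    return {name: count / n_flows for name, count in counts.items()}


def max_deviation(links: List[Link], n_flows: int, **kw) -> float:
    """Largest gap between the realised share and the capacity-based share
    over all links; the chapter's point is that it shrinks as volume grows."""
    actual = distribute(links, n_flows, **kw)
    target = expected_shares(links)
    return max(abs(actual[n] - target[n]) for n in actual)


if __name__ == "__main__":
    # Constructed site: one 100 Mbit/s MPLS link plus two 20 Mbit/s ADSL links.
    site = [Link("MPLS", 100), Link("ADSL-1", 20), Link("ADSL-2", 20)]
    print("ratios   :", capacity_ratios(site))   # MPLS 1.0, ADSL 0.2 each
    print("target   :", expected_shares(site))   # about 0.714 / 0.143 / 0.143
    print("10 flows :", distribute(site, 10))    # low volume: approximate
    print("20000    :", distribute(site, 20000)) # high volume: near target
    # SAP (priority 1) is pinned to MPLS regardless of the ratios.
    print("SAP      :", distribute(site, 50, priority=1, forced={1: "MPLS"}))
    # When MPLS fails, other traffic continues over the ADSL links only.
    site[0].active = False
    print("MPLS down:", distribute(site, 1000))
```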

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration, allowing more granular and efficient use of available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor‐quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic, that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next‐Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load‐balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non‐critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
  • Meeting Multi‐Link Technology
    • Prioritizing links
    • Seeing multi‐link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi‐Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real‐world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real‐Time?
• EULA

VPNs provide an efficient, cost‐effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner. Chapter 3 has more on VPN protocols.

With normal Internet traffic, packets can be sniffed and read by anyone (which can be as unpleasant as it sounds). But sending data via a VPN tunnel encapsulates and encrypts all data packets, providing a high level of security. If packets sent securely over the Internet are sniffed, they're unreadable. If packets are modified, the VPN gateway also detects this action.

Finding a Way Through Routing and Load Balancing

Making sure that a network is available and that information travels through it at a reasonable speed is a complex mission. Roadblocks, attacks, bottlenecks and traffic spikes can all lead to an interruption.

To be safe, you very quickly learn that you have to ensure the use of more than one connection, thereby making an alternative route available if a primary connection fails. In fact, it is a sensible idea to ensure that you have more than just one alternative route available and that you make use of all of the routes all of the time. Keeping your network secure and running with a combination of routes requires complex routing and complex load‐balancing.

Understanding routing protocols

In order to eliminate the ISP as a single point of failure, many corporations have had to deploy a battery of redundant external routers and switches, which require the use of complex routing protocols such as Border Gateway Protocol (BGP) and Hot Standby Router Protocol (HSRP), and peering arrangements through ISPs.

Border Gateway Protocol routes connections using an algorithm that determines the shortest path, calculated by the number of hops (routers) between source and destination.


Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs, and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires obtaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.

Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. In-depth knowledge of the network is fundamental for any industry.

In this chapter, we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime, and to a lesser degree high latency, can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possibly added complexity. When human error leaves network devices mis-configured and that leads to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because inspecting traffic consumes firewall processing capacity and so reduces throughput, network administrators sometimes deactivate security functions on their firewalls in favor of increased speed.

In this scenario, the trade-off between security and performance can lead to disaster, especially as cyber-threats escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:

Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This in turn forces companies to move quickly to keep pace with these trends.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and wouldn't recur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.

Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined: over what period it's measured, whether planned maintenance counts and who does the measuring. Although 99 per cent uptime sounds like an excellent guarantee, it allows more than three and a half days of interruption in a single year, which can be disastrous for some activities.
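To turn an SLA percentage into something you can argue about with a provider, here's a small calculator. It's an added example, not taken from the book or from any vendor: it converts an availability figure into a yearly downtime budget and, going a step beyond the text, shows how availability composes when parts are chained (every part must be up) and when links are put in parallel (the service is down only when every link is down). The parallel figure assumes the links fail independently, which holds only if they don't share a duct, street cabinet or upstream carrier.

```python
"""Availability arithmetic for reading SLAs (added example, not from the book)."""

MINUTES_PER_YEAR = 365 * 24 * 60


def _check_pct(value: float) -> float:
    if not 0.0 <= value <= 100.0:
        raise ValueError(f"availability must be a percentage in [0, 100], got {value}")
    return value


def downtime_minutes_per_year(availability_pct: float) -> float:
    """Minutes per year a provider may be down and still honour the SLA."""
    return MINUTES_PER_YEAR * (1.0 - _check_pct(availability_pct) / 100.0)


def downtime_days_per_year(availability_pct: float) -> float:
    return downtime_minutes_per_year(availability_pct) / (24 * 60)


def serial_availability(components_pct) -> float:
    """Availability of a chain (your router, the access line, the ISP core, ...):
    everything has to be up at the same time, so the probabilities multiply."""
    p_up = 1.0
    for a in components_pct:
        p_up *= _check_pct(a) / 100.0
    return 100.0 * p_up


def parallel_availability(links_pct) -> float:
    """Availability of independent redundant links: the service is only down
    when every link is down. Links that share a duct or a carrier are NOT
    independent and should be entered here as a single link."""
    links = list(links_pct)
    if not links:
        raise ValueError("need at least one link")
    p_all_down = 1.0
    for a in links:
        p_all_down *= 1.0 - _check_pct(a) / 100.0
    return 100.0 * (1.0 - p_all_down)


def required_link_availability(target_pct: float, n_links: int) -> float:
    """Per-link availability needed for n independent links to reach a target."""
    if n_links < 1:
        raise ValueError("need at least one link")
    p_all_down = 1.0 - _check_pct(target_pct) / 100.0
    return 100.0 * (1.0 - p_all_down ** (1.0 / n_links))


if __name__ == "__main__":
    for sla in (99.0, 99.9, 99.99):
        print(f"{sla:6.2f}% uptime allows {downtime_days_per_year(sla):6.2f} days down per year")
    print(f"two independent 99% links: {parallel_availability([99.0, 99.0]):.4f}%")
    print(f"router + line + core at 99.9% each: {serial_availability([99.9] * 3):.4f}%")
    print(f"per-link figure for 99.99% from two links: {required_link_availability(99.99, 2):.2f}%")
```

Run it directly and it prints the budgets for the common SLA tiers. The point to notice is that two independent 99 per cent consumer links reach 99.99 per cent on paper, while a single 99.9 per cent line behind a 99.9 per cent router and a 99.9 per cent provider core delivers only about 99.7 per cent end to end.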

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that have no business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS link fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method of ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and still end up with a single point of failure because of one unreliable component.

Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of a fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency; the local breakout must be protected by the same security policy as the central gateway, otherwise it becomes a side door. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage users, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand more tunnel capacity for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many tunnels at once, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.

Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at the different types of traffic associated with the applications used in business.)

In this section, we discuss maximizing the performance of your network.

Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours. One caveat: a QoS device fully controls only the traffic it sends. Packets arriving from the Internet have already crossed the link before the device sees them, so inbound prioritization relies on dropping low-priority traffic so that the senders slow down, or on QoS applied by the ISP at its end.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links with QoS, to benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because a conventional routing table has a single default route pointing towards the Internet. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other link is mostly inactive.

The modern alternative is to use an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity. One thing to get right in either setup: a connection must keep using the ISP link it started on, because the far end sees your traffic coming from that link's address, and switching mid-connection breaks the session.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.
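The two link policies, and the failover behaviour they imply, as an added example (this is not the book's or Forcepoint's code; link names, capacities and addresses are invented): a small router model that places each new connection on an ISP link, keeps it there for the life of the connection and moves the survivors when a link dies. In active-standby mode every connection lands on the most preferred healthy link, which is the 50 per cent utilization the text describes; in active-active mode new connections go to the link with the lowest relative load.

```python
"""Placing connections on several ISP links (added example, not from the book
or from Forcepoint). Link names, capacities and addresses are invented."""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float
    up: bool = True
    load_mbps: float = 0.0


@dataclass(frozen=True)
class Flow:
    """One connection, identified by its five-tuple, with its average rate."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    mbps: float = 1.0


class MultiLinkRouter:
    """Links are given in preference order. 'active-standby' uses only the most
    preferred healthy link; 'active-active' spreads new flows over all of them."""

    def __init__(self, links, mode="active-active"):
        if mode not in ("active-active", "active-standby"):
            raise ValueError(f"unknown mode {mode!r}")
        self.links = {link.name: link for link in links}   # dict keeps preference order
        self.mode = mode
        self.flows = {}                                     # Flow -> link name (sticky)

    def _candidates(self):
        healthy = [link for link in self.links.values() if link.up]
        if not healthy:
            raise RuntimeError("no healthy ISP link")
        return healthy[:1] if self.mode == "active-standby" else healthy

    def _place(self, flow):
        # A new flow goes to the link with the lowest relative load; ties go to
        # the more preferred link. (Hashing the five-tuple is the other common choice.)
        link = min(self._candidates(), key=lambda l: l.load_mbps / l.capacity_mbps)
        link.load_mbps += flow.mbps
        self.flows[flow] = link.name
        return link.name

    def route(self, flow):
        """Return the link for this flow. A flow stays on the link it started on:
        the far end sees the connection coming from that link's address, so
        switching it mid-connection would break the session."""
        current = self.flows.get(flow)
        if current is not None and self.links[current].up:
            return current
        return self._place(flow)

    def link_down(self, name):
        """Mark a link dead and re-place its flows. Returns how many connections
        were moved; each of those TCP sessions is reset, which is why failover is
        never completely invisible to users."""
        link = self.links[name]
        link.up = False
        link.load_mbps = 0.0
        moved = [flow for flow, owner in self.flows.items() if owner == name]
        for flow in moved:
            self._place(flow)
        return len(moved)

    def link_up(self, name):
        self.links[name].up = True

    def load(self):
        return {name: link.load_mbps for name, link in self.links.items()}


if __name__ == "__main__":
    router = MultiLinkRouter([Link("mpls", 100.0), Link("adsl", 50.0)])
    for port in range(40000, 40030):
        router.route(Flow("10.0.0.7", port, "203.0.113.5", 443))
    print("active-active load:", router.load())
    print("connections moved when mpls dies:", router.link_down("mpls"), router.load())
```

With a 100 Mbps and a 50 Mbps link, active-active placement ends up at a 2:1 split, which is what you want when the links differ in size; active-standby leaves the second link at zero until the first one fails, and the moved connections are exactly the ones your users will see reset.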

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can get near-unfailing uptime from an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.

Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth and availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses, because they're cheap and can offer high-speed transmission, for example with 4G/Long Term Evolution (LTE) wireless connections (LTE is a standard for high-speed mobile connections and an update of the earlier UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense, in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs, because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.

Estimating a budget

Experience shows that Internet links fail at some stage. To reduce the risk, organizations resort to multiple link types or standby systems, which ultimately increase the complexity of an infrastructure and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way towards saving on connectivity costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for the different types of traffic with their differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.

ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it. Your packets still cross the provider's routers in the clear.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you remove this risk, because eavesdroppers receive only ciphertext that they can't decipher. Encryption with integrity protection, as IPsec provides, also means that anyone who does get hold of your packets can't modify them unnoticed.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic separate, four main protocols are used to take traffic security to the next level:

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Sockets Layer (SSL), today implemented with its successor, TLS

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of the people (and devices) on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.

PPTP

Point-to-Point Tunneling Protocol allows remote users to access their corporate networks using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, its security is broken. Its usual authentication method (MS-CHAPv2) can be cracked, and its MPPE encryption is built on the RC4 cipher, so don't rely on it for anything confidential. Treat it as a legacy option and replace it with IPsec or SSL VPN.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

L2TP by itself doesn't encrypt anything, so you use it in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs. Its strength still depends on your choices: use IKEv2, current ciphers such as AES-GCM, and certificate or strong pre-shared-key authentication.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer VPN provides excellent security for remote-access users and is easy to use; the underlying protocol (now TLS) is already heavily employed in online shopping and banking. SSL/TLS-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL VPNs can also imitate the way IPsec works, tunneling full IP traffic via lightweight software.

Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software. The flip side is that the computer may be an unmanaged one you don't trust, so pair portal access with multi-factor authentication and limit what clientless sessions can reach.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to a site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi-link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the peering arrangements between two ISPs that BGP needs for a highly available Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section, we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during peak traffic hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies configure QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.

The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the single point of failure of the MPLS connection in place.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link
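The sample configuration carried through to numbers, as an added example (it is not the book's or Forcepoint's code, and the link sizes and demands are invented). It generalizes the two classes above to any number of priority classes, each with an ordered list of links it may use (a single link means "forced") and an optional reservation on its first link that lower priorities can't consume even when the class is idle, which is the "guaranteed percentage of the link capacity" variant described under "Prioritizing links". Classes are served in priority order, so when the MPLS link is congested the HTTP class is the one that comes up short.

```python
"""Priority-based placement of traffic classes on links (added example, not the
book's or Forcepoint's code). Link sizes and demands are invented."""
from dataclasses import dataclass, field


@dataclass
class TrafficClass:
    name: str
    priority: int               # 1 = most important, served first
    demand_mbps: float          # what the class wants to send right now
    links: tuple                # links in order of preference; a single link = forced
    reserve_mbps: float = 0.0   # capacity on links[0] held back from lower priorities


@dataclass
class Allocation:
    on_link: dict = field(default_factory=dict)   # link name -> mbps granted
    shortfall_mbps: float = 0.0                   # demand that found no capacity

    @property
    def granted_mbps(self) -> float:
        return sum(self.on_link.values())


def allocate(link_capacity: dict, classes):
    """Strict-priority allocation: classes are served best-priority first; each
    fills its preferred links in order and never spills onto a link it isn't
    allowed to use. Returns (allocations by class name, free capacity by link)."""
    free = dict(link_capacity)
    for tc in classes:
        unknown = set(tc.links) - set(free)
        if not tc.links or unknown:
            raise ValueError(f"{tc.name}: bad link list {tc.links}, unknown {sorted(unknown)}")
        if tc.demand_mbps < 0 or tc.reserve_mbps < 0:
            raise ValueError(f"{tc.name}: demand and reserve must be non-negative")

    result = {}
    for tc in sorted(classes, key=lambda c: c.priority):
        alloc = Allocation()
        need = tc.demand_mbps
        for name in tc.links:
            take = min(need, free[name])
            if take > 0:
                alloc.on_link[name] = take
                free[name] -= take
                need -= take
            if need <= 0:
                break
        alloc.shortfall_mbps = need
        # Keep the unused part of this class's reservation away from lower classes,
        # so a burst of high-priority traffic finds room without waiting for queues
        # to drain. The held-back amount is in neither an allocation nor `free`.
        unused_reserve = max(0.0, tc.reserve_mbps - alloc.on_link.get(tc.links[0], 0.0))
        free[tc.links[0]] -= min(unused_reserve, free[tc.links[0]])
        result[tc.name] = alloc
    return result, free


if __name__ == "__main__":
    links = {"mpls": 10.0, "adsl": 20.0}          # invented link sizes, Mbps
    classes = [
        TrafficClass("SAP", 1, 4.0, ("mpls",)),               # priority 1, forced on MPLS
        TrafficClass("HTTP", 4, 24.0, ("adsl", "mpls")),      # priority 4, ADSL then free MPLS
    ]
    result, free = allocate(links, classes)
    for name, alloc in result.items():
        print(f"{name}: {alloc.on_link} shortfall={alloc.shortfall_mbps}")
    print("free:", free)
```

In the quiet case SAP gets its 4 Mbps on MPLS and HTTP fills ADSL and then 4 of the 6 Mbps left on MPLS; raise SAP's demand to 9 Mbps and HTTP gets only 1 Mbps of MPLS and is short by 9 Mbps, which is the throttling the text describes. Because a forced class never spills, SAP asking for more than the MPLS link holds reports a shortfall rather than quietly leaking onto ADSL.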

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Securing Hybrid Networks For Dummies 36With the preferred link selection provided by Stonesoft Next Generation Firewall the QoS functionality allows control over how each application uses the available bandwidth resources Mission‐critical applications can be placed on links that pro-vide high priority with low latency while all other applica-tions are placed on the links that have available bandwidth or provide best effort

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business and you donrsquot need to purchase more bandwidth

This retail company now benefits from guaranteed bandwidth for mission‐criticaltime sensitive applications and a better user experience

Aggregating linksWouldnrsquot it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reli-able connection The probability for them all to fail at any given time is negligible Their traffic fluctuations occur ran-domly at different times and so most of the time yoursquod benefit from more than acceptable connection speeds Moreover the total cost would be low

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi‐link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using border gateway protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost‐effectively by using Forcepoint's Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything—connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi‐link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: The ratio of actual traffic distribution is approximate.

• Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
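The two bullets above describe a property of any weighted distribution: with few connections the split is lumpy, with many it converges on the capacity ratio. The following added example (not Forcepoint's implementation; the 100/50/25 Mbps link capacities are constructed) computes the ratio weights exactly as the text describes, comparing every link against the largest one, and then hands out connections with a deterministic smooth weighted round-robin so the convergence can be measured rather than just asserted.

```python
from collections import Counter

# Constructed sample link capacities in Mbps (assumed values, not from the page).
LINK_CAPACITY_MBPS = {"mpls": 100.0, "adsl": 50.0, "lte": 25.0}


def ratio_weights(capacities: dict[str, float]) -> dict[str, float]:
    """Compare every link to the largest one; the largest link gets 1.0."""
    largest = max(capacities.values())
    return {name: cap / largest for name, cap in capacities.items()}


class RatioBalancer:
    """Smooth weighted round-robin over the ratio weights.

    Every round each link earns credit equal to its weight; the link with
    the most credit takes the new connection and pays back the total
    weight.  The long-run share per link is weight / sum(weights).
    """

    def __init__(self, weights: dict[str, float]) -> None:
        self.weights = dict(weights)
        self.total = sum(weights.values())
        self.credit = {name: 0.0 for name in weights}

    def next_link(self) -> str:
        for name, w in self.weights.items():
            self.credit[name] += w
        chosen = max(self.credit, key=self.credit.get)
        self.credit[chosen] -= self.total
        return chosen

    def distribute(self, connections: int) -> Counter:
        """Assign `connections` new flows and count how many each link got."""
        return Counter(self.next_link() for _ in range(connections))


def max_share_deviation(counts: Counter, weights: dict[str, float]) -> float:
    """Largest gap between a link's actual share and its ideal (ratio) share."""
    total_conns = sum(counts.values())
    total_weight = sum(weights.values())
    return max(abs(counts[name] / total_conns - w / total_weight)
               for name, w in weights.items())


def deviation_after(connections: int) -> float:
    """How far the distribution is from the capacity ratio after N connections."""
    weights = ratio_weights(LINK_CAPACITY_MBPS)
    counts = RatioBalancer(weights).distribute(connections)
    return max_share_deviation(counts, weights)


if __name__ == "__main__":
    for n in (3, 7, 700):
        print(n, "connections: max deviation from ratio =", round(deviation_after(n), 3))
```

With weights 1.0 : 0.5 : 0.25 the balancer repeats every seven connections, so three connections land as 2/1/0 (the 25 Mbps link has had nothing yet, a deviation of about 0.14), while seven or seven hundred match the 4/2/1 ratio exactly. Real traffic arrives and departs at random, which is why the page says "approximate" rather than "exact" at low volume.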

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.

• Traffic goes to a poor‐quality link even though a better link is available.

• Traffic goes to a standby link even though an active link works.

• Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic; that is, instead of '0' or '1', you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?

• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
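The passage names the five ingredients (input variables, fuzzy sets, output variables, rules, de‐fuzzying) without showing how they combine. The following added example is a minimal fuzzy link scorer written for this page; it is not Forcepoint's algorithm, and the membership breakpoints (load counts as "high" from 50 per cent up, 5 per cent probe loss is "fully lossy"), the three rules and the sample link measurements are all constructed assumptions. It answers the two questions above as degrees of truth and then uses the score to avoid two of the failure modes listed earlier: preferring a standby link while an active one still works, and staying on a poor link when a better one exists.

```python
def ramp(x: float, low: float, high: float) -> float:
    """Fuzzy membership rising linearly from 0 at `low` to 1 at `high`."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)


def link_health(utilisation: float, loss_rate: float) -> float:
    """Degree of truth in [0, 1] that the link is healthy.

    utilisation: fraction of capacity in use (0.0 to 1.0)
    loss_rate:   fraction of probes lost (0.0 to 1.0)
    Breakpoints below are assumed values chosen for the illustration.
    """
    # 1. Fuzzify the crisp inputs into set memberships.
    load_high = ramp(utilisation, 0.5, 0.9)   # "high load" starts above 50 %
    load_low = 1.0 - load_high
    loss_high = ramp(loss_rate, 0.0, 0.05)    # 5 % loss is "fully lossy"
    loss_low = 1.0 - loss_high
    # 2. Evaluate the rules (AND = min); each fires an output set to a degree.
    good = min(load_low, loss_low)            # low load AND low loss  -> good
    fair = min(load_high, loss_low)           # high load AND low loss -> fair
    poor = loss_high                          # high loss -> poor, whatever the load
    # 3. De-fuzzify: weighted average of the output set centres (1.0, 0.5, 0.0).
    total = good + fair + poor
    if total == 0.0:
        return 0.0
    return (good * 1.0 + fair * 0.5 + poor * 0.0) / total


def closeness_to_failure(utilisation: float, loss_rate: float) -> float:
    """Answer 'how close is this link to failing?' as 0 (fine) to 1 (failing)."""
    return 1.0 - link_health(utilisation, loss_rate)


def select_link(links: dict[str, dict], min_health: float = 0.3) -> str:
    """Pick the healthiest active link; use a standby link only when no
    active link scores at least `min_health`; as a last resort take the
    best link of any role."""
    scored = {name: link_health(m["utilisation"], m["loss_rate"])
              for name, m in links.items()}
    active = {n: h for n, h in scored.items()
              if links[n]["role"] == "active" and h >= min_health}
    standby = {n: h for n, h in scored.items() if links[n]["role"] == "standby"}
    pool = active or standby or scored
    return max(pool, key=pool.get)


# Constructed sample measurements for three links (not real telemetry).
SAMPLE_LINKS = {
    "mpls": {"role": "active", "utilisation": 0.70, "loss_rate": 0.02},
    "adsl": {"role": "active", "utilisation": 0.30, "loss_rate": 0.00},
    "lte":  {"role": "standby", "utilisation": 0.10, "loss_rate": 0.00},
}

if __name__ == "__main__":
    for name, m in SAMPLE_LINKS.items():
        print(name, m["role"], "health =", round(link_health(m["utilisation"], m["loss_rate"]), 3))
    print("selected:", select_link(SAMPLE_LINKS))
```

Because the score is continuous, a link that is merely busy (health 0.5) is ranked below an idle one but is still preferred over a standby link, and a link whose loss is climbing loses traffic gradually rather than at a single threshold; that is the practical reason the page prefers degrees of truth to a 0/1 up/down check.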

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities to event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections or, if it did, the connections were extremely costly.

• The ERP system required low latency connections—an MPLS connection with a strict SLA, if possible.

• The use of a VoIP service was desirable wherever possible to save costs.

• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which the MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities

• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals—not surprisingly—that a significant divide exists between the ideal time and realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology will use to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm – until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic – in other words, taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next‐Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load‐balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non‐critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
  • Meeting Multi‐Link Technology
    • Prioritizing links
    • Seeing multi‐link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi‐Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real‐world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real‐Time?
• EULA

Virtual Router Redundancy Protocol (VRRP) and HSRP are used to protect users from router failure. Open Shortest Path First (OSPF) is a link state routing protocol that protects users against link failure.

Many people regard this approach as excessively complicated and expensive because it requires redundant hardware, more expensive routers, additional software and ISP arrangement costs—and that's only the beginning. When implemented, administrators face the daunting task of configuring and maintaining the complex network in order to achieve high availability.

To illustrate this complexity, we examine BGP a bit further. As a routing protocol, BGP is designed to allow the creation of redundant routes to a set of networks. To function, it requires attaining an autonomous system number (ASN). Basically, this number is a unique ID that identifies corporate networks to routers on the Internet and allows other routers to understand that more than one way exists to get to the network.

But the ASN requires the two ISPs to co‐operate with each other. For medium‐sized companies, or even some larger enterprises and service providers, co‐operation between competing ISPs may be challenging to arrange. Moreover, businesses with a tight budget face the costs of upgrading routers with software and memory to keep pace with intricate BGP routing procedures.

Considering load‐balancing hybrid networks

Availability and performance are two challenges that dog expanding networks, making underlying connectivity key to the use and accessibility of applications. Load‐balancing devices are used to maximize throughput and availability, but they also inevitably add further strain to a system that should be kept simple in the best interests of business.

External load balancers are appliances located in front of a network gateway. They aren't dependent on BGP or any other routing protocol, and they use link aggregation techniques in order to address multiple ISPs. External load balancers require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end‐users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load‐balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load‐balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2

Running Efficient Hybrid Networks

In This Chapter

• Producing a smooth‐running complex network

• Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

• Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

• Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario the tradeoff between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


• Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

• Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

• Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement and cloud applications are amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

• Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

• Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops below the expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how downtime is defined: whether scheduled maintenance counts, whether the percentage is measured per month or per year, and whether a degraded link counts as down. Although 99 per cent uptime sounds like an excellent guarantee, it allows roughly three and a half days (1 per cent of 8,760 hours is about 87 hours) of interruption in a single year, which can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how to make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that have no business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS link fails?

The Internet connection is always too limited, and its usage grows every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic belongs in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to multiply operator lines and still end up with a single point of failure because of one unreliable component.


Furthermore, performing an upgrade shouldn't result in sluggish access: business needs to go on as usual. The same requirement applies to failures: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and sends it through a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligent process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: identify users, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls can cater for many instances of tunneling, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic goes first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method that combines multiple network links with QoS, so that you benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Using several Internet connections mitigates this risk, and as an additional benefit, more bandwidth is available for traffic.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4). Whichever you choose, each outbound connection must be source-translated to the address of the link it leaves on, so that replies come back over the same link rather than being dropped by the other ISP.

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only a fraction of the available bandwidth is used (50 per cent for two equally sized links), because the other link is idle most of the time.

The modern alternative is an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup. They're only used when nothing else is available. Although their cost per byte is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer-grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer-grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission, including over 4G Long Term Evolution (LTE) wireless connections (LTE is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer-grade connections can reach up to 100 Mbps, but their capacity often fluctuates and connection outages sometimes occur.

Some high-quality link providers charge their customers on the basis of traffic volume. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as backup for very high-priority traffic.

Estimating a budget

Experience shows that Internet links fail at some stage. To reduce the risk, organizations resort to multiple link types or standby systems, which ultimately increase the complexity of an infrastructure and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way towards saving on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for the different types of traffic with their differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.

ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

People make mistakes, and those mistakes can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you remove this risk, because eavesdroppers receive only ciphertext that they can't decipher (provided you use a modern protocol and manage its keys properly; see the note on PPTP below).

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic separate, four main protocols are used to take traffic security to the next level:

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Sockets Layer (SSL)

These protocols support authentication and encryption in VPNs (L2TP on its own only tunnels; it relies on IPsec for encryption, as described below). Authentication allows VPN clients and servers to establish correctly the identity of the parties on the network. Encryption hides potentially sensitive data from anyone who can observe the traffic.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point-to-Point Tunneling Protocol allows remote users to access their corporate networks using Microsoft Windows platforms and other enabled systems. Users connect to their local ISPs and then tunnel to their corporate networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, it is widely considered broken in terms of security: its MS-CHAPv2 authentication can be cracked offline and its MPPE encryption is derived from the same weak credentials, so it should not be used for new deployments.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

L2TP provides tunneling but no encryption of its own; you use it in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and it's a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer (SSL) VPN provides excellent security for remote-access users and is easy to use; the same protocol family (SSL and its successor, TLS) is already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL VPNs can also imitate the way IPsec works (a full tunnel) via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting that IPsec requires. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software. The flip side is that an unmanaged computer is now talking to the corporate network, so pair the portal with strong (multi-factor) authentication and limit what it can reach.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to it, which creates a need to implement connections between the company's own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. Besides crucial features such as clustering, load balancing, QoS and evasion protection, the solution also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when you use BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configuration, completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In a normal situation (enough networking capacity and no congestion), all traffic is evenly load-balanced between the different network links. When network congestion occurs (during peak traffic hours), QoS takes action, either dedicating some of the network links entirely to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies configure QoS so that high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would not have removed the single point of failure that the one MPLS connection represented.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was no higher than the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, so the company wanted a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load-balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization: SAP traffic always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent utilization at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced onto the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes the use of network resources more efficient by servicing the most important traffic for your business first, so you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
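To make the link-selection rule in the sample configuration concrete, here is an added example written for this page; it is not Forcepoint's or Stonesoft's code and does not claim to show how the product implements the policy internally. It simulates the retailer's configuration and the QoS behaviour described in Chapter 3's 'Prioritizing traffic with QoS' section: priority-1 SAP traffic is forced onto MPLS, priority-4 HTTP traffic prefers ADSL and may use whatever MPLS capacity SAP leaves free, and during congestion the low-priority traffic is throttled. The link capacities, flow names and demands are constructed sample values. The BACKUP_POLICY variant, which lets SAP fall back to ADSL when MPLS is down, is an assumption added to show the backup path the company wanted for SAP.

```python
"""Priority-based link selection for a two-link hybrid WAN (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Link:
    name: str
    capacity_mbps: float
    used_mbps: float = 0.0

    def free_mbps(self) -> float:
        return max(0.0, self.capacity_mbps - self.used_mbps)


@dataclass
class Flow:
    app: str
    priority: int          # 1 = highest, as in the sample configuration
    demand_mbps: float


@dataclass
class Placement:
    on: Dict[str, float] = field(default_factory=dict)   # link -> Mbps granted
    throttled_mbps: float = 0.0                           # demand that found no room


# Policy: priority -> ordered list of links that priority may use (assumed values).
# Priority 1 (SAP) is forced onto MPLS; priority 4 (HTTP) prefers ADSL and may
# spill onto whatever MPLS capacity is left over.
FORCED_POLICY = {1: ["MPLS"], 4: ["ADSL", "MPLS"]}
# Assumed variant: SAP may fall back to ADSL when MPLS is unavailable.
BACKUP_POLICY = {1: ["MPLS", "ADSL"], 4: ["ADSL", "MPLS"]}


def schedule(flows: List[Flow], links: Dict[str, Link],
             policy: Dict[int, List[str]] = FORCED_POLICY) -> Dict[str, Placement]:
    """Place flows on links strictly in priority order.

    Priority-1 flows are placed before anything else, so they always see the
    whole link; lower priorities only get what is left, which is how QoS
    throttles them during congestion. A flow may be split across the links
    its policy allows, in the listed order.
    """
    state = {name: Link(name, link.capacity_mbps) for name, link in links.items()}
    result: Dict[str, Placement] = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        placement = Placement()
        remaining = flow.demand_mbps
        for link_name in policy[flow.priority]:
            if remaining <= 0:
                break
            link = state[link_name]
            granted = min(remaining, link.free_mbps())
            if granted > 0:
                link.used_mbps += granted
                placement.on[link_name] = granted
                remaining -= granted
        placement.throttled_mbps = remaining
        result[flow.app] = placement
    return result


def site_links(mpls_mbps: float = 10.0, adsl_mbps: float = 8.0) -> Dict[str, Link]:
    """Constructed link capacities for one branch office."""
    return {"MPLS": Link("MPLS", mpls_mbps), "ADSL": Link("ADSL", adsl_mbps)}


def quiet_hour() -> Dict[str, Placement]:
    """SAP needs 4 Mbps; HTTP spills onto the MPLS capacity SAP leaves free."""
    flows = [Flow("SAP", 1, 4.0), Flow("HTTP-browsing", 4, 6.0), Flow("HTTP-updates", 4, 5.0)]
    return schedule(flows, site_links())


def peak_hour() -> Dict[str, Placement]:
    """SAP needs 9 Mbps; HTTP is squeezed off MPLS and partly throttled."""
    flows = [Flow("SAP", 1, 9.0), Flow("HTTP-browsing", 4, 6.0), Flow("HTTP-updates", 4, 5.0)]
    return schedule(flows, site_links())


def mpls_outage() -> Dict[str, Placement]:
    """MPLS is down; with the backup policy SAP moves to ADSL and HTTP pays the price."""
    flows = [Flow("SAP", 1, 4.0), Flow("HTTP-browsing", 4, 6.0), Flow("HTTP-updates", 4, 5.0)]
    return schedule(flows, site_links(mpls_mbps=0.0), policy=BACKUP_POLICY)


if __name__ == "__main__":
    for label, scenario in [("quiet hour", quiet_hour), ("peak hour", peak_hour),
                            ("MPLS outage", mpls_outage)]:
        print(f"== {label} ==")
        for app, p in scenario().items():
            print(f"  {app:14s} on {p.on}  throttled {p.throttled_mbps} Mbps")
```

Run it as a script to see the three scenarios side by side: in the quiet hour the HTTP update traffic lands partly on ADSL and partly on the 6 Mbps that SAP leaves free on MPLS; at peak, SAP's 9 Mbps pushes HTTP almost entirely onto ADSL and 2 Mbps of it is throttled; during the outage SAP keeps its full 4 Mbps on ADSL because it is placed first.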

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big, reliable connection? The probability of all of them failing at the same time is low, provided they don't share a common point of failure (the same last-mile cable, the same cell tower or the same upstream carrier). Their traffic fluctuations occur at different times, so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections is cheaper than an MPLS connection of the same size.

The approach, then, is to take several low-cost connections and make them look like one trustworthy, fast connection. That's exactly what Stonesoft Next Generation Firewall does.

Multi-Link technology combines several hybrid network connections and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying links. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO was anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All the alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

About one year later, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Figure 4-1: Combining different links for efficient hybrid networks.

Load Balancing with Multi-Link

One simple way to choose a link is to pick whichever responds fastest. For example, even if one ISP's bandwidth far exceeds that of the other connections, a smaller ISP may still return a faster SYN-ACK (synchronize-acknowledgement) response.

But although that link may seem like the 'fastest' connection, choosing it ignores the proportionate bandwidth available: the big link sits idle while the small one saturates. A ratio method, whereby traffic is distributed among all the available links according to their relative capacity, avoids this.

In this section we describe how Multi-Link technology load-balances network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out whether one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall resolves the puzzle by using a ratio method in which traffic is distributed among all the available links according to their relative capacity.

The bandwidth of each link is compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacities.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.

Fuzzy logic is a useful tool in such scenarios because it's a multi-valued logic: instead of only '0' or '1', you have a continuum of values in between. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to questions such as:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'defuzzification' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the best-performing Internet service provider line.
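The ratio method and the fuzzy-logic health check are easier to see in code. The following is an added example written for this page, not Forcepoint's implementation of Multi-Link: the ratio weights are computed as the section describes (each link relative to the largest), link health is a fuzzy 'degree of truth' built from constructed RTT and packet-loss probe results (the thresholds of 50 to 300 ms and 0.5 to 5 per cent loss are assumptions chosen for illustration), a standby link such as the metered satellite connection from Chapter 3 receives traffic only once every active link has failed, and `distribute` shows why the achieved ratio is only approximate at low volume and converges to the capacity ratio at high volume. The link names, capacities and measurements are constructed sample data.

```python
"""Ratio-based load balancing with fuzzy link health (added example)."""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LinkStatus:
    name: str
    capacity_mbps: float
    rtt_ms: float            # latest probe round-trip time (constructed sample data)
    loss_pct: float          # latest probe packet loss, per cent (constructed)
    standby: bool = False    # e.g. a metered satellite link, used only in emergencies


def ratio_weights(links: List[LinkStatus]) -> Dict[str, float]:
    """Ratio method: weight every link relative to the largest one."""
    biggest = max(l.capacity_mbps for l in links)
    return {l.name: l.capacity_mbps / biggest for l in links}


def ramp(x: float, lo: float, hi: float) -> float:
    """Fuzzy membership: 0 below lo, 1 above hi, linear in between."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def badness(link: LinkStatus) -> float:
    """Degree of truth (0..1) of 'this link is going bad'.

    Rule: bad if RTT is high OR loss is high; fuzzy OR is the max of the two
    memberships. The ramp thresholds are illustrative assumptions.
    """
    high_rtt = ramp(link.rtt_ms, lo=50.0, hi=300.0)
    high_loss = ramp(link.loss_pct, lo=0.5, hi=5.0)
    return max(high_rtt, high_loss)


def effective_weights(links: List[LinkStatus], fail_threshold: float = 0.8) -> Dict[str, float]:
    """Defuzzify into per-link weights.

    A link's ratio weight is scaled down by its badness, so a degrading link
    gets less new traffic before it fails outright; a link at or above the
    threshold gets none. Standby links only get weight once every active
    link has failed, so they are never used while an active link still works.
    """
    active = [l for l in links if not l.standby]
    standby = [l for l in links if l.standby]
    base = ratio_weights(active)
    weights = {l.name: 0.0 for l in standby}
    for l in active:
        b = badness(l)
        weights[l.name] = 0.0 if b >= fail_threshold else round(base[l.name] * (1.0 - b), 4)
    if standby and not any(weights.values()):
        weights.update(ratio_weights(standby))
    return weights


def distribute(n_flows: int, weights: Dict[str, float], seed: int = 1) -> Dict[str, int]:
    """Assign n_flows new connections to links by weighted random choice."""
    if not any(weights.values()):
        raise RuntimeError("no usable link: all active links failed and no standby configured")
    rng = random.Random(seed)
    names = [n for n, w in weights.items() if w > 0]
    picks = rng.choices(names, weights=[weights[n] for n in names], k=n_flows)
    return {n: picks.count(n) for n in weights}


def shares(counts: Dict[str, int]) -> Dict[str, float]:
    """Fraction of flows each link actually received."""
    total = sum(counts.values())
    return {n: c / total for n, c in counts.items()}


def expected_shares(weights: Dict[str, float]) -> Dict[str, float]:
    """Fraction of flows each link should receive according to its weight."""
    total = sum(weights.values())
    return {n: w / total for n, w in weights.items()}


# Constructed probe results for one site: three active links plus a standby satellite.
HEALTHY = [
    LinkStatus("MPLS", 100.0, rtt_ms=20.0, loss_pct=0.0),
    LinkStatus("LTE", 50.0, rtt_ms=45.0, loss_pct=0.2),
    LinkStatus("ADSL", 20.0, rtt_ms=35.0, loss_pct=0.1),
    LinkStatus("SAT", 10.0, rtt_ms=600.0, loss_pct=0.0, standby=True),
]
# ADSL is losing 3% of packets; LTE's RTT has shot up to 400 ms.
DEGRADED = [
    LinkStatus("MPLS", 100.0, 20.0, 0.0),
    LinkStatus("LTE", 50.0, 400.0, 0.2),
    LinkStatus("ADSL", 20.0, 35.0, 3.0),
    LinkStatus("SAT", 10.0, 600.0, 0.0, standby=True),
]
# Every active link is dead (the hurricane case): only the standby link is left.
ALL_ACTIVE_DOWN = [
    LinkStatus("MPLS", 100.0, 900.0, 100.0),
    LinkStatus("LTE", 50.0, 900.0, 100.0),
    LinkStatus("ADSL", 20.0, 900.0, 100.0),
    LinkStatus("SAT", 10.0, 600.0, 0.0, standby=True),
]


if __name__ == "__main__":
    w = effective_weights(HEALTHY)
    print("weights:", w, "expected shares:", expected_shares(w))
    for n in (20, 20000):
        print(f"{n:6d} flows ->", shares(distribute(n, w)))
    print("degraded:", effective_weights(DEGRADED))
    print("all active down:", effective_weights(ALL_ACTIVE_DOWN))
```

Running it prints the achieved share for 20 flows, which lands only roughly near the 59/29/12 per cent split that the 100/50/20 Mbps capacities call for, and the share for 20,000 flows, which sits within a percentage point of it; the degraded set shows LTE dropped to zero weight and ADSL scaled down to about 0.09 rather than 0.2, and the all-down set shows the satellite link taking everything.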

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You may be surprised how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology will use to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real-Time?
  • EULA

require special equipment and constant maintenance, but even under the best circumstances they can't participate in a VPN network without slowing down network performance.

As with BGP, if end-users want to implement load balancers, they must purchase specialized hardware. External load balancers require specialized network components to use multiple ISPs, such as a pair of gateways and a pair of load balancers (to achieve high availability on the load balancers), which adds to the cost of implementation. Turn to Chapter 3 for more details on load balancing and ISPs.

External load-balancing equipment requires constant supervision, administration and system updates, which adds to maintenance costs. Administrators have to be aware of every point through which data flows in order to implement dynamic routing processes. They also have to check that the separate configurations of the gateway and the load-balancing box are consistent, which further compounds the technical complexity of the management process.


Chapter 2: Running Efficient Hybrid Networks

In This Chapter

Producing a smooth-running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well-regulated communications infrastructure is a common core requirement. Deploying in-depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill-configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario the tradeoff between security and performance can lead to disaster, especially as cyber-threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web-based technologies, remote workforce enablement and cloud applications are amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: Must-have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.
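The bank example above (stock exchange traffic always gets through, web surfing slows at peak) can be shown with a small queueing simulation. This is an added illustration in Python, not code from the book or from any firewall product: it models a link whose capacity is lower than the offered load and compares a strict-priority scheduler (the QoS behaviour described) against a plain first-in, first-out queue. The flow names, sizes and packet counts are constructed sample values.

```python
"""Strict-priority QoS versus FIFO under congestion (illustrative simulation)."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Flow:
    """A traffic class with a constructed, constant offered load."""
    name: str
    priority: int          # lower number = served first
    bytes_per_tick: int    # offered load per simulation tick
    packet_size: int = 10  # all packets are the same size for simplicity


def _enqueue_arrivals(flows, queues):
    """Add one tick's worth of packets for every flow, in the order the flows are listed."""
    for f in flows:
        for _ in range(f.bytes_per_tick // f.packet_size):
            queues[f.name].append(f.packet_size)


def run_strict_priority(flows, capacity, ticks):
    """Each tick, spend the link capacity on the highest-priority queue first.
    Returns (bytes delivered per flow, bytes still queued per flow)."""
    queues = {f.name: deque() for f in flows}
    delivered = {f.name: 0 for f in flows}
    by_priority = sorted(flows, key=lambda f: f.priority)
    for _ in range(ticks):
        _enqueue_arrivals(flows, queues)
        budget = capacity
        for f in by_priority:
            q = queues[f.name]
            while q and q[0] <= budget:
                budget -= q.popleft()
                delivered[f.name] += f.packet_size
    backlog = {name: sum(q) for name, q in queues.items()}
    return delivered, backlog


def run_fifo(flows, capacity, ticks):
    """No QoS: a single queue served in arrival order, so a burst of low-priority
    traffic delays the business-critical packets queued behind it."""
    queue = deque()
    delivered = {f.name: 0 for f in flows}
    for _ in range(ticks):
        for f in flows:
            for _ in range(f.bytes_per_tick // f.packet_size):
                queue.append((f.name, f.packet_size))
        budget = capacity
        while queue and queue[0][1] <= budget:
            name, size = queue.popleft()
            budget -= size
            delivered[name] += size
    backlog = {f.name: 0 for f in flows}
    for name, size in queue:
        backlog[name] += size
    return delivered, backlog


if __name__ == "__main__":
    # Constructed scenario: 160 bytes/tick offered on a 100 bytes/tick link.
    flows = [Flow("stock-exchange", priority=0, bytes_per_tick=40),
             Flow("web-surfing", priority=1, bytes_per_tick=120)]
    for label, runner in (("strict priority", run_strict_priority), ("fifo", run_fifo)):
        delivered, backlog = runner(flows, capacity=100, ticks=10)
        print(f"{label:16s} delivered={delivered} backlog={backlog}")
```

With strict priority the stock-exchange flow is delivered in full every tick and only web surfing builds a backlog; with FIFO the critical flow also ends up waiting behind queued web traffic, which is exactly the situation QoS is meant to prevent.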

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).
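The 'only one default route' limitation is easiest to see in a routing-table model. The following Python example is added here and is not from the book or any vendor: it implements a longest-prefix-match routing table and then a source-based rule layer of the kind Linux policy routing provides (ip rule ... lookup <table>), which is one common way a multi-ISP gateway keeps each ISP's traffic on its own link. The addresses are constructed from the documentation ranges (203.0.113.0/24 for ISP A, 198.51.100.0/24 for ISP B, 10.0.0.0/24 for the LAN, 192.0.2.50 as an Internet host); the class and function names are assumptions for the demonstration.

```python
"""Why one default route is not enough with two ISPs: a policy-routing model (illustrative)."""
import ipaddress


class RoutingTable:
    """Longest-prefix-match table of (destination prefix, next hop or 'on-link')."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), via) for prefix, via in routes]

    def lookup(self, dst: str):
        d = ipaddress.ip_address(dst)
        best = None
        for net, via in self.routes:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


class PolicyRouter:
    """Chooses a routing table by source address before the destination lookup,
    modelled on Linux 'ip rule from <prefix> lookup <table>' (a model, not kernel code).
    With no rules it behaves like an ordinary host with a single main table."""

    def __init__(self, main: RoutingTable, rules):
        self.main = main
        self.rules = [(ipaddress.ip_network(src), table) for src, table in rules]

    def next_hop(self, src: str, dst: str):
        s = ipaddress.ip_address(src)
        for src_net, table in self.rules:
            if s in src_net:
                hop = table.lookup(dst)
                if hop is not None:
                    return hop
        return self.main.lookup(dst)


# Constructed addressing: ISP A gateway and ISP B gateway.
ISP_A_GW, ISP_B_GW = "203.0.113.1", "198.51.100.1"

# The main table can hold only one default route, here via ISP A.
MAIN = RoutingTable([
    ("10.0.0.0/24", "on-link"),
    ("203.0.113.0/24", "on-link"),
    ("198.51.100.0/24", "on-link"),
    ("0.0.0.0/0", ISP_A_GW),
])

# A second table whose default route points at ISP B.
TABLE_ISP_B = RoutingTable([
    ("198.51.100.0/24", "on-link"),
    ("0.0.0.0/0", ISP_B_GW),
])

single_default = PolicyRouter(MAIN, rules=[])
policy_routed = PolicyRouter(MAIN, rules=[("198.51.100.0/24", TABLE_ISP_B)])


def reply_path(router: PolicyRouter, isp_b_address="198.51.100.10", internet_host="192.0.2.50"):
    """Next hop for a reply sent from the address ISP B assigned to us, to an Internet host.
    With one default route the reply leaves via ISP A even though the request arrived via ISP B;
    with the source-based rule it leaves via ISP B."""
    return router.next_hop(isp_b_address, internet_host)


if __name__ == "__main__":
    print("single default route:", reply_path(single_default))   # 203.0.113.1 (ISP A)
    print("policy routing:      ", reply_path(policy_routed))    # 198.51.100.1 (ISP B)
    print("LAN host to Internet:", policy_routed.next_hop("10.0.0.5", "192.0.2.50"))
```

The asymmetric case matters for security as well as for load balancing: packets sent from ISP B's address range out through ISP A are the kind of traffic an upstream provider's ingress filtering may drop, so a gateway that combines links needs per-link routing (or a load balancer doing the equivalent) rather than a single default route.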

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique the primary ISP forwards traffic to and from the Internet, while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is an active-active setup, where both links handle traffic and the available Internet connections are used to their full capacity.

In specific cases, keeping some Internet links on standby and using them only in emergencies can be useful. A typical example is satellite connections, whose cost is based on the volume of traffic they carry. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a good emergency backup: they're used only when nothing else is available. Although their per-volume cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should always be available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.

Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connections are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth and availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission, including over 4G/Long Term Evolution (LTE) wireless connections (LTE is a standard for high-speed mobile connections and the successor to UMTS). Consumer grade connections can reach 100 Mbps, but their capacity often fluctuates and outages sometimes occur.

Some high-quality link providers charge their customers on the basis of traffic volume. In such cases, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to the cheap links and reserve the metered, high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have gone so far as to use low-quality links for all traffic (including high-priority traffic) and keep all their high-quality links on standby. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use the cheaper lines and only occasionally fall back on the more expensive ones. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.

Estimating a budget

Experience shows that Internet links fail at some stage. To reduce the risk, organizations resort to multiple link types or standby systems, which ultimately increase both the complexity and the cost of the infrastructure.

Rethinking the combination and roles of MPLS and broadband connections can go a long way towards saving on bandwidth costs without sacrificing performance.

If you're considering a WAN optimization model, evaluate costs by first obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for each type of traffic and its priority. Then obtain an accurate estimate of how a solution can help you leverage broadband connections and benefit from agile, cost-saving connectivity.

Keeping Your Network Safe

Although you can build VPNs using MPLS, which works by separating different traffic streams, MPLS connections don't provide encryption.

ISPs like to highlight the virtual tunnelling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can think of the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you see from that network. The security of the network is therefore only as good as the configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

People make mistakes, and those mistakes can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you remove this risk to the content of your traffic: an eavesdropper receives only ciphertext that they can't decipher (although the endpoint addresses and traffic volumes remain visible to them).

Demystifying VPN protocols

Whereas MPLS-based VPNs keep traffic private on high-performance connections by separating it, four main protocols are used to take traffic security to the next level:

• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IP Security (IPsec)
• Secure Sockets Layer (SSL), today superseded by Transport Layer Security (TLS)

These protocols support authentication and encryption in VPNs. Authentication lets VPN clients and servers correctly establish the identity of the other party; encryption hides potentially sensitive data from anyone else who can see the traffic.

The only effective way to prevent eavesdropping on network traffic is to encrypt it between the endpoints, using IPsec or SSL VPN. ISPs don't normally provide encryption when you order network links from them.

PPTP

Point-to-Point Tunneling Protocol allows remote users to access their corporate networks from Microsoft Windows platforms and other enabled systems. Users connect to their local ISP and then tunnel to their corporate network over the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, its authentication and encryption have well-known weaknesses, and most experts now consider it insecure.

L2TP

Layer 2 Tunneling Protocol builds on PPTP and is used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

L2TP provides no encryption of its own, so you use it in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and can therefore protect any protocol that runs on top of IP. As a framework of various protocols and algorithms that can be extended and developed, IPsec provides flexibility and in-depth strength, and it's an almost ideal solution for securing VPNs.

The only drawback is that IPsec requires setting up on both the corporate network and the client end, and it's a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer VPN provides strong security for remote-access users and is easy to use; the underlying protocol is already heavily employed in online shopping and banking. SSL/TLS-protected pages display 'https' in the browser address bar rather than 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler by a web portal. SSL VPN can also mimic the way IPsec works via lightweight client software.

Using SSL VPN lets thousands of end-users access the corporate network without administrator support and without the hours of configuring and troubleshooting that IPsec can involve. End-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used; you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network into it, which creates a need for connections between the company's own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but it's worth highlighting the importance of also encrypting the valuable data you store in the cloud.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

• Appreciating the power of multi-link management
• Distributing traffic for bandwidth efficiency
• Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. Besides supporting crucial features such as clustering, load balancing, QoS and evasion protection, the solution provides a simple and cost-effective way to create secure, high-capacity connections between sites and to ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when using BGP for a highly available Internet connection. The integrated Forcepoint Security Management Center holds all of the configuration, completely independent of any setup or co-ordination with the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges set out in Chapter 3. Multi-Link is a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Meeting Multi-Link Technology

The Forcepoint solution combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can use Multi-Link technology to keep your network up and running efficiently, all of the time.

Prioritizing links

In a normal situation (enough network capacity and no congestion), all traffic is load balanced evenly across the network links. When congestion occurs (during peak hours), QoS takes action, either dedicating some of the links entirely to high-priority traffic or guaranteeing a specific percentage of link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Companies often configure QoS so that high-priority traffic stays on high-quality network links (such as MPLS) and low-priority traffic uses cheaper, lower-quality links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.

The problem

The bandwidth issue arose because the other traffic (email, Internet browsing and so on) was carried over the same MPLS connection. The company wanted to move the other traffic off the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had many offices, so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive and would still leave the single MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for an outage was capped at the subscription fees it had already paid. In the case of an outage this wouldn't come close to covering the production losses, so the company wanted a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems using Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for each of its offices, a cost-effective way to supply more bandwidth to every location.

Forcepoint's Multi-Link technology was used to load balance traffic between the ADSL and MPLS connections, and the QoS feature was used to prioritize SAP traffic. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times, while the cost-effective ADSL connection provides extra capacity whenever it's needed.

Here's a sample configuration:

• SAP traffic = Priority 1 = Forced onto the MPLS link
• HTTP traffic = Priority 4 = Normally uses ADSL, plus any free capacity on the MPLS link
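To make the policy above concrete, here is an added example (not Forcepoint code, and not how Stonesoft NGFW is implemented internally) that models a two-link site in Python. Priority-1 flows are placed first and forced onto the MPLS link; priority-4 flows go to ADSL and may spill onto whatever MPLS capacity is left; if MPLS is down, priority-1 traffic fails over to ADSL rather than being dropped. Because the whole flow set is re-scheduled in priority order, a new high-priority flow displaces low-priority traffic from MPLS instead of queueing behind it. Link names, capacities, flow sizes and the priority scale are constructed assumptions.

```python
"""Priority-based link selection for a two-link hybrid site (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Link:
    name: str
    capacity_mbps: float
    up: bool = True


@dataclass(frozen=True)
class Flow:
    name: str
    priority: int   # 1 = highest, 4 = lowest (assumed scale)
    mbps: float


# Assumed per-priority link preference mirroring the sample configuration:
# priority 1 is forced onto MPLS and falls back to ADSL only if MPLS is down;
# priority 4 starts on ADSL and may spill onto spare MPLS capacity.
POLICY = {1: ("MPLS", "ADSL"), 4: ("ADSL", "MPLS")}


def schedule(flows, links):
    """Assign every flow to a link, highest priority first.

    Returns (assignment, free): assignment maps flow name -> link name
    (None means no link has room, i.e. the flow is throttled); free maps
    link name -> remaining Mbps. A down link offers zero capacity.
    """
    free = {l.name: (l.capacity_mbps if l.up else 0.0) for l in links}
    assignment = {}
    for flow in sorted(flows, key=lambda f: f.priority):   # stable sort
        chosen = None
        for link_name in POLICY[flow.priority]:
            if free.get(link_name, 0.0) >= flow.mbps:
                chosen = link_name
                free[link_name] -= flow.mbps
                break
        assignment[flow.name] = chosen
    return assignment, free


def utilisation(links, free):
    """Per-link utilisation as a fraction of capacity (0.0 for a down link)."""
    return {l.name: (1 - free[l.name] / l.capacity_mbps) if l.up else 0.0
            for l in links}


def mpls_down(links):
    """Copy of `links` with the MPLS circuit marked down (outage scenario)."""
    return tuple(replace(l, up=False) if l.name == "MPLS" else l for l in links)


# Constructed sample site: a small MPLS circuit plus a larger ADSL line, and
# one ERP flow alongside three web flows of differing size.
LINKS = (Link("MPLS", 2.0), Link("ADSL", 8.0))
FLOWS = (
    Flow("sap-erp", 1, 1.5),
    Flow("web-bulk", 4, 6.0),
    Flow("web-video", 4, 2.0),
    Flow("web-small", 4, 0.5),
)

if __name__ == "__main__":
    for label, links in (("normal", LINKS), ("MPLS outage", mpls_down(LINKS))):
        assignment, free = schedule(FLOWS, links)
        print(label, assignment, utilisation(links, free))
```

In the normal case the ERP flow lands on MPLS, the two large web flows fill ADSL, and the small web flow uses the 0.5 Mbps left on MPLS, so both links run at full utilisation. During the MPLS outage the ERP flow moves to ADSL and the web flow that no longer fits is the one that gets throttled, which is the behaviour the retail company wanted from its backup link.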

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality controls how each application uses the available bandwidth. Mission-critical applications can be placed on links that provide high priority and low latency, while all other applications are placed on the links that have spare bandwidth or provide best effort.

Built-in QoS makes use of network resources more efficient by serving the traffic that matters most to your business first, so you don't need to buy more bandwidth.

The retail company now benefits from guaranteed bandwidth for its mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could assemble several ADSL and LTE connections into one big, reliable connection? As long as the links don't share the same physical path, the probability of all of them failing at the same time is small, and their traffic fluctuations occur at different times, so most of the time you'd enjoy more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections is cheaper than an MPLS connection of the same size.

Another approach is to take several low-cost connections and make them look like one trustworthy, fast connection. That's exactly what Stonesoft Next Generation Firewall does.

Multi-Link technology combines several hybrid network connections and makes the individual links invisible to the user (see Figure 4-1). The user sees only a fast, always-available connection, whatever the underlying links. Organizations gain the flexibility to deploy the type and number of connections best suited to their environments and budgets.

Joining together for security

An industrial organization had its production sites in the United States and one of its sales offices in Bermuda.

The problem

The Bermuda office was totally dependent on its connection to the company's production sites: a single MPLS connection. The CIO was anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the office out of business for a long time.

The company compared several options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All of the alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks.

About one year later, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When the event hit the news, Forcepoint support personnel called the organization's IT manager and asked whether he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically moved to the one still functioning. Business continued without interruption.

Load Balancing with Multi-Link

You might think that simply picking the link that responds fastest is the best way to balance load. But if one ISP's bandwidth far exceeds that of the smaller ISP connections alongside it, a smaller ISP may still return a faster SYN-ACK (synchronize-acknowledgement) response.

Although that link looks like the 'fastest' connection, choosing it ignores the proportion of bandwidth each link actually has. A ratio method, which distributes traffic among all the available links according to their relative capacity, takes that into account.

In this section we describe how Multi-Link technology load-balances network traffic among different links. You discover how it uses fuzzy logic to quickly detect that one of the links is going bad and to move traffic away to other healthy links.

Figure 4-2: Multi-Link technology secures hybrid business networks.

Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall resolves the puzzle with a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidth of each link is automatically compared to the bandwidth of the largest link to produce a ratio for distributing the traffic:

• Volume of traffic is low: the actual traffic distribution only approximates the ratio.
• Volume of traffic is high: the share of traffic handled by each link comes closer to the ratio calculated from the link capacities.

Getting logical, though fuzzily

Ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into account, for more granular and efficient use of the available links.

Load-balancing traffic between several ISPs isn't as easy as it sounds (if it didn't sound easy, ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.
• Traffic goes to a poor-quality link even though a better link is available.
• Traffic goes to a standby link even though an active link works.
• Switching to a standby link takes too long.

Fuzzy logic is a good tool for such scenarios because it's a multi-valued logic: instead of just '0' or '1' you have many intermediate values. Fuzzy logic can work with imprecise data and calculate 'degrees of truth', providing answers to questions such as:

• How high is the load?
• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to produce an answer. This capability helps Stonesoft Next Generation Firewall work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
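The following added example ties together the ratio method and the fuzzy health idea from the two sections above. It is illustrative Python written for this page, not Forcepoint's algorithm: each active link gets a weight equal to its capacity relative to the largest link, scaled by a health degree between 0 and 1 that is the fuzzy AND (minimum) of a latency membership and a packet-loss membership. Flows are mapped to links by hashing their 5-tuple, so a flow stays on one link while the weights hold and, over many flows, each link's share converges on its capacity ratio. Standby links are considered only when every active link has health 0, which avoids the 'traffic goes to a standby link even though an active link works' failure listed above. Link names, measurements and thresholds are constructed assumptions.

```python
"""Ratio-based multi-link selection with a fuzzy health score (added example)."""
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Link:
    name: str
    capacity_mbps: float
    latency_ms: float
    loss_pct: float
    standby: bool = False


def degree_ok(value, good, bad):
    """Fuzzy membership in 'acceptable': 1.0 at or below `good`, 0.0 at or
    above `bad`, linear in between (a trapezoidal membership function)."""
    if value <= good:
        return 1.0
    if value >= bad:
        return 0.0
    return (bad - value) / (bad - good)


def health(link):
    """Degree to which a link is healthy: fuzzy AND (min) of its latency and
    loss memberships. The thresholds are assumptions for this example."""
    return min(degree_ok(link.latency_ms, good=50, bad=800),
               degree_ok(link.loss_pct, good=0.5, bad=10))


def weights(links):
    """Capacity ratio against the largest link, scaled by health.
    Active links are used first; standby links only when no active link
    has any health left."""
    biggest = max(l.capacity_mbps for l in links)

    def tier(subset):
        return {l.name: (l.capacity_mbps / biggest) * health(l) for l in subset}

    active = tier([l for l in links if not l.standby])
    if sum(active.values()) > 0:
        return active
    return tier([l for l in links if l.standby])


def select_link(flow_tuple, links):
    """Pick a link for a flow, weighted by `weights`, using a stable hash of
    the 5-tuple so the same flow always lands on the same link. Returns
    None when every link (active and standby) is unusable."""
    w = weights(links)
    total = sum(w.values())
    if total == 0:
        return None
    digest = hashlib.sha256(repr(flow_tuple).encode()).digest()
    point = int.from_bytes(digest[:8], "big") / 2 ** 64 * total
    acc = 0.0
    for name, weight in w.items():
        acc += weight
        if point < acc:
            return name
    return name  # floating-point rounding guard: last link


def distribution(links, n_flows):
    """Share of `n_flows` constructed flows (distinct source IP/port) landing
    on each link; flows that found no link are not counted."""
    counts = {l.name: 0 for l in links}
    for i in range(n_flows):
        flow = ("10.0.0.%d" % (i % 254 + 1), 40000 + i, "203.0.113.10", 443, "tcp")
        chosen = select_link(flow, links)
        if chosen is not None:
            counts[chosen] += 1
    return {name: count / n_flows for name, count in counts.items()}


def with_link(links, name, **changes):
    """Copy of `links` with one link's measurements changed, to simulate
    a degraded or failed link."""
    return tuple(replace(l, **changes) if l.name == name else l for l in links)


# Constructed sample site: three active links plus a metered satellite standby.
LINKS = (
    Link("MPLS", 10.0, latency_ms=20, loss_pct=0.0),
    Link("ADSL", 20.0, latency_ms=30, loss_pct=0.2),
    Link("LTE", 5.0, latency_ms=40, loss_pct=0.3),
    Link("SAT", 2.0, latency_ms=600, loss_pct=0.0, standby=True),
)

if __name__ == "__main__":
    print("healthy:", distribution(LINKS, 20000))
    print("ADSL lossy:", distribution(with_link(LINKS, "ADSL", loss_pct=15.0), 20000))
```

With all three active links healthy the weights are 0.5, 1.0 and 0.25, so roughly 2/7 of flows land on MPLS, 4/7 on ADSL and 1/7 on LTE, and the satellite link carries nothing. Pushing ADSL's loss to 15 per cent drives its health to 0 and its share to zero without touching the other links, and only when all three active links are unusable does the selector fall back to the satellite standby.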

Keeping Watch over Hybrid Networks

Both experience and research have taught security administrators that some of the major challenges in protecting IT assets relate to managing the security infrastructure itself. These challenges span monitoring network and server activity, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management across hybrid networks to reduce its operational costs while ensuring that connectivity and performance met its business requirements.

Proving a success

Case studies available at www.forcepoint.com consistently cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can mean a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning many distributed sites need constant surveillance across the entire infrastructure to keep services agile. The Security Management Center provides single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company that needed lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.
• The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.
• A VoIP service was desirable wherever possible, to save costs.
• Two or three people operating out of one site had to manage the whole network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, there's a relatively good chance that wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can start with 3G wireless connections and add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall automatically falls back to the 3G connection.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the price rises sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't need much bandwidth, whereas Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and to direct all other traffic to lower-cost ADSL lines, keeping its global connection costs low. It managed this with Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company manages its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities
• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices for managing your distributed network from these questions, which help you map your network infrastructure to the technological solutions at your disposal.

Answering these questions, and referring to the relevant parts of this book, helps you tap the benefits of firewalling adapted to your needs. Although by no means exhaustive, the framework presented here is intended to help you quickly grasp the situation your network is in today and then build your strategies around that knowledge.

The information in this chapter isn't detailed enough for you to understand all the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete picture of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business is in the industrial, educational, financial or another segment, you have to define exactly what the network brings you in terms of business value and which parts of your activity depend on it most.

You also need to grasp fully the consequences of downtime, broken connections, stealthy attacks or increasing traffic volumes. You can be surprised how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and WAN links such as point-to-point MPLS. Knowing the full scope of the links you use and the bandwidth you're actually getting conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in the best case, do nothing at all. How great would that be?

We discuss SLAs in Chapter 2.

What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Take that knowledge one step further and analyze whether your processes help or hinder those applications. Doing so puts you in a position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and businesses today, and it's increasingly clear that security precautions aren't always implemented. Taking care of your security helps you take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols you need to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free today, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking a backup solution in case of an outage, can quickly lead to large production losses.

Learn all about the Multi-Link technology that helps you scale your network performance in Chapter 4.

How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as initial firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict how much time and effort your installations will demand in the future, you can easily weigh current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that recipients didn't see information intended for them. Paying attention to input from users and your environment is always wise, but better still is being able to answer the throughput question by looking at the history across the links you deploy and using that data to troubleshoot bottlenecks.

Chapter 4 explores the different methods Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection adversely affects network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to speed up traffic, without a qualm, until the day an attack slips by unnoticed. You should therefore make sure you strike the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, that is, for taking a backup image of a server. Would they really need encryption on that dedicated, extremely high-traffic network? The answer depends on who can reach that network: a physically isolated backup LAN is a different case from a path that crosses shared or provider infrastructure.

Skip back to Chapter 1 for the different types of network architecture and their security features, and see Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what’s happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


Wiley End User License Agreement: go to www.wiley.com/go/eula to access Wiley’s ebook EULA.


Chapter 2 Running Efficient Hybrid Networks

In This Chapter
• Producing a smooth‐running complex network
• Understanding your hybrid network’s use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. Deploying in‐depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing loss of productivity through network problems and enhancing the security of your hybrid network.

Balancing Cost Performance and Security

Network downtime (or high latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

• Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

• Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario the trade‐off between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic, modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today’s 24/7/365 reality, ongoing connectivity has changed people’s lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn’t an easy remit, especially when you consider the diverse challenges confronting most businesses:


• Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

• Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

• Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

• Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

• Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it’s also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.
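The arithmetic behind that warning is worth having to hand when you read an SLA. The following is an added example, not code from the book or from any vendor: it converts an availability percentage into the downtime it actually permits over a given measurement window, and checks a constructed outage log against the contracted target, merging overlapping tickets so that one incident is not counted twice. All dates and outages are constructed sample data.

```python
"""SLA availability arithmetic (constructed example, not from the book):
how much downtime a percentage really allows, and whether a set of
measured outages breached the agreed target."""
from datetime import datetime, timedelta


def allowed_downtime(availability_pct, period=timedelta(days=365)):
    """Downtime an SLA of `availability_pct` tolerates over `period`.
    99% over a year is 3.65 days; the same 99% over a month is 7.2 hours,
    so always ask which measurement window the contract uses."""
    return period * (1 - availability_pct / 100)


def downtime_in_window(outages, start, end):
    """Total outage time inside [start, end), merging overlapping intervals
    so that two tickets for one incident are not counted twice."""
    clipped = sorted((max(s, start), min(e, end)) for s, e in outages)
    total = timedelta(0)
    cur_start = cur_end = None
    for s, e in clipped:
        if e <= s:                              # outage lies entirely outside the window
            continue
        if cur_end is None or s > cur_end:      # no overlap with the running interval
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = s, e
        else:                                   # overlap: extend the running interval
            cur_end = max(cur_end, e)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def measured_availability(outages, start, end):
    """Availability in per cent achieved over the window."""
    return 100 * (1 - downtime_in_window(outages, start, end) / (end - start))


def sla_breached(target_pct, outages, start, end):
    """True when measured availability fell below the contracted percentage."""
    return measured_availability(outages, start, end) < target_pct


if __name__ == "__main__":
    for pct in (99, 99.9, 99.99):
        print(f"{pct}% per year allows {allowed_downtime(pct)} of downtime")
    # Constructed outage log for January 2015: two overlapping tickets for one
    # three-hour incident, plus a full-day outage later in the month.
    jan = [(datetime(2015, 1, 5, 10), datetime(2015, 1, 5, 12)),
           (datetime(2015, 1, 5, 11), datetime(2015, 1, 5, 13)),
           (datetime(2015, 1, 20), datetime(2015, 1, 21))]
    start, end = datetime(2015, 1, 1), datetime(2015, 1, 31)
    print(f"January availability: {measured_availability(jan, start, end):.2f}%")
    print("99% SLA breached:", sla_breached(99, jan, start, end))
```

The window matters as much as the percentage: a provider that measures monthly can be "99 per cent available" every month while a single yearly figure would show the same outages as a breach, so the contract should state the window, what counts as downtime, and who measures it.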

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they’re social networks or e‐learning tools that don’t have a business impact if they aren’t accessible.

As a result, you need to consider and address the following questions:

• Is a cost‐effective way available to provide backup connections if the MPLS fails?

• The Internet connection is always too limited and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

• When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

• Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn’t result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today’s firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.
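To make the difference concrete, here is an added example (not code from the book, and not how any particular vendor’s firewall is implemented) that evaluates the same constructed traffic against a port‐based stateful rule and against an application‐ and user‐aware rule set. The `app` and `user` fields on each packet stand in for what a next‐generation firewall learns from application classification and directory integration; the application names, addresses and group membership are all constructed sample values.

```python
"""Stateful 5-tuple rules versus next-generation, application- and
user-aware rules (constructed example, not Forcepoint/Stonesoft code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    app: Optional[str] = None    # e.g. "salesforce"; None when the firewall cannot classify
    user: Optional[str] = None   # authenticated user behind the source IP, if known


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None
    src_net: str = "any"
    app: Optional[str] = None         # NGFW-only match criterion
    user_group: Optional[str] = None  # NGFW-only match criterion


def matches(rule, pkt, groups):
    """Every criterion set on the rule must match; unset criteria are wildcards."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src_net != "any" and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if rule.app is not None and rule.app != pkt.app:
        return False
    if rule.user_group is not None and pkt.user not in groups.get(rule.user_group, ()):
        return False
    return True


def decide(policy, pkt, groups=None):
    """First-match evaluation with an implicit final deny."""
    groups = groups or {}
    for rule in policy:
        if matches(rule, pkt, groups):
            return rule.action
    return "deny"


# A traditional stateful policy: "HTTPS from the LAN is allowed".
STATEFUL_POLICY = [Rule("allow", proto="tcp", dport=443, src_net="10.0.0.0/8")]

# The NGFW version of the same intent: only the sanctioned SaaS application
# for everyone, general browsing only for staff, everything else dropped.
NGFW_POLICY = [
    Rule("allow", proto="tcp", dport=443, src_net="10.0.0.0/8", app="salesforce"),
    Rule("allow", proto="tcp", dport=443, src_net="10.0.0.0/8",
         app="web-browsing", user_group="staff"),
    Rule("deny"),
]
GROUPS = {"staff": {"alice", "bob"}}   # constructed directory group


def compare(pkt):
    """Decision of both policies for one packet: (stateful, ngfw)."""
    return decide(STATEFUL_POLICY, pkt), decide(NGFW_POLICY, pkt, GROUPS)


if __name__ == "__main__":
    # Constructed traffic: every flow is TCP/443, so the port alone cannot tell them apart.
    samples = [
        Packet("10.1.1.5", "203.0.113.10", "tcp", 443, app="salesforce", user="alice"),
        Packet("10.1.1.5", "203.0.113.20", "tcp", 443, app="file-sharing", user="alice"),
        Packet("10.1.1.9", "203.0.113.30", "tcp", 443, app="web-browsing", user="guest"),
    ]
    for p in samples:
        stateful, ngfw = compare(p)
        print(f"{p.app:13} {p.user:6} stateful={stateful:5} ngfw={ngfw}")
```

The port‐based rule lets all three flows through because they all look like HTTPS; the application‐aware rule set distinguishes the sanctioned SaaS application from file sharing on the same port and ties general browsing to an identified group. The implicit final deny is the same in both cases, which is why the stateful policy also blocks the flow from an address outside the LAN range.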

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.

Chapter 3 Managing Hybrid Connection Challenges

In This Chapter
• Making informed decisions about connectivity
• Thinking about cost
• Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company’s network isn’t an ancient chalice but an efficient, secure and cost‐effective connection. And you don’t have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that’s vital to it and traffic that’s just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren’t as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher‐priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn’t help if your connection is down. What you ideally require is a method to combine multiple network links and QoS to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They’re extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They’re only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.

Here we look at how you can put together a more cost‐effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work with the best‐effort principle, which ultimately means that they’re less reliable than MPLS connections. But they’re still tempting for businesses because they’re cheap and can offer high‐speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high‐speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high‐quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section ‘Prioritizing traffic with QoS’) makes sense in order to assign lower‐priority traffic to cheap links and reserve high‐quality lines for high‐priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status on all high‐quality links. In case of congestion or failure, they start automatically using the backup high‐quality links for high‐priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier ‘Activating dormant links’ section, an example is using satellite links as a backup link for very high‐priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don’t provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn’t quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP’s MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can’t decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

• Point to Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IP Security (IPsec)
• Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don’t normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it’s an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It’s used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it’s already heavily employed in online shopping and banking. SSL‐protected pages display ‘https’ in the browser URL bar as opposed to ‘http’.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don’t need to rely on pre‐configured client‐side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company’s internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use‐case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We don’t focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter
• Appreciating the power of multi‐link management
• Distributing traffic for bandwidth efficiency
• Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint’s network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, nor the ISP peering agreements that are needed between two ISPs when BGP is used to provide high availability for your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they’re completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.


These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited


Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running efficiently, and all of the time.

Prioritizing links

In a normal situation (enough networking capacity and no congestion) all traffic is evenly load balanced between the different network links. When congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links entirely to high‐priority traffic or guaranteeing a specific percentage of a link's capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren't reserved for high‐priority traffic.

Often companies subscribe to QoS so that high‐priority traffic is kept on high‐quality network links (such as MPLS) while low‐priority traffic uses cheaper or lower‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because the SAP traffic didn't always have enough bandwidth available.



The problem

The bandwidth issue arose because the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to move that other traffic off the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, so adding a second MPLS connection everywhere was too costly. Raising the capacity of the existing MPLS connection was also considered, but it was expensive and left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. In the event of an outage that wouldn't come close to covering the production losses, and so the company wanted a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections, and the QoS feature was used to prioritize the SAP traffic. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times, while the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced onto the MPLS link

HTTP traffic = Priority 4 = Normally uses ADSL, plus any free capacity on the MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality gives you control over how each application uses the available bandwidth. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on links that have available bandwidth or provide best effort.

Built‐in QoS makes use of network resources more efficient by serving the traffic that matters most to your business first, so you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for its mission‐critical, time‐sensitive applications and a better user experience.
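The sample configuration above can be modelled as a strict‐priority fill: each traffic class is served in priority order and may only use the links it is configured for, so a class listing a single link is 'forced' onto it and a class listing two links spills onto the second only once the first is full. The following Python is an added example written for this book's text, not Forcepoint's implementation; the link capacities (2 Mbit/s MPLS, 8 Mbit/s ADSL) and the off‐peak and peak demand figures are constructed.

```python
"""Priority-based link allocation for a two-link site (added example).

Constructed to illustrate the 'SAP forced onto MPLS, HTTP on ADSL plus
spare MPLS capacity' configuration. Link capacities and demands are
made up; the allocation rule is a simple strict-priority fill, not
Forcepoint's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    capacity_mbps: float


@dataclass(frozen=True)
class TrafficClass:
    name: str
    priority: int          # 1 = highest; served first
    demand_mbps: float
    links: tuple           # links this class may use, most preferred first


def allocate(links, classes):
    """Fill links in strict priority order.

    Returns {class_name: {link_name: mbps, ..., "throttled": mbps}}.
    A class listing only one link is 'forced' onto it; a class listing
    several spills onto the next link only after the preceding one is full.
    Demand that fits nowhere is reported as throttled (queued or dropped).
    """
    free = {link.name: link.capacity_mbps for link in links}
    result = {}
    for tc in sorted(classes, key=lambda c: c.priority):
        remaining = tc.demand_mbps
        share = {}
        for name in tc.links:
            take = min(remaining, free[name])
            if take > 0:
                share[name] = take
                free[name] -= take
                remaining -= take
            if remaining <= 0:
                break
        share["throttled"] = remaining
        result[tc.name] = share
    return result


def link_usage(links, allocation):
    """Per-link utilisation as a fraction of capacity."""
    used = {link.name: 0.0 for link in links}
    for share in allocation.values():
        for name, mbps in share.items():
            if name != "throttled":
                used[name] += mbps
    return {link.name: used[link.name] / link.capacity_mbps for link in links}


# Constructed site: a small, expensive MPLS circuit and a larger ADSL line.
LINKS = (Link("MPLS", 2.0), Link("ADSL", 8.0))


def scenario(sap_mbps, http_mbps):
    """Apply the sample configuration from the text to a given demand mix."""
    classes = (
        TrafficClass("SAP", priority=1, demand_mbps=sap_mbps, links=("MPLS",)),
        TrafficClass("HTTP", priority=4, demand_mbps=http_mbps, links=("ADSL", "MPLS")),
    )
    return allocate(LINKS, classes)


if __name__ == "__main__":
    for label, sap, http in (("off-peak", 0.5, 6.0), ("peak", 1.5, 10.0)):
        alloc = scenario(sap, http)
        print(label, alloc, link_usage(LINKS, alloc))
```

At peak the MPLS link ends up fully used (1.5 Mbit/s of SAP plus 0.5 Mbit/s of spill‐over HTTP), the ADSL link is saturated, and the remaining 1.5 Mbit/s of HTTP demand is reported as throttled; SAP is never throttled because it is served first.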

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections into one big, reliable connection? The probability of them all failing at the same time is negligible, provided they don't share a physical path (the same cable duct or the same upstream carrier). Their traffic fluctuations occur randomly at different times, so most of the time you'd enjoy more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size

In other words, you take several low‐cost connections and make them look like one trustworthy, fast connection. That's exactly what Stonesoft Next Generation Firewall does.

Multi‐Link technology combines several hybrid network connections and makes the individual connections invisible to the user (see Figure 4-1). The user sees only a fast and always‐available connection, whatever the underlying links. Organizations gain the flexibility to deploy the type and number of connections best suited to their environments and their budgets.



Joining together for security

An industrial organization had its production sites in the United States and one of its sales offices in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites, and a single MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several options, including satellite backup connections and an additional MPLS connection from another ISP using the Border Gateway Protocol (BGP). All of the alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost‐effectively with Forcepoint's Multi‐Link and Firewall/VPN solutions and two MPLS connections from two different ISPs. This configuration let it avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks.

About one year later a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked whether he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: the connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the one still functioning. Business continued without interruption.

Load Balancing with Multi‐Link

At times, simply sending traffic to whichever link responds fastest may seem like the preferred solution. For example, when one ISP's bandwidth far exceeds that of the smaller ISPs supplementing it, a smaller ISP may still return a faster SYN‐ACK (synchronize‐acknowledgement) response.

But although that link looks like the 'fastest' connection, picking it ignores the bandwidth proportionately available on each link. A ratio method, whereby traffic is distributed among all the available links according to their relative capacity, takes that into account.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out whether one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2 Multi‐link technology secures hybrid business networks



Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology resolves the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidth of every other link is automatically compared to the bandwidth of the largest link to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacities.
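The two bullets above are exactly what you get when each new connection is assigned to a link by a uniform hash of its 5‐tuple, weighted by link bandwidth: a handful of flows lands unevenly, while thousands converge on the bandwidth ratio. The following Python is an added example for this book's description, not Forcepoint's algorithm. It also pins every flow to one link for its lifetime, because each ISP link normally has its own public address and a connection that migrated mid‐stream would break; that affinity requirement is general networking knowledge, not something the text states. Link sizes and the sample flows are constructed (203.0.113.7 is a documentation address).

```python
"""Ratio-based link selection with per-flow affinity (added example).

Each link's weight is its bandwidth relative to the biggest link, as the
text describes. A flow is pinned to a link by hashing its 5-tuple, so a
connection never migrates mid-stream. Link sizes and flows are
constructed; this is not Forcepoint's algorithm.
"""
import hashlib
from fractions import Fraction


def ratio_weights(links):
    """links: {name: bandwidth_mbps} -> {name: Fraction relative to largest}."""
    top = max(links.values())
    return {name: Fraction(bw, top) for name, bw in links.items()}


def expected_shares(links):
    """Fraction of flows each link should carry under the ratio method."""
    total = sum(links.values())
    return {name: Fraction(bw, total) for name, bw in links.items()}


def pick_link(links, flow):
    """Deterministically map a flow (src, dst, sport, dport, proto) to a link.

    The hash is uniform, so over many flows the per-link counts approach the
    bandwidth ratio; with only a handful of flows the split is approximate.
    """
    key = "|".join(str(part) for part in flow).encode()
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % sum(links.values())
    for name, bw in sorted(links.items()):      # fixed order: stable mapping
        if bucket < bw:
            return name
        bucket -= bw
    raise AssertionError("unreachable: bucket is always below the weight sum")


def distribute(links, flows):
    """Count how many of the given flows each link receives."""
    counts = {name: 0 for name in links}
    for flow in flows:
        counts[pick_link(links, flow)] += 1
    return counts


def max_deviation(links, counts):
    """Largest gap between observed and expected share across links."""
    n = sum(counts.values())
    expected = expected_shares(links)
    return max(abs(counts[name] / n - float(expected[name])) for name in links)


def sample_flows(n):
    """Constructed client flows from 10.0.0.0/8 hosts to one web server."""
    return [("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255),
             "203.0.113.7", 40000 + i, 443, "tcp") for i in range(n)]


LINKS = {"MPLS": 100, "ADSL": 20, "LTE": 10}   # Mbit/s, constructed

if __name__ == "__main__":
    print("weights:", ratio_weights(LINKS))
    for n in (10, 100, 20000):
        counts = distribute(LINKS, sample_flows(n))
        print(n, "flows:", counts, "max deviation %.3f" % max_deviation(LINKS, counts))
```

Running it shows the deviation from the 100:20:10 ratio shrinking as the flow count grows. Note that an attacker who can predict the hash could steer all of their flows onto the smallest link; in practice the hash key is kept secret or a keyed hash is used.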

Getting logical, though fuzzily

Ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration, for more granular and efficient use of the available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, ignore that). Handling the different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load‐balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic: instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi‐Link technology, which allows it always to choose the fastest Internet service provider line.
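To make the fuzzy‐logic description above concrete, here is an added example (written for this book's text; the membership functions, rules and drain threshold are assumptions for illustration, not Forcepoint's rule set). It takes two crisp measurements per link, utilisation and packet loss, fuzzifies them into degrees of truth for 'load high' and 'loss high', fires three rules, and de‐fuzzifies to a health score between 0 and 1. The point it shows that the prose does not is how a link's weight falls off smoothly as it degrades, so traffic is moved away before the link fails outright rather than only after a hard timeout.

```python
"""Fuzzy link-health scoring (added example).

Two crisp inputs per link, utilisation (% of capacity) and packet loss (%),
are mapped to fuzzy sets, combined by three rules, and de-fuzzified into a
health score in [0, 1]. Traffic is shifted away from a link as its score
drops, and the link is drained entirely below a threshold, before it has
failed outright. The membership functions, rules and threshold are
assumptions for illustration, not Forcepoint's rule set.
"""


def ramp(x, lo, hi):
    """Degree of membership rising linearly from 0 at lo to 1 at hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def fuzzify(load_pct, loss_pct):
    """Crisp measurements -> degrees of truth for each input set."""
    load_high = ramp(load_pct, 60, 90)   # assumed: congestion bites above 60 %
    loss_high = ramp(loss_pct, 1, 5)     # assumed: 1 % loss suspicious, 5 % failing
    return {
        "load_low": 1.0 - load_high, "load_high": load_high,
        "loss_low": 1.0 - loss_high, "loss_high": loss_high,
    }


# Rule consequents as singletons on the health axis (Sugeno-style output).
RULES = (
    (("load_low", "loss_low"), 1.0),    # idle and clean -> healthy
    (("load_high", "loss_low"), 0.5),   # busy but clean -> degraded
    (("loss_high",), 0.0),              # losing packets -> close to failing
)


def link_health(load_pct, loss_pct):
    """De-fuzzify: weighted average of rule outputs by firing strength."""
    truth = fuzzify(load_pct, loss_pct)
    weighted = 0.0
    total = 0.0
    for antecedents, consequent in RULES:
        strength = min(truth[a] for a in antecedents)   # fuzzy AND
        weighted += strength * consequent
        total += strength
    return weighted / total if total else 0.0


DRAIN_BELOW = 0.3   # assumed: below this, move all traffic off the link


def link_weights(samples):
    """samples: {link: (load_pct, loss_pct)} -> {link: weight for new flows}."""
    weights = {}
    for name, (load, loss) in samples.items():
        health = link_health(load, loss)
        weights[name] = health if health >= DRAIN_BELOW else 0.0
    return weights


if __name__ == "__main__":
    # Constructed time series of an ISP link degrading before it fails.
    for t, (load, loss) in enumerate([(20, 0), (75, 0), (75, 3), (80, 6), (40, 20)]):
        h = link_health(load, loss)
        print("t=%d load=%2d%% loss=%2d%% health=%.2f %s"
              % (t, load, loss, h, "DRAIN" if h < DRAIN_BELOW else "ok"))
    print(link_weights({"ISP-A": (30, 0), "ISP-B": (80, 6)}))
```

In the constructed series the link's health goes 1.0, 0.75, 0.5, 0.0, 0.0: it is drained at the fourth sample, when loss passes 5 per cent, while the interface itself is still up. The weights returned by link_weights can feed straight into a ratio‐style distribution, scaling each link's bandwidth share by its health.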

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low‐latency connections, ideally an MPLS connection with a strict SLA.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the entire network infrastructure (800 sites).

In many developing countries land lines are either non‐existent or of very poor quality and unreliable. However, there is a relatively good chance that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can start with 3G wireless connections and add high‐speed land‐line connections later when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. When MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.



Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around that knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.




What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or another segment, you have to define exactly what the network brings you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised by how networks change and grow, and be taken unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of the links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both, or in the best case do nothing at all. How great would that be?

We discuss SLAs in Chapter 2



What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Take that knowledge one step further and analyze whether your processes favor those applications or do them a disservice. Doing so puts you in a position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and it is becoming increasingly clear that security precautions aren't always implemented. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of an outage, can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using that data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.




As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you strike the right balance between full security features and optimum throughput on your network, and that any inspection exception is a documented, reviewed decision rather than an ad‐hoc one. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for the different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.




WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

Table of Contents

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next‐Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load‐balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non‐critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
  • Meeting Multi‐Link Technology
    • Prioritizing links
    • Seeing multi‐link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi‐Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real‐world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real‐Time?
• EULA


Chapter 2

Running Efficient Hybrid Networks

In This Chapter

Producing a smooth‐running complex network

Understanding your hybrid network's use and security

Digital communications have transformed the way industries in general handle operations. In a networked ecosystem, retail, healthcare, education, manufacturing, government and finance professionals all depend on the transmission of electronic data to fulfil their specific daily requirements.

Although for some companies the management of a mobile workforce takes precedence over the establishment of flexible managed services or the deployment of marketing programs, a well‐regulated communications infrastructure is a common core requirement. In‐depth knowledge of the network is fundamental for any industry.

In this chapter we talk you through minimizing the loss of productivity caused by network problems and enhancing the security of your hybrid network.

Balancing Cost, Performance and Security

Network downtime (or latency) can cause a whole host of different and undesirable outcomes, ranging from reduced productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in the networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error leaves network devices ill‐configured, leading to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because traffic inspection consumes capacity, network administrators sometimes deactivate security functions on their firewalls in favor of increased speed.

In this scenario the trade‐off between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:



Containing and cutting costs: IT professionals are constantly tasked with respecting budgets and finding ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: to accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology Increasing reliance on web‐based technologies remote workforce enablement and cloud applications are ampli-fying the dependence on network connectivity This approach is in turn forcing companies to move quickly to keep pace with these trends

Voice and video communications Must‐have technolo-gies that are heavy consumers of bandwidth are increas-ingly prevalent They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network

Protection against the dynamic threat landscape As networks grow and technologies evolve so do the risks stalking cyberspace Although security is a legitimate source of concern for the protection of assets itrsquos also intimately linked with continued service

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not recur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, it still allows more than three days of interruption in a single year, which can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network and of how you can make full use of the available tools ultimately helps you to reduce complexity and improve performance, even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.

Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest – unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active set-up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive, and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements, such as those needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running – efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive and left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
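As an added illustration (not Forcepoint's or Stonesoft's code), the following Python models this two-line configuration as a per-flow link placement policy: priority 1 is forced onto MPLS and reclaims it from lower-priority flows when congested, while priority 4 prefers ADSL and borrows only free MPLS capacity. Link names, capacities, flow records and the policy table are constructed for the example.

```python
"""Priority-based link placement, modelled on the sample configuration in the
text: priority 1 (SAP) is forced onto the MPLS link and always wins it;
priority 4 (HTTP) normally uses ADSL and may borrow free MPLS capacity.

Added illustration, not Forcepoint or Stonesoft code. Link names, capacities,
flow records and the policy table are constructed; a real firewall enforces
this per packet with QoS queues, whereas this model places whole flows.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Flow:
    name: str
    priority: int        # 1 = highest; larger numbers are less important
    demand_mbps: float   # bandwidth the flow needs to run unthrottled


@dataclass
class Link:
    name: str
    capacity_mbps: float
    flows: list[Flow] = field(default_factory=list)

    @property
    def free_mbps(self) -> float:
        return self.capacity_mbps - sum(f.demand_mbps for f in self.flows)


# Constructed policy: for each priority class, the links it may use, in order
# of preference. A single-entry list means the class is forced onto that link.
POLICY: dict[int, list[str]] = {
    1: ["MPLS"],          # SAP traffic  = Priority 1 = forced on the MPLS link
    4: ["ADSL", "MPLS"],  # HTTP traffic = Priority 4 = ADSL + free MPLS capacity
}


class LinkScheduler:
    def __init__(self, links: list[Link]) -> None:
        self.links = {link.name: link for link in links}
        self.waiting: list[Flow] = []   # throttled flows, waiting for capacity

    def place(self, flow: Flow) -> str | None:
        """Assign one flow to a link; returns the link name, or None if throttled."""
        allowed = POLICY[flow.priority]

        # 1. Take the first allowed link that still has room for the flow.
        for name in allowed:
            if self.links[name].free_mbps >= flow.demand_mbps:
                self.links[name].flows.append(flow)
                return name

        # 2. No room anywhere: pre-empt less important flows on the preferred
        #    link, least important first, until the new flow fits.
        link = self.links[allowed[0]]
        candidates = sorted((f for f in link.flows if f.priority > flow.priority),
                            key=lambda f: -f.priority)
        freed = link.free_mbps
        evicted: list[Flow] = []
        for victim in candidates:
            if freed >= flow.demand_mbps:
                break
            evicted.append(victim)
            freed += victim.demand_mbps

        if freed < flow.demand_mbps:
            self.waiting.append(flow)   # even pre-emption cannot make room
            return None

        for victim in evicted:
            link.flows.remove(victim)
        link.flows.append(flow)
        # Evicted flows are re-placed under their own policy: they land on ADSL
        # if it has room, otherwise they are throttled (modelled as waiting).
        for victim in evicted:
            self.place(victim)
        return link.name

    def snapshot(self) -> dict[str, list[str]]:
        """Current assignment: link name -> flow names, plus throttled flows."""
        state = {name: [f.name for f in link.flows] for name, link in self.links.items()}
        state["throttled"] = [f.name for f in self.waiting]
        return state


def demo() -> dict[str, list[str]]:
    """Constructed peak hour: HTTP fills both links, then an SAP flow arrives."""
    sched = LinkScheduler([Link("MPLS", 10.0), Link("ADSL", 8.0)])
    for flow in (Flow("http1", 4, 5.0), Flow("http2", 4, 5.0), Flow("http3", 4, 4.0)):
        sched.place(flow)   # http1 -> ADSL; http2 and http3 borrow free MPLS capacity
    sched.place(Flow("sap1", 1, 6.0))   # SAP reclaims MPLS; http2 is pushed off and throttled
    return sched.snapshot()


if __name__ == "__main__":
    for link, flows in demo().items():
        print(f"{link:>9}: {', '.join(flows) or '-'}")
```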

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize-acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
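Added example (not the product's own code) showing why the split is only approximate at low volume and converges at high volume: link weights are derived from each link's bandwidth relative to the largest link, and new connections are dealt out with smooth weighted round-robin, a standard technique standing in for the selector the text does not describe. The link table is constructed; the block also goes one step beyond the text by skipping standby links while any active link is up.

```python
"""Capacity-ratio load balancing across ISP links, as described in the text:
each link's bandwidth is compared with the largest link to produce a
distribution ratio, and the observed split matches that ratio only once
enough connections have been placed.

Added illustration, not Forcepoint or Stonesoft code. The link table is
constructed, and smooth weighted round-robin is used as a stand-in for the
product's own selection algorithm, which the text does not describe.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass
class IspLink:
    name: str
    bandwidth_mbps: int
    standby: bool = False    # emergency-only link (e.g. satellite): used when no active link is up
    up: bool = True
    current_weight: int = 0  # running balance for the round-robin


class RatioBalancer:
    def __init__(self, links: list[IspLink]) -> None:
        self.links = links

    def expected_shares(self) -> dict[str, float]:
        """Target share per active link: bandwidth relative to the largest link,
        normalised so that the shares sum to 1."""
        active = [l for l in self.links if not l.standby]
        largest = max(l.bandwidth_mbps for l in active)
        weights = {l.name: l.bandwidth_mbps / largest for l in active}  # 1.0, 0.2, 0.1 ...
        total = sum(weights.values())
        return {name: w / total for name, w in weights.items()}

    def _eligible(self) -> list[IspLink]:
        """Active links that are up; standby links only when no active link is up."""
        active_up = [l for l in self.links if l.up and not l.standby]
        if active_up:
            return active_up
        standby_up = [l for l in self.links if l.up and l.standby]
        if standby_up:
            return standby_up
        raise RuntimeError("no usable link")

    def pick(self) -> IspLink:
        """Choose the link for the next new connection (smooth weighted round-robin).

        Each eligible link gains its bandwidth as credit; the link with the most
        credit takes the connection and pays back the total. Over any run of
        sum(bandwidths) picks every link is chosen in exact proportion, while a
        short run (few connections) only approximates the ratio."""
        eligible = self._eligible()
        total = sum(l.bandwidth_mbps for l in eligible)
        for link in eligible:
            link.current_weight += link.bandwidth_mbps
        chosen = max(eligible, key=lambda l: l.current_weight)
        chosen.current_weight -= total
        return chosen

    def set_link_state(self, name: str, up: bool) -> None:
        """Mark a link up or down; a link that changes state restarts with a clean balance."""
        for link in self.links:
            if link.name == name:
                link.up = up
                link.current_weight = 0

    def distribute(self, n_connections: int) -> dict[str, int]:
        """Place n new connections and report how many went to each link."""
        counts = Counter(self.pick().name for _ in range(n_connections))
        return {link.name: counts.get(link.name, 0) for link in self.links}


def make_balancer() -> RatioBalancer:
    """Constructed link table: one big ISP and two small ones (100:20:10 Mbps)."""
    return RatioBalancer([IspLink("ISP-A", 100), IspLink("ISP-B", 20), IspLink("ISP-C", 10)])


if __name__ == "__main__":
    shares = {k: round(v, 3) for k, v in make_balancer().expected_shares().items()}
    print("target shares:          ", shares)
    print("after 3 connections:    ", make_balancer().distribute(3))      # approximate
    print("after 1300 connections: ", make_balancer().distribute(1300))   # exactly 100:20:10
```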

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor‐quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.
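The pipeline just listed (input variables, fuzzy sets, rules, an output variable and de‐fuzzying), as an added example that is not the firewall's own implementation: two constructed link‐health measurements, packet loss and latency, are turned into a 'degree of truth' that the link is failing, so traffic can be moved away before a hard 0/1 threshold would trip. The membership ranges and the rule table are assumptions chosen for illustration.

```python
def ramp_down(x, lo, hi):
    """Membership that is fully true (1.0) at or below lo and fully false at or above hi."""
    if x <= lo:
        return 1.0
    if x >= hi:
        return 0.0
    return (hi - x) / (hi - lo)


def ramp_up(x, lo, hi):
    """Mirror image: fully false at or below lo, fully true at or above hi."""
    return 1.0 - ramp_down(x, lo, hi)


def fuzzify(loss_pct, latency_ms):
    """Map the two crisp input variables onto their fuzzy sets.

    Assumed ranges: packet loss below 1% is clearly fine and above 5% clearly
    bad; latency below 50 ms is fine and above 200 ms bad. Values in between
    belong partly to both sets, which is what 'degrees of truth' means here.
    """
    return {
        "loss_low": ramp_down(loss_pct, 1.0, 5.0),
        "loss_high": ramp_up(loss_pct, 1.0, 5.0),
        "latency_ok": ramp_down(latency_ms, 50.0, 200.0),
        "latency_high": ramp_up(latency_ms, 50.0, 200.0),
    }


# Output variable "failure risk" has three fuzzy sets, each represented by the
# crisp risk value it stands for (zero-order Sugeno style).
OUTPUT_SETS = {"healthy": 0.1, "degrading": 0.5, "failing": 0.9}

# Rule table (assumed): (antecedent 1 AND antecedent 2) -> output set.
RULES = [
    (("loss_low", "latency_ok"), "healthy"),
    (("loss_low", "latency_high"), "degrading"),
    (("loss_high", "latency_ok"), "degrading"),
    (("loss_high", "latency_high"), "failing"),
]


def evaluate_rules(memberships):
    """Fire every rule (AND is min); each output set keeps its strongest firing (max)."""
    strength = {name: 0.0 for name in OUTPUT_SETS}
    for (a, b), out in RULES:
        fired = min(memberships[a], memberships[b])
        strength[out] = max(strength[out], fired)
    return strength


def defuzzify(strength):
    """Weighted average of the output set values: the 'de-fuzzying' step."""
    total = sum(strength.values())
    if total == 0.0:
        return 0.0
    return sum(strength[name] * OUTPUT_SETS[name] for name in strength) / total


def failure_risk(loss_pct, latency_ms):
    """Degree of truth, 0..1, that the link is failing."""
    return defuzzify(evaluate_rules(fuzzify(loss_pct, latency_ms)))


def links_to_keep(measurements, risk_threshold=0.6):
    """Names of links whose failure risk is below the threshold.

    measurements: {link_name: (loss_pct, latency_ms)}. Traffic is moved away
    from every link that is missing from the result.
    """
    return [name for name, (loss, lat) in measurements.items()
            if failure_risk(loss, lat) < risk_threshold]


if __name__ == "__main__":
    # Constructed sample measurements for three links
    sample = {"fibre": (0.5, 30.0), "dsl": (3.0, 125.0), "3g": (8.0, 400.0)}
    for name, (loss, lat) in sample.items():
        print(f"{name}: loss {loss}% latency {lat} ms -> risk {failure_risk(loss, lat):.2f}")
    print("keep traffic on:", links_to_keep(sample))
```

The DSL link sits exactly half way between 'fine' and 'bad' on both inputs and gets a risk of 0.5, so it keeps carrying traffic, whereas a two‐valued check would have to call it either fully up or fully down.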

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities to event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which the MPLS can provide. Fortunately the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both, or in a best‐case scenario even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology will use to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm – until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic – in other words, taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real‐Time?
  • EULA

productivity to lost data and transactions. Running your network efficiently means having adequate human and technical resources.

You need to balance the following factors in a networking equation:

Better administration can mean more people or multiple solutions. But in this scenario you face a drain on resources and possible added complexity. When human error causes ill‐configured network devices to lead to service disruption or vulnerabilities, you can see that excessive complexity is a pain point that needs to change.

Better performance can mean reducing the number or type of heavyweight operations running over a network. But because data analysis consumes bandwidth, network administrators sometimes deactivate security functions across their firewalls in favor of increased speed.

In this scenario the tradeoff between security and performance can lead to disaster, especially as cyber‐threats seem to escalate with time.

The justifiable question dangling over this analysis is how to balance performance, security and cost when running a dynamic modern network. By a remarkable stroke of luck, we discuss precisely that in this section.

Identifying key business principles

In today's 24/7/365 reality, ongoing connectivity has changed people's lives and become a business imperative. Consequently, much is at stake when IT systems experience downtime. Customers now associate the reliability of a business with its ability to remain connected, and no organization wants to be associated with wavering and inconstant service.

But incorporating agility into a network isn't an easy remit, especially when you consider the diverse challenges confronting most businesses:


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: to accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: increasing reliance on web‐based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This approach is in turn forcing companies to move quickly to keep pace with these trends.

Voice and video communications: must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: as networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of outage, a new facet was incorporated into overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they're social networks or e‐learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but efficient, secure and cost‐effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest – unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should always be available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.

Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (LTE is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Experience shows that Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems, which ultimately increase the complexity and cost of an infrastructure.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.

ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.

PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.

Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi-link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In a normal situation (enough networking capacity and no congestion), all traffic is evenly load balanced between the different network links. When network congestion occurs (during peak traffic hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.

The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would not remove the single point of failure that the MPLS connection represented.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage it wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.

Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, a smaller ISP may return a faster SYN-ACK (that is, synchronize-acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-link technology secures hybrid business networks.

Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
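The following is an added example, not Forcepoint or Stonesoft code: a toy Python model of the ratio method described here, combined with the 'SAP traffic = Priority 1 = Forced on the MPLS link' rule from the earlier sample configuration. The link capacities are constructed, smooth weighted round-robin is assumed as the stand-in selection algorithm (the book does not describe the product's own), and free capacity on the MPLS link is not tracked.

```python
"""Added example, not Forcepoint or Stonesoft code: a toy model of ratio-based
load balancing (each link weighted by its capacity relative to the largest
link) combined with the earlier sample configuration's rule that Priority 1
traffic is forced onto the MPLS link.  Smooth weighted round-robin is an
assumption standing in for the product's undisclosed selection algorithm;
free capacity on the MPLS link is not tracked."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth_mbps: float
    current_weight: float = 0.0   # scheduler credit, starts at zero


def sample_links():
    """Constructed link capacities (not figures from the book)."""
    return [Link("ADSL", 16), Link("LTE", 8), Link("MPLS", 2)]


def capacity_ratios(links):
    """Compare every link with the link that has the most bandwidth."""
    biggest = max(link.bandwidth_mbps for link in links)
    return {link.name: link.bandwidth_mbps / biggest for link in links}


class RatioBalancer:
    def __init__(self, links, forced_links=None):
        self.links = links
        self.ratios = capacity_ratios(links)
        self.total = sum(self.ratios.values())
        # QoS priority -> link name, e.g. {1: "MPLS"} for
        # "SAP traffic = Priority 1 = Forced on the MPLS link".
        self.forced_links = forced_links or {}

    def pick(self, priority):
        """Choose the link for one new connection of the given QoS priority."""
        if priority in self.forced_links:
            return self.forced_links[priority]
        # Smooth weighted round-robin: credit every link by its ratio, send
        # the connection to the link with the most credit, then charge that
        # link the total so the credits always sum to zero.
        for link in self.links:
            link.current_weight += self.ratios[link.name]
        chosen = max(self.links, key=lambda link: link.current_weight)
        chosen.current_weight -= self.total
        return chosen.name


def distribute(balancer, priorities):
    """Push a sequence of connection priorities through the balancer."""
    counts = Counter()
    for priority in priorities:
        counts[balancer.pick(priority)] += 1
    return counts


def observed_ratios(counts):
    """Normalise the observed counts the same way capacity_ratios does."""
    biggest = max(counts.values())
    return {name: count / biggest for name, count in counts.items()}


if __name__ == "__main__":
    print("capacity ratios:", capacity_ratios(sample_links()))
    # Low volume: four connections land 3/1/0, only roughly the 1/0.5/0.125 target.
    few = distribute(RatioBalancer(sample_links()), [4] * 4)
    print("4 connections:   ", dict(few), observed_ratios(few))
    # High volume: the observed split converges on the capacity ratio, while
    # every Priority 1 connection is forced onto MPLS regardless of the ratio.
    many = distribute(RatioBalancer(sample_links(), {1: "MPLS"}),
                      [4] * 1000 + [1] * 50)
    print("1050 connections:", dict(many), observed_ratios(many))
```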

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.
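As an added example, not Forcepoint or Stonesoft code, the following Python block walks through the fuzzy-logic pipeline just listed (input variables, fuzzy sets, rules, an output variable and de-fuzzifying) to answer the two questions above with a single link-health score. The two inputs, link utilisation and packet loss in per cent, the membership curves and the rules are constructed assumptions; the book does not give the product's own rules.

```python
"""Added example, not Forcepoint or Stonesoft code: a toy fuzzy-logic link
evaluator built from the parts the chapter lists (input variables, fuzzy
sets, rules, an output variable and de-fuzzifying).  The two inputs, link
utilisation and packet loss in per cent, and the membership curves are
constructed assumptions; the book does not give the product's rules."""


def ramp_up(x, a, b):
    """Membership rising linearly from 0 at a to 1 at b."""
    return min(1.0, max(0.0, (x - a) / (b - a)))


def ramp_down(x, a, b):
    """Membership falling linearly from 1 at a to 0 at b."""
    return 1.0 - ramp_up(x, a, b)


def tri(x, a, b, c):
    """Triangular membership: 0 at a, peak 1 at b, back to 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzify_load(utilisation):
    """'How high is the load?' as degrees of truth for three fuzzy sets."""
    return {"low": ramp_down(utilisation, 20, 50),
            "medium": tri(utilisation, 30, 55, 80),
            "high": ramp_up(utilisation, 60, 90)}


def fuzzify_failing(packet_loss):
    """'How close are things to failing?' using packet loss as the signal."""
    return {"healthy": ramp_down(packet_loss, 0.5, 3),
            "degrading": tri(packet_loss, 1, 4, 8),
            "failing": ramp_up(packet_loss, 5, 10)}


# Output variable: crisp anchor values for the three output fuzzy sets.
HEALTH = {"good": 1.0, "fair": 0.5, "poor": 0.0}


def fire_rules(load, failing):
    """Each rule yields (firing strength, output set); AND = min, OR = max."""
    return [
        (min(load["low"], failing["healthy"]), "good"),
        (max(load["medium"], failing["degrading"]), "fair"),
        (max(load["high"], failing["failing"]), "poor"),
    ]


def link_health(utilisation, packet_loss):
    """De-fuzzify to one score in [0, 1]: 1 = healthy and idle, 0 = going bad."""
    rules = fire_rules(fuzzify_load(utilisation), fuzzify_failing(packet_loss))
    weight = sum(strength for strength, _ in rules)
    if weight == 0:            # cannot happen with these sets, kept as a guard
        return 0.5
    return sum(strength * HEALTH[label] for strength, label in rules) / weight


def rank_links(samples):
    """samples: {link name: (utilisation %, packet loss %)} -> best link first."""
    return sorted(samples, key=lambda name: link_health(*samples[name]),
                  reverse=True)


if __name__ == "__main__":
    # Constructed measurements for three links.
    samples = {"ADSL": (10, 0.0), "LTE": (55, 0.0), "MPLS": (95, 9.0)}
    for name in rank_links(samples):
        print(f"{name}: health {link_health(*samples[name]):.2f}")
```

Because the score is continuous, a link that is merely getting busy (for example 70 per cent utilisation with 2 per cent loss) lands between 'fair' and 'poor' rather than flipping from 1 to 0, which is what lets traffic be shifted away before the link actually fails.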

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. Networks can change and grow in ways that surprise you and catch you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of the links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


Chapter 2 Running Efficient Hybrid Networks


Containing and cutting costs: IT professionals are constantly tasked with the need to respect budgets and find ways to reduce costs. Expanding a network implies investing in more technology, more people and more time.

Network complexity: To accommodate a shifting IT landscape, as Chapter 1 describes, most systems back up services with supplementary equipment and layers of connectivity, resulting in intricate infrastructures that lack agility and are difficult to manage.

Adoption of the cloud and mobile technology: Increasing reliance on web‐based technologies, remote workforce enablement and cloud applications is amplifying the dependence on network connectivity. This trend is in turn forcing companies to move quickly to keep pace.

Voice and video communications: Must‐have technologies that are heavy consumers of bandwidth are increasingly prevalent. They create new requirements for the management of service quality and change the proportion of resources a company dedicates to running a network.

Protection against the dynamic threat landscape: As networks grow and technologies evolve, so do the risks stalking cyberspace. Although security is a legitimate source of concern for the protection of assets, it's also intimately linked with continued service.

Addressing outage with SLAs

Historically, networked organizations have reacted to changing network requirements by basing improvements on an existing infrastructure and working reactively to manage service issues. In the past, in the case of an outage, a new facet was incorporated into the overall administration of the network to ensure that the problem was solved and would not reoccur. This process was manageable only as long as networks remained relatively simple and handled basic, constant traffic.

In the case of hybrid networks, however, the game has changed. Networks are becoming more complex, and the need for perpetual availability and rapid exchanges is taking precedence over most other business processes.


Therefore, you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfill and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, more than three days of interruption in a single year can be disastrous for some activities.

Considering Your Network Configurations

Modern hybrid network configurations are multi‐task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints, and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non‐critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud‐based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non‐business applications consume precious bandwidth, whether they're social networks or e‐learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost‐effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission‐critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost‐effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding unlimited operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access: business needs to go on as usual. This requirement is also true for failure points. IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligence process for the more critical business applications or bandwidth‐hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine‐grained policy control. These capabilities allow full‐stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPN for intranet and site‐to‐site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next‐generation firewalls are able to cater for many instances of tunneling and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost‐effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business‐critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher‐priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next‐generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active‐standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active‐active set‐up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost‐saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should always be available and fast. Ideally, you can have unfailing uptime delivered by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost‐effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best‐effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high‐speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high‐speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high‐quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower‐priority traffic to cheap links and reserve high‐quality lines for high‐priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status on all high‐quality links. In case of congestion or failure, they automatically start using the backup high‐quality links for high‐priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high‐priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it's already heavily employed in online shopping and banking. SSL‐protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre‐configured client‐side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements (such as those needed between two ISPs when using BGP for high availability of your Internet connection). The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.


Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during peak traffic hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren't reserved for high‐priority traffic.

Often, companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or low‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was as high as the subscription fees it had already paid. In the case of a connection outage, this wouldn't cover the production losses, and so the company wanted to have a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization: SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business and you donrsquot need to purchase more bandwidth

This retail company now benefits from guaranteed bandwidth for mission‐criticaltime sensitive applications and a better user experience

Aggregating linksWouldnrsquot it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reli-able connection The probability for them all to fail at any given time is negligible Their traffic fluctuations occur ran-domly at different times and so most of the time yoursquod benefit from more than acceptable connection speeds Moreover the total cost would be low

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection Thatrsquos exactly what Stonesoft Next Generation Firewall is capable of enacting

Multi‐link technology combines several hybrid network con-nections together and makes them invisible to the user of that connection (see Figure 4-1) The user sees only a fast and always available connection whatever the connections Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environ-ments and their budgets

Figure 4-1: Combining different links for efficient hybrid networks.

Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. Consider the alternative of picking whichever link answers fastest: if one ISP's bandwidth far exceeds that of the smaller ISPs that supplement it, a smaller ISP may still return a faster SYN-ACK (synchronize-acknowledge, the second step of the TCP handshake) response.

But although that option may seem like the 'fastest' connection, it doesn't take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out whether one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.

Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: the ratio of actual traffic distribution is approximate.
• Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
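The following Python example, added here and not the firewall's own implementation, shows a ratio method of the kind described above: each link's weight is its bandwidth relative to the largest link, and each connection is pinned to one link by hashing its 5-tuple into the weight space. The link names and capacities and the generated connections are constructed sample data. Running observed_share with a handful of connections versus many thousands reproduces the two bullet points: the split is only approximate at low volume and converges to the capacity ratio at high volume.

```python
# Added example for this page (not the firewall's implementation): ratio-based
# link selection with per-connection pinning by 5-tuple hash.
import hashlib
from collections import Counter

# Assumed link capacities in Mbit/s (constructed sample data)
LINKS = {"mpls": 100.0, "adsl": 20.0, "lte": 10.0}


def link_weights(links):
    """Compare every link to the largest one: the largest gets weight 1.0,
    a link with a fifth of its bandwidth gets 0.2, and so on."""
    largest = max(links.values())
    return {name: capacity / largest for name, capacity in links.items()}


def select_link(links, five_tuple, resolution=1000):
    """Choose the link for one connection. The weights are scaled to integer
    bucket sizes and the SHA-256 of the 5-tuple is mapped onto the combined
    range, so a given connection always lands on the same link (no
    mid-connection flapping) while connections as a whole split by capacity."""
    weights = link_weights(links)
    buckets = [(name, int(round(w * resolution))) for name, w in sorted(weights.items())]
    total = sum(size for _, size in buckets)
    digest = hashlib.sha256("|".join(map(str, five_tuple)).encode()).digest()
    point = int.from_bytes(digest[:8], "big") % total
    for name, size in buckets:
        if point < size:
            return name
        point -= size
    return buckets[-1][0]   # not reachable: point is always below total


def expected_share(links):
    """Share of connections each link should carry under the ratio method."""
    total = sum(links.values())
    return {name: capacity / total for name, capacity in links.items()}


def observed_share(links, n_connections):
    """Run n synthetic TCP connections (constructed 5-tuples) through
    select_link and report the share each link actually received."""
    counts = Counter()
    for i in range(n_connections):
        src_ip = "10.0.%d.%d" % ((i // 256) % 256, i % 256)
        five_tuple = (src_ip, 40000 + i % 20000, "203.0.113.10", 443, "tcp")
        counts[select_link(links, five_tuple)] += 1
    return {name: counts[name] / n_connections for name in links}


if __name__ == "__main__":
    print("expected         ", expected_share(LINKS))
    print("10 connections   ", observed_share(LINKS, 10))      # rough split
    print("20000 connections", observed_share(LINKS, 20000))   # close to expected
```

Hashing the 5-tuple rather than picking a link per packet is what keeps a TCP session on one path; changing the link set changes the bucket boundaries, so in practice a firewall also keeps per-connection state so that existing sessions are not re-hashed when a link is added or removed.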

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load-balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.
• Traffic goes to a poor-quality link even though a better link is available.
• Traffic goes to a standby link even though an active link works.
• Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?
• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
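As an added illustration of the fuzzy-logic approach, and not Stonesoft's actual algorithm, the following Python scores link health from latency, packet loss and load through the steps named above (input variables, fuzzy sets, rules, de-fuzzification) and then picks a link. A standby link is used only when no active link is healthy enough, which is the answer to the 'traffic goes to a standby link even though an active link works' problem in the list. The membership breakpoints, the rules and the sample measurements are all assumptions made for this example.

```python
# Added example for this page (not the firewall's real algorithm): a small
# fuzzy-logic link-health scorer and link chooser.


def ramp_up(x, lo, hi):
    """Membership rising from 0 at lo to 1 at hi (used for 'high' sets)."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def ramp_down(x, lo, hi):
    """Membership falling from 1 at lo to 0 at hi (used for 'low' sets)."""
    return 1.0 - ramp_up(x, lo, hi)


def fuzzify(latency_ms, loss_pct, load_pct):
    """Input variables -> degrees of membership in each fuzzy set.
    The breakpoints are assumed values, not anything from the product."""
    return {
        "latency_low":  ramp_down(latency_ms, 30, 150),
        "latency_high": ramp_up(latency_ms, 30, 150),
        "loss_low":     ramp_down(loss_pct, 0.5, 5.0),
        "loss_high":    ramp_up(loss_pct, 0.5, 5.0),
        "load_low":     ramp_down(load_pct, 50, 95),
        "load_high":    ramp_up(load_pct, 50, 95),
    }


# Output variable 'health' as three singleton values; each rule votes for one
# of them with the strength of its antecedent (AND is min()).
GOOD, FAIR, POOR = 100.0, 50.0, 0.0


def link_health(latency_ms, loss_pct, load_pct):
    """Apply the rules and de-fuzzify by weighted average to a crisp 0..100."""
    m = fuzzify(latency_ms, loss_pct, load_pct)
    rules = [
        (min(m["latency_low"], m["loss_low"], m["load_low"]), GOOD),
        (m["load_high"], FAIR),        # loaded but working: still usable
        (m["latency_high"], FAIR),     # slow: usable, but prefer another link
        (m["loss_high"], POOR),        # dropping packets: close to failing
    ]
    total = sum(weight for weight, _ in rules)
    if total == 0.0:
        return FAIR                    # nothing fired; do not assume healthy
    return sum(weight * value for weight, value in rules) / total


def choose_link(measurements, standby=(), min_health=40.0):
    """measurements: {link: (latency_ms, loss_pct, load_pct)}. Returns
    (chosen link, {link: health}). Active links are preferred; a standby link
    (for example a metered satellite) is used only when every active link
    scores below min_health, so traffic never drifts to standby while an
    active link still works."""
    scores = {name: link_health(*vals) for name, vals in measurements.items()}
    active = {n: h for n, h in scores.items() if n not in standby}
    best = max(active, key=active.get) if active else None
    if best is not None and active[best] >= min_health:
        return best, scores
    fallback = {n: h for n, h in scores.items() if n in standby}
    if fallback:
        return max(fallback, key=fallback.get), scores
    return best, scores


if __name__ == "__main__":
    # Constructed measurements: ISP A healthy, ISP B lossy, satellite on standby.
    sample = {"ispA": (20, 0.1, 30), "ispB": (400, 10, 30), "sat": (600, 0.1, 5)}
    print(choose_link(sample, standby=("sat",)))   # ispA
    sample["ispA"] = (400, 10, 30)                 # both ISPs degrade
    print(choose_link(sample, standby=("sat",)))   # sat
```

The point of the graded score, as opposed to an up/down probe, is that a link at 90 ms and 0.1 per cent loss scores 75 rather than 'up': it stays usable but loses to a healthier link, and the switch happens before the link has failed outright.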

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.
• The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.
• The use of a VoIP service was desirable wherever possible to save costs.
• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.

Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities
• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network? The answer depends on who can reach that network: a physically isolated backup segment is a different risk from one that shares switches or fibre with other traffic, and backup images typically contain the most sensitive data the company holds.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


Wiley End User License Agreement: go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer-grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real Time?
• EULA

Therefore you have to build troubleshooting into the network and maintain levels of service in accordance with the type of activity they support. Telecom and IT service providers offer Service Level Agreements (SLAs) that define the obligations the contracting parties agree to fulfil and how the customer is compensated for drops in expected availability. For an ISP to provide customized service, the customer has to provide full details of the structure being supported.

SLAs range from very simple to highly complex service summaries. Although service availability is expressed as a percentage, you need to establish what downtime tolerance entails and how this downtime is defined. Although 99 per cent uptime sounds like an excellent guarantee, it still allows more than three days of interruption in a single year (1 per cent of 365 days is about 3.65 days), which can be disastrous for some activities. Check, too, whether the percentage is measured per month or per year and whether scheduled maintenance is excluded, because those definitions change how much downtime the figure really permits.

Considering Your Network Configurations

Modern hybrid network configurations are multi-task environments that require more than basic connections to run efficiently. After you configure the routers and Ethernet cards, set up servers and endpoints and acquire WAN connections, strategic considerations move center stage.

Knowing the type and volume of data transported is paramount, as is forecasting accurately what type of growth or change you can expect. Knowledge of the network, and of how you can make full use of the available tools, ultimately helps you to reduce complexity and improve performance even while your network is spreading and multiplying.

Discerning critical versus non-critical applications

Many companies can no longer operate without online systems such as enterprise resource planning (ERP), email or cloud-based services such as Salesforce.com. For example, retailers use online management tools for remote cash registers, and manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that don't have a business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

• Is a cost-effective way available to provide backup connections if the MPLS fails?
• The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?
• When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?
• Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding further operator lines to extend connectivity should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and end up with a single point of failure because of one unreliable solution.


Furthermore, performing an upgrade shouldn't result in sluggish access: business needs to go on as usual. This requirement is also true for failure points. IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligent process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: manage people, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past a firewall was able to manage only a limited number of VPN tunnels. Today next-generation firewalls are able to cater for many instances of tunneling, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.

Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

• Making informed decisions about connectivity
• Thinking about cost
• Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoSQuality of Service (QoS) settings are used to control traffic priority You can give business‐critical traffic priority over normal traffic with QoS which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1)

Quality of Service starts slowing down less important traffic and guarantees that higher priority traffic can go first For example a bank would have access to the stock exchange all the time but Internet surfing may become slower during peak traffic hours

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems, which ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.
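As an added practitioner's check on the point just made (MPLS separation is not encryption), here is example code that is not from the book or from Forcepoint: it classifies constructed NetFlow-style records from the MPLS-facing interface as IPsec, SSL VPN or cleartext, so a site can verify that everything crossing the ISP's routers really is inside a tunnel. It assumes IANA protocol numbers 50/51 for ESP/AH, UDP 500/4500 for IKE, and TCP/443 as the SSL VPN portal port.

```python
"""Audit flow records from an MPLS-facing interface for unencrypted traffic.

Added example for this page (not the book's or Forcepoint's code).
Input: constructed NetFlow-style CSV lines. A flow counts as protected only
if it is IPsec (ESP/AH or IKE) or goes to the SSL VPN port; anything else
crossing the MPLS link is cleartext as far as the ISP's routers are concerned."""
import csv
import io
from collections import defaultdict

# IANA protocol numbers and IKE ports are real values; the SSL VPN port is assumed.
PROTO_ESP, PROTO_AH, PROTO_UDP, PROTO_TCP = 50, 51, 17, 6
IKE_PORTS = {500, 4500}
SSL_VPN_PORT = 443   # assumed port of the SSL VPN portal


def classify(flow: dict) -> str:
    """Return 'ipsec', 'ssl-vpn' or 'cleartext' for one flow record."""
    proto = int(flow["proto"])
    sport, dport = int(flow["sport"]), int(flow["dport"])
    if proto in (PROTO_ESP, PROTO_AH):
        return "ipsec"
    if proto == PROTO_UDP and (sport in IKE_PORTS or dport in IKE_PORTS):
        return "ipsec"          # IKE negotiation or NAT-T encapsulated ESP
    if proto == PROTO_TCP and SSL_VPN_PORT in (sport, dport):
        return "ssl-vpn"        # port-based heuristic: confirm with TLS inspection
    return "cleartext"


def audit(csv_text: str) -> dict:
    """Aggregate bytes per class and list cleartext conversations by volume."""
    totals = defaultdict(int)
    cleartext = defaultdict(int)
    for flow in csv.DictReader(io.StringIO(csv_text)):
        cls = classify(flow)
        nbytes = int(flow["bytes"])
        totals[cls] += nbytes
        if cls == "cleartext":
            key = (flow["src"], flow["dst"], int(flow["proto"]), int(flow["dport"]))
            cleartext[key] += nbytes
    grand = sum(totals.values())
    return {
        "bytes": dict(totals),
        "cleartext_share": round(totals["cleartext"] / grand, 3) if grand else 0.0,
        "cleartext_top": sorted(cleartext.items(), key=lambda kv: -kv[1]),
    }


# Constructed sample export: site-to-site traffic seen on the MPLS link.
SAMPLE_FLOWS = """src,dst,proto,sport,dport,bytes
10.1.0.5,10.2.0.5,50,0,0,900000
10.1.0.5,10.2.0.5,17,500,500,4000
10.1.0.77,10.2.0.10,6,51234,3200,120000
10.1.0.78,10.2.0.10,6,51240,3200,80000
10.1.0.9,10.2.0.20,6,40000,443,50000
10.1.0.9,10.2.0.30,6,40001,445,30000
"""

if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    print(report["bytes"], "cleartext share:", report["cleartext_share"])
    for (src, dst, proto, dport), nbytes in report["cleartext_top"]:
        print(f"cleartext {src} -> {dst} proto {proto} dport {dport}: {nbytes} bytes")
```

On the constructed sample, the two ERP sessions on TCP/3200 and the SMB flow on TCP/445 show up as cleartext, which is exactly the traffic an MPLS router misconfiguration would expose.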


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar, as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the peering agreements between two ISPs that BGP would need to provide high availability for your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section, we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often, companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, this wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive and high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes the use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
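The sample configuration above (SAP forced on MPLS, HTTP on ADSL with overflow onto free MPLS capacity) as an added, runnable model; this is example code written for this page, not Forcepoint's or Stonesoft's implementation. It assumes constructed link capacities and flow demands in Mbps, treats a standby link (the satellite case from Chapter 3) as usable only when no active link is up, and shows what happens when SAP demand throttles HTTP and when a link fails.

```python
"""Priority-driven link selection with overflow onto spare capacity.

Added example for this page, not Forcepoint/Stonesoft code. It models the
sample configuration above: priority-1 SAP flows are forced on the MPLS link
(throttling lower priorities there if needed); priority-4 HTTP flows normally
use ADSL and may only use MPLS capacity that SAP does not need. Capacities
and demands are constructed figures in Mbps."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    name: str
    capacity: float
    up: bool = True
    standby: bool = False   # e.g. satellite: used only when no active link is up


@dataclass
class QosClass:
    name: str
    priority: int                        # 1 = highest
    forced_link: Optional[str] = None    # must use this link while it is up
    preferred: Tuple[str, ...] = ()      # links the class normally uses


@dataclass
class Flow:
    fid: int
    cls: str
    demand: float
    link: Optional[str] = None           # None = throttled, waiting for capacity


class MultiLinkQos:
    def __init__(self, links: List[Link], classes: List[QosClass]) -> None:
        self.links = {l.name: l for l in links}
        self.classes = {c.name: c for c in classes}
        self.flows: Dict[int, Flow] = {}

    def free(self, link: str) -> float:
        return self.links[link].capacity - sum(
            f.demand for f in self.flows.values() if f.link == link)

    def _candidates(self, cls: QosClass) -> List[str]:
        """Links to try, in order: forced link, preferred links, overflow, standby."""
        if cls.forced_link and self.links[cls.forced_link].up:
            return [cls.forced_link]
        active = [l.name for l in self.links.values() if l.up and not l.standby]
        if not active:  # emergency: only standby links are left
            return [l.name for l in self.links.values() if l.up and l.standby]
        preferred = [n for n in cls.preferred if n in active]
        return preferred + [n for n in active if n not in preferred]

    def _make_room(self, link: str, needed: float, priority: int) -> bool:
        """Throttle lower-priority flows on `link`, lowest first, until `needed` is free."""
        victims = sorted((f for f in self.flows.values()
                          if f.link == link and self.classes[f.cls].priority > priority),
                         key=lambda f: -self.classes[f.cls].priority)
        for v in victims:
            if self.free(link) >= needed:
                break
            v.link = None
        return self.free(link) >= needed

    def _place(self, flow: Flow) -> Optional[str]:
        cls = self.classes[flow.cls]
        cands = self._candidates(cls)
        flow.link = None
        for name in cands:                  # first pass: use spare capacity
            if self.free(name) >= flow.demand:
                flow.link = name
                return name
        for name in cands:                  # second pass: throttle lower priorities
            if self._make_room(name, flow.demand, cls.priority):
                flow.link = name
                return name
        return None

    def admit(self, fid: int, cls: str, demand: float) -> Optional[str]:
        self.flows[fid] = Flow(fid, cls, demand)
        return self._place(self.flows[fid])

    def _retry_waiting(self) -> None:
        waiting = [f for f in self.flows.values() if f.link is None]
        for f in sorted(waiting, key=lambda f: self.classes[f.cls].priority):
            self._place(f)

    def release(self, fid: int) -> None:
        del self.flows[fid]
        self._retry_waiting()

    def set_link_state(self, name: str, up: bool) -> None:
        """A failed link sheds its flows, which are re-placed highest priority first."""
        self.links[name].up = up
        if not up:
            for f in self.flows.values():
                if f.link == name:
                    f.link = None
        self._retry_waiting()

    def placement(self) -> Dict[int, Optional[str]]:
        return {fid: f.link for fid, f in self.flows.items()}
```

With links MPLS 2 Mbps, ADSL 8 Mbps and a 1 Mbps standby satellite, HTTP overflows onto the free MPLS megabit until a second SAP flow arrives and throttles it back off; when MPLS fails, SAP falls back to ADSL, and only when ADSL fails too does the satellite carry the highest-priority flow it has room for.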

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using the Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times, you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section, we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, to allow for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
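The ratio method and the fuzzy-logic link check described in the last two sections, as one added example (not Forcepoint's or Stonesoft's implementation): each link gets a weight relative to the largest link, a fuzzy health score built from latency and packet loss scales that weight so traffic drifts off a link that is going bad, and a deterministic weighted round robin shows why the realized ratio is only approximate at low connection volumes. All membership thresholds, link figures and the 'bad link' cut-off are constructed.

```python
"""Ratio-based link load balancing with a fuzzy link-health factor.

Added example for this page, not Forcepoint/Stonesoft code. Ratio method:
each link's weight is its bandwidth relative to the largest link. Fuzzy
part: latency and packet loss become 'degrees of truth' for 'link is
degrading', and the resulting health score scales the link's weight so
traffic drifts away from a link that is going bad. Thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, List


def ramp(x: float, lo: float, hi: float) -> float:
    """Fuzzy set membership rising linearly from 0 at `lo` to 1 at `hi`."""
    return 0.0 if x <= lo else 1.0 if x >= hi else (x - lo) / (hi - lo)


def link_health(latency_ms: float, loss_pct: float) -> float:
    """Fuzzy inference: 1.0 = healthy link, 0.0 = failing link.

    Input variables and fuzzy sets: latency 'high' ramps 80->400 ms,
    loss 'high' ramps 1->10 %. Rules: 'degrading' = latency high OR loss
    high (fuzzy OR = max); 'severe' = latency high AND loss high (AND = min).
    De-fuzzification: weighted combination of the rule firing strengths."""
    lat_high = ramp(latency_ms, 80.0, 400.0)
    loss_high = ramp(loss_pct, 1.0, 10.0)
    degrading = max(lat_high, loss_high)
    severe = min(lat_high, loss_high)
    return round(1.0 - (0.6 * degrading + 0.4 * severe), 3)


@dataclass
class Link:
    name: str
    bandwidth_mbps: float
    latency_ms: float = 20.0     # measured link quality (constructed values)
    loss_pct: float = 0.0
    current: float = 0.0         # smooth weighted round-robin state

    def health(self) -> float:
        return link_health(self.latency_ms, self.loss_pct)


class RatioBalancer:
    def __init__(self, links: List[Link], bad_threshold: float = 0.3) -> None:
        self.links = links
        self.bad_threshold = bad_threshold   # below this a link gets no new traffic

    def weights(self) -> Dict[str, float]:
        """Ratio method: bandwidth / largest bandwidth, scaled by fuzzy health."""
        biggest = max(l.bandwidth_mbps for l in self.links)
        out = {}
        for l in self.links:
            h = l.health()
            out[l.name] = 0.0 if h < self.bad_threshold else round(l.bandwidth_mbps / biggest * h, 3)
        return out

    def pick(self) -> str:
        """Smooth weighted round robin: deterministic, honours the ratio over time."""
        w = self.weights()
        total = sum(w.values())
        if total == 0:
            raise RuntimeError("no usable link")
        for l in self.links:
            l.current += w[l.name]
        best = max(self.links, key=lambda l: l.current)
        best.current -= total
        return best.name

    def distribute(self, n_connections: int) -> Dict[str, float]:
        """Share of `n_connections` new connections that each link receives."""
        counts = {l.name: 0 for l in self.links}
        for _ in range(n_connections):
            counts[self.pick()] += 1
        return {k: round(v / n_connections, 3) for k, v in counts.items()}


def make_links() -> List[Link]:
    """Constructed hybrid site: small MPLS, big ADSL, medium LTE."""
    return [Link("MPLS", 2.0), Link("ADSL", 8.0), Link("LTE", 4.0)]
```

With three connections the split is 0/2/1, with seven hundred it is 1:4:2 exactly as the capacities dictate; once ADSL reports 400 ms and 10 % loss its health drops to 0 and new connections go only to MPLS and LTE.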

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section, we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible, to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter, we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals (not surprisingly) that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily weigh current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you strike the right balance between full security features and optimum throughput on your network, and make that trade-off an explicit, documented decision rather than something done at the console when throughput is tight. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Do they really need encryption on that dedicated and extremely high-traffic network? Bear in mind that a backup image is a complete copy of the server, so the answer depends on who can reach that network: 'dedicated' has to mean genuinely isolated, not just a separate VLAN that shares switches with everything else.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and monitoring of hybrid networks.


Wiley End User License Agreement: go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What Are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What Are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How Much Time Do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real-Time?
  • EULA

Chapter 2: Running Efficient Hybrid Networks

manufacturing plants run production supplies using customized applications.

At the same time, a whole host of non-business applications consume precious bandwidth, whether they're social networks or e-learning tools that have no business impact if they aren't accessible.

As a result, you need to consider and address the following questions:

Is a cost-effective way available to provide backup connections if the MPLS fails?

The Internet connection is always too limited, and its usage is growing every day. How do you differentiate between critical production traffic and other traffic?

When you know which traffic to classify in the mission-critical category, how do you provide enough capacity for critical business traffic and yet allow other traffic when excess capacity exists?

Does a way exist to direct production traffic only via MPLS connections and use a more cost-effective connection for the rest?

Chapters 3 and 4 cover the ways in which you can answer these questions.

Scaling for growth and change

Like waistlines and garden weeds, networks tend to grow and spread. Whether the expansion is local or involves external sites, adding further operator lines for seamless extension of connections should be easy. If a company chooses to add more servers to increase capacity across its network, it needs to factor in the criteria for manageability. Server clusters, for example, are one method for ensuring scalability while minimizing operational tasks.

Uptime and reliability are desirable for any network, but they become even more important with complex architectures. No one wants to be faced with a situation where you multiply operator lines and still end up with a single point of failure because of one unreliable component.


Furthermore, performing an upgrade shouldn't result in sluggish access; business needs to go on as usual. This requirement is also true for failure points: IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high, as well as where the chances of fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in case of emergency. But you need to implement an intelligent process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports, protocols and connection state to classify and control network traffic. Today's firewalls have to do much more: identify users, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls are able to cater for many instances of tunneling, and so have introduced new parameters in the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

Making informed decisions about connectivity

Thinking about cost

Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because ordinary routing sends everything not covered by a more specific route to a single default route. A hybrid network has several paths to the Internet, but a conventional router installs only one of them as the default (or, with equal-cost multipath, splits flows blindly, with no regard for link health, capacity or cost).

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider's link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, with two links of equal size only 50 per cent of the bandwidth you pay for is in use, because the other link sits idle almost all of the time.

The modern alternative is an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their per-volume cost is high, in an emergency they can be a cost-saving solution.
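To make the preceding two sections concrete, here's an added example (not code from this book or from Forcepoint's product) of how a multi-ISP egress policy can behave: it hashes each flow's 5-tuple to one link so that a session keeps a single egress and NAT address, spreads flows across all healthy links in proportion to their capacity in active-active mode, idles all but the first healthy link in active-standby mode, and touches an emergency-only link (the pay-per-volume satellite case) only when nothing else is up. The link names, capacities and sample flows are constructed for illustration, and weighted rendezvous hashing is one reasonable technique, not necessarily what any particular product does.

```python
"""Multi-ISP egress selection: per-flow stickiness, active-active versus
active-standby, and emergency-only standby links.

Added example, not code from the book or from Forcepoint's product. Link
names, capacities and the sample flows are constructed for illustration."""
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Link:
    name: str
    mbps: int                      # nominal capacity; also the hashing weight
    up: bool = True
    emergency_only: bool = False   # e.g. pay-per-volume satellite: used only when nothing else is up


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def usable_links(links: List[Link], mode: str = "active-active") -> List[Link]:
    """Links allowed to carry traffic right now.

    active-standby: only the first healthy terrestrial link; the rest idle.
    active-active:  every healthy terrestrial link.
    Emergency-only links count in either mode, but only when no other link is up."""
    healthy = [l for l in links if l.up and not l.emergency_only]
    if not healthy:
        return [l for l in links if l.up and l.emergency_only]
    if mode == "active-standby":
        return healthy[:1]
    if mode == "active-active":
        return healthy
    raise ValueError(f"unknown mode {mode!r}")


def usable_capacity(links: List[Link], mode: str = "active-active") -> int:
    """Capacity (Mbps) that new flows can actually use under the given mode."""
    return sum(l.mbps for l in usable_links(links, mode))


def pick_link(flow: Flow, links: List[Link], mode: str = "active-active") -> Link:
    """Weighted rendezvous (highest-random-weight) hashing over the 5-tuple.

    Every packet of a flow lands on the same link, so a session keeps one
    egress and one NAT address. Each link's score depends only on itself and
    the flow, so removing a link re-homes just the flows that were on it."""
    candidates = usable_links(links, mode)
    if not candidates:
        raise RuntimeError("no usable link")
    key = f"{flow.proto}|{flow.src}:{flow.sport}|{flow.dst}:{flow.dport}"
    best, best_score = None, -1.0
    for link in candidates:
        digest = hashlib.sha256(f"{link.name}#{key}".encode()).digest()
        r = (int.from_bytes(digest[:8], "big") + 1) / (2 ** 64 + 1)  # uniform in (0, 1)
        score = link.mbps / -math.log(r)   # P(link wins) = mbps / sum(mbps) over candidates
        if score > best_score:
            best, best_score = link, score
    return best


def assign(flows: List[Flow], links: List[Link], mode: str = "active-active") -> Dict[Flow, str]:
    """Map every flow to the name of the link it egresses on."""
    return {flow: pick_link(flow, links, mode).name for flow in flows}


def sample_flows(n: int) -> List[Flow]:
    """Constructed traffic: n client sessions to two destinations on port 443."""
    return [Flow("tcp", f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i,
                 "203.0.113.10" if i % 2 else "198.51.100.20", 443)
            for i in range(n)]


if __name__ == "__main__":
    links = [Link("mpls", 10), Link("adsl", 8), Link("lte", 6),
             Link("sat", 2, emergency_only=True)]
    flows = sample_flows(2000)
    tally: Dict[str, int] = {}
    for name in assign(flows, links).values():
        tally[name] = tally.get(name, 0) + 1
    print("active-active split by link:", tally)        # roughly 10:8:6, satellite idle
    print("active-standby usable capacity:", usable_capacity(links, "active-standby"), "Mbps")
    links[1].up = False                                  # ADSL drops
    print("after ADSL failure:", sorted(set(assign(flows, links).values())))
```

Marking a link down and re-running `assign` shows the failover behaviour the Chapter 4 case studies describe: flows that were on the failed link are re-hashed onto the survivors, flows already on a surviving link stay where they are (so their sessions and NAT mappings survive), and the satellite link is chosen only once every terrestrial link is down.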

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and connection outages sometimes occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To reduce the risk, organizations resort to multiple link types or standby systems, which ultimately increase both the complexity of an infrastructure and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the provider edge router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt and authenticate your traffic using the protocols we discuss here, a misrouted packet no longer exposes its contents: eavesdroppers receive only ciphertext they can't decipher. (Encryption doesn't hide the fact that traffic is flowing, or how much, so it narrows the exposure to confidentiality rather than removing every consequence of a misconfiguration.)

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic separate, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to verify each other's identity before any data is trusted. Encryption hides potentially sensitive data from anyone else on the path, and the protocols that do the job properly (IPsec and TLS) also protect integrity, so data can't be altered in transit unnoticed.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using an IPsec or SSL/TLS VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, it's now considered broken rather than merely weak. Its usual authentication, MS-CHAPv2, can be cracked offline from a captured handshake, and the MPPE encryption keys are derived from that same weak exchange, so don't rely on it for anything confidential.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP, used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions. On its own, L2TP only tunnels: it doesn't encrypt anything.

You can use L2TP in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and can therefore protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's a near-ideal solution for securing VPNs, provided you choose current algorithms (IKEv2 with authenticated encryption) rather than legacy defaults.

The main drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer VPN (in practice today, TLS VPN) provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL/TLS-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL VPNs can also imitate the way IPsec works via lightweight software.


Using an SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting that IPsec demands. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software. That convenience cuts both ways: a browser on an unmanaged machine is an endpoint you don't control, so limit what the portal exposes and require strong authentication rather than a password alone.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network into the cloud, which creates a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi-link management

Distributing traffic for bandwidth efficiency

Keeping watch over your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the peering arrangements with (and between) two ISPs that you need when you use BGP to make your Internet connection highly available. The integrated Forcepoint Security Management Center provides all configuration, and the setup is completely independent of any co-ordination with the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges set out in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies configure QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. In the case of a connection outage it wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
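Here's an added example, not the book's or the product's own code, that models the 'Prioritizing links' behaviour and the sample configuration above: classes are served strictly in priority order, a class forced onto a link (SAP on MPLS) can use only that link, and lower-priority classes try their preferred link first (ADSL) and then spill onto whatever the higher classes left free (spare MPLS capacity), with the remainder throttled. The class table, link sizes and demand figures are constructed, and the scheduler is a deliberately simple model of the policy, not the product's algorithm: it is re-run each interval from fresh link state, which is how a burst of priority-1 demand pre-empts lower classes that were borrowing MPLS capacity.

```python
"""Priority classes mapped onto links: forced placement, preferred links and
overflow into spare capacity. Added example; the class table, link capacities
and demand figures are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    mbps: float
    free: float = field(init=False)

    def __post_init__(self):
        self.free = self.mbps


@dataclass
class TrafficClass:
    name: str
    priority: int                      # 1 = highest, served first
    demand_mbps: float                 # offered load this interval
    forced: Optional[str] = None       # may use this link only ("forced on the MPLS link")
    preferred: List[str] = field(default_factory=list)  # try these first, then anything left


def schedule(classes: List[TrafficClass], links: List[Link]) -> Dict[str, Dict[str, float]]:
    """Allocate link capacity to classes, highest priority first.

    Each class walks its allowed links in order and takes what is free; what
    does not fit anywhere is reported under 'throttled'. Because this runs
    every interval from fresh link state, a priority-1 burst simply leaves
    less for the classes below it, so lower classes that were borrowing MPLS
    capacity are squeezed off it automatically."""
    by_name = {link.name: link for link in links}
    result: Dict[str, Dict[str, float]] = {}
    for tc in sorted(classes, key=lambda c: c.priority):
        if tc.forced:
            order = [tc.forced]
        else:
            order = tc.preferred + [n for n in by_name if n not in tc.preferred]
        remaining = tc.demand_mbps
        placement: Dict[str, float] = {}
        for name in order:
            link = by_name[name]
            take = min(remaining, link.free)
            if take > 0:
                link.free -= take
                placement[name] = take
                remaining -= take
            if remaining <= 0:
                break
        placement["throttled"] = remaining
        result[tc.name] = placement
    return result


def sample_config(sap_demand: float = 6.0):
    """The retail case from the text with constructed numbers: one 10 Mbps MPLS
    link and one 8 Mbps ADSL link per site; SAP forced onto MPLS, everything
    else preferring ADSL and borrowing spare MPLS capacity. Fresh objects each
    call, because schedule() consumes link.free."""
    links = [Link("mpls", 10.0), Link("adsl", 8.0)]
    classes = [
        TrafficClass("SAP", priority=1, demand_mbps=sap_demand, forced="mpls"),
        TrafficClass("Email", priority=3, demand_mbps=3.0, preferred=["adsl"]),
        TrafficClass("HTTP", priority=4, demand_mbps=11.0, preferred=["adsl"]),
    ]
    return classes, links


def link_utilisation(links: List[Link]) -> Dict[str, float]:
    """Fraction of each link in use after scheduling."""
    return {l.name: round((l.mbps - l.free) / l.mbps, 3) for l in links}


if __name__ == "__main__":
    classes, links = sample_config()
    for name, placement in schedule(classes, links).items():
        print(f"{name:6s} {placement}")
    print("utilisation:", link_utilisation(links))
    # Re-run with SAP bursting to the full MPLS size: HTTP loses its borrowed 4 Mbps.
    classes, links = sample_config(sap_demand=10.0)
    print("SAP burst:", schedule(classes, links)["HTTP"])
```

With the default figures, SAP takes 6 Mbps of MPLS, email takes 3 Mbps of ADSL, and HTTP fills the remaining 5 Mbps of ADSL, borrows the 4 Mbps left on MPLS and has 2 Mbps throttled, so both links run at 100 per cent, which is the 'close to 100 per cent use' outcome the case study describes. When SAP demand rises to 10 Mbps the borrowed MPLS capacity disappears and HTTP's throttled share grows instead; the priority-1 class is never the one that waits.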


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business first, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical and time-sensitive applications, and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible, provided they don't share a failure mode (the same exchange, the same duct, the same upstream carrier). Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States and one of its sales offices in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites, and a single MPLS connection existed between them. The CIO was anxious because Bermuda is a known hurricane area: one big hurricane could cut the communication line and put the company out of business for a long time.

The company compared several options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All the alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration let them avoid a cumbersome BGP setup and gain highly available connections. (Two circuits from two ISPs only help if they also take physically separate paths; circuits that share a cable landing or a duct still fail together.)

Figure 4-1: Combining different links for efficient hybrid networks.

About one year later, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically moved to the one still functioning. Business continued without interruption.

Load Balancing with Multi-Link

You may think that the fastest-responding link is the obvious choice, that is, sending each new connection down whichever ISP returns a SYN-ACK (synchronize-acknowledge) first. But consider the case where one ISP's bandwidth far exceeds that of the smaller ISPs supplementing it: the smaller ISP may well return the faster SYN-ACK.

So although this option may seem to pick the 'fastest' connection, it ignores the proportion of bandwidth each link actually has available, and ends up steering traffic onto the smallest pipe.

In this section we describe how Multi-Link technology load-balances traffic among the different links, and how it uses fuzzy logic to work out quickly that a link is going bad and move traffic away to the links that are still healthy.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall resolves the puzzle with a ratio method, in which traffic is distributed among all the available links according to their relative capacity.

The bandwidth of each link is compared to the bandwidth of the link with the most capacity to produce a ratio for distributing the traffic. The ratio is a target rather than a guarantee for every moment; with only a handful of connections in flight the split can only be coarse:

• Volume of traffic is low: the actual traffic distribution only approximates the ratio.

• Volume of traffic is high: the share handled by each link converges on the ratio calculated from link capacity.
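As an added example (not Stonesoft or Forcepoint code), the following Python sketch implements the ratio method as the section describes it: each active link is weighted by its bandwidth relative to the largest link, and a new flow is assigned by hashing its 5-tuple into those weights, so every packet of a flow keeps using the same link. Link names, capacities and the sample flows are constructed for the demonstration; a standby link is included to show the 'dormant link' case from Chapter 3.

```python
"""Ratio-based link selection for new flows (illustration of the Multi-Link
ratio method). Added example, not Forcepoint/Stonesoft code. Link names,
capacities and the sample flows are constructed."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_mbps: int
    standby: bool = False   # carries traffic only when no active link is up
    up: bool = True


def link_weights(links):
    """Weight each usable link by bandwidth relative to the largest usable link.

    Active links are preferred; standby links are used only when every active
    link is down (the 'dormant link' case). Raises if nothing is up.
    """
    active = [l for l in links if l.up and not l.standby]
    pool = active or [l for l in links if l.up and l.standby]
    if not pool:
        raise RuntimeError("no usable link")
    biggest = max(l.bandwidth_mbps for l in pool)
    return {l: l.bandwidth_mbps / biggest for l in pool}


def select_link(links, flow):
    """Pick the link for one flow (src, sport, dst, dport, proto).

    The 5-tuple is hashed into [0, total weight), so a given flow always
    lands on the same link (needed for NAT and stateful inspection) while
    many flows spread out in proportion to the weights.
    """
    weights = link_weights(links)
    total = sum(weights.values())
    digest = hashlib.sha256(repr(flow).encode()).digest()
    point = int.from_bytes(digest[:8], "big") / 2**64 * total
    cumulative = 0.0
    for link, weight in weights.items():
        cumulative += weight
        if point < cumulative:
            return link
    return link  # guards against rounding at the very top of the range


def distribution(links, n_flows):
    """Fraction of n_flows constructed TCP flows assigned to each link name."""
    counts = Counter()
    for i in range(n_flows):
        flow = ("10.1.0.%d" % (i % 250 + 1), 10000 + i, "203.0.113.10", 443, "tcp")
        counts[select_link(links, flow).name] += 1
    return {name: n / n_flows for name, n in counts.items()}


if __name__ == "__main__":
    links = [Link("MPLS", 10), Link("ADSL", 20), Link("LTE", 50),
             Link("SAT", 2, standby=True)]
    for n in (8, 20000):     # low volume is coarse, high volume converges
        print(n, distribution(links, n))
```

With 10, 20 and 50 Mbps links the weights are 0.2, 0.4 and 1.0, so the expected shares are 12.5, 25 and 62.5 per cent; eight flows can only approximate that, twenty thousand land within a couple of per cent of it. One simplification to be aware of: because the hash is re-mapped whenever the link set changes, a link failure moves existing flows as well as new ones in this sketch, whereas a real firewall keeps established connections pinned in its state table and applies the new weights to new connections only.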

Getting logical, though fuzzily

Ratio-based load balancing lets Forcepoint's Multi-Link take the larger link(s) into account, allowing more granular and efficient use of the available links.

Load-balancing traffic between several ISPs isn't as easy as it sounds (if it didn't sound easy, ignore that). Handling the various failure situations gracefully is especially challenging. Stonesoft Next Generation Firewall uses several techniques, including fuzzy logic, to solve VPN load-balancing and high-availability problems.

Here are some examples of problems that occur if load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.

• Traffic goes to a poor-quality link even though a better link is available.

• Traffic goes to a standby link even though an active link works.

• Switching to a standby link takes too long.


Fuzzy logic is a good tool in such scenarios because it is a multi-valued logic: instead of '0' or '1' you have a whole range of values in between. Fuzzy logic works with imprecise data and calculates 'degrees of truth', giving answers to questions such as:

• How high is the load?

• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'defuzzification' to produce an answer. This capability helps Stonesoft Next Generation Firewall work well even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
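To make the fuzzy-logic idea concrete, here is an added example in Python; it is my construction, not Forcepoint's algorithm (the book doesn't publish the product's variables or rules). Two measured inputs, round-trip latency and packet loss, are mapped onto fuzzy sets, five rules combine them into a 'degree of failing' between 0 and 1, and that degree shrinks a link's share of new traffic before any crisp failure threshold is reached. The membership boundaries and the failure threshold are assumptions chosen for illustration.

```python
"""Fuzzy-logic link health: turns latency and packet loss into a 'degree of
failing' and uses it to shrink a link's share before the link actually dies.
Added example; the fuzzy sets, rules and threshold are assumptions, not
Forcepoint's published design."""


def ramp_up(x, lo, hi):
    """Membership rising linearly from 0 at lo to 1 at hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def ramp_down(x, lo, hi):
    return 1.0 - ramp_up(x, lo, hi)


def triangle(x, lo, peak, hi):
    """Membership 1 at peak, falling linearly to 0 at lo and hi."""
    if x <= lo or x >= hi:
        return 0.0
    return (x - lo) / (peak - lo) if x <= peak else (hi - x) / (hi - peak)


# Sugeno-style constant outputs for the 'degree of failing' consequents.
LOW, MED, HIGH = 0.0, 0.5, 1.0
FAIL_THRESHOLD = 0.8   # assumption: at or above this a link is treated as down


def degree_of_failing(latency_ms, loss_pct):
    """Fuzzify the inputs, fire the rules (AND = min), defuzzify by weighted average."""
    lat_high = ramp_up(latency_ms, 50, 200)       # set boundaries are assumed
    lat_low = 1.0 - lat_high
    loss_none = ramp_down(loss_pct, 0.5, 3)
    loss_some = triangle(loss_pct, 0.5, 3, 10)
    loss_heavy = ramp_up(loss_pct, 3, 10)
    rules = [
        (loss_heavy, HIGH),                        # heavy loss alone is fatal
        (min(lat_high, loss_some), HIGH),
        (min(lat_high, loss_none), MED),           # slow but clean: reduce share
        (min(lat_low, loss_some), MED),
        (min(lat_low, loss_none), LOW),
    ]
    total = sum(weight for weight, _ in rules)
    if total == 0:
        return 0.0
    return sum(weight * out for weight, out in rules) / total


def shares(metrics):
    """metrics: name -> (bandwidth_mbps, latency_ms, loss_pct).

    Returns each link's share of new traffic: bandwidth scaled by health,
    and zero for links at or beyond FAIL_THRESHOLD."""
    weights = {}
    for name, (bandwidth, latency, loss) in metrics.items():
        failing = degree_of_failing(latency, loss)
        weights[name] = 0.0 if failing >= FAIL_THRESHOLD else bandwidth * (1.0 - failing)
    total = sum(weights.values())
    if total == 0:
        raise RuntimeError("every link is failing")
    return {name: w / total for name, w in weights.items()}


if __name__ == "__main__":
    # Constructed measurements: LTE is dropping packets, MPLS is slow but clean.
    print(shares({"LTE": (50, 300, 12), "ADSL": (20, 20, 0), "MPLS": (10, 300, 0)}))
```

The point of the 'degrees of truth' is visible in the MPLS link: 300 ms with no loss fires only the 'slow but clean' rule, so its degree of failing is 0.5 and it keeps half its share instead of being declared dead by a latency threshold, while the lossy LTE link reaches 1.0 and receives nothing.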

Keeping Watch over Hybrid Networks

Both experience and research have taught security administrators that some of the major challenges in protecting IT assets are related to managing the security infrastructure: monitoring network and server activity, detecting events and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can mean a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company that needed lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

• The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

• A VoIP service was desirable wherever possible to save costs.

• Two or three people operating out of one site had to manage the whole network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, there is a relatively good chance that wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can start with 3G wireless connections and add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall automatically uses the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, pricing rises sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and to direct all other traffic to lower-cost ADSL lines, keeping global connection costs low. It managed that with Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company manages its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities

• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way and support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices for managing your distributed network from these questions, which help you map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you quickly grasp the situation you face with your network today and then build your strategies around that knowledge.

The information in this chapter isn't detailed enough on its own for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or another segment, you have to define exactly what the network brings you in terms of business value and which parts of your activity depend on it most.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised by how networks change and grow, and be taken unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of the links you use and the bandwidth you're actually getting conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in the best case, do nothing. How great would that be?

We discuss SLAs in Chapter 2


What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Take that knowledge one step further and analyze whether your processes favor or disserve those applications. Doing so puts you in a position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and it is becoming increasingly clear that security precautions aren't always implemented. Taking care of your security helps you take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arise. Accessing an application from newly opened sites, or lacking a backup solution in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort your installations will demand in the future, you can easily weigh current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that recipients didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but better still is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottlenecks.

Chapter 4 explores the different methods Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you strike the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated, extremely high-traffic network? The honest answer depends on who can reach it: a backup image is a complete copy of the server, so the case for skipping encryption holds only while that network stays physically dedicated and inside your own premises, not once it crosses a carrier or a shared switch.

Skip back to Chapter 1 for the different types of network architecture and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructure or digital connections, a global overview of what's happening on the network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for the management and surveillance of hybrid networks.


Wiley End User License Agreement: go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real Time?
• EULA

Furthermore, performing an upgrade shouldn't result in sluggish access: business needs to go on as usual. The same requirement applies to failure points; IT staff need to maintain activity while they troubleshoot and/or apply corrective measures.

Ensure that you give special care to nodes where traffic is high as well as where the chances of a fault are high. No distributed WAN can produce a constant level of performance and the lowest latency without help. Techniques such as local offloading (which takes traffic off the primary network and uses a secure local Internet access point) can increase flexibility in an emergency. But you need to implement an intelligent process for the more critical business applications or bandwidth-hungry data encountered across a network.

Firing up your firewall knowledge

The traditional first line of defense, the simple stateful firewall, looked only at IP addresses, ports and protocols to classify and control network traffic. Today's firewalls have to do much more: identify users, control applications and allow fine-grained policy control. These capabilities allow full-stack inspection while consolidating functionality to achieve simpler network management.

VPN functionality is a key element of firewall technology and has also developed in parallel with market changes. Vast volumes of traffic demand larger tunnels for encrypted exchanges. As we discuss in Chapter 1, businesses use VPNs for intranet and site-to-site communication.

In the past, a firewall was able to manage only a limited number of VPN tunnels. Today, next-generation firewalls cater for many tunnels at once and have accordingly introduced new parameters into the configuration and management of secure connections. Flip (safely and securely) to Chapter 4 for more details.


Chapter 3

Managing Hybrid Connection Challenges

In This Chapter

• Making informed decisions about connectivity

• Thinking about cost

• Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at the different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. With QoS you can give business-critical traffic priority over normal traffic; it takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

QoS starts slowing down less important traffic and guarantees that higher-priority traffic goes first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method that combines multiple network links with QoS, so that you benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.
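The following Python simulation is an added example (not from the book) of the strict-priority behaviour just described: a link with a fixed byte budget per tick serves its queues in priority order, so when the offered load exceeds capacity it is the lowest-priority queue that backs up. The traffic classes, packet size and capacity are constructed; the bank's stock-exchange feed is class 1 and web browsing is class 4, as in the priority table earlier in the book.

```python
"""Strict-priority QoS on a fixed-capacity link. Added example, not the
book's code: each tick the link sends up to `capacity` bytes, draining the
priority-1 queue first, so overload shows up as backlog in the lowest class
only. Traffic classes, packet size and capacity are constructed."""
from collections import deque

PACKET = 1000   # bytes per packet in the constructed traffic


class PriorityLink:
    def __init__(self, capacity, n_classes=4):
        self.capacity = capacity                         # bytes per tick
        self.queues = [deque() for _ in range(n_classes)]

    def enqueue(self, priority, size, label):
        self.queues[priority - 1].append((size, label))

    def tick(self):
        """Send up to `capacity` bytes, highest priority (lowest number) first.

        Returns {priority: bytes sent}. A packet that doesn't fit in the
        remaining budget waits, and the scheduler moves on to the next class."""
        budget = self.capacity
        sent = {p: 0 for p in range(1, len(self.queues) + 1)}
        for prio, queue in enumerate(self.queues, start=1):
            while queue and queue[0][0] <= budget:
                size, _ = queue.popleft()
                budget -= size
                sent[prio] += size
        return sent

    def backlog(self):
        """Bytes still queued per priority class."""
        return {p: sum(s for s, _ in q) for p, q in enumerate(self.queues, start=1)}


def simulate(capacity, offered, ticks):
    """offered: {priority: bytes arriving per tick}.

    Returns (delivered, backlog), both {priority: bytes}, after `ticks`
    rounds of arrivals followed by service."""
    link = PriorityLink(capacity)
    delivered = {p: 0 for p in range(1, 5)}
    for _ in range(ticks):
        for prio, nbytes in offered.items():
            for _ in range(nbytes // PACKET):
                link.enqueue(prio, PACKET, "class-%d" % prio)
        for prio, nbytes in link.tick().items():
            delivered[prio] += nbytes
    return delivered, link.backlog()


if __name__ == "__main__":
    # Stock-exchange feed (1), ERP (2) and web (4): 14 000 bytes offered per
    # tick against 10 000 bytes of capacity.
    print(simulate(10_000, {1: 3000, 2: 2000, 4: 9000}, ticks=10))
```

After ten ticks every byte of classes 1 and 2 has been delivered, while class 4 received only the 5,000 bytes per tick left over and accumulated 40,000 bytes of backlog; that is the 'slowing down of less important traffic' the text describes. The flip side of strict priority is starvation: if the high-priority classes alone exceed capacity, everything below them gets nothing, which is why production QoS configurations normally give each class a guaranteed minimum rate on top of its priority.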

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Using several Internet connections mitigates this risk, and as an additional benefit more bandwidth is available for traffic too.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

You can solve this problem in different ways, but the most common method is a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When using more than one ISP, the traditional practice was an active-standby setup: the primary ISP forwards traffic to and from the Internet while the second provider's link remains on standby, waiting until the active link fails and then taking over the traffic flow. As a result, with two equal links only half of the available bandwidth is ever used, because the other link is mostly idle.

The modern alternative is an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only in emergencies can be useful. A typical example is satellite connections, whose cost is based on the volume of traffic they carry. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup. They're used only when nothing else is available: although their cost per byte is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth and availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (LTE is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and connection outages sometimes occur.

Some high-quality link providers charge customers on the basis of traffic volume. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve the high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because most of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as backup for very high-priority traffic.

Estimating a budget

Time shows that Internet links fail at some stage. To reduce the risk, organizations resort to multiple link types or standby systems, which ultimately increase both the complexity and the cost of the infrastructure.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way towards saving on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for the different types of traffic and their priority ratings. Then obtain an accurate estimate of how a solution can help you leverage broadband connections and benefit from agile, cost-saving connectivity.

Keeping Your Network Safe

Although you can build VPNs using MPLS, which works by separating different traffic streams, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn’t quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP’s MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only encrypted traffic that they can’t decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don’t normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it’s an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It’s used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it’s already heavily employed in online shopping and banking. SSL‐protected pages display ‘https’ in the browser URL bar as opposed to ‘http’.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and the hours of configuring and troubleshooting that IPsec can require. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don’t need to rely on pre‐configured client‐side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company’s internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use‐case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We don’t focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint’s network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, nor the ISP peering agreements that are needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they’re completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.


Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You’ll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result in any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load‐balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren’t reserved for high‐priority traffic.

Often companies subscribe to QoS so that high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or lower‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn’t always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, this wouldn’t cover the production losses, and so the company wanted a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint’s Multi‐Link technology was used to load‐balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here’s a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
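The sample configuration above, modelled as a small placement policy. This is an added illustration, not Forcepoint's code or algorithm: it assumes two links (MPLS and ADSL) with made-up capacities, a flow-level view of traffic, and the rule that a priority-1 flow arriving on a full MPLS link bumps the lowest-priority flows off it.

```python
"""Simplified model of the preferred-link selection described above
(constructed illustration, not Forcepoint's implementation).

Rules modelled from the sample configuration:
  * priority 1 (SAP) is forced onto the MPLS link; if MPLS is full, the
    lowest-priority flows on it are moved off to make room
  * priority 4 (HTTP) normally uses ADSL and may use free MPLS capacity
  * low-priority flows that fit nowhere are throttled (queued) until
    capacity frees up
Link capacities and flow demands are assumed values in Mbit/s.
"""
from dataclasses import dataclass, field


@dataclass
class Flow:
    name: str
    priority: int   # 1 = highest (SAP), 4 = lowest (HTTP)
    demand: float   # bandwidth the flow wants, Mbit/s


@dataclass
class Link:
    name: str
    capacity: float
    flows: list = field(default_factory=list)

    def load(self) -> float:
        return sum(f.demand for f in self.flows)

    def free(self) -> float:
        return self.capacity - self.load()

    def names(self) -> set:
        return {f.name for f in self.flows}


class MultiLinkQoS:
    """Two-link placer: one high-quality (MPLS) and one low-cost (ADSL) link."""

    def __init__(self, mpls_capacity: float, adsl_capacity: float):
        self.mpls = Link("MPLS", mpls_capacity)
        self.adsl = Link("ADSL", adsl_capacity)
        self.throttled: list = []   # flows waiting for capacity

    def place(self, flow: Flow) -> str:
        """Place a flow; return the link it landed on, or 'throttled'."""
        if flow.priority == 1:
            # Forced onto MPLS: evict lower-priority flows until it fits.
            while self.mpls.free() < flow.demand:
                victims = [f for f in self.mpls.flows if f.priority > 1]
                if not victims:
                    break   # only priority-1 traffic left: MPLS is over-subscribed
                victim = max(victims, key=lambda f: f.priority)
                self.mpls.flows.remove(victim)
                # An evicted flow may not bounce straight back onto MPLS.
                self._place_low(victim, allow_mpls=False)
            self.mpls.flows.append(flow)
            return self.mpls.name
        return self._place_low(flow)

    def _place_low(self, flow: Flow, allow_mpls: bool = True) -> str:
        """ADSL first; otherwise spare MPLS capacity; otherwise throttle."""
        if self.adsl.free() >= flow.demand:
            self.adsl.flows.append(flow)
            return self.adsl.name
        if allow_mpls and self.mpls.free() >= flow.demand:
            self.mpls.flows.append(flow)
            return self.mpls.name
        self.throttled.append(flow)
        return "throttled"

    def finish(self, name: str) -> dict:
        """A flow ends; offer the freed capacity to throttled flows."""
        for link in (self.mpls, self.adsl):
            link.flows = [f for f in link.flows if f.name != name]
        waiting, self.throttled = self.throttled, []
        return {f.name: self._place_low(f) for f in waiting}


def demo():
    """Constructed scenario: 2 Mbit/s MPLS, 8 Mbit/s ADSL (assumed values)."""
    qos = MultiLinkQoS(mpls_capacity=2.0, adsl_capacity=8.0)
    placements = {}
    for f in (Flow("http-1", 4, 5.0), Flow("http-2", 4, 2.0),
              Flow("http-3", 4, 1.5), Flow("sap-1", 1, 1.0),
              Flow("sap-2", 1, 0.5), Flow("http-4", 4, 0.5)):
        placements[f.name] = qos.place(f)
    # http-3 used spare MPLS capacity until sap-1 arrived, then was throttled;
    # once http-1 ends, the freed ADSL capacity lets it through.
    placements["after http-1 ends"] = qos.finish("http-1")
    return qos, placements


if __name__ == "__main__":
    q, p = demo()
    for event, where in p.items():
        print(f"{event}: {where}")
    print("MPLS:", sorted(q.mpls.names()), "ADSL:", sorted(q.adsl.names()))
```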


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business first, so you don’t need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission‐critical, time‐sensitive applications and a better user experience.

Aggregating links

Wouldn’t it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you’d benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That’s exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi‐link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always‐available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company’s production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost‐effectively by using Forcepoint’s Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization’s IT manager and asked if he’d noticed that one of the company’s ISPs had been wiped out. The IT manager said that he hadn’t noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint’s Multi‐Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still‐functioning one. Business continued without interruption.

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP’s bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the ‘fastest’ connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out whether one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi‐link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint’s Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
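The ratio method and its low-volume/high-volume behaviour, as an added model that is not Forcepoint's code: each link's bandwidth is divided by the largest link's bandwidth to give its ratio, and each new connection is assigned to a link with probability proportional to that ratio (the per-connection weighted choice is an assumption; the link capacities are made-up values). With a handful of connections the achieved split can only approximate the computed ratio; with thousands it converges.

```python
"""Model of ratio-based link selection (constructed illustration, not
Forcepoint's implementation).

Each link's bandwidth is compared with the largest link's to produce a
ratio; new connections are then assigned to links with probability
proportional to that ratio. Link capacities are assumed values in Mbit/s.
"""
import random


def link_ratios(capacities: dict) -> dict:
    """Ratio of each link's bandwidth to the largest link's bandwidth."""
    biggest = max(capacities.values())
    return {name: cap / biggest for name, cap in capacities.items()}


def expected_shares(capacities: dict) -> dict:
    """Share of connections each link should carry in the long run."""
    ratios = link_ratios(capacities)
    total = sum(ratios.values())
    return {name: r / total for name, r in ratios.items()}


def distribute(capacities: dict, connections: int, seed: int = 0) -> dict:
    """Assign `connections` new connections to links, weighted by ratio.

    Returns the fraction of connections that landed on each link.
    """
    ratios = link_ratios(capacities)
    names = list(ratios)
    rng = random.Random(seed)   # seeded so the run is reproducible
    chosen = rng.choices(names, weights=[ratios[n] for n in names],
                         k=connections)
    return {n: chosen.count(n) / connections for n in names}


def max_deviation(capacities: dict, connections: int, seed: int = 0) -> float:
    """Largest gap between the achieved share and the capacity-derived share."""
    actual = distribute(capacities, connections, seed)
    target = expected_shares(capacities)
    return max(abs(actual[n] - target[n]) for n in target)


# Constructed example: one MPLS link and two cheaper links (assumed values).
LINKS = {"MPLS": 2.0, "ADSL": 8.0, "LTE": 4.0}

if __name__ == "__main__":
    print("ratios:", link_ratios(LINKS))
    print("target shares:", expected_shares(LINKS))
    for n in (5, 50, 50_000):
        print(f"{n:>6} connections: max deviation {max_deviation(LINKS, n):.3f}")
```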

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint’s Multi‐Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links.

Load‐balancing traffic between several different ISPs isn’t as easy as it sounds (if it didn’t sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load‐balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn’t handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long


Fuzzy logic is a nice tool to use in such scenarios because it’s a multi‐value logic: that is, instead of ‘0’ or ‘1’ you have multiple values. Fuzzy logic can use imprecise data and calculate ‘degrees of truth’, providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and ‘de‐fuzzying’ to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint’s Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn’t provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low‐latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they’re ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn’t require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low‐bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint’s Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint’s Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way as well as support future changes.

Each industry is unique, and the critical aspects driving one business’s network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you quickly grasp the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn’t sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What’s the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you’re obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take that knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in a position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren’t always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access or that receivers didn’t see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words, for taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what’s happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What’s the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
                                                                    • Am I Always Using the Fastest Connection
                                                                    • Do I Sometimes Prioritize Performance over Security
                                                                    • Can I See All Connections Across My Network in Real‐Time
                                                                      • EULA

Chapter 3: Managing Hybrid Connection Challenges

In This Chapter

• Making informed decisions about connectivity
• Thinking about cost
• Optimizing security

Forget what you may have seen in a Monty Python movie. The Holy Grail for a modern company's network isn't an ancient chalice but an efficient, secure and cost-effective connection. And you don't have to travel to distant lands, because you can find our guide to meeting all these requirements right here in this chapter. So no need to don a suit of armor for this quest, unless you really insist.

Managing Network Connections for Optimal Performance

Every online organization has network traffic that's vital to it and traffic that's just nice to have. For example, connections to the stock exchange are crucial for banks and stockbrokers, but their other Internet connections aren't as important. (In Chapter 2 we look at the different types of traffic associated with the applications used in business.)

In this section we discuss maximizing the performance of your network.


Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method that combines multiple network links with QoS, so that you benefit from both high availability of the connection and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active–standby setup. With this technique the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active–active set-up, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and connection outages sometimes occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems, which ultimately increase both the complexity of an infrastructure and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for the different types of traffic with their differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you eliminate this risk, because eavesdroppers receive only encrypted traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

• Point to Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IP Security (IPsec)
• Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and it is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar, as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

• Appreciating the power of multi-link management
• Distributing traffic for bandwidth efficiency
• Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the peering agreements between two ISPs that are needed when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it didn't address the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage this wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

• SAP traffic = Priority 1 = Forced on the MPLS link
• HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes the use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, a smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic.

• Volume of traffic is low: the ratio of actual traffic distribution is approximate.
• Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
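The preferred-link sample configuration from the retail case (SAP forced onto MPLS, HTTP on ADSL plus spare MPLS capacity) and the ratio method described here can be exercised together in one small simulation. This is an added example, not Forcepoint's or Stonesoft's code; the link names and capacities, the 50 per cent reserve kept on the forced link and the flow sizes are constructed assumptions, and the simulation also shows how the observed split approaches the capacity ratio only as the traffic volume grows.

```python
"""Preferred-link QoS combined with the ratio method of link selection.

Added example, not Forcepoint/Stonesoft code. Link names, capacities, the
reserve share and the flow sizes are constructed to mirror the sample
configuration in the text: priority-1 SAP traffic is forced onto MPLS,
priority-4 HTTP traffic normally rides ADSL plus free MPLS capacity.
"""
import random
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float      # subscribed bandwidth of the ISP link
    load_mbps: float = 0.0    # bandwidth currently in use

    @property
    def free_mbps(self) -> float:
        return max(self.capacity_mbps - self.load_mbps, 0.0)


# Constructed QoS policy: priority -> link the traffic is forced onto.
FORCED_LINK = {1: "MPLS"}
# Constructed reserve: share of a forced link kept free for its own
# priority traffic; best-effort flows only use capacity above it.
RESERVE_SHARE = 0.5


def make_links(capacities):
    """Build Link objects from a {name: capacity_mbps} mapping."""
    return [Link(name, cap) for name, cap in capacities.items()]


def ratio_weights(links):
    """Ratio method: each link's capacity relative to the largest link."""
    biggest = max(link.capacity_mbps for link in links)
    return {link.name: link.capacity_mbps / biggest for link in links}


def eligible_links(priority, flow_mbps, links):
    """Links a flow may use under the constructed QoS policy."""
    if priority in FORCED_LINK:
        # Forced traffic always takes its link, even when it is busy;
        # QoS throttles lower-priority traffic on that link instead.
        return [link for link in links if link.name == FORCED_LINK[priority]]
    chosen = []
    for link in links:
        if link.name in FORCED_LINK.values():
            spare = link.free_mbps - RESERVE_SHARE * link.capacity_mbps
            if spare >= flow_mbps:
                chosen.append(link)
        elif link.free_mbps >= flow_mbps:
            chosen.append(link)
    return chosen


def select_link(priority, flow_mbps, links, rng):
    """Name of the link chosen for one flow, or None if none can carry it."""
    candidates = eligible_links(priority, flow_mbps, links)
    if not candidates:
        return None  # QoS would queue or throttle this flow
    weights = ratio_weights(candidates)
    names = [link.name for link in candidates]
    return rng.choices(names, weights=[weights[n] for n in names], k=1)[0]


def place_flows(flows, links, seed=0):
    """Assign (priority, mbps) flows in order, accumulating link load."""
    rng = random.Random(seed)
    by_name = {link.name: link for link in links}
    placed = {link.name: [] for link in links}
    for priority, mbps in flows:
        name = select_link(priority, mbps, links, rng)
        if name is not None:
            by_name[name].load_mbps += mbps
            placed[name].append((priority, mbps))
    return placed


def observed_shares(n_flows, capacities, seed=0):
    """Share of n zero-size best-effort flows that each link receives.

    Load is not accumulated here, which isolates the ratio method itself.
    """
    rng = random.Random(seed)
    links = make_links(capacities)
    counts = {name: 0 for name in capacities}
    for _ in range(n_flows):
        counts[select_link(4, 0.0, links, rng)] += 1
    return {name: counts[name] / n_flows for name in capacities}


if __name__ == "__main__":
    caps = {"MPLS": 10.0, "ADSL": 2.0}
    print("ratio weights:", ratio_weights(make_links(caps)))
    for n in (5, 50, 50000):   # low volume is approximate, high is close
        print(n, "flows:", observed_shares(n, caps, seed=1))
    links = make_links({"MPLS": 10.0, "ADSL": 8.0})
    print(place_flows([(1, 3.0), (1, 3.0), (4, 2.0), (4, 2.0)], links))
```

Once the two SAP flows have used up the MPLS capacity above the reserve, the HTTP flows land on ADSL even though MPLS still has a little room, which is the behaviour the sample configuration describes.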

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing for more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link, even though multiple active links are available.
• Traffic goes to a poor-quality link, even though a better link is available.
• Traffic goes to a standby link, even though an active link works.
• Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of just '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?
• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
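The fuzzy-logic steps named above (input variables, fuzzy sets, rules, output variables and de-fuzzifying) can be traced in a small link-health scorer that answers "how close is this link to failing?" with a degree between 0 and 1 rather than a yes or no. This is an added example, not the product's own logic; the two inputs (load as a percentage of link capacity and probe packet loss in percent), the membership break points, the three rules, the output values, the smoothing factor and the drain threshold are all constructed assumptions.

```python
"""Fuzzy-logic link health: a 'degree of failing' used to move traffic away.

Added example, not Forcepoint/Stonesoft code. The input variables, fuzzy
sets, rules, output values and thresholds below are constructed for
illustration; the real product's variables and rules are not described here.
"""


def ramp_up(x, lo, hi):
    """Membership rising linearly from 0 at lo to 1 at hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


# Fuzzy sets over the two input variables (constructed break points).
def load_high(load_pct):
    return ramp_up(load_pct, 50.0, 90.0)


def loss_severe(loss_pct):
    return ramp_up(loss_pct, 1.0, 5.0)


# Output variable "move traffic away": one singleton value per output set.
OUTPUT = {"none": 0.0, "moderate": 0.5, "strong": 1.0}


def rule_strengths(load_pct, loss_pct):
    """Evaluate the rule base; AND is min, NOT is 1 - membership."""
    high, severe = load_high(load_pct), loss_severe(loss_pct)
    low, clean = 1.0 - high, 1.0 - severe
    return {
        # IF loss is severe THEN move traffic away strongly
        "strong": severe,
        # IF load is high AND loss is not severe THEN move some traffic
        "moderate": min(high, clean),
        # IF load is low AND loss is not severe THEN leave traffic alone
        "none": min(low, clean),
    }


def defuzzify(strengths):
    """Weighted average of the output singletons: a 'degree of truth'."""
    total = sum(strengths.values())
    if total == 0.0:
        return 0.0
    return sum(OUTPUT[name] * w for name, w in strengths.items()) / total


def failing_degree(load_pct, loss_pct):
    """How close a link is to failing, as a value in [0, 1]."""
    return defuzzify(rule_strengths(load_pct, loss_pct))


class LinkMonitor:
    """Smooths successive probe results so one noisy sample cannot flip
    the decision, while two bad samples in a row are enough to act."""

    DRAIN_AT = 0.6   # constructed threshold for moving traffic away
    ALPHA = 0.5      # constructed smoothing factor for new samples

    def __init__(self, name):
        self.name = name
        self.degree = 0.0

    def update(self, load_pct, loss_pct):
        sample = failing_degree(load_pct, loss_pct)
        self.degree = self.ALPHA * sample + (1 - self.ALPHA) * self.degree
        return self.degree

    @property
    def should_drain(self):
        return self.degree >= self.DRAIN_AT


def choose_links(monitors):
    """Split monitored links into those still usable and those to drain."""
    keep = [m.name for m in monitors if not m.should_drain]
    drain = [m.name for m in monitors if m.should_drain]
    return keep, drain


if __name__ == "__main__":
    for load, loss in ((20, 0), (100, 0), (70, 3), (20, 10)):
        print(f"load={load}% loss={loss}% -> {failing_degree(load, loss):.2f}")
    mpls, adsl = LinkMonitor("MPLS"), LinkMonitor("ADSL")
    for probe in ((20, 0), (20, 10), (20, 10)):   # ADSL starts dropping
        mpls.update(30, 0)
        adsl.update(*probe)
        print(round(adsl.degree, 2), choose_links([mpls, adsl]))
```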

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.
• The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.
• The use of a VoIP service was desirable wherever possible to save costs.
• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities

• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised by how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What Are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What Are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for the different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


Wiley End User License Agreement: Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What Are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What Are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How Much Time Do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real Time?
• EULA

Prioritizing traffic with QoS

Quality of Service (QoS) settings are used to control traffic priority. You can give business-critical traffic priority over normal traffic with QoS, which takes effect when the network capacity is insufficient to handle all the traffic running through it (see Figure 3-1).

Quality of Service starts slowing down less important traffic and guarantees that higher-priority traffic can go first. For example, a bank would have access to the stock exchange all the time, but Internet surfing may become slower during peak traffic hours.

Of course, QoS doesn't help if your connection is down. What you ideally require is a method to combine multiple network links and QoS, to benefit from both connection high availability and traffic prioritization. Chapter 4 provides more details.

Balancing load between ISPs

In many cases, companies have only one Internet connection, which inevitably becomes a single point of failure. Of course, using several Internet connections mitigates this risk. As an additional benefit, more bandwidth is available for traffic too.

Using several ISPs simultaneously is technically difficult, however, because normally a default route points towards the Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

Figure 3-1: QoS allows important data flows to take priority over less important traffic.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details), or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique, the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, only 50 per cent of the available bandwidth is used, because the other available link is mostly inactive.

The modern alternative is to use an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, an ISP can deliver unfailing uptime using MPLS. The downside for any business, however, is that MPLS is expensive and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems, which ultimately increase the level of complexity of an infrastructure and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you eliminate this risk, because eavesdroppers receive only encrypted traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

• Point to Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IP Security (IPsec)
• Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

• Appreciating the power of multi-link management
• Distributing traffic for bandwidth efficiency
• Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when BGP is used for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or coordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running: efficiently, and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it wouldn't remove the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

• SAP traffic = Priority 1 = Forced on the MPLS link
• HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link
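The sample configuration above, worked through as an added example that is not Forcepoint's code: a small Python model of priority-based link selection over constructed links and flows, covering the throttling of lower-priority traffic when SAP needs room, the fallback of SAP traffic to ADSL when MPLS fails, and the dormant satellite link from Chapter 3 that is used only when every active link is down.

```python
"""Multi-Link style link selection with QoS priorities (added illustration, not
Forcepoint's code). Models: priority 1 SAP traffic forced onto MPLS, HTTP on ADSL
plus any free MPLS capacity, lower priority flows throttled when high priority
traffic needs room, a dormant satellite link used only when every active link is
down. All link capacities and flows are constructed sample figures."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Placement = Tuple[Optional[str], List[str]]  # (link name or None = wait, throttled flows)


@dataclass
class Flow:
    name: str
    priority: int                          # 1 = highest (SAP), 4 = bulk HTTP
    mbps: float
    forced_link: Optional[str] = None      # "Forced on the MPLS link"
    preferred_link: Optional[str] = None   # "Normally using ADSL"


@dataclass
class Link:
    name: str
    capacity_mbps: float
    up: bool = True
    standby: bool = False       # dormant: used only when every active link is down
    reserved_mbps: float = 0.0  # share guaranteed to priority 1 traffic under congestion
    flows: List[Flow] = field(default_factory=list)

    def load(self) -> float:
        return sum(f.mbps for f in self.flows)

    def free_for(self, priority: int) -> float:
        """Capacity a flow of this priority may still take on the link."""
        hi = sum(f.mbps for f in self.flows if f.priority == 1)
        lo = self.load() - hi
        if priority == 1:
            return self.capacity_mbps - hi - lo
        # lower priorities only see capacity above the guaranteed priority 1 share
        return self.capacity_mbps - lo - max(self.reserved_mbps, hi)


def _make_room(link: Link, flow: Flow) -> Optional[List[str]]:
    """QoS action: throttle (modelled as evict) lower priority flows until `flow` fits."""
    kept = sum(f.mbps for f in link.flows if f.priority <= flow.priority)
    if link.capacity_mbps - kept < flow.mbps:
        return None                      # would not fit even with all lower priority gone
    evicted = []
    for victim in sorted(link.flows, key=lambda f: -f.priority):   # lowest priority first
        if link.capacity_mbps - link.load() >= flow.mbps:
            break
        if victim.priority > flow.priority:
            link.flows.remove(victim)
            evicted.append(victim.name)
    return evicted


def select_link(flow: Flow, links: Dict[str, Link]) -> Placement:
    """Place `flow` on a link: forced link, then preferred link, then most free capacity."""
    active = [l for l in links.values() if l.up and not l.standby]
    if not active:   # emergency: fall back to dormant links such as satellite
        active = [l for l in links.values() if l.up and l.standby]
    by_name = {l.name: l for l in active}
    order = [by_name[n] for n in (flow.forced_link, flow.preferred_link) if n in by_name]
    # a forced link that is down is simply absent here, so SAP falls back to ADSL
    order += sorted((l for l in active if l not in order), key=lambda l: -l.free_for(flow.priority))
    for link in order:
        if link.free_for(flow.priority) >= flow.mbps:
            link.flows.append(flow)
            return link.name, []
        if flow.priority == 1:   # high priority traffic may throttle lower priority flows
            evicted = _make_room(link, flow)
            if evicted is not None:
                link.flows.append(flow)
                return link.name, evicted
    return None, []   # congested everywhere: lower priority traffic has to wait


def fail_link(name: str, links: Dict[str, Link]) -> Dict[str, Placement]:
    """Mark a link down and re-place its flows, highest priority first."""
    link = links[name]
    link.up = False
    stranded, link.flows = sorted(link.flows, key=lambda f: f.priority), []
    return {f.name: select_link(f, links) for f in stranded}


def run_scenario() -> Dict[str, object]:
    """Constructed branch office: 4 Mbps MPLS (3 Mbps reserved for SAP), 8 Mbps ADSL,
    1 Mbps satellite kept dormant; then MPLS fails (hurricane), then ADSL fails too."""
    links = {"mpls": Link("mpls", 4.0, reserved_mbps=3.0), "adsl": Link("adsl", 8.0),
             "sat": Link("sat", 1.0, standby=True)}
    flows = [Flow("sap1", 1, 1.0, forced_link="mpls"), Flow("http1", 4, 6.0, preferred_link="adsl"),
             Flow("http2", 4, 2.0, preferred_link="adsl"), Flow("http3", 4, 1.0, preferred_link="adsl"),
             Flow("sap2", 1, 2.5, forced_link="mpls")]
    out: Dict[str, object] = {f.name: select_link(f, links) for f in flows}
    out["mpls_utilisation"] = links["mpls"].load() / links["mpls"].capacity_mbps
    out["mpls_failover"] = fail_link("mpls", links)
    out["adsl_failover"] = fail_link("adsl", links)
    return out
```

In the scenario, http3 lands on the free MPLS capacity, is throttled off again when sap2 arrives, and after the MPLS failure the SAP flows displace HTTP on ADSL; once ADSL is down as well only the satellite link remains and lower-priority traffic waits.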

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problemThe Bermuda office was totally dependent on the connection to the companyrsquos production sites One MPLS connection existed between the production site and the Bermuda office The CIO felt anxious because Bermuda is a known hurricane area One big hurricane could disrupt the communication lines and put the company out of business for a long time

The company compared several different options including satellite backup connections and an additional MPLS connec-tion from another ISP using border gateway protocol (BGP) All alternatives turned out to be rather complex and costly

The solutionThe company solved the problem cost effectively by using Forcepointsrsquo Multi‐Link and FirewallVPN solutions with two MPLS connections from two different ISPs This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections

About one year after that a category four hurricane swept through Bermuda and took down one of the main Internet

Figure 4-1 Combining different links for efficient hybrid networks

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Securing Hybrid Networks For Dummies 38 service providers When that event hit the news Forcepoint support personnel called the organizationrsquos IT manager and asked if hersquod noticed that one of the companyrsquos ISPs had been wiped out The IT manager said that he hadnrsquot noticed any-thingmdashconnections were functioning flawlessly This is just an example of the power of Forcepointrsquos Multi‐Link (see Figure 4-2)

The traffic from the failed ISP connection was automatically transferred to the still functioning one Business continued without interruption

Load Balancing with Multi-Link

At times you may think that choosing whichever link answers fastest is the preferred solution. For example, when one ISP's bandwidth far exceeds that of the smaller ISP connections supplementing it, a smaller ISP may still return a faster SYN-ACK (synchronize-acknowledge) response.

But although that link may look like the 'fastest' connection, picking it doesn't take into account the proportionate bandwidth available on each link. A ratio method, whereby traffic is distributed among all the available links according to their relative capacity, does.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: the ratio of actual traffic distribution is approximate.
• Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
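To make the two cases just listed concrete, here is an added example (my own, not Forcepoint's or Stonesoft's code, which the book doesn't show) of ratio-based distribution. It computes each link's ratio relative to the largest link as described, then spreads new flows with a smooth weighted round-robin scheduler, the algorithm nginx uses for weighted upstreams; the link names and bandwidths are made up.

```python
"""Ratio-based distribution of new flows across ISP links.

Added illustration, not Forcepoint/Stonesoft code. Links and
bandwidths are constructed sample data.
"""
from functools import reduce
from math import gcd

# Constructed sample: link name -> capacity in Mbps
LINKS = {"isp-a": 100, "isp-b": 20, "isp-c": 10}


def capacity_ratios(links):
    """Compare every link with the largest one, as the text describes."""
    biggest = max(links.values())
    return {name: bw / biggest for name, bw in links.items()}


def integer_weights(links):
    """Scale the capacities down to the smallest integers with the same ratio."""
    g = reduce(gcd, links.values())
    return {name: bw // g for name, bw in links.items()}


class RatioBalancer:
    """Smooth weighted round-robin. Each decision adds every link's
    weight to a running credit, picks the link with the most credit and
    charges it the total weight. Over one period (sum of the weights)
    every link is chosen exactly `weight` times; inside a period the
    choice never strays far from the target ratio."""

    def __init__(self, links):
        self.weights = integer_weights(links)
        self.credit = {name: 0 for name in self.weights}
        self.total = sum(self.weights.values())

    def next_link(self):
        for name, weight in self.weights.items():
            self.credit[name] += weight
        chosen = max(self.credit, key=self.credit.get)
        self.credit[chosen] -= self.total
        return chosen


def distribute(links, flows):
    """Return how many of `flows` new connections land on each link."""
    balancer = RatioBalancer(links)
    counts = {name: 0 for name in links}
    for _ in range(flows):
        counts[balancer.next_link()] += 1
    return counts


if __name__ == "__main__":
    print(capacity_ratios(LINKS))   # {'isp-a': 1.0, 'isp-b': 0.2, 'isp-c': 0.1}
    print(distribute(LINKS, 3))     # low volume: only roughly 10:2:1
    print(distribute(LINKS, 1300))  # high volume: exactly 1000:200:100
```

With three flows the split is 2:1:0, only roughly the 10:2:1 target; after 1,300 flows (one hundred full scheduling periods) it is exactly 1000:200:100, which is the low-volume and high-volume behaviour described above. A real firewall must also pin every packet of a flow to the link on which the flow started: a connection whose source address changes mid-stream, because it left through a different ISP's NAT, simply breaks.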

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.
• Traffic goes to a poor-quality link even though a better link is available.
• Traffic goes to a standby link even though an active link works.
• Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: instead of only '0' or '1', you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to questions such as:

• How high is the load?
• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
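As an added illustration of the input variables, fuzzy sets, rules and 'de-fuzzifying' just listed (my own example, not Forcepoint's algorithm, whose membership functions and rules the book doesn't publish), the following scores each link's health from three measurements and then picks a link so that the problems listed above don't occur: a degraded link loses traffic to a better one, and a standby link is used only when every active link is unusable. The thresholds, the rule table and the link measurements are assumptions.

```python
"""Fuzzy-logic link health and link selection.

Added example, not the Stonesoft implementation. Membership
functions, rules, thresholds and probe results are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LinkStats:
    name: str
    role: str        # "active" or "standby"
    load: float      # utilisation, 0.0 .. 1.0
    loss: float      # fraction of probe packets lost, 0.0 .. 1.0
    rtt_ms: float    # probe round-trip time


def ramp(x, low, high):
    """Membership in a 'high' fuzzy set: 0 below `low`, 1 above `high`,
    linear in between. This is the degree of truth of 'x is high'."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)


def health(s):
    """Zero-order Sugeno inference. Each rule fires with a strength
    (AND is min, NOT is 1 - x) and votes for a constant health value;
    de-fuzzifying is the strength-weighted average of those votes,
    a number between 0 (failing) and 1 (perfect)."""
    load_high = ramp(s.load, 0.5, 0.9)       # assumption: 50-90 % utilisation
    loss_high = ramp(s.loss, 0.01, 0.10)     # assumption: 1-10 % packet loss
    rtt_high = ramp(s.rtt_ms, 50.0, 300.0)   # assumption: 50-300 ms RTT

    rules = [  # (firing strength, health value the rule votes for)
        (min(1 - load_high, 1 - loss_high, 1 - rtt_high), 1.0),  # everything fine
        (load_high, 0.4),   # link is filling up
        (loss_high, 0.0),   # link is close to failing
        (rtt_high, 0.3),    # link is slow
    ]
    # total is never 0: the first rule fires fully whenever the others don't
    total = sum(w for w, _ in rules)
    return sum(w * v for w, v in rules) / total


def select_link(links, min_health=0.6):
    """Healthiest active link above the threshold; a standby link only
    when no active link qualifies."""
    ranked = sorted(links, key=health, reverse=True)
    active = [l for l in ranked if l.role == "active" and health(l) >= min_health]
    if active:
        return active[0].name
    standby = [l for l in ranked if l.role == "standby"]
    return standby[0].name if standby else None


def degrade(link, **measurements):
    """Copy of a link with new measurements, e.g. after a fault."""
    return replace(link, **measurements)


# Constructed probe results for one site
SAMPLE = [
    LinkStats("isp-a", "active", load=0.3, loss=0.0, rtt_ms=20),
    LinkStats("isp-b", "active", load=0.7, loss=0.0, rtt_ms=25),
    LinkStats("isp-c", "active", load=0.2, loss=0.055, rtt_ms=30),
    LinkStats("sat", "standby", load=0.0, loss=0.0, rtt_ms=600),
]

if __name__ == "__main__":
    for l in SAMPLE:
        print(f"{l.name:6s} health={health(l):.2f}")
    print("normal:", select_link(SAMPLE))
    # isp-a starts losing 20 % of probes: traffic moves to isp-b, not to the standby link
    print("isp-a degraded:", select_link([degrade(SAMPLE[0], loss=0.2)] + SAMPLE[1:]))
    # every active link is losing packets: only now does the standby link carry traffic
    print("all degraded:", select_link([degrade(l, loss=0.2) for l in SAMPLE[:3]] + SAMPLE[3:]))
```

Fuzzy scoring also addresses the 'switching takes too long' problem: health falls gradually as loss or load rises, so the threshold is crossed, and traffic starts to move, before the link is hard down. In practice the measurements come from periodic probes on each link, and the set of healthy active links, rather than a single winner, would be handed to the ratio balancer.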

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.
• The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.
• The use of a VoIP service was desirable wherever possible to save costs.
• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.

Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities
• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network? The honest answer depends on who else can reach that network: a physically separate, single-purpose segment is a different risk from a VLAN that shares switches and trunks with everything else.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.

Wiley End User License Agreement: go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real-Time?
• EULA

Internet, and you can only have one default route. Hybrid networks have several paths to the Internet, but only one of them can be the default route.

You can solve this problem in different ways, but the most common method is the use of a load balancer. A load balancer can be a separate device (see Chapter 1 for more details) or it can be implemented as part of a network security device such as a next-generation firewall (check out Chapter 4).

Activating dormant links

When resorting to the use of more than one ISP, the traditional practice was to use an active-standby setup. With this technique the primary ISP forwards traffic to and from the Internet while the second service provider link remains on standby. The standby link waits until the active link fails and then takes over the traffic flow. As a result, with two equally sized links only half of the available bandwidth is ever in use, because the other link is mostly inactive.

The modern alternative is to use an active-active setup, where both links handle traffic and the available Internet connections are used to maximum capacity.

In specific cases, keeping some Internet links on standby and using them only during emergencies can be useful. A typical example is satellite connections, whose costs are based on the volume of traffic they handle. They're extremely reliable connections that are usually still available when all other connections fail, which makes them a great option for emergency backup connections. They're only used when nothing else is available. Although their cost is high, in an emergency they can be a cost-saving solution.

Considering Costs

In general, a connection between two sites or to the Internet should be always available and fast. Ideally, you can deliver unfailing uptime by an ISP using MPLS. The downside for any business, however, is that MPLS is expensive, and contracts can be long and binding.


Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they start automatically using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.
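The policy in the last paragraph, and the QoS-based preferred link selection discussed in Chapter 4 (mission-critical applications on high-priority links, everything else on whatever has capacity), can be written down as a small decision function. The following is an added example of my own, not Forcepoint's implementation: cheap links carry all traffic while they're healthy, and the SLA-backed links stay on standby and are woken only for high-priority traffic when the cheap links are congested or down. The link names, the per-gigabyte prices, the 80 per cent congestion threshold and the application classes are assumptions, and the measurements are constructed.

```python
"""Application-class link policy: cheap links first, premium links on
standby for high-priority traffic only.

Added example, not Forcepoint code. Names, prices, thresholds and
application classes are assumptions; measurements are constructed.
"""
from dataclasses import dataclass, replace

CONGESTION_THRESHOLD = 0.8       # assumption: >= 80 % utilisation counts as congested
HIGH_PRIORITY = {"erp", "voip"}  # assumption: the only classes allowed on premium links


@dataclass(frozen=True)
class Link:
    name: str
    quality: str          # "cheap" (best effort) or "premium" (SLA-backed)
    cost_per_gb: float    # what the provider bills per gigabyte
    capacity_mbps: float
    used_mbps: float
    up: bool = True

    @property
    def utilisation(self):
        return self.used_mbps / self.capacity_mbps

    @property
    def usable(self):
        return self.up and self.utilisation < CONGESTION_THRESHOLD


def pick_link(app, links):
    """Return the Link that should carry a new flow for application
    class `app`, or None if nothing acceptable is available."""
    cheap = [l for l in links if l.quality == "cheap"]
    premium = [l for l in links if l.quality == "premium"]

    usable_cheap = [l for l in cheap if l.usable]
    if usable_cheap:
        # Normal case: everything rides the cheapest healthy link.
        return min(usable_cheap, key=lambda l: l.cost_per_gb)

    if app in HIGH_PRIORITY:
        # Cheap links congested or down: only priority traffic may wake a
        # standby premium link, cheapest first, so satellite is the last resort.
        usable_premium = [l for l in premium if l.usable]
        if usable_premium:
            return min(usable_premium, key=lambda l: l.cost_per_gb)

    # Best-effort traffic (or priority traffic with no premium link left)
    # queues on the least-congested cheap link that is still up.
    up_cheap = [l for l in cheap if l.up]
    return min(up_cheap, key=lambda l: l.utilisation) if up_cheap else None


def update(links, name, **changes):
    """Copy of `links` with the named link's fields changed."""
    return [replace(l, **changes) if l.name == name else l for l in links]


# Constructed measurements for one site
SAMPLE_LINKS = [
    Link("adsl-1", "cheap", cost_per_gb=0.01, capacity_mbps=20, used_mbps=5),
    Link("lte-1", "cheap", cost_per_gb=0.05, capacity_mbps=50, used_mbps=10),
    Link("mpls-1", "premium", cost_per_gb=0.50, capacity_mbps=10, used_mbps=0),
    Link("sat-1", "premium", cost_per_gb=8.00, capacity_mbps=5, used_mbps=0),
]

if __name__ == "__main__":
    links = SAMPLE_LINKS
    print("quiet site:", pick_link("erp", links).name, pick_link("web", links).name)
    links = update(links, "adsl-1", used_mbps=18)   # ADSL at 90 %
    links = update(links, "lte-1", up=False)        # LTE down
    print("cheap links exhausted:", pick_link("erp", links).name, pick_link("web", links).name)
    links = update(update(links, "adsl-1", up=False), "mpls-1", up=False)
    print("only satellite left:", pick_link("erp", links).name, pick_link("web", links))
```

The decision is made once per new flow and the flow then stays on its link. Note what the policy deliberately refuses to do: web and backup traffic never reaches the metered satellite link, even when it is the only link up, which is exactly the cost behaviour the paragraph above describes.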

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.

ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you, and anyone with access to the provider's routers or the links between them (the provider's own staff included) can read it, because the packets travel in the clear.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, you remove this risk, because eavesdroppers receive only ciphertext that they can't decipher (and, with the integrity protection these protocols provide, can't tamper with undetected).

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic separate, four main protocols are used to take traffic security to the next level:

• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IP Security (IPsec)
• Secure Sockets Layer (SSL), in practice its successor, Transport Layer Security (TLS)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish correctly the identity of the people and devices on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL/TLS VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point-to-Point Tunneling Protocol allows remote users to access their corporate networks using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, it is weak in terms of security. Its usual MS-CHAPv2 authentication can be broken by an attacker who captures the handshake, and the keys for its MPPE (RC4) encryption are derived from that same exchange, so a captured session can be decrypted afterwards. Treat PPTP as legacy and don't deploy it for new connections.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions. On its own, L2TP tunnels traffic but doesn't encrypt it.

You can use L2TP in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'. (Strictly, the protocol in use today is TLS; SSL 3.0 itself is obsolete and should be disabled, but the product category is still called SSL VPN.)

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.

Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software. That convenience cuts both ways: a portal reachable from any computer is also reachable by anyone on the Internet, so it needs strong (preferably multi-factor) authentication and prompt patching.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

• Appreciating the power of multi-link management
• Distributing traffic for bandwidth efficiency
• Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or low-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

• SAP traffic = Priority 1 = Forced on the MPLS link
• HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
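The sample configuration above, worked through as an added example. This is illustrative Python written for this page, not Stonesoft or Forcepoint code, and the link names, link capacities, traffic demands and the two-rule policy are constructed assumptions. It shows the two behaviours the text describes: a priority-1 class is forced onto its link and may throttle lower-priority traffic already there, while a priority-4 class normally goes to its preferred link, spills onto whatever capacity is free elsewhere, and otherwise waits.

```python
"""Added example: priority-based link selection modelled on the sample configuration.

Illustrative code written for this page, not Stonesoft/Forcepoint code. Link sizes,
demands and the two-rule policy below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    capacity_mbps: float
    # bandwidth currently in use on this link, keyed by traffic priority (1 = highest)
    used: Dict[int, float] = field(default_factory=dict)

    def free_mbps(self) -> float:
        return self.capacity_mbps - sum(self.used.values())


@dataclass
class Rule:
    priority: int
    forced_link: Optional[str] = None     # "Forced on" a link: always placed there
    preferred_link: Optional[str] = None  # "Normally using" a link: spill elsewhere if full


# Constructed from the sample configuration in the text (hypothetical link names).
POLICY = {
    "sap": Rule(priority=1, forced_link="mpls"),
    "http": Rule(priority=4, preferred_link="adsl"),
}


def preempt(link: Link, needed_mbps: float, above_priority: int) -> float:
    """Throttle lower-priority flows on `link` until `needed_mbps` is free.

    The lowest priority (largest number) is squeezed first. Returns the amount freed."""
    freed = 0.0
    for prio in sorted(link.used, reverse=True):
        if prio <= above_priority:
            continue                      # never touch equal or higher priority traffic
        if freed >= needed_mbps:
            break
        take = min(link.used[prio], needed_mbps - freed)
        link.used[prio] -= take
        freed += take
    return freed


def place_flow(app: str, demand_mbps: float, links: Dict[str, Link],
               policy: Dict[str, Rule] = POLICY) -> Optional[str]:
    """Return the link a new flow of `app` is placed on, or None if it must wait."""
    rule = policy[app]
    if rule.forced_link:
        link = links[rule.forced_link]
        shortfall = demand_mbps - link.free_mbps()
        if shortfall > 0:
            preempt(link, shortfall, rule.priority)
        if link.free_mbps() < demand_mbps:
            return None                   # link saturated by equal/higher priority traffic
        link.used[rule.priority] = link.used.get(rule.priority, 0.0) + demand_mbps
        return link.name
    # Lower priority: preferred link first, then any other link with spare capacity.
    order: List[str] = [rule.preferred_link] if rule.preferred_link else []
    order += [n for n in links if n != rule.preferred_link]
    for name in order:
        link = links[name]
        if link.free_mbps() >= demand_mbps:
            link.used[rule.priority] = link.used.get(rule.priority, 0.0) + demand_mbps
            return name
    return None                           # nothing free: lower-priority traffic waits


def demo():
    """Constructed scenario: a 10 Mbps MPLS link and a 20 Mbps ADSL link."""
    links = {"mpls": Link("mpls", 10.0), "adsl": Link("adsl", 20.0)}
    placed = [
        place_flow("http", 15.0, links),  # ADSL is preferred and has room
        place_flow("http", 8.0, links),   # ADSL has 5 left: spills onto MPLS's free capacity
        place_flow("sap", 5.0, links),    # MPLS has 2 left: 3 Mbps of HTTP is throttled
        place_flow("http", 6.0, links),   # ADSL 5 free, MPLS 0 free: waits
    ]
    return placed, links


if __name__ == "__main__":
    placed, links = demo()
    print(placed)                          # ['adsl', 'mpls', 'mpls', None]
    for link in links.values():
        print(link.name, link.used, "free:", link.free_mbps())
```

The `used` dictionary is keyed by priority so that pre-emption can squeeze the lowest class first; a real firewall would track this per flow and enforce the throttle with a queue, but the placement decision is the same.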

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: the ratio of actual traffic distribution is approximate.
• Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.
• Traffic goes to a poor-quality link even though a better link is available.
• Traffic goes to a standby link even though an active link works.
• Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?
• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
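The two subsections above ('Rethinking the ratio method' and 'Getting logical, though fuzzily') combined into one added example. This is illustrative Python written for this page, not Stonesoft or Forcepoint code, and the fuzzy sets, thresholds, rules, link names and probe readings are constructed assumptions. It computes each link's ratio against the biggest link, scales that ratio by a fuzzy 'how close to failing' score derived from latency and packet loss, and then hands out flows with a smooth weighted round-robin so that the approximate-at-low-volume, exact-at-high-volume behaviour the text describes is visible.

```python
"""Added example: capacity-ratio load balancing with a fuzzy link-health multiplier.

Illustrative Python written for this page, not Stonesoft/Forcepoint code. The fuzzy
sets, thresholds, rules and link figures are constructed assumptions.
"""
from typing import Dict, Tuple


# --- fuzzy membership functions (the "fuzzy sets") ---------------------------
def ramp_down(x: float, lo: float, hi: float) -> float:
    """Membership 1 at or below lo, 0 at or above hi, linear in between."""
    if x <= lo:
        return 1.0
    if x >= hi:
        return 0.0
    return (hi - x) / (hi - lo)


def ramp_up(x: float, lo: float, hi: float) -> float:
    return 1.0 - ramp_down(x, lo, hi)


def triangle(x: float, a: float, b: float, c: float) -> float:
    """Membership rising from a to a peak at b and falling back to 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def link_health(latency_ms: float, loss_pct: float) -> float:
    """Answer 'how close is this link to failing?' as a weight multiplier in [0, 1].

    Input variables: latency and packet loss, each with low/medium/high fuzzy sets.
    Output variable: link weight, with singleton terms full=1.0, reduced=0.5, drain=0.0.
    Thresholds are assumptions chosen for the example."""
    lat_low = ramp_down(latency_ms, 50, 150)
    lat_med = triangle(latency_ms, 50, 150, 300)
    lat_high = ramp_up(latency_ms, 150, 300)
    loss_low = ramp_down(loss_pct, 1, 3)
    loss_med = triangle(loss_pct, 1, 3, 8)
    loss_high = ramp_up(loss_pct, 3, 8)
    # Rules: AND is min, OR is max (Mamdani-style inference).
    full = min(lat_low, loss_low)         # IF latency low AND loss low THEN full weight
    reduced = max(lat_med, loss_med)      # IF latency medium OR loss medium THEN reduced
    drain = max(lat_high, loss_high)      # IF latency high OR loss high THEN drain
    # De-fuzzify: weighted average of the output singletons.
    return (full * 1.0 + reduced * 0.5 + drain * 0.0) / (full + reduced + drain)


# --- ratio method -------------------------------------------------------------
def capacity_ratios(capacity_mbps: Dict[str, float]) -> Dict[str, float]:
    """Compare every link with the link that has the most bandwidth."""
    biggest = max(capacity_mbps.values())
    return {name: bw / biggest for name, bw in capacity_mbps.items()}


def effective_weights(capacity_mbps: Dict[str, float],
                      probes: Dict[str, Tuple[float, float]]) -> Dict[str, int]:
    """Integer weight per link: capacity ratio (as a percentage) scaled by fuzzy health."""
    ratios = capacity_ratios(capacity_mbps)
    return {name: round(ratios[name] * link_health(*probes[name]) * 100)
            for name in capacity_mbps}


def weighted_round_robin(weights: Dict[str, int], n_flows: int) -> Dict[str, int]:
    """Smooth weighted round-robin: place n_flows and return how many each link got.

    Links with weight 0 (drained by the fuzzy stage) receive nothing."""
    active = {k: w for k, w in weights.items() if w > 0}
    total = sum(active.values())
    current = {k: 0 for k in active}
    counts = {k: 0 for k in weights}
    for _ in range(n_flows):
        for k, w in active.items():
            current[k] += w
        best = max(current, key=current.get)  # ties go to the first link listed
        current[best] -= total
        counts[best] += 1
    return counts


def demo():
    """Constructed links: MPLS 100 Mbps, ADSL 20 Mbps, LTE 40 Mbps, with probe
    readings of (latency ms, loss %) for each."""
    capacity = {"mpls": 100.0, "adsl": 20.0, "lte": 40.0}
    probes = {"mpls": (20.0, 0.2), "adsl": (500.0, 0.0), "lte": (100.0, 0.5)}
    weights = effective_weights(capacity, probes)     # {'mpls': 100, 'adsl': 0, 'lte': 30}
    low_volume = weighted_round_robin(weights, 2)      # approximate: all on MPLS
    high_volume = weighted_round_robin(weights, 130)   # exact 100:30 split
    return weights, low_volume, high_volume


if __name__ == "__main__":
    for label, result in zip(("weights", "2 flows", "130 flows"), demo()):
        print(label, result)
```

The ADSL link here is not down, its probes are simply bad enough that the 'drain' rule fires fully, so traffic moves away before a hard failure; with two flows the split is 2:0 rather than 100:30, which is the 'approximate at low volume' effect the text describes.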

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span from monitoring network and server activities to event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.
• The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.
• The use of a VoIP service was desirable wherever possible to save costs.
• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities
• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or another segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You may be surprised how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What Are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What Are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words, taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What Are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What Are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How Much Time Do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real-Time?
  • EULA

Here we look at how you can put together a more cost-effective solution.

Using consumer grade connections

Consumer grade connection links are much cheaper than MPLS lines (see Figure 3-2). The reason is that MPLS connections come with a Service Level Agreement (SLA) that guarantees minimum bandwidth availability (see Chapter 2).

Consumer grade connections work on the best-effort principle, which ultimately means that they're less reliable than MPLS connections. But they're still tempting for businesses because they're cheap and can offer high-speed transmission with new 4G or Long Term Evolution (LTE) wireless connections (the latter is a standard for high-speed mobile connections and an update of existing UMTS technology). Consumer grade connections can reach up to 100 Mbps, but their capacity often fluctuates and sometimes connection outages occur.

Some high-quality link providers charge their customers on the basis of traffic volumes. In such circumstances, using QoS (see the earlier section 'Prioritizing traffic with QoS') makes sense in order to assign lower-priority traffic to cheap links and reserve high-quality lines for high-priority traffic only.

Figure 3-2: Managed hybrid connections, especially over a large number of sites, can lead to massive savings.

Some companies have even gone so far as to use low-quality links for all traffic (including high-priority traffic), conferring standby status on all high-quality links. In case of congestion or failure, they automatically start using the backup high-quality links for high-priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier 'Activating dormant links' section, an example is using satellite links as a backup link for very high-priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the level of complexity of an infrastructure, and its cost.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost-saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don't provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk, because eavesdroppers receive only coded traffic that they can't decipher.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi-link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements (which are needed between two ISPs when using BGP for high availability of your Internet connection). The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often, companies subscribe to QoS so that high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would leave the single point of failure of the MPLS connection unaddressed.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage this wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
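To make the policy above concrete, here is an added Python model of the sample configuration (priority-1 SAP traffic forced onto MPLS, priority-4 HTTP traffic on ADSL with permission to borrow free MPLS capacity) combined with the standby behaviour described in the 'Using consumer grade connections' section, where a dormant high-quality link carries priority traffic only when the active link fails. This is illustrative code written for this page, not Forcepoint's or Stonesoft's implementation; the policy table, link names, capacities and traffic flows are all constructed sample values, and it goes one step beyond the two-line configuration by showing what happens when the MPLS link is down.

```python
"""Priority-based link selection for a hybrid WAN (illustrative, not vendor code)."""
from dataclasses import dataclass


@dataclass
class Link:
    """One WAN link as seen by the firewall (constructed sample values)."""
    name: str
    capacity_mbps: float
    up: bool = True          # False = outage detected on this link
    standby: bool = False    # dormant link, used only as a last-resort fallback
    used_mbps: float = 0.0

    @property
    def free_mbps(self) -> float:
        return self.capacity_mbps - self.used_mbps if self.up else 0.0

    def fits(self, rate_mbps: float) -> bool:
        return self.up and self.free_mbps >= rate_mbps


@dataclass
class Flow:
    name: str
    priority: int       # 1 = highest, as in the sample configuration
    rate_mbps: float


# Hypothetical policy table mirroring the book's sample configuration:
#   priority 1 (SAP)  -> forced onto MPLS; satellite link kept on standby
#   priority 4 (HTTP) -> ADSL; may borrow free capacity on other active links
POLICY = {
    1: {"preferred": ["MPLS"], "standby": ["SAT"], "borrow": False},
    4: {"preferred": ["ADSL"], "standby": [], "borrow": True},
}


def make_links(mpls_up: bool = True) -> dict:
    """Constructed link set: 10 Mbps MPLS, 16 Mbps ADSL, 8 Mbps satellite standby."""
    return {
        "MPLS": Link("MPLS", 10.0, up=mpls_up),
        "ADSL": Link("ADSL", 16.0),
        "SAT": Link("SAT", 8.0, standby=True),
    }


def select_link(flow: Flow, links: dict, policy: dict = POLICY):
    """Return the Link a flow should use, or None if it must be throttled."""
    rule = policy[flow.priority]
    # 1. the link(s) the policy assigns to this traffic class
    for name in rule["preferred"]:
        if links[name].fits(flow.rate_mbps):
            return links[name]
    # 2. unused capacity on any other *active* link (never on standby links)
    if rule["borrow"]:
        spare = [l for l in links.values()
                 if not l.standby and l.name not in rule["preferred"]
                 and l.fits(flow.rate_mbps)]
        if spare:
            return max(spare, key=lambda l: l.free_mbps)
    # 3. dormant high-quality links, activated only when the above fail
    for name in rule["standby"]:
        if links[name].fits(flow.rate_mbps):
            return links[name]
    return None


def allocate(flows: list, links: dict, policy: dict = POLICY) -> dict:
    """Place flows highest priority first, so SAP is admitted to MPLS before
    HTTP may borrow what is left. Returns {flow name: link name or None}."""
    placement = {}
    for flow in sorted(flows, key=lambda f: f.priority):  # stable sort
        link = select_link(flow, links, policy)
        if link is not None:
            link.used_mbps += flow.rate_mbps
        placement[flow.name] = link.name if link is not None else None
    return placement


SAMPLE_FLOWS = [  # constructed traffic mix
    Flow("SAP-1", 1, 4.0), Flow("SAP-2", 1, 3.0),
    Flow("HTTP-1", 4, 15.0), Flow("HTTP-2", 4, 3.0), Flow("HTTP-3", 4, 4.0),
]

if __name__ == "__main__":
    print("normal:   ", allocate(SAMPLE_FLOWS, make_links()))
    print("MPLS down:", allocate(SAMPLE_FLOWS, make_links(mpls_up=False)))
```

In the normal run both SAP flows land on MPLS, the large HTTP flow fills ADSL, the next HTTP flow borrows the 3 Mbps left on MPLS, and the last HTTP flow is throttled (None) because no active link has room. With MPLS down, SAP fails over to the satellite standby while HTTP is not allowed to touch it, which is the behaviour the case study relies on.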

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area. One big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks.

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, a smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
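The following added Python example shows the ratio method as the text describes it: each link's weight is its bandwidth divided by that of the largest link, new connections go to the link that is furthest below its weighted share, and the realised distribution is only approximate for a handful of connections but converges on the capacity ratio as volume grows (the point the two bullets above make). It is illustrative code written for this page, not the Stonesoft or Forcepoint algorithm; the link names and capacities are constructed, and the "least-loaded relative to weight" selection rule is an assumption chosen for determinism.

```python
"""Ratio-based (capacity-weighted) link selection (illustrative, not vendor code)."""
from fractions import Fraction


def link_weights(capacities: dict) -> dict:
    """Each link's bandwidth as a ratio of the largest link's bandwidth."""
    biggest = max(capacities.values())
    return {name: Fraction(cap, biggest) for name, cap in capacities.items()}


def target_shares(capacities: dict) -> dict:
    """Fraction of all connections each link should carry in the long run."""
    weights = link_weights(capacities)
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def distribute(n_connections: int, capacities: dict) -> dict:
    """Assign n connections one at a time; returns {link: connection count}.

    Each new connection goes to the link with the lowest
    (connections so far / weight), i.e. the one most under-used relative to
    its capacity. Fraction keeps the comparison exact, so ties resolve
    deterministically (the first link in dict order wins).
    """
    weights = link_weights(capacities)
    counts = {name: 0 for name in capacities}
    for _ in range(n_connections):
        chosen = min(counts, key=lambda name: counts[name] / weights[name])
        counts[chosen] += 1
    return counts


def max_deviation(n_connections: int, capacities: dict) -> float:
    """Largest gap between a link's realised share and its target share."""
    counts = distribute(n_connections, capacities)
    target = target_shares(capacities)
    return float(max(abs(Fraction(counts[name], n_connections) - target[name])
                     for name in capacities))


LINKS_MBPS = {"MPLS": 100, "ADSL-1": 20, "ADSL-2": 20}  # constructed link set

if __name__ == "__main__":
    print("weights:", {k: str(v) for k, v in link_weights(LINKS_MBPS).items()})
    for n in (3, 7, 700):
        print(f"{n:4d} connections: {distribute(n, LINKS_MBPS)} "
              f"max deviation from target share: {max_deviation(n, LINKS_MBPS):.3f}")
```

With three connections every link gets exactly one, so the 100 Mbps link carries a third of the traffic instead of its 5/7 target; by 700 connections the counts are 500/100/100 and the deviation is zero, which is what "closer to the ratio calculated from the link capacity" means in practice.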

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
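As an added illustration of the building blocks just listed, the Python below scores each link with a small fuzzy system: two input variables (link utilisation and packet loss, the latter standing in for 'how close are things to failing'), fuzzy sets defined by membership functions, a handful of rules, and de-fuzzifying by a weighted average of the rule outputs. It then routes new traffic to the link with the highest score, which is how a fuzzy scorer avoids the 'traffic goes to a poor-quality link' failure mode above. This is example code written for this page, not Stonesoft's or Forcepoint's logic; the thresholds, rule outputs and link measurements are constructed.

```python
"""Fuzzy-logic link health scoring (illustrative, not vendor code)."""


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def ramp_down(x: float, full: float, zero: float) -> float:
    """Membership 1 at or below `full`, 0 at or above `zero`, linear between."""
    return clamp01((zero - x) / (zero - full))


def ramp_up(x: float, zero: float, full: float) -> float:
    """Membership 0 at or below `zero`, 1 at or above `full`, linear between."""
    return clamp01((x - zero) / (full - zero))


def triangle(x: float, left: float, peak: float, right: float) -> float:
    if x <= left or x >= right:
        return 0.0
    if x <= peak:
        return (x - left) / (peak - left)
    return (right - x) / (right - peak)


def fuzzify(util_pct: float, loss_pct: float) -> dict:
    """Degree of membership of the two inputs in each fuzzy set
    (constructed thresholds: load in percent utilisation, loss in percent)."""
    return {
        "load_low": ramp_down(util_pct, 0.0, 50.0),
        "load_mid": triangle(util_pct, 20.0, 50.0, 80.0),
        "load_high": ramp_up(util_pct, 50.0, 100.0),
        "loss_low": ramp_down(loss_pct, 0.0, 2.0),
        "loss_high": ramp_up(loss_pct, 1.0, 5.0),
    }


# Rules: antecedent terms are ANDed with min; each maps to a crisp suitability.
RULES = [
    (("load_low", "loss_low"), 1.0),   # lightly loaded, clean link: ideal
    (("load_mid", "loss_low"), 0.6),   # moderately loaded but healthy
    (("load_high",), 0.2),             # congested: avoid if anything better exists
    (("loss_high",), 0.0),             # dropping packets: treat as failing
]


def suitability(util_pct: float, loss_pct: float) -> float:
    """Degree of truth (0..1) that the link is a good place for new traffic.

    De-fuzzifies with a weighted average of the rule outputs, each weighted
    by how strongly its antecedent fired (zero-order Sugeno style)."""
    sets = fuzzify(util_pct, loss_pct)
    weighted = total = 0.0
    for terms, output in RULES:
        firing = min(sets[t] for t in terms)
        weighted += firing * output
        total += firing
    return weighted / total if total > 0 else 0.0


def best_link(measurements: dict) -> str:
    """measurements: {link name: (utilisation %, packet loss %)}."""
    return max(measurements, key=lambda name: suitability(*measurements[name]))


SAMPLE = {  # constructed measurements
    "MPLS": (30.0, 0.5),
    "ADSL-1": (95.0, 0.0),   # near saturation but not dropping packets
    "ADSL-2": (90.0, 3.0),   # congested and lossy: going bad
}

if __name__ == "__main__":
    for name, (util, loss) in SAMPLE.items():
        print(f"{name}: utilisation {util}% loss {loss}% -> "
              f"suitability {suitability(util, loss):.3f}")
    print("send new traffic to:", best_link(SAMPLE))
```

Rather than flipping a link between 'good' and 'bad' at a single threshold, the scores degrade smoothly (about 0.82, 0.20 and 0.12 for the three sample links), so a link that is starting to lose packets is steered away from before it fails outright.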

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.

Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic (in other words, taking a back-up image from a server). Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.


Some companies have even gone so far as to use low‐quality links for all traffic (including high‐priority traffic), conferring standby status to all high‐quality links. In case of congestion or failure, they start automatically using the backup high‐quality links for high‐priority traffic. This approach saves costs because much of the time they use cheaper lines and only occasionally revert to the more expensive options. As we mention in the earlier ‘Activating dormant links’ section, an example is using satellite links as a backup link for very high‐priority traffic.

Estimating a budget

Time shows that connections provided by Internet links are prone to failure at some stage. To eliminate the risk, organizations resort to multiple link types or standby systems that ultimately increase the complexity and cost of an infrastructure.

Rethinking the combinations and roles of MPLS and broadband connections can go a long way in helping to save on throughput costs without sacrificing performance.

If you subscribe to a WAN optimization model, evaluate costs by obtaining a complete picture of current link loads and a precise idea of the bandwidth needed for different types of traffic with differing priority ratings. Then obtain an accurate estimate of how a solution can help you to leverage broadband connections and benefit from agile and cost‐saving connectivity.

Keeping Your Network Safe

Although building VPNs using MPLS, which works by separating different traffic streams, is possible, MPLS connections don’t provide encryption.


ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn’t quite the same thing as encrypting it.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP’s MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security in the network is therefore only as good as the correct configuration of each of those routers. If a configuration error is present, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the special protocols we discuss here, you eliminate this risk because eavesdroppers receive only coded traffic that they can’t decipher.

Demystifying VPN protocols

Whereas MPLS‐based VPNs are used for high‐performance connections to keep traffic private, four main protocols are used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Socket Layer (SSL)

These protocols support authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints using IPsec or SSL VPN. ISPs don’t normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks securely using Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in‐depth strength, and it’s an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It’s used for both site‐to‐site and remote‐user connectivity.

SSL

Secure Socket Layer VPN provides excellent security for remote‐access users and is easy to use; it’s already heavily employed in online shopping and banking. SSL‐protected pages display ‘https’ in the browser URL bar as opposed to ‘http’.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end‐users to access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPsec. The end‐users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don’t need to rely on pre‐configured client‐side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company’s internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use‐case is very similar to site‐to‐site VPN, except that at the other end of the VPN you have the cloud.

We don’t focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint’s network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements (such as those needed between two ISPs when using BGP for high availability of your Internet connection). The integrated Forcepoint Security Management Center provides all configurations, and they’re completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.

Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You’ll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren’t reserved for high‐priority traffic.

Often companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or low‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R3) was located. Problems arose because SAP traffic didn’t always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive and still left the problem of a single point of failure in the MPLS connection.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. In the case of a connection outage, that wouldn’t cover the production losses, and so the company wanted to have a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint’s Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here’s a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don’t need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission‐critical, time‐sensitive applications and a better user experience.

Aggregating links

Wouldn’t it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you’d benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That’s exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi‐link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company’s production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost‐effectively by using Forcepoint’s Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization’s IT manager and asked if he’d noticed that one of the company’s ISPs had been wiped out. The IT manager said that he hadn’t noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint’s Multi‐Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP’s bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the ‘fastest’ connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint’s Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
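As an added illustration (not Forcepoint or Stonesoft code), here is a small Python model of the two rules this chapter describes: the retail sample configuration, where priority 1 (SAP) traffic is forced onto the MPLS link and other traffic uses ADSL plus whatever the MPLS link has free, and the ratio method above, where each link is weighted by its capacity relative to the largest link, so that a handful of flows split only approximately while a large volume converges on the capacity ratio. The link names, capacities, flow mix and the least‐relative‐load selection rule are assumptions made for the example.

```python
"""
Added example (not Forcepoint/Stonesoft code): a model of priority-forced
link selection plus ratio-based load balancing for a multi-link edge.
Link names, capacities, the flow mix and the selection rule are constructed
assumptions, not the product's algorithm.
"""
from dataclasses import dataclass
import random


@dataclass
class Link:
    name: str
    capacity_mbit: float      # nominal ISP bandwidth, Mbit/s (constructed)
    up: bool = True
    load_mbit: float = 0.0    # volume assigned so far in this model


def ratio_weights(links):
    """Weight = link capacity / capacity of the largest active link."""
    active = [l for l in links if l.up]
    if not active:
        return {}
    biggest = max(l.capacity_mbit for l in active)
    return {l.name: l.capacity_mbit / biggest for l in active}


def select_link(links, priority, forced=None):
    """Pick the link for a new flow.

    `forced` maps a priority to the link it must use (the page's
    'SAP traffic = Priority 1 = Forced on the MPLS link').  If that link is
    down, or the priority is not forced, the flow is balanced by ratio: we
    choose the active link with the lowest load relative to its weight, so
    over many flows the split approaches the capacity ratio and low-priority
    traffic takes only the capacity that forced traffic leaves free.
    """
    forced = forced or {}
    by_name = {l.name: l for l in links}
    target = forced.get(priority)
    if target in by_name and by_name[target].up:
        return by_name[target]
    weights = ratio_weights(links)
    if not weights:
        return None               # every link is down
    # min() keeps the first of equal candidates, so ties go to the largest link
    return min((by_name[n] for n in weights),
               key=lambda l: l.load_mbit / weights[l.name])


def distribute(links, flows, forced=None):
    """Assign (priority, size_mbit) flows; return Mbit per link per priority."""
    totals = {l.name: {} for l in links}
    for prio, size in flows:
        link = select_link(links, prio, forced)
        if link is None:
            continue
        link.load_mbit += size
        totals[link.name][prio] = totals[link.name].get(prio, 0.0) + size
    return totals


def link_shares(totals):
    """Fraction of all assigned volume that each link carried."""
    per_link = {n: sum(p.values()) for n, p in totals.items()}
    grand = sum(per_link.values())
    return {n: (v / grand if grand else 0.0) for n, v in per_link.items()}


def retail_flows(n, seed=7):
    """Constructed traffic mix: ~10 % priority-1 (SAP), the rest priority-4 (HTTP)."""
    rng = random.Random(seed)
    return [(1 if rng.random() < 0.1 else 4, rng.uniform(0.05, 2.0))
            for _ in range(n)]


def retail_links():
    # Constructed capacities for the retail case: one MPLS line, one ADSL line
    return [Link("MPLS", 100.0), Link("ADSL", 20.0)]


FORCED = {1: "MPLS"}   # the page's sample configuration for SAP traffic

if __name__ == "__main__":
    links = retail_links()
    totals = distribute(links, retail_flows(5000), FORCED)
    print(totals)
    print(link_shares(totals))   # MPLS near 100/120, ADSL near 20/120
```

With only three equal HTTP flows the model splits them 2:1 between MPLS and ADSL rather than 5:1, which is the ‘approximate at low volume’ behaviour described above; the same model with thousands of flows lands within a percent of the capacity ratio.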

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint’s Multi‐Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links.

Load‐balancing traffic between several different ISPs isn’t as easy as it sounds (if it didn’t sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn’t handled correctly:

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long

Fuzzy logic is a nice tool to use in such scenarios because it’s a multi‐value logic, that is, instead of ‘0’ or ‘1’ you have multiple values. Fuzzy logic can use imprecise data and calculate ‘degrees of truth’, providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and ‘de‐fuzzying’ to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
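As an added illustration (not Forcepoint or Stonesoft code), the following Python sketch walks through the fuzzy‐logic pieces just listed, input variables, fuzzy sets, rules and de‐fuzzying, for the two questions above about a single link, and shows how the resulting ‘degree of truth’ could scale that link’s ratio weight so traffic drifts away from a link that is going bad. The two inputs (utilisation and packet loss), the membership breakpoints, the rule set and the action thresholds are constructed assumptions.

```python
"""
Added example (not Forcepoint/Stonesoft code): a minimal fuzzy-logic
link-health evaluator with input variables, fuzzy sets, rules and a
de-fuzzying step.  Inputs, breakpoints, rules and thresholds are
constructed assumptions, not the product's logic.
"""


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def ramp(x: float, start: float, full: float) -> float:
    """Membership rising linearly from 0 at `start` to 1 at `full`."""
    return clamp01((x - start) / (full - start))


def fuzzify(util_pct: float, loss_pct: float) -> dict:
    """Map the two crisp inputs onto fuzzy sets (degrees of truth in [0, 1]).

    'How high is the load?'            -> load_high / load_low
    'How close are things to failing?' -> failing_near / failing_far
    Breakpoints are assumptions: load counts as high between 50 % and 90 %
    utilisation; packet loss counts as 'near failure' between 1 % and 10 %.
    """
    load_high = ramp(util_pct, 50.0, 90.0)
    failing_near = ramp(loss_pct, 1.0, 10.0)
    return {
        "load_high": load_high,
        "load_low": 1.0 - load_high,
        "failing_near": failing_near,
        "failing_far": 1.0 - failing_near,
    }


# Rules: (antecedent, consequent).  The consequent is the crisp value of the
# output variable 'shift traffic away' the rule votes for (1.0 = move all new
# traffic off the link, 0.0 = keep using it).  AND is min, as in fuzzy logic.
RULES = [
    (lambda f: f["load_high"], 1.0),                         # load high -> shift
    (lambda f: f["failing_near"], 1.0),                      # near failure -> shift
    (lambda f: min(f["load_low"], f["failing_far"]), 0.0),   # low AND far -> keep
]


def shift_degree(util_pct: float, loss_pct: float) -> float:
    """De-fuzzify: average of rule consequents weighted by rule strength."""
    f = fuzzify(util_pct, loss_pct)
    fired = [(rule(f), out) for rule, out in RULES]
    total = sum(strength for strength, _ in fired)
    if total == 0.0:
        return 0.0
    return sum(strength * out for strength, out in fired) / total


def decide(degree: float) -> str:
    """Turn the degree into an action (thresholds are assumptions)."""
    if degree >= 0.75:
        return "drain"      # move traffic to the other links now
    if degree >= 0.4:
        return "reduce"     # send fewer new connections here
    return "keep"


def effective_weights(capacity_weights: dict, health: dict) -> dict:
    """Scale each link's ratio weight by how usable fuzzy logic says it is.

    capacity_weights: link -> capacity / largest capacity (the ratio method)
    health: link -> (utilisation %, packet loss %), e.g. from link probes
    """
    return {name: round(w * (1.0 - shift_degree(*health[name])), 4)
            for name, w in capacity_weights.items()}


if __name__ == "__main__":
    # Constructed readings: MPLS congested and lossy, ADSL quiet and clean
    health = {"MPLS": (95.0, 20.0), "ADSL": (30.0, 0.5)}
    for name, (util, loss) in health.items():
        d = shift_degree(util, loss)
        print(f"{name}: shift degree {d:.2f} -> {decide(d)}")
    print(effective_weights({"MPLS": 1.0, "ADSL": 0.2}, health))
```

A link that is only half‐way into the ‘high load’ set (70 % utilisation, no loss) gets a degree of 0.5 and is merely throttled, whereas a congested, lossy link is drained; a Boolean up/down check would treat both as ‘up’ until the link actually failed.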

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint’s Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn’t provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low‐latency connections, ideally an MPLS connection with a strict SLA.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the whole network infrastructure (800 sites).

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they’re ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn’t require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint’s Multi‐Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint’s Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business’s network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn’t sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What’s the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of links you use and the amount of bandwidth you’re obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren’t always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.

How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that recipients didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking at a history across the links you deploy and using the data to troubleshoot bottlenecks.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider companies that use a separate network for backup traffic, that is, for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network? Possibly not on the wire, but only if that network is genuinely isolated (its own links and switches, not a VLAN riding on shared or carrier infrastructure), and the backup image itself still deserves encryption at rest, because it holds the same sensitive data as the server it came from.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for more on the management and monitoring of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer-grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real-Time?
• EULA

ISPs like to highlight the virtual tunneling provided by MPLS as a guarantee of the security of your traffic, but separating traffic isn't the same thing as encrypting it. MPLS labels decide where a packet is forwarded; the packet itself crosses the provider's network in clear text.

Here we describe a more secure approach.

Preventing eavesdropping

You can consider the ISP's MPLS network as a group of routers that deliver traffic to each other, with the router closest to you deciding what traffic you can see from that network. The security of the network is therefore only as good as the configuration of each of those routers. If a configuration error is present, such as a wrong route target on a provider edge router, someone else can receive the traffic destined for you.

We know for a fact that people make mistakes that can make eavesdropping possible. If you encrypt your traffic using the protocols we discuss here, a misdelivered or captured packet yields only ciphertext that the recipient can't decipher. Note what encryption does not hide: the fact that traffic flows, between which endpoints and in what volume remain visible to anyone on the path, and protecting the contents against modification additionally requires integrity protection, which IPsec and TLS provide alongside encryption.

Demystifying VPN protocols

Whereas MPLS-based VPNs are used for high-performance connections to keep traffic separated, four protocols are commonly used to take traffic security to the next level:

Point to Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPsec)

Secure Sockets Layer (SSL), today meaning its successor, Transport Layer Security (TLS)

These protocols support authentication and encryption in VPNs, with two caveats explained below: PPTP's cryptography is broken, and L2TP encrypts nothing by itself. Authentication allows VPN peers (users, devices or gateways) to establish each other's identity before a tunnel is set up. Encryption allows potentially sensitive data to be hidden from anyone in between.

The only effective way to prevent eavesdropping on network traffic is to implement traffic encryption between endpoints, using IPsec or a TLS ('SSL') VPN. ISPs don't normally provide encryption services when you order network links from them.


PPTP

Point to Point Tunneling Protocol allows remote users to access their corporate networks using Microsoft Windows platforms and other enabled systems. Users connect through their local ISP and tunnel to their corporate network over the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, it is no longer considered secure. Its usual authentication method, MS-CHAPv2, can be broken offline from a captured handshake, and its MPPE encryption is based on the RC4 stream cipher. Treat PPTP as legacy and migrate any remaining tunnels to IPsec or TLS.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

L2TP on its own provides tunneling but no confidentiality. You use it in conjunction with IPsec (L2TP/IPsec) to provide encryption, authentication and integrity.

IPsec

IP Security operates at Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's a very good fit for securing VPNs.

The drawback is that IPsec requires setting up on the corporate network and on the client end, and it is a complex framework to work with: you have to choose key-exchange and cipher proposals, an authentication method (certificates or pre-shared keys) and traffic selectors on both sides, and they must match. It's used for both site-to-site and remote-user connectivity.
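As an added example of what "setting up on both ends" amounts to (this is not from the book and not Forcepoint's configuration), here is a site-to-site tunnel for one gateway in strongSwan's swanctl.conf format. The addresses (RFC 5737 documentation ranges), subnets, identities and certificate file names are placeholders; the peer gateway needs the mirror-image configuration, and the proposals on both sides must match or IKE negotiation fails.

```conf
# /etc/swanctl/conf.d/site-to-site.conf on the site A gateway (placeholders throughout)
connections {
    site-a-to-site-b {
        # IKEv2 only; IKEv1 is legacy
        version = 2
        # site A gateway and site B gateway (documentation addresses)
        local_addrs  = 198.51.100.10
        remote_addrs = 203.0.113.20

        # mutual certificate authentication rather than a shared password
        local {
            auth  = pubkey
            # certificate file under /etc/swanctl/x509/
            certs = siteA.pem
            id    = "CN=gw-a.example.com"
        }
        remote {
            auth    = pubkey
            # issuing CA under /etc/swanctl/x509ca/; constrains who may peer
            cacerts = corp-ca.pem
            id      = "CN=gw-b.example.com"
        }

        # IKE SA: AEAD cipher, explicit PRF, modern DH group
        proposals = aes256gcm16-prfsha384-x25519

        # dead peer detection, so a failed carrier is noticed and the tunnel restarted
        dpd_delay = 30s

        children {
            lan-to-lan {
                # traffic selectors: site A LAN to site B LAN
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # ESP with AEAD and a DH group, so every rekey derives fresh keys (PFS)
                esp_proposals = aes256gcm16-x25519
                # bring the tunnel up when the daemon starts
                start_action  = start
                dpd_action    = restart
            }
        }
    }
}
```

The security decisions worth noticing are the ones that cost nothing at runtime: IKEv2 instead of IKEv1, certificates instead of a pre-shared key that ends up in a wiki, an authenticated-encryption cipher so integrity comes with confidentiality, a DH group in the ESP proposal for forward secrecy, and dead peer detection so the firewall learns about a dead link before the users do.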

SSL

Secure Sockets Layer VPN provides excellent security for remote-access users and is easy to use; the same protocol family already secures online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'. The name has stuck, but every version of SSL itself is deprecated, and so are TLS 1.0 and 1.1; a VPN portal should be configured to accept TLS 1.2 or 1.3 only.

Whereas with IPsec a remote user requires client software that needs installing, configuring and sometimes troubleshooting, with a TLS VPN the task is made simpler via a web portal. A TLS VPN can also offer the same full network access as IPsec via a lightweight client.


Using a TLS VPN enables thousands of end-users to access the corporate network without the support of an administrator and without the possible hours of configuring and troubleshooting that IPsec can require. The end-users just need to know the address of the VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software. The flip side of that convenience is that the portal is reachable from any device, managed or not, so it should sit behind strong (multi-factor) authentication and be patched promptly.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, which creates a need to implement connections between your own network and the cloud. Encrypting these connections is recommended. This use case is very similar to a site-to-site VPN, except that at the other end of the VPN you have the cloud provider's gateway.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi-link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. Alongside crucial features such as clustering, load balancing, QoS and evasion protection, it provides a simple and cost-effective way to create secure, high-capacity connections between sites and to ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the peering arrangements between two ISPs that are otherwise needed when you use BGP to make your Internet connection highly available. The integrated Forcepoint Security Management Center holds all configurations, and they're completely independent of any setup or co-ordination by the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges described in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.

Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running efficiently, all of the time.

Prioritizing links

In a normal situation (enough networking capacity and no congestion), all traffic is evenly load-balanced between the different network links. When network congestion occurs (during peak hours), QoS takes action, either dedicating some of the network links entirely to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. In the case of an outage, that wouldn't cover the production losses, and so the company wanted a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load-balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization: SAP traffic always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced onto the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business first, which can defer the purchase of more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
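To make the sample configuration concrete, here is an added example (generic code written for this page, not Forcepoint's implementation) of a link selector that applies those two rules: priority 1 is forced onto MPLS and may throttle lower-priority flows already there, while priority 4 takes ADSL first and spills onto free MPLS capacity. The link sizes, the flow names and demands, and the simple "throttle lowest priority first" rule are assumptions for the demonstration.

```python
"""Priority-based link selection with spill-over and throttling.

Added illustration of the sample configuration above (SAP = priority 1,
forced onto MPLS; HTTP = priority 4, ADSL first, then free MPLS capacity).
Generic example code written for this page, not Forcepoint's
implementation; link sizes and flow demands are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Flow:
    name: str
    priority: int            # 1 = highest
    demand_mbps: float
    link: Optional[str] = None
    rate_mbps: float = 0.0   # bandwidth actually granted (0 = fully throttled)


@dataclass
class Link:
    name: str
    capacity_mbps: float
    flows: List[Flow] = field(default_factory=list)

    def used(self) -> float:
        return sum(f.rate_mbps for f in self.flows)

    def free(self) -> float:
        return self.capacity_mbps - self.used()


# Policy per priority class. 'forced' pins the class to one link regardless
# of load; 'preferred' lists links in order, a later one being used only
# when the earlier ones have no room (the "free capacity on MPLS" rule).
POLICY = {
    1: {"forced": "MPLS"},
    4: {"preferred": ["ADSL", "MPLS"]},
}


class MultiLinkQoS:
    def __init__(self, links: List[Link]):
        self.links: Dict[str, Link] = {link.name: link for link in links}

    def _make_room(self, link: Link, needed: float) -> None:
        """Throttle lower-priority flows on `link`, lowest priority first,
        until `needed` Mbit/s are free. Priority 1 flows are never throttled."""
        for flow in sorted(link.flows, key=lambda f: -f.priority):
            if link.free() >= needed or flow.priority == 1:
                return
            cut = min(flow.rate_mbps, needed - link.free())
            flow.rate_mbps -= cut

    def place(self, flow: Flow) -> str:
        """Choose a link for `flow`, grant it bandwidth, and return the link name."""
        rule = POLICY[flow.priority]
        if "forced" in rule:
            link = self.links[rule["forced"]]
            self._make_room(link, flow.demand_mbps)
        else:
            candidates = [self.links[n] for n in rule["preferred"]]
            # first candidate with room; failing that, the preferred link, throttled
            link = next((c for c in candidates if c.free() >= flow.demand_mbps),
                        candidates[0])
        flow.rate_mbps = max(min(flow.demand_mbps, link.free()), 0.0)
        flow.link = link.name
        link.flows.append(flow)
        return link.name

    def allocation(self) -> Dict[str, Dict[str, float]]:
        """Granted rate of every flow, grouped by link."""
        return {name: {f.name: f.rate_mbps for f in link.flows}
                for name, link in self.links.items()}


def demo() -> Dict[str, Dict[str, float]]:
    """Constructed scenario: 2 Mbit/s MPLS, 8 Mbit/s ADSL; three HTTP flows
    arrive first and the third spills onto MPLS, then an SAP flow arrives
    and reclaims the MPLS capacity it needs."""
    qos = MultiLinkQoS([Link("MPLS", 2.0), Link("ADSL", 8.0)])
    for flow in [Flow("http-a", 4, 6.0), Flow("http-b", 4, 2.0),
                 Flow("http-c", 4, 1.5), Flow("sap-1", 1, 1.5)]:
        qos.place(flow)
    return qos.allocation()


if __name__ == "__main__":
    print(demo())
```

In the demo the third HTTP flow finds ADSL full and spills onto MPLS; when the SAP flow arrives, the only way to honour "forced onto MPLS" is to throttle that HTTP flow back to the 0.5 Mbit/s left over, which is exactly the "lower-priority traffic can be throttled" behaviour described above.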

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at the same time is small, provided they don't share a failure point such as the same last-mile cable, the same street cabinet or the same upstream carrier; two links from the same ISP are less independent than they look. Their traffic fluctuations occur at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is generally cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall does.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States and one of its sales offices in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At first sight, picking the link that answers fastest looks like the right way to balance traffic. But it can mislead: if one ISP's bandwidth far exceeds that of the smaller ISPs supplementing it, a lightly loaded small link may still return a faster SYN-ACK (synchronize acknowledgement) response than the big one.

Although that small link may seem like the 'fastest' connection, choosing it on that basis alone takes no account of the proportionate bandwidth available. A ratio method, whereby traffic is distributed among all the available links according to their relative capacity, does.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2 Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology resolves the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
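As an added example of the ratio method (written for this page; it is not Forcepoint's code and the specific algorithm is an assumption), the following uses smooth weighted round-robin, the scheme nginx uses for upstream servers, with link capacity as the weight. It also shows the low-volume versus high-volume behaviour described above: after three connections the split is only roughly proportional, whereas over a large number it matches the capacity ratio exactly. Link capacities are constructed for the example.

```python
"""Ratio-based link selection: hand new connections to links in proportion to
their capacity using smooth weighted round-robin (the scheme nginx uses for
upstream servers). Added illustration of the method described above, not
Forcepoint's code; link capacities are constructed for the example."""
from typing import Dict


def capacity_ratios(capacity_mbps: Dict[str, float]) -> Dict[str, float]:
    """Each link's bandwidth relative to the largest link, as the text describes."""
    largest = max(capacity_mbps.values())
    return {name: cap / largest for name, cap in capacity_mbps.items()}


class RatioBalancer:
    def __init__(self, capacity_mbps: Dict[str, float]):
        # integer weights keep the arithmetic exact; Mbit/s values work directly
        self.weight = {name: int(cap) for name, cap in capacity_mbps.items()}
        self.current = {name: 0 for name in self.weight}
        self.total = sum(self.weight.values())

    def pick(self) -> str:
        """Link for the next new connection: every link earns its weight,
        the richest link is chosen and pays back the total."""
        for name in self.current:
            self.current[name] += self.weight[name]
        best = max(self.current, key=self.current.get)
        self.current[best] -= self.total
        return best

    def distribute(self, n_connections: int) -> Dict[str, int]:
        """Assign n_connections and return how many each link received."""
        counts = {name: 0 for name in self.weight}
        for _ in range(n_connections):
            counts[self.pick()] += 1
        return counts


def observed_ratios(counts: Dict[str, int]) -> Dict[str, float]:
    """Same normalisation as capacity_ratios, applied to what actually happened."""
    largest = max(counts.values())
    return {name: n / largest for name, n in counts.items()}


if __name__ == "__main__":
    links = {"A": 100, "B": 50, "C": 10}   # Mbit/s, constructed
    print(capacity_ratios(links))
    print(RatioBalancer(links).distribute(3))      # low volume: approximate
    print(RatioBalancer(links).distribute(1600))   # high volume: exact
```

With capacities 100, 50 and 10 Mbit/s the first three connections go A, B, A (the 10 Mbit/s link gets nothing yet), while over a multiple of the total weight every link receives exactly its share, which is the convergence the text describes.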

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load-balancing and high-availability issues.

Here are some examples of problems that can occur if load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
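The following added example (generic code written for this page, not Forcepoint's algorithm) shows the pieces named above in one small controller: three input variables (utilisation, packet loss, round-trip time), fuzzy sets over each, four rules, and a weighted-average de-fuzzification that yields a single "how healthy is this link" value. The set boundaries, the rules and the health threshold are assumptions chosen for the demonstration.

```python
"""Fuzzy-logic link health scoring, added to illustrate the approach
described above; a generic, simplified controller written for this page,
not Forcepoint's algorithm. Inputs (utilisation, packet loss, round-trip
time), set boundaries and rules are assumptions for the example."""
from typing import Dict, Tuple


def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership: 0 up to a, rising to 1 at b, flat to c, falling to 0 at d."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


# Fuzzy sets over the three input variables (boundaries are assumptions).
def load_low(util: float) -> float:
    return trapezoid(util, -1.0, 0.0, 0.4, 0.8)

def load_high(util: float) -> float:
    return trapezoid(util, 0.4, 0.8, 1.0, 2.0)

def loss_none(pct: float) -> float:
    return trapezoid(pct, -1.0, 0.0, 0.5, 2.0)

def loss_some(pct: float) -> float:
    return trapezoid(pct, 0.5, 2.0, 3.0, 6.0)

def loss_heavy(pct: float) -> float:
    return trapezoid(pct, 3.0, 6.0, 100.0, 101.0)

def rtt_ok(ms: float) -> float:
    return trapezoid(ms, -1.0, 0.0, 50.0, 150.0)

def rtt_bad(ms: float) -> float:
    return trapezoid(ms, 50.0, 150.0, 1e4, 1e4 + 1)


def link_health(util: float, loss_pct: float, rtt_ms: float) -> float:
    """Degree of truth, 0..1, that the link is healthy.

    Rules: AND = min, OR = max. Each rule's firing strength weights a crisp
    output value (Sugeno style); the weighted average de-fuzzifies.
    """
    rules = [
        (min(load_low(util), loss_none(loss_pct), rtt_ok(rtt_ms)), 1.0),  # all good
        (load_high(util), 0.5),                                            # loaded, still usable
        (loss_some(loss_pct), 0.4),                                        # starting to fail
        (max(loss_heavy(loss_pct), rtt_bad(rtt_ms)), 0.0),                 # failing
    ]
    total = sum(strength for strength, _ in rules)
    if total == 0.0:
        return 0.0  # no rule fired: treat an unknown state as unusable
    return sum(strength * value for strength, value in rules) / total


def link_weights(links: Dict[str, Tuple[float, float, float, float]],
                 min_health: float = 0.2) -> Dict[str, float]:
    """Capacity-proportional weights scaled by health. Links below min_health
    get weight 0, so new traffic moves away from a link that is going bad.
    Each link is (capacity_mbps, utilisation 0..1, loss %, rtt ms)."""
    weights = {}
    for name, (capacity_mbps, util, loss_pct, rtt_ms) in links.items():
        health = link_health(util, loss_pct, rtt_ms)
        weights[name] = capacity_mbps * health if health >= min_health else 0.0
    return weights


if __name__ == "__main__":
    # constructed measurements: healthy MPLS, degrading ADSL, failing LTE
    sample = {"MPLS": (2.0, 0.2, 0.0, 20.0),
              "ADSL": (20.0, 0.6, 1.0, 100.0),
              "LTE": (30.0, 0.3, 8.0, 400.0)}
    print(link_weights(sample))
```

The degrading ADSL link is the interesting case: none of its measurements is alarming on its own, but several rules fire partially and the health drops to roughly 0.48, so its share of new traffic roughly halves before it has actually failed, and the LTE link with 8 per cent loss and 400 ms round trips is taken out of rotation entirely.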

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

The use of a VoIP service was desirable wherever possible, to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and to direct all the other traffic to lower-cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of firewalling adapted to your network. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

Whatrsquos the Role of the Network in My Business

Whether your business activity is centered on the industrial educational financial or other segment you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it

You also need to grasp fully the consequences of downtime broken connections stealth attacks or increasing traffic vol-umes You can be surprised how networks change and grow and take you unaware when an incident occurs

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words, taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How Much Time Do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real Time?
  • EULA

PPTP

Point-to-Point Tunneling Protocol allows remote users to access their corporate networks securely using the Microsoft Windows platforms and other enabled systems. Users dial into their local ISPs to connect securely to their networks via the Internet.

PPTP, a Layer 2 protocol, is easy to use and configure; however, many experts consider it weak in terms of security.

L2TP

Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to provide VPN services over the Internet. It combines the functionality of PPTP and the Layer 2 Forwarding protocol (L2F) with some additional functions.

You can use L2TP in conjunction with IPsec to provide encryption, authentication and integrity.

IPsec

IP Security operates on Layer 3 and therefore can protect any protocol that runs on top of IP. As a framework consisting of various protocols and algorithms, which can be added to and developed, IPsec provides flexibility and in-depth strength, and it's an almost perfect solution for securing VPNs.

The only drawback is that IPsec requires setting up on the corporate network and on the client end, and is a complex framework to work with. It's used for both site-to-site and remote-user connectivity.

SSL

Secure Sockets Layer VPN provides excellent security for remote-access users and is easy to use; it's already heavily employed in online shopping and banking. SSL-protected pages display 'https' in the browser URL bar as opposed to 'http'.

Whereas with IPsec a remote user requires client software that would need installing, configuring and sometimes troubleshooting, with SSL the task is made simpler via the use of a web portal. SSL can also imitate the way IPsec works via lightweight software.


Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and possible hours of configuring and troubleshooting, unlike IPsec. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used, and you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network to the cloud, thereby creating a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use-case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4

Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter

Appreciating the power of multi‐link management

Distributing traffic for bandwidth efficiency

Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS and evasion protection, it also provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software or ISP peering agreements (such as those needed between two ISPs when using BGP for high availability of your Internet connection). The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or coordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would have left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was no higher than the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive and high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
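The sample configuration above, worked through as an added example (not code from the book or from Forcepoint's product): a small placement routine that pins Priority 1 SAP flows to the MPLS link, sends Priority 4 HTTP flows to ADSL first and lets them spill over only into MPLS capacity that the priority traffic is not using. The link sizes, flow demands and the policy table are constructed for illustration.

```python
"""Priority-based preferred-link placement, as described for the retail case.

Constructed example: two links (MPLS, ADSL), a policy table mapping each
application to a priority and a forced or preferred link, and a handful of
flows with bandwidth demands. Nothing here is Forcepoint's own code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    capacity_mbps: float
    used_mbps: float = 0.0
    up: bool = True

    def free_mbps(self) -> float:
        """Unused capacity; a link that is down offers nothing."""
        if not self.up:
            return 0.0
        return max(self.capacity_mbps - self.used_mbps, 0.0)


@dataclass
class Flow:
    app: str
    demand_mbps: float


# Policy table constructed from the book's sample configuration:
#   SAP traffic  = Priority 1 = forced on the MPLS link
#   HTTP traffic = Priority 4 = normally ADSL, plus free capacity on MPLS
POLICY = {
    "SAP": {"priority": 1, "forced": "MPLS"},
    "HTTP": {"priority": 4, "preferred": "ADSL"},
}


def place_flows(links: List[Link], flows: List[Flow]) -> List[Optional[str]]:
    """Assign each flow to a link name, or None if it must wait (throttled).

    Flows are handled in priority order so that Priority 1 traffic claims
    MPLS capacity before any lower-priority traffic can spill onto it.
    """
    by_name = {link.name: link for link in links}
    order = sorted(range(len(flows)), key=lambda i: POLICY[flows[i].app]["priority"])
    result: List[Optional[str]] = [None] * len(flows)

    for i in order:
        flow = flows[i]
        rule = POLICY[flow.app]
        chosen: Optional[Link] = None

        if "forced" in rule:
            # Forced traffic never leaves its link: either it fits or it waits.
            link = by_name[rule["forced"]]
            if link.free_mbps() >= flow.demand_mbps:
                chosen = link
        else:
            preferred = by_name[rule["preferred"]]
            if preferred.free_mbps() >= flow.demand_mbps:
                chosen = preferred
            else:
                # Spill over to whichever other live link has the most room,
                # which is how HTTP ends up using MPLS capacity SAP left free.
                spare = [l for l in links
                         if l is not preferred and l.free_mbps() >= flow.demand_mbps]
                if spare:
                    chosen = max(spare, key=Link.free_mbps)

        if chosen is not None:
            chosen.used_mbps += flow.demand_mbps
            result[i] = chosen.name
    return result


def utilization(links: List[Link]) -> Dict[str, float]:
    """Fraction of each link's capacity in use after placement."""
    return {l.name: round(l.used_mbps / l.capacity_mbps, 3) for l in links}


def demo_retail_case() -> Dict[str, object]:
    """Constructed scenario: 10 Mbps MPLS, 8 Mbps ADSL, two SAP and three HTTP flows."""
    links = [Link("MPLS", 10.0), Link("ADSL", 8.0)]
    flows = [Flow("HTTP", 6.0), Flow("SAP", 3.0), Flow("HTTP", 5.0),
             Flow("SAP", 2.0), Flow("HTTP", 4.0)]
    placement = place_flows(links, flows)
    return {"placement": placement, "utilization": utilization(links)}


if __name__ == "__main__":
    print(demo_retail_case())
```

In the constructed scenario both SAP flows land on MPLS, the first HTTP flow fills ADSL, the second HTTP flow spills into the 5 Mbps that SAP left free on MPLS, and the last HTTP flow has to wait, leaving MPLS at 100 per cent use.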

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize-acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: The ratio of actual traffic distribution is approximate.

Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing for more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
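The ratio method from "Rethinking the ratio method" and the fuzzy 'degree of truth' idea from this section, combined in one added example (my own code, not the product's algorithm, whose internals the book does not show): each link's weight is its capacity relative to the largest link, multiplied by a fuzzy health degree computed from latency and packet loss, and connections are then dealt out with a smooth weighted round-robin. The membership thresholds and the link figures are constructed assumptions; the example also shows the book's point that a few connections split only approximately while a large volume matches the capacity ratio.

```python
"""Ratio-method load balancing combined with a fuzzy link-health degree.

Constructed example. The capacity ratio follows the book's description
(each link compared to the largest one); the fuzzy part is a minimal
input -> fuzzy sets -> rule -> defuzzified weight pipeline of my own.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Link:
    name: str
    capacity_mbps: float
    latency_ms: float = 20.0   # measured round-trip time (constructed)
    loss_pct: float = 0.0      # measured packet loss (constructed)


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def capacity_ratio(links: List[Link]) -> Dict[str, float]:
    """Ratio method: every link's bandwidth relative to the biggest link."""
    biggest = max(l.capacity_mbps for l in links)
    return {l.name: l.capacity_mbps / biggest for l in links}


def health_degree(link: Link) -> float:
    """Fuzzy degree of truth (0..1) that 'this link is healthy'.

    Two fuzzy sets with linear membership, combined with the fuzzy AND (min):
      latency is low : 1.0 up to 50 ms, falling to 0.0 at 500 ms
      loss is low    : 1.0 at 0 %, falling to 0.0 at 5 %
    The thresholds are assumptions chosen for this example.
    """
    latency_low = clamp01(1.0 - (link.latency_ms - 50.0) / 450.0)
    loss_low = clamp01(1.0 - link.loss_pct / 5.0)
    return min(latency_low, loss_low)


def effective_weights(links: List[Link]) -> Dict[str, int]:
    """Defuzzify: scale ratio x health to an integer weight (0 = unusable)."""
    ratio = capacity_ratio(links)
    return {l.name: round(100 * ratio[l.name] * health_degree(l)) for l in links}


def distribute(links: List[Link], n_connections: int) -> Dict[str, int]:
    """Deal n_connections across links by smooth weighted round-robin.

    Links whose weight dropped to 0 (failing) receive nothing, which is how
    traffic is 'moved away to other valid links'. Over any multiple of the
    weight total the split is exactly proportional; for a few connections it
    is only approximate, matching the book's low-volume/high-volume note.
    """
    weights = {name: w for name, w in effective_weights(links).items() if w > 0}
    if not weights:
        raise RuntimeError("no usable link")
    total = sum(weights.values())
    current = {name: 0 for name in weights}
    counts = {l.name: 0 for l in links}
    for _ in range(n_connections):
        for name, w in weights.items():
            current[name] += w
        pick = max(current, key=current.get)   # highest running credit wins
        current[pick] -= total
        counts[pick] += 1
    return counts


if __name__ == "__main__":
    # Constructed links: one big MPLS-class link and two smaller ones.
    demo = [Link("A", 100.0), Link("B", 40.0, latency_ms=275.0), Link("C", 10.0)]
    print(effective_weights(demo))
    print(distribute(demo, 3), distribute(demo, 130))
```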

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique and the critical aspects driving one businessrsquos network can differ to a greater or lesser degree from those of another You can deduce the best practices that govern the management of your distributed network via these questions which help you to map your network infrastructure to the technological solutions at your disposal

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling Although by no means exhaustive the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge

The information in this chapter isnrsquot sufficiently detailed for you to understand the intricacies of securing hybrid net-works We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient net-work security and management

Chapter 5

Securing Hybrid Networks For Dummies 44

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Whatrsquos the Role of the Network in My Business

Whether your business activity is centered on the industrial educational financial or other segment you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. Networks change and grow in ways that can surprise you, and catch you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to, and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use, and the amount of bandwidth you're obtaining on each, conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both, or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy, and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network? The answer depends on who can reach that segment: a backup image is a complete copy of the data it protects, so the question is only worth asking if the network is genuinely isolated.

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How much Time do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real-Time?
• EULA

Using SSL VPN enables thousands of end-users to access the corporate network without the support of an administrator and, unlike IPsec, without possible hours of configuring and troubleshooting. The end-users just need to know the address of the SSL VPN portal. Another advantage is that any computer can be used; you don't need to rely on pre-configured client-side software.

Cloud services

In the current IT landscape, more and more companies are adopting cloud services. One way to use the cloud is to extend the company's internal network into the cloud, which creates a need to implement connections between its own network and the cloud. Encrypting these connections is recommended. This use case is very similar to site-to-site VPN, except that at the other end of the VPN you have the cloud.

We don't focus on data in this book, but highlighting the importance of encrypting valuable data that you store in the cloud is certainly useful.

Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology

In This Chapter
• Appreciating the power of multi-link management
• Distributing traffic for bandwidth efficiency
• Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. As well as supporting crucial features such as clustering, load balancing, QoS and evasion protection, the solution provides a simple and cost-effective way to create secure, high-capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment or software, and none of the ISP peering agreements that are needed between two ISPs when BGP is used for Internet high availability. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co-ordination requirements from the ISPs themselves.

This chapter describes how the Multi-Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi-Link refers to a simple way to combine several different ISP connections and automatically load-balance traffic between them.


Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often companies subscribe to QoS so that the high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would not have removed the single point of failure that the MPLS connection represented.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was capped at the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections, and the QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

• SAP traffic = Priority 1 = Forced on the MPLS link
• HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business first, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
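The rule set in the sample configuration can be expressed as a small scheduler. The following is an added example written for this edition, not Forcepoint's code or the product's configuration syntax: it models the two links of the retail case and places flows by priority, pinning priority 1 to the MPLS link and letting lower priorities use ADSL plus whatever MPLS capacity the priority-1 traffic left free. The link capacities (2 Mbit/s MPLS, 8 Mbit/s ADSL), the flow demands and the `Link`, `Flow`, `place_flows` and `retail_scenario` names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Link:
    name: str
    capacity_mbps: float
    used_mbps: float = 0.0

    def free(self) -> float:
        return self.capacity_mbps - self.used_mbps

    def take(self, mbps: float) -> float:
        """Reserve up to `mbps` on this link and return how much was granted."""
        granted = min(mbps, self.free())
        self.used_mbps += granted
        return granted


@dataclass
class Flow:
    app: str
    priority: int        # 1 = highest, as in the sample configuration above
    demand_mbps: float


# Link preference per priority class (assumed policy that mirrors the page):
# priority 1 is forced onto MPLS only; every other class tries ADSL first and
# then spills onto whatever MPLS capacity the priority-1 traffic left free.
FORCED: Dict[int, List[str]] = {1: ["MPLS"]}
DEFAULT_ORDER: List[str] = ["ADSL", "MPLS"]


def place_flows(flows: List[Flow], links: List[Link]) -> Dict[str, Dict[str, float]]:
    """Allocate bandwidth to flows in priority order.

    Returns {app: {link_name: mbps granted, "throttled": mbps left unserved}}.
    Placing higher priorities first is what gives them the guarantee: they see
    the full capacity of their links before lower classes get a look in.
    """
    by_name = {link.name: link for link in links}
    result: Dict[str, Dict[str, float]] = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        remaining = flow.demand_mbps
        grants: Dict[str, float] = {}
        for name in FORCED.get(flow.priority, DEFAULT_ORDER):
            if remaining <= 0:
                break
            got = by_name[name].take(remaining)
            if got > 0:
                grants[name] = got
                remaining -= got
        grants["throttled"] = remaining   # lower priority has to wait
        result[flow.app] = grants
    return result


def retail_scenario(sap_mbps: float, http_mbps: float) -> Dict[str, Dict[str, float]]:
    """The retail case: one MPLS line and one cheaper, fatter ADSL line per site.

    Capacities (2 Mbit/s MPLS, 8 Mbit/s ADSL) are constructed sample figures.
    """
    links = [Link("MPLS", 2.0), Link("ADSL", 8.0)]
    flows = [Flow("SAP", 1, sap_mbps), Flow("HTTP", 4, http_mbps)]
    return place_flows(flows, links)


if __name__ == "__main__":
    # Quiet period: SAP needs little, so HTTP gets all of ADSL plus the spare MPLS capacity.
    print(retail_scenario(sap_mbps=0.5, http_mbps=9.5))
    # Peak: SAP fills MPLS; HTTP is confined to ADSL and the excess is throttled, never SAP.
    print(retail_scenario(sap_mbps=2.0, http_mbps=10.0))
```

Two properties of the page's rule set fall out of the ordering: HTTP can borrow MPLS capacity only after SAP has been placed, and SAP demand beyond the MPLS capacity is throttled rather than spilled onto ADSL, because "forced" means forced.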

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using border gateway protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

Figure 4-1: Combining different links for efficient hybrid networks.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that picking whichever link answers fastest is the preferred solution. For example, if one ISP's bandwidth far exceeds that of the smaller ISPs supplementing it, a smaller ISP may still return a faster SYN-ACK (synchronize-acknowledgement) response.

But although that link may look like the 'fastest' connection, choosing it on that basis takes no account of the proportionate bandwidth available. The ratio method, whereby traffic is distributed among all the available links according to their relative capacity, does.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to figure out quickly whether one of the links is going bad, and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology resolves the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: the ratio of actual traffic distribution is approximate.
• Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load-balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.
• Traffic goes to a poor-quality link even though a better link is available.
• Traffic goes to a standby link even though an active link works.
• Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?
• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
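To make the ratio method and the 'degrees of truth' concrete, here is an added example that serves both the ratio-method section and the fuzzy-logic section above. It is not Forcepoint's algorithm: the membership ramps, their thresholds, the smooth weighted round-robin and the `IspLink`, `effective_weight`, `pick_link` and `distribute` names are assumptions chosen for the illustration. Each link's base weight is its capacity relative to the largest link; that weight is scaled down by a de-fuzzified health verdict built from the two questions above (how high is the load, how close to failing), and standby links are touched only when every active link has been scored down to zero. The ISP names, capacities and loss figures are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IspLink:
    name: str
    capacity_mbps: float
    standby: bool = False
    utilization: float = 0.0   # measured share of capacity in use (0..1)
    loss_pct: float = 0.0      # measured packet loss, in percent
    credit: float = field(default=0.0, repr=False)  # round-robin state (assumed)


def ramp(x: float, lo: float, hi: float) -> float:
    """Fuzzy membership: 0 at or below lo, 1 at or above hi, linear in between."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def load_is_high(link: IspLink) -> float:
    """Degree of truth of 'the load is high' (assumed ramp from 70% to 100%)."""
    return ramp(link.utilization, 0.7, 1.0)


def close_to_failing(link: IspLink) -> float:
    """Degree of truth of 'the link is close to failing' (assumed 1%..10% loss ramp)."""
    return ramp(link.loss_pct, 1.0, 10.0)


def effective_weight(link: IspLink, max_capacity: float) -> float:
    """Ratio method plus de-fuzzified health.

    Base weight = capacity relative to the largest link. A link judged to be
    failing drops to zero; a saturated link keeps at most half its share.
    """
    ratio = link.capacity_mbps / max_capacity
    penalty = max(close_to_failing(link), 0.5 * load_is_high(link))
    return ratio * (1.0 - penalty)


def pick_link(links: List[IspLink]) -> Optional[IspLink]:
    """Choose the link for the next new connection.

    Active links with a positive weight are served by smooth weighted round
    robin; standby links are used only when no active link is usable.
    """
    max_cap = max(l.capacity_mbps for l in links)
    candidates = [(l, effective_weight(l, max_cap)) for l in links if not l.standby]
    candidates = [(l, w) for l, w in candidates if w > 0.0]
    if not candidates:
        candidates = [(l, l.capacity_mbps / max_cap) for l in links if l.standby]
    if not candidates:
        return None
    total = sum(w for _, w in candidates)
    best: Optional[IspLink] = None
    for link, w in candidates:
        link.credit += w
        if best is None or link.credit > best.credit:
            best = link
    best.credit -= total
    return best


def distribute(links: List[IspLink], n_connections: int) -> Dict[str, int]:
    """Route n new connections and count how many landed on each link."""
    for l in links:
        l.credit = 0.0
    counts = {l.name: 0 for l in links}
    for _ in range(n_connections):
        chosen = pick_link(links)
        if chosen is not None:
            counts[chosen.name] += 1
    return counts


def make_links() -> List[IspLink]:
    """Constructed sample: three active ISPs in a 4:2:1 capacity ratio, one standby 3G link."""
    return [
        IspLink("ISP-A", 100.0),
        IspLink("ISP-B", 50.0),
        IspLink("ISP-C", 25.0),
        IspLink("3G", 20.0, standby=True),
    ]


if __name__ == "__main__":
    links = make_links()
    print("3 connections  :", distribute(links, 3))    # only approximately 4:2:1
    print("700 connections:", distribute(links, 700))  # exactly 4:2:1
    links[2].loss_pct = 12.0                           # ISP-C judged failing: traffic moves away
    print("ISP-C failing  :", distribute(links, 6))
    for l in links[:3]:
        l.loss_pct = 15.0                              # every active link down: standby takes over
    print("all active down:", distribute(links, 5))
```

The run shows the low-volume/high-volume behaviour stated for the ratio method (three connections land 2:1:0, seven hundred land exactly 400:200:100), a failing link losing its share without any traffic going to the standby link while an active one still works, and the standby link being used only once all active links are scored down to zero.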

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs, while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or, if it did, the connections were extremely costly.
• The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.
• The use of a VoIP service was desirable wherever possible, to save costs.
• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined the different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Ten Top Tips for Managing Hybrid Connections

In This Chapter Navigating complexities

Highlighting the need for strategic planning

I n this chapter we present ten questions to ask yourself about your company Think of them as hints to help deter-

mine how to make your hybrid network work in the best pos-sible way as well as support future changes

Each industry is unique and the critical aspects driving one businessrsquos network can differ to a greater or lesser degree from those of another You can deduce the best practices that govern the management of your distributed network via these questions which help you to map your network infrastructure to the technological solutions at your disposal

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling Although by no means exhaustive the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge

The information in this chapter isnrsquot sufficiently detailed for you to understand the intricacies of securing hybrid net-works We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient net-work security and management

Chapter 5

Securing Hybrid Networks For Dummies 44

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Whatrsquos the Role of the Network in My Business

Whether your business activity is centered on the industrial educational financial or other segment you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it

You also need to grasp fully the consequences of downtime broken connections stealth attacks or increasing traffic vol-umes You can be surprised how networks change and grow and take you unaware when an incident occurs

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network

Here you need to know exactly what you subscribe to and why digital subscriber lines (DSL) leased lines cable modems satellite mobile broadband and even WAN links such as point‐to‐point MPLS Knowing the full scope of links you use and the amount of bandwidth yoursquore obtaining condi-tions the policies you use to manage traffic

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings implement link‐balancing technology do both or in a best‐case scenario even do nothing How great would that be

We discuss SLAs in Chapter 2

Chapter 5 Ten Top Tips for Managing Hybrid Connections 45

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.

How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup, and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow, without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for the different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures, or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance, and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How Much Time Do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real‐Time?
  • EULA

Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology

In This Chapter

  • Appreciating the power of multi‐link management
  • Distributing traffic for bandwidth efficiency
  • Maintaining surveillance of your hybrid network

Managing links and optimizing connectivity are integral capabilities built into Forcepoint's network security solution, Stonesoft Next Generation Firewall. So although the solution supports crucial features such as clustering, load balancing, QoS, and evasion protection, it also provides a simple and cost‐effective way to create secure, high‐capacity connections between sites and ensure uninterrupted Internet connectivity.

Designed for ease of use, the implementation requires no special equipment, software, or ISP peering agreements, such as those needed between two ISPs when using BGP for high availability of your Internet connection. The integrated Forcepoint Security Management Center provides all configurations, and they're completely independent of any setup or co‐ordination requirements from the ISPs themselves.

This chapter describes how the Multi‐Link technology native to Stonesoft Next Generation Firewall solves the hybrid network challenges exposed in Chapter 3. Multi‐Link refers to a simple way to combine several different ISP connections and automatically load‐balance traffic between them.

Meeting Multi‐Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section, we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability, and security. We show you how to reserve some links for priority traffic and use low‐cost links for web surfing. Faced with the requirement for always‐on connectivity, you can resort to Multi‐Link technology to keep your network up and running, efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high‐priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower‐priority traffic has to wait (it can be throttled) or use links that aren't reserved for high‐priority traffic.

Often companies subscribe to QoS so that the high‐priority traffic is kept on high‐quality network links (such as MPLS) and low‐priority traffic uses cheaper or lower‐quality network links.

Seeing multi‐link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing, and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it left the problem of the MPLS connection being a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was at most as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization: SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner, the expensive and high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

  • SAP traffic = Priority 1 = Forced on the MPLS link
  • HTTP traffic = Priority 4 = Normally using ADSL + free capacity on MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business, and you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission‐critical, time‐sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of enacting.

Multi‐link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost effectively by using Forcepoint's Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything; connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks

The traffic from the failed ISP connection was automatically transferred to the still functioning one. Business continued without interruption.

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

  • Volume of traffic is low: the ratio of actual traffic distribution is approximate.
  • Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
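As an added illustration (not code from the book, and not Forcepoint's implementation), here is one simple way to realise the ratio method described above: each link's ratio is its bandwidth compared to the largest link, and every new flow goes to the link that is furthest below its share. The link names and capacities are constructed sample values; the deviation helper shows why a low volume of flows only approximates the ratio while a high volume converges to it.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List


@dataclass(frozen=True)
class Link:
    name: str
    capacity_mbps: int  # subscribed bandwidth of this ISP link


# Constructed sample links: one large MPLS link plus two cheaper links.
LINKS: List[Link] = [
    Link("MPLS", 100),
    Link("ADSL", 50),
    Link("LTE", 25),
]


def capacity_ratios(links: List[Link]) -> Dict[str, Fraction]:
    """Compare every link with the link that has the most bandwidth.

    The largest link gets ratio 1, a link with half its bandwidth gets 1/2,
    and so on. Fractions keep the comparison exact (no float rounding).
    """
    biggest = max(link.capacity_mbps for link in links)
    return {link.name: Fraction(link.capacity_mbps, biggest) for link in links}


def ideal_shares(links: List[Link]) -> Dict[str, Fraction]:
    """Fraction of all traffic each link should carry under the ratio method."""
    ratios = capacity_ratios(links)
    total = sum(ratios.values())
    return {name: ratio / total for name, ratio in ratios.items()}


def pick_link(links: List[Link], assigned: Dict[str, int]) -> Link:
    """Choose the link that is furthest below its capacity share.

    The key is flows per unit of capacity; the smallest value is the link
    most under-used relative to its ratio. Ties go to the first link in
    configured order, so the result is deterministic.
    """
    return min(links, key=lambda link: Fraction(assigned[link.name], link.capacity_mbps))


def distribute(links: List[Link], n_flows: int) -> Dict[str, int]:
    """Assign n_flows new connections one at a time and count them per link."""
    assigned = {link.name: 0 for link in links}
    for _ in range(n_flows):
        assigned[pick_link(links, assigned).name] += 1
    return assigned


def max_deviation(links: List[Link], n_flows: int) -> Fraction:
    """Largest gap between a link's actual share and its ideal share.

    Zero means the traffic split matches the capacity ratio exactly.
    """
    if n_flows == 0:
        return Fraction(0)
    actual = distribute(links, n_flows)
    ideal = ideal_shares(links)
    return max(abs(Fraction(actual[name], n_flows) - ideal[name]) for name in ideal)


if __name__ == "__main__":
    print("ratios:", {name: str(r) for name, r in capacity_ratios(LINKS).items()})
    for n in (3, 10, 7000):
        split = distribute(LINKS, n)
        print(f"{n:>5} flows -> {split}  max deviation {float(max_deviation(LINKS, n)):.3f}")
```

With three flows each link gets one (an even split, far from the 4:2:1 capacity ratio); with 7000 flows the split is exactly 4000:2000:1000.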

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration, allowing for more granular and efficient use of the available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

  • Traffic goes to only one ISP link even though multiple active links are available.
  • Traffic goes to a poor‐quality link even though a better link is available.
  • Traffic goes to a standby link even though an active link works.
  • Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

  • How high is the load?
  • How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules, and 'de‐fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
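To make the five components just listed concrete, here is an added example (not Forcepoint's algorithm and not code from the book) of a small fuzzy inference for one link: two input variables answering the two questions above (link load and probe loss, both assumed measurements), three fuzzy sets each, a handful of rules, and a weighted‐average de‐fuzzifying step that yields a link preference used to move traffic away from a link that is going bad. The link names and readings are constructed.

```python
from typing import Dict, List, Tuple


def trap(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership: rises from a to b, is 1 between b and c, falls to 0 at d."""
    if b <= x <= c:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if c < x < d:
        return (d - x) / (d - c)
    return 0.0


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership peaking at b."""
    return trap(x, a, b, b, c)


def load_sets(load_pct: float) -> Dict[str, float]:
    """Input variable 1, 'how high is the load?': link utilisation in percent."""
    return {
        "low": trap(load_pct, -1, 0, 30, 60),
        "medium": tri(load_pct, 30, 60, 90),
        "high": trap(load_pct, 60, 90, 100, 101),
    }


def loss_sets(loss_pct: float) -> Dict[str, float]:
    """Input variable 2, 'how close are things to failing?': probe loss in percent (assumed measurement)."""
    return {
        "healthy": trap(loss_pct, -1, 0, 1, 3),
        "degrading": tri(loss_pct, 1, 3, 8),
        "failing": trap(loss_pct, 5, 10, 100, 101),
    }


# Output variable: link preference on a 0..100 scale, one representative value per output set.
OUTPUT_LEVELS = {"avoid": 10.0, "reduce": 50.0, "prefer": 90.0}


def link_preference(load_pct: float, loss_pct: float) -> float:
    """Run the rules and de-fuzzify to a single preference score."""
    load = load_sets(load_pct)
    loss = loss_sets(loss_pct)
    # Rules: AND is min; several rules with the same conclusion combine with max.
    fired = {
        "avoid": max(load["high"], loss["failing"]),
        "reduce": max(
            min(load["medium"], loss["healthy"]),
            min(load["low"], loss["degrading"]),
            min(load["medium"], loss["degrading"]),
        ),
        "prefer": min(load["low"], loss["healthy"]),
    }
    total = sum(fired.values())
    if total == 0.0:
        return 50.0  # no rule fired: stay neutral
    # De-fuzzify: weighted average of the representative output values.
    return sum(fired[k] * OUTPUT_LEVELS[k] for k in fired) / total


def rank_links(samples: Dict[str, Tuple[float, float]],
               drain_below: float = 25.0) -> Tuple[List[str], List[str]]:
    """Rank links by preference and list those whose traffic should be moved away."""
    scores = {name: link_preference(load, loss) for name, (load, loss) in samples.items()}
    ranked = sorted(scores, key=lambda name: scores[name], reverse=True)
    drained = [name for name in ranked if scores[name] < drain_below]
    return ranked, drained


# Constructed readings: (load %, probe loss %) per link.
SAMPLES = {"MPLS-A": (20, 0.2), "MPLS-B": (40, 12), "ADSL": (75, 0.5)}

if __name__ == "__main__":
    for name, (load, loss) in SAMPLES.items():
        print(f"{name}: preference {link_preference(load, loss):.1f}")
    print("ranked, drained:", rank_links(SAMPLES))
```

MPLS-B, which is lightly loaded but losing 12 per cent of probes, scores in the 'avoid' band and is drained even though its load alone would look fine; the loaded ADSL link is only de‐prioritised.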

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection, and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

  • The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.
  • The ERP system required low‐latency connections, ideally an MPLS connection with a strict SLA.
  • The use of a VoIP service was desirable wherever possible to save costs.
  • Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later, when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

WILEY END USER LICENSE AGREEMENTGo to wwwwileycomgoeula to access Wileyrsquos ebook EULA

• Title Page
• Copyright Page
• Table of Contents
• Introduction
  • About This Book
  • Foolish Assumptions
  • How to Use This Book
  • Icons Used in This Book
  • Where to Go from Here
• Chapter 1: Understanding Next-Generation Networks
  • Connecting the World
    • Introducing how networks work
    • Understanding network architectures
  • Deploying Hybrid Networks
    • Speeding things up
    • Staying secure
    • Talking about network topologies
    • Making the case for distributed networks
    • Keeping traffic private via VPN
  • Finding a Way Through Routing and Load Balancing
    • Understanding routing protocols
    • Considering load-balancing hybrid networks
• Chapter 2: Running Efficient Hybrid Networks
  • Balancing Cost, Performance and Security
    • Identifying key business principles
    • Addressing outage with SLAs
  • Considering Your Network Configurations
    • Discerning critical versus non-critical applications
    • Scaling for growth and change
    • Firing up your firewall knowledge
• Chapter 3: Managing Hybrid Connection Challenges
  • Managing Network Connections for Optimal Performance
    • Prioritizing traffic with QoS
    • Balancing load between ISPs
    • Activating dormant links
  • Considering Costs
    • Using consumer grade connections
    • Estimating a budget
  • Keeping Your Network Safe
    • Preventing eavesdropping
    • Demystifying VPN protocols
• Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
  • Meeting Multi-Link Technology
    • Prioritizing links
    • Seeing multi-link prioritization in action
    • Aggregating links
    • Joining together for security
  • Load Balancing with Multi-Link
    • Rethinking the ratio method
    • Getting logical, though fuzzily
  • Keeping Watch over Hybrid Networks
    • Proving a success
    • Solving a real-world issue
• Chapter 5: Ten Top Tips for Managing Hybrid Connections
  • What's the Role of the Network in My Business?
  • What are the Connectivity Solutions Used in My Network?
  • Do I Need a Service Level Agreement?
  • What are the Availability Stats of My Most Important Applications?
  • Is the Data Transmitted via My Network Secure?
  • Am I Equipped for Increasing Volumes of Traffic?
  • How Much Time Do I Spend on Configurations?
  • Am I Always Using the Fastest Connection?
  • Do I Sometimes Prioritize Performance over Security?
  • Can I See All Connections Across My Network in Real Time?
• EULA

Meeting Multi-Link Technology

The solution from Forcepoint combines the best aspects of high availability and QoS (see Chapter 3). It uses several separate network links and allows them to have different Quality of Service classes.

In this section we explain how you can solve hybrid network challenges in a simple manner. You'll learn how to combine several independent ISP links for increased capacity, high availability and security. We show you how to reserve some links for priority traffic and use low-cost links for web surfing. Faced with the requirement for always-on connectivity, you can resort to Multi-Link technology to keep your network up and running – efficiently and all of the time.

Prioritizing links

In real life, the result of any normal situation (enough networking capacity and no congestion) is that all traffic is evenly load balanced between the different network links. When network congestion occurs (during traffic peak hours), QoS takes action, either dedicating some of the network links totally to high-priority traffic or guaranteeing a specific percentage of the link capacity for it. Lower-priority traffic has to wait (it can be throttled) or use links that aren't reserved for high-priority traffic.

Often, companies subscribe to QoS so that high-priority traffic is kept on high-quality network links (such as MPLS) and low-priority traffic uses cheaper or lower-quality network links.

Seeing multi-link prioritization in action

Here we examine the case of a global retail company that had been using one MPLS connection from each of its locations to its central datacenter, where the main Enterprise Resource Planning system (SAP R/3) was located. Problems arose because SAP traffic didn't always have enough bandwidth available.

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited


The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, and so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive – and it would have left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage, that wouldn't cover the production losses, and so the company wanted to have a cost-effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with the use of Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost-effective way to supply more bandwidth to each location.

Forcepoint's Multi-Link technology was used to load balance the traffic between the ADSL and MPLS connections. The QoS feature was implemented for SAP traffic prioritization: SAP traffic thus always has priority over the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high-quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high-quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost-effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

• SAP traffic = Priority 1 = Forced on the MPLS link

• HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link

With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission-critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business first, so you don't need to purchase more bandwidth.

This retail company now benefits from guaranteed bandwidth for mission-critical, time-sensitive applications and a better user experience.
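The sample configuration above (priority 1 forced onto MPLS, priority 4 on ADSL plus spare MPLS capacity) can be read as a small placement policy. The following Python is an added illustration of that policy and is not Forcepoint's or Stonesoft's code; the Link and Flow classes, the 10 Mbps / 8 Mbps capacities, the flow rates and the rule that best-effort traffic spills onto MPLS only when ADSL is full are all constructed assumptions.

```python
"""Priority-based link selection for a two-link site (MPLS + ADSL).

Constructed illustration of the sample configuration in the text; it is not
Forcepoint's or Stonesoft's code. Capacities, flow rates and the policy are
assumptions chosen to make the behaviour visible.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float      # nominal capacity (constructed figure)
    used_mbps: float = 0.0    # capacity already committed to placed flows

    @property
    def free_mbps(self) -> float:
        return self.capacity_mbps - self.used_mbps


@dataclass(frozen=True)
class Flow:
    app: str
    priority: int             # 1 = highest, as in the sample configuration
    rate_mbps: float


# Assumed policy, mirroring the sample configuration:
#   priority 1  -> forced onto the preferred link (MPLS), no fallback
#   priority >1 -> best effort: ADSL first, then spare MPLS capacity
FORCED_LINK = "MPLS"
BEST_EFFORT_LINK = "ADSL"


def place_flow(flow: Flow, links: dict[str, Link]) -> Link:
    """Pick the link a single flow is steered to, without committing capacity."""
    if flow.priority == 1:
        # Forced: pinned to MPLS even when that overcommits the link; it is the
        # lower-priority traffic that gets throttled, never the priority-1 flow.
        return links[FORCED_LINK]
    adsl, mpls = links[BEST_EFFORT_LINK], links[FORCED_LINK]
    if adsl.free_mbps >= flow.rate_mbps:
        return adsl
    if mpls.free_mbps >= flow.rate_mbps:
        return mpls                         # spill onto unused MPLS capacity
    return adsl                             # no room anywhere: queued on ADSL


def assign_flows(links: dict[str, Link], flows: list[Flow]) -> dict[str, str]:
    """Place every flow, highest priority first, and return {app: link name}.

    Handling priority 1 first is what makes 'forced on MPLS' meaningful: the
    reservation happens before any best-effort flow can consume MPLS capacity.
    sorted() is stable, so flows with equal priority keep their input order.
    """
    placement: dict[str, str] = {}
    for flow in sorted(flows, key=lambda f: f.priority):
        target = place_flow(flow, links)
        target.used_mbps += flow.rate_mbps
        placement[flow.app] = target.name
    return placement


def sample_scenario() -> tuple[dict[str, Link], list[Flow]]:
    """Constructed site: a 10 Mbps MPLS link, an 8 Mbps ADSL link, four flows."""
    links = {
        "MPLS": Link("MPLS", capacity_mbps=10.0),
        "ADSL": Link("ADSL", capacity_mbps=8.0),
    }
    flows = [
        Flow("SAP", priority=1, rate_mbps=4.0),
        Flow("HTTP-branch-A", priority=4, rate_mbps=5.0),
        Flow("HTTP-branch-B", priority=4, rate_mbps=5.0),
        Flow("email", priority=3, rate_mbps=2.0),
    ]
    return links, flows


if __name__ == "__main__":
    links, flows = sample_scenario()
    for app, link in assign_flows(links, flows).items():
        print(f"{app:15s} -> {link}")
    for link in links.values():
        print(f"{link.name}: {link.used_mbps:.0f}/{link.capacity_mbps:.0f} Mbps committed")
```

In the constructed scenario SAP lands on MPLS, email and the first HTTP flow fill ADSL, and the second HTTP flow spills onto the MPLS capacity SAP left unused, which is exactly the "close to 100 per cent use" effect the case study describes.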

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, and so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size.

Another method would be to use several low-cost connections and somehow make them look like one trustworthy and fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi-Link technology combines several hybrid network connections together and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast and always-available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Figure 4-1: Combining different links for efficient hybrid networks.

Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled it to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything – connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds that of the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize-acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: The ratio of actual traffic distribution is approximate.

• Volume of traffic is high: The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.

• Traffic goes to a poor-quality link even though a better link is available.

• Traffic goes to a standby link even though an active link works.

• Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?

• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses Multi-Link technology, which allows it always to choose the fastest Internet service provider line.
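The ratio method and the fuzzy link-health idea from the two preceding sections fit together in one small model. The Python below is an added example written for this page, not Forcepoint's or Stonesoft's implementation: the LinkStats fields, the membership thresholds (70-95% utilization, 1-5% loss, 1.5x-4x RTT inflation), the 0.8 cut-off for treating a link as down, and the three-ISP site with its probe figures are all constructed assumptions. It shows the capacity ratios being derived against the largest link, a 'degree of truth' for "this link is failing" computed from imprecise probe data, the de-fuzzified decision to scale down or exclude a link, and why the distribution is only approximate at low connection counts but converges at high ones.

```python
"""Ratio-based link selection with a fuzzy link-health score.

Added illustration, not Forcepoint's or Stonesoft's implementation. It shows
the two ideas from the text: (1) each link's capacity is compared with the
largest link to derive a distribution ratio, and (2) a fuzzy 'degree of
truth' for 'this link is failing' scales that ratio down, or excludes the
link, so new connections drift away from a deteriorating link. Thresholds,
capacities and probe figures are all constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class LinkStats:
    name: str
    capacity_mbps: float
    utilization: float = 0.0       # fraction of capacity in use, 0.0 .. 1.0
    loss: float = 0.0              # packet-loss fraction over the probe window
    rtt_ms: float = 20.0           # measured round-trip time
    baseline_rtt_ms: float = 20.0  # RTT seen when the link was healthy


def ramp(x: float, lo: float, hi: float) -> float:
    """Linear fuzzy membership: 0 at or below lo, 1 at or above hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def failing_degree(s: LinkStats) -> float:
    """Degree of truth in [0, 1] for 'this link is failing'.

    Three fuzzy sets over imprecise probe data (assumed thresholds):
    overloaded (utilization), lossy (packet loss) and slow (RTT inflation).
    The rule 'failing if overloaded OR lossy OR slow' uses max as fuzzy OR.
    """
    overloaded = ramp(s.utilization, 0.70, 0.95)
    lossy = ramp(s.loss, 0.01, 0.05)
    slow = ramp(s.rtt_ms / s.baseline_rtt_ms, 1.5, 4.0)
    return max(overloaded, lossy, slow)


def capacity_ratios(links: list[LinkStats]) -> dict[str, float]:
    """Ratio of each link's bandwidth to the biggest link (biggest = 1.0)."""
    biggest = max(l.capacity_mbps for l in links)
    return {l.name: l.capacity_mbps / biggest for l in links}


def effective_weights(links: list[LinkStats], down_at: float = 0.8) -> dict[str, float]:
    """De-fuzzify: a link whose failing degree reaches down_at is treated as
    down and dropped; otherwise its capacity ratio is scaled by (1 - degree)."""
    ratios = capacity_ratios(links)
    weights: dict[str, float] = {}
    for l in links:
        degree = failing_degree(l)
        if degree >= down_at:
            continue
        weights[l.name] = ratios[l.name] * (1.0 - degree)
    return weights


def distribute(weights: dict[str, float], n_connections: int) -> dict[str, int]:
    """Hand out n new connections one at a time to the link whose
    (assigned + 1) / weight quotient is smallest: a deterministic weighted
    distribution that converges on the weight ratio as n grows."""
    counts = {name: 0 for name in weights}
    for _ in range(n_connections):
        target = min(weights, key=lambda n: (counts[n] + 1) / weights[n])
        counts[target] += 1
    return counts


def healthy_links() -> list[LinkStats]:
    """Constructed three-ISP site: 10 Mbps MPLS, 4 Mbps ADSL, 2 Mbps LTE."""
    return [LinkStats("MPLS", 10.0), LinkStats("ADSL", 4.0), LinkStats("LTE", 2.0)]


def degraded_links() -> list[LinkStats]:
    """Same site, but ADSL is near saturation and LTE is dropping 6% of packets."""
    links = healthy_links()
    links[1].utilization = 0.85
    links[2].loss = 0.06
    return links


if __name__ == "__main__":
    for label, links in (("healthy", healthy_links()), ("degraded", degraded_links())):
        w = effective_weights(links)
        print(label, "weights:", {k: round(v, 2) for k, v in w.items()})
        print("   5 connections:", distribute(w, 5))     # approximate at low volume
        print("1600 connections:", distribute(w, 1600))  # close to the capacity ratio
```

With all three links healthy the ratios are 1.0 : 0.4 : 0.2, so five new connections go 4 / 1 / 0 (LTE gets nothing yet) while 1,600 settle at roughly 1000 / 400 / 200. In the degraded case the lossy LTE link is excluded outright and the near-saturated ADSL link keeps only 40 per cent of its share, so new connections lean on MPLS without any link being declared hard-down on a single bad probe.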

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

• The ERP system required low-latency connections – an MPLS connection with a strict SLA, if possible.

• The use of a VoIP service was desirable wherever possible, to save costs.

• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities

• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.

How Much Time Do I Spend on Configurations?

Research commissioned by Forcepoint reveals – not surprisingly – that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm – until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic – in other words, taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real‐Time?
  • EULA

The problem

The reason for the bandwidth issue was that the other traffic (email, Internet browsing and so on) was driven through the same MPLS connection. The company wanted to remove the other traffic from the MPLS connection to ensure that the SAP traffic would always have enough bandwidth.

The company had several offices, so adding a second MPLS connection everywhere was too costly. Raising the capacity of the MPLS connection was also considered, but it was expensive, and it would still have left the MPLS connection as a single point of failure.

Even though the company had good SLAs with its ISP, the maximum compensation for a connection outage was only as high as the subscription fees it had already paid. In the case of a connection outage it wouldn't cover the production losses, so the company wanted a cost‐effective backup connection for the SAP traffic.

The solution

The retail company solved its problems with Stonesoft Next Generation Firewalls. It purchased an additional ADSL connection for all its offices, which was a cost‐effective way to supply more bandwidth to each location.

Forcepoint's Multi‐Link technology was used to load balance the traffic between the ADSL and MPLS connections, and the QoS feature was implemented for SAP traffic prioritization. SAP traffic thus always has priority on the MPLS connection, and other traffic is automatically directed to the ADSL connection. When unused capacity is available on the high‐quality MPLS connection, the other traffic is able to use it.

In this manner the expensive, high‐quality MPLS connection comes close to 100 per cent use at all times. At the same time, the cost‐effective ADSL connection provides capacity expansion whenever needed.

Here's a sample configuration:

SAP traffic = Priority 1 = Forced on the MPLS link

HTTP traffic = Priority 4 = Normally using ADSL + free capacity on the MPLS link


With the preferred link selection provided by Stonesoft Next Generation Firewall, the QoS functionality allows control over how each application uses the available bandwidth resources. Mission‐critical applications can be placed on links that provide high priority with low latency, while all other applications are placed on the links that have available bandwidth or provide best effort.

Inherent QoS makes the use of network resources more efficient by servicing the most important traffic for your business, so you don't need to purchase more bandwidth.
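As an added illustration (not code from the book or from Forcepoint), here is a small scheduler that applies the sample configuration above: priority-1 SAP flows are forced onto the MPLS link and admitted first, and priority-4 HTTP flows go to ADSL but may spill onto whatever the MPLS link has left. Admitting flows in priority order is what keeps the SAP bandwidth guaranteed even when HTTP demand exceeds the ADSL link. The link names, capacities, flow sizes and the admission rule itself are assumptions made for the example.

```python
# Added illustration of priority-based link placement with spillover, modelled
# on the sample QoS configuration above. This is not Forcepoint/Stonesoft code;
# link names, capacities, class definitions and flow sizes are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    name: str
    capacity_mbps: float
    used_mbps: float = 0.0

    def free_mbps(self) -> float:
        return self.capacity_mbps - self.used_mbps


@dataclass(frozen=True)
class QosClass:
    priority: int                    # 1 = highest priority
    forced: Optional[str] = None     # the only link this class may use
    preferred: Optional[str] = None  # link tried first; may spill to free capacity elsewhere


# Constructed policy mirroring the text's sample: SAP forced onto MPLS,
# HTTP normally on ADSL but allowed to use free capacity on the MPLS link.
POLICIES = {
    "sap": QosClass(priority=1, forced="mpls"),
    "http": QosClass(priority=4, preferred="adsl"),
}


def _spill_target(links, exclude: str) -> Optional[Link]:
    """Link other than `exclude` with the most free capacity (None if there is no other)."""
    others = [l for l in links if l.name != exclude]
    return max(others, key=lambda l: l.free_mbps(), default=None)


def schedule(link_specs: dict, flows: list):
    """Place each (app, demand_mbps) flow on a link.

    Returns (placements, utilisation): `placements` is aligned with `flows` and
    holds the chosen link name or None when no link has room; `utilisation`
    maps link name to Mbps in use. Flows are admitted in priority order, so a
    forced priority-1 class reserves its link before any lower-priority class
    can spill onto it.
    """
    links = {name: Link(name, cap) for name, cap in link_specs.items()}
    # sorted() is stable: flows of equal priority keep their arrival order
    order = sorted(range(len(flows)), key=lambda i: POLICIES[flows[i][0]].priority)
    placements = [None] * len(flows)
    for i in order:
        app, demand = flows[i]
        policy = POLICIES[app]
        chosen = None
        if policy.forced is not None:
            target = links[policy.forced]
            if target.free_mbps() >= demand:
                chosen = target
        else:
            target = links[policy.preferred]
            if target.free_mbps() >= demand:
                chosen = target
            else:
                spill = _spill_target(links.values(), exclude=policy.preferred)
                if spill is not None and spill.free_mbps() >= demand:
                    chosen = spill
        if chosen is not None:
            chosen.used_mbps += demand
            placements[i] = chosen.name
    return placements, {n: l.used_mbps for n, l in links.items()}


if __name__ == "__main__":
    # Constructed scenario: a 2 Mbps MPLS link and an 8 Mbps ADSL link.
    links = {"mpls": 2.0, "adsl": 8.0}
    flows = [("http", 6.0), ("http", 1.5), ("sap", 1.0), ("http", 1.0), ("http", 1.0)]
    print(schedule(links, flows))
```

With the constructed flows, the fourth HTTP flow lands on the MPLS link's spare 1 Mbps; raise the SAP demand to the full 2 Mbps and that spill disappears while the SAP flow is still placed, which is the behaviour the configuration is meant to guarantee.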

This retail company now benefits from guaranteed bandwidth for mission‐critical, time‐sensitive applications and a better user experience.

Aggregating links

Wouldn't it be great if you could somehow assemble several ADSL and LTE connections together to form one big, reliable connection? The probability of them all failing at any given time is negligible. Their traffic fluctuations occur randomly at different times, so most of the time you'd benefit from more than acceptable connection speeds. Moreover, the total cost would be low.

Even combining three ADSL or LTE connections is cheaper than an MPLS connection of the same size.

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy, fast connection. That's exactly what Stonesoft Next Generation Firewall is capable of doing.

Multi‐link technology combines several hybrid network connections and makes them invisible to the user of that connection (see Figure 4-1). The user sees only a fast, always available connection, whatever the underlying connections. Organizations gain the flexibility to deploy the type and number of connections that are best suited to their environments and their budgets.


Joining together for security

An industrial organization had its production sites in the United States, and one of its sales offices was in Bermuda.

The problem

The Bermuda office was totally dependent on the connection to the company's production sites. One MPLS connection existed between the production site and the Bermuda office. The CIO felt anxious because Bermuda is a known hurricane area: one big hurricane could disrupt the communication lines and put the company out of business for a long time.

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost‐effectively by using Forcepoint's Multi‐Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi‐Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks

The traffic from the failed ISP connection was automatically transferred to the still‐functioning one. Business continued without interruption.

Load Balancing with Multi‐Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN‐ACK (synchronize‐acknowledge) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi‐link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: the ratio of actual traffic distribution is approximate.

• Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
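To make the ratio method concrete, here is an added example (not Forcepoint's implementation) that computes each link's ratio relative to the largest link and then hands out connections with a deterministic weighted round-robin. With only a handful of connections the split is approximate; over a full cycle it matches the capacity ratio exactly, which is the low-volume versus high-volume behaviour described above. The link names and capacities are constructed.

```python
# Added illustration of the ratio method described above: an added example,
# not Forcepoint's implementation. Link names and capacities are constructed.


def link_ratios(capacities: dict) -> dict:
    """Each link's bandwidth compared to the link with the most bandwidth."""
    biggest = max(capacities.values())
    return {name: cap / biggest for name, cap in capacities.items()}


def distribute(capacities: dict, n_connections: int) -> dict:
    """Assign n new connections to links in proportion to capacity.

    Uses a smooth weighted round-robin (deterministic, so the result is
    reproducible): every round each link's score grows by its capacity, the
    highest score wins the connection and is charged the sum of all capacities.
    Over sum(capacities) rounds each link wins exactly `capacity` times.
    """
    total = sum(capacities.values())
    score = {name: 0.0 for name in capacities}
    counts = {name: 0 for name in capacities}
    for _ in range(n_connections):
        for name, cap in capacities.items():
            score[name] += cap
        winner = max(score, key=score.get)
        score[winner] -= total
        counts[winner] += 1
    return counts


def max_deviation(capacities: dict, counts: dict) -> float:
    """Largest gap between a link's achieved share and its capacity share."""
    sent = sum(counts.values())
    cap_total = sum(capacities.values())
    return max(abs(counts[n] / sent - capacities[n] / cap_total) for n in capacities)


if __name__ == "__main__":
    caps = {"mpls": 2.0, "adsl_1": 8.0, "adsl_2": 16.0}   # Mbps, constructed
    print(link_ratios(caps))
    for n in (3, 26, 260):
        counts = distribute(caps, n)
        print(n, counts, round(max_deviation(caps, counts), 3))
```

With three connections the 2 Mbps link receives nothing at all, so the achieved split deviates from the capacity ratio; after 26 connections (the sum of the constructed capacities) the counts are exactly 2, 8 and 16.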

Getting logical, though fuzzily

Using ratio‐based load balancing allows Forcepoint's Multi‐Link to take the larger link(s) into consideration, allowing more granular and efficient use of the available links.

Load‐balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting‐edge technologies, including fuzzy logic, to solve VPN load balancing and high‐availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.

• Traffic goes to a poor‐quality link even though a better link is available.

• Traffic goes to a standby link even though an active link works.

• Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi‐value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?

• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de‐fuzzifying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi‐link technology, which allows it always to choose the fastest Internet service provider line.
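The following added example (not Forcepoint's algorithm) walks through the four ingredients the text names: input variables (latency and packet loss), fuzzy sets, rules and de-fuzzifying, producing one crisp 'degree of health' per link. It then uses that score to pick a link in a way that avoids the failure modes listed earlier: a working active link is preferred over the standby as long as it still scores acceptably, a poor link is left while a better one exists, and a link whose score drops sharply is flagged as going bad. The set boundaries, rules, thresholds and sample measurements are all assumptions made for the example.

```python
# Added illustration of a fuzzy-logic link-health check: input variables,
# fuzzy sets, rules and de-fuzzifying as the text lists them. This is an
# added example, not Forcepoint's algorithm; the set boundaries, rules,
# thresholds and sample measurements are all constructed.


def ramp_down(x: float, a: float, b: float) -> float:
    """Membership 1 up to a, falling linearly to 0 at b."""
    if x <= a:
        return 1.0
    if x >= b:
        return 0.0
    return (b - x) / (b - a)


def ramp_up(x: float, a: float, b: float) -> float:
    """Membership 0 up to a, rising linearly to 1 at b."""
    return 1.0 - ramp_down(x, a, b)


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership peaking at b, zero outside (a, c)."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzify(latency_ms: float, loss_pct: float) -> dict:
    """Input variables -> degree of membership in each fuzzy set (constructed boundaries)."""
    return {
        "latency": {"low": ramp_down(latency_ms, 20, 80),
                    "medium": tri(latency_ms, 20, 80, 200),
                    "high": ramp_up(latency_ms, 80, 200)},
        "loss": {"none": ramp_down(loss_pct, 0.5, 3),
                 "some": tri(loss_pct, 0.5, 3, 10),
                 "heavy": ramp_up(loss_pct, 3, 10)},
    }


# Output variable "health" on a 0 (failing) .. 1 (good) scale; each rule
# conclusion is a singleton on that scale.
OUTPUT = {"good": 1.0, "degraded": 0.5, "failing": 0.0}


def apply_rules(sets: dict) -> dict:
    """Rule base: AND is min, OR is max; returns each conclusion's firing strength."""
    lat, loss = sets["latency"], sets["loss"]
    return {
        "good": min(lat["low"], loss["none"]),          # low latency AND no loss
        "degraded": max(lat["medium"], loss["some"]),   # medium latency OR some loss
        "failing": max(lat["high"], loss["heavy"]),     # high latency OR heavy loss
    }


def defuzzify(strengths: dict) -> float:
    """Weighted average of the singletons: one crisp 'degree of health'."""
    total = sum(strengths.values())
    if total == 0.0:
        return 0.0
    return sum(OUTPUT[k] * v for k, v in strengths.items()) / total


def health(latency_ms: float, loss_pct: float) -> float:
    return defuzzify(apply_rules(fuzzify(latency_ms, loss_pct)))


def select_link(measurements: dict, standby: str = None, min_health: float = 0.35):
    """Pick the healthiest active link. The standby is used only when every
    active link scores below min_health, so a working active link is never
    abandoned for the standby and a bad link is left while a better one exists."""
    scored = {name: health(*m) for name, m in measurements.items()}
    usable = {name: h for name, h in scored.items() if h >= min_health}
    if usable:
        return max(usable, key=usable.get)
    return standby


def degrading(history: list, drop: float = 0.25) -> bool:
    """True when the newest health score has fallen by more than `drop`
    below the best of the earlier samples: an early 'going bad' signal."""
    if len(history) < 2:
        return False
    return max(history[:-1]) - history[-1] > drop


if __name__ == "__main__":
    # Constructed measurements: (latency_ms, loss_pct) per link.
    links = {"isp_a": (10, 0.0), "isp_b": (50, 5.0)}
    print({n: round(health(*m), 3) for n, m in links.items()})
    print(select_link(links, standby="lte"))
```

The same measurement pipeline answers both questions from the text: the 'degraded' strength says how high the load-related impairment is, and the 'failing' strength says how close the link is to failing, before they are collapsed into the single score used for the routing decision.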

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real‐life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks, and can integrate with third‐party devices and event management tools.

Solving a real‐world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

• The ERP system required low‐latency connections, ideally an MPLS connection with a strict SLA.

• The use of a VoIP service was desirable wherever possible to save costs.

• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non‐existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when they're ready. If the land‐line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low‐latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low‐bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi‐Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities

• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point‐to‐point MPLS. Knowing the full scope of the links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link‐balancing technology, do both or, in a best‐case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non‐compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident‐free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point and from anywhere in the world is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.

Securing Hybrid Networks For Dummies 48

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

WILEY END USER LICENSE AGREEMENTGo to wwwwileycomgoeula to access Wileyrsquos ebook EULA

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
      • Chapter 1 Understanding Next‐Generation Networks
        • Connecting the World
          • Introducing how networks work
          • Understanding network architectures
            • Deploying Hybrid Networks
              • Speeding things up
              • Staying secure
              • Talking about network topologies
              • Making the case for distributed networks
              • Keeping traffic private via VPN
                • Finding a Way Through Routing and Load Balancing
                  • Understanding routing protocols
                  • Considering load‐balancing hybrid networks
                      • Chapter 2 Running Efficient Hybrid Networks
                        • Balancing Cost Performance and Security
                          • Identifying key business principles
                          • Addressing outage with SLAs
                            • Considering Your Network Configurations
                              • Discerning critical versus non‐critical applications
                              • Scaling for growth and change
                              • Firing up your firewall knowledge
                                  • Chapter 3 Managing Hybrid Connection Challenges
                                    • Managing Network Connections for Optimal Performance
                                      • Prioritizing traffic with QoS
                                      • Balancing load between ISPs
                                      • Activating dormant links
                                        • Considering Costs
                                          • Using consumer grade connections
                                          • Estimating a budget
                                            • Keeping Your Network Safe
                                              • Preventing eavesdropping
                                              • Demystifying VPN protocols
                                                  • Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology
                                                    • Meeting Multi‐Link Technology
                                                      • Prioritizing links
                                                      • Seeing multi‐link priorization in action
                                                      • Aggregating links
                                                      • Joining together for security
                                                        • Load Balancing with Multi‐Link
                                                          • Rethinking the ratio method
                                                          • Getting logical though fuzzily
                                                            • Keeping Watch over Hybrid Networks
                                                              • Proving a success
                                                              • Solving a real‐world issue
                                                                  • Chapter 5 Ten Top Tips for Managing Hybrid Connections
                                                                    • Whatrsquos the Role of the Network in My Business
                                                                    • What are the Connectivity Solutions Used in My Network
                                                                    • Do I Need a Service Level Agreement
                                                                    • What are the Availability Stats of My Most Important Applications
                                                                    • Is the Data Transmitted via My Network Secure
                                                                    • Am I Equipped for Increasing Volumes of Traffic
                                                                    • How much Time do I Spend on Configurations
                                                                    • Am I Always Using the Fastest Connection
                                                                    • Do I Sometimes Prioritize Performance over Security
                                                                    • Can I See All Connections Across My Network in Real‐Time
                                                                      • EULA
Page 41: These materials are © 2015 John Wiley & Sons, Ltd. Any ...€¦ · IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, ... hardware and

Securing Hybrid Networks For Dummies 36With the preferred link selection provided by Stonesoft Next Generation Firewall the QoS functionality allows control over how each application uses the available bandwidth resources Mission‐critical applications can be placed on links that pro-vide high priority with low latency while all other applica-tions are placed on the links that have available bandwidth or provide best effort

Inherent QoS makes use of network resources more efficient by servicing the most important traffic for your business and you donrsquot need to purchase more bandwidth

This retail company now benefits from guaranteed bandwidth for mission‐criticaltime sensitive applications and a better user experience

Aggregating linksWouldnrsquot it be great if you could somehow assemble several ADSL and LTE connections together to form one big and reli-able connection The probability for them all to fail at any given time is negligible Their traffic fluctuations occur ran-domly at different times and so most of the time yoursquod benefit from more than acceptable connection speeds Moreover the total cost would be low

Even combining three ADSL or LTE connections together is cheaper than an MPLS connection of the same size

Another method would be to use several low‐cost connections and somehow make them look like one trustworthy and fast connection Thatrsquos exactly what Stonesoft Next Generation Firewall is capable of enacting

Multi‐link technology combines several hybrid network con-nections together and makes them invisible to the user of that connection (see Figure 4-1) The user sees only a fast and always available connection whatever the connections Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environ-ments and their budgets

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Chapter 4 Optimizing Hybrid Networks 37

Joining together for securityAn industrial organization had their production sites in the United States and one of their sales offices was in Bermuda

The problemThe Bermuda office was totally dependent on the connection to the companyrsquos production sites One MPLS connection existed between the production site and the Bermuda office The CIO felt anxious because Bermuda is a known hurricane area One big hurricane could disrupt the communication lines and put the company out of business for a long time

The company compared several different options, including satellite backup connections and an additional MPLS connection from another ISP using Border Gateway Protocol (BGP). All alternatives turned out to be rather complex and costly.

The solution

The company solved the problem cost-effectively by using Forcepoint's Multi-Link and Firewall/VPN solutions with two MPLS connections from two different ISPs. This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections.

About one year after that, a category four hurricane swept through Bermuda and took down one of the main Internet service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just one example of the power of Forcepoint's Multi-Link (see Figure 4-2).

Figure 4-1: Combining different links for efficient hybrid networks

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (synchronize-acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-link technology secures hybrid business networks


Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
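As an added example (not Forcepoint or Stonesoft code), the following Python sketch turns link capacities into the ratio described above and simulates weighted selection of a link for each new connection, showing that the observed split is only approximate at low volume and converges on the capacity ratio at high volume; the link capacities and the random seed are constructed sample values.

```python
"""Ratio-based link selection: weight each link against the largest one.

Added example, not Forcepoint/Stonesoft code. Link capacities and the RNG
seed are constructed sample values; the weighting rule follows the text.
"""
import random


def capacity_ratios(capacities_mbps):
    """Weight of every link relative to the link with the most bandwidth (= 1.0)."""
    if not capacities_mbps or min(capacities_mbps) <= 0:
        raise ValueError("every link needs a positive capacity")
    largest = max(capacities_mbps)
    return [c / largest for c in capacities_mbps]


def expected_shares(capacities_mbps):
    """Fraction of new connections each link should carry once volume is high."""
    ratios = capacity_ratios(capacities_mbps)
    total = sum(ratios)
    return [r / total for r in ratios]


def pick_link(capacities_mbps, rng):
    """Choose one link for a new connection, weighted by its capacity ratio."""
    ratios = capacity_ratios(capacities_mbps)
    return rng.choices(range(len(ratios)), weights=ratios, k=1)[0]


def simulate(capacities_mbps, flows, seed=1):
    """Distribute `flows` new connections and return the observed share per link."""
    if flows <= 0:
        raise ValueError("need at least one flow to measure a distribution")
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    ratios = capacity_ratios(capacities_mbps)
    counts = [0] * len(ratios)
    for link in rng.choices(range(len(ratios)), weights=ratios, k=flows):
        counts[link] += 1
    return [c / flows for c in counts]


def max_deviation(capacities_mbps, flows, seed=1):
    """Largest gap between observed and expected share; shrinks as volume grows."""
    observed = simulate(capacities_mbps, flows, seed)
    expected = expected_shares(capacities_mbps)
    return max(abs(o - e) for o, e in zip(observed, expected))


if __name__ == "__main__":
    # Constructed sample: a 100 Mbit/s MPLS link plus 20 and 10 Mbit/s ADSL links.
    links = [100, 20, 10]
    print("ratios:", capacity_ratios(links))
    for n in (20, 200_000):
        print(f"{n:>7} flows -> max deviation {max_deviation(links, n):.4f}")
```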

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load-balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link even though multiple active links are available.

Traffic goes to a poor-quality link even though a better link is available.

Traffic goes to a standby link even though an active link works.

Switching to a standby link takes too long.


Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
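As an added example (not Stonesoft or Forcepoint code), this Python sketch assembles the pieces just named, input variables, fuzzy sets, rules, an output variable and de-fuzzifying, into a link-suitability score that answers the two questions above and then picks the best link; the membership breakpoints, the rule set, the use of packet loss as the failure signal and the sample measurements are all constructed assumptions.

```python
"""Fuzzy-logic link health: fuzzify inputs, fire rules, de-fuzzify to one score.

Added example, not Stonesoft/Forcepoint code. Breakpoints, rules, the
packet-loss failure signal and the sample links are constructed assumptions.
"""


def triangle(x, left, peak, right):
    """Triangular membership: 0 at the edges, 1 at the peak, linear in between."""
    if x <= left or x >= right:
        return 0.0
    if x == peak:
        return 1.0
    if x < peak:
        return (x - left) / (peak - left)
    return (right - x) / (right - peak)


def ramp_up(x, start, end):
    """Membership that climbs from 0 at `start` to 1 at `end` and stays there."""
    if x <= start:
        return 0.0
    if x >= end:
        return 1.0
    return (x - start) / (end - start)


def ramp_down(x, start, end):
    """Mirror of ramp_up: 1 below `start`, falling to 0 at `end`."""
    return 1.0 - ramp_up(x, start, end)


def fuzzify_load(utilisation_pct):
    """Input variable 1, 'How high is the load?' (assumed breakpoints in % utilisation)."""
    return {
        "low": ramp_down(utilisation_pct, 30, 60),
        "medium": triangle(utilisation_pct, 30, 60, 90),
        "high": ramp_up(utilisation_pct, 60, 90),
    }


def fuzzify_failure(loss_pct):
    """Input variable 2, 'How close are things to failing?' (assumed, from packet loss %)."""
    return {
        "healthy": ramp_down(loss_pct, 0.5, 3.0),
        "degrading": triangle(loss_pct, 0.5, 3.0, 10.0),
        "failing": ramp_up(loss_pct, 3.0, 10.0),
    }


# Output variable: link suitability, one representative crisp value per output set.
SUITABILITY = {"avoid": 0.0, "usable": 0.5, "preferred": 1.0}


def apply_rules(load, fail):
    """Mamdani-style rule base: AND is min, rules sharing a consequent combine by max."""
    strength = {"avoid": 0.0, "usable": 0.0, "preferred": 0.0}
    strength["preferred"] = max(strength["preferred"], min(load["low"], fail["healthy"]))
    strength["usable"] = max(strength["usable"], min(load["medium"], fail["healthy"]))
    strength["usable"] = max(strength["usable"], min(load["low"], fail["degrading"]))
    strength["avoid"] = max(strength["avoid"], load["high"])
    strength["avoid"] = max(strength["avoid"], fail["failing"])
    strength["avoid"] = max(strength["avoid"], min(load["medium"], fail["degrading"]))
    return strength


def defuzzify(strength):
    """'De-fuzzying': weighted average of output-set values, giving one number in [0, 1]."""
    total = sum(strength.values())
    if total == 0:
        return 0.0  # no rule fired; treat the link as unsuitable rather than guess
    return sum(SUITABILITY[k] * v for k, v in strength.items()) / total


def link_score(utilisation_pct, loss_pct):
    """Crisp suitability score for one link from its two measurements."""
    return defuzzify(apply_rules(fuzzify_load(utilisation_pct), fuzzify_failure(loss_pct)))


def choose_link(links):
    """links: {name: (utilisation_pct, loss_pct)}; return the best-scoring link."""
    return max(links, key=lambda name: link_score(*links[name]))


if __name__ == "__main__":
    # Constructed sample readings: a saturated MPLS line, an idle ADSL line, a lossy LTE line.
    sample = {"mpls": (95, 0.1), "adsl": (10, 0.1), "lte": (45, 2.0)}
    for name, (util, loss) in sample.items():
        print(f"{name}: {link_score(util, loss):.3f}")
    print("chosen:", choose_link(sample))
```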

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low-bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management of all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value, and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You may be surprised at how networks change and grow, and take you unawares when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arise. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic (in other words, taking a backup image from a server). Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

Page 42: These materials are © 2015 John Wiley & Sons, Ltd. Any ...€¦ · IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, ... hardware and

Chapter 4 Optimizing Hybrid Networks 37

Joining together for securityAn industrial organization had their production sites in the United States and one of their sales offices was in Bermuda

The problemThe Bermuda office was totally dependent on the connection to the companyrsquos production sites One MPLS connection existed between the production site and the Bermuda office The CIO felt anxious because Bermuda is a known hurricane area One big hurricane could disrupt the communication lines and put the company out of business for a long time

The company compared several different options including satellite backup connections and an additional MPLS connec-tion from another ISP using border gateway protocol (BGP) All alternatives turned out to be rather complex and costly

The solutionThe company solved the problem cost effectively by using Forcepointsrsquo Multi‐Link and FirewallVPN solutions with two MPLS connections from two different ISPs This configuration enabled them to avoid a cumbersome BGP setup and gain highly available connections

About one year after that a category four hurricane swept through Bermuda and took down one of the main Internet

Figure 4-1 Combining different links for efficient hybrid networks

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Securing Hybrid Networks For Dummies 38 service providers When that event hit the news Forcepoint support personnel called the organizationrsquos IT manager and asked if hersquod noticed that one of the companyrsquos ISPs had been wiped out The IT manager said that he hadnrsquot noticed any-thingmdashconnections were functioning flawlessly This is just an example of the power of Forcepointrsquos Multi‐Link (see Figure 4-2)

The traffic from the failed ISP connection was automatically transferred to the still functioning one Business continued without interruption

Load Balancing with Multi‐LinkAt times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution For example if one ISPrsquos bandwidth far exceeds other connec-tions being used and is supplemented by smaller ISPs the smaller ISP may return a faster SYN‐ACK (that is synchronize acknowledgement) response

But although this option may seem like the lsquofastestrsquo connec-tion it may not take into account the proportionate band-width available

In this section we describe how Multi‐Link technology load‐balances the network traffic among different links You dis-cover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links

Figure 4-2 Multi‐link technology secures hybrid business networks

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Chapter 4 Optimizing Hybrid Networks 39

Rethinking the ratio methodForcepointrsquos Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links

The bandwidths of the other links are automatically com-pared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic

Volume of traffic is low The ratio of actual traffic distri-bution is approximate

Volume of traffic is high The ratio of traffic handled by each link is closer to the ratio calculated from the link capacity

Getting logical though fuzzilyUsing ratio‐based load balancing allows Forcepointrsquos Multi‐Link to take the larger link(s) into consideration to allow for more granular and efficient use of available links

Load‐balancing traffic between several different ISPs isnrsquot as easy as it sounds (if it didnrsquot sound easy then ignore that) Handling different situations gracefully can be especially challenging Stonesoft Next Generation Firewall uses several cutting‐edge technologies including fuzzy logic to solve VPN load balancing and high‐availability issues

Here are some examples of problems that can occur if the load balancing or VPN resilience isnrsquot handled correctly

Traffic goes to only one ISP link even though multiple active links are available

Traffic goes to a poor‐quality link even though a better link is available

Traffic goes to a standby link even though an active link works

Switching to a standby link takes too long

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Securing Hybrid Networks For Dummies 40Fuzzy logic is a nice tool to use in such scenarios because itrsquos a multi‐value logic that is instead of lsquo0rsquo or lsquo1rsquo you have mul-tiple values Fuzzy logic can use imprecise data and calculate lsquodegrees of truthrsquo providing answers to the following questions

How high is the load

How close are things to failing

Fuzzy logic uses input variables fuzzy sets output variables rules and lsquode‐fuzzyingrsquo to provide an answer This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast‐changing and unpredictable environment

In addition to fuzzy logic Stonesoft Next Generation Firewall uses multi‐link technology which allows it always to choose the fastest Internet service provider line

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure These challenges span monitoring network and server activi-ties to event detection and keeping track of configuration changes

In this section we present a real‐life case of how a global man-ufacturing enterprise deployed security management func-tionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and perfor-mance metrics met their business requirements

Proving a successCase studies available for consultation at wwwforcepointcom unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall Forcepointrsquos Security Management Center can represent a significant reduction in time and effort for

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Chapter 4 Optimizing Hybrid Networks 41 organizations with dozens of globally distributed networks and hundreds of firewalls to manage

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services The Security Management Center provides complete single‐pane‐of‐glass visibility and control of physical and virtual networks and can integrate with third‐party devices and event management tools

Solving a real‐world issueAn interesting case with specific business criteria is that of a global manufacturing company requiring lower‐cost Internet connections between its production sites and sales offices

The problemThe company had several conflicting needs

The production facilities were in developing countries But although production costs were low the local infra-structure didnrsquot provide reliable Internet connections or if it did the connections were extremely costly

The ERP system required low latency connectionsmdashan MPLS connection with a strict SLA if possible

The use of a VoIP service was desirable wherever pos-sible to save costs

Two or three people operating out of one site had to manage the network infrastructure (800 sites)

In many developing countries land lines are either non‐existent or of very poor quality and unreliable However a relatively good chance exists that the wireless infrastructure is in place With Stonesoft Next Generation Firewall businesses can first use 3G wireless connections and then add high‐speed land‐line connections later when theyrsquore ready If the land‐line connec-tions fail Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup

MPLS connections are moderately priced when used within one country If MPLS connections are required globally the pricing starts to rise sharply as the distance between the sites

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Securing Hybrid Networks For Dummies 42grows In this case the ERP system needed a low‐latency con-nection which the MPLS can provide Fortunately the ERP system didnrsquot require much bandwidth but Internet usage and VoIP calls did

The solutionThe company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connections costs low It was able to manage that using Forcepointrsquos Multi‐Link VPN technology which seamlessly combined different ISP connections

Managing 800 sites is no easy task without a centralized man-agement system Forcepointrsquos Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices Currently and rather impressively the company is managing its 800 sites with two administrators

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities

• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised by how networks change and grow, and be taken unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.

What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Therefore take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.

How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a backup image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.

WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real-Time?
  • EULA

service providers. When that event hit the news, Forcepoint support personnel called the organization's IT manager and asked if he'd noticed that one of the company's ISPs had been wiped out. The IT manager said that he hadn't noticed anything: connections were functioning flawlessly. This is just an example of the power of Forcepoint's Multi-Link (see Figure 4-2).

The traffic from the failed ISP connection was automatically transferred to the still-functioning one. Business continued without interruption.

Load Balancing with Multi-Link

At times you may think that a ratio method (whereby traffic is distributed among all the available links according to the relative capacity of the links) is the preferred solution. For example, if one ISP's bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK (that is, synchronize acknowledgement) response.

But although this option may seem like the 'fastest' connection, it may not take into account the proportionate bandwidth available.

In this section we describe how Multi-Link technology load-balances the network traffic among different links. You discover how this functionality uses fuzzy logic to quickly figure out if one of the links is going bad and to move network traffic away to other valid links.

Figure 4-2: Multi-Link technology secures hybrid business networks.

Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

• Volume of traffic is low: the ratio of actual traffic distribution is approximate.

• Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
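To make the ratio method concrete, here is an added example (not Forcepoint's code) that derives each link's weight by comparing it to the largest link and then deals new connections out in that proportion; the three links, their capacities and the smooth weighted round-robin scheduler are constructed assumptions for illustration, not the product's actual mechanism. It also shows why the realised distribution is only approximate at low volume and matches the capacity ratio at high volume.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

# Constructed sample: three ISP links and their capacities in Mbit/s.
LINKS = {"isp-a": 100, "isp-b": 50, "isp-c": 20}


def capacity_ratios(links):
    """Compare every link to the link with the most bandwidth.

    Returns name -> Fraction of the biggest link's capacity, e.g. 50/100 = 1/2.
    """
    biggest = max(links.values())
    return {name: Fraction(cap, biggest) for name, cap in links.items()}


def integer_weights(links):
    """Smallest whole-number weights with the same proportions (100:50:20 -> 10:5:2)."""
    common = reduce(gcd, links.values())
    return {name: cap // common for name, cap in links.items()}


def deal_connections(weights, n):
    """Assign n new connections to links in proportion to their weights.

    Uses smooth weighted round-robin (an assumption for this example, not a
    description of any product's scheduler): every round each link earns its
    weight, the richest link takes the connection and pays the total back.
    Over every sum(weights) connections each link is chosen exactly `weight`
    times, so the realised share converges to the capacity ratio.
    """
    total = sum(weights.values())
    credit = {name: 0 for name in weights}
    chosen = []
    for _ in range(n):
        for name, weight in weights.items():
            credit[name] += weight
        pick = max(credit, key=credit.get)
        credit[pick] -= total
        chosen.append(pick)
    return chosen


def realised_share(chosen, names):
    """Fraction of the dealt connections that each link actually received."""
    return {name: chosen.count(name) / len(chosen) for name in names}


def max_deviation(links, n):
    """Largest gap between a link's realised share and its capacity share
    after n connections. Small n is the 'volume is low' case of the text,
    large n the 'volume is high' case."""
    weights = integer_weights(links)
    total = sum(weights.values())
    target = {name: weight / total for name, weight in weights.items()}
    actual = realised_share(deal_connections(weights, n), weights)
    return max(abs(actual[name] - target[name]) for name in target)


if __name__ == "__main__":
    print("capacity ratios:", {k: str(v) for k, v in capacity_ratios(LINKS).items()})
    for n in (3, 7, 17, 1700):
        print(f"after {n:5d} connections, max deviation from ratio: {max_deviation(LINKS, n):.3f}")
```

With weights 10:5:2 the first three connections go to isp-a, isp-b, isp-a, so the smallest link's share is 0 instead of 2/17; after any multiple of 17 connections the shares match the capacity ratio exactly.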

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, allowing more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

• Traffic goes to only one ISP link even though multiple active links are available.

• Traffic goes to a poor-quality link even though a better link is available.

• Traffic goes to a standby link even though an active link works.

• Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic; that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

• How high is the load?

• How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
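The fuzzy inference the text sketches, as an added example that is not the product's rule base: two input variables (load and packet loss), overlapping fuzzy sets, three rules and a weighted-average de-fuzzification produce a health score, which then scales each link's capacity-ratio weight so traffic drifts away from a link that is going bad. The sample links, the set boundaries, the rules and the 0.2 cut-off are constructed assumptions for illustration.

```python
# Constructed sample: name -> (capacity in Mbit/s, load in % of capacity, packet loss in %).
SAMPLE_LINKS = {
    "isp-a": (100, 20.0, 0.1),   # healthy
    "isp-b": (50, 75.0, 1.5),    # busy and starting to drop packets
    "isp-c": (20, 30.0, 6.0),    # lightly used but losing 6% of packets
}


def ramp_up(x, lo, hi):
    """Membership rising from 0 at lo to 1 at hi (a 'high' fuzzy set)."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def ramp_down(x, lo, hi):
    """Membership falling from 1 at lo to 0 at hi (a 'low' fuzzy set)."""
    return 1.0 - ramp_up(x, lo, hi)


# Input variable 1, "how high is the load?": fuzzy sets over link load in %.
# Fully 'low' up to 40%, fully 'high' from 90%; between 60% and 70% both sets
# overlap, which is the point of fuzzy rather than crisp thresholds.
def load_is_low(pct):
    return ramp_down(pct, 40.0, 70.0)


def load_is_high(pct):
    return ramp_up(pct, 60.0, 90.0)


# Input variable 2, "how close are things to failing?": fuzzy sets over packet loss in %.
def loss_is_low(pct):
    return ramp_down(pct, 0.5, 2.0)


def loss_is_high(pct):
    return ramp_up(pct, 1.0, 5.0)


# Output variable: link health, one representative value per linguistic term.
HEALTH_GOOD, HEALTH_FAIR, HEALTH_POOR = 1.0, 0.5, 0.0


def link_health(load_pct, loss_pct):
    """Run the rule base and de-fuzzify to a health score between 0 and 1."""
    # Rule 1: IF load is low AND loss is low THEN health is good   (AND = min)
    good = min(load_is_low(load_pct), loss_is_low(loss_pct))
    # Rule 2: IF load is high OR loss is high THEN health is poor  (OR = max)
    poor = max(load_is_high(load_pct), loss_is_high(loss_pct))
    # Rule 3: IF NOT good AND NOT poor THEN health is fair         (NOT = 1 - m)
    fair = min(1.0 - good, 1.0 - poor)
    # De-fuzzify: weighted average of the output values by rule strength.
    total = good + fair + poor
    if total == 0.0:  # cannot happen with rule 3 present; defensive only
        return HEALTH_FAIR
    return (good * HEALTH_GOOD + fair * HEALTH_FAIR + poor * HEALTH_POOR) / total


def steer(links, min_health=0.2):
    """Combine capacity ratio and health into a traffic weight per link.

    Returns name -> (health, weight). Weight is the link's share of the
    largest capacity scaled by its health, so a link that is 'going bad'
    loses traffic gradually, and a link below min_health gets none at all.
    """
    biggest = max(capacity for capacity, _, _ in links.values())
    result = {}
    for name, (capacity, load_pct, loss_pct) in links.items():
        health = link_health(load_pct, loss_pct)
        weight = (capacity / biggest) * health if health >= min_health else 0.0
        result[name] = (round(health, 4), round(weight, 4))
    return result


if __name__ == "__main__":
    for name, (health, weight) in steer(SAMPLE_LINKS).items():
        print(f"{name}: health={health:.2f} weight={weight:.3f}")
```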

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span monitoring network and server activities, event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce its operational costs while also ensuring that its connectivity and performance metrics met its business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. But although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

• The ERP system required low-latency connections: an MPLS connection with a strict SLA if possible.

• The use of a VoIP service was desirable wherever possible to save costs.

• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country If MPLS connections are required globally the pricing starts to rise sharply as the distance between the sites

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Securing Hybrid Networks For Dummies 42grows In this case the ERP system needed a low‐latency con-nection which the MPLS can provide Fortunately the ERP system didnrsquot require much bandwidth but Internet usage and VoIP calls did

The solutionThe company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connections costs low It was able to manage that using Forcepointrsquos Multi‐Link VPN technology which seamlessly combined different ISP connections

Managing 800 sites is no easy task without a centralized man-agement system Forcepointrsquos Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices Currently and rather impressively the company is managing its 800 sites with two administrators

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Ten Top Tips for Managing Hybrid Connections

In This Chapter Navigating complexities

Highlighting the need for strategic planning

I n this chapter we present ten questions to ask yourself about your company Think of them as hints to help deter-

mine how to make your hybrid network work in the best pos-sible way as well as support future changes

Each industry is unique and the critical aspects driving one businessrsquos network can differ to a greater or lesser degree from those of another You can deduce the best practices that govern the management of your distributed network via these questions which help you to map your network infrastructure to the technological solutions at your disposal

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling Although by no means exhaustive the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge

The information in this chapter isnrsquot sufficiently detailed for you to understand the intricacies of securing hybrid net-works We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient net-work security and management

Chapter 5

Securing Hybrid Networks For Dummies 44

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Whatrsquos the Role of the Network in My Business

Whether your business activity is centered on the industrial educational financial or other segment you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it

You also need to grasp fully the consequences of downtime broken connections stealth attacks or increasing traffic vol-umes You can be surprised how networks change and grow and take you unaware when an incident occurs

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network

Here you need to know exactly what you subscribe to and why digital subscriber lines (DSL) leased lines cable modems satellite mobile broadband and even WAN links such as point‐to‐point MPLS Knowing the full scope of links you use and the amount of bandwidth yoursquore obtaining condi-tions the policies you use to manage traffic

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings implement link‐balancing technology do both or in a best‐case scenario even do nothing How great would that be

We discuss SLAs in Chapter 2

Chapter 5 Ten Top Tips for Managing Hybrid Connections 45

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

What are the Availability Stats of My Most Important Applications

You already know what applications are critical for your busi-ness Therefore take the knowledge one step further and ana-lyze whether your processes favor or do a disservice to those applications Doing so puts you in the position to change how you manage application availability

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure

Cyber security is one of the highest concerns for governments and business today and the fact that security precautions arenrsquot always implemented is becoming increasingly clear Taking care of your security helps you to take care of your busi-ness and avoid the disaster of breaches and non‐compliance

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity

Am I Equipped for Increasing Volumes of Traffic

Even if your traffic flows are incident‐free at any given time you need enough foresight to prevent bottlenecks before they arrive Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4

Securing Hybrid Networks For Dummies 46

How much Time do I Spend on Configurations

Research commissioned by Forcepoint revealsmdashnot surprisinglymdashthat a significant divide exists between the ideal time and realistic time businesses spend on operations such as preliminary firewall configuration policy setting and updates remote location setup and more

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection

You may sometimes receive reports that an application took longer than usual to access or that receivers didnrsquot see the information intended for them Paying attention to input from users and your environment is always wise but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas

Chapter 4 explores the different methods that Multi‐Link tech-nology will use to select the fastest available connection

Do I Sometimes Prioritize Performance over Security

As security becomes more and more complex a tug‐of‐war has emerged with network administrators facing situations where advanced protection can adversely affect network performance

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Chapter 5 Ten Top Tips for Managing Hybrid Connections 47

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

As with most risk situations if people try something once and it works they tend to do it again So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm ndash until the day an attack slips by unnoticed You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network As an example consider the companies that use a separate network for backup traffic ndash in other words taking a back‐up image from a server Would they really need encryp-tion on that dedicated and extremely high traffic network

Skip back to Chapter 1 for different types of network architec-tures and their security features See Chapter 3 for methods of securing network traffic

Can I See All Connections Across My Network in Real‐Time

Whether you speak of electrical circuits railway infrastruc-tures or digital connections a global overview of whatrsquos happening on any network at each instant is undoubtedly pre-cious With distributed networks the ability to supervise from a central point and from anywhere in the world is indispensable

Browse through Chapter 4 for knowledge about the manage-ment and surveillance of hybrid networks

Securing Hybrid Networks For Dummies 48

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

WILEY END USER LICENSE AGREEMENTGo to wwwwileycomgoeula to access Wileyrsquos ebook EULA

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
      • Chapter 1 Understanding Next‐Generation Networks
        • Connecting the World
          • Introducing how networks work
          • Understanding network architectures
            • Deploying Hybrid Networks
              • Speeding things up
              • Staying secure
              • Talking about network topologies
              • Making the case for distributed networks
              • Keeping traffic private via VPN
                • Finding a Way Through Routing and Load Balancing
                  • Understanding routing protocols
                  • Considering load‐balancing hybrid networks
                      • Chapter 2 Running Efficient Hybrid Networks
                        • Balancing Cost Performance and Security
                          • Identifying key business principles
                          • Addressing outage with SLAs
                            • Considering Your Network Configurations
                              • Discerning critical versus non‐critical applications
                              • Scaling for growth and change
                              • Firing up your firewall knowledge
                                  • Chapter 3 Managing Hybrid Connection Challenges
                                    • Managing Network Connections for Optimal Performance
                                      • Prioritizing traffic with QoS
                                      • Balancing load between ISPs
                                      • Activating dormant links
                                        • Considering Costs
                                          • Using consumer grade connections
                                          • Estimating a budget
                                            • Keeping Your Network Safe

Rethinking the ratio method

Forcepoint's Stonesoft Next Generation Firewall technology can resolve the puzzle by using a ratio method, in which traffic is distributed among all the available links according to the relative capacity of the links.

The bandwidths of the other links are automatically compared to the bandwidth of the link with the most bandwidth to produce a ratio for distributing the traffic:

Volume of traffic is low: the ratio of actual traffic distribution is approximate.

Volume of traffic is high: the ratio of traffic handled by each link is closer to the ratio calculated from the link capacity.
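As an added illustration (not code from the book or from Forcepoint's product), the following Python realises the ratio method above: each link's bandwidth is compared to the largest link, and new connections are spread by that ratio using smooth weighted round-robin, an assumed mechanism. The link names and capacities are constructed sample values; a run with five connections shows the approximate distribution at low volume, and a run with 1700 shows the convergence the text describes.

```python
"""Ratio-based distribution of new connections across links of unequal capacity.

Added example, not code from the book or from Forcepoint's product. Every link
is compared to the largest one to obtain a ratio, and new connections are
spread accordingly. Smooth weighted round-robin is an assumed way of realising
that ratio; the link names and capacities are constructed sample values.
"""
from collections import Counter

# Constructed sample links: name -> nominal capacity in Mbit/s.
SAMPLE_LINKS = {"fibre": 100, "lte": 50, "adsl": 20}


def link_ratios(capacities):
    """Ratio of each link to the largest link (the largest link is 1.0)."""
    biggest = max(capacities.values())
    return {name: cap / biggest for name, cap in capacities.items()}


def target_shares(capacities):
    """Fraction of traffic each link should carry, derived from the ratios."""
    ratios = link_ratios(capacities)
    total = sum(ratios.values())
    return {name: ratio / total for name, ratio in ratios.items()}


def assign_connections(capacities, n_connections):
    """Spread n_connections over the links with smooth weighted round-robin.

    Each step every link gains its capacity as credit; the link with the most
    credit takes the connection and pays back the total capacity. Over a long
    run the picks converge on the capacity ratio; over a few picks they cannot.
    """
    credit = {name: 0 for name in capacities}
    total = sum(capacities.values())
    picks = Counter()
    for _ in range(n_connections):
        for name, cap in capacities.items():
            credit[name] += cap
        chosen = max(credit, key=credit.get)
        credit[chosen] -= total
        picks[chosen] += 1
    return picks


def max_deviation(capacities, n_connections):
    """Largest gap between observed and target share after n_connections picks."""
    target = target_shares(capacities)
    picks = assign_connections(capacities, n_connections)
    return max(abs(picks[name] / n_connections - target[name]) for name in target)


if __name__ == "__main__":
    for n in (5, 50, 1700):
        observed = dict(assign_connections(SAMPLE_LINKS, n))
        print(n, observed, round(max_deviation(SAMPLE_LINKS, n), 3))
```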

Getting logical, though fuzzily

Using ratio-based load balancing allows Forcepoint's Multi-Link to take the larger link(s) into consideration, to allow for more granular and efficient use of available links.

Load-balancing traffic between several different ISPs isn't as easy as it sounds (if it didn't sound easy, then ignore that). Handling different situations gracefully can be especially challenging. Stonesoft Next Generation Firewall uses several cutting-edge technologies, including fuzzy logic, to solve VPN load balancing and high-availability issues.

Here are some examples of problems that can occur if the load balancing or VPN resilience isn't handled correctly:

Traffic goes to only one ISP link, even though multiple active links are available.

Traffic goes to a poor-quality link, even though a better link is available.

Traffic goes to a standby link, even though an active link works.

Switching to a standby link takes too long.

Fuzzy logic is a nice tool to use in such scenarios because it's a multi-value logic: that is, instead of '0' or '1' you have multiple values. Fuzzy logic can use imprecise data and calculate 'degrees of truth', providing answers to the following questions:

How high is the load?

How close are things to failing?

Fuzzy logic uses input variables, fuzzy sets, output variables, rules and 'de-fuzzying' to provide an answer. This capability helps Stonesoft Next Generation Firewall to work optimally even in a very fast-changing and unpredictable environment.

In addition to fuzzy logic, Stonesoft Next Generation Firewall uses multi-link technology, which allows it always to choose the fastest Internet service provider line.
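As an added example, not from the book or from Forcepoint's product, here is a small fuzzy inference that answers those two questions for each link (input variables, fuzzy sets, rules, de-fuzzying) and then applies an active/standby policy of the kind the problem list above calls for. The membership shapes, the rule set, the policy threshold and the sample readings are all constructed assumptions.

```python
"""Fuzzy-logic link preference: "how high is the load?", "how close to failing?".

Added example, not code from the book or from Forcepoint's product. It runs a
small Mamdani-style inference: crisp readings are fuzzified into sets, rules
combine the degrees of truth, and the aggregate is de-fuzzified (centroid)
into one preference score per link. The membership shapes, the rule set, the
active/standby policy threshold and the sample readings are all assumptions.
"""


def trap(x, a, b, c, d):
    """Trapezoidal membership: 0 below a, rises to 1 at b, flat to c, 0 at d."""
    if x <= a or x >= d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)


# Input variable 1: link load as percent of capacity.
LOAD = {"low": (-1, 0, 30, 60), "medium": (30, 50, 50, 80), "high": (60, 85, 100, 101)}
# Input variable 2: probe packet loss in percent, a proxy for "close to failing".
LOSS = {"healthy": (-1, 0, 1, 5), "degraded": (2, 5, 10, 20), "failing": (10, 25, 100, 101)}
# Output variable: preference (0..100) for sending new connections over the link.
PREF = {"poor": (-1, 0, 20, 50), "fair": (25, 50, 50, 75), "good": (50, 80, 100, 101)}


def fuzzify(value, sets):
    """Degree of membership of one crisp value in each fuzzy set of a variable."""
    return {name: trap(value, *shape) for name, shape in sets.items()}


def rule_strengths(load_pct, loss_pct):
    """Apply the rule base (AND = min, OR = max); return strength per output set."""
    load = fuzzify(load_pct, LOAD)
    loss = fuzzify(loss_pct, LOSS)
    return {
        # good only when lightly loaded and healthy
        "good": min(load["low"], loss["healthy"]),
        # fair when moderately loaded and healthy, or whenever probes look degraded
        "fair": max(min(load["medium"], loss["healthy"]), loss["degraded"]),
        # poor when heavily loaded or when the link is failing
        "poor": max(load["high"], loss["failing"]),
    }


def defuzzify(strengths, step=1):
    """Centroid of the clipped-and-merged output sets, sampled every `step` points."""
    num = den = 0.0
    for x in range(0, 101, step):
        m = max(min(strengths[name], trap(x, *PREF[name])) for name in PREF)
        num += x * m
        den += m
    return num / den if den else 0.0


def preference(load_pct, loss_pct):
    """Crisp 0..100 preference for one link from its two crisp readings."""
    return defuzzify(rule_strengths(load_pct, loss_pct))


ACTIVE_MIN_PREFERENCE = 30.0  # assumed policy: below this an active link is unusable


def choose_link(links):
    """Best active link; the best standby only when no active link is usable.

    links: list of (name, role, load_pct, loss_pct), role "active" or "standby".
    Returns (name, preference).
    """
    scored = [(name, role, preference(load, loss)) for name, role, load, loss in links]
    active = [(n, p) for n, r, p in scored if r == "active" and p >= ACTIVE_MIN_PREFERENCE]
    if active:
        return max(active, key=lambda item: item[1])
    standby = [(n, p) for n, r, p in scored if r == "standby"]
    if standby:
        return max(standby, key=lambda item: item[1])
    return max(((n, p) for n, r, p in scored), key=lambda item: item[1])


if __name__ == "__main__":
    # Constructed readings: two active ISP links and one standby 3G-style link.
    normal = [("isp1", "active", 10, 0), ("isp2", "active", 90, 0), ("backup", "standby", 0, 0)]
    outage = [("isp1", "active", 95, 30), ("isp2", "active", 90, 0), ("backup", "standby", 0, 0)]
    print(choose_link(normal))  # isp1 is preferred; the idle standby is not used
    print(choose_link(outage))  # both active links score poor, so the standby takes over
```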

Keeping Watch over Hybrid Networks

Both experience and research have led security administrators to understand that some of the major challenges of protecting IT assets are related to managing the security infrastructure. These challenges span from monitoring network and server activities to event detection and keeping track of configuration changes.

In this section we present a real-life case of how a global manufacturing enterprise deployed security management functionality across hybrid networks to reduce their operational costs while also ensuring that their connectivity and performance metrics met their business requirements.

Proving a success

Case studies available for consultation at www.forcepoint.com unanimously cite the advantages of the centralized management features offered by Stonesoft Next Generation Firewall. Forcepoint's Security Management Center can represent a significant reduction in time and effort for organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

The use of a VoIP service was desirable wherever possible, to save costs.

Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case the ERP system needed a low-latency connection, which MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines, to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

Navigating complexities

Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow and take you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.

How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology will use to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

                              • Scaling for growth and change
                              • Firing up your firewall knowledge
                                  • Chapter 3 Managing Hybrid Connection Challenges
                                    • Managing Network Connections for Optimal Performance
                                      • Prioritizing traffic with QoS
                                      • Balancing load between ISPs
                                      • Activating dormant links
                                        • Considering Costs
                                          • Using consumer grade connections
                                          • Estimating a budget
                                            • Keeping Your Network Safe
                                              • Preventing eavesdropping
                                              • Demystifying VPN protocols
                                                  • Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology
                                                    • Meeting Multi‐Link Technology
                                                      • Prioritizing links
                                                      • Seeing multi‐link priorization in action
                                                      • Aggregating links
                                                      • Joining together for security
                                                        • Load Balancing with Multi‐Link
                                                          • Rethinking the ratio method
                                                          • Getting logical though fuzzily
                                                            • Keeping Watch over Hybrid Networks
                                                              • Proving a success
                                                              • Solving a real‐world issue
                                                                  • Chapter 5 Ten Top Tips for Managing Hybrid Connections
                                                                    • Whatrsquos the Role of the Network in My Business
                                                                    • What are the Connectivity Solutions Used in My Network
                                                                    • Do I Need a Service Level Agreement
                                                                    • What are the Availability Stats of My Most Important Applications
                                                                    • Is the Data Transmitted via My Network Secure
                                                                    • Am I Equipped for Increasing Volumes of Traffic
                                                                    • How much Time do I Spend on Configurations
                                                                    • Am I Always Using the Fastest Connection
                                                                    • Do I Sometimes Prioritize Performance over Security
                                                                    • Can I See All Connections Across My Network in Real‐Time
                                                                      • EULA
Page 46: These materials are © 2015 John Wiley & Sons, Ltd. Any ...€¦ · IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, ... hardware and

organizations with dozens of globally distributed networks and hundreds of firewalls to manage.

Hybrid networks spanning a large number of distributed sites need constant surveillance across the entire infrastructure to maintain agile services. The Security Management Center provides complete single-pane-of-glass visibility and control of physical and virtual networks, and can integrate with third-party devices and event management tools.

Solving a real-world issue

An interesting case with specific business criteria is that of a global manufacturing company requiring lower-cost Internet connections between its production sites and sales offices.

The problem

The company had several conflicting needs:

• The production facilities were in developing countries. Although production costs were low, the local infrastructure didn't provide reliable Internet connections, or if it did, the connections were extremely costly.

• The ERP system required low-latency connections: an MPLS connection with a strict SLA, if possible.

• The use of a VoIP service was desirable wherever possible to save costs.

• Two or three people operating out of one site had to manage the network infrastructure (800 sites).

In many developing countries, land lines are either non-existent or of very poor quality and unreliable. However, a relatively good chance exists that the wireless infrastructure is in place. With Stonesoft Next Generation Firewall, businesses can first use 3G wireless connections and then add high-speed land-line connections later, when they're ready. If the land-line connections fail, Stonesoft Next Generation Firewall can automatically use the 3G connection as a backup.

MPLS connections are moderately priced when used within one country. If MPLS connections are required globally, the pricing starts to rise sharply as the distance between the sites grows. In this case, the ERP system needed a low-latency connection, which the MPLS can provide. Fortunately, the ERP system didn't require much bandwidth, but Internet usage and VoIP calls did.

The solution

The company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower-cost ADSL lines to keep global connection costs low. It was able to manage that using Forcepoint's Multi-Link VPN technology, which seamlessly combined different ISP connections.

Managing 800 sites is no easy task without a centralized management system. Forcepoint's Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices. Currently, and rather impressively, the company is managing its 800 sites with two administrators.
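The split described in this case (ERP over the low-bandwidth MPLS line, everything else over ADSL, 3G only when a land line fails) as an added Python illustration; this is not Forcepoint or Stonesoft code. The link names, gateway addresses, probe latencies, the 80 ms SLA threshold and the iproute2 rendering are assumptions constructed for the example.

```python
"""Policy-based link selection for the hybrid site in the case study.

Added illustration (not Forcepoint or Stonesoft code): a small policy engine
that models one production site with a low-bandwidth MPLS line, an ADSL line
and a 3G link held in reserve.  All link names, addresses and latencies are
constructed values for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    kind: str          # "mpls", "adsl" or "3g"
    dev: str           # interface name on the site gateway
    gateway: str       # next hop for this ISP
    latency_ms: float  # most recent probe result
    up: bool = True


# Preference order per traffic class, following the case: ERP needs the
# low-latency MPLS line, everything else goes to cheap ADSL, and 3G is only
# reached when the land line ahead of it in the list has failed.  The MPLS
# line is deliberately absent from the VoIP/Internet lists so bulk traffic
# can never crowd out ERP on that very low bandwidth circuit.
POLICY: Dict[str, List[str]] = {
    "erp": ["mpls", "adsl", "3g"],
    "voip": ["adsl", "3g"],
    "internet": ["adsl", "3g"],
}
ERP_MAX_LATENCY_MS = 80.0  # assumed SLA figure for the example

# Routing-table numbers and firewall marks used when rendering iproute2
# rules; the marks themselves would be set by the firewall's classifier.
TABLE = {"erp": 101, "voip": 102, "internet": 103}
FWMARK = {"erp": 0x1, "voip": 0x2, "internet": 0x3}


def select_link(traffic_class: str, links: List[Link]) -> Optional[Link]:
    """Pick the link that should carry traffic_class, or None if none is usable.

    Walks the class's preference list; within one link kind the lowest-latency
    healthy link wins.  ERP additionally skips any kind whose best link exceeds
    the SLA latency, so a degraded MPLS line fails over to ADSL instead of
    dragging the ERP sessions down with it.
    """
    healthy = [l for l in links if l.up]
    for kind in POLICY[traffic_class]:
        pool = sorted((l for l in healthy if l.kind == kind),
                      key=lambda l: l.latency_ms)
        if not pool:
            continue
        best = pool[0]
        if traffic_class == "erp" and best.latency_ms > ERP_MAX_LATENCY_MS:
            continue
        return best
    return None


def route_plan(links: List[Link]) -> Dict[str, Optional[str]]:
    """Map every traffic class to the name of its selected link."""
    plan: Dict[str, Optional[str]] = {}
    for cls in POLICY:
        link = select_link(cls, links)
        plan[cls] = link.name if link else None
    return plan


def render_iproute2(links: List[Link]) -> List[str]:
    """Render the plan as Linux policy-routing commands, one table per class.

    Illustrative only: a real site would apply the equivalent through the
    firewall's own configuration, not an ad-hoc script.
    """
    cmds: List[str] = []
    for cls in POLICY:
        link = select_link(cls, links)
        if link is None:
            continue  # no usable link: leave the class without a route
        cmds.append(f"ip route replace default via {link.gateway} "
                    f"dev {link.dev} table {TABLE[cls]}")
        cmds.append(f"ip rule add fwmark {FWMARK[cls]:#x} table {TABLE[cls]}")
    return cmds


def set_link_state(links: List[Link], name: str, up: bool,
                   latency_ms: Optional[float] = None) -> None:
    """Feed a probe result into the model (what a link monitor would do)."""
    for l in links:
        if l.name == name:
            l.up = up
            if latency_ms is not None:
                l.latency_ms = latency_ms


def example_site() -> List[Link]:
    """Constructed links for one production site."""
    return [
        Link("mpls1", "mpls", "eth1", "10.0.1.1", latency_ms=25.0),
        Link("adsl1", "adsl", "eth2", "192.0.2.1", latency_ms=60.0),
        Link("3g1", "3g", "wwan0", "198.51.100.1", latency_ms=150.0),
    ]


if __name__ == "__main__":
    site = example_site()
    print(route_plan(site))                 # all links healthy
    set_link_state(site, "adsl1", up=False)
    print(route_plan(site))                 # VoIP and Internet fall back to 3G
    set_link_state(site, "adsl1", up=True)
    set_link_state(site, "mpls1", up=True, latency_ms=200.0)
    print(route_plan(site))                 # degraded MPLS: ERP moves to ADSL
```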


Chapter 5

Ten Top Tips for Managing Hybrid Connections

In This Chapter

• Navigating complexities

• Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.

What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value, and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. You can be surprised how networks change and grow, and take you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know what applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology will use to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words taking a back-up image from a server. Would they really need encryption on that dedicated and extremely high traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real-Time?
  • EULA
Page 47: These materials are © 2015 John Wiley & Sons, Ltd. Any ...€¦ · IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, ... hardware and

Securing Hybrid Networks For Dummies 42grows In this case the ERP system needed a low‐latency con-nection which the MPLS can provide Fortunately the ERP system didnrsquot require much bandwidth but Internet usage and VoIP calls did

The solutionThe company decided to use a very low bandwidth MPLS line for ERP traffic and direct all the other traffic to lower‐cost ADSL lines to keep global connections costs low It was able to manage that using Forcepointrsquos Multi‐Link VPN technology which seamlessly combined different ISP connections

Managing 800 sites is no easy task without a centralized man-agement system Forcepointrsquos Security Management Center provides a clear overview of the VPN infrastructure and allows centralized remote management for all VPN devices Currently and rather impressively the company is managing its 800 sites with two administrators

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Ten Top Tips for Managing Hybrid Connections

In This Chapter Navigating complexities

Highlighting the need for strategic planning

I n this chapter we present ten questions to ask yourself about your company Think of them as hints to help deter-

mine how to make your hybrid network work in the best pos-sible way as well as support future changes

Each industry is unique and the critical aspects driving one businessrsquos network can differ to a greater or lesser degree from those of another You can deduce the best practices that govern the management of your distributed network via these questions which help you to map your network infrastructure to the technological solutions at your disposal

Answering this list of questions and referring to the other relevant parts of this book helps you to tap the benefits of adapted firewalling Although by no means exhaustive the framework we present here is intended to help you grasp quickly the situation you face with your network today and then build your strategies around this knowledge

The information in this chapter isnrsquot sufficiently detailed for you to understand the intricacies of securing hybrid net-works We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient net-work security and management

Chapter 5

Securing Hybrid Networks For Dummies 44

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Whatrsquos the Role of the Network in My Business

Whether your business activity is centered on the industrial educational financial or other segment you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it

You also need to grasp fully the consequences of downtime broken connections stealth attacks or increasing traffic vol-umes You can be surprised how networks change and grow and take you unaware when an incident occurs

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network

Here you need to know exactly what you subscribe to and why digital subscriber lines (DSL) leased lines cable modems satellite mobile broadband and even WAN links such as point‐to‐point MPLS Knowing the full scope of links you use and the amount of bandwidth yoursquore obtaining condi-tions the policies you use to manage traffic

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings implement link‐balancing technology do both or in a best‐case scenario even do nothing How great would that be

We discuss SLAs in Chapter 2

Chapter 5 Ten Top Tips for Managing Hybrid Connections 45

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

What are the Availability Stats of My Most Important Applications

You already know what applications are critical for your busi-ness Therefore take the knowledge one step further and ana-lyze whether your processes favor or do a disservice to those applications Doing so puts you in the position to change how you manage application availability

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure

Cyber security is one of the highest concerns for governments and business today and the fact that security precautions arenrsquot always implemented is becoming increasingly clear Taking care of your security helps you to take care of your busi-ness and avoid the disaster of breaches and non‐compliance

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity

Am I Equipped for Increasing Volumes of Traffic

Even if your traffic flows are incident‐free at any given time you need enough foresight to prevent bottlenecks before they arrive Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4

Securing Hybrid Networks For Dummies 46

How much Time do I Spend on Configurations

Research commissioned by Forcepoint revealsmdashnot surprisinglymdashthat a significant divide exists between the ideal time and realistic time businesses spend on operations such as preliminary firewall configuration policy setting and updates remote location setup and more

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection

You may sometimes receive reports that an application took longer than usual to access or that receivers didnrsquot see the information intended for them Paying attention to input from users and your environment is always wise but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas

Chapter 4 explores the different methods that Multi‐Link tech-nology will use to select the fastest available connection

Do I Sometimes Prioritize Performance over Security

As security becomes more and more complex a tug‐of‐war has emerged with network administrators facing situations where advanced protection can adversely affect network performance

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Chapter 5 Ten Top Tips for Managing Hybrid Connections 47

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

As with most risk situations if people try something once and it works they tend to do it again So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm ndash until the day an attack slips by unnoticed You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network As an example consider the companies that use a separate network for backup traffic ndash in other words taking a back‐up image from a server Would they really need encryp-tion on that dedicated and extremely high traffic network

Skip back to Chapter 1 for different types of network architec-tures and their security features See Chapter 3 for methods of securing network traffic

Can I See All Connections Across My Network in Real‐Time

Whether you speak of electrical circuits railway infrastruc-tures or digital connections a global overview of whatrsquos happening on any network at each instant is undoubtedly pre-cious With distributed networks the ability to supervise from a central point and from anywhere in the world is indispensable

Browse through Chapter 4 for knowledge about the manage-ment and surveillance of hybrid networks

Securing Hybrid Networks For Dummies 48

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

WILEY END USER LICENSE AGREEMENTGo to wwwwileycomgoeula to access Wileyrsquos ebook EULA

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next-Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load-balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non-critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi-Link Technology
    • Meeting Multi-Link Technology
      • Prioritizing links
      • Seeing multi-link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi-Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real-world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real-Time?
  • EULA

Chapter 5: Ten Top Tips for Managing Hybrid Connections

In This Chapter
  • Navigating complexities
  • Highlighting the need for strategic planning

In this chapter we present ten questions to ask yourself about your company. Think of them as hints to help determine how to make your hybrid network work in the best possible way, as well as support future changes.

Each industry is unique, and the critical aspects driving one business's network can differ to a greater or lesser degree from those of another. You can deduce the best practices that govern the management of your distributed network via these questions, which help you to map your network infrastructure to the technological solutions at your disposal.

Answering this list of questions, and referring to the other relevant parts of this book, helps you to tap the benefits of adapted firewalling. Although by no means exhaustive, the framework we present here is intended to help you grasp quickly the situation you face with your network today, and then build your strategies around this knowledge.

The information in this chapter isn't sufficiently detailed for you to understand the intricacies of securing hybrid networks. We urge you to read the rest of this book attentively to arm yourself with a truly complete vision of efficient network security and management.


What's the Role of the Network in My Business?

Whether your business activity is centered on the industrial, educational, financial or other segment, you have to define exactly what the network brings to you in terms of business value, and which parts of your activity are most dependent on it.

You also need to grasp fully the consequences of downtime, broken connections, stealth attacks or increasing traffic volumes. Networks change and grow in ways that can surprise you and catch you unaware when an incident occurs.

Chapters 1 and 2 cover all your network needs.

What are the Connectivity Solutions Used in My Network?

Here you need to know exactly what you subscribe to and why: digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband and even WAN links such as point-to-point MPLS. Knowing the full scope of links you use and the amount of bandwidth you're obtaining conditions the policies you use to manage traffic.

Chapter 1 covers the different types of hybrid networks that can exist.

Do I Need a Service Level Agreement?

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings, implement link-balancing technology, do both or, in a best-case scenario, even do nothing. How great would that be?

We discuss SLAs in Chapter 2.


What are the Availability Stats of My Most Important Applications?

You already know which applications are critical for your business. Therefore, take the knowledge one step further and analyze whether your processes favor or do a disservice to those applications. Doing so puts you in the position to change how you manage application availability.

We cover the surveillance of hybrid networks in Chapter 4.

Is the Data Transmitted via My Network Secure?

Cyber security is one of the highest concerns for governments and business today, and the fact that security precautions aren't always implemented is becoming increasingly clear. Taking care of your security helps you to take care of your business and avoid the disaster of breaches and non-compliance.

Go to Chapter 3 to find out more about the encryption and VPN protocols that you need to use to secure your network connectivity.

Am I Equipped for Increasing Volumes of Traffic?

Even if your traffic flows are incident-free at any given time, you need enough foresight to prevent bottlenecks before they arrive. Accessing an application from newly opened sites, or lacking backup solutions in case of outage, can quickly lead to great losses in production.

Learn all about the Multi-Link technology that helps you to scale your network performance in Chapter 4.


How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals (not surprisingly) that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection-throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi-Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug-of-war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.


As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow, without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic (in other words, taking a backup image from a server). Would they really need encryption on that dedicated and extremely high-traffic network?

Skip back to Chapter 1 for different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real-Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.

Securing Hybrid Networks For Dummies 48

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

WILEY END USER LICENSE AGREEMENTGo to wwwwileycomgoeula to access Wileyrsquos ebook EULA

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
      • Chapter 1 Understanding Next‐Generation Networks
        • Connecting the World
          • Introducing how networks work
          • Understanding network architectures
            • Deploying Hybrid Networks
              • Speeding things up
              • Staying secure
              • Talking about network topologies
              • Making the case for distributed networks
              • Keeping traffic private via VPN
                • Finding a Way Through Routing and Load Balancing
                  • Understanding routing protocols
                  • Considering load‐balancing hybrid networks
                      • Chapter 2 Running Efficient Hybrid Networks
                        • Balancing Cost Performance and Security
                          • Identifying key business principles
                          • Addressing outage with SLAs
                            • Considering Your Network Configurations
                              • Discerning critical versus non‐critical applications
                              • Scaling for growth and change
                              • Firing up your firewall knowledge
                                  • Chapter 3 Managing Hybrid Connection Challenges
                                    • Managing Network Connections for Optimal Performance
                                      • Prioritizing traffic with QoS
                                      • Balancing load between ISPs
                                      • Activating dormant links
                                        • Considering Costs
                                          • Using consumer grade connections
                                          • Estimating a budget
                                            • Keeping Your Network Safe
                                              • Preventing eavesdropping
                                              • Demystifying VPN protocols
                                                  • Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology
                                                    • Meeting Multi‐Link Technology
                                                      • Prioritizing links
                                                      • Seeing multi‐link priorization in action
                                                      • Aggregating links
                                                      • Joining together for security
                                                        • Load Balancing with Multi‐Link
                                                          • Rethinking the ratio method
                                                          • Getting logical though fuzzily
                                                            • Keeping Watch over Hybrid Networks
                                                              • Proving a success
                                                              • Solving a real‐world issue
                                                                  • Chapter 5 Ten Top Tips for Managing Hybrid Connections
                                                                    • Whatrsquos the Role of the Network in My Business
                                                                    • What are the Connectivity Solutions Used in My Network
                                                                    • Do I Need a Service Level Agreement
                                                                    • What are the Availability Stats of My Most Important Applications
                                                                    • Is the Data Transmitted via My Network Secure
                                                                    • Am I Equipped for Increasing Volumes of Traffic
                                                                    • How much Time do I Spend on Configurations
                                                                    • Am I Always Using the Fastest Connection
                                                                    • Do I Sometimes Prioritize Performance over Security
                                                                    • Can I See All Connections Across My Network in Real‐Time
                                                                      • EULA
Page 49: These materials are © 2015 John Wiley & Sons, Ltd. Any ...€¦ · IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, ... hardware and

Securing Hybrid Networks For Dummies 44

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Whatrsquos the Role of the Network in My Business

Whether your business activity is centered on the industrial educational financial or other segment you have to define exactly what the network brings to you in terms of business value and which parts of your activity are most dependent on it

You also need to grasp fully the consequences of downtime broken connections stealth attacks or increasing traffic vol-umes You can be surprised how networks change and grow and take you unaware when an incident occurs

Chapters 1 and 2 cover all your network needs

What are the Connectivity Solutions Used in My Network

Here you need to know exactly what you subscribe to and why digital subscriber lines (DSL) leased lines cable modems satellite mobile broadband and even WAN links such as point‐to‐point MPLS Knowing the full scope of links you use and the amount of bandwidth yoursquore obtaining condi-tions the policies you use to manage traffic

Chapter 1 covers the different types of hybrid networks that can exist

Do I Need a Service Level Agreement

Obtaining a clear picture of the quality of the connections you use helps you to decide whether you need to change ISPs or offerings implement link‐balancing technology do both or in a best‐case scenario even do nothing How great would that be

We discuss SLAs in Chapter 2

Chapter 5 Ten Top Tips for Managing Hybrid Connections 45

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

What are the Availability Stats of My Most Important Applications

You already know what applications are critical for your busi-ness Therefore take the knowledge one step further and ana-lyze whether your processes favor or do a disservice to those applications Doing so puts you in the position to change how you manage application availability

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure

Cyber security is one of the highest concerns for governments and business today and the fact that security precautions arenrsquot always implemented is becoming increasingly clear Taking care of your security helps you to take care of your busi-ness and avoid the disaster of breaches and non‐compliance

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity

Am I Equipped for Increasing Volumes of Traffic

Even if your traffic flows are incident‐free at any given time you need enough foresight to prevent bottlenecks before they arrive Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4

Securing Hybrid Networks For Dummies 46

How much Time do I Spend on Configurations

Research commissioned by Forcepoint revealsmdashnot surprisinglymdashthat a significant divide exists between the ideal time and realistic time businesses spend on operations such as preliminary firewall configuration policy setting and updates remote location setup and more

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection

You may sometimes receive reports that an application took longer than usual to access or that receivers didnrsquot see the information intended for them Paying attention to input from users and your environment is always wise but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas

Chapter 4 explores the different methods that Multi‐Link tech-nology will use to select the fastest available connection

Do I Sometimes Prioritize Performance over Security

As security becomes more and more complex a tug‐of‐war has emerged with network administrators facing situations where advanced protection can adversely affect network performance

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

Chapter 5 Ten Top Tips for Managing Hybrid Connections 47

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

As with most risk situations if people try something once and it works they tend to do it again So they may again and again turn off deep packet inspection to accelerate traffic flow without a qualm ndash until the day an attack slips by unnoticed You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network As an example consider the companies that use a separate network for backup traffic ndash in other words taking a back‐up image from a server Would they really need encryp-tion on that dedicated and extremely high traffic network

Skip back to Chapter 1 for different types of network architec-tures and their security features See Chapter 3 for methods of securing network traffic

Can I See All Connections Across My Network in Real‐Time

Whether you speak of electrical circuits railway infrastruc-tures or digital connections a global overview of whatrsquos happening on any network at each instant is undoubtedly pre-cious With distributed networks the ability to supervise from a central point and from anywhere in the world is indispensable

Browse through Chapter 4 for knowledge about the manage-ment and surveillance of hybrid networks

Securing Hybrid Networks For Dummies 48

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

WILEY END USER LICENSE AGREEMENTGo to wwwwileycomgoeula to access Wileyrsquos ebook EULA

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
      • Chapter 1 Understanding Next‐Generation Networks
        • Connecting the World
          • Introducing how networks work
          • Understanding network architectures
            • Deploying Hybrid Networks
              • Speeding things up
              • Staying secure
              • Talking about network topologies
              • Making the case for distributed networks
              • Keeping traffic private via VPN
                • Finding a Way Through Routing and Load Balancing
                  • Understanding routing protocols
                  • Considering load‐balancing hybrid networks
                      • Chapter 2 Running Efficient Hybrid Networks
                        • Balancing Cost Performance and Security
                          • Identifying key business principles
                          • Addressing outage with SLAs
                            • Considering Your Network Configurations
                              • Discerning critical versus non‐critical applications
                              • Scaling for growth and change
                              • Firing up your firewall knowledge
                                  • Chapter 3 Managing Hybrid Connection Challenges
                                    • Managing Network Connections for Optimal Performance
                                      • Prioritizing traffic with QoS
                                      • Balancing load between ISPs
                                      • Activating dormant links
                                        • Considering Costs
                                          • Using consumer grade connections
                                          • Estimating a budget
                                            • Keeping Your Network Safe
                                              • Preventing eavesdropping
                                              • Demystifying VPN protocols
                                                  • Chapter 4 Optimizing Hybrid Networks with Multi‐Link Technology
                                                    • Meeting Multi‐Link Technology
                                                      • Prioritizing links
                                                      • Seeing multi‐link priorization in action
                                                      • Aggregating links
                                                      • Joining together for security
                                                        • Load Balancing with Multi‐Link
                                                          • Rethinking the ratio method
                                                          • Getting logical though fuzzily
                                                            • Keeping Watch over Hybrid Networks
                                                              • Proving a success
                                                              • Solving a real‐world issue
                                                                  • Chapter 5 Ten Top Tips for Managing Hybrid Connections
                                                                    • Whatrsquos the Role of the Network in My Business
                                                                    • What are the Connectivity Solutions Used in My Network
                                                                    • Do I Need a Service Level Agreement
                                                                    • What are the Availability Stats of My Most Important Applications
                                                                    • Is the Data Transmitted via My Network Secure
                                                                    • Am I Equipped for Increasing Volumes of Traffic
                                                                    • How much Time do I Spend on Configurations
                                                                    • Am I Always Using the Fastest Connection
                                                                    • Do I Sometimes Prioritize Performance over Security
                                                                    • Can I See All Connections Across My Network in Real‐Time
                                                                      • EULA
Page 50: These materials are © 2015 John Wiley & Sons, Ltd. Any ...€¦ · IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, ... hardware and

Chapter 5 Ten Top Tips for Managing Hybrid Connections 45

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited

What are the Availability Stats of My Most Important Applications

You already know what applications are critical for your busi-ness Therefore take the knowledge one step further and ana-lyze whether your processes favor or do a disservice to those applications Doing so puts you in the position to change how you manage application availability

We cover the surveillance of hybrid networks in Chapter 4

Is the Data Transmitted via My Network Secure

Cyber security is one of the highest concerns for governments and business today and the fact that security precautions arenrsquot always implemented is becoming increasingly clear Taking care of your security helps you to take care of your busi-ness and avoid the disaster of breaches and non‐compliance

Go to Chapter 3 to find out more about encryption and VPN protocols that you need to use to secure your network connectivity

Am I Equipped for Increasing Volumes of Traffic

Even if your traffic flows are incident‐free at any given time you need enough foresight to prevent bottlenecks before they arrive Accessing an application from newly opened sites or lacking backup solutions in case of outage can quickly lead to great losses in production

Learn all about the Multi‐Link technology that helps you to scale your network performance in Chapter 4

Securing Hybrid Networks For Dummies 46

How much Time do I Spend on Configurations

Research commissioned by Forcepoint revealsmdashnot surprisinglymdashthat a significant divide exists between the ideal time and realistic time businesses spend on operations such as preliminary firewall configuration policy setting and updates remote location setup and more

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future you can easily correlate current operations against the time savings of automation or remote site management

Chapter 4 provides insights on how to manage a hybrid network

Am I Always Using the Fastest Connection

You may sometimes receive reports that an application took longer than usual to access or that receivers didnrsquot see the information intended for them Paying attention to input from users and your environment is always wise but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using the data to troubleshoot bottleneck areas

Chapter 4 explores the different methods that Multi‐Link tech-nology will use to select the fastest available connection

Do I Sometimes Prioritize Performance over Security

As security becomes more and more complex a tug‐of‐war has emerged with network administrators facing situations where advanced protection can adversely affect network performance

These materials are copy 2015 John Wiley amp Sons Ltd Any dissemination distribution or unauthorized use is strictly prohibited


Securing Hybrid Networks For Dummies 46

How much Time do I Spend on Configurations?

Research commissioned by Forcepoint reveals, not surprisingly, that a significant divide exists between the ideal time and the realistic time businesses spend on operations such as preliminary firewall configuration, policy setting and updates, remote location setup and more.

Although you may not be able to predict today how much time and effort will be mobilized over your installations in the future, you can easily correlate current operations against the time savings of automation or remote site management.

Chapter 4 provides insights on how to manage a hybrid network.

Am I Always Using the Fastest Connection?

You may sometimes receive reports that an application took longer than usual to access, or that receivers didn't see the information intended for them. Paying attention to input from users and your environment is always wise, but even better is being able to answer the connection‐throughput question by looking over a history across the links you deploy and using that data to troubleshoot bottleneck areas.

Chapter 4 explores the different methods that Multi‐Link technology uses to select the fastest available connection.

Do I Sometimes Prioritize Performance over Security?

As security becomes more and more complex, a tug‐of‐war has emerged, with network administrators facing situations where advanced protection can adversely affect network performance.

Chapter 5: Ten Top Tips for Managing Hybrid Connections 47

As with most risk situations, if people try something once and it works, they tend to do it again. So they may turn off deep packet inspection again and again to accelerate traffic flow without a qualm, until the day an attack slips by unnoticed. You should therefore ensure that you obtain the right balance between full security features and optimum throughput on your network. As an example, consider the companies that use a separate network for backup traffic, in other words for taking a back‐up image from a server. Would they really need encryption on that dedicated and extremely high‐traffic network?

Skip back to Chapter 1 for the different types of network architectures and their security features. See Chapter 3 for methods of securing network traffic.

Can I See All Connections Across My Network in Real‐Time?

Whether you speak of electrical circuits, railway infrastructures or digital connections, a global overview of what's happening on any network at each instant is undoubtedly precious. With distributed networks, the ability to supervise from a central point, and from anywhere in the world, is indispensable.

Browse through Chapter 4 for knowledge about the management and surveillance of hybrid networks.
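The pattern described above, a one-off inspection bypass that quietly becomes permanent, is easiest to catch with a periodic policy audit. The following Python is an added example, not code from this book or from any firewall vendor: it walks a constructed policy export and flags allow rules with deep inspection disabled that lack a documented, unexpired exception, while accepting bypasses confined to a dedicated backup network (the legitimate case the chapter describes). The policy format, field names, networks and rules are all assumptions made for this example.

```python
"""Audit a firewall policy export for deep-inspection bypasses.

Added example (not from the book): flags allow rules that disable deep
packet inspection without a documented, unexpired exception, and accepts
the one case the chapter treats as legitimate, a dedicated backup network.
The policy format, field names and sample rules are constructed for this
example; adapt the loader to your vendor's export format.
"""
import ipaddress
from datetime import date

# Constructed policy export in a simplified, vendor-neutral form.
POLICY = [
    {"id": 10, "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "service": "http/https",
     "action": "allow", "deep_inspection": True},
    # Backup image traffic on its own high-volume segment: bypass by design.
    {"id": 20, "src": "10.250.0.0/24", "dst": "10.250.1.0/24", "service": "backup",
     "action": "allow", "deep_inspection": False},
    # Switched off "just for now" to speed up a transfer; nobody wrote it down.
    {"id": 30, "src": "10.1.5.0/24", "dst": "0.0.0.0/0", "service": "smb",
     "action": "allow", "deep_inspection": False},
    # Documented exception whose expiry date has already passed.
    {"id": 40, "src": "10.1.8.0/24", "dst": "192.0.2.0/24", "service": "sftp",
     "action": "allow", "deep_inspection": False,
     "exception": {"reason": "vendor migration", "approved_by": "secops",
                   "expires": "2024-03-31"}},
    # Documented exception that is still valid.
    {"id": 50, "src": "10.1.9.0/24", "dst": "198.51.100.0/24", "service": "rsync",
     "action": "allow", "deep_inspection": False,
     "exception": {"reason": "DR replication", "approved_by": "secops",
                   "expires": "2030-01-01"}},
]

# Segments where uninspected traffic is accepted by design (constructed).
BACKUP_NETS = [ipaddress.ip_network("10.250.0.0/16")]


def _in_backup_nets(cidr, nets):
    """True when the whole CIDR lies inside one of the dedicated backup networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(b) for b in nets if net.version == b.version)


def classify_rule(rule, backup_nets, today):
    """Return (status, detail); status is 'ok', 'accepted' or 'finding'."""
    if rule.get("action") != "allow" or rule.get("deep_inspection", True):
        return "ok", "inspected or not an allow rule"
    if _in_backup_nets(rule["src"], backup_nets) and _in_backup_nets(rule["dst"], backup_nets):
        return "accepted", "bypass confined to dedicated backup network"
    exc = rule.get("exception")
    if not exc:
        return "finding", "inspection disabled with no documented exception"
    expires = date.fromisoformat(exc["expires"])
    if expires < today:
        return "finding", f"exception expired on {expires.isoformat()}"
    return "ok", f"documented exception ({exc['reason']}) until {expires.isoformat()}"


def audit_inspection_bypass(rules, backup_nets, today_iso):
    """Group rule ids by status as of the given ISO date (e.g. '2025-01-15')."""
    today = date.fromisoformat(today_iso)
    report = {"finding": [], "accepted": [], "ok": []}
    for rule in rules:
        status, detail = classify_rule(rule, backup_nets, today)
        report[status].append((rule["id"], detail))
    return report


if __name__ == "__main__":
    result = audit_inspection_bypass(POLICY, BACKUP_NETS, "2025-01-15")
    for status in ("finding", "accepted", "ok"):
        for rule_id, detail in result[status]:
            print(f"{status:8s} rule {rule_id}: {detail}")
```

Run against the constructed policy as of 2025-01-15, rules 30 (undocumented bypass) and 40 (expired exception) are reported as findings, rule 20 is accepted as backup-network traffic, and rules 10 and 50 pass.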

Securing Hybrid Networks For Dummies 48


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.

  • Title Page
  • Copyright Page
  • Table of Contents
  • Introduction
    • About This Book
    • Foolish Assumptions
    • How to Use This Book
    • Icons Used in This Book
    • Where to Go from Here
  • Chapter 1: Understanding Next‐Generation Networks
    • Connecting the World
      • Introducing how networks work
      • Understanding network architectures
    • Deploying Hybrid Networks
      • Speeding things up
      • Staying secure
      • Talking about network topologies
      • Making the case for distributed networks
      • Keeping traffic private via VPN
    • Finding a Way Through Routing and Load Balancing
      • Understanding routing protocols
      • Considering load‐balancing hybrid networks
  • Chapter 2: Running Efficient Hybrid Networks
    • Balancing Cost, Performance and Security
      • Identifying key business principles
      • Addressing outage with SLAs
    • Considering Your Network Configurations
      • Discerning critical versus non‐critical applications
      • Scaling for growth and change
      • Firing up your firewall knowledge
  • Chapter 3: Managing Hybrid Connection Challenges
    • Managing Network Connections for Optimal Performance
      • Prioritizing traffic with QoS
      • Balancing load between ISPs
      • Activating dormant links
    • Considering Costs
      • Using consumer grade connections
      • Estimating a budget
    • Keeping Your Network Safe
      • Preventing eavesdropping
      • Demystifying VPN protocols
  • Chapter 4: Optimizing Hybrid Networks with Multi‐Link Technology
    • Meeting Multi‐Link Technology
      • Prioritizing links
      • Seeing multi‐link prioritization in action
      • Aggregating links
      • Joining together for security
    • Load Balancing with Multi‐Link
      • Rethinking the ratio method
      • Getting logical, though fuzzily
    • Keeping Watch over Hybrid Networks
      • Proving a success
      • Solving a real‐world issue
  • Chapter 5: Ten Top Tips for Managing Hybrid Connections
    • What's the Role of the Network in My Business?
    • What are the Connectivity Solutions Used in My Network?
    • Do I Need a Service Level Agreement?
    • What are the Availability Stats of My Most Important Applications?
    • Is the Data Transmitted via My Network Secure?
    • Am I Equipped for Increasing Volumes of Traffic?
    • How much Time do I Spend on Configurations?
    • Am I Always Using the Fastest Connection?
    • Do I Sometimes Prioritize Performance over Security?
    • Can I See All Connections Across My Network in Real‐Time?
  • EULA
                                                                    • Do I Sometimes Prioritize Performance over Security
                                                                    • Can I See All Connections Across My Network in Real‐Time
                                                                      • EULA