The Network Foundation Series: Part 3 - Network Design

Discover the secrets to building a great, reliable network with our expert advice in this guide. We'll explore different techniques and approaches for designing your dream network!


Introduction

As we discussed in a previous video, the network is the foundation of all technology "systems." When designing our network, we want to make sure it's done well, so in this installment we'll learn the secrets to building a great and reliable network. We're building on Part 2 and diving into detailed network planning. Keep in mind our approach is opinionated and there are many ways to build a network, so we will try to highlight some variations as we go along.

Are you ready? Let's get started.

Principles

Let's start with the principles that will drive our design so that we can always keep our decisions grounded against these principles.

Our first set of principles are around security. Unfortunately, cyberattacks are on the rise in today's society, but we can't let them slow us down. Now, we'll take a look at some key security principles we will want to keep in mind as we design our network.

Least Privilege

Think about your network like a house: You don't give everyone in the neighborhood a key, right? Just those who need it – like family members and trusted friends or neighbors.

We call this the "Principle of Least Privilege". It means giving people (or devices) just enough access to do their job, and no more. Here are a few examples on a network:

  1. Limiting router logins to specific trusted and trained administrators.
  2. Allowing web servers to serve website content to the internet, but blocking all other types of communication.
  3. Finally, restricting outbound traffic to just the basics, like web browsing or email, and then, over time, allowing more legitimate types of traffic out.

This might seem like a complex endeavor, but it's actually simple: Lock down your network first, then open up what you need for each purpose. There are several benefits for your security posture when taking this approach:

  1. First, reduced risk. Fewer users with elevated privileges means fewer opportunities for hackers to exploit vulnerabilities.

  2. Second, simplified security management. With less complexity comes greater simplicity in managing user permissions and revoking them when necessary.

  3. And finally, improved incident response. In the event of a breach, our least privilege policy will make it easier to identify and contain affected areas.

We'll continue to build on this as we go along.

Named Access

This security principle is about accountability. When it comes to using our networks, we often try to make things easy for ourselves, but this can lead to major security issues if we're not careful. Sharing master passwords, or using the same login credentials across multiple users and systems makes life easier, but also creates security risks.

The solution is to make sure that users have (and use) their own credentials to access the systems they need. This also includes what we call service accounts, or "users" that are not tied to a person but are necessary for certain processes to run on systems. This way only authorized people have access, you know who's doing what on your network, and if someone leaves or needs to be removed, you can quickly take away their privileges.

But, someone does have to have the master password, so be sure to keep it somewhere safe and have a secure process for accessing these sensitive passwords. There are several tools and strategies for this, including password managers, or perhaps a physical safe, and sticky notes on the backs of monitors. Uh, just kidding about that last one. I was just checking to see if you were still reading. Named Access is an important principle for accountability and helps build a more secure and trustworthy network.

Defense in Depth Security

It's essential to realize that protecting your network isn't just about blocking the obvious threats.

Continuing with our home analogy, you don't just lock the front door, right? You also consider other entry points, like the back door, windows and hidden passages. Additionally, you might have an alarm system, as well as a few surveillance cameras. It's not just a single thing that goes into protecting your family and property.

Defense in Depth is a layered approach to security which aims to protect your network from many angles, including:

  • Limiting network traffic, and blocking bad traffic based on its behavior.
  • Monitoring what's happening on your network and alerting on it.
  • Protecting against different types of threats (such as viruses, malware and intrusions).
  • Considering their sources, such as geographic location, network destination, and whether the threat is already inside the environment.

To accomplish these elements, we'll implement a few key features in our network to help us:

  1. First, network segmentation: We'll divide the network into smaller segments, each with its own access controls and monitoring, so we can manage traffic more easily.
  2. Next, we will implement a firewall with intrusion detection, antivirus and malware threat mitigation: These tools will help us identify and block bad traffic.
  3. We will implement GeoIP filtering to allow or deny traffic from specific countries.
  4. We will implement custom aliases that give us more granular control over the source and destination of our network traffic.
  5. We will use encrypted traffic for remote access via VPN.
  6. And finally, we will require multi-factor authentication for managing our infrastructure.

By considering multiple threats, vulnerabilities and vectors of attack, you can build a stronger defense for your network. And don't worry, we'll talk through these threat types and sources in more detail as we go through the set up process, so just keep this principle in mind while thinking about where potential threats may come from.

Maintenance

Let's talk about keeping things running over time. To keep your network secure, it's important to maintain the hardware and, more importantly, the software that runs your network. Developing a process to ensure regular updates and security patches are reviewed and deployed will be vital to keeping your network running securely. The frequency of updates can depend on what you are updating (for example, regular feature updates versus bug fixes), but whatever the update schedule is, it's important to stay consistent.

To make sure we do this well:

  • We'll set up automated systems and processes to handle maintenance tasks.
  • We'll build in a regular reminder to perform certain manual checks.
  • We'll also leverage built-in functionality that checks for updates on a regular basis and installs them on a schedule.

Logging and Monitoring

Next, to respond effectively to security incidents or other problems, we'll want to implement robust logging and monitoring capabilities. This will help us track activity across the network and identify potential issues before they become major problems.

We can leverage the power of built-in logging to achieve the following benefits:

  • Improved incident response: With accurate logs, we can quickly investigate and contain affected areas.

  • Enhanced threat detection: Our monitoring tools will alert us to suspicious activity, allowing us to take proactive measures to mitigate threats.

  • Better decision-making: By analyzing log data, we'll be able to make informed decisions about security policies and incident response strategies.

  • Issue Identification and Troubleshooting: Spotting the signs of brewing problems and addressing them before they affect the network will save a ton of time on the backend.

Even if something does happen, with proper logs we'll be able to identify and fix those problems more quickly. In essence, information is power. While logging is often used after the fact, it's a vital dataset that can help us refine our environment.

Organization

The next principle I would like to discuss is the consideration of what your network will be used for. This will help us organize the design to meet your goals and needs.

So, when designing your network keep in mind the following questions:

  • What do I want to accomplish on the network?
  • How secure does my data need to be?
  • What kind of user experience should exist?

How you organize your network will also play into how easy it is to maintain and understand over time. Try to think of someone coming into the environment who was not there in the beginning and has to make sense of what they're looking at. For example, if nothing is labeled, or if the network addressing scheme is all over the place, it becomes more difficult for a new provider coming in to quickly resolve issues or begin supporting your environment right away.

Documentation

This leads us to our next principle, which is documentation. In our plan, we should always leave ample time to make sure at each stage and every change, we are documenting what those changes are and as much detail about the configuration as possible. A lack of documentation is a clear indication of a lack of planning. In the long run, this increases support costs and time spent troubleshooting or even completely redoing your network down the road. To avoid this, we will make sure we document as we go.

Performance

Let's talk next about the performance of our network. As we think about what we want our network to do, here are some things to consider when it comes to picking the right hardware and software.

First, we want to size our infrastructure appropriately.

The performance of your network is influenced by its hardware and software components, as well as by your expectations. Properly sizing your infrastructure ensures optimal performance. For instance, using a home router with 20 users would likely lead to severe performance degradation, while the same setup in a smaller environment, let's say 5 users, might be sufficient. A good rule of thumb for picking hardware that will meet the needs of your environment can be measured on a per-user basis and is anywhere between 50 and 70 dollars per user. This takes into account your switching, wireless, and routing. If you need higher performance, then add 5 to 10 percent.

Next, choose the right router hardware.

When selecting a router, it's essential to consider the expected speed and throughput required by your network. A 200 megabit internet connection doesn't necessitate a 10 gigabit capable router. On the other hand, if you anticipate high-performance requirements, ensure the router can handle those demands and that you are picking the correct internet technology to accommodate the needs. Not all internet bandwidth is equal. Dedicated Internet Access (or DIA) is much more performant than a shared service like cable.

Next, plan your wireless network properly.

In small environments (under 1,200 square feet), a single access point is often sufficient if properly placed and configured for your specific needs. However, in larger spaces with significant glass and metal surfaces (for example, commercial buildings), additional access points may be necessary to mitigate signal attenuation and ensure equal coverage.

Finally, consider your network switching hardware's capacity.

When planning your internal network's switching hardware, consider the capacity needed between your internal network and the internet. Most switches will handle bandwidth requirements for environments that have most of their infrastructure in the cloud. From this perspective, it will not be your switching that is a bottleneck, but rather your internet connection. If you are hosting services internally, then you should make sure your switching hardware has the capacity to ensure peak performance.

Bottom line: to ensure optimal network performance, it's essential to consider who will use your network, what they will use it for, and how fast it really needs to be. By considering factors such as internet speed, wireless capacity and performance, and overall internal network capacity, you can strike a balance between cost and performance to achieve reliable and efficient connectivity.

Simple to Complex

The simple to complex principle has two aspects. The first aspect is to keep it simple, the old KISS principle. That means you don't want to try to implement, up front, everything that could possibly happen in the future.

Now, this doesn't mean you shouldn't consider what may happen in the future, as you should always be planning for growth. Just try to separate what you need now and in the near future from what you think things may look like five or ten years down the road.

This is where the second element of this principle comes into play. You want to make sure you implement this simple starting point in a way that allows you to scale or add complexity as needed. This enables you to start simple and grow into a complex environment over time. In networking, most of the simplification comes in the form of your initial network design choices, which we are about to jump into now.

Determining the Network's Purpose

When designing a network, it's essential to consider what you want the network to accomplish. To guide our decisions, let's explore four common questions:

  1. Who will use the network?
  2. What devices will be connected?
  3. Where do users need access from?
  4. Is this a single location?

Answering these questions can inform our design in several ways:

  • Who will use it?: This helps determine segmentation, performance requirements, and security measures. For instance, if you'll have guests accessing the internet, we may want to segment their traffic for added security.

  • What devices will be connected?: This informs how we segment functions and allocate resources. For example, smart home components might require isolation to limit access to sensitive equipment.

  • Where do users need access from?: This informs our network topology and design decisions based on user mobility or location requirements. For example, if employees will be working remotely from coffee shops or co-working spaces, we may need to consider how we will secure communication that is coming into the network from outside.

  • Is this a single location?: Considering future growth informs our IP addressing scheme, edge infrastructure choices, and documentation practices.

By answering these questions upfront, we can create a more tailored and scalable network design that meets current needs while planning for expansion in the future.

So, let's do that now!

Design Scenario

Imagine Natalie, a young entrepreneur who's finally taking control of her destiny by starting her own business from home. As she sets up her consulting services website on an old desktop computer, she realizes that security is paramount to protecting sensitive customer information and maintaining the trust of her growing client base.

With remote workdays spent traveling or working from coffee shops, Natalie needs a secure connection to stay productive and access her network while away from home. This means setting up a reliable VPN solution to encrypt her internet traffic and keep it safe within the network. At the same time, she also needs internal Wi-Fi connectivity for when she's at home with guests or family members who may be using the network.

She also realizes that hosting online services can't be done without a stable backup internet connection in case her primary one fails – after all, downtime is no good for business! And as she starts setting up smart home devices to keep an eye on things while she's away, security becomes even more critical.

With these demands in mind, Natalie embarks on designing a network that will meet the needs of her business and its growing pains. She'll need to strike a balance between logical configuration and physical setup. How does it all fit together? What components will she need? And what are the trade-offs?

Logical Design

Let's first recap the requirements based on our story, so we can get a depiction of the components and how they're connected. We call this a logical design. Here's our story in outline format:

  1. Who will access the network? - Staff, guests, and customers.

  2. What will be on the network? - A server, which hosts the following: a website, an email system, and file sharing. Additional devices include laptops, mobile devices, and smart/automation devices.

  3. How will the network be accessed? - Externally from the internet, potentially over a backup connection, wirelessly, and from wired connections via a switch.

  4. Where will the network reside? - To start, Natalie's home location and as her business grows, potentially multiple locations.

From this basic list of requirements, we can see a few things right off the bat. First, we have multiple network segments that we need to control traffic between. For this purpose, we will use Virtual Local Area Networks, or VLANs for short. To start, we'll need at least 4 VLANs to segment the different types of network traffic:

  1. One for local area network traffic, such as Natalie's laptop

  2. One for guests

  3. One for the server to reside in

  4. One for the smart devices.

Each of these networks will need their own IP subnet, so we will create a subnet for each network segment.

And because this network structure may exist in future locations, we will make sure that we space the VLAN numbers appropriately to allow us to scale things in a consistent manner. That way as we grow we can ensure that when we look at our network configuration it's very easy to tell which location the particular network resides in.

Additionally, in our logical design, because there's a potential there may be more than one internet connection, we want to make sure that the environment is set up to take advantage of multiple internet paths, just in case we decide to implement this feature.

Because the web server will need to be accessible from both inside and outside the network, we need to make sure that our DNS can distinguish between the two. Therefore, we will implement an internal DNS server to handle queries from the internal network, and rely on public DNS servers to handle queries from the internet.

So here is what our logical design will look like to start:

VLANs

We will let the first location use the default VLAN of 1 for management of devices. Moving forward, as we add sites, the second site will use VLAN 2 for management, the third, VLAN 3, etc.

  • VLAN 201 will serve as our internal local area network, where staff devices can connect securely and access all the resources they need to access.

  • VLAN 401 will serve as our hosting network, where our server will reside, and provide secure access to both internal staff, as well as customers and visitors from the outside.

  • VLAN 601 will be for our smart devices or our automation devices, and will be tightly controlled and segmented off from the rest of the network.

  • VLAN 801 will be for our guests and provide just enough access to the resources they need without granting unnecessary access to internal infrastructure.
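The access each of these four roles gets can be written down and tested before it is ever typed into a firewall. The following is an added example, not configuration from the original post: it models the roles as zones with ordered, first-match rules and a default deny, and includes a check for rules that are shadowed by an earlier rule. The zone names and the specific ports granted to each role are my assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Zones: the four VLAN roles from the design plus the internet side of the router.
ZONES = {"lan", "hosting", "iot", "guest", "internet"}
WEB = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    src: str                         # zone name or "any"
    dst: str                         # zone name or "any"
    ports: Optional[FrozenSet[int]]  # None = any TCP port
    action: str                      # "allow" or "deny"
    note: str


# Ordered list, first match wins. Anything not matched is denied, which is the
# "lock down first, then open what you need" approach. The ports each role
# receives are assumptions for this example, not the post's decisions.
POLICY = [
    Rule("lan", "any", None, "allow", "staff (VLAN 201) reach every resource"),
    Rule("internet", "hosting", WEB, "allow", "public website on the server (VLAN 401)"),
    Rule("hosting", "internet", WEB, "allow", "server fetches updates"),
    Rule("iot", "internet", frozenset({443}), "allow", "smart devices (VLAN 601) check in only"),
    Rule("guest", "internet", WEB | frozenset({993, 587}), "allow", "guests (VLAN 801): web and email"),
]


def evaluate(src: str, dst: str, port: int, policy=POLICY) -> tuple[str, str]:
    """Return (action, reason) for a new TCP connection from src to dst:port."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in {src!r} -> {dst!r}")
    for r in policy:
        if r.src in (src, "any") and r.dst in (dst, "any") \
                and (r.ports is None or port in r.ports):
            return r.action, r.note
    return "deny", "default deny: no rule matched"


def shadowed(policy=POLICY) -> list[Rule]:
    """Rules that can never match because an earlier, broader rule always wins.
    A shadowed rule means the policy does not do what its author thinks."""
    out = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            src_ok = earlier.src in (later.src, "any")
            dst_ok = earlier.dst in (later.dst, "any")
            ports_ok = earlier.ports is None or (
                later.ports is not None and later.ports <= earlier.ports)
            if src_ok and dst_ok and ports_ok:
                out.append(later)
                break
    return out


if __name__ == "__main__":
    # Constructed sample connections to exercise the policy.
    samples = [("guest", "lan", 445), ("internet", "hosting", 443),
               ("internet", "hosting", 22), ("iot", "lan", 80),
               ("lan", "iot", 8123), ("guest", "internet", 443)]
    for s in samples:
        print(s, "->", evaluate(*s))
    print("shadowed rules:", shadowed())
```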

As we bring on new sites, we will increment the VLANs. For example, 202, 402, 602, 802 for our next site. If we add another site, we'll use 203, 403, 603, etc. Additionally, if we need new network segments we will just add them as needed, for example VLAN 1002 on our second site. We will also do something similar with our IP address scheme to keep it consistent. The goal here is to settle on a convention that works for you, that makes each network easy to identify, that can be quickly documented, and that would make sense to someone coming into the environment.

There is one last thing we need to discuss regarding VLANs. In the event that we have multiple internet connections coming into our environment, we can use VLANs to segment those connections and handle them through our equipment in a much more flexible manner. So we will reserve VLANs 4001 through 4010 to be used as ISP VLANs. Further, these do not need to be unique per site, so we can reuse them when needed.
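The numbering convention above (management VLAN equals the site number, the four roles at 200/400/600/800 plus the site number, ISP VLANs 4001-4010 shared by every site) is small enough to generate and check with a script. This is an added example, not the post's own tooling. The post only says the IP scheme will be "similar", so the subnet mapping here (10.<site>.<hundreds digit of the VLAN>.0/24, giving 10.1.2.0/24 for VLAN 201 at site 1) is my assumption.

```python
"""Site-scaled VLAN and subnet plan (added example, not the post's own code).

Scheme from the design: management is VLAN <site>; LAN, hosting, IoT and guest
are 200/400/600/800 + <site>; VLANs 4001-4010 are ISP VLANs shared by all sites.
Assumed here: subnet = 10.<site>.<vlan // 100>.0/24 (the post only says "similar").
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

SEGMENT_BASES = {"mgmt": 0, "lan": 200, "hosting": 400, "iot": 600, "guest": 800}
ISP_VLANS = range(4001, 4011)  # reserved for ISP links, reusable at every site
MAX_VLAN = 4094                # valid 802.1Q IDs are 1-4094
MAX_SITE = 99                  # keeps base + site inside its own "hundred"


@dataclass(frozen=True)
class Segment:
    site: int
    name: str
    vlan: int
    subnet: ipaddress.IPv4Network


def vlan_id(site: int, name: str, base: int | None = None) -> int:
    """VLAN ID for a segment at a site. Pass `base` to add a new segment later;
    the post's "VLAN 1002 on our second site" is base=1000, site=2."""
    if not 1 <= site <= MAX_SITE:
        raise ValueError(f"site must be 1..{MAX_SITE}, got {site}")
    if base is None:
        base = SEGMENT_BASES[name]
    if base % 100:
        raise ValueError("segment bases must be multiples of 100")
    return base + site


def subnet_for(site: int, vlan: int) -> ipaddress.IPv4Network:
    """Assumed mapping: second octet = site, third octet = the VLAN's hundreds."""
    return ipaddress.IPv4Network(f"10.{site}.{vlan // 100}.0/24")


def plan_site(site: int, extra: dict[str, int] | None = None) -> list[Segment]:
    """All segments for one site; `extra` maps new segment names to new bases."""
    out = []
    for name, base in {**SEGMENT_BASES, **(extra or {})}.items():
        vlan = vlan_id(site, name, base)
        out.append(Segment(site, name, vlan, subnet_for(site, vlan)))
    return out


def check_plan(segments: list[Segment]) -> None:
    """Raise on the mistakes the scheme exists to prevent: duplicate VLAN IDs,
    overlapping subnets, IDs outside 1-4094, or a site VLAN in the ISP block."""
    seen: dict[int, Segment] = {}
    for s in segments:
        if not 1 <= s.vlan <= MAX_VLAN:
            raise ValueError(f"{s.name}@{s.site}: VLAN {s.vlan} out of range")
        if s.vlan in ISP_VLANS:
            raise ValueError(f"{s.name}@{s.site}: VLAN {s.vlan} is an ISP VLAN")
        if s.vlan in seen:
            raise ValueError(f"VLAN {s.vlan} used by both {seen[s.vlan].name}@"
                             f"{seen[s.vlan].site} and {s.name}@{s.site}")
        seen[s.vlan] = s
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                raise ValueError(f"subnets overlap: {a.subnet} / {b.subnet}")


if __name__ == "__main__":
    plan = plan_site(1) + plan_site(2, extra={"cameras": 1000})
    check_plan(plan)
    for s in plan:
        print(f"site {s.site}  {s.name:<8} VLAN {s.vlan:>4}  {s.subnet}")
```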

Physical Design

To start with, let's list the physical components that will make up our network. First, we will have our Internet Service provider's router. This will be the starting point at the edge of our network. We will eventually reconfigure that into bridge mode, which we will talk about more in an upcoming episode. We will also need a router, a switch and an access point for our physical network infrastructure. We're going to need a few network cables to connect everything up, so don't forget those. To keep the equipment online during brief power outages, we will get an Uninterruptible Power Supply, also known as a U.P.S., that everything will plug into for power.

The switch can be a smaller switch, but we want to be able to manage certain settings on it, so we'll go with a 16-port managed device. And for the access point, our space is small enough that we can go with a basic access point. Note: if you already have a router that can be converted to access point mode, that will work as well. It would be great to be able to manage the switch and access point together, so we are going to try to find a solution that has unified management for those components. Something like Ubiquiti or, if your budget isn't great to start, we could go with a TP-Link or Netgear solution. The nice thing about Ubiquiti is that they allow you to host your own controller for free, which is completely in line with our core principle of decentralized technology. They also have hardware with the controller baked in, if you have the budget.

When it comes to our router, because this device is a central component of our network, we want to treat it a little bit differently. We want complete control over this particular component, and so we need a router with the following characteristics:

  • It should allow us to direct traffic to specific places (for example, send web traffic to our web server).
  • It should not be tied to any specific hardware platform.
  • It should be low cost but feature rich, to handle growing complexity over time.
  • It should offer business-grade features and support that can be added as we grow.

There are several options on the market that would fit this bill. Some options include pfSense, OPNsense, Untangle, and VyOS. Since the networking concepts are universal, just make sure the solution you choose has the feature set you need, but feel free to pick one with which you're familiar. For our purposes, we will be using OPNsense for its strong network security features and business-grade support. As a bonus, the company behind OPNsense also has principles that resonate with ours. Once we have all the components we need, we're going to connect them together in the following manner.

We will connect the LAN port of our ISP's router to the WAN port of our router. We will then connect the switch, via any port, usually the first or last port on the switch, to the LAN port on our router. From there, we will connect our server and our access point to the switch.

Conclusion

By following these best practices, you'll be well on your way to building a solid network that meets your needs. Remember, planning is key - take the time to get it right up front, and you'll save yourself headaches down the line.

In our next video, we will finally start putting into practice the concepts and planning we've been doing to build out a network that looks a lot like our design scenario. As always, if you have any questions, comments or feedback, please let us know in the comments below. We hope you'll join us! Thanks for reading and watching and see you soon.

Resources

Main Page

Store Page

Managed Router Service

PowerPoint Download

NFS Playlist

NFS Part 2 - Concepts

NFS Part 2 Blog

NFS Part 3 Video

OPNsense Main Website

OPNsense Store

OPNsense Documentation

Other Product Brands Discussed

Ubiquiti

Zenarmor Next Gen Firewall

VyOS

pfSense

Netgear

TP-Link
