1
Posted on 1:35 PM by Hamid and filed under

The local area network (LAN) is home to sheer bandwidth and countless client server applications. Different companies have radically different networks; some have a single PC and others have hundreds of locations and thousands of computers. This page is intended to explain the basic principles and components frequently found on the LAN. The internal network is usually built with the highest bandwidth available. It is then connected to a tiny internet connection which is almost always a bottle neck for internet traffic. Most businesses of any size have at least one server to provide extra computing features to the business. The internet is explicitly distrusted and generally the network has protection from the internet built in. The LAN is something that businesses have complete control over. Network devices are much simpler than servers and PCs. It is common (and best practice) to duplicate significant portions of the Network to allow for failure without having a noticeable impact on the network. A LAN is the local cabling and set of network devices at an individual location building or campus but the internal network can easily include many LANs connected to form a WAN.

The internal network, and therefore the LAN, exists to link all of the PCs, laptops, servers, printers, and anything else that might be useful for a computer to talk to. Most LANs have a cable running from every computer to a wall jack. The wall jack is connected to a very similar type of cable that runs to a patch panel in a wiring closet. A patch panel is simply a bank of cable ports that allows all of the cables coming from each wall jack to be connected to the LAN if desired. Any active wall jack must have the corresponding port in the patch panel connected to a switch in the wiring closet. A wiring closet is a centralized room where these cables end. It is common for there to be many wiring closets in a building. The standard is that these wiring closets not actually be used for anything else besides LAN equipment, although this rarely happens in practice. If there are many switches in a wiring closet, they are connected to one or two switches within in the same closet. These serve to connect all of the switches there as well as some of the cable runs entering the room. The switches in a wiring closets are connected to a centralized switch or switch pair in a main wiring closet. The centralized switch or switch pair serves to connect the entire LAN together. These distribution switches connect to the router(s) that the location may have to further connect the switches to the internet or the enterprise WAN thus extending the LAN.

The internet is full of hackers which means that the traffic that comes from the internet is usually distrusted. On most local area networks there are more things that communicate or are set up to communicate than are used and fewer that are really needed. However everything that is on a computer that communicates on the LAN is a potential vulnerability for a hacker to exploit. For this reason most networks use a firewall which simply restricts what can communicate (IP address) to what is on the other side of a firewall and what type of communications (port number) can pass through it. Generally this means that only the things frequently used are allowed to pass through it. The idea is that anything that is not a business need is not allowed through which greatly reduces what a hacker can attack. In reality it does leave many options open for attack, although it is certainly a much smaller set of options than what would be available without it. Because the servers that communicate directly with the internet are considered the highest risk these are frequently placed in what’s called a demilitarized zone (DMZ). This simply means that the traffic to and from these servers and the normal internal network is restricted by additional firewalls. Some DMZ’s have additional firewalls inside them to further protect the LAN from any internal threat.

There is usually a firewall between the internet and the internal network (LANs); that is the firewall is placed between the internet border router and the adjacent core switch to protect the LAN. A firewall is simply a device that restricts communication and helps improve security much like a guard post does. Firewalls are also commonly used to segregate off anything else that is considered a higher risk. If there are any servers that accept connections from the internet there is frequently a demilitarized zone (DMZ). With DMZ’s a firewall is placed both between the servers and the internet and between the servers and the internal network (both LAN and WAN). This reduces the probability and impact of a server being hacked. (A hacked server on the network is a serious risk to the rest of the network and common practice is to remove it from the network regardless of it’s purpose.) There are frequently additional firewalls within a DMZ to further reduce the security risk within the DMZ. It is also common to have an intrusion detection system (IDS) at various points of the WAN, especially in the DMZ and internet connection where there is the greatest chance that an attack will happen. Unlike a firewall an IDS is not necessarily intended to stop malicious activity but rather to simply detect it, log it, and possibly notify the appropriate persons.

Many people enjoy being able to use a wireless connection to connect to the LAN rather than having cables connected to their laptop. This means that there are (depending on the size of the building) many antennas installed throughout the building. These antennas are called access points. Because the reception area provided by the access points is relatively small there are many access points connecting to each wiring closet. It is worth noting that because each access point potentially connects many computers it is much cheaper to install wireless than it is to install physical cabling to each computer. However there are many drawbacks of wireless. It is possible for someone who would not normally be allowed to both connect to the LAN to connect and to intercept the connection. Both are considered security risks. The first allows a hacker, potentially off company property, to connect to sensitive systems only accessible to employees on the LAN. The latter allows a hacker to read sensitive information being transmitted such as passwords, e-mails, etc. There are steps that can be taken to reduce this risk such as encrypting the wireless signal and placing all of the wireless traffic behind a firewall on the outside of the regular LAN. Wireless communication is somewhat slower than the physically cabled counterparts as well. For these two reasons, most businesses do not connect most of their computers to a wireless connection with exceptions for some laptop users. This may not be allowed for non-employee access and is treated as a security risk. It is common to find wireless access points on a LAN.

The LAN connects most of the computers and devices together with switches. A switch is basically a large bank of network cards. The switch is what connects all of the cables. A patch panel looks similar to a switch from the front but merely provides a convenient and neat way to end the cables collected in a wiring closet. A patch panel connects nothing and is just a large multi-port panel where a switch is an electronic device that connects these electronically to the LAN. Switches switch small chunks of traffic at lightning speed between whichever cables the traffic needs to go through to reach the destination. Many of these allow administrators to login from a portion of the LAN to administer the connections and advanced settings. The number of cable connections that a single one can support varies. These are a more advanced technology than a hub which has been replaced by switches in all modern LAN’s. Many of these devices in a modern network are layer 3 switches which means that they are also capable of acting as a router. If there are enough computers to require many switches, the switches connect to each other and are arranged with one or two switches connecting all of the other switches. Most larger networks contain many switches.

A router is the device that connects different smaller networks (LAN’s) together to form a WAN or MAN. The purpose of a router is to determine the next route a packet of data should take to get to the destination most efficiently. This simply means picking a device it is connected to and forwarding the packet to that device which is closer to the destination. There are usually only one or two routers in most offices. However larger networks have multiple routers at central locations such as the headquarters, data centers, and carrier’s facilities. Routers are usually only connected to only other switches and routers. Routers are generally more advanced than switches. These devices contain knowledge of the entire network where switches normally only contain knowledge of the individual LAN they service. If there is more than one office (thus multiple LANs) then there is normally a virtual circuit used to connect the locations together for which the company spends additional money. For example frame relay and asynchronous transmission mode (ATM) connections both create a virtual connection between the LANs. This means that only network traffic between the two locations can pass through and security precautions normally needed for internet connections are not necessary. This is true even though there may be a great deal of distance between the locations. Virtual private networking (VPN) can also be used for the same effect which is implemented very differently. Because this uses encryption to form the virtual circuit, it is often used to connect corporate laptops on the internet to the internal network.

If there is a shared resource, such as a website, that is used by many people there are sometimes many servers that provide the service. A load balancer is used to determine and regulate exactly how each individual server provides which portion of the load within the LAN. This provides both greater capacity (multiple servers are sharing the load rather than just one) and reliability (theoretically) as long as there is one server left the service is still available. In practice a load balancer may improve reliability but it can never be guaranteed to always detect a failure and rebalance the load without using the failed server. Similar means of balancing loads can be done other ways. For example a DNS server can simply rotate the IP address given for a DNS entry. This is how Google rotates load between different servers at different data centers. It is rare for a load balancer to balance the load to dissimilar devices or devices not on the same LAN segment.

It is common for a network to contain a proxy. A proxy is used to restrict web access, filter viruses, and move some of the load on the internet connection to the LAN. This is simply a server that caches web pages and retrieves those that are not in the cache from the internet. This allows any requests for the same web page to be loaded from the cache on the LAN rather than the internet connection reducing the load on the LAN connection. For example if two people both go to Google’s home page early in the morning the second one does not have to be loaded from the internet. This saves bandwidth. This is also sometimes used to restrict the sites that employees can go to as well as record where they go. There are companies that compile lists of websites by category intended for use as a type of parental control over the employees. For example a business can display a web page saying access denied whenever an employee tries to go to a porn site from work. Some businesses have also reported tremendous success with distributing a list of the employees who visit porn sites the most at work throughout the company. Similar things can be done with game sites where employees may waste time, racist, bigot, or malicious websites. Some people object to proxies citing privacy or censorship concerns.

Businesses’ networks almost always have at least one server on the LAN. Very large companies may have hundreds of servers. It is considered best practice to have at least two redundant network cables connected to the servers that also connect to different switches for a reliable LAN connection. This sometimes requires software installed and configured on the server to ensure that if one LAN connection fails it starts to use the other one. It is possible to have more than one LAN connection and load balance these but this requires special configuration on the switch as well as the server. If the network connection is load balanced it provides better performance due to the double sized network connectivity. Severs also are the first to receive the latest cabling and network cards. Because servers are used by many people it is often attractive to upgrade the network connections long before the rest of the network. These are often also much easier to upgrade because they are usually in the same room as the switch so the manual labor and cable length used is minimal.

Most businesses have directory services in place. This is normally considered an application level service rather than part of the LAN. This simply means that there is one or more servers on the network which are tasked with authenticating passwords and possibly other related tasks such as storing user settings. Whenever there is a need for user authentication, such as logging intro a computer or accessing a network file share, a authentication request is sent to the directory services server. This prevents someone who may have been able to gain unauthorized physical access to an enterprise PC from logging into any computer on the LAN. Of course if the intruder happens to obtain the username and password of an employee this will do little good. This is also used for internal employees to use a single password. The password is valid for shared resources such as network file shares and applications in a controllable and restrictive manner. Some examples are active directory and NIS.

There are a lot of components to the internal business network. Local area networks (LAN) are usually fairly modern and very fast and make up a great portion of the internal network. However these are almost always connected to an internet connection that is significantly slower. For this reason there are many things that can be done on a LAN or WAN that are not financially feasible on the internet. This page kept it very simple, but if you look around you will find more information on this site about local area networks and networking in general.

Stumble Upon Toolbar
1
Response to ... Local Area Network (LAN) Basic Components
Hamid said... January 18, 2009 at 1:48 PM

asdf

Post a Comment