Local Area Network (LAN) Design

When you design a new LAN, regardless of the number of users, you must first consider the needs of the users as well as the budget that you must work with. Though simple enough in theory, there is much to consider. There are basically six aspects that you must address when building a computer network, be it for an SMB or a large enterprise campus. These are:

  1. Connectivity
  2. Security
  3. Redundancy
  4. Standardization
  5. Disaster Recovery
  6. Growth

Connectivity

When you think of network connectivity you may think about wired and wireless connections and how they tie in with the other hardware (routers, switches and cables). Though this is true, there is more to consider. You must also think about the future growth of the network, what type of traffic the network will carry and how your users will be using this connectivity. A network design that is perfect today may not be tomorrow, so be aware of every foreseeable change that will affect your users' connectivity.

Security

Maintaining security on your network is important, and a challenge. This challenge must be met head on and should be a focus of day-to-day network monitoring. Is your stored data secure? Are your wired and wireless connections guarded against attackers? Are your firewall logs being monitored daily? These security measures must be addressed.

Here are eight recommended precautionary steps you can take to make sure your LAN is secure.

  1. Auditing and mapping:

    Audit and map your network. Maintain a clear understanding of the entire network’s infrastructure. This includes the vendor and model, location, basic configuration of firewalls, routers, switches, Ethernet cabling, ports and wireless access points. Know what servers, computers, printers and any peripheral devices are connected as well as where they are connected and their connectivity path throughout the network.

    You will likely find security vulnerabilities in your network. Take these discoveries and use them to your advantage by finding ways to increase the network's security, performance and reliability.

  2. Keep the network up to date:

    Make it a best practice in your organization to ensure that firmware and software are kept up to date. Make sure default passwords have been changed and that you have a mandatory, solid password policy in place. Check for configurations that may not be secure. Make sure that all workstations are up to date and have sufficient antivirus software installed and kept current.

  3. Make sure the physical network is secure:

    Physical security of the network is just as important as your firewall. You protect your network against hackers, viruses and bots; you need the same level of protection for the physical network as well.

    A hacker, or even an employee, can take advantage of weak physical security. They could attach a wireless access point to an unsecured Ethernet port, giving them and others wireless access to your network. If an Ethernet port is disabled, it can't be used this way.

    Your building should also have protection. All wiring closets should be physically secured, and the same goes for any location where switches are installed. Make sure that unused Ethernet ports are disabled and that all cabling is secure and not easily accessible.

  4. MAC Address filtering:

    The lack of a quick and easy authentication or encryption method is a security issue with wired networks. People can just plug into an available Ethernet port on a switch and they have access to the network. With wireless you have measures like WPA2 Personal (PSK) which can be deployed with little effort.

    MAC address filtering is no guarantee that a hacker won't gain access: a MAC address is trivially spoofed, so an attacker who can observe one permitted address on the wire can simply copy it. It can, however, serve as a first layer of control, and it helps prevent an employee from causing an intentional or unintentional security hole, such as plugging in an unmanaged device. This step also gives you more control over the devices on your network. If you use MAC filtering, it is important to keep the MAC address list up to date.

  5. Create VLANS to separate and isolate traffic:

    VLANs can be used to group Ethernet ports, wireless access points and users into multiple virtual networks. This separation provides security and prevents cross-department access at layer 2; wherever VLANs are routed between each other, access control lists or a firewall at the routing point are still needed to restrict traffic between them. VLANs are especially useful when configured for dynamic assignment. For example, you could plug your laptop in anywhere on the network, or connect via Wi-Fi, and automatically be put onto your assigned VLAN. This can be achieved via MAC-based assignment (MAC authentication bypass) or, the more secure option, via 802.1X authentication.

    Check your product specifications to make sure it supports IEEE 802.1Q. If your device does not support this, it will not support VLANs. For wireless access points, you’ll likely want those that support both VLAN tagging and multiple SSIDs. With multiple SSIDs you can offer multiple virtual WLANs that can be assigned to a certain VLAN.

  6. Use 802.1X for authentication:

    Because of their complexity, authentication and encryption are often ignored on a wired network. Though it is common to encrypt a wireless connection, wired connections are not secured as they should be.

    Deploying 802.1X authentication won't encrypt Ethernet traffic (that requires MACsec, IEEE 802.1AE, on switches and NICs that support it), but it will stop a hacker from accessing the network until they can provide valid credentials. You can utilize the same authentication on the wireless side as well, to implement WPA2 Enterprise with AES encryption, which has many benefits over the personal-level (PSK) mode of WPA2: each user has individual credentials that can be revoked, rather than one shared key that everyone knows and that leaks easily.

    Another great benefit of 802.1X authentication is the ability to dynamically assign users to VLANs.

    A Remote Authentication Dial-In User Service (RADIUS) server is needed to deploy 802.1X authentication. The switch or access point forwards the client's credentials to this server, which checks them against a user database (such as Active Directory) and returns the decision that authorizes or denies network access. If you have a Windows Server, you already have a RADIUS server: the Network Policy Server (NPS) role, or in older Windows Server versions the Internet Authentication Service (IAS) role. If you don't have such a server already, consider a standalone RADIUS server such as FreeRADIUS.

  7. Use VPNs:

    Encryption is one of the best ways to secure network traffic. Even with VLANs and 802.1X authentication, someone on the same network (VLAN) can eavesdrop and capture unencrypted traffic. This traffic can include emails, documents and passwords.

    Rather than encrypting every packet on the wire, it often makes more sense to encrypt the communications themselves; this is what TLS does for HTTPS and for the TLS-protected variants of mail and other protocols (the older SSL versions should no longer be used). For traffic that cannot be protected that way, pass it through a standard VPN client, which could be used just during the sensitive communication or forced on all the time.

  8. Encrypt the entire network:

    IPsec encrypts and authenticates traffic at the network layer between hosts, so every protocol they exchange is covered without changing the applications. A Windows Server can serve as the IPsec server, and the client capability is natively supported by Windows as well; the policies are defined as connection security rules in Windows Defender Firewall with Advanced Security and can be pushed to clients with Group Policy.
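As an added example of the auditing in step 1 and of the per-port checks behind steps 3 and 4 (this is not code from the original article): the script below parses a constructed switch MAC address table laid out like a Cisco IOS `show mac address-table` dump, reconciles it against an assumed inventory, and flags the two things a practitioner looks for: addresses that are not in the inventory, and access ports that carry several addresses at once, which is what an unauthorized access point, hub or switch plugged into a wall jack looks like from the wiring closet. The sample table, the inventory and the set of uplink ports are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like a Cisco IOS `show mac address-table` dump.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    aabb.ccdd.ee01    DYNAMIC     Gi1/0/3
  10    aabb.ccdd.ee02    DYNAMIC     Gi1/0/3
  10    aabb.ccdd.ee03    DYNAMIC     Gi1/0/3
  20    0011.2233.4499    DYNAMIC     Gi1/0/24
"""

# Assumed inventory produced by the audit in step 1: normalized MAC -> asset name.
INVENTORY = {
    "00:11:22:33:44:55": "finance-pc-01",
    "00:11:22:33:44:56": "finance-pc-02",
    "00:11:22:33:44:99": "core-uplink",
}

# Assumed port roles: an access port should carry a single host; uplinks carry many.
UPLINK_PORTS = {"Gi1/0/24"}

# One data row: VLAN, dotted-hex MAC, type, port. Header and separator rows do not match.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)")


def normalize_mac(dotted):
    """'0011.2233.4455' -> '00:11:22:33:44:55', the form used in the inventory."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples for each learned address in the dump."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return entries


def audit(entries, inventory, uplink_ports, max_hosts_per_access_port=1):
    """Flag addresses missing from the inventory and access ports carrying more
    hosts than expected (the signature of a rogue AP, hub or switch on the port)."""
    findings = {"unknown": [], "multi_host_ports": {}}
    macs_per_port = defaultdict(list)
    for vlan, mac, port in entries:
        macs_per_port[port].append(mac)
        if mac not in inventory:
            findings["unknown"].append((vlan, mac, port))
    for port, macs in macs_per_port.items():
        if port not in uplink_ports and len(macs) > max_hosts_per_access_port:
            findings["multi_host_ports"][port] = macs
    return findings


if __name__ == "__main__":
    result = audit(parse_mac_table(MAC_TABLE), INVENTORY, UPLINK_PORTS)
    for vlan, mac, port in result["unknown"]:
        print(f"unknown device {mac} on {port} (VLAN {vlan})")
    for port, macs in result["multi_host_ports"].items():
        print(f"{port} is an access port but carries {len(macs)} addresses: {', '.join(macs)}")
```

Run against a real dump pulled over SSH or SNMP, the same two checks catch both the unmanaged device an employee brought in and the port on which somebody hung an access point. The per-port limit can also be enforced by the switch itself with port security (on Cisco IOS, `switchport port-security maximum 1` on the access ports), with this script acting as the independent audit of what the switches actually learned.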
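The dynamic VLAN assignment described in steps 5 and 6 works by the RADIUS server returning three attributes in its Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN) that the switch acts on; NPS sends the same attributes when a network policy is configured with them. The following added example (not from the article, nor from any RADIUS product) builds such an Access-Accept as the server would, following RFC 2865 for the packet and Response Authenticator and RFC 2868/3580 for the tunnel attributes, and shows the check the switch must make on the Response Authenticator before trusting the VLAN the reply carries. The shared secret, packet identifier and Request Authenticator are constructed sample values, and the EAP exchange that precedes the final reply is left out.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 3580: Tunnel-Medium-Type value for IEEE 802
TAG = 0                     # RFC 2868 tag octet; 0 marks the attribute as untagged


def avp(attr_type, value):
    """Encode one attribute: type, total length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet integer."""
    return struct.pack("!B", TAG) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id):
    """The three attributes an 802.1X switch reads to pick the port's VLAN."""
    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", TAG) + str(vlan_id).encode()))


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, vlan_id):
    """Server side: the Access-Accept that places the supplicant in vlan_id."""
    attrs = vlan_attributes(vlan_id)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out = []
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        out.append((attr_type, data[2:length]))
        data = data[length:]
    return out


def switch_accept_and_extract_vlan(packet, request_auth, secret):
    """Authenticator (switch) side: verify the reply is genuine, then read the VLAN.

    Returns the VLAN id, or None if the packet verifies but carries no numeric
    VLAN assignment (the switch then keeps the port's configured VLAN; VLAN
    names, which the attribute may also carry, are not resolved here).
    Raises ValueError when the Response Authenticator does not verify."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    if code != ACCESS_ACCEPT:
        return None
    fields = dict(parse_attributes(attrs))
    # Drop the tag octet from the two integers before comparing the 3-byte values.
    if (fields.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or fields.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")):
        return None
    group = fields.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:   # RFC 2868: a leading octet <= 0x1F is a tag, not data
        group = group[1:]
    return int(group) if group.isdigit() else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample; never reuse in production
    request_auth = bytes(range(16))             # constructed; the real one is random per request
    reply = build_access_accept(ident=7, request_auth=request_auth, secret=secret, vlan_id=20)
    print("switch assigns VLAN", switch_accept_and_extract_vlan(reply, request_auth, secret))
    tampered = bytearray(reply)
    tampered[-1] ^= 1                           # flips the VLAN string "20" to "21" on the wire
    try:
        switch_accept_and_extract_vlan(bytes(tampered), request_auth, secret)
    except ValueError as e:
        print("rejected:", e)
```

The point of the switch-side check is the one that matters for step 6: the VLAN in the reply is only as trustworthy as the Response Authenticator, which binds the reply to the original request and to the shared secret. A weak or widely shared RADIUS secret therefore lets anyone on the path between switch and server forge an Access-Accept that drops a port into any VLAN, which is why the secret deserves the same care as a password and why RADIUS traffic between switches and the server belongs on its own management VLAN.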

Redundancy

Having backup devices in place for any mission-critical components in the network is a form of redundancy. Mission-critical services should run on two identical servers: if one fails, the other can take over, and the same is true while one of them undergoes maintenance. A rule of thumb is to have redundant components and services in place for any part of a network that cannot be down for more than an hour.

Should an organization host its own website, two WAN connections should be in place. Also, having an extra switch, wireless router and a spare laptop on site is a good practice for keeping downtime to a minimum.

Standardization

To ensure that network traffic and connectivity run smoothly, standardization is the route to take. It reduces the cost that comes with maintenance, updates and repairs. If 90% of the employees use the same notebooks with the same word processing and email programs, a software or hardware patch across the organization can be rolled out much less expensively, and much faster when a vulnerability is being fixed, than if everyone used a different computer model with different software installed on each.

Disaster Recovery

Importantly, a detailed disaster recovery plan should be a part of any network design. This should include provisions for back-up power and what procedures should be followed if the network or server crashes. It should also include when data is backed up, how it is backed up and where copies of the data are stored.

Office disasters, building disasters and metropolitan-wide disasters should all be included in a disaster recovery plan. Important data should be backed up daily. There are different backup methods; a common one is a weekly full backup with daily incremental backups. Backup copies should be stored, encrypted, in a secure location off-site in the event of a building disaster such as a fire, and restores should be tested regularly, since a backup that has never been restored is not yet known to work.

Growth

It is not possible to anticipate the growth of an organization precisely; however, allowances for future growth must be built into any network design. Network design should factor in at least 20 percent growth per year, including everything from switch ports to data backup systems.