In defense of good old network design
Network architecture ain't what it used to be, but some tried-and-true principles should never be violated
I've been building networks for the majority of my life at this point, and during most of that time little has changed in terms of basic network architecture. And yet, it seems that newer, faster, and "better" networking components and services are allowing network designs to deviate from the tried and true. In many cases, that's a really bad idea.
I'm showing my gray hair here, but I'll try to avoid any reference to the kids on my lawn or the onion on my belt.
Take a traditional LAN/WAN network for a medium-sized business. Back in the day you'd have a firewall with an external, internal, and a DMZ interface; internal LAN switching; and a few routers driving point-to-point or frame-relay networks to other sites. All the Internet traffic flowed through the headquarters firewall, so there was a single point of egress. If there were backup links, they were likely to be ISDN lines at each site with a terminal server at HQ to call them up if necessary.
The DMZ network was contained on a separate switch, and the various servers on the DMZ were physically connected to that, which was physically connected to the firewall's DMZ interface. Internet connectivity for the whole shebang was one or more T1s with multilink PPP or maybe a fractional T3.
Compared to today, it's a very simple setup. It's also very secure: One point of entry and exit plus physical separation of untrusted networks. And it's simple to trace and fix problems.
Today, that model is withering in the face of mixed-medium bandwidth delivery, realistic remote-office VPN scenarios, and the lack of physical separation. Let's design that same network today. (Remember, this is not how I'd do it, but how I've seen many designed recently.)
At HQ, there's an asymmetric business-class cable service in place for basic Internet browsing, and a symmetric fiber link in place for production business traffic. Both are firewalled separately -- and the firewall on the fiber link has several DMZ networks, all of which are plugged into the same switch, which is cut into non-routable VLANs but trunked to the network core in order to facilitate the array of virtual servers that need presence on those DMZs.
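The design weakness in that last sentence is concrete enough to check for: once DMZ segments exist only as VLANs on a shared switch, the question is which trunk ports carry those VLANs alongside internal ones. The script below is an added example, not code from the column or from InfoWorld; it parses a constructed IOS-style switch configuration (the syntax and the `DMZ-` VLAN naming convention are assumptions for the example) and flags every trunk that carries both DMZ and internal VLANs, treating a trunk with no `allowed vlan` restriction as carrying everything.

```python
"""Audit a switch configuration for trunk ports that mix DMZ and internal VLANs."""
import re

# Constructed sample config in IOS-style syntax; not taken from any real device.
SAMPLE_CONFIG = """\
vlan 10
 name INTERNAL-USERS
vlan 20
 name INTERNAL-SERVERS
vlan 100
 name DMZ-WEB
vlan 101
 name DMZ-MAIL
!
interface GigabitEthernet1/0/1
 description Uplink to network core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100,101
!
interface GigabitEthernet1/0/2
 description Firewall DMZ interface
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/0/3
 description Trunk to virtualization host, DMZ guests only
 switchport mode trunk
 switchport trunk allowed vlan 100-101
!
interface GigabitEthernet1/0/4
 description Unrestricted trunk (no allowed vlan statement)
 switchport mode trunk
"""


def expand_vlan_list(spec):
    """Expand an allowed-VLAN spec such as '10,20,100-101' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return (vlan_names, interfaces) parsed from an IOS-style running config."""
    vlan_names = {}
    interfaces = {}
    current = None  # ("vlan", id) or ("interface", name) for the open stanza
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = ("vlan", int(m.group(1)))
            vlan_names.setdefault(current[1], "")
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = ("interface", m.group(1))
            interfaces[current[1]] = {"mode": None, "allowed": None, "access": None}
            continue
        if current is None or not line.startswith(" "):
            continue
        stmt = line.strip()
        if current[0] == "vlan" and stmt.startswith("name "):
            vlan_names[current[1]] = stmt[5:]
        elif current[0] == "interface":
            iface = interfaces[current[1]]
            if stmt.startswith("switchport mode "):
                iface["mode"] = stmt.split()[-1]
            elif stmt.startswith("switchport trunk allowed vlan "):
                iface["allowed"] = expand_vlan_list(stmt[len("switchport trunk allowed vlan "):])
            elif stmt.startswith("switchport access vlan "):
                iface["access"] = int(stmt.split()[-1])
    return vlan_names, interfaces


def find_mixed_trust_trunks(vlan_names, interfaces, untrusted_prefix="DMZ"):
    """Flag trunk ports that carry both untrusted (DMZ*) and internal VLANs."""
    untrusted = {v for v, n in vlan_names.items() if n.startswith(untrusted_prefix)}
    internal = set(vlan_names) - untrusted
    findings = []
    for name, iface in sorted(interfaces.items()):
        if iface["mode"] != "trunk":
            continue
        # A trunk with no 'allowed vlan' statement carries every VLAN on the switch.
        carried = iface["allowed"] if iface["allowed"] is not None else set(vlan_names)
        dmz = sorted(carried & untrusted)
        inside = sorted(carried & internal)
        if dmz and inside:
            findings.append({"interface": name, "dmz_vlans": dmz, "internal_vlans": inside,
                             "unrestricted": iface["allowed"] is None})
    return findings


def audit(text=SAMPLE_CONFIG):
    """Run the mixed-trust trunk check over a config and return the findings."""
    vlan_names, interfaces = parse_config(text)
    return find_mixed_trust_trunks(vlan_names, interfaces)


if __name__ == "__main__":
    for finding in audit():
        print(f"{finding['interface']}: DMZ VLANs {finding['dmz_vlans']} share trunk with "
              f"internal VLANs {finding['internal_vlans']}"
              + (" (trunk is unrestricted)" if finding["unrestricted"] else ""))
```

On the sample, the core uplink and the unrestricted trunk are reported; the host-facing trunk that carries only DMZ VLANs is not, because a DMZ-only trunk is the VLAN equivalent of the old dedicated DMZ switch. Which VLAN-to-trust mapping applies is a site decision, so the prefix is a parameter rather than a built-in assumption.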