
S 5.60 Selection of a suitable backbone technology

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section, Administrator

The selection of a network protocol for the backbone is a decisive factor for the security and availability of the local network, because the protocol has a major influence on the available bandwidth and performance. If the cabling is planned without commitment to special services (e.g. proprietary solutions; see also T 2.45 Conceptual weaknesses in the network), a change of backbone technology is feasible in principle, even though it requires considerable organisational, personnel and financial effort.

A general recommendation with regard to IT security for a specific backbone technology cannot be given, because many individual aspects have to be taken into account. The advantages and disadvantages of the most common network protocols are given below.

There are four base technologies, Ethernet, Token-Ring, FDDI and ATM, which can be described as follows:

Ethernet

Ethernet technology is defined in the IEEE 802.3 standard and is based on the CSMA/CD (Carrier Sense Multiple Access / Collision Detection) technique. With this technique, all stations are equally entitled to access the transmission medium, although it can only be used by one station at a time. When a station needs to transmit data, it first checks whether the transmission medium is free (carrier sense). If it is, the station starts the data transfer. If several stations start transmitting simultaneously (multiple access), a collision occurs and is detected by the affected stations (collision detection), whereupon the medium is checked again and a renewed attempt at transmission is made.

As CSMA/CD is a stochastic technique, it does not guarantee the availability of any dedicated bandwidth. For this reason it is not very suitable for multimedia applications, for example, which require a fixed bandwidth. Consequently, Ethernet-based networks do not in general ensure any particular Quality of Service (QoS). Gigabit Ethernet systems have a technique similar to QoS.

There are three types of Ethernet which basically differ from each other only in terms of the supported transmission rates:

Token-Ring

Token-Ring technology is defined in the IEEE 802.5 standard and is based on the token passing technique. With this technique, a special data packet (token) travelling on a circular path is used to determine which station may use the transmission medium. When a station receives the token, it occupies the medium and then forwards the token to the next station. This ensures that the medium is only occupied by one station at a time.

In contrast to Ethernet, this deterministic technique prevents stations from having to wait for an indefinite period under high network load before being able to transmit data. Token-Ring makes it possible to specify the maximum waiting period firmly.
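To make the availability contrast between the stochastic CSMA/CD access of Ethernet and the deterministic token passing of Token-Ring concrete, the following simulation is added here; it is not part of the manual. It uses a simplified slotted model (all stations become ready in the same slot) together with the IEEE 802.3 limits of 16 transmission attempts and a backoff window that stops doubling after 10 collisions; the station count, holding time and slot units are constructed assumptions.

```python
import random

ATTEMPT_LIMIT = 16   # IEEE 802.3: a frame is discarded after 16 failed attempts
BACKOFF_LIMIT = 10   # the backoff window stops doubling after 10 collisions


def token_ring_worst_wait(stations: int, hold_slots: int) -> int:
    """Token passing: a station waits at most until every other station has
    held the token for its full holding time (assumed model, in slots)."""
    return (stations - 1) * hold_slots


def csma_cd_waits(stations: int, seed: int) -> list:
    """Slotted CSMA/CD with truncated binary exponential backoff. All stations
    become ready in slot 0; returns the slot in which each station's frame got
    through, or None if it was discarded after ATTEMPT_LIMIT collisions."""
    rng = random.Random(seed)
    backoff = {s: 0 for s in range(stations)}   # idle slots left before retry
    attempts = {s: 0 for s in range(stations)}
    done, slot = {}, 0
    while backoff:
        ready = [s for s, b in backoff.items() if b == 0]
        if len(ready) == 1:                       # carrier free, one sender
            done[ready[0]] = slot
            del backoff[ready[0]]
        elif len(ready) > 1:                      # multiple access: collision
            for s in ready:
                attempts[s] += 1
                if attempts[s] >= ATTEMPT_LIMIT:  # excessive collisions: drop
                    done[s] = None
                    del backoff[s]
                else:
                    backoff[s] = rng.randrange(2 ** min(attempts[s], BACKOFF_LIMIT))
        for s in backoff:                         # waiting stations count down
            if s not in ready and backoff[s] > 0:
                backoff[s] -= 1
        slot += 1
    return [done[s] for s in range(stations)]


def compare(stations: int = 8, hold_slots: int = 4, trials: int = 200) -> dict:
    """Contrast the fixed token-ring bound with the spread of CSMA/CD waits
    over many seeded runs of the same offered load."""
    bound = token_ring_worst_wait(stations, hold_slots)
    waits, dropped = [], 0
    for seed in range(trials):
        for w in csma_cd_waits(stations, seed):
            if w is None:
                dropped += 1
            else:
                waits.append(w)
    return {"token_bound": bound, "csma_min": min(waits),
            "csma_max": max(waits), "csma_dropped": dropped}
```

The token-ring figure is the same in every run, whereas the CSMA/CD waits spread between a minimum and a maximum that depend on the random backoff, and under sufficiently heavy load frames can be discarded altogether.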

A Token-Ring network is usually configured as a physical double-ring, which considerably increases the availability of the network, because, in the event of a failure of a station or an interruption of one of the rings, the faulty point can be bridged by using the other ring.

Token-Ring allows a transmission rate of 4 or 16 Mbit/s, so that for most local networks its use as a backbone technology is no longer recommended either: the available bandwidth is too narrow. In the middle of September 1997, a "High Speed Token Ring Alliance" (HSTR) was founded by several renowned manufacturers to achieve transmission rates of 100 Mbit/s and, at a later stage, 1 Gbit/s. For this purpose, the IEEE 802.5 standard is to be extended by the middle of 1998. As this variant is still being developed, its use is not recommended at present.

FDDI

The FDDI (Fiber Distributed Data Interface) standard was defined in 1989 by ANSI and is based, like Token-Ring, on the token passing technique. However, FDDI additionally makes use of early token release, which forwards the token to the next station immediately after the last data packet has been sent. This reduces the idle times in the ring and helps achieve a higher bandwidth.

FDDI uses optical fibre cables as the transmission medium, and provides a transmission rate of 100 Mbit/s. Due to its high throughput, FDDI is ideal for use in the backbone areas. Additional advantages include the high fault tolerance resulting from the double-ring topology, and the electromagnetic stability arising from the use of optical fibre cables. As opposed to Ethernet, FDDI is also suitable for performance-dependent multimedia applications, because it ensures a maximum delay time.

If both rings are used for data transfer, a transmission rate of as much as 200 Mbit/s is achievable; the advantage of the high fault tolerance is eliminated in this case however, because if one of the rings malfunctions, it is no longer possible to switch over automatically to the other one.

FDDI components are more expensive than Ethernet components offering a similar functionality; for this reason, the benefits derived from the use of FDDI should always be compared with the costs it generates.

FDDI can also be operated on copper cables, in which case it is termed CDDI (Copper Distributed Data Interface).

ATM

ATM stands for Asynchronous Transfer Mode, and involves a transmission technique which is very suitable for use in the backbone area of a network, and which can also supply real-time services in this area.

In ATM, information of all types is transferred in packets of a fixed length, termed cells. The information can consist of any required data, including video and audio data. The standard length of the packets allows the ATM switches to process the cells almost entirely through the use of hardware components, thus achieving a higher throughput. This results in calculable delays during the transfer of any type of information, so that separate bandwidths can be guaranteed for individual applications. ATM is therefore a very suitable technology for multimedia applications, as it guarantees a computable real-time response and, thus, Quality of Service (QoS). This means that the required bandwidths can be allocated statically or dynamically to every connected device.

Transmission as such takes place on the basis of virtual links. No fixed channels are set up between communicating stations; instead, the cells are transferred through the network via routes determined shortly before the cells are generated. This achieves typical transmission rates of roughly 25 Mbit/s, 155 Mbit/s and 622 Mbit/s.

ATM components are still very expensive, so to safeguard investments, efforts should be made to integrate ATM components with the other technologies already existing in the network. However, ATM supports neither broadcasts nor MAC addresses, both of which are prerequisites for the use of most protocol stacks such as TCP/IP and SPX/IPX. Three different solutions to this problem are available:

Furthermore, it must be noted that no compatibility or interoperability is presently guaranteed between ATM components from different manufacturers. A corresponding check is therefore required in each case.

As mentioned at the start, a general recommendation concerning the selection of a suitable backbone technology cannot be made. In addition to security requirements, influential factors here include criteria concerning future orientation, economy, scalability and the integration of existing components.

Depending on the selected protocol, only certain types of cable can be used (e.g. optical fibre cables for FDDI); each cable type is restricted in length (also refer to S 5.2 Selection of an appropriate network topography).

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999