Conventional wisdom has held that routers are the best way to manage the backbone of an
enterprise network. Switches, faster because they don’t have to read information for
each packet, are best for workgroup or LAN-to-LAN environments.

Over the last few years, however, the role of the router and switch have radically
changed. As users have migrated to gigabit-speed network technologies, switches, albeit
often with integrated routing capability, have migrated to the corporate backbone.

At the same time, routers have moved out to the periphery of the network, where users
can take advantage of their advanced security features to move increasing amounts of data
over the public network.

Today, information technology managers who want to set up a router in a branch or
remote office can select from a range of products. As use of the Internet as an
organizational backbone for dispersed offices has picked up, so, too, have vendors efforts
to pack more functionality and features into their products.

Many branch office routers offer features that not so long ago were found only in large
central office devices. As an IT manager, the first choice you’ll face with a branch
office router is its type of connection to the outside world. Assuming a dedicated high
speed T1 line is neither needed nor affordable, you will have two technologies to choose
from for moderate-speed, low cost communications.

Integrated Services Digital Network is the here-and-now technology.

At most local telephone companies, ISDN is made up of two 64-Kbps B, or bearer,
channels and a single 16-Kbps D, or signaling, channel. For small branch offices that need
reliable access to the Internet, ISDN offers two significant advantages over conventional
dial-up modems: As a digital connection, it eliminates noise associated with analog
devices, and by aggregating the two B channels, you can get a single line capable of
128-Kbps data rates.

ISDN isn’t the only game in town, however. IT managers expecting significantly
higher bandwidth requirements down the road are taking a close look at digital subscriber
line technology. Although DSL also runs over ordinary telephone lines, it offers data
rates significantly higher than those of ISDN.

Anticipation of the technology has run high. But it has been hampered by
slower-than-expected deployment by phone carriers, a lack of standards and equipment
compatibility issues. So far, the technology has been more hype than reality.

DSL’s time may be near, however. Phone companies are rapidly ramping up service,
and vendors are developing a new generation of less expensive products. The momentum is
picking up so fast, analysts for market researchers such as Cahners In-Stat Group of
Scottsdale, Ariz., predict that the number of users of the most widely used versions of
DSL—asynchronous DSL—will jump from 25,000 subscribers in 1997 to more than 3
million next year.

Part of the confusion surrounding DSL technology stems from its many derivatives. Early
adopters of the technology have primarily implemented ADSL, a version that offers data
rates of up to 1.5 Mbps for downloading off the Internet, but slower 100-Kbps to 384-Kbps
speeds for uploading. Versions of DSL, such as G.lite (universal DSL), high-bit-rate DSL
and very-high-data-rate DSL, have different advantages. Small organizations and branch
offices are opting for yet another version of the technology—symmetrical DSL.

SDSL offers relatively high data rates—384-Kbps—in both directions. “It
fits businesses very well because they generate as much information as they receive,”
said Chuck Waggoner, president of router vendor FlowPoint Corp.

If any single feature is key to a branch office router, it’s ease-of-use.
That’s even more important in the branch or small office market particularly given
that, more often than not, IT personnel will be housed in the central office.

Most vendors are designing routers with those needs in mind. Reflecting the large
majority of installed networks, for example, most vendors offer Ethernet connectivity on
the LAN side. Some vendors integrate a multiport Ethernet hub, which lets small branch
offices connect not only to the main office, but to each other as well, in a plug-and-play

But the greatest advancements in simplifying setups have come from software features,
particularly as the world has quickly migrated to the Internet Protocol. Features such as
Dynamic Host Configuration Protocol (DHCP) help you manage your IP addresses for client
PCs by automatically assigning IP addresses to all systems connected to the router and
eliminating the need to go to each PC and give it an IP address, gateway address or subnet

Other features simplify the setup of a private IP addressing scheme. Network Address
Translation, for instance, allows either internal IP addresses to be mapped to external
ones on the WAN side, or it allows all IP addresses on the LAN side to share one IP
address on the WAN side.

That capability not only lets you save money by connecting more than one PC while using
a single log-on, but translates your hidden addresses to a valid one. Similarly on the WAN
side, a DHCP client can ask the central site to automatically assign IP addresses.

A second feature, called Port Address Translation, maps TCP and User Datagram Protocol
applications, such as Microsoft Netmeeting and Real Networks’ RealPlayer, through the
router. It’s important to note, however, that not all PAT implementations are the
same, and some routers offer only limited support.

Plug-and-play enhancements don’t stop there. Some routers go further and add
firmware configurability features that let the same hardware device support different
customer premise equipment (CPE) from the same device.

With no single standard for technologies such as SDSL, organizations may have to
support different CPE devices from multiple vendors to ensure compatibility with the DSL
access multiplexer (DSLAM) equipment deployed by the competitive local exchange carrier in
each region. Instead of having to install, configure and troubleshoot up to 10 CPE
devices, agencies can use a single device and change the configuration of the router as
the DSLAM changes.

With a simple firmware upgrade, the user can take a device supporting ATM over the DSL
loop, for example, and reconfigure it to support frame relay. This not only cuts the cost
of equipment, but allows organizations to set up standard installation and configuration
procedures and dramatically reduce installation time and support costs.

Network management capabilities are another important point to consider. Simple Network
Management Protocol is a communications protocol used at the intermediate network layers
to debug and manage network devices and connectivity. With it, an IT department in a
central office can monitor and manage a device remotely. Code can be updated and
performance monitored through an SNMP or Telnet connection.

In routing and bridging capability, most products will support all major protocols used
today. But it’s important to look for support for Routing Information Protocol, RIP2,
Internet Packet Exchange and Institute of Electrical and Electronic Engineers bridging.

Take a close look at bandwidth optimization features as well. In the ISDN world,
features such as dial-on-demand, bandwidth-on-demand and Multilink Point-to-Point Protocol
are common.

Dial-on-demand reduces ISDN connect charges by making a connection only when the user
needs to access a resource that is not on the local network. Bandwidth-on-demand works in
conjunction with Multilink PPP to access the second B channel when utilization level
reaches a predefined point. A few vendors have also begun to support an ISDN specification
called Always On/Dynamic ISDN. AO/DI uses unused bandwidth on the 16-Kbps D channel.

Another factor to consider is the impact of Internet telephony. Sending voice traffic
over the Internet will offer significant savings for organizations of all sizes. But most
government agencies would probably find the quality of service disappointing, given what
they’ve come to expect with the public telephone network.

Router vendors are just beginning to address these needs by integrating features into
their devices that let the router provide the reliability and functionality of the public
telephone network while offering savings by operating over the Internet.

“It’s probably going to be a required feature in a year or so,” said
Thom Holder, product line manager for Intel Corp.’s Network Communications Group.

Secure enough? One of the most difficult issues to assess in a branch or small office
router is security. As agencies increasingly use the public Internet to tie branch offices
to central sites, security concerns grow. Virtually all branch office routers offer some
basic filtering. But a full-featured firewall, often offered as a software option, may
make more sense for an office concerned about external network breaches.

The best way to ensure secure transmittal of data over the Internet between a branch
and central office is via a virtual private network, a private data network that uses the
public telecommunication infrastructure.

A VPN secures data by encrypting it before sending it through the public network and
decrypting it at the receiving end. Although a number of protocols have been developed,
the industry appears to be moving toward support for a protocol called IPSec.

“Other protocols may not provide the robustness of security needed for
branch-to-branch or central office connectivity,” Holder said. Consider this a
must-have feature if you’re planning to transmit sensitive data over the Internet.

Extending the agency network to a branch office over the public Internet is a surefire

Market researchers estimate that an organization can save up to 60 percent of operating
costs by using an Internet approach instead of a private network. But anyone choosing that
route had better place security at the top of the priority list.

A variety of security options are available, but the security solution du jour is
clearly the virtual private network. Using the Internet as a backbone, a VPN can securely
and cost-effectively connect an organization’s offices, telecommuters, mobile
workers, customers, partners and suppliers through a tunneling protocol and security

Ideally, it offers the same level of availability, performance and security as private
networks but with the added benefits of cost savings, scalability and manageability. But
most industry observers admit VPNs have a way to go to reach that goal.

The tunnel is the path that a given company message or file travels over the Internet.
Typically, data is encrypted before traveling over the public network and decrypted at the
receiving end. In some cases, the originating and receiving network addresses also are

A variety of tunneling specifications or methods have been developed to create VPNs.
Microsoft Corp. has built its Point-to-Point Tunneling Protocol into its Windows NT
Server; Cisco Systems Inc. has embedded its Layer 2 Forwarding Protocol into its

But the industry is quickly falling in line behind a standard approach: the IP Security
Protocol, developed by the Internet Engineering Task Force. “It looks like that is
the way everyone is going,” said Chuck Waggoner, president of router vendor FlowPoint

The new spec is attractive because it specifies several layers of security. It also
specifies use of an authentication header, which verifies the origin of data and checks
data integrity, and an encapsulating security payload that provides embedded support for

IPSec also uses the Internet Security Association and Key Management Protocol for
standardizing establishment of security relationships between clients and servers as well
as distribution of encryption keys.

Meanwhile, debate is heating up over whether tunneling and encryption should be handled
as simple software add-ons to an existing router or implemented in dedicated hardware.

As bandwidths rise and encryption grows increasingly complex and takes up more of the
host CPU’s resources, don’t be surprised to see a VPN end up as a specialized

John H. Mayer writes about networking and high-end computing in Belmont, Mass.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above