Considerations for Implementing Corporate Intranets Nathan J. Muller

Transcription

1 Considerations for Implementing Corporate Intranets Nathan J. Muller Payoff Assessing whether the corporate network has the capacity to support an intranet is a top priority for many network managers. This article explains how to evaluate and improve network performance, accommodate intranet traffic demands, secure a new intranet, and in general, create an intranet environment that is flexible and integrated. Introduction A corporate intranet entails the deployment and use of Internet technologies such as the Web, , and TCP/IP on a closed private network within one organization or within a group of organizations that share common relationships. Because intranets are based on TCP/IP networking standards, they can include anything that uses this protocol suite, including existing client/server technology and connectivity to legacy host systems. Companies can benefit from Internet technology and avoid its drawbacks particularly, its lethargic performance and lack of security. Intranets support communication and collaboration; information retrieval, sharing, and management; and access to data bases and applications. None of these functions is new, but the promise of an intranet is that it can use Internet and World Wide Web technologies to do things better than before. For example, according to Microsoft Corp., Netscape Communications Corp.,Oracle Corp., and Sun Microsystems, Inc., a Web browser could become the standard interface used to access data bases, legacy applications, and data warehouses throughout the enterprise. In this scenario, the thin client (i.e., the browser)can make applications easier to maintain, desktops easier to manage, and substantially trim the IT budget. A company's customers, suppliers, and strategic partners in turn can benefit from the improved communication, greater collaboration, and reduced IT expenditure associated with implementing an intranet. They can even access each other's intranet services directly, which would speed decision making as well as save time and money. Achieving these benefits comes from properly implementing an intranet, which is far from straightforward. One of the more difficult issues to resolve is intranet content determining what information will be presented, where it will come from, how its accuracy will be ensured, and how often it will be updated. The resources must be available to do this extra work. Intranet content development is beyond the scope of this article, however. The focus here is on specific issues of network and server management. First, resources must be available to establish the service, to establish the Transmission Control Protocol/Internet Protocol (TCP/IP) network over which it runs, and to train users. Second, the impact on existing systems must be considered. This includes, for example, the capacity of the current network to support an intranet, the future usefulness of existing legacy systems, and the availability of hardware to run multimedia applications.

2 Fat Versus Thin Clients Corporate intranets provide an opportunity to ensure universal access to applications and data bases while increasing the speed of applications development, improving the security and reliability of the applications, and reducing the cost of computing and ongoing administration. Fat and thin refer primarily to the amount of processing being performed. Terminals are the ultimate thin clients because they rely exclusively on the server for applications and processing. Standalone PCs are the ultimate fat clients because they have the resources to run all applications locally and handle the processing themselves. Spanning the continuum from all-server processing to all-client processing is the client/server environment, where there is a distribution of work between the different processors. Traditional Client/Server. A few years ago, client/server was thought to be the ideal computing solution. Despite the initial promises of client/server solutions, today there is much dissatisfaction with their implementation. Client/server solutions are too complex, desktops are too expensive to administer and upgrade, and the applications are still not secure and reliable enough. Furthermore, client/server applications take too long to develop and deploy, and incompatible desktops prevent universal access. As companies discover the benefits of private intranets and new development tools such as Java and ActiveX, as well as various scripting languages such as JavaScript and VBScript, they can use these tools to redefine the traditional models of computing and reassess their IT infrastructure. Java-Enabled Browsers Browsers that are used to navigate the World Wide Web are usually thin clients when they render documents sent by a server. The special tags used throughout these documents, known as the hypertext markup language (HTML),tell the browser how to render their contents on a computer screen. However, browsers can get very fat when other components are sent from the server for execution within the browser. These components can be specialized files with audio or video that are interpreted by plug-ins registered with the browser. When the browser comes across an HTML tag that specifies a file type that is associated with one of these plug-ins, the application is automatically opened within the browser, permitting an audio or video stream to be played instantly without the user having to download the file to disk and open it with an external player. Applets Another way that the browser can become fat is by absorbing Java applets that are downloaded from the server with the HTML documents. Applets are small applications designed to be distributed over the network and are always hosted by another program such as Netscape's Navigator or Microsoft's Internet Explorer, both of which contain a virtual machine (VM) that runs the Java code. Because the Java code is written for the virtual machine rather than for a particular computer or operating system, by default all Java programs are cross-platform applications. Java applications are fast because today's processors can provide efficient virtual machine execution. The performance of GUI(GUI) functions and graphical applications are enhanced through Java's integral multithreading capability and just-in-time (JIT)

3 compilation. The applications are also more secure than those running native code because the Java runtime system part of the virtual machine checks all code for viruses and tampering before running it. Applications development is facilitated through code reuse, making it easier to deploy applications on the Internet or corporate intranet. Code reuse also makes the applications more reliable because many of the components have already been tested. ActiveX and Java Another way the browser can be fattened up is by bulking up on components written in ActiveX, Microsoft's answer to Sun's Java. Like Java, ActiveX is an object-oriented development tool that can be used to build such components as Excel spreadsheet interpreters and data entry programs. Functionally, the two development tools are headed for increasing levels of convergence. For example, the Microsoft Java VM is an ActiveX control that allows Microsoft Internet Explorer 3.0 users to run Java applets. The control is installed as a component of Internet Explorer 3.0. The Java VM supports integration between other ActiveX controls and a Java applet. In addition, the Java VM understands the component object model (COM) and can load COM classes and expose COM interfaces. This means that developers can write ActiveX controls using Java. Scripting Languages Browsers can also fatten up by running functions written in scripting languages like Netscape's JavaScript and Microsoft's VBScript. VBScript is a Web-adapted subset of Visual Basic for Applications (VBA), Microsoft's standard Basic syntax. Both JavaScript and VBScript are used to manipulate HTML from objects like check boxes and radio buttons, as well as add pop-up windows, scroll bars, prompts, digital clocks, and simple animations to Web pages. The important thing to remember about these tools is that the features they create rely on scripts that are embedded within the HTML document itself, initiating extensive local processing. Browsers are becoming universal clients, so much so that Microsoft's next release of Windows 95 will even have the look and feel of a browser. Most PCs today come bundled with a browser. Several vendors, including Microsoft, have endorsed the idea of offering a new breed of computer that relies on a browser as the graphical user interface, Java or ActiveX as the operating system, and servers for the applications. With Java and ActiveX, a network-centric computing solution is emerging that can potentially offer major improvements in simplicity, expense, security, and reliability versus many of the enterprise computing environments in place today. Feeding Client Applications How fat the client is may be less important than how the code is delivered and executed on the client machine. Because Java applications originate at the server, clients only get the code when they need to run the application. If there are changes to the applications, they are made at the server. Programmers and network administrators do not have to worry about distributing all the changes to every client. The next time the client logs onto the server and accesses the application, it automatically gets the most current code. This method of delivering applications also reduces support costs. Fat may be interpreted as how much the client application has to be fed in order to use it. For example, a locally installed emulator may have the same capabilities as a

4 network-delivered, Java-based emulator, but there is more work to be done in installing and configuring the local emulator than the Java-based emulator that is delivered each time it is needed. The traditional emulator takes up local disk space whether it is being used or not. The Java-based emulator, in contrast, takes no local disk space. ActiveX components are a cross between locally installed applications and network-delivered applications. They are not only sent to the client when initially needed, but are also installed on the local disk for future use. Local disk space is used even if the component was only used once and never used again. Updates are easy to get because they can be sent over the network when required. With Java, the component is sent each time it is needed unless it is already in the browser's cache. This makes Java components instantly updatable. Because Java is platform-independent, a Java-based T27 emulator for Unisys hosts or a 3270 emulator for IBM hosts, for example, can run on any hardware or software architecture that supports the Java virtual machine. This includes Windows, Macintosh, and UNIX platforms as well as new network computers. Thus, any Java-enabled browser has access to legacy data and applications. Cost Issues. As with most issues, the answer is it depends. There is no right answer for all applications and all environments. Each has advantages and disadvantages, so it is necessary to do a cost/benefits analysis first. Even if a significant number of desktops must stay with the fat-client approach, there still may be enough incentive to move the others to the thin-client approach. According to The Gartner Group (Stamford CT), the annual cost of supporting fat clients Windows 95/NT, UNIX, OS/2, and Macintosh is about$11,900 per seat. Substantial savings could be realized for as many as 90%of an enterprise's clients, with only 10% of users needing to continue with a fat client for processing-intensive applications. Thus, the support costs for moving from a fat-client to a thin-client architecture could be as much as $84.6 million annually for a company with 10,000 clients. Improving Network Performance Intranets are becoming pervasive because they allow network users to easily access information through standard Web browsers and other World Wide Web technologies and tools to provide a simple, reliable, universal, and low-cost way to exchange information among enterprise network users. However, the resulting changes in network traffic patterns require upgrading the network infrastructure to improve performance and prevent slow network response times. The corporate network may need to be upgraded to accommodate: The graphical nature of Web-based information, which significantly increases network traffic and demands greater network bandwidth. The integration of the Internet Protocol (IP) throughout the network. Easier access to data across the campus or across the globe, which leads to increased inter-subnetwork traffic that must be routed. New, real-time multimedia feeds that require intelligent multicast control. LAN switches traditionally operate at layer 2 of the OSI model, or the data link layer, providing high-performance segmentation for workgroup-based client/server

5 networks. Routing operates at layer 3, or the network layer, providing broadcast controls, WAN access, and bandwidth management vital to intranets. Most networks do not contain sufficient routing resources to handle the new inter-subnetwork traffic demands of enterprise intranets. The optimal solution intranet switching is to add layer 3 switching, the portion of routing functionality required to forward intranet information between subnetworks, to existing layer 2 switches. This solution allows network managers to cost-effectively upgrade the layer 3 performance in their networks. This is the approach being taken by new intranet switches and software upgrades to existing switches. Intranet Switching Intranets are increasingly being used to support real-time information, such as live audio and video feeds, over the network. These multimedia feeds are sent to all subscribers in a subnetwork, creating increased multicast traffic and impeding network performance by consuming ever-greater amounts of bandwidth. Intelligent multicast control provided by intranet switches helps organizations conserve network bandwidth by eliminating the propagation of multicast traffic to all end stations in a subnetwork. The intranet switches monitor multicast requests and forward multicast frames only to the ports hosting members of a multicast group. Most enterprise networks use multiple protocols. Intranets are IP-based, requiring IP on all intranet access systems throughout the network. To ease IP integration, intranet switching supports protocol-sensitive virtual local area networks (VLANs), which allows the addition of IP without changing the logical network structure for other protocols. By combining IP and ATM routing through integrated private network-to-network interface (I-PNNI) signaling, network management is simplified because only one protocol is managed rather than two. Providing this unified view of the network by implementing a single protocol leads to better path selection and improved network performance. To accommodate intranet traffic demands, increased switching capabilities must be added to both the edge of the network and to the backbone network. Many organizations are using intranets for mission-critical applications, so the backbone technology must deliver superior performance, scalability, and a high degree of resiliency. For these reasons, asynchronous transfer mode (ATM) may be the optimal choice for the core technology for intranet switches. Intranet Operating System As today's networks assimilate additional services originally developed for the global Internet, they are gaining new flexibility in the ways they provide access to computing resources and information. Network operating systems make this easier to accomplish greater information sharing by providing integral access to intranet resources such as Web servers, FTP (FTP) servers, and WAN connections to the Internet. Novell Inc.'s IntranetWare offering, which is built on the NetWare 4 network operating system, provides both IP and IPX access to intranet resources, for example. IntranetWare IntranetWare incorporates all of the networking services of NetWare 4.11,such as Novell Directory Services (NDS), symmetric multiprocessing (SMP),and core file and print services with new intranet and Internet capabilities. These solutions include a highperformance NetWare Web Server 2.5, FTP services(the Internet-standard method for

6 allowing users to download files on remote servers via the Internet), Netscape Navigator, an IPX-to-IP gateway to provide IPX users with access to all IP resources (including World Wide Web pages), and integrated wide-area routing to connect geographically dispersed LANs to a corporate intranet or to the greater Internet. At the heart of IntranetWare's management is NDS, which allows administrators to manage a network from any workstation and provides sophisticated access controls for all the resources on the intranet. With the centralized administration enabled by NDS, organizations can contain management and administration expenses, which are the primary costs of operating a network. IntranetWare also qualifies for C2 network security certification, enabling the complete network server, client, and connecting media to be completely secure. IntranetWare's routing capabilities let corporations extend their intranets to branch offices and to connect to the Internet via ISDN (ISDN), frame relay, ATM, or leased-line connections. Add-on software from Novell allows mainframe and midrange computers to become a part of the corporate intranet. IntranetWare provides comprehensive client support for DOS, Windows, Windows 95, Windows NT, Macintosh, OS/2, and UNIX workstations. The Ever-Present Firewall A firewall is server software that protects TCP/IP networks from unwanted external access to corporate resources. With a firewall, companies can connect their private TCP/IP networks to the global Internet or to other external TCP/IP networks and be assured that unauthorized users cannot obtain access to systems or files on their private network. Firewalls can also work in the opposite direction by controlling internal access to external services that are deemed inappropriate to accomplishing the company's business. Firewalls come in three types: packet filters, circuit-level gateways, and application gateways. Some firewall products combine all three into one firewall server, offering organizations more flexibility in meeting their security needs. Packet Filtering With packet filtering, all IP packets traveling between the internal network and the external network must pass through the firewall. User-definable rules allow or disallow packets to be passed. The firewall's GUI allows systems administrators to implement packet filter rules easily and accurately. Circuit-Level Gateway All of the firewall's incoming and outgoing connections are circuit-level connections that are made automatically and transparently. The firewall can be configured to permit a variety of outgoing connections such as Telnet, FTP, WWW, Gopher, America Online, and userdefined applications such as mail and news. Incoming circuit-level connections include Telnet and FTP. Incoming connections are only permitted with authenticated inbound access using one-time password tokens. Applications Servers Some firewalls include support for several standard application servers, including mail, news, WWW, FTP, and DNS(DNS). Security is enhanced by compartmentalizing these

7 applications from other firewall software, so that if an individual server is under attack, other servers/functions are not affected. To aid security, firewall offer logging capabilities as well as alarms that are activated when probing is detected. Log files are kept for all connection requests and server activity. The files can be viewed from the console displaying the most recent entries. The log scrolls in real time as new entries come in. The log files include: Connection requests. Mail log files. News log files. Other servers. Outbound FTP sessions. Alarm conditions. Administrative logs. Kernel messages. An alarm system watches for network probes. The alarm system can be configured to watch for TCP or user datagram protocol (UDP) probes from either the external or internal networks. Alarms can be configured to trigger , pop-up windows, and messages sent to a local printer, or halt the system upon detection of a security breach. Another important function of firewalls is to remap and hide all internal IP addresses. The source IP addresses are written so that outgoing packets originate from the firewall. The result is that all of the organization's internal IP addresses are hidden from users on the greater Internet. This provides organizations with the important option of being able to use non-registered IP addresses on their internal network. By not having to assign every computer a unique IP address and not having to register them for use over the greater Internet, which would result in conflicts, administrators can save hundreds of hours of work. Intranet Server Management Intranets bring together yet another set of technologies that need to be managed. Instead of using different management systems, organizations should strive to monitor and administer intranet applications from the same console used to manage their underlying operating system software and server hardware. This is a distinct advantage when it comes to ensuring end-to-end availability of intranet resources to users. For example, the hierarchical storage management capabilities of the Unicenter platform from Computer Associates can be extended to HTML pages on a Web server. HTML pages that are not accessed from the server for a given period of time can be migrated to less costly near-line storage. If a user then tries to access such a page, storage management directs the query to the appropriate location. Some enterprise management vendors are turning to partnerships to provide users of their management platforms with data on intranet server performance. For example, Hewlett-Packard Co. and Cabletron Systems, Inc. have joined with BMC Software Inc. to

8 provide application management software that monitors Web-server performance and use. The software forwards the data it collects to management consoles, such as HP's OpenView and Cabletron's Spectrum, in the platforms' native format or as basic SNMP(SNMP) traps. Instead of looking at their internal Web sites in an isolated way, this integrated method allows full-fledged enterprisewide applications management. IBM's Tivoli Systems unit provides Web server management through a combination of its internally developed applications and software from net.genesis Corp. Tivoli is also working with IBM Corp. and SunSoft, Inc. to develop the Internet Management Specification (IMS) for submission to the Desktop Management Task Force. IMS would provide a standard interface for monitoring and controlling all types of Internet and intranet resources. IP Administration Managing Web servers is only one aspect of keeping an intranet up and running. IP administration can also become unwieldy as intranets lead to a proliferation of devices and addresses. Intranet-driven IP administration can be facilitated by dynamic host configuration protocol (DHCP) software, which streamlines the allocation and distribution of IP addresses and insulates network operators from the complexity of assigning addresses across multiple subnetworks and platforms. Because intranets depend on the accurate assignment of IP addresses throughout a company, such tools are invaluable to ensuring the availability of resources. Managing Bandwidth Intranets also have the potential to significantly increase traffic, causing bandwidth problems. For some technology managers, the obvious concern is that bandwidth for vital business applications is being consumed by less-than-vital intranet data. Users access files that may contain large graphics files, and that alone has created a tremendous bandwidth issue. As Web servers across an enterprise entice users with new content, intranets also can alter the distribution patterns of network traffic as users hop from one business unit's intranet server to another's and as companies make it easier to access information and applications no matter where they may be located. A Policy-Based Solution More servers and bandwidth can be added and the network itself can be partitioned into more subnetworks to help confine bandwidth-intensive applications to various communities of interest. But these are expensive solutions. A policy-based solution can be just as effective, if not more economical. To prevent these applications from wreaking too much havoc on the network infrastructure, companies can issue policies that establish limits to document size and the use of graphics so that bandwidth is not consumed unnecessarily. These policies can even be applied to servers, where the server can be instructed to reject messages that are too long or which contain attachments that exceed a given file size. Conclusion Companies that have implemented intranets are gradually finding that they are able to use Internet technologies to communicate and link information internally and externally in ways that were not possible before. Many other companies may be tempted to jump on the

9 intranet bandwagon using the fastest means possible. This tactic may meet basic requirements, but it often does not take into account future network growth, the advantages gained by leveraging existing data and resources, or how to add new intranet-enhancing products as they become available. These considerations demand that intranets be flexible, open, and integrated. Any time a company makes information accessible to a wide group of people or extends an intranet to suppliers or vendors, it must establish appropriate security mechanisms, ranging from firewalls to access control to authentication and encryption. In addition, network manager upgrade the network infrastructure to support the increased traffic that will flow over the intranet and maintain acceptable network response times. Despite the allure of corporate intranets and their benefits, companies will not be able to move rapidly toward the kind of full-fledged intranet being predicted by some vendors, with a single browser-type interface and thin clients that download applications and data all at once. For some considerable time to come, intranets, as defined by the browser suppliers, will be distinct from and complementary to existing systems. Author Biographies Nathan J. Muller Nathan J. Muller is an independent consultant in Huntsville AL specializing in advanced technology marketing and education. In his 25 years of industry experience, he has written extensively on many aspects of computers and communications. He is the author of 12 books and more than 1,000 articles. His latest book is Network Planning, Procurement& Management (New York: McGraw-Hill, 1996).