Advanced networking for small business

Steve Cassidy | Sep 5, 2007 10:05 AM
Cutting edge technology is bringing powerful enterprise-grade solutions to the small and medium business sector. Read on for tips, analysis and tutorials about how you can take advantage.
Setting up Intel's Centrino Pro for the SMB

Intel’s AMT technology allows remote troubleshooting of PCs down to BIOS-level configuration, with ‘out of band’ access, now available via Wi-Fi. We explain how.

Intel’s Graham Tucker is a technology enthusiast. When PC Authority arrived to tour the new features of Centrino Pro, the notebook counterpart to Intel’s Vpro, he was full of excitement. Ordinary people may not become so excited about technology for desktop support and administration, but then, most people never rise to the position of Senior Technical Manager for Intel Australia.

“Australia’s really embracing this (Vpro),” he enthused. “There’s real engineering behind the marketing.”

How does Centrino Pro differ from the pre-existing Intel Vpro, the tool for remote desktop administration?

“You can use wireless controllers for Out Of Band (OOB) access. That’s the difference with Centrino Pro,” says Tucker. Centrino Pro is also aimed at notebook computers.

Running Out Of Band means that the Vpro functions can be activated in any power state. They are OS agnostic, they operate regardless of the state of the OS (including a corrupted or non-functioning one), and they add an additional layer of security.

“You can’t hack the agent,” said Tucker proudly.
The Intel Management Engine uses an Xscale processor, an integrated microcontroller on the PC motherboard that is independent of the computer’s CPU and main functions. This is the additional hardware that Vpro and Centrino Pro computers add, and it is what allows an administrator to remotely repair and update them. It includes a small amount of flash memory, which stores the Windows Event Log and system configuration data. Again, that’s defended from interlopers.

“There’s an isolated piece of RAM that the microcontroller uses,” says Tucker. “It’s not addressable; there’s no way to hack that.”

Mr Tucker also explained that using Centrino Pro in an enterprise setting, with software suites provided by Altiris or other providers, allows each machine to be authenticated with public key cryptography.

Serial Over LAN (SOL) is the standard method of console access, and all communications in the administration channel can be encrypted with Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An insider trying to break into a machine’s AMT interface by guessing passwords is locked out after three attempts. These already fairly comprehensive security functions are set to be hardened in the short term.

“In the second half of this year (2007), we’re releasing AMT 3.0, with enhanced security and manageability. That’s in the road map,” said Tucker.

“LaGrande technology has now been renamed to TXT (Trusted eXecution Technology), in the marketing,” Tucker elaborated.

Extensive work has been done to ensure Windows system compatibility. Referencing Microsoft Systems Management Server (SMS), Mr Tucker gave PC Authority a rare insight into collaborative technology development between Intel and Microsoft.

“We did all the (integration) development for SMS. We wrote all the software and a stand-alone server. So Microsoft are right behind it. They’re a bit slow off the mark, but they’re right behind it,” he said.

Remote repair with Vpro

Using the free AMT web interface
Accessing computers for AMT administration is as simple as firing up Internet Explorer, typing in the target computer’s IP address and adding the port number 16992 (e.g. 192.168.0.12:16992); port 16993 is the equivalent TLS-protected (HTTPS) interface. Graham made a point of accessing this on a target computer that was in sleep mode, to illustrate that the AMT functions are completely independent of the PC’s resources. Instantly, the AMT interface appeared, much like the ROM-based web interface of a router or network switch. Logging in as the administrator, you are forced to use a strong password of at least eight characters. (This would be pre-configured on the target machine by accessing the MEBx, a BIOS-like pre-boot environment that services the Vpro configuration.)

A feature missing from the free AMT web interface is IDE redirection, which is included with the enterprise software suites, and the AMT Commander application.

Using Landesk Management Suite
Graham Tucker also gave us a short demo of the enterprise-grade Landesk Management Suite running under Windows Server 2003, with SQL Server 2005 as the back end. It has the capability to automatically discover new systems added to the network.

“Once it discovers a system, you add it to the inventory,” explained Tucker.
“This is the difference between the enterprise and SMB: you get these all-singing, all-dancing reporting functions,” he quipped.

“In enterprise mode, there’s an automatic setup process. In SMB mode, it’s all manual setup in the BIOS.” Hence, enterprise mode is the way to avoid repetitive deskside visits, even for initial Vpro configuration. Even an initial fifteen or twenty minutes per machine at the deskside can rapidly mount up for large rollouts, as anyone who has done it can attest. Do that for just three machines and that’s one hour out of the day. How many machines are you rolling out?

Remote Vpro access
One advantage of Vpro in the SMB environment is for those companies that choose to have an IT department on contract, at an external location. They may already use in-band tools to configure systems at the client’s location, but Vpro allows them to extend their work to the AMT’s Out Of Band functions, for repairing the drive image, operating system or BIOS settings.

For remote administration, the client’s firewall would of course have to allow traffic on the Vpro ports – 16992 and 16993 – to flow freely. “You’d have to open those ports,” said Tucker.

For SMBs, most commercial broadband accounts will generally pass all ports by default, but of course the corporate firewall may not. You may also require a static IP address. Bear in mind that 16992 carries the plain HTTP version of the AMT interface, while 16993 is the TLS-protected version. If AMT must be reachable from the Internet, open only the TLS port, and restrict it to the contractor’s source addresses rather than the whole Internet: this interface sits below the operating system, so no firewall software running on the PC will see that traffic.


Console redirection

During boot, with console redirection you can view the remote machine’s BIOS output, even down to replicating the correct text colours. This view is fully interactive at about 15 fps. You can press keys at the appropriate times to enter the various BIOS or MEBx menus, too, all while the machine could be hundreds or thousands of kilometres away.

You can also elect to boot the remote machine from an ISO image held on your local machine or, for example, from a disc in your local optical drive. Basically, you have maximum flexibility at every turn.

Throughout your remote control, the user’s keyboard can be disabled. There’s nothing worse than trying to compete with the keystrokes of a trigger-happy helpdesk customer, who wants to “help”.

“BIOS access can be locked from the user perspective,” said Tucker. However, the controlled environment goes further, due to the inherent risk to modern companies from within. “There’s the potential for service guys to run amok here,” said Tucker. “You can set up access lists and permissions.” This allows access to the Vpro functions on particular computers to be granted selectively.

Another feature Tucker demonstrated was PXE (Preboot eXecution Environment) boot, for situations where the hard drive has entirely failed. Although replacing the drive requires a deskside visit, the time spent can be minimised: the technician can simply replace the dead drive then walk away, as the system can be remotely set to download a new OS image from the network automatically.

Using the free AMT Commander tool
In an enterprise environment, you’ll likely be using an advanced software solution from Altiris or HP for remote system repair with Vpro. However, in the SMB environment, you can augment your functions (beyond the basic web-based AMT interface) by downloading a free tool from Intel called the AMT Commander. This is available from this page: http://softwarecommunity.intel.com/articles/eng/1034.htm
It is listed on this page as the ‘Intel AMT Developer Tool Kit’, or DTK. Source code for the program is also available if you have the skills and inclination to extend it.

As it is officially a “demonstration” program, the AMT Commander doesn’t have enhanced reporting functions, nor is it particularly scalable. However, it does add network filters and policies. For example, these could be used to enforce the automatic shutdown of a user’s virtualised NIC, stopping bandwidth hogs in their tracks.

The key additional legwork that SMB customers will be doing involves the initial BIOS and MEBx configuration of machines to allow Vpro administration. With an enterprise solution, this step is automated through AMT provisioning.
“Enterprise customers want to receive machines, and not have to fiddle around with BIOS,” said Tucker. The technician should be able to unpack the computer, plug it all in, and walk away.

The Vpro horizon
Obviously, to make effective use of technology like Vpro and Centrino Pro, the entire computer population or ‘fleet’ should have Vpro built in. Of course, not all companies are going to junk every system in the inventory just to have Vpro functionality across the board. As a result, Vpro is only now starting to reach the installed numbers needed for IT departments to start treating it as the default.

“The fleets are growing,” says Graham Tucker. “No one replaces the whole fleet in one go. People are now switching it on (Vpro) and starting to use it.”

As a smallish set of affordable components built into the motherboard, investing in Vpro-enabled computers will pay for itself, according to Tucker. “In the life of the machine, if you only save one deskside visit, you’ve paid for Vpro,” he said.

Finally, Mr Tucker gave PC Authority a glimpse into future Centrino standards, which will incorporate the final WiMAX standard for wireless broadband.
“We’ll have a WiMAX implementation on Centrino notebooks in Q1 of next year,” he said.

Centrino Pro Lingo
AMT – Active Management Technology, Intel’s out-of-band remote management technology.

IPMI – Intelligent Platform Management Interface, a standard for remote systems administration.

ODM – Original Design Manufacturer (compare OEM, Original Equipment Manufacturer).

MEBx – Management Engine BIOS eXtension, a pre-boot environment for configuring Vpro settings. This includes the TCP/IP settings for the virtualised network interface card (NIC), allowing the computer network access early in the boot process. The MEBx is accessed by pressing Ctrl-P at boot time.

SMS – Microsoft Systems Management Server

Vpro – Intel’s advanced remote desktop maintenance technology.

WiMAX – Worldwide Interoperability for Microwave Access, a new open wireless broadband standard being championed by Intel.


Setting up a Virtual Private Network (VPN)

Why do so many network administrators trip over the humble VPN? Steve Cassidy goes in-depth.
The devil inside hardware VPNs
I can’t think of a single area of computing that’s as nasty as the VPN for wrong-footing well-intended technical managers. This lamentable state of affairs was highlighted recently by someone who asked the charmingly simple question: “Where do I look for materials to help me set up my first VPN?” The standard answer that many technical authority figures like to wield to avoid being bothered by troublesome newbies is “off with you, read the relevant design documents and all will be revealed”, thus condemning the unsuspecting implementer to burial beneath a documentation tonnage equivalent to around half-a-dozen PhD theses.
Most design documents that relate to establishing a robust VPN don’t concern themselves with finding a good supplier, getting the right Internet connection or diligently training your users. In fact, they’re all about the strengths and weaknesses of various encryption algorithms, and in-depth critiques of VPN technologies that lie just around the corner, which never deliver any verdict on what we have available today.
I can now spot these simple souls, honest tradesmen with a basic job to do, who’ve been forced to negotiate this nightmarish combat zone. I was once stopped by a senior man at one of my client’s offices and asked whether the VPN I’d just put in for him “used IPSec”, as if this were some brand of petrol he’d prefer to have in his car.

The multi-talented ‘firewall’
Let’s get this canard out of the way as quickly as possible – yes, the boxes that operate VPN tunnels between sites are also called “firewalls”, but there’s nothing about the other jobs a firewall can do that makes it inherently suitable as a builder of VPNs. It’s just that one particular gateway in every LAN tends to collect all traffic-related tasks, and firewalls tend not to be fully occupied by keeping people out, so they’ve naturally ended up as the place to do such work (with certain exceptions). No, it’s not obligatory that your web-traffic firewall must also be your VPN endpoint terminus firewall. No, a “personal firewall” software application doesn’t qualify, even though various software vendors have been striving to get into this business.

Hardware VPN components
So let’s look at your archetypal twin-site, twin-device VPN. What does it need to contain? Each endpoint – I’m going to use that term instead of “firewall” to focus on the VPN architectural aspect – has a collection of IP addresses, some that define its position inside your LAN and some that define its accessibility from the rest of the planet. Ideally, each location participating in a VPN would have a globally visible, static IP address, but this isn’t an ideal world and it’s quite likely that a standard consumer Internet access contract won’t give you one. Don’t try struggling with dynamic or unrouteable IP addresses at both endpoints of your VPN – that’s a recipe for disaster. Almost all the VPN projects I’ve set up (or rescued) required a change of ISP to get the services required to support the biggest endpoint job.

VPN configuration
Each endpoint also has a management interface, and the most common way to deliver this is via a little website that appears on the internal Ethernet port of the box in question. There are some boxes that are simpler and you set them up via Telnet; there are others that are more complex and build the configuration in a program running on your PC, then bulk-upload it to the endpoint box. Since these endpoints also act as firewalls, there are usually heavy limitations on these management interfaces. I won’t identify the client who bought some firewalls to make a VPN and sent them off to each branch still in their boxes, confident they could log in to configure them from their external interfaces across the net. Needless to say, if a firewall were to allow such access when it starts up, virginal and factory fresh, it would be compromised by malware in a matter of minutes.
Inside the management interface then, reached from a simple, clean PC located within your network, is where you set up the attributes of your new VPN. Astute readers will have spotted that if you set up the two endpoints fresh from their boxes, each one will start out with the same internal IP address, which means you inevitably have to change the IP address of each device while being logged into it at its old address. All endpoint devices and firewalls can cope with this perfectly well – you just have to be ready to change the IP address of the PC from which you’re accessing them to match, to remain within the subnet that the devices are prepared to converse with.
Once you have the same VPN parameters in both endpoints and you’ve configured the LAN and WAN sides of each device to match the LAN and WAN IP ranges in each site, you’re ready to ship one of the endpoint devices to the remote office that comprises the far end, and try your first baby steps to a two-location hardware VPN.
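A pre-flight check for the two-endpoint design above, written as an added example for this article (it is not from any endpoint vendor’s software). It encodes the three rules the text states: each endpoint’s WAN address must be globally routable, the two LAN ranges must not overlap (two boxes fresh from their cartons will both default to the same subnet), and the PC you configure from must sit inside the endpoint’s current LAN subnet. The site names and addresses are constructed placeholders. Whether an address is static or dynamic is not something the address itself reveals, so that still has to be confirmed with the ISP.

```python
"""Pre-flight sanity check for a two-site, two-endpoint VPN.

Added example for this article; not taken from any VPN product. Site names and
addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Endpoint:
    name: str
    wan: str       # address the far end will dial, e.g. "1.2.3.4"
    lan: str       # subnet behind this box, e.g. "192.168.10.0/24"
    mgmt_ip: str   # address of the PC you will configure the box from


def check_endpoint(ep: Endpoint) -> List[str]:
    """Problems with one endpoint: unroutable WAN address, or a management PC outside its LAN."""
    problems = []
    wan = ip_address(ep.wan)
    lan = ip_network(ep.lan)          # strict: host bits set in 'lan' is itself a config error
    mgmt = ip_address(ep.mgmt_ip)
    # RFC 1918, link-local, loopback and documentation ranges all have is_global == False:
    # the far endpoint cannot initiate a tunnel to such an address.
    if not wan.is_global:
        problems.append(f"{ep.name}: WAN address {wan} is not globally routable")
    # The box only answers its management web page from inside its own subnet, so the
    # PC must be re-addressed into that subnet before (and after) the LAN address changes.
    if mgmt not in lan:
        problems.append(f"{ep.name}: management PC {mgmt} is outside {lan}")
    return problems


def check_pair(a: Endpoint, b: Endpoint) -> List[str]:
    """Problems across the pair: overlapping LAN ranges or a shared WAN address."""
    problems = check_endpoint(a) + check_endpoint(b)
    lan_a, lan_b = ip_network(a.lan), ip_network(b.lan)
    # A tunnel routes between the two LANs; if they overlap, neither side can tell
    # local hosts from remote ones, so one site has to be renumbered first.
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN ranges {lan_a} and {lan_b} overlap; renumber one site")
    if ip_address(a.wan) == ip_address(b.wan):
        problems.append("both endpoints use the same WAN address")
    return problems


if __name__ == "__main__":
    # Two boxes straight from the carton, both still on the factory subnet, and a
    # branch whose ISP handed out a private (NAT) address: both faults are caught.
    hq = Endpoint("head office", "1.2.3.4", "192.168.1.0/24", "192.168.1.50")
    branch = Endpoint("branch", "10.20.30.40", "192.168.1.0/24", "192.168.1.50")
    for line in check_pair(hq, branch) or ["no problems found"]:
        print(line)
```

Run it before either box is shipped: an empty result means the addressing plan is at least self-consistent, and every line it does print is a change to make while both devices are still on the same bench.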

Software VPNs
On to my summary of software VPN network designs. This isn’t going to be simply a roll call of product designs, inventors, RFCs or IEEE standards subcommittee designations. We’re an awful long way from the cosy meeting rooms of those standards committees, stuck in a world in which the majority of home PCs already have a virus or trojan infection; where wireless networks that are alleged to be secured take five minutes to crack so long as traffic keeps moving through them; and where identity theft is rapidly becoming the most frequently encountered criminal intrusion into our lives. The global slowdown in passing through airports, plus what appears to be a steep increase in hotel-based working, has put pressure back on to implement software VPNs mounted on the user’s laptop, so let’s have a look at your options.

1. Software VPN client to hardware product
This is the method of choice for larger networks afflicted with roaming users. A dedicated gateway device receives connections across the Internet from machines set up with the matching software client, generally by the central networking support group of the big corporation in question. The methods of hand-shaking and authentication can be elaborate, verging on the paranoid. RADIUS is the buzzword here, which covers a whole universe of ways of verifying that the guy connecting from a software client really is “one of us”, and what the user sees happening at their end is nothing to the blitzkrieg of lookups, key exchanges, proxy configurations, licence checks, and access rights assignments that then ensue at the far end.

2. Software VPN client to software product
With most of these systems, the laptop user runs a small local utility that sets itself up with a local private Ethernet address and then makes a connection through the Internet (however that may be presented – wired, wireless or cellular) back to the office LAN. The actual difference is that the end point for that connection isn’t the firewall or router that forms the remote LAN’s border device: it’s actually a full remote server that runs the company’s normal server operating system, but with an extra service installed dedicated to the business of receiving calls from VPN clients. With the dedicated hardware option, it’s generally the case that one very smart gateway device handles all the work, but in this case the gateway simply hands traffic on to the server that then handles authenticating the remote user and spoofing their traffic, so that the rest of the LAN users think they’re talking to a local machine.
I hate this option, not because there’s anything wrong with the design in theory, but because of what actually happens in practice. This design is frequently chosen by middle-sized businesses, because their tech team doesn’t fancy scaling the learning curve of a dedicated hardware device, or because they’re religious about following the Microsoft One True Way. Most commonly, these guys look rather askance at the admittedly difficult-to-master Internet and firewall standards, and hence make use of as few features in their Internet gateway as they can get away with.

3. Software VPN client and single Small Business Server
Here, the notion that a server makes a good recipient for VPN traffic is pushed about as far as it’s possible to push it. In a small business (which I’d define as fewer than ten machines, although some truly boggling design documents on Microsoft’s site punt numbers like 100), so the story runs, it’s best to have every single job the company needs running inside one box. So you have – take a deep breath now – DHCP, DNS, AD, SQL, Exchange, ISA (Proxy), VPN and AV (anti-virus), file and print, and quite possibly a stunning OpenGL 3G screensaver, all hammering away at once, with all the LAN’s users dependent on every single one of those services (except perhaps the screensaver).
In one way, I absolutely love this design philosophy, because without it I wouldn’t have nearly so many clients, poor wretches who’ve fallen foul of one or another of these dodgy assumptions. But at another, less cynical level, I think it’s completely awful.

None of this has yet got around to talking about actual VPN products. You can always say with some degree of truth that all VPN client software does the same job: it tunnels through the net to shake hands with the exposed address of the gateway. But there’s a good deal of usability testing that you’ll need to undertake before you plump for any specific product. Systems that work well at home don’t always work so well for genuine roaming users.
As I’ve mentioned in the past about hardware-mediated VPNs, so far nobody has come up with a VPN client that knows how to preserve the integrity of a file you’ve opened for editing remotely, without the protection afforded by Terminal Services or Citrix Metaframe. Beware the creeping budget-buster – that sudden, horrid realisation that your “remote working project” needs a whole new technology platform to actually operate safely, over and above a VPN pipeline and some laptops – which has scuppered many a hopeful project manager.
Common DNS pitfalls explained
The fault tolerance that founding fathers like Vint Cerf built into the Internet has the unfortunate side-effect of allowing small businesses to run Windows 2000 Server networks with broken DNS definitions. They can’t migrate up to Server 2003 with such a broken system, as all manner of things will fail to complete properly during the upgrade or, more peculiarly, the old network will continue to run even when it has no right to be doing so, according to the documentation.
In one case I saw recently, a Windows 2000 network was running – and doing so quite nicely – with an external domain name as its internal zone. This meant that every time a workstation tried to start up and make itself known to the internal Active Directory and Domain Name Server, it instead spotted the (correct) record for that domain in the cache, pointing outside at the company’s website host. Which in this case is dormant, so little happens except that a bunch of traffic hits it, possibly to the extreme puzzlement of the domain administrator of the server in question.
Inside the network, however, the impact is rather subtle: whenever a client PC or registered server logs in, Active Directory will update the relevant records in the DNS for that domain, and that means both the zone we all tend to think about, the one that translates names to IP addresses, and the one that almost nobody brave enough to hold forth on the topic at all talks about, the one that takes an IP address as an input and returns the machine name of the device claiming that address.
This is the reverse lookup zone, and if yours isn’t tidy and well kept – preferably using various bodges in Microsoft’s approach to Vint’s original architecture – then, while you may get away with it under the lazy behaviour of various functions in Windows 2000, you certainly won’t see a smooth transition to Server 2003. When working out conversations with existing Domain Controllers and targets for promoting and demoting servers, various wizards and setup routines like to be able to query the DNS to discover everything they need to know to reach other servers on the network, and any problem concerning choices of domain names, or servers that present overlapping records, will bring your operating system upgrading exercise to a grinding halt.
So how can you tell before you start that you might have a problem? Unfortunately, it appears that all the good diagnostic tools live in Windows XP and Server 2003, which is where you’re trying to go, not where you are: DNSDiag, NETDiag and their friends may only run from the command line (which for old VAX/VMS hacks like me represents a real step back in time to utilities with 20 different verbs and 30 switches per verb), but at least they’re there in the newer operating systems, if not in the one you’re trying to replace. However, you can get a couple of easy indications from the simplest tools in the TCP/IP toolkit. Equipped with just ping and nslookup, you can tell whether your DNS is worth persisting with, or whether you’re better off starting from scratch.

1. Ping
Ping is a faithful old command-line tool present in every operating system. Open a Command Prompt window and (assuming your server is called “myserver”) type “ping myserver”. You’ll see something like “reply from 10.0.0.1”, because the ping utility has first looked up the name you entered in DNS, then pinged the address it retrieved. Now type “ping 10.0.0.1” (substituting the address actually returned for your server). Does ping correctly name the machine, in brackets, after those numbers? If it doesn’t, you most likely don’t have your reverse lookup zone properly configured.

2. Nslookup
This is only scraping the surface of what can be done with this utility, and I can hear the big-iron networking guys flexing the elastic on their catapults for even mentioning it, but the syntax of nslookup is appealingly simple for the purposes of a small network test. In a command window, type “nslookup” and press Enter, and you’ll see an empty > prompt. Nslookup should tell you the name of your default server as soon as it starts and, if it can’t, then again your reverse lookup zone is incorrectly built. Either way, at the > prompt just type “server” and nslookup will tell you the address at which the server is found. Type this address back in and you should get the name associated with that address. (To quit the nslookup interface, type “exit”.)
If you don’t see either of those behaviours, your DNS is broken, and many network operations that should complete in the blink of an eye will be subject to two-to-four-second delays, which doesn’t seem like a big deal the first time you experience them, but become amazingly frustrating when repeated several hundred times a day, for every PC in your network, day in, day out.
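The same two checks as a script, added here as an example for this article rather than any Microsoft tool. It automates the ping and nslookup round trip (name to address to name) for a list of servers, and it also flags the trap described earlier, an external domain name reused as the internal AD zone, by checking that the zone apex resolves somewhere inside the LAN rather than at the public web host. The lookup functions are injectable, so the check can be run against constructed records as well as the live OS resolver; the host names, addresses and subnet below are constructed.

```python
"""Forward/reverse DNS round-trip check for a small Windows/AD network.

Added example for this article, not a Microsoft tool. Sample names, addresses
and the LAN subnet are constructed.
"""
import socket
import sys
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]   # returns None when there is no record


def live_forward(name: str) -> Optional[str]:
    """A-record lookup through the OS resolver (what 'ping name' does first)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(addr: str) -> Optional[str]:
    """PTR lookup through the OS resolver (what puts the name in brackets in ping's output)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def round_trip(name: str, fwd: Resolver, rev: Resolver) -> Tuple[str, str]:
    """Classify one host as 'ok', 'no-forward', 'no-reverse' or 'mismatch'."""
    addr = fwd(name)
    if addr is None:
        return "no-forward", f"{name}: no A record"
    back = rev(addr)
    if back is None:
        return "no-reverse", f"{name} -> {addr}: no PTR record (reverse zone missing or stale)"
    # Compare host labels only, so 'dc1' and 'dc1.example.com' count as the same box.
    if back.split(".")[0].lower() != name.split(".")[0].lower():
        return "mismatch", f"{name} -> {addr} -> {back}: PTR names a different host"
    return "ok", f"{name} -> {addr} -> {back}"


def check_network(ad_zone: str, hosts: List[str], lan: str,
                  fwd: Resolver = live_forward, rev: Resolver = live_reverse) -> List[str]:
    """Return a list of problems; an empty list means the DNS is worth persisting with."""
    problems = []
    # Domain members resolve the bare zone name to locate a domain controller. If that
    # answer lies outside the LAN, the zone name belongs to the public website, not to AD.
    apex = fwd(ad_zone)
    if apex is not None and ip_address(apex) not in ip_network(lan):
        problems.append(f"zone apex {ad_zone} resolves to {apex}, outside {lan}: "
                        "clients will look for a domain controller at the public web host")
    for host in hosts:
        status, detail = round_trip(host, fwd, rev)
        if status != "ok":
            problems.append(detail)
    return problems


# Constructed records for a broken network: the AD zone reuses the company's public
# domain, and the file server was never given a PTR record.
SAMPLE_A = {"example.com": "1.2.3.4",          # public web host (constructed address)
            "dc1.example.com": "10.0.0.1",
            "fs1.example.com": "10.0.0.2"}
SAMPLE_PTR = {"10.0.0.1": "dc1.example.com"}

if __name__ == "__main__":
    if len(sys.argv) > 3:   # usage: dnscheck.py <ad zone> <lan cidr> host [host ...]
        findings = check_network(sys.argv[1], sys.argv[3:], sys.argv[2])
    else:
        findings = check_network("example.com", ["dc1.example.com", "fs1.example.com"],
                                 "10.0.0.0/8", SAMPLE_A.get, SAMPLE_PTR.get)
    for line in findings or ["DNS round-trips cleanly"]:
        print(line)
```

Run with no arguments it reports on the constructed records (the misplaced zone apex and the missing PTR for fs1); given a zone name, LAN range and server names on the command line it asks the OS resolver instead, which is exactly the cache and server the article’s workstations are consulting.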
Choosing the right email infrastructure

The way people think about email has always left me deeply puzzled. There seems to be a multiplicity of “tribes” who have unchanging and unchallengeable views about email infrastructure, but no real idea why they settled in one group or another. See if you recognise yourself in any of these tribal descriptions:
1. The Pack Rat
The person who uses email as a structured store for the unstructured thinker, squirrelling away gigabytes of junk in hidden files, deep in the boot drive of the typical home PC. Nearly always, such systems are just waiting for No-I-don’t-have-a-backup Day and that mortally wounded look that every small-systems support person knows and dreads. Sadly, this species is not confined to the home – small-to-medium businesses harbour many people working this way too, with the attendant nightmares as soon as the PC goes down.

2. The Massive Corporate
A 100,000 seat wide-area network where a 50MB mailbox is the norm and a 100MB one a privilege. Unlike the Pack Rats, these users will be very tightly tied to one another via centralised contact lists, shared diaries and automatic scheduling, but they can’t alter a single setting – either in the software or their position within that massive corporate structure – without a week of exchanging (paper!) memos to requisition a redesign. Frequently, a virus that enters such a network through the corporate-maintained IT department anti-virus scanner will result in the disciplining or firing of the user that receives it – a fine logic now only to be found in corporate IT since the demise of the late Roman and Mongol empires.

3. The Giant Academic (or its imitator)
These environments talk about standards a great deal as an easy way of hiding their lack of ability to manage change or research alternatives. Many of them make it a virtue to run a variety of clients, or to allow end users to hook up to a core service backbone with whatever they’ve got, treating the central mail hub as if the first half of “store and forward” meant nothing. Having fared pretty well back in the early days of email, this kind of site is now in deep trouble, finding it very hard to enforce anti-virus measures and not holding any central store of the traffic it passes on to the users.
This is mostly because they’re such large institutions that the contributing divisions can’t figure out how to club together to sensibly purchase a central resource (and their networks are overflowing with virus and trojan traffic).

4. The Virtual Company
These tend to be very young companies, both in terms of corporate lifetime and staff. The office system looks like a loose collection of this year’s coolest laptops, with an open wireless base station and a printer, and that’s it. There’s no centralised information gathering at all – everyone either has a POP account on the server that holds the company’s website (which is in perpetual redesign), or uses Gmail accounts handed out by the core staff of the company. Very little information moves by email internally, because this type of firm is also deeply addicted to instant messaging, mainly because the staff imagine they can thereby avoid having their words recorded in any way. The main issue facing such firms is that staff appear far more concerned with their own personal careers than with expanding the company – the lack of a central repository of checkable mail and the culture of just throwing around one-line messages and SMSes acts as a natural brake on growth. People retain customers and suppliers as personal contacts, so that on leaving their contacts leave with them, because there’s no record other than a bunch of IM messages “somewhere out there”.

5. Custom Workflow Cultists
These guys have taken a message-passing platform and built a customised workflow system on top of it. Like most custom builds, it tends to take over the entire purpose of the system, so that while the activity the workflow controls gets served very well, all other uses for email tend to shrivel and die because “we don’t have the system for that”. Curiously, this is the closest thing to a crossover between tribes, because a lot of these operations (especially tech support and sales operations working via the net) often adopt IM software as in scenario 4, to get out from under the remorselessness of their fully developed workflow and email “solution”.
These tribes are easy to distinguish because they never look over the fence at one another, and all of them swear blind that their use of the same basic technology – the email client – is the only possible way to work and the only true path for their type of business. As Microsoft found when trying to wean people off Outlook 98, there’s nothing like an email program to uncover just exactly how far inside people’s heads your product has penetrated.

Should you go Gigabit?
The promise of a quantum leap in network performance is matched with a considerable price increase. Is Gigabit Ethernet right for you?

Do you find that many SMB customers are rolling out Gigabit networks?

Graeme Reardon: More and more so. The takeup of Gigabit Ethernet (GE) networks has now overtaken Fast Ethernet (FE), and the price per port is now so low that it makes good sense for SMBs to move to Gigabit networking equipment for their infrastructure needs.

What kinds of businesses are rolling out Gigabit Ethernet?

GR: Just about all small businesses, for the reasons above and below.

What kind of problems will going Gigabit ideally solve?

GR: On moving to a Gigabit based network, the SMB will immediately see faster file retrieval from across the network as well as much faster backups to NAS and storage devices on the network. In some instances, faster application opening times will be seen, and for those SMBs using a dumb client / smart server based setup, appreciable differences will be noticed.

What are the advantages of going Gigabit in an SMB environment?

GR: Apart from the above, with the vast amounts of digital media and applications now in the office (scans of paperwork, invoices, documentation, images, drawings, sketches and schematics, diagrams, receipts, email files and backups) and with these files getting continuously larger, it makes sense for an SMB to begin their new office infrastructure with a GE solution. Combining these traditional office requirements with 'newer' applications such as VoIP, network faxing, network scanning and so on, having a Gigabit solution within the SMB premises eliminates bottlenecks across the entire network. One of the other advantages (whilst not necessarily specific to Gigabit) is the option of Power over Ethernet (PoE) which is very useful in deploying peripheral devices such as IP Phone handsets without the need for multiple and separate power supplies for each handset. All the power for the device is supplied over the Ethernet cable from the switch.

Are there special considerations that IT personnel should be aware of in deploying a Gigabit infrastructure?

GR: It really depends on the requirements of the SMB. Small offices sometimes simply need an Unmanaged GE infrastructure to help eliminate current bandwidth bottlenecks, in particular in the backbone of the office network. That being said, more and more SMBs are taking advantage of applications such as VoIP, hosted voice solutions and video solutions, and these applications demand some level of prioritisation, management or monitoring. In these cases, then a managed switch will meet their needs. Where this is required, some thought needs to go into the planning, design, and topology requirements for the network, as well as the VAR (Value-Added Reseller) having the necessary training and expertise in actually configuring and optimising the network to effectively manage these applications and solve the SMB's problems. Smart solutions, such as the Linksys One communications platform, actually prioritise and manage data, voice and video seamlessly in a plug and play fashion.

What kind of cabling is ideal for delivering Gigabit Ethernet to the desktop? Is Cat-5 sufficient?

GR: Cat-5e is the base requirement for a GE network.

For the future, what lies beyond Gigabit Ethernet, and will we see faster technologies in the consumer/SMB space anytime soon?

GR: Linksys believes that a combination of media, including Ethernet and Wireless technologies are what SMB customers need to solve their business requirements. Gigabit across the backbone and to the desktop makes a lot of sense in a fixed environment, but more and more uses for wireless are now available, from cafes with handheld wireless devices, to wireless meeting rooms enabling teams to collaborate effectively.

This article appeared in the September 2007 issue of PC Authority.