Lean On Me I.T.

Small Business Network Equipment Fundamentals

Why you should care about your business network

Networks are often overlooked in a small business. You may be limited by your budget, not understand enough about networking to justify the investment, or simply believe that what you have in place today is sufficient and gets the job done. No matter your situation, even if you’re a one-person operation with a single PC, this article applies to you and it is worth evaluating your network setup.

Your network is the gateway to the internet and may be what connects you to things like your office printer, file server or smart devices like your thermostat. Your network equipment plays traffic cop, ensuring every device can negotiate the proper connection, and it can play a significant role in keeping you safe from modern cyber threats. If your equipment or configuration is not adequate, you may find that you’re not able to take full advantage of the internet speeds you pay for, lose connection randomly, experience slow file transfers and more. When it comes to cyber security, most people are familiar with anti-virus software on their PC, but AV software is reactive: by the time it responds, the threat is already on your PC and the software is trying to subdue it. Not all network equipment is created equal; in fact many firewalls don’t offer any modern threat protection. By implementing a network firewall with active threat protection, you can stop threats before they reach your devices.

Reviewing Common Design Challenges

Using the ISP (Internet Service Provider) equipment for everything

When you sign up for internet service, most small business plans will come with all-in-one equipment. This may be one or two devices, depending on the provider, that include your modem, firewall/router & WiFi.  

The first concern with this type of setup, regardless of your size or type of business, is that it does not provide any cyber security protection. In most cases the equipment is devoid of any firewall at all. When this all-in-one equipment does include a firewall, it is very limited, focusing only on blocking a small number of ports. This type of firewall is known as a traditional firewall and is not capable of stopping viruses/malware or keeping you safe from harmful websites.

The most common challenge we see has to do with the number of devices this all-in-one equipment can support. In most cases, the router in this equipment is only capable of supporting traffic from 10-20 devices. If you’re a small operation, 10-20 devices may sound like a lot, but you’d be surprised how quickly devices add up. For instance, one person could have their PC, desk phone, cell phone and smart watch all connected. Combine this with any office equipment like a printer, file server or smart devices and you could be over that threshold in no time.

How devices connect can be another common challenge with this type of configuration. These all-in-one devices generally have four ethernet ports on the back, but they don’t offer other features commonly needed by business equipment like PoE (power over ethernet) or traffic shaping/QoS (the ability to give priority to a device or service, like your phone system). The other potential challenge relates to WiFi: since the WiFi antenna is built in, where you place the equipment and how large your office is can affect the quality of WiFi you receive.

Using a consumer router and/or switches

When a business begins to have challenges with the all-in-one equipment provided by their internet provider, the next common move is to go to Best Buy and purchase a new router or network switch.  

Purchasing a consumer router will often result in the same challenges as using the ISP equipment, with minimal improvement in a couple of key areas. These devices will not add any additional security, offering only traditional firewall settings. Depending on the router model selected, you may see an improvement in the number of devices it can successfully support. Higher end solutions like the Eero Pro 6 boast support for 75+ devices, however this is theoretical. In reality the best consumer device will often begin to bog down around 25-30 devices. Finally, you will still have ethernet port limitations and WiFi signal limitations. If you looked up the Eeros mentioned above you may be wondering if that would solve your WiFi issue. Although great in theory, mesh systems like the Eeros are hit or miss. The way mesh works is that one device broadcasts the signal, then each additional device has to pick it up and rebroadcast it. The further apart they are, the weaker the signal and the slower your speeds will be. To have a reliable experience and keep your WiFi speeds, mesh systems end up needing to be so close together that you lose the benefits.

When you need more ethernet ports, you may look to purchase a cheap network switch. A network switch is effectively an ethernet splitter, however business network switches offer important features that cheaper consumer switches do not. The most popular option in the consumer space is the blue Netgear switch. This line of switches has somehow become the most well-known and widely available type of switch. Additionally, they are dirt cheap: you can often get a 5 port Netgear switch for $15-$20 at Best Buy or Amazon. The challenge with a consumer switch is that there is very little to no intelligence built into it. In a business network, we generally prefer to set up independent virtual networks for employees, guests and your phone system. These consumer switches do not support these virtual networks. When it comes to your phone system, these switches often do not support PoE to power devices like desk phones. Business switches also offer other intelligent features and remote management/insights, some of which we will cover later in this article.

Using outdated equipment

If your business has been around for a while, you may have already invested in a business network. However, a network is not something that you just set up and leave alone. It requires management and regular maintenance to ensure your users stay secure and everything works at peak efficiency. Over time, manufacturers will stop supporting a piece of equipment, deeming it EOL (End of Life), EOS (End of Support), or potentially other descriptions depending on the provider and the equipment. If your equipment is no longer able to receive patches/updates, you may be vulnerable to modern security threats, or your device may be unable to work with modern equipment/systems. Furthermore, if you experience an issue with your equipment you will no longer be able to get support from the manufacturer to solve the challenge.

Using inadequate equipment

Not all network equipment is created equal. Building the network around your business is important to ensure the best performance and security. Whether due to growth in your business or a bad network design, the most common issue I see with inadequate business network equipment relates to the firewall. Selecting a firewall requires many considerations, but when it comes to sizing the biggest factors are your internet speed and the number of devices on your network. I can’t tell you how many times I have worked with clients that had 500Mbps+ internet bandwidth through their ISP, but their firewall was only able to support 200Mbps or less. It’s just as common to see an office running a firewall built for 50 devices when they have close to 100.

Designing your business network

Manufacturers

This is an area where, no matter what stance you take, someone will disagree. At Lean On Me I.T. we are vendor agnostic and believe that the best solution for a business may not always come from the same manufacturer; it’s ok to have a mix of manufacturers to build the best overall network. If you meet with other IT professionals or dig into the world of networking online you’ll find that people tend to hold very strong opinions one way or the other about each vendor. The list below is not complete, but it does make up the large majority of equipment suited for a small business.

Meraki: Meraki is a line of equipment from Cisco and is one of the most well-known manufacturers out there. They have great equipment, however it’s pricey and often recommended without properly considering other options. Meraki does require a license for each piece of equipment you deploy, and that license must be maintained for your equipment to function. You should also be aware that recommendations for Meraki are often made not because it’s the best option for you, but because it’s the only option the IT professional you’re talking to offers. Cisco is the only ecosystem taught in many tech schools these days, especially here in Central TX. This leaves students coming out of school with no knowledge of any other system, and therefore they recommend and sell Cisco. Additionally, to sell Cisco/Meraki, you must be a Cisco partner. When you become a partner you are given a sales goal that must be maintained. This causes many IT professionals to exclude other manufacturers from their portfolio in an attempt to consistently meet that minimum requirement from Cisco.

Ubiquiti: Ubiquiti may be both the most loved and most hated vendor in the small business network space. I personally think they have a great line of network equipment when used in the right circumstance. The firewalls are low cost and, although they do not offer Next Gen threat protection, they are well suited for offices with fewer than five employees. Their network switches and wireless access points are very solid and have proven themselves time and time again when configured correctly. In addition to network equipment, Ubiquiti has branched out to other areas including camera systems and access control, which people have strong feelings about. Their network equipment is targeted at ultra small businesses and the prosumer, which means it is common for those with limited to no network training to attempt configuring the equipment on their own. I believe that Ubiquiti gets a lot of bad press because of this. When configured by a network professional, the only challenges are equipment availability and their warranty/support.

Aruba: Aruba is an HP company known for their enterprise network equipment, with Cisco serving as their largest competitor. Interested in the small business space, Aruba released their Instant On line, which is designed specifically to compete with Ubiquiti. Similar to Ubiquiti, the biggest challenge since COVID has been availability of equipment. When available, I now select Aruba Instant On over Ubiquiti. The cost and technical capabilities are very similar and in most cases will serve businesses equally, however Aruba offers a lifetime warranty on their equipment versus Ubiquiti’s one year. Additionally, as an Aruba partner I have direct access to support at multiple levels, which cannot be said for Ubiquiti. During initial development of the Instant On management system, Aruba even put me in touch with their product development team to provide feedback and recommendations. Within six months of that discussion my recommendations were a reality. That service and response to a small business’s recommendations cannot be said for any other network vendor.

Fortinet: Fortinet is my most common go-to choice for a network firewall. Although Fortinet also offers switches and wireless access points, I generally stick with Aruba and Ubiquiti in those areas due to the cost/feature benefit. Fortinet’s firewalls are known as FortiGates. In order to get the full benefit out of a FortiGate firewall a license is required, however this differs from Meraki: if your license lapses, your hardware will still function, you will just lose the features covered by the license. The key purpose/benefit of the FortiGate license is that it enables “Next-Generation” threat protection. This allows your network firewall to protect you from viruses/malware as well as unsafe or questionable websites.

Firewall Selection

The firewall is the workhorse of your network and one of the most important pieces of the puzzle.  Just be ready as this will likely be the most costly part of your new network as well.  Here are some of the key questions or features to consider and look for in a firewall.

Traditional vs Next-Generation: We covered this some above, but it basically comes down to the type of security your firewall uses. A traditional firewall is your old standard, allowing you to block or allow specific network ports but offering little to no intelligent threat protection. The benefit of this style is that they cost less and generally do not require any licensing. A Next-Generation firewall (NGFW) will require a license and uses artificial intelligence (AI), machine learning and/or a global repository to decide whether or not network traffic is safe. These types of firewalls check the SSL certificates, DNS and content relating to traffic passing through your network. As an example, let’s say your user is searching for information on Google and clicks a link to a site that is not safe: your firewall can identify the threat, stop the user from accessing the site and warn them of the threat. Cyber threats are more prevalent than ever and on the rise. Furthermore, most threats today are not targeted, meaning you could be at risk no matter your business industry or size. I recommend all businesses implement a Next-Generation firewall.
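To make that difference concrete, here is an added example in Python (not code from Lean On Me I.T. or from any firewall vendor) that models the two policy styles side by side. The port policy, the domain category feed and every domain name in it are constructed for the demonstration; a real NGFW gets its categories from the vendor’s licensed feed. The traditional policy sees only protocol and port, so a connection to a known-bad site on port 443 looks identical to one to a legitimate site. The next-generation policy applies the same port rules first and then checks the server name it observed (TLS SNI or HTTP Host) against the category feed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    """One outbound connection as seen at the firewall."""
    protocol: str
    dst_port: int
    server_name: Optional[str] = None   # TLS SNI or HTTP Host header, if the firewall saw one


# Traditional policy: a handful of allowed (protocol, port) pairs, everything else denied.
# Constructed for this example.
PORT_POLICY = {
    ("tcp", 80): "allow",
    ("tcp", 443): "allow",
    ("udp", 53): "allow",
}

# Constructed stand-in for a vendor's web-filter / reputation feed (hypothetical names).
CATEGORY_FEED = {
    "www.example.com": "business",
    "bad.example.net": "malware",
    "login-verify.example.org": "phishing",
}
BLOCKED_CATEGORIES = {"malware", "phishing"}


def traditional_firewall(flow: Flow) -> str:
    """Port-based decision only: the destination name and content are never consulted."""
    return PORT_POLICY.get((flow.protocol, flow.dst_port), "deny")


def next_gen_firewall(flow: Flow) -> Tuple[str, str]:
    """Port policy first, then a web-filter lookup on the observed server name."""
    if traditional_firewall(flow) == "deny":
        return "deny", "port policy"
    if flow.server_name is None:
        # Nothing to categorise (e.g. a bare-IP connection). An operator may choose to deny these.
        return "allow", "no server name to inspect"
    category = CATEGORY_FEED.get(flow.server_name.lower(), "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return "deny", "web filter: " + category
    return "allow", "web filter: " + category


# Constructed sample traffic: a normal site, two bad sites on the same port, and an RDP attempt.
SAMPLE_FLOWS: List[Flow] = [
    Flow("tcp", 443, "www.example.com"),
    Flow("tcp", 443, "bad.example.net"),
    Flow("tcp", 443, "login-verify.example.org"),
    Flow("tcp", 3389, None),
]


def compare(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """Return (description, traditional action, NGFW action) for each flow."""
    rows = []
    for flow in flows:
        label = flow.server_name or f"{flow.protocol}/{flow.dst_port}"
        rows.append((label, traditional_firewall(flow), next_gen_firewall(flow)[0]))
    return rows


if __name__ == "__main__":
    for label, old, new in compare():
        print(f"{label:28} traditional={old:5}  next-gen={new}")
```

Run it and the two malicious names come back "allow" from the traditional policy and "deny" from the next-generation one, while the RDP attempt is denied by both. The "uncategorized" branch is the decision point that matters in practice: whether unknown sites are allowed, warned about or blocked is a policy choice the NGFW lets you make and a port filter cannot.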

Internet Bandwidth: Consider your internet speeds when selecting a firewall. If you are considering a NGFW, you’ll see several bandwidth limits listed; be sure to look at the speed supported when all security features are enabled. The last thing you want to do is throttle your internet speeds by selecting an undersized firewall.

Internal Network Speeds: Do you have resources on your network that users will need to access, like a file server? If so, you’ll want to consider those speeds as well, similar to the internet bandwidth speed. The most common goal for internal network speeds is 1Gbps, but it is possible to configure faster speeds in certain circumstances. Depending on the rest of your design, this traffic may or may not pass through the firewall, but if this is something you need, you’ll want to ensure your equipment can support it.

Number of devices: You’ll want to make sure the firewall you select can manage the number of devices in your office without getting bogged down.  You should also take into account any future growth over the next 3-5 years.

Static IPs: All firewalls should be compatible with a single static IP, however if you receive a block of IPs (usually in blocks of five), you will need to take that into consideration when selecting a firewall. Not all firewalls are capable of supporting multiple IPs.
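As an added illustration (not from the original article), this Python snippet uses the standard ipaddress module to show where a “block of five” comes from. It assumes the ISP delivers the block as a /29 subnet and keeps the first usable address for its own gateway, which is the usual arrangement but should be confirmed with your provider; the prefix 203.0.113.8/29 is a constructed example taken from the documentation address range.

```python
import ipaddress
from typing import Dict


def plan_static_block(cidr: str) -> Dict[str, object]:
    """Split an ISP-assigned static block into the addresses you actually get to use.

    Assumptions (confirm with your ISP):
      * the block is handed out as a proper subnet, so network and broadcast are unusable;
      * the ISP's gateway takes the first usable address.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError("block too small to hold an ISP gateway and a customer address")
    gateway, customer = hosts[0], hosts[1:]
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "isp_gateway": str(gateway),
        "customer_addresses": [str(a) for a in customer],
        # A firewall needs multi-IP (secondary WAN address) support only when more than
        # one customer address has to live on the same WAN interface.
        "needs_multi_ip_support": len(customer) > 1,
    }


if __name__ == "__main__":
    for cidr in ("203.0.113.8/29", "203.0.113.4/30"):   # constructed example blocks
        print(cidr, plan_static_block(cidr))
```

A /29 holds eight addresses; network and broadcast are lost, the ISP takes one for its gateway, and five remain for you. The /30 case shows the single-static-IP situation, where any firewall will do.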

Redundancy: Will you have a secondary internet circuit, or secondary power coming in? If so, you’ll need to take that into account. Not all firewalls can support a second WAN connection, and generally only higher end models will have a secondary power supply. You may also consider redundancy with a second firewall. If you configure two firewalls in HA (high availability), you can choose to have them work together and/or have the second serve as a failover option.

Rackmount: You’ll want to consider where you will put your firewall and if it needs to be rack mounted.  Most of the small business firewalls from Fortinet and Meraki are not built to be rack mounted natively, but there are rack mount kits available for them.

VPN: Do you need a VPN to allow users to connect to an on-site resource while out of the office, or to connect two branches together? Different firewalls support different types of VPNs. Generally your lower end firewalls will support L2TP while your NGFW and higher end traditional firewalls often support SSL VPN. In addition to the type of VPN, you’ll want to consider how you’ll manage VPN users. If you have an Active Directory server or use Azure AD, you could simplify the user experience by integrating your SSL VPN with these services, allowing users to log in with their existing credentials. Without this type of integration, you’d need to set up independent VPN users on the firewall.

QoS / Traffic Shaping: QoS (Quality of Service) or traffic shaping is a way to give priority to certain services or networks. The most common uses of this include giving priority to your phone system and limiting the bandwidth available to guests. By giving priority to your phone system, you ensure that someone streaming Spotify or watching a YouTube video doesn’t impact your call quality or cause dropped calls. Similarly, limiting your guests’ bandwidth ensures that your employees still have plenty of speed to do their jobs effectively. Although most business firewalls offer some form of these features, they are not all created equal. As an example, Ubiquiti’s UniFi firewalls have what they call Smart Queue, which saves some of your bandwidth for emergency use, but you are not given any control over how it is used. On the other end of the spectrum, Fortinet offers what they call Traffic Shaping, which allows you to fully customize policies for services, applications or virtual networks.
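The priority and guest-ceiling behaviour described above, as an added example that is not code from the article or from any firewall vendor: a Python simulation of one link carrying unit-sized packets from three VLANs (voice, employee, guest). All numbers are constructed (10 units per tick of link capacity, a 2-unit guest ceiling, and an arrival pattern in which a guest stream plus employee and phone traffic together exceed the link). The unshaped run models a firewall with no QoS, where whoever arrived first is served first; the shaped run gives voice strict priority, then employees, and lets guests use at most the ceiling.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed link model: 10 unit-sized packets per tick; guest VLAN capped at 2 per tick.
LINK_CAPACITY = 10
GUEST_CAP = 2
PRIORITY = ("voice", "employee", "guest")   # strict priority order when shaping

Arrivals = Dict[int, List[Tuple[str, int]]]   # tick -> [(class, packet count), ...] in arrival order


def simulate(arrivals: Arrivals, ticks: int, shaped: bool,
             capacity: int = LINK_CAPACITY, guest_cap: int = GUEST_CAP) -> Dict[str, Dict[str, int]]:
    """Run the link for `ticks` ticks; report per class how many packets were sent and the worst delay.

    shaped=False: one FIFO queue, first arrived first served (no QoS at all).
    shaped=True : per-class queues; voice first, then employee, then guest up to guest_cap per tick.
    """
    fifo = deque()
    per_class = {cls: deque() for cls in PRIORITY}
    stats = {cls: {"sent": 0, "max_delay": 0} for cls in PRIORITY}

    def send(cls: str, arrived: int, now: int) -> None:
        stats[cls]["sent"] += 1
        stats[cls]["max_delay"] = max(stats[cls]["max_delay"], now - arrived)

    for now in range(ticks):
        for cls, count in arrivals.get(now, []):
            for _ in range(count):
                if shaped:
                    per_class[cls].append(now)
                else:
                    fifo.append((cls, now))
        budget = capacity
        if not shaped:
            while fifo and budget > 0:
                cls, arrived = fifo.popleft()
                send(cls, arrived, now)
                budget -= 1
            continue
        for cls in PRIORITY:
            # the guest class is additionally held to its ceiling; the others may use what is left
            allowance = min(budget, guest_cap) if cls == "guest" else budget
            queue = per_class[cls]
            while queue and allowance > 0:
                send(cls, queue.popleft(), now)
                allowance -= 1
                budget -= 1
    return stats


# Constructed congestion: each tick a guest streams 8 units, employees send 4 and the phones
# send 2, totalling 14 on a 10-unit link. The guest stream happens to arrive first each tick.
ARRIVALS: Arrivals = {t: [("guest", 8), ("employee", 4), ("voice", 2)] for t in range(3)}


def compare(arrivals: Arrivals = ARRIVALS, ticks: int = 3):
    """(stats without shaping, stats with shaping) for the same traffic."""
    return simulate(arrivals, ticks, shaped=False), simulate(arrivals, ticks, shaped=True)


if __name__ == "__main__":
    unshaped, shaped = compare()
    for cls in PRIORITY:
        print(f"{cls:9} no-QoS: {unshaped[cls]}   QoS: {shaped[cls]}")
```

Without shaping, voice packets queue behind the guest stream and some are delayed a full tick (in a real phone system that is the jitter and dropped calls the article mentions). With shaping, every voice and employee packet goes out the tick it arrives and the guest stream is held to its ceiling. Note that the shaped run deliberately leaves some capacity idle rather than letting guests borrow it; a fully featured shaper such as the Fortinet one described above can express both a guaranteed and a maximum rate, so guests can borrow idle bandwidth without ever displacing voice.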

Switch Selection

At its simplest, a network switch provides ethernet connections for your office. Often the cables that run throughout your office to wall plates come back to a central point and connect to your network switch(es). Even in the smallest networks a network switch may be needed to properly route traffic or provide power to your devices.

Managed vs Unmanaged: Business network switches will always be managed. What this means is that there is an administrative interface for configuring switch ports and other settings. This is important to support VLANs (virtual networks) and to manage other settings like power. Most quality switches will offer the option for remote management, allowing you to access insights, make changes or receive alerts when you’re not at the office.

Layer 2 vs Layer 3: In small businesses you’re almost always going to use a layer 2 switch.  A layer 3 switch can do routing and IP assignments without having to send traffic through your firewall.  This is beneficial for offices that have a large number of network switches or require complex routing rules for their network because it shortens the path network traffic has to follow.  A layer 2 switch will identify the device and the assigned VLAN, then send the traffic to the firewall for routing.

Auto VLAN for Voice devices: This is a feature that even many IT professionals are not aware of, but for a small business it is a must have. Often a user’s workspace will only have one network drop, but they need to connect their desk phone and PC. Most desk phones allow passthrough, where you connect the phone to the wall jack, then connect your PC to the phone. This allows both devices to share the single ethernet jack. The challenge with typical VLAN assignments on a switch port is that it would then put the phone and PC on the same VLAN. In the firewall section we covered the idea of QoS/Traffic Shaping, where we give priority to the phone system. In order to accomplish this the phones need to be on their own VLAN. Enter Auto VLAN assignment for voice devices. Different manufacturers have different ways of configuring this, but the idea is the same across the board: the switch uses LLDP (Link Layer Discovery Protocol) to identify phones when they are connected and then places them on the proper VLAN automatically. Going back to our example, where the PC and phone are sharing the same connection, the PC will join the untagged (default) VLAN for that port, while the phone will be assigned to the Voice VLAN and take part in any QoS/Traffic Shaping policy you have set.
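Here is an added example (not from the article or from any switch vendor’s code) of the decision a switch makes for this feature, written in Python. It builds and parses IEEE 802.1AB LLDP TLVs and uses the Telephone bit of the System Capabilities TLV to choose the VLAN. Real switches usually rely on the richer LLDP-MED TLVs for the same purpose, so treat the TLV choice as a simplification; the VLAN numbers, MAC addresses and port names are constructed.

```python
import struct
from typing import List, Optional, Tuple

# Constructed VLAN numbers for the example port.
DATA_VLAN = 10    # untagged / default VLAN of the port (the PC lands here)
VOICE_VLAN = 20   # tagged voice VLAN (phones are moved here automatically)

# IEEE 802.1AB TLV types used here
TLV_END = 0
TLV_CHASSIS_ID = 1
TLV_PORT_ID = 2
TLV_TTL = 3
TLV_SYSTEM_CAPABILITIES = 7

# System Capabilities bitmap (IEEE 802.1AB): bit 2 = Bridge, bit 5 = Telephone, bit 7 = Station Only
CAP_BRIDGE = 0x0004
CAP_TELEPHONE = 0x0020
CAP_STATION_ONLY = 0x0080


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | (len(value) & 0x1FF)) + value


def parse_lldpdu(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the LLDPDU and return (type, value) pairs; raise on a truncated TLV."""
    tlvs = []
    i = 0
    while i + 2 <= len(data):
        header = struct.unpack("!H", data[i:i + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        i += 2
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV of type %d" % tlv_type)
        i += length
        tlvs.append((tlv_type, value))
        if tlv_type == TLV_END:
            break
    return tlvs


def enabled_capabilities(lldpdu: bytes) -> Optional[int]:
    """Return the neighbour's 'enabled capabilities' word, or None if it sent no such TLV."""
    for tlv_type, value in parse_lldpdu(lldpdu):
        if tlv_type == TLV_SYSTEM_CAPABILITIES and len(value) == 4:
            _supported, enabled = struct.unpack("!HH", value)
            return enabled
    return None


def assign_vlan(lldpdu: Optional[bytes]) -> int:
    """Voice VLAN if the neighbour announces itself as a telephone, otherwise the port's untagged VLAN."""
    if lldpdu is None:            # device sent no LLDP at all (typical for a PC)
        return DATA_VLAN
    caps = enabled_capabilities(lldpdu)
    if caps is not None and caps & CAP_TELEPHONE:
        return VOICE_VLAN
    return DATA_VLAN


def build_lldpdu(mac: bytes, port_name: bytes, capabilities: int) -> bytes:
    """Minimal valid LLDPDU: the three mandatory TLVs, System Capabilities, then End."""
    return (
        tlv(TLV_CHASSIS_ID, b"\x04" + mac)             # chassis ID subtype 4 = MAC address
        + tlv(TLV_PORT_ID, b"\x07" + port_name)        # port ID subtype 7 = locally assigned
        + tlv(TLV_TTL, struct.pack("!H", 120))
        + tlv(TLV_SYSTEM_CAPABILITIES, struct.pack("!HH", capabilities, capabilities))
        + tlv(TLV_END, b"")
    )


# Constructed neighbours: a desk phone (bridge + telephone) and a PC that happens to speak LLDP.
PHONE_LLDPDU = build_lldpdu(bytes.fromhex("001122aabbcc"), b"eth0", CAP_BRIDGE | CAP_TELEPHONE)
PC_LLDPDU = build_lldpdu(bytes.fromhex("00112233ddee"), b"eth0", CAP_STATION_ONLY)


if __name__ == "__main__":
    print("phone  ->", assign_vlan(PHONE_LLDPDU))
    print("pc     ->", assign_vlan(PC_LLDPDU))
    print("silent ->", assign_vlan(None))
```

The phone is placed on VLAN 20 and both the LLDP-speaking PC and a silent device stay on the untagged VLAN 10. One point worth keeping in mind when relying on this feature: LLDP is unauthenticated, so the classification is only as trustworthy as the device announcing it. The voice VLAN should therefore be firewalled like any other VLAN (reachable only by the phone system it needs) rather than treated as implicitly trusted.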

PoE (power over ethernet): PoE, or power over ethernet, is exactly what it sounds like: a standard that allows power to be supplied to devices over the ethernet cable so that you don’t have to use a separate power adapter. PoE is commonly used for wireless access points, desk telephones and surveillance cameras, but can be used for a wide array of other devices. There are different PoE standards, so when selecting your network switch you’ll need to ensure it is capable of supplying the correct PoE for your devices. One fun challenge is that each PoE standard can go by different names. The most common types of PoE these days are backwards compatible and are classified by their wattage output, however there is an older passive PoE standard still in use by many devices today that is not compatible with the others.

     PoE types:

    • 802.3af (802.3at Type 1): PoE
    • 802.3at Type 2: PoE+
    • 802.3bt Type 3: PoE++
    • 802.3bt Type 4: PoE++
    • 24V passive (not compatible with the standards above)

Additional ports: Many business network switches will have additional ports beyond the 1Gbps ethernet ports.  It is most common to have an SFP or SFP+ port, although some devices offer a 10Gbps ethernet port.  These ports, especially the SFP+ & 10Gbps ethernet, are great for connecting other switches together or for any devices that may need faster throughput to support traffic from multiple sources.

WiFi Selection

WiFi in a business network is provided by one or more wireless access points. These devices often mount to the ceiling with ethernet cables run back to your network switch. Access points (APs) can be placed wherever you need to fill in your wireless signal, ensuring your users/devices always maintain a strong connection.

Form factor: Although the most common form factor mounts to the ceiling, there are specialty models available that may suit your environment better.  One example is a wall mount style originally designed for hotel rooms. This style mounts to a common electrical box in the wall and often serves as a small network switch as well.  This gives a small broadcast pattern, providing WiFi for a single room, while also allowing a user to plug a device in via ethernet without requiring a second network drop.  Generally speaking, a ceiling mount AP will be the best option to avoid obstacles and offer the best signal across the widest area.

Wireless standard: WiFi standards are split into two core categories these days, WiFi 5 and WiFi 6. WiFi 6 supports faster speeds and uses less power doing so, so it is a no-brainer for any new deployments or upgrades.

Number of devices: You’ll want to consider how many devices may be connecting to a single AP at any given time. Most APs are designed to support 50-100 devices. If the device does not explicitly tell you how many devices it will support, you may see a spec of 2×2 or 4×4 MIMO. For more dense environments 4×4 MIMO will ensure you are able to support as many devices as possible, although most small businesses will be best suited with 2×2 MIMO.

Long Range APs: You’re bound to see APs that are classified as long range. This sounds like a great concept, as it would minimize the number of APs needed to accomplish full coverage. The challenge is that WiFi is two-way. Your devices have their own WiFi antenna in them that can only reach so far, meaning you may not see the benefit from a long range AP that you expected.

Placement: A lot of professionals will walk an office and decide where to place APs based on feeling and experience, however there are great tools out there for heat mapping and I recommend using them. These tools allow you to upload an image of your floorplan and estimate your WiFi coverage. Often these tools even let you draw your walls and other obstructions to get an idea of how they will affect the signal.

Closing thoughts

The proper combination and configuration of a network firewall, switch and access point(s) can help fortify your cyber security and increase overall efficiency and productivity in your office. Many small business owners are hesitant to invest the money in a properly designed network but not doing so could easily cost you more in the long run.  

Are you ready to upgrade your network? Email us at info@leanonmeit.com