Network Performance
University switches IPS
Campus-wide network overhaul replaces
aging switching and security systems.

“We wanted a high-availability
infrastructure that would support data,
voice and video applications, new IP
services and a wireless canopy.”
Howard University–a research-oriented
college in Washington, D.C.–has a propensity
for embracing new technology. The
140-year-old private university was a higher
education leader with its campus-wide FDDI
network and distributed Internet connections
in 1992 (HUNet1). Its innovation continued
with the adoption of the Mosaic browser in
1994 and dormitory Ethernet multimedia
connectivity in 1999 (HUNet2).
By 2003, Howard was ready for widespread
campus technology that would enable a
collaborative culture and navigate the
university past a period of frequent network
failures and islands of LANs. The network
connected 72 buildings on the main campus
and eight off-site buildings, and it had
evolved into a mismatched jumble of
components. The university’s campus-wide
fiber-optic network, Internet connections,
and Microsoft Outlook and Exchange Server
e-mail system availability often were
unreliable; in response, academic
departments and students set up their own
LANs and wireless access points. A shortage
of campus network storage limited e-mail
accounts to 25 MB.
Howard’s network was also vulnerable to
security attacks–more than 90 percent of
them caused by students’ peer-to-peer
downloads and internal hackers who exploited
an outdated, unsupported Microsoft Exchange
environment. Network authentication was also
based on software that was two generations
behind current corporate standards.
Howard chose advanced 3Com security and
switching solutions to increase the
availability of networked applications,
reduce complexity and associated cost, and
produce fast return on investment. Within
two weeks of the 3Com intrusion-prevention
system (IPS) deployment, the network’s
performance and availability improved
dramatically, according to John Shettel,
HUNet3 project manager.
The university needed to recalibrate the
network and the user community’s
expectations to a higher level. The value
proposition of the new network would need to
align with the University President’s
Strategic Framework for Action (SFA)
planning document, and be the technology
catalyst for realizing SFA business and
academic objectives, including:
- Provide a network able to support
secure high-end research projects.
- Realize ubiquitous connectivity
through a campus-wide wireless canopy.
- Increase collaboration and linkages
with other universities.
- Join the Internet2 Consortium.
- Conduct more administrative and
student support operations over the
Internet.
"We must begin to see the campus network
as a strategic thread in the fabric of
teaching and learning," Shettel says. "The
network infrastructure must be a platform
for university-wide collaboration such as
messaging, conferencing and document sharing
among communities of interest."
Three community needs
Each of these communities–including
students, teaching assistants, faculty and
staff, as well as external members–has its
individual network requirements.
Researchers, for example, need support for
inter-university collaboration, management
of intellectual property rights, and network
applications for astronomy, biology,
engineering, pharmacy, physics and other
research.
"Even though a researcher, administrative
staff person and history student may all be
physically at the same location, the network
has to provide the researcher with much more
bandwidth," says Tyrone Boyd, associate
director of network services.
Howard’s 11,000 students need secure,
high-availability network connections,
whether they are in a classroom, computer
lab or residence hall. Because students come
to school each year with their own
communications and computing devices,
applications and Internet accounts, the
university network must integrate them,
secure the students’ connections and prevent
access to unauthorized resources. The
university’s existing network security
system–based on firewalls and
device-identity access–had been vulnerable
for years; illegal downloading and file
sharing were rampant.
To increase productivity, staff required
the support of high-availability connections
for networked applications. Howard
particularly wanted enough network capacity
to replace its old enterprise resource
planning (ERP) software with Web-based,
network-centric ERP applications.
"We wanted a consolidated,
high-availability campus network
infrastructure that would support data,
voice and video applications, new IP
services and a wireless canopy," says Boyd.
"It would have to create a secure
environment, using technologies such as
role-based access. It would take advantage
of our existing systems, such as SONET. And
we placed a premium on the cost of
ownership, operational flexibility and
simplicity."
After reviewing industry analysts’
reports and evaluating the best network
practices being used by other leading
universities and financial services
enterprises, Howard selected 3Com switching
and security solutions.
To achieve HUNet3’s mission, Siemens
designed a multi-tiered infrastructure: a
fiber-optic dense wavelength-division
multiplexing backbone; SONET ring core; a
gigabit and 10-gigabit core; distributed
LANs for applications access; a wireless
canopy with 3,000 access points; and
centralized management of the network and
its security core.
Two-phase deployment
Siemens was able to use network
solutions from a variety of vendors,
including products from Siemens, ADVA, EMC,
Juniper, Microsoft, Voyence and 3Com. The
interoperable, standards-based 3Com
solutions featured intrusion-prevention
systems and core, distribution and access
layer switches.
"We chose 3Com switches and security for
three major reasons: total cost of
ownership, enterprise reference
architectures and 3Com proven service and
support," Boyd says.
The deployment occurred in two phases,
the first focusing on the network core and
the second on the network edge. Phase one
included redesigning and upgrading six core
sites’ existing fiber connections, routers,
switches and security systems to increase
capacity and improve resiliency and control;
connecting strategic locations to support
mission-critical applications; and improving
network connectivity in four buildings that
account for substantial ERP data and
communications loads on the existing
network.
During phase one, the old and new
networks ran in parallel from the data
center. Phase two would complete the new
network infrastructure, cut it over to
connect Howard’s remaining 74 sites,
complete the migration of ERP application
servers and Microsoft identity management
and collaboration applications, install the
EMC storage network, and build the wireless
canopy.
In phase one, the university installed
the IPSs and two 3Com TippingPoint Security
Management System servers in the data
center, using a resilient configuration on
existing fiber-core segments. Monitoring of
the first week’s traffic through the IPS
revealed more than one million
denial-of-service (DoS) attacks thwarted.
When students returned to school for the
spring semester, the IPSs blocked them from
using peer-to-peer connections to illegally
download music. Howard had received 604
complaints from the Recording Industry
Association of America during the 2005-2006
academic year. After the IPS deployment, it
received just three.
DoS and buffer-overflow attacks were stopped
without the inline inspection degrading
network performance.
network performance. "The 3Com IPS
eliminated malware, which immediately
increased the whole campus network’s uptime
and availability," says Boyd.
The IPS also showed the IT team what
devices were on the network, and when
devices were removed or added. "We’re no
longer blindsided by someone installing an
access point in their office," says Boyd.
"Now there’s accountability."
The university had not planned to deploy
the IPSs until the end of phase one, but
changed course. "Seeing the powerful effects
within just two weeks, we brought the
investment forward and deployed the IPSs on
the entire legacy network," says Shettel.
Ten TippingPoint 2400E IPSs were installed
in resilient formats on segments coming into
the other five core sites, preventing
threats before they hit the core.
One-vendor approach
As part of the network design, Siemens
recommended Howard emphasize high
availability and scalability, and
standardize its switching infrastructure on
one vendor. The university needed the
flexibility to adjust and upgrade its
network to proactively address users’ needs,
and to have the bandwidth and performance to
carry the traffic from emerging
applications–without forklift upgrades.
Siemens recommended that Howard standardize
on a 3Com switching infrastructure.
Fourteen 3Com Switch 8800 modular
switches–four in the data center and two in
each of the other five core sites–were
deployed in phase one to establish resilient
10-gigabit switch connections in a full mesh
network. The 1.4-Tbps switch features dual
load-sharing switch fabrics that add
resiliency while doubling switch
performance.
For resilient distributed switching,
approximately 20 stackable 3Com 5500G Layer
2/3/4 gigabit switches were deployed in the
core, with about 100 more placed in other
campus buildings during phase two. The
scalable switch includes advanced security
features and uses 3Com XRN technology to
provide resiliency and single-entity
management control of up to 448 stacked
Gigabit Ethernet ports. Advanced Layer 3
routing–including OSPF, PIM-SM, PIM-DM and
RIP v1/v2–helps deliver optimal performance.
For secure, high-performance 10/100-Mbps
access layer (wire closet aggregation)
switching, about 75 3Com 5500 switches were
deployed in the initial ERP buildings;
hundreds more will be deployed during phase
two to the remaining buildings. The
stackable switch includes dynamic Layer 3
routing, rate-limiting features and Layer
2/3/4 quality of service for voice, data and
video applications.
When phase one deployments are complete,
the IT team will assume day-to-day control,
facilitated by a single operating system for
all the 3Com switches and use of a single
3Com Enterprise Management Suite SNMP
platform for edge-to-core visibility and
control.
"It takes us less than 90 minutes to
deploy a TippingPoint IPS," says Boyd. "And
each time 3Com releases a new Digital
Vaccine, we instantly install it. Even
without using the auto-update, it takes only
a few minutes." The servers offer Howard
centralized, comprehensive, yet simplified
monitoring, configuration, diagnostic and
reporting capabilities for all its IPS
devices.
Technology secures border
Linking the two sides of the Niagara Falls region,
the Niagara Falls Bridge Commission (NFBC)
is a joint U.S. and Canadian agency that
owns and operates three bridges that
traverse the Niagara River. The organization
is charged with keeping the Niagara Falls
bridges safe and ensuring that traffic flows
efficiently and unhindered between the two
countries.
Network security and traffic management
functions are overseen remotely from NFBC’s
operations center at the agency’s
administrative headquarters in Lewiston,
N.Y. From this center, NFBC management and
staff analyze information streaming in from
160 video cameras, 96 access-control points
and six U.S./Canadian customs plazas
distributed along the bridges.
Due to the critical nature of maintaining
unimpeded traffic along the U.S.-Canadian
border crossings, NFBC required a converged
network and security solution to automate
consolidation and interpretation of a wide
array of disparate data sources, such as
switch/router interface logs, user
activities, network traffic statistics,
log-in/log-out logs, host behaviors and
other systems.
The goal of this communications and
security solution was to cost-effectively
automate once-manual correlation efforts in
order to reduce the time to resolution of
both network and security incidents. "We
needed a network infrastructure capable of
supporting our intensive environment, but we
also wanted a network behavior-analysis
solution that would allow us to view
information about that network more
efficiently," explains Dave Woods, manager
of IT.
With a 10-Gigabit Ethernet network with
more than 500 nodes across seven locations,
the NFBC found that network management was
taking up more time and becoming more
complex. As the network grew, network and
host behavior anomalies became harder to
detect. The agency needed a solution to
ensure that its network securely supported
its high performance requirements.
Foundry Networks’ converged network
solution and Lancope’s StealthWatch Network
Behavior Analysis (NBA) software met each of
NFBC’s requirements. Foundry’s networking
and wireless hardware transports on-demand
data, voice and video throughout the
agency’s operations. Lancope’s StealthWatch
System integrates security awareness with
Foundry’s network infrastructure to reduce
network risks and maximize network
availability. This joint solution
identifies, prioritizes, mitigates and
resolves critical network and security
incidents and threats, regardless of
signature availability.
The joint solution includes: Foundry’s
sFlow-capable BigIron RX backbone switches,
sFlow-capable FastIron family of
power-over-Ethernet (PoE) switches,
IronPoint Mobility Series and IronView
Network Manager (INM); and Lancope’s
StealthWatch Xe for sFlow to collect and
analyze Foundry-sourced raw sFlow data,
StealthWatch Identity-1000 IP-to-ID
appliance to track user behavior, and
StealthWatch Management Console to correlate
network and security activity across
critical segments of NFBC’s network.
"Our Foundry network has delivered solid
performance and reliability for the agency
since day one," says Woods. "The Lancope
solution complements our investment in
Foundry by adding the visibility we need
into the network to ensure we continue to
meet our complex networking needs moving
forward."
StealthWatch provides immediate
notification of security issues, helpful
troubleshooting data, and detailed insight
into network, host and user problems. NFBC
uses StealthWatch as a monitoring and
troubleshooting solution that detects and
identifies problems with network users. It
also allows NFBC to keep track of transient
hosts, outside users and contractors dialing
into the network, and inside contractors
plugging in laptops or other devices.
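The correlation the article describes (sampled flow data from the switches, a baseline of normal host behavior, an IP-to-ID table from login events, and an alert raised without any attack signature) can be illustrated in a few dozen lines. The script below is an added example, not Lancope or Foundry code and not the actual sFlow wire format: it reads constructed, simplified flow records of the kind a collector would export after decoding sFlow samples, learns each host’s usual number of distinct peers from a baseline window, flags hosts whose peer count jumps in the current window (a sweep of one port across many hosts), and attributes each flagged address to a user from constructed login log lines, reporting "unknown" for a transient host with no login record. All addresses, user names, log formats and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# --- Constructed sample input (not real NFBC data) -----------------------
# Simplified flow records as a collector might export them after decoding
# sFlow samples: src_ip,dst_ip,dst_port,bytes. One line per sampled flow.
BASELINE_FLOWS = """\
10.1.4.20,10.1.9.5,445,1200
10.1.4.20,10.1.9.5,445,800
10.1.4.20,172.16.0.10,80,5300
10.1.4.21,172.16.0.10,80,4100
10.1.4.21,10.1.9.5,445,900
10.1.7.3,10.1.9.5,554,600
"""

# Current window: 10.1.4.21 now touches port 445 on eight hosts with tiny
# flows (a sweep); 10.1.8.50 is a transient host with no login record.
CURRENT_FLOWS = """\
10.1.4.20,10.1.9.5,445,1200
10.1.4.20,172.16.0.10,80,2000
10.1.4.21,10.1.9.1,445,60
10.1.4.21,10.1.9.2,445,60
10.1.4.21,10.1.9.3,445,60
10.1.4.21,10.1.9.4,445,60
10.1.4.21,10.1.9.5,445,60
10.1.4.21,10.1.9.6,445,60
10.1.4.21,10.1.9.7,445,60
10.1.4.21,10.1.9.8,445,60
10.1.7.3,10.1.9.5,554,700
10.1.8.50,172.16.0.10,80,300
"""

# Constructed login events in a hypothetical syslog-like format, the kind of
# record an IP-to-ID correlation uses to attach a user name to an address.
LOGIN_LOG = """\
2008-03-04T08:01:10 LOGIN user=jdoe ip=10.1.4.20
2008-03-04T08:05:42 LOGIN user=contractor7 ip=10.1.4.21
2008-03-04T09:12:00 LOGIN user=ops-cam ip=10.1.7.3
"""


def parse_flows(text):
    """Parse 'src,dst,port,bytes' lines into tuples; skip blank/comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, nbytes = line.split(",")
        flows.append((src, dst, int(port), int(nbytes)))
    return flows


def peer_profile(flows):
    """Per source host: (number of distinct (dst, port) peers, total bytes)."""
    peers = defaultdict(set)
    total = defaultdict(int)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        total[src] += nbytes
    return {src: (len(peers[src]), total[src]) for src in peers}


def ip_to_user(log_text):
    """Build an IP -> user table from login lines; a later login for the same
    address overwrites an earlier one (most recent owner wins)."""
    mapping = {}
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:] if "=" in f)
        if "user" in fields and "ip" in fields:
            mapping[fields["ip"]] = fields["user"]
    return mapping


def detect_anomalies(baseline_text, current_text, login_text,
                     factor=3.0, min_peers=5):
    """Flag hosts whose distinct-peer count in the current window exceeds
    `factor` times their baseline count (and at least `min_peers`), with no
    attack signature involved. Each alert carries the attributed user, or
    'unknown' for a host that never logged in (e.g. a transient device)."""
    baseline = peer_profile(parse_flows(baseline_text))
    current = peer_profile(parse_flows(current_text))
    users = ip_to_user(login_text)
    alerts = []
    for host, (peers, nbytes) in sorted(current.items()):
        expected = baseline.get(host, (0, 0))[0]
        if peers >= min_peers and peers > factor * max(expected, 1):
            alerts.append({"host": host, "user": users.get(host, "unknown"),
                           "peers": peers, "expected": expected,
                           "bytes": nbytes})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(BASELINE_FLOWS, CURRENT_FLOWS, LOGIN_LOG):
        print(f"{a['host']} ({a['user']}): {a['peers']} peers vs baseline "
              f"{a['expected']}, {a['bytes']} bytes sampled")
```

Run as-is it reports only 10.1.4.21, attributed to contractor7, with eight peers against a baseline of two. The `min_peers` floor keeps a host that goes from one peer to four from alerting, and the `factor` ratio keeps a busy server with a naturally large peer set from alerting merely because it is busy; both are tuning knobs a practitioner would set from observed traffic rather than the values assumed here.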
From within the operations center,
management and staff are able to analyze the
information from numerous PoE IP video and
CCTV cameras and secure wireless access
points placed at strategic locations along
the bridges, as well as at the U.S. and
Canadian customs plazas and the NFBC’s
headquarters. The information from the
cameras is sent through Foundry’s network
infrastructure and is used to monitor
traffic in each lane, and locate traffic
accidents and any unusual activities or
incidents remotely.