1 / 194

ICT Technician’s Update Conference

ICT Technician’s Update Conference. 17 March 2008. Introduction. Penny Patterson. You Tube and Schools. Penny Patterson. Network Access Control. Steve Hanna Juniper Networks. Network Access Control for Education. By Steve Hanna, Distinguished Engineer, Juniper

sakina
Télécharger la présentation

ICT Technician’s Update Conference

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ICT Technician’s Update Conference 17 March 2008

  2. Introduction Penny Patterson

  3. You Tube and Schools Penny Patterson

  4. Network Access Control Steve Hanna Juniper Networks

  5. Network Access Controlfor Education By Steve Hanna, Distinguished Engineer, Juniper Co-Chair, Trusted Network Connect WG, TCG Co-Chair, Network Endpoint Assessment WG, IETF

  6. As Access Increases Mission-critical network assets Mobile and remote devices transiting the LAN perimeter Broader variety ofnetwork endpoints Faculty, staff, parent,and/or student access Implications of Expanded Network Usage Critical data at risk Perimeter security ineffective Endpoint infections may proliferate Network control can be lost Network Security Decreases

  7. Control Access • to critical resources • to entire network • Based on • User identity and role • Endpoint identity and health • Other factors • With • Remediation • Management • Consistent Access Controls • Reduced Downtime • Healthier endpoints • Fewer outbreaks • Safe Remote Access • Safe Access for • Faculty, Staff • Students, Parents • Guests • Devices Features Benefits Network Access Control Solutions Network access control must be a key component of every network!

  8. What is Trusted Network Connect (TNC)? • Open Architecture for Network Access Control • Suite of Standards to Ensure Interoperability • Work Group in Trusted Computing Group (TCG)

  9. TCG: The Big Picture • Applications • Software Stack • Operating Systems • Web Services • Authentication • Data Protection Desktops & Notebooks Printers & Hardcopy Security Infrastructure Storage TCG Standards Mobile Phones Servers Networking Security Hardware

  10. PDP TNC Architecture Overview Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) VPN Wireless FW Wired Network Perimeter

  11. Typical TNC Deployments • Uniform Policy • User-Specific Policies • TPM Integrity Check

  12. PDP Uniform Policy Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Remediation Network • Non-compliant System Windows XP • SP2 • OSHotFix 2499 • OSHotFix 9288 • AV - McAfee Virus Scan 8.0 • Firewall Client Rules Windows XP - SP2 - OSHotFix 2499 - OSHotFix 9288 - AV (one of) - Symantec AV 10.1 - McAfee Virus Scan 8.0 - Firewall Production Network • Compliant System Windows XP • SP2 • OSHotFix 2499 • OSHotFix 9288 • AV – Symantec AV 10.1 • Firewall Network Perimeter

  13. PDP User-Specific Policies Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Guest User Guest Network Internet Only Ken – Faculty Classroom Network Access Policies - Authorized Users - Client Rules Linda – Finance Finance Network Windows XP • OSHotFix 9345 • OSHotFix 8834 • AV – Symantec AV 10.1 • Firewall Network Perimeter

  14. PDP TPM Integrity Check Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) • TPM – Trusted Platform Module • Hardware module built into most of today’s PCs • Enables a hardware Root of Trust • Measures critical components during trusted boot • PTS interface allows PDP to verify configuration and remediate as necessary Client Rules - BIOS - OS - Drivers - Anti-Virus Software Production Network • Compliant System TPM Verified • BIOS • OS • Drivers • Anti-Virus Software Network Perimeter

  15. Integrity Measurement Collectors (IMC) Integrity Measurement Verifiers (IMV) TNC Server (TNCS) Collector Verifiers (IF-M) t Collector Verifers (IF-IMC) (IF-IMV) (IF-TNCCS) TNC Client (TNCC) (IF-PTS) (IF-T) Platform Trust Service (PTS) (IF-PEP) Network Access Requestor Network Access Authority Policy Enforcement Point (PEP) TSS TPM TNC Architecture in Detail Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP)

  16. TNC Status • TNC Architecture and all specs released • Available Since 2006 from TCG web site • Rapid Specification Development Continues • New Specifications, Enhancements • Number of Members and Products Growing Rapidly • Compliance and Interoperability Testing and Certification Efforts under way

  17. TNC Vendor Support Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) EndpointSupplicant/VPN Client, etc. Network Device FW, Switch, Router, Gateway AAA Server, Radius,Diameter, IIS, etc.

  18. TNC/NAP/UAC Interoperability • Announced May 21, 2007 by TCG, Microsoft, and Juniper • NAP products implement TNC specifications • Included in Windows Vista, Windows XP SP 3, and Windows Server 2008 • Juniper UAC and NAP can interoperate • Demonstrated at Interop Las Vegas 2007 • UAC will support IF-TNCCS-SOH in 1H2008 • Customer Benefits • Easier implementation – can use built-in Windows NAP client • Choice and compatibility – through open standards

  19. NAP Vendor Support

  20. What About Open Source? • Several open source implementations of TNC • University of Applied Arts and Sciences in Hannover, Germany (FHH) http://tnc.inform.fh-hannover.de • libtnc https://sourceforge.net/projects/lib/tnc • OpenSEA 802.1X supplicant http://www.openseaalliance.org • FreeRADIUS http://www.freeradius.org • TCG support for these efforts • Liaison Memberships • Open source licensing of TNC header files

  21. Summary • Network Access Control provides • Strong Security and Safety • Tight Control Over Network Access • Reduced PC Administration Costs • Open Standards Clearly Needed for NAC • Many, Many Vendors Involved in a NAC System • Some Key Benefits of Open Standards • Ubiquity, Flexibility, Reduced Cost • TNC = Open Standards for NAC • Widely Supported – HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc. • Can Use TPM to Detect Root Kits • TNC: Coming Soon to a Network Near You!

  22. For More Information • TCG Web Site • https://www.trustedcomputinggroup.org • Juniper UAC Web Site • http://www.juniper.net/products_and_services/unified_access_control • Steve Hanna • Distinguished Engineer, Juniper Networks • Co-Chair, Trusted Network Connect Work Group, TCG • Co-Chair, Network Endpoint Assessment Working Group, IETF • email: shanna@juniper.net • Blog: http://www.gotthenac.com

  23. LGfL Network 2009 - 2012 Stuart Tilley Synetrix

  24. Technician Conference –Network overview and proposedenhancement 2008 - 2012 17th March 2008 Presented by :- Stuart Tilley - Network & Systems

  25. Overview • Introduction • Current Network Overview • Proposed Technology Refresh • Core Network • Access Network • Access bandwidth • URL filtering • Edge CPE • Summary

  26. Introduction • Current Network Implemented in April 2002 • Designed and Built by Synetrix a key LGfL service provider • Emerging Technology (MPLS) and vendor choice has provided a platform for; • Delivery of High availability and scalable Broadband services • Secure and safe educational environment • New service development and delivery • Shared community network (LPSN) • Network Refresh - keeping pace with technology to and beyond 2012

  27. The London Network – Physical Topology

  28. The London Network Physical Network Topology • 3 Core locations and 21 Aggregation Points serving 33 London Authorities • Resilient dark fibre connecting core locations (10Gb/sec – OC192 SDH) • AP’s connected to core by resilient nodal loops currently 1Gb or 100Mb capacity • Resilient Service Hosting – SLB • Resilient Tier 1 ISP’s (Thus, Abovenet, UKERNA, BBC) • Total Internet Capacity 6Gbps • All Broadband services delivered over fibre (scalable bandwidth)

  29. The London Network – Logical

  30. The London Network Logical Network • MPLS core network • Dedicated RFC2547bis Layer3 VPN’s • Provides fully routed Virtual WANs per ‘customer’ (LEA or LA) • Totally autonomous routing policy and access control per Virtual WAN – WMSv1 & v2 • Virtual WANs distributed across complete physical network • QoS Support

  31. Network Statistics • Total of edge bandwidth purchased 23Gbps • Total traffic transiting network 3Gbps (average) • Total capacity of Juniper access layer 228Gbps • Total Capacity of Juniper core 480Gbps • Total Internet Bandwidth - (Sept 2002) 30Mbps today averaging over 2Gbps • HTTP traffic via URL service 1.5GMbps • Requests served from Cache 400Mbps

  32. Proposed Core Technology upgrade • Upgrade existing Juniper M160 with Next Generation MX960 • Fully resilient chassis (redundant HW) such as; • Power Supplies • Cooling fans • Routing Engines (RE) • Switch Control Board • Fully resilient design/configuration • Dual Dense Port Concentrators (DPC’s) 10G + 1G • Support resilient backbone and core switching • JUNOS code – leading standards development • Low risk migration

  33. Proposed Core Technology Upgrade Proposed MX960 core build

  34. Proposed Access Technology Upgrade • Replace Existing M10 with Juniper M10i • Fully resilient chassis (redundant HW) such as; • Power Supplies • Cooling fans • Routing Engine (RE) • Forwarding Engine Board (FEB) • Fully resilient Design/Configuration • 2 x 1Gbps Nodal loop Interfaces • 2 x 1Gbps Virtual switch uplinks (initial deployment)

  35. Proposed Access Technology Upgrade • Replace Existing Extreme S48i aggregation switch with Juniper EX4200. • Redundant Power supply • Virtual Chassis Configuration (max 10) • 48 port 10/100/1000 capability • Architecture design based high end core routing products • Packet Forwarding Engine • Routing Engine

  36. Proposed Access Technology Upgrade • Fully resilient design\configuration • Virtual chassis deployment • Multiple 1Gbps uplinks (resilience)

  37. Access Bandwidth Upgrade • All current 100Mbps nodal loops upgraded to 1Gbps • Merton – Croydon • Merton – Earls Court • Bromley - Croydon • Bromley – Welling • Lewisham - Welling • Welling – Bexleyheath • Romford – Bexleyheath • Romford – Telehouse • Waltham Forest – Camden • Haringey – Camden • Haringey – Barnet • Hayes - Harrow • Prevent degradation of service in the event of primary loop failure • Enhanced Traffic Engineering capability

  38. Access Bandwidth Upgrade

  39. URL Filtering Platform Enhancements • Evaluation exercise underway “Squid MkII” vs Bluecoat 8100. • Scaled to 2.5Gbps (N+1 resilience total 5Gbps) • Additional Active/passive F5’s deployed to scale beyond 2.5Gbps • Current total filtered traffic 1.5Gbps • Expect 500Mbps year on year increase

  40. URL Filtering Platform Enhancements

  41. Replacement CPE • Extreme 24e3/S200 replaced with Juniper J2320 • Features • Forwarding performance IMIX 400Mbps • 3DES performance 170Mbps • 4 onboard 10/100 ports • 3 Physical Interface Card (PIM) slots • ES code • Combines session state information/next hop forwarding • MPLS support fast reroute (resilient fibre services)

  42. Summary • High availability, scalable future proof infrastructure • Low risk implementation/migration • Continued delivery of existing Network Centric services such as; • Securestore • Desktop Content Control (DCC) • Campus Monitoring Protection (CMP) • High Definition Video Conferencing (HDVC) • Secure Remote Access (SRA) • Broadband Resilience Service (BRS) • Enhanced distributed functionality – enabling new service developments such as: • Virtual Private LAN Services (VPLS) • Broadcast video • High capacity Resilient Broadband Services • Security Services

  43. Per-User URL Filtering Stewart Duncan Technical Manager

  44. Current URL Filtering • LGfL URL Filtering Service is based around the NetSweeper Product • Policies can currently be configured by IP address and time of day • Reporting features are available to report on IP based sessions

  45. What is required? • Schools and LAs would like to identify end users for reporting • Have the ability to setup different policies for individual users or groups of users • IT Managers and Head Teachers need the ability to track URL traffic for an individual rather than a specific IP address

  46. What are LGfL doing to help? • LGfL working with Synetrix and Atomwide to enable the platform to offer Per-User /Group level Filtering • Enabling the USO to link with the NetSweeper Platform • Allow local management of User Policies through a web based front-end

  47. Where we are so far • A trial is currently taking place in various locations across London • So far the trial is going well and bugs are being identified and cleared up

  48. What does it Look like? The new front end allows configuration of multiple groups each with a separate policy.

  49. What does it Look like? Here you can configure which users belong to which policy within the USO.

  50. What does it Look like? Users are then prompted to log in when they run Internet Explorer and try and access the web.

More Related