Delivering a Network Services Portfolio to Ireland’s Schools Network


Delivering a Network Services Portfolio to Ireland’s Schools Network TERENA Networking Conference 2006 17th May 2006 Ronan Byrne, Senior Project Manager, HEAnet

Presentation Structure
- Background
- Who is the user?
- Project delivery approach
- Network design principles
- Network management systems
- Provisioning
- Security & content filtering
- Email
- Support services

Background: Ireland’s Schools Network
- Free services for approx. 4,000 schools
- 3-year agreement: joint Government & Industry funding
- HEAnet provide & manage the backbone network
- HEAnet network services: managed network; security; filtering; e-mail; etc.
- 6 x access broadband providers interconnect with HEAnet
- 1 x school router supplier
- 1st line NCTE Service Desk & 2nd line HEAnet Schools NOC

Who is the user? “Follow the User”
To whom are we delivering our services?
- Government stakeholders
- Telecoms industry contributors
- 1st line support desk
- Interconnecting broadband access providers
- Schools: primary & post-primary
- Teachers & students

Broadband Tender Evaluation Approach
- Objective: deliver the best possible broadband solution for each school
- Evaluation on a “per-school” basis: not single-supplier driven; not geographically driven
- Tenders requested ‘technology’ & ‘cost’ for each school: 100+ broadband technologies evaluated; 80+ router models evaluated
- School user-driven, but with resultant extra overhead to manage

HEAnet: Central Role
- Management of backbone network
- Management of centralised services. Categories: network monitoring; centralised security; content filtering; email services
- Interconnectivity with 6 x broadband access providers; monitoring of their Service Level Agreements
- Schools support: HEAnet 2nd line technical support

Project Management Approach

Project Management Approach
- Project scope: define ‘Initial’ and ‘Later’ services; constraints & dependencies
- Indemnity: from consequential loss (NREN delays); against claims for damages (content filtering gaps)
- Project documentation: Project Initiation Document (sign-off by customer); financial budget, based on tender outcome scenarios; issues log & risk register; Security Design Proposal (sign-off by customer); email policy (NREN advise, but owned by Dept. of Education); security policy (NREN advise, but owned by Dept. of Education)
- Project organisation: working groups created for key project deliverables

Network Design

Schools Network Design Principles
- Interconnectivity: Layer 2 presentation (tender requirement); specific presentation standards (tender requirement)
- School router specification: specific router protocols to be supported (tender requirement); ability to centrally manage (tender requirement)
- Centralised approach to management of services: limited technical resource & equipment at schools; centralised content filtering (up to 4,000 school policies); centralised firewalls (e.g. P2P on/off); centralised email (webmail)
- Public IP addresses

A Layer 2 service exists between the schools’ CPE and the HEAnet network. This is achieved via PPPoE over L2TP, VLANs or ATM virtual circuits. Authentication and authorisation are performed via RADIUS. HEAnet has full remote manageability of the schools’ CPE, which is uniformly a Cisco 871 next-generation router. Each device connecting to the schools network is given its own public IP address from a /12 pool allocated by RIPE. Later services to be offered will include IPv6 and multicast.

Schools Network Topology
This diagram shows the schools network in simplified form, starting with schools connecting into one of the six broadband access providers awarded as part of the Request For Tender (RfT). These access providers then interconnect into one of two PoPs, in Citywest or Kilcarbery. Resilience is provided between the PoPs via the National Backbone Extension. Onward Internet connectivity is then provided via the HEAnet backbone.

IP Addressing
Tier (students) / subnet (usable hosts):
Very Large Post-Primary (>1000)
/23 (510)
/24 (254)
Medium Post-Primary (100-499)
/25 (126)
Small Post-Primary (<100)
/26 (62)
Large Primary (500-999)
Medium Primary (100-499)
Small Primary (50-99)
/27 (30)
Very Small Primary (<50)

Based on the number of students, schools were separated into different tiers, shown in the left column of this table. A subnet of IP space was then allocated to each school (out of a /12 range) based on this tiering level. 4/1 ratio????

Network Design Scalability Requirements
- Content filtering: scalable up to 3.6Gbps with current infrastructure, and expandable
- Email: up to 800,000 mailboxes
- IPv4: /12 address block (over 500,000 IP hosts)
- IPv6 ready / road map
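The tiered addressing scheme above (a fixed prefix length per school tier, all carved from one /12) is easy to get wrong at scale: overlapping allocations or a mis-sized block only show up once a school is live. The following is an added example, not HEAnet’s provisioning code, of a first-fit allocator that keeps blocks aligned, refuses overlaps, and reports capacity. The pool 10.0.0.0/12 is a constructed stand-in for the RIPE-allocated block, and the tier-to-prefix mapping is an assumption apart from the pairings visible on the slide.

```python
"""Tiered per-school subnet allocation from a single /12 pool.

Added example (not HEAnet's provisioning system). The pool address is a
constructed stand-in for the real RIPE allocation; the tier labels and
their prefix lengths are assumptions illustrating the slide's scheme.
"""
import ipaddress
from typing import List

# Assumed tier -> prefix length; usable-host counts match the slide
# (/23 510, /24 254, /25 126, /26 62, /27 30).
TIER_PREFIX = {
    "very-large-post-primary": 23,
    "medium-post-primary": 25,
    "small-post-primary": 26,
    "small-primary": 27,
}


def usable_hosts(prefixlen: int) -> int:
    """Hosts available in an IPv4 block, minus network and broadcast."""
    return 2 ** (32 - prefixlen) - 2


class SubnetPool:
    """First-fit, aligned allocator over one parent network.

    Allocations are handed out in address order; the cursor is rounded up
    to the requested block size so every block is a valid CIDR network.
    Space skipped by alignment is not reused (simple, but predictable).
    """

    def __init__(self, pool: str) -> None:
        self.pool = ipaddress.ip_network(pool)
        self.cursor = int(self.pool.network_address)
        self.end = int(self.pool.broadcast_address) + 1
        self.allocated: List[ipaddress.IPv4Network] = []

    def allocate(self, prefixlen: int) -> ipaddress.IPv4Network:
        if prefixlen < self.pool.prefixlen:
            raise ValueError("block larger than the pool")
        size = 2 ** (32 - prefixlen)
        start = (self.cursor + size - 1) // size * size  # align to size
        if start + size > self.end:
            raise RuntimeError("pool exhausted")
        net = ipaddress.ip_network((start, prefixlen))
        # Defensive overlap check: the cursor scheme already guarantees it,
        # but a later change to reuse freed space must not break this.
        if any(net.overlaps(other) for other in self.allocated):
            raise RuntimeError(f"{net} overlaps an existing allocation")
        self.cursor = start + size
        self.allocated.append(net)
        return net

    def allocate_for_tier(self, tier: str) -> ipaddress.IPv4Network:
        return self.allocate(TIER_PREFIX[tier])

    def remaining(self) -> int:
        """Addresses still above the cursor (not counting alignment gaps)."""
        return self.end - self.cursor


if __name__ == "__main__":
    pool = SubnetPool("10.0.0.0/12")  # constructed pool, not the real block
    for tier in ("very-large-post-primary", "small-primary", "medium-post-primary"):
        net = pool.allocate_for_tier(tier)
        print(f"{tier:24s} {net}  usable hosts: {usable_hosts(net.prefixlen)}")
    print("addresses remaining:", pool.remaining())
```

Because the cursor only moves forward, allocating a /27 and then a /24 leaves a gap; for a one-off bulk roll-out like the one described (tiers assigned up front) that is acceptable, and sorting the school list by tier before allocating removes the gaps entirely.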

Network Management Systems

HEAnet: Centralised Network Services
- Monitor schools’ connectivity
- Generation of intelligent alerts
- Monitor services
- Graph network usage
- Capacity planning
- Access provider measurements vs. SLAs: latency (RTTs); packet loss; network availability

HEAnet provide a number of centralised network services for use by both the NCTE 1st line Service Desk and HEAnet.

These include:
- Nagios: for monitoring schools’ connectivity, core routers, and services such as DNS. This tool generates intelligent alerts regarding the health of the schools network.
- Cricket: for providing a graphical view of network usage vs. maximum bandwidth over time, including a historical view. This can be used to determine whether schools require additional bandwidth based on their usage.
- Smokeping: to graphically monitor packet loss and latency, with granularity ranging from the last 5 minutes up to the last 400 days. This tool is also used for Lot 1 acceptance testing by the NCTE Service Desk, ensuring that access providers are meeting SLAs on the quality of their schools circuits.
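Smokeping records each probe as a burst of pings, some of which may be lost, and the SLA checks described above are judgements on loss and latency over those bursts. The block below is an added example, not HEAnet’s or the NCTE Service Desk’s tooling: it turns Smokeping-style probe samples into Nagios-style OK/WARNING/CRITICAL states against a per-provider SLA, and summarises how often each provider met it. The SLA thresholds, provider names and probe data are all constructed.

```python
"""SLA evaluation over Smokeping-style probe samples.

Added example, not HEAnet's monitoring code. Thresholds, provider names
and the probe samples are constructed. Each probe is a burst of pings;
None marks a lost ping, as Smokeping records loss per burst.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

OK, WARNING, CRITICAL = "OK", "WARNING", "CRITICAL"
WARN_FRACTION = 0.8  # warn once a metric reaches 80% of its SLA limit (assumed)


@dataclass(frozen=True)
class Sla:
    max_median_rtt_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class Probe:
    school: str
    provider: str
    rtts_ms: Tuple[Optional[float], ...]  # one entry per ping in the burst

    def loss_pct(self) -> float:
        lost = sum(1 for r in self.rtts_ms if r is None)
        return 100.0 * lost / len(self.rtts_ms)

    def median_rtt(self) -> Optional[float]:
        """Median over the pings that came back; None if all were lost."""
        got = [r for r in self.rtts_ms if r is not None]
        return median(got) if got else None


def evaluate(probe: Probe, sla: Sla) -> Tuple[str, str]:
    """Map one probe to a Nagios-style state and a one-line reason."""
    loss = probe.loss_pct()
    rtt = probe.median_rtt()
    if rtt is None:
        return CRITICAL, f"{probe.school}: 100% loss, circuit may be down"
    if loss > sla.max_loss_pct or rtt > sla.max_median_rtt_ms:
        return CRITICAL, (f"{probe.school}: loss {loss:.1f}% / median RTT {rtt:.1f}ms "
                          f"exceeds SLA ({sla.max_loss_pct}% / {sla.max_median_rtt_ms}ms)")
    if (loss > WARN_FRACTION * sla.max_loss_pct
            or rtt > WARN_FRACTION * sla.max_median_rtt_ms):
        return WARNING, f"{probe.school}: approaching SLA limit (loss {loss:.1f}%, RTT {rtt:.1f}ms)"
    return OK, f"{probe.school}: loss {loss:.1f}%, median RTT {rtt:.1f}ms"


def provider_compliance(probes: List[Probe], slas: Dict[str, Sla]) -> Dict[str, float]:
    """Percentage of probes per provider that were not CRITICAL."""
    totals: Dict[str, List[int]] = {}
    for p in probes:
        state, _ = evaluate(p, slas[p.provider])
        counts = totals.setdefault(p.provider, [0, 0])
        counts[0] += 1
        counts[1] += state != CRITICAL
    return {prov: 100.0 * ok / n for prov, (n, ok) in totals.items()}


# Constructed sample data: 20-ping bursts, as Smokeping sends by default.
SLAS = {"provider-a": Sla(max_median_rtt_ms=40.0, max_loss_pct=2.0)}
SAMPLES = [
    Probe("school-001", "provider-a", tuple([20.0] * 20)),
    Probe("school-002", "provider-a", tuple([20.0] * 19 + [None])),      # 5% loss
    Probe("school-003", "provider-a", tuple([35.0] * 20)),              # high RTT
    Probe("school-004", "provider-a", tuple([None] * 20)),              # down
]

if __name__ == "__main__":
    for probe in SAMPLES:
        print(*evaluate(probe, SLAS[probe.provider]))
    print(provider_compliance(SAMPLES, SLAS))
```

Note that a single lost ping in a 20-ping burst is already 5% loss, which is why per-burst loss is compared against the SLA rather than per-ping results, and why the compliance figure is computed over many bursts rather than alarming on one.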

Another tool currently in development by HEAnet may look familiar to anyone who has used Google Maps in the past. Each button represents an individual school, and gives an indication of the health of the connection. Clicking on a specific school allows the operator to select from Smokeping, Nagios, or Cricket, launching the application in a new window and giving direct visibility of that school.

As can be seen on this final map, the view can become quite unusable at this level once all 3925 schools are displayed. As such, it will be possible to refine views based on both the access provider and access technology, as well as the ability to zoom on specific areas. This can be useful in diagnosing network issues such as a particular wireless base station of a provider going off air.

Provisioning Systems

Schools Roll-Out: Sept 05 to Apr 06

Aggressive Roll-Out Challenge!
- Approx. 500 broadband installs per month since July 2005
- Approx. 500 school router installs per month since Sept 2005
- Broadband and router installs happening in parallel
- School-specific router!
- Automated generation of configs: school routers; DNS; RADIUS; Smokeping; Cricket; Nagios; TACACS; maps; etc.

A provisioning system has been developed to generate not only the CPE router configs, but also to enable a variety of services. A PostgreSQL database backend maintains a repository of schools information, searchable via a PHP/web front end.

Push Provisioning to 1st Line via Web Tools
- Acceptance test URLs: broadband installation test; school router installation test
- If “PASS”, auto-enablement of network management configs: Smokeping; Cricket; Nagios
- Add future provisioning needs: content filtering options; DHCP on/off; static IPs; email service provisioning
- Router configs posted to secure web site for download

Security Design

Schools Network Security Design
Providing security to schools is an important element of the Broadband for Schools project, with security being enforced at 3 levels.

At the school router level, ACLs have been defined to protect the school’s LAN. These are rules that would generally remain static over the long term, reducing the risk of having to perform config changes across large numbers of devices. Security rules that are more likely to be dynamic are brought back into the centralised system.

Inbound traffic is generally restricted to established sessions and ICMP services. Ports have also been opened to allow HTTP and SNMP traffic to two specific IP addresses within the block assigned to the school, to allow the school to locally host web and mail servers.

ACLs are enforced at the aggregation router to protect inter-school traffic.
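The provisioning system described earlier generates the school router configs, and the security design above fixes what the inbound ACL on each router should say: established TCP sessions and ICMP in, plus HTTP and SNMP to two named hosts inside the school’s block, everything else denied. The block below is an added example serving both passages; it is not HEAnet’s provisioning output or an actual router config. It renders a per-school record into Cisco IOS extended-ACL text and provides a decision function that mirrors the same policy, so the two can be checked against each other. The school record, the ACL number 101 and the choice of numbered-ACL syntax are assumptions.

```python
"""Per-school inbound ACL: IOS-style text generator plus a matching
decision function, driven by a school record as a provisioning database
would hold it.

Added example, not HEAnet's provisioning code or router configuration.
The school record values are constructed (203.0.113.0/24 is documentation
space), and ACL number 101 is an arbitrary choice.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HTTP, SNMP = 80, 161


@dataclass(frozen=True)
class School:
    roll_number: str                   # constructed identifier
    lan: ipaddress.IPv4Network         # public block assigned to the school
    web_host: ipaddress.IPv4Address    # may receive HTTP from outside
    snmp_host: ipaddress.IPv4Address   # may receive SNMP from outside


def validate(school: School) -> None:
    """A host outside the school's block would silently never match."""
    for host in (school.web_host, school.snmp_host):
        if host not in school.lan:
            raise ValueError(f"{host} is not inside {school.lan}")


def inbound_acl(school: School, number: int = 101) -> str:
    """Render the static inbound policy as IOS numbered extended ACL lines.

    'established' matches TCP segments with ACK or RST set; it is a
    stateless check on flags, not connection tracking, which is one reason
    the design keeps dynamic rules in the centralised layer.
    """
    validate(school)
    lan = f"{school.lan.network_address} {school.lan.hostmask}"
    lines = [
        f"! inbound ACL for school {school.roll_number} (generated)",
        f"access-list {number} permit tcp any {lan} established",
        f"access-list {number} permit icmp any {lan}",
        f"access-list {number} permit tcp any host {school.web_host} eq {HTTP}",
        f"access-list {number} permit udp any host {school.snmp_host} eq {SNMP}",
        f"access-list {number} deny ip any any",
    ]
    return "\n".join(lines)


def inbound_allowed(school: School, proto: str, dst: str,
                    dport: Optional[int] = None, established: bool = False) -> bool:
    """Decision function equivalent to inbound_acl(), first match wins."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in school.lan:
        return False                       # nothing else is permitted
    if proto == "tcp" and established:
        return True
    if proto == "icmp":
        return True
    if proto == "tcp" and dport == HTTP and dst_ip == school.web_host:
        return True
    if proto == "udp" and dport == SNMP and dst_ip == school.snmp_host:
        return True
    return False                           # implicit deny


SAMPLE_SCHOOL = School(                    # constructed record
    roll_number="00000X",
    lan=ipaddress.ip_network("203.0.113.0/26"),
    web_host=ipaddress.ip_address("203.0.113.10"),
    snmp_host=ipaddress.ip_address("203.0.113.11"),
)

if __name__ == "__main__":
    print(inbound_acl(SAMPLE_SCHOOL))
    print("new inbound SSH to a LAN host allowed?",
          inbound_allowed(SAMPLE_SCHOOL, "tcp", "203.0.113.5", 22))
```

Keeping the decision function beside the generator gives the provisioning pipeline a cheap regression test: any change to the rendered ACL that is not mirrored in `inbound_allowed` shows up before a config is pushed to several thousand routers.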

Centralised Content Filtering
- Dept of Education requirement
- Fortinet solution
- Security node at two HEAnet PoPs
- Currently 500Mbps capable “in-line checking”
- Content filtering capability: in-line anti-virus blocking; white list; black list; 56 categories; database of 28 million rated URLs
- 24x7 managed service
- “Security Profiles” set by Dept of Education

The centralised security solution is a DES requirement and provides inline content filtering, antivirus, IPS/IDS, as well as firewalling. Content filtering is configurable via white list/black list and also category blocking. Currently 56 categories are defined by Fortinet, supported by a database of over 28 million rated URLs. Security profiles are set by the Department of Education, and a school must sign up to a specific profile before Internet connectivity via HEAnet is permitted.
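The filtering policy above combines three mechanisms (white list, black list, category blocking) with a per-school security profile, and a school with no profile gets no connectivity. The block below is an added example of how those pieces compose, not Fortinet’s or HEAnet’s implementation: it normalises the host out of a URL, matches list entries by domain suffix, resolves a category by longest domain match, and applies a precedence order of white list, then black list, then the profile’s blocked categories. The category names, profiles, the tiny category table standing in for the rated-URL database, and the precedence order itself are constructed assumptions.

```python
"""Profile-based URL filtering decision: white list, black list, categories.

Added example, not the Fortinet product's logic or HEAnet's configuration.
Category names, profiles, list entries and the category table are
constructed; the precedence order (white list > black list > category) is
an assumption chosen so that explicit exceptions always win.
"""
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

ALLOW, BLOCK = "allow", "block"


def host_of(url: str) -> str:
    """Lower-cased registered host from a URL; rejects URLs without one."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")            # hostname is already lower-cased


def domain_matches(host: str, entry: str) -> bool:
    """'example.test' matches itself and any subdomain, never 'notexample.test'."""
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


class ContentFilter:
    def __init__(self, categories: Dict[str, str], profiles: Dict[str, Set[str]]) -> None:
        self.categories = {k.lower(): v for k, v in categories.items()}  # domain -> category
        self.profiles = profiles                # profile -> blocked categories
        self.white: Set[str] = set()
        self.black: Set[str] = set()
        self.school_profile: Dict[str, str] = {}

    def assign_profile(self, school: str, profile: str) -> None:
        if profile not in self.profiles:
            raise KeyError(f"unknown profile {profile}")
        self.school_profile[school] = profile

    def categorise(self, host: str) -> Optional[str]:
        """Longest-suffix match: a rating on a subdomain beats its parent."""
        labels = host.split(".")
        for i in range(len(labels)):
            cat = self.categories.get(".".join(labels[i:]))
            if cat is not None:
                return cat
        return None

    def decide(self, school: str, url: str) -> Tuple[str, str]:
        profile = self.school_profile.get(school)
        if profile is None:
            return BLOCK, "no security profile assigned to school"
        host = host_of(url)
        if any(domain_matches(host, e) for e in self.white):
            return ALLOW, "white list"
        if any(domain_matches(host, e) for e in self.black):
            return BLOCK, "black list"
        cat = self.categorise(host)
        if cat in self.profiles[profile]:
            return BLOCK, f"category '{cat}' blocked by profile {profile}"
        return ALLOW, f"category '{cat}' permitted by profile {profile}"


def build_sample_filter() -> ContentFilter:
    """Constructed data standing in for the rated-URL database and profiles."""
    f = ContentFilter(
        categories={"games.example": "games", "video.games.example": "education",
                    "social.example": "social-networking", "edu.example": "education"},
        profiles={"primary": {"games", "social-networking"}, "post-primary": {"games"}},
    )
    f.white.add("homework.games.example")
    f.black.add("banned.edu.example")
    f.assign_profile("school-001", "primary")
    f.assign_profile("school-002", "post-primary")
    return f


if __name__ == "__main__":
    flt = build_sample_filter()
    for school, url in [("school-001", "http://games.example/"),
                        ("school-001", "https://HOMEWORK.games.example/x"),
                        ("school-003", "http://edu.example/")]:
        print(school, url, *flt.decide(school, url))
```

The longest-suffix lookup is what lets an operator rate `video.games.example` differently from `games.example` without either entry shadowing the other, and the white list sitting above the black list is the practical order for a helpdesk-driven exception process.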

E-Mail Services

Schools E-Mail Service
- Webmail front end: basic & advanced interface
- Open source components (Horde IMP)
- LDAP foundation
- Anti-spam & anti-virus blocking
- Calendar & address list facility
- Autonomy at school level to administer some email services (e.g. new mailboxes; password changing)
- Scalable to accommodate all staff & pupils
- Dept of Education set email policy

School Support Services

Schools Support Escalation Channel

HEAnet Support for 1st Line Service Desk
- Acceptance test tools
- Front-end service provisioning
- Documentation (wiki): installation guidelines; troubleshooting guidelines; school LAN connection guidelines; FAQs
- Training
- Technical advice & consultancy
- Schools network reporting

HEAnet: Proactive Network Management
- Network outage alerts
- Service outage alerts
- Virus alerts
- Security alerts (e.g. CERT)
- Latency & packet loss depreciation
- Router mis-configurations (e.g. IOS)
- LAN mis-configurations (e.g. Active Directory)
- Interconnect errors / flapping
