HKOM+ Marko Erjavec (presentation transcript)


HKOM+ Marko Erjavec

Goals for HKOM+
Lower the connection expenses (today: leased connections)
Lower the maintenance and management expenses (goal: maintain the whole network with one person)
–Lower the human resources needed for network maintenance
–Lower the complexity of configurations on remote locations: configuration standardisation, i.e. simplification of maintenance and management of configuration
–Rule optimisation: the rules on who may communicate with what, and when, are located in one central point
Enabling new services:
–VoIP
–Multicast
Quality supervision of outsourcers and outtaskers
Connection to remote locations should be possible over every known connection type, independent of the connection provider
–Frame relay (today's connections)
–Internet
–MPLS
–Leased lines (copper, optics)
–Providers: Telekom, Volja, Amis, Mobitel, satellite, Vimax ...
Bandwidth increase
–Possibility of application centralisation (SPIS)
–Possibility of introducing and centralising VoIP
Traffic restriction inside HKOM+ with MPLS technology
Security: availability, integrity, confidentiality
Preparation for the EU presidency: process audits and security requirements in the year 2007
Accreditation to security level "restraint"
Redefinition of the processes for building, maintaining and managing the network in accordance with appropriate standards and best practices
Virtualisation of devices and connections

Present production state: 800 locations, 80 PoPs, 1600 LANs and their users, central site in Ljubljana

Future production state: 800 end locations, 1600 LANs and their users, central site in Ljubljana, reached over the Internet, satellite, Telekom and Mobitel

Goals enabling: Increasing the total bandwidth from approx. 1 Gbit/s to 8 Gbit/s by changing from leased lines to flat rate. Lower the connection expenses –Tender for the providers' ability to provide different bandwidths at the different locations (800). An informational request to all (15) providers gave us the following results:

Informational request

Goals enabling – Security:
–Availability: every remote location is connected to two independent providers. NIC Maribor is a backup location with all the functionality of the primary location in Ljubljana. Every provider is connected to both Ljubljana and Maribor.
–Integrity, confidentiality: all traffic to remote locations is encrypted (certificates issued by SIGOV-CA).
Preparation for the EU presidency: preparation of security processes according to the ISO standard and the special EU security standards. Collaboration with the security agency to learn the special requirements and to influence the creation of security requirements.

Goals enabling: On all remote locations the standardised interface is Ethernet (UTP cable, RJ45 connector). Some remote locations have more than one LAN. Every LAN has three Ethernet connections: –Data –VoIP –DMZ (for larger agencies that have their own IT department and Internet applications). All remote locations have the same configuration except for the IP address and the name.

How we started: Negotiating with Telekom –we got a good negotiating position from the results of the informational request. Equipment purchase. Designing and building the LAB. LAB connection to the production network –it is now part of production. Making pilot installations on existing leased lines and new flat-rate connections. Large deployment to existing leased lines and new flat-rate lines –in two months all 600 routers will be placed on site.

LAB design

Production state

Physical/Logical Topology: MPLS VPN, GRE over IPsec

Logical Topology

Detailed LAB picture

Configuration standardisation: Every remote LAN has three Ethernet connections –Data –VoIP –DMZ (just for some organisations). If an exception exists, it must become a standard configuration within at most two months. That implies that within two months we have to change the "configurator" application. The configurator will become the central point of provisioning and maintenance of the whole HKOM+ network. We expect new revisions every two months. It now covers the five different Cisco routers and switches that we use in HKOM+. Daily configuration of the firewall must be done through CSM; the command line is not permitted.
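The standardisation rule in the two slides above (every LAN with Data, VoIP and DMZ connections, and every remote site configured identically except for its IP addresses and name) is easiest to enforce when one tool renders each site from a single template and then reports any site whose running configuration drifts from that template. The script below is an added illustration of that idea and is not code from the presentation or from the HKOM+ configurator: the IOS-style template, the VLAN numbers, the site names and the RFC 1918 addresses are all constructed for the example.

```python
"""Minimal "configurator" sketch (added example, not the HKOM+ tool):
render one standard site configuration per location and flag any site
whose running configuration differs in anything other than its hostname
and IP addresses."""
import difflib
import re
from dataclasses import asdict, dataclass
from typing import Dict, List

# The three Ethernet connections every remote LAN gets, per the presentation.
STANDARD_LANS = ("DATA", "VOIP", "DMZ")

# Hypothetical IOS-style template. Only {name} and the {ip_*} fields may
# differ between sites; everything else is the standard configuration.
TEMPLATE = """hostname {name}
!
interface Vlan10
 description DATA
 ip address {ip_data} 255.255.255.0
!
interface Vlan20
 description VOIP
 ip address {ip_voip} 255.255.255.0
!
interface Vlan30
 description DMZ
 ip address {ip_dmz} 255.255.255.0
!
ip access-list extended TO-CENTER
 permit ip any any
!
"""


@dataclass(frozen=True)
class Site:
    name: str
    ip_data: str
    ip_voip: str
    ip_dmz: str


def render(site: Site) -> str:
    """Standard configuration for one site: template plus its own fields."""
    return TEMPLATE.format(**asdict(site))


_IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
_HOST_RE = re.compile(r"^hostname \S+$", re.MULTILINE)


def normalise(config: str) -> str:
    """Mask the permitted per-site fields (hostname, IP addresses) so that
    any two conforming site configurations become byte-identical."""
    return _IP_RE.sub("<IP>", _HOST_RE.sub("hostname <NAME>", config))


def drift(site: Site, running: str) -> List[str]:
    """Lines by which `running` deviates from the standard rendering of
    `site`, ignoring name/IP differences. '+' marks extra lines on the
    device, '-' marks standard lines the device is missing."""
    want = normalise(render(site)).splitlines()
    have = normalise(running).splitlines()
    diff = difflib.unified_diff(want, have, "standard", "running", lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def check_all(sites: Dict[str, Site], running: Dict[str, str]) -> Dict[str, List[str]]:
    """Map of site name -> drift lines, listing only sites that drift."""
    report = {}
    for name, site in sites.items():
        lines = drift(site, running[name])
        if lines:
            report[name] = lines
    return report


# Constructed sample data: two sites, one conforming and one with an extra
# line that a central policy would have to either remove or standardise.
SITES = {
    "site-a": Site("site-a", "10.10.1.1", "10.10.2.1", "10.10.3.1"),
    "site-b": Site("site-b", "10.20.1.1", "10.20.2.1", "10.20.3.1"),
}
RUNNING = {
    "site-a": render(SITES["site-a"]),
    "site-b": render(SITES["site-b"]).replace(
        "ip access-list extended TO-CENTER",
        "ip http server\nip access-list extended TO-CENTER"),
}

if __name__ == "__main__":
    for name, lines in check_all(SITES, RUNNING).items():
        print(f"{name}: drift from standard")
        for line in lines:
            print("  ", line)
```

The masking step is what makes the "identical except IP and name" rule checkable mechanically: after `normalise`, a conforming site compares equal to the template rendered for any other site, so the drift report contains exactly the lines that would have to become standard (or be removed) within the two-month window the slide sets. A real configurator would add per-platform templates for each of the five router and switch models and pull the running configurations from the devices instead of the constructed `RUNNING` dictionary.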

Configurator

Other tools
MARS –analytical, correlation tool to predict possible problems in the network (NetFlow)
CSM –Cisco firewall GUI configuration tool
CiscoWorks –configuration management on the end routers
Monitor –custom-designed HW and SW for larger (important) remote locations to measure availability of services and the SLA
OpenView
Help desk software –registering every incident –making reports, knowledge base
IDS/IPS: ISS products (Proventia, BlackICE ...)
Conclusion: –Everyday work on the network is done through CSM and the help desk. The other tools are for alarming and observing the network.

Services: HKOM offers different services to its users. HKOM needs different services to function properly. Services must never go down (24/7).

Services – HKOM services: –DNS (inside and outside, registrar) –Proxy –Remote access for outsourcers –Remote access for users –Authentication, authorisation, accounting –Video conferencing, video streaming –Syslog –RADIUS –IPS for all agencies at a central point –Firewalling for all traffic entering or leaving HKOM (Internet, outsourcers, some government agencies, EU networks, data center) –SecurID issuing –Mail for some organisations –Access for concessionaires –Load balancing for different web applications (content manager) –Connection to EU networks –Voice (telephone)

EU networks: the HKOM network is connected to the CCN, EXTRANET and TESTA II networks.

EU networks – CCN (Common Communication Network)
 The CCN network is under the jurisdiction of EC DG TAXUD (European Commission, Directorate General for Taxation and the Customs Union)
 The CCN network has been established for the interchange of regular customs and taxation data
 Over the CCN network special data are also interchanged: AFIS (Anti-Fraud Information Systems), under the jurisdiction of EC OLAF (European Commission, European Anti-Fraud Office)
 Primary connection: leased line, 256 kbit/s
 Secondary connection: ISDN
 Data encryption: yes

EU networks – CCN (Common Communication Network): HKOM network to CCN network
Users: Ministry of Finance, Customs Administration; Ministry of Finance, Tax Administration; Ministry of Finance
Systems: VIES (VAT Information Exchange System), a system for VAT number validation; NCTS (New Computerised Transit System); CIS (Customs Information System): TARIC (TARif Intégré Communautaire), QUOTA, ...; AFIS (Anti-Fraud Information Systems), systems for detecting and preventing fraud, corruption and other illegal activities with financial consequences

EU networks – TESTA (Trans-European Services for Telematics between Administrations)
 The TESTA II network is under the jurisdiction of EC ENTERPRISE DG (European Commission, Enterprise Directorate-General)
 The TESTA II network is one of the generic services of the IDA Programme (Interchange of Data between Administrations, a European Community programme)
 Projects using the TESTA II network: 14POINTS, AFIS, CARE, CIRCA, DUBLINET, ECB.NET, EUDRANET, EUPHIN, EURAMIS, EURODAC, EUROSTAT, FIDES, FIUNET, INTRACOM, PROCIV-NET, SAFESEANET, SFC, SIGL, TACHONET and TESS (most of them are projects of common interest)

EU networks – TESTA (Trans-European Services for Telematics between Administrations): HKOM network to TESTA II network
Users: Office for Money Laundering Prevention, Ministry of Finance; Ministry of the Interior; Ministry of the Economy; Administration for Civil Protection and Disaster Relief, Ministry of Defense; Ministry of Transport
 Primary connection: leased line, 256 kbit/s
 Secondary connection: leased line, 256 kbit/s
 Data encryption: yes

EU networks – TESTA (Trans-European Services for Telematics between Administrations): systems on the TESTA II network
 FIU.NET (Financial Intelligence Unit): system for money laundering detection and prevention
 EURODAC: system for fingerprint comparison (identification of asylum applicants)
 DUBLINET: system for interchanging data about asylum applicants (Dublin II regulation)
 SIGL: system for checking textile and steel import quotas (before issuing the import documentation)
 PROCIV-NET (Civil Protection and Environmental Emergencies European Network): system for interconnecting national civil protection institutions and interchanging essential information (CECIS, Common Emergency Communication and Information System)
 TACHONET: system for interchanging data about professional truck drivers and truck journeys (digital tachograph)

INTERNET (VPN, crypto) – EXCEPTION:  EUDRANET: system for interchanging data about pharmaceutical products (competence: Agency for Medicinal Products and Medical Devices of the Republic of Slovenia, Ministry of Health)

EU networks – EXTRANET (Extranet Network)
 The EXTRANET network is under the jurisdiction of the General Secretariat of the Council of the European Union
 The EXTRANET network has been established for interchanging documents in electronic form (sent from the GSC EU to the EU member states)
 Primary connection: leased line, 256 kbit/s
 Secondary connection: ISDN (4 channels)
 Data encryption: yes

EU networks – EXTRANET (Extranet Network): HKOM network to EXTRANET network via the EU-Portal
 U32Mail: in Slovenia the documents are available through the dedicated EU-Portal application