IT Briefing - PowerPoint PPT Presentation

About This Presentation

Title:

IT Briefing

Description:

* Academic Firewalls Migrated A second firewall cluster was installed using our lab gear pending replacement by Juniper in order to expedite the project. – PowerPoint PPT presentation

Number of Views:106

Avg rating:3.0/5.0

Slides: 31

Provided by: DonnaP151

Learn more at: https://it.emory.edu

Category:

more less

Transcript and Presenter's Notes

Title: IT Briefing

1
IT Briefing

April 2007

2
IT Briefing March 15, 2007

Gartner Demonstration
Computer Ordering Emory Express Demo
Blackboard Upgrade
Firewall Migration Update
Announcements/Updates

John Kazmin
Loette King David Thurston
Julia Leon
Jimmy Kincaid
Jay Flanagan

3
Gartner

John Kazmin
John.kazmin_at_gartner.com
Tel 239-995-2077

4
www.gartner.com access page

http//it.emory.edu/showdoc.cfm?docid2465
Questions or issues email
gartner_at_listserv.emory.edu

5
Computer Ordering Emory Express

Loette King
David Thurston

6
Blackboard Upgrade

Julia Leon

7
Whats New

Discussion Board revamped
Improvements to Tests and Gradebook
Visual Textbox Editor in more places
more features
More robust technical architecture

8
Architecture-Now
9
Architecture-Upgraded
10
Schedule
11
Firewall Migration Update

Jimmy Kincaid

12
Presentation Structure

Brief Project Overview
Diagram of Legacy Firewalls
Diagram of New Firewalls
Implementation Issues and Fixes
Logical Diagram of Modified Design
Remaining Steps and Timeline

13
Brief Project Overview

Emory needed a new firewall solution.
A cross-organizational evaluation team was put
together consisting of AAIT Security, IS
Security, and Network Communications.
Candidates were Cisco/FWSM, Checkpoint/Crossbeam,
and Juniper/Netscreen.
After extensive testing and evaluation, the
Juniper Netscreen 5400 was chosen as Emory's new
firewall platform.

14
Legacy Checkpoint Firewalls

Multiple single points of failure
No site redundancy
Software (CPU) based
External third-party load balancers
Physical hardware per-firewall

15
New Juniper Firewalls

Site redundancy
Stateful HA via NSRP and OSPF
Hardware (ASIC) based
Virtual firewalls
No external load-balancers

16
Implementation Attempts

ResNet was migrated without issue.
Several attempts to migrate the Academic
firewalls were unsuccessful due to high CPU
utilization and instability.
We worked very closely with Juniper and
determined the root causes of the issues.

17
Implementation Issues

TCP sessions were not removed from the
firewall's session table when the sessions were
finished
All RTSP (Real Time Streaming Protocol) packets
hit the firewall CPU
OSPF (Open Shortest Path First) LSA (Link State
Advertisement) database limitation of lt 2048

18
TCP Session Issue Fix

The TCP session issue was identified as a
software bug and was fixed in software release
5.4.0.r3.
A software bug that prevented us from loading
5.4.0.r3 was fixed in release 5.4.0.dm2.
The 5.4.0.dm2 software was loaded, and the TCP
session issue was corrected. ResNet showed
immediate improvement (gt 50 session table
reduction).

19
RTSP Issue Fix

The RTSP issue only occurs when the streaming
media traffic uses the same session (TCP/554) as
the control traffic instead of a secondary UDP
session for the media stream. AOL was a big
offender.
The RTSP ALG (Application Layer Gateway) that
handles these secondary sessions was disabled.
ResNet showed a dramatic improvement in CPU
utilization.

20
OSPF LSA Database Fix

Redesign OSPF so that each internal core has its
own unique stub area.
An OSPF stub area dramatically reduces the size
of its LSA database by filtering out LSAs from
other external areas.
OSPF stub areas have been implemented for ResNet
and HIPAA.
LSA count for these networks has been reduced
from nearly 1200 to under 100.
IP route count for these networks has been
reduced from nearly 900 to under 100.

21
Additional Hardware Required

Even with all issues identified and resolved, it
was determined that a single pair of 5400's did
not have the resources to handle Emory's existing
traffic.
Juniper agreed to provide two additional pairs
of 5400's (800k list price) free of cost to
make up the difference.
The additional hardware gives us room to
implement our planned virtual firewalls with
resources left over to grow.

22
Academic Firewalls Migrated

A second firewall cluster was installed using
our lab gear pending replacement by Juniper in
order to expedite the project.
ResNet was moved from the original cluster to
the new cluster Mon 04/09 6AM - 7AM.
The Academic firewalls were successfully migrated
to the new cluster Wed 04/11 between 5AM 7AM.
The Academic firewalls are stable and are
performing as expected.

23
Logical Diagram
24
Remaining Steps

SecureAdmin/DMZSA prep including rulebase
conversion Mon April 30 Fri May 4
SecureAdmin/DMZSA go-live Mon May 7 (5AM
8AM)?
SecureAdmin/DMZSA OSPF stub area conversion TBD
Academic OSPF stub area conversion Wed May 16
(5AM - 7AM)?

25
Remaining Steps 2

SPH will be split up behind several of the new
core firewalls including Academic, SecureAdmin,
DMZSA, and HIPAA.
There will not be a SPH virtual firewall.
The timeline and details are still TBD.

26
Remaining Steps 3

Healthcare has several additional prerequisite
steps before their firewalls can be migrated.
Those steps include rulebase conversion, border
BGP project completion, OSPF padding, static
routing VPN's, Pool NAT for SecureRemote, and
OSPF stub area conversion.
The timeline for all of these items is still TBD.

27
(No Transcript)
28
Announcements Updates

Karen Jenkins

29
Remedy

First two training sessions well attended thank
you!
Additional general training overview 4/26 100pm
230pm NDB Enterprise Room 230
Application functioning as designed with
out-of-the box capabilities plus some
customizations
Please submit feature requests using the
application
Current top priority customizations
Inbound email (working with vendor)
Data migration (v5.6 custom fields need to be
imported)
Suppress notifications flag

30
Others