1 Virtualizing Your Network: Divide and Conquer
EDUCAUSE & Internet2 Security Professionals Conference, April 10-12, 2007
Copyright Robert E. Neale 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Agenda (www.ts.vcu.edu)
VCU's "State of the network 2005"
Why "virtualize" the network?
Implementation at VCU
–New network architecture and design
–Network security enhancements
–Implementation time frame
Summary

3 VCU Background Information
Virginia Commonwealth University
Located in Richmond, Va.
Two campuses
30,300 students – 4,500 in VCU housing
9,000 faculty/staff
http://www.vcu.edu

4 Network Environment at the End of 2005
Nine routers across both campuses
1,800 layer-two Cisco switches
Internet firewall with many holes
Router ACL security for subnets and servers
Rapid growth in network
–new buildings
–new connections
–wireless

6 Why “virtualize” the network?

7 Growing Complexity of Network
Over 140 buildings, 1,800+ switches
Need to segment users for better network security management
DHCP vs. static IP issues
Requirements for multiple VLANs across the network backbone infrastructure

8 Mandate for Better Security
New laws for protection of sensitive data
Threats are becoming more sophisticated
Resources stretched in attempting to address security problems
Need to improve management of the network to protect less secure systems

9 QoS & Future Requirements
QoS needed for Voice over IP project
QoS planned for video locations
Possible separate research VLANs
Business continuity – data replication
Internal network SLAs

10 Implementation at VCU: Outside Resources / Partnerships
Sycom
–Network engineering resources
–Architecture design with our staff
Cisco Systems
–Architectural review
–Proof of Concept Center

11 Design Goals
Translation to a private MPLS L3 VPN hierarchical design
–Existing technology preserved and integrated into new design
Allow for phased implementation
Shared services virtualization and network segmentation
Introduction of QoS into new design
Simplification of security model

12 Introduction: Terminology
[Diagram: MPLS-VPN backbone showing C, CE, Site IGP, access layer, PE, P, the PE-CE routing protocol and Virtual Routing and Forwarding (VRF) tables]
C – Customer router that sits at the customer site and peers only with other customer devices.
CE – Customer Edge device that sits at the access layer. The CE could be a layer 2 or layer 3 device.
Site IGP – Site Interior Gateway Protocol, the IGP run at the customer site.
PE – Provider Edge router. The Provider Edge router sits at the edge of the MPLS backbone.
P – Provider router that resides in the MPLS backbone.
PE-CE Link – The connection between the PE and CE.
PE-CE Routing Protocol – The dynamic routing protocol (EBGP, RIPv2, EIGRP, OSPF) or static routing (static, connected) run over the PE-CE link.
VRF – A Virtual Routing and Forwarding table that exists at the PE and is used to provide a separate routing table for different customers or customer business units.

13 High Level Backbone Logical Design

14 [Diagram: backbone topology across sites – Sanger, Cabell, Computer Center, School of Business, Main Hospital, West Hospital, McGuire, Siegel, Lafayette]

15 Network Management VRF

16 User Access to MPLS Network

17 Firewall Services Module (FWSM) Design
Traffic between VRFs, or from a VRF to the Internet, must go through the Firewall Services Module (FWSM) located in one of the PE routers.
Two FWSMs are installed in a PE where high availability is offered, in "active/standby" mode.
Each FWSM runs in multiple routed mode, with a Virtual Firewall (VFW) context for each VRF configured.
Each VFW has three VLAN interfaces.
PE routers with an FWSM originate the default route into each VRF, thereby attracting traffic that is destined outside the VRF.

18 [Diagram: one FW context per VRF – Network Mgmt, SECNet, RESNet, VoIP, SVRNet, DMZNet and TempVCU – each connecting through the Common Area to the Internet]

19 VPN Perimeter Services and the FWSM Design
All routing between the perimeter PE and VRF contexts is done using static routes.
No dynamic unicast or multicast routing is run on the FWSM.

20 QoS Design – High Level
A five-class model supported in the MPLS backbone
–Voice
–Business Critical data
–Video/UDP
–Best Effort data
–Scavenger data
Access switches classify/mark traffic
Edge routers perform the following QoS functions
–Classification/marking
–Microflow policing and remarking to Scavenger
–Copying IP DSCP into MPLS EXP
Core interfaces have congestion management enabled

21 Improve Management of Network Security Policies
Problems with management of ACLs
–Poor scalability
–Increased management requirements
–Increased troubleshooting complexity
Solution is replacement of ACLs in routers with FWSMs

22 [Diagram: Logical representation of ACL consolidation – per-switch interface ACLs replaced by a single firewall ACL; client traffic to other VRFs or the Internet passes through it]
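As an added illustration (not VCU's configuration), here is the per-VRF pattern that slides 17, 19 and 21 describe, in Cisco IOS/FWSM syntax: a RESNet VRF whose default route is originated by the FWSM-hosting PE, a firewall context for that VRF that uses only static routes, and a single context ACL that replaces the router ACLs. All names, VLAN numbers, addresses, AS/RD values, the FWSM slot and the sample rule are constructed; the exact FWSM keywords should be checked against the installed release's configuration guide.

```cisco
! PE router (IOS) that houses the FWSM: one VRF per user group.
ip vrf RESNet
 rd 65000:100
 route-target both 65000:100
!
! VLAN 100 is the RESNet context's inside leg; VLAN 900 is the shared
! outside leg in the global table (the "common area" toward the Internet).
interface Vlan100
 ip vrf forwarding RESNet
 ip address 10.100.0.1 255.255.255.252
interface Vlan900
 ip address 10.200.0.1 255.255.255.0
!
! Default route points into the firewall context; redistributing it into
! MP-BGP makes this PE the originator of 0/0 for RESNet on every PE, so
! traffic leaving the VRF is pulled to the FWSM (slide 17).
ip route vrf RESNet 0.0.0.0 0.0.0.0 10.100.0.2
router bgp 65000
 address-family ipv4 vrf RESNet
  redistribute static
  redistribute connected
! Return path: RESNet's aggregate (constructed) via the context's outside leg.
ip route 10.16.0.0 255.240.0.0 10.200.0.2
!
! Hand both VLANs to the FWSM in chassis slot 3 (slot number assumed).
firewall multiple-vlan-interfaces
firewall vlan-group 1 100,900
firewall module 3 vlan-group 1
!
! FWSM system context: one virtual firewall context per VRF.
context RESNet
 allocate-interface vlan100
 allocate-interface vlan900
 config-url disk:/RESNet.cfg
!
! Inside the RESNet context: static routes only, no dynamic routing (slide 19).
interface vlan100
 nameif inside
 security-level 100
 ip address 10.100.0.2 255.255.255.252
interface vlan900
 nameif outside
 security-level 0
 ip address 10.200.0.2 255.255.255.0
route inside 10.16.0.0 255.240.0.0 10.100.0.1
route outside 0.0.0.0 0.0.0.0 10.200.0.1
! The per-router ACLs for this group collapse into one context policy (slide 21);
! the deny line is a constructed sample rule toward another group's range.
access-list RESNet_in extended deny tcp any 10.32.0.0 255.240.0.0 eq 445
access-list RESNet_in extended permit ip any any
access-group RESNet_in in interface inside
```

With this in place, a host in RESNet reaching any prefix outside its VRF follows the 0/0 learned from the FWSM PE, is inspected by the RESNet context, and re-enters the global table or the destination VRF's context via the common outside VLAN.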

23 Existing ACL Implementation
Edge Router      Active ACLs   Line Count
Gallium          176           10,246
Poca             10            2,497
Cabell           22            284
Siegel           7             61
Lafayette        10            111
Business         33            334
Sanger           29            212
Main Hospital    13            161
West Hospital    17            150
McGuire          35            232
Total            352           14,288

24 New FWSM Implementation
Name         Active ACLs   Line Count
Email        4             4
MCVH         2             8
Network      5             106
RESNet       2             102
ServNet      4             16
TempVCU      3             25
VCUSecure    3             10
Voice        5             100
Wireless     4             41
Total        32            412

25 RESNet Example
Total lines of RESNet ACL prior to consolidation: 2,146
Total lines of RESNet ACL post-consolidation: 248
Percent of original line count: 11.6%
Line reduction ratio: 8.65 times
* Note that this data was extremely viable for consolidation due to the commonalities that could be extracted from all ACLs. This data should be viewed as a better-case scenario.

26 Enhanced Network Security
Groups of users:
–Sensitive data PC network separate from PC labs and public PC connections.
–Different policies applied according to groups of PC users.
Groups of services:
–IP phone services
–Video conferencing
–Wireless
VLANs implemented at the switch port

27 Other Network Security Enhancements
Cisco Clean Access
–RESNet, SECNet, Public Access, Wireless
Implementation of IPS for ServerNet
Cisco VPN remote access to internal VCU server resources only
Implementing Cisco MARS
–Monitoring, Analysis, and Response System
Split DNS implementation

28 Timeframe
12/05  Initial partnership, planning, purchases
2/06   Design reviewed by Cisco Adv Svrc
3/06   Cisco CPOC in Raleigh, NC
5/06   Core & distribution switches in MPLS
5/06   Started VoIP data remediation
7/06   Basic VRFs created
9/06   RESNet VRF – router ACL to FWSM
4/07   ServerNet and DMZNet migration started
9/07   Planned completion of ACL to FWSM
11/07  Planned completion of VoIP project

29 Summary
Virtualization of your network can:
–Provide flexibility
–Reduce network complexity
–Improve network management
–Enhance network security
Lessons learned:
–Virtualize the network before VoIP
–Assess your organization's ability to change
–Outside resources are critical to success

30 Questions?
