IWG Meeting Presentation 04 02 2015 FINAL

Division of Information Technology
IT Infrastructure Working Group (IWG) Meeting
April 2, 2015
Computer & Space Sciences Building, Room 4402
Action Item 1: Quality of the Wireless Network
Wireless Coverage Map
UMD Network
Scope and Scale
• 5 Wireless SSIDs
  • UMD, UMD-Secure, Eduroam, UMD-Util1 and UMD-Dev
• 2 Cisco 6500 Switches in NCT Network Hubs
  • css-wireless-r1
  • ptx-wireless-r1
• 5,500+ Wireless Access Points
  • Cisco 3600 for 802.11n
  • Cisco 3700 for 802.11ac
  • Cisco 1520 for Outdoors
• 22 Cisco 5500 Wireless Controllers
  • 11 in CSS
  • 11 in PTX
• HP TippingPoint IPS protects the Wired Network from the Wireless Network
• Utilizes Cisco ASA Service Modules to provide NAT
Wireless SSIDs
UMD Network
• Unencrypted (open) network
• Authentication through a web browser (captive portal)
• Intended for users/devices that have not or cannot set up WPA/WPA2 on their device
UMD-Secure Network
• Encrypted using WPA/WPA2
• 802.1X authentication
• Preferred wireless network for students, faculty and staff
Eduroam Network
• Encrypted using WPA/WPA2
• 802.1X authentication
• Preferred wireless network for visiting students, faculty and staff
UMD-Util1 Network
• PSK authentication for devices that cannot support a web browser or 802.1X
• Replacing UMD-Dev
UMD-Dev Network
• To be decommissioned and replaced with UMD-Util1
Wireless Controllers
22 Cisco 5500 Wireless Controllers
• Wireless APs register to the controllers
• APs are manually balanced among controllers based upon load and AP location
• Each controller connects to a wireless router with four 1 Gb/s links (4 Gb/s aggregate)
• The wireless routers are connected to the network core by dual 10 Gb/s links (Active/Standby)
• APs fail over to another controller when a controller fails
• Currently, there is only enough capacity to handle 2 of the 11 controllers failing per side
Wireless System Design
Current Design
• Wireless Network is available in all buildings on campus
  • Planned for coverage in all spaces
  • In the process of being expanded to outdoor areas
    • Complete during Summer 2015
Current Challenges
• Number of devices has increased
  • Average of 3 to 5 devices per user
• Device bandwidth needs have increased
  • 802.11ac
  • Voice, video, and streaming require more bandwidth
• “Consumerization” of IT
  • Users are bringing devices that are not meant for the enterprise
    • Apple TVs, Wireless TVs, Wireless Projectors, etc.
• Interference from other broadcasting networks/devices
  • Personal APs, Wireless Printers, etc.
  • 2,000+ “other” networks seen on campus
• Large number of end user device types
• Security
South Campus Commons Building 1 – RF Report
Floor 1 - Signal Power, IEEE 802.11n (2.4 GHz), Contour Simulation (contours drawn at -80.0, -65.0 and -50.0 dBm)
South Campus Commons Building 1 – RF Report
Floor 1 - Signal Power, IEEE 802.11n (5 GHz), Contour Simulation (contours drawn at -80.0, -65.0 and -50.0 dBm)
Heat Map of Tydings Hall (Ground Floor)
Heat Map Calculations
• To ensure that the map accurately represents the signal power of the access points, several aspects of the building must be factored into the map calculations, including:
  • The building’s floorplan
  • Attenuation values for the walls, floors, ceilings, etc.
    • For example: drywall is 3 dB and concrete is 15 dB (or, drywall attenuates 12 dB less than concrete).
• Once each floor is completed, all floors are combined into one drawing.
• The coverage is simulated on each floor from side to side, as well as from the floor above and the floor below.
• Maps are created for both frequencies, 2.4 GHz and 5 GHz.
  • The 5 GHz band is used to determine the placement of access points; it is the band with the higher path loss, so AP spacing that covers 5 GHz also covers 2.4 GHz.
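The wall figures above can be turned into a rough coverage estimate. The following is an added example, not part of the presentation or any DIT planning tool: it applies the log-distance path-loss model using the slide's drywall (3 dB) and concrete (15 dB) attenuation values and the RF report's -50/-65/-80 dBm contours, and shows why the 5 GHz map ends up driving AP placement. The AP EIRP of 20 dBm, the indoor path-loss exponent n = 3, and the channel centre frequencies are assumptions, not numbers from the slide.

```python
import math

# Wall/floor attenuation values quoted on the slide (dB per crossing).
WALL_LOSS_DB = {"drywall": 3.0, "concrete": 15.0}

# Signal-power contours used in the RF report, strongest first (dBm).
CONTOURS = [(-50.0, "strong"), (-65.0, "good"), (-80.0, "marginal")]

# Assumed centre frequencies for the two bands mapped (MHz): 2.4 GHz channel 6
# and 5 GHz channel 36. Any 802.11 channel in each band behaves similarly.
BANDS = {"2.4 GHz": 2437.0, "5 GHz": 5180.0}


def free_space_path_loss_db(distance_m, freq_mhz):
    """Friis free-space path loss for a distance in metres and a frequency in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(eirp_dbm, distance_m, freq_mhz, walls=(),
                       path_loss_exponent=3.0, d0_m=1.0):
    """Log-distance path-loss model: free-space loss out to the reference
    distance d0, 10*n*log10(d/d0) beyond it, plus the attenuation of every
    wall or floor crossed. eirp_dbm and path_loss_exponent are assumptions;
    n = 3 is a common indoor figure for an office floor with partitions."""
    distance_m = max(distance_m, d0_m)
    loss = free_space_path_loss_db(d0_m, freq_mhz)
    loss += 10 * path_loss_exponent * math.log10(distance_m / d0_m)
    loss += sum(WALL_LOSS_DB[w] for w in walls)
    return eirp_dbm - loss


def contour(rssi_dbm):
    """Map a received power to the contour band the RF report draws."""
    for threshold, label in CONTOURS:
        if rssi_dbm >= threshold:
            return label
    return "no coverage"


def max_range_m(eirp_dbm, freq_mhz, walls=(), threshold_dbm=-65.0,
                path_loss_exponent=3.0, d0_m=1.0):
    """Distance at which received power falls to threshold_dbm (model inverted)."""
    budget = (eirp_dbm - free_space_path_loss_db(d0_m, freq_mhz)
              - sum(WALL_LOSS_DB[w] for w in walls) - threshold_dbm)
    return d0_m * 10 ** (budget / (10 * path_loss_exponent))


def compare_bands(eirp_dbm, distance_m, walls=()):
    """Received power (dBm, rounded) and contour at the same point on both maps."""
    result = {}
    for band, freq in BANDS.items():
        rssi = received_power_dbm(eirp_dbm, distance_m, freq, walls)
        result[band] = (round(rssi, 1), contour(rssi))
    return result


if __name__ == "__main__":
    EIRP = 20.0  # assumed AP EIRP in dBm
    for walls in ((), ("drywall",), ("concrete",)):
        label = " + ".join(walls) if walls else "no walls"
        print(f"20 m, {label}: {compare_bands(EIRP, 20.0, walls)}")
    for band, freq in BANDS.items():
        print(f"{band}: -65 dBm reached at {max_range_m(EIRP, freq):.1f} m (no walls)")
```

At the same point 20 m from the AP the 2.4 GHz map lands in the "good" contour while the 5 GHz map is already "marginal", and one concrete wall pushes 5 GHz below -80 dBm; the distance at which 5 GHz reaches -65 dBm is about 60% of the 2.4 GHz distance, which is why the 5 GHz simulation sets the AP spacing.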
Quantifying Wireless Network Service
Difficult to quantify the quality of the service
• 44,000+ associated devices
• 41,000+ authenticated devices
• Cannot distinguish between a device that drops and a device that leaves the network
• Not all issues are reported to the NOC
• Interference from “other” networks can cause device issues
• Multitude of devices and configuration options for each
  • Rely on end users to configure their own devices properly
Troubleshooting Tools and Reporting
• Monitor network for large-scale issues
• Monitor incidents as they are reported
• Review Top 50 weekly reports
  • Top 50 APs by Client Count
  • Top 50 Busiest APs by Rx/Tx Utilization
Top 50 AP by Client Count (report excerpt; one row survives)
AP name: 255-0d-ap1314; MAC: 00:26:cb:d1:d2:b0; IP: 10.96.130.249; Map location: UMD > 255 (School of Public Health) > Floor 1; Controller: css-wireless-c5; remaining numeric columns (0, 6, 232, 6.12, 0, 227) without recoverable headers
Top 50 Busiest AP by Rx/Tx Utilization
Wireless Client Count by Authentication (data for 4 weeks): 41,000 clients authenticated
Wireless Client Count by Association (data for 4 weeks): 45,000 clients associated
Wireless Client Traffic (data for 1 week): 4 Gbps
Wireless 2.0 Design
Currently designing Wireless 2.0 Network Service
• Plan and install for density/capacity where users congregate
  • Libraries
  • Classrooms
  • Dining Halls
• Greater redundancies
  • Add Cisco 8510 Wireless LAN Controllers to allow for complete site and geographic redundancy
• Better hardware and software tools for troubleshooting issues
• Increase uplinks to APs for future 802.11ac bandwidth needs
• Provide customized wireless services
  • Departmental firewalled wireless networks
  • Special visitor networks
• Onboarding system to simplify device configuration
• Enhance Guest Network
• Enforce certificate-based authentication to prevent man-in-the-middle attacks: supplicants must validate the RADIUS server’s certificate (trusted CA and expected server name) before presenting 802.1X credentials, so a rogue AP broadcasting the same SSID cannot harvest them
Action Item 2: Overview of Cellular Coverage on Campus
Cellular Vendors on Campus
• AT&T
• Sprint
• Verizon
• T-Mobile
  • Plant Sciences (has inquired about installing a macro site)
Sites with carrier macro cells or distributed antenna systems (DAS) listed on the slide: Tyser Tower (macro), Infinity Center (DAS), Cole Field House (macro), Plant Sciences (macro), Van Munching Hall (DAS), Byrd Stadium (DAS)
Locations of Cell Towers and Distributed Antenna Systems
Action Item 3: Overview of Cable TV
CATV Distribution
Campus CATV Headend in Hornbake
Campus CATV Lineup
• 97 digital channels
• 5 analog (legacy equipment)
Campus CATV continued…
• Cable is on its own separate system, using fiber distributed to the building and coaxial cable within the building
• It is unknown how much the classrooms use cable TV
  • Cable is primarily used by the Student Union and Campus Rec (mostly in gathering places)
  • Most likely, cable is used very little in the classrooms
• Currently, cable to classrooms and cable to the residence halls are two separate services: commercial and residential
  • However, it may be possible to negotiate them together
• Currently, there are no plans to move forward with IPTV due to the associated costs (which make the service unaffordable)
IT Infrastructure and Research Working Groups - Joint Meeting
April 2, 2015
Computer & Space Sciences Building, Room 4402
Action Item 5: Cloud Services
Why Edublogs?
• Edublogs is a managed WordPress for education
• A SecurityWeek report refers to WordPress as the “…Most Attacked CMS…”
  • http://www.securityweek.com/wordpress-most-attacked-cms-report
• By having Edublogs manage the environment and the risk for this offering, DIT ensures a secure and stable educational blogging service
Edublogs Features
• Edublogs is integrated with the UMD Shibboleth federated identity system
• One price ($40,000/yr) and unlimited blogs
• Unlimited traffic and storage for all blogs
• Mobile-friendly deployment
• Over 300 themes and 50 plugins built in
• Built-in privacy controls and integrated Google Analytics visitor stats
• 24/7/365 support
How Edublogs
• http://blog.umd.edu/request-a-blog/
• End user management and training by DIT Learning Technologies
• Infrastructure management by DIT Middleware
Drupal as a Service by Acquia
• Acquia is a managed service built on the Drupal CMS
• It is a fully managed, high-performance, Drupal-tuned platform stack
• It has an automated development workflow with site health and monitoring tools
• A highly available, scalable, and secure infrastructure
• 24x7 monitoring backed by people who do Drupal support as a primary function
• When security vulnerabilities are found, Acquia is among the first to patch
How is it provisioned?
• UMD has a multi-site installation of Drupal on our Acquia servers
• A site will be hosted with us in the DEV, STAGE, and PRODUCTION (live) environments
• Requests come into WebHosting in the form of tickets
  • webhostingadmin@umd.edu
• User documentation is provided by DIT and Acquia, with on-site coordination by WebHosting
• The service costs DIT approximately $40,000.00/yr
• A shared responsibility model is employed: Acquia and IT manage the core components, and site owners manage their individual components
WebHosting at AWS
• Following last year’s security breach of the Maryland IT webhosting environment, several steps were taken to provide greater isolation between our customers
• The data was moved from on campus to AWS in the course of a week
• All code was modified to be functional in the cloud
• Further protection was added as DIT moved to a more virtual data center environment
• No new systems are to be deployed until security concerns are met (The Rock)
Enterprise UMD AWS environment
Enterprise cyberinfrastructure environment in the AWS cloud for UMD.
• This architecture will include the following building blocks: middleware, platforms, databases, security, compute, storage, and networking.
• The environment will be architected as UMD’s production IT infrastructure solution, which will include Personally Identifiable Information (PII) data and compliance with all applicable regulations (such as FERPA and HIPAA).
• It will be designed around resilience, scalability, accountability, policy, and procedures, and will speak to appropriate separation of duties within the IT infrastructure framework.
• An AWS architecture team has been assembled. This team is charged with designing the “blueprint” – UMD’s enterprise cyberinfrastructure environment in the AWS cloud.
UMD Network
DIT Data Center Network
• PDC and SDC have identical network equipment
  • Dual Cisco Nexus 7000
    • pdc-r1 and pdc-r2
    • sdc-r1 and sdc-r2
  • Cisco Nexus 5000 for 10G server connections
  • Cisco Nexus 2000 for 1G server connections
  • Protected by Cisco ASA firewall appliances
    • PDC has 2 ASA 5585-X
    • SDC has 1 ASA 5545-X and 1 ASA 5525-X
  • Dual HP TippingPoint IPS inspect all traffic in/out of the data centers
  • Dual F5 Viprion 2400 load balancers distribute traffic and applications among servers
Data Center OTV
Overlay Transport Virtualization
• Allows us to extend Layer 2 between geographically separated data centers
Diagram: UMD campus data center connected to AWS via AWS Direct Connect and VPN connections over the Internet
Building Blocks
• Compute Platforms
• Storage
• Virtualization
• Networking
• Databases
• Security
• Identity and Access
• Monitoring
Campus network security features compared to AWS native (as of April 2015)
Security Feature              Campus                     Native at AWS            Works like on-prem
Firewall Rules Management     Tufin                      Security Groups          No
Advanced Threat Protection    TippingPoint / Palo Alto   None                     No
Intrusion Protection          TippingPoint / Palo Alto   None                     No
Load Balancing                F5                         Elastic Load Balancing   No
Web Application Firewall      None                       None                     No
Logging                       Splunk                     CloudWatch               No
Security groups are stateful and allow-only (no deny rules); explicit denies require stateless network ACLs, which is one reason the on-prem firewall rule workflow does not carry over directly.
An architecture (diagram with a vertical Security layer spanning the stack)
Science DMZ
UMD Network
Proposed Science DMZ
External connectivity shown on the Science DMZ diagram:
• Commodity Internet (Allied)
• Internet2 (MAX)
• Commodity Internet (Cogent)
• MDREN