Division of Information Technology
IT Infrastructure Working Group (IWG) Meeting
April 2, 2015
Computer & Space Sciences Building, Room 4402

Action Item 1: Quality of the Wireless Network

Wireless Coverage Map

UMD Network

Scope and Scale
• 5 Wireless SSIDs
  • UMD, UMD-Secure, Eduroam, UMD-Util1 and UMD-Dev
• 2 Cisco 6500 Switches in NCT Network Hubs
  • css-wireless-r1
  • ptx-wireless-r1
• 5,500+ Wireless Access Points
  • Cisco 3600 for 802.11n
  • Cisco 3700 for 802.11ac
  • Cisco 1520 for Outdoors
• 22 Cisco 5500 Wireless Controllers
  • 11 in CSS
  • 11 in PTX
• HP Tipping Point IPS protects the Wired Network from the Wireless Network
• Utilizes Cisco ASA Service Modules to provide NAT

Wireless SSIDs
• UMD Network
  • Unencrypted network
  • Authentication through web browser
  • Intended for users/devices who have not or can not set up WPA/WPA2 on their device
• UMD-Secure Network
  • Encrypted using WPA/WPA2
  • 802.1x Authentication
  • Preferred wireless network for students, faculty and staff
• Eduroam Network
  • Encrypted using WPA/WPA2
  • 802.1x Authentication
  • Preferred wireless network for visiting students, faculty and staff
• UMD-Util1 Network
  • PSK authentication for devices that can not support web browser or 802.1x
  • Replacing UMD-Dev
• UMD-Dev Network
  • To be decommissioned and replaced with UMD-Util1

Wireless Controllers
22 Cisco 5500 Wireless Controllers
• Wireless APs register to the controllers
• APs are balanced manually among controllers based upon loads and AP locations
• Each controller connects to a Wireless Router with four 1GB connections (4GB)
• Wireless Routers are connected to the Network Core by dual 10GB connections (Active/Standby)
• APs fail over to another controller when a controller fails
• Currently, only enough capacity to handle 2 of 11 controllers failing per side
Wireless System Design
Current Design
• Wireless Network is available in all buildings on campus
• Planned for coverage in all spaces
• In the process of being expanded to outdoor areas
  • Complete during Summer 2015
Current Challenges
• Number of devices has increased
  • Average of 3 to 5 devices per user
• Device bandwidth needs have increased
  • 802.11ac
  • Voice, video, and streaming require more bandwidth
• “Consumerization” of IT
  • Users are bringing devices that are not meant for the enterprise
  • Apple TVs, Wireless TVs, Wireless Projector, etc.
• Interference from other broadcasting networks/devices
  • Personal APs, Wireless Printers, etc.
  • 2,000+ “other” networks seen on campus
• Large number of end user device types
• Security

South Campus Commons Building 1 – RF Report
Floor 1 - Signal Power, IEEE 802.11n (2.4GHz), Contour Simulation (legend: signal power -80.0 dBm, -65.0 dBm, -50.0 dBm)

South Campus Commons Building 1 – RF Report
Floor 1 - Signal Power, IEEE 802.11n (5GHz), Contour Simulation (legend: signal power -80.0 dBm, -65.0 dBm, -50.0 dBm)

Heat Map of Tydings Hall (Ground Floor)

Heat Map Calculations
• To ensure that the map accurately represents the signal power of the access points, several aspects of the building must be factored into the map calculations, including:
  • The building’s floorplan
  • Values for the walls, floors, ceilings, etc. For example: drywall is 3 decibels and concrete is 15 decibels (…or drywall is 12 decibels less than concrete).
• Once each floor is completed, all floors are combined into one drawing.
• The coverage is simulated on each floor from side-to-side, as well as from the floor above and the floor below.
• Maps are created for both frequencies, 2.4 GHz and 5 GHz
  • The 5 GHz band is used to determine the placement of access points.
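The heat map slide gives the two inputs a planning tool works from: a per-material attenuation (3 dB for drywall, 15 dB for concrete) and the contour thresholds in the RF report legend (-50, -65 and -80 dBm). The following is an added example, not the planning tool used by DIT nor code from the slides: it predicts the signal level at a client location from a free-space path loss term plus the wall values on the slide, maps the result onto the legend bands, and runs both bands so that the 5 GHz result decides placement, as the last bullet says. The transmit power (17 dBm), the channel centre frequencies (2437 MHz for 2.4 GHz channel 6, 5180 MHz for 5 GHz channel 36), the band labels and the sample locations are assumptions of this example.

```python
import math

# Per-material attenuation in dB, taken from the slide: drywall 3 dB, concrete 15 dB.
WALL_LOSS_DB = {"drywall": 3.0, "concrete": 15.0}

# Channel centre frequencies (MHz) used to evaluate each band; assumed for this example.
BANDS_MHZ = {"2.4 GHz": 2437.0, "5 GHz": 5180.0}

# Contour thresholds from the RF report legend (dBm). The band labels are mine.
STRONG_DBM, GOOD_DBM, EDGE_DBM = -50.0, -65.0, -80.0


def free_space_path_loss_db(distance_m, freq_mhz):
    """Friis free-space path loss in dB for a distance in metres and frequency in MHz."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(tx_power_dbm, distance_m, freq_mhz, walls=()):
    """Predicted level at the client: transmit power minus path loss minus each wall crossed."""
    loss = free_space_path_loss_db(distance_m, freq_mhz)
    for material in walls:
        if material not in WALL_LOSS_DB:
            # A wall without a calibrated value would silently bias the map; refuse it.
            raise ValueError(f"no attenuation value for {material!r}")
        loss += WALL_LOSS_DB[material]
    return tx_power_dbm - loss


def contour(rssi_dbm):
    """Map a predicted level onto the legend bands (-50 / -65 / -80 dBm)."""
    if rssi_dbm >= STRONG_DBM:
        return "strong"
    if rssi_dbm >= GOOD_DBM:
        return "good"
    if rssi_dbm >= EDGE_DBM:
        return "weak"
    return "no coverage"


def simulate_point(tx_power_dbm, distance_m, walls=()):
    """Evaluate one client location on both bands.

    placement_ok follows the slide's rule that the 5 GHz band decides AP placement:
    the location counts as covered only if 5 GHz reaches at least the -65 dBm contour.
    """
    result = {}
    for band, freq_mhz in BANDS_MHZ.items():
        level = received_power_dbm(tx_power_dbm, distance_m, freq_mhz, walls)
        result[band] = (round(level, 1), contour(level))
    result["placement_ok"] = result["5 GHz"][1] in ("strong", "good")
    return result


if __name__ == "__main__":
    # Constructed sample: an AP at 17 dBm, a client 10 m away behind one drywall and one
    # concrete wall. 2.4 GHz lands in the "good" band while 5 GHz drops below -65 dBm,
    # which is why the 5 GHz map is the one used for placement.
    for walls in (("drywall",), ("drywall", "concrete")):
        print(walls, simulate_point(17.0, 10.0, walls))
```

The same location can look covered on the 2.4 GHz map and uncovered on the 5 GHz map because path loss grows with frequency while the wall values stay the same; a planner that only checks 2.4 GHz would under-provision access points for 802.11ac clients.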
Quantifying Wireless Network Service
Difficult to quantify the quality of the service
• 44,000+ associated devices
• 41,000+ authenticated devices
• Can not distinguish between a device drop and a device that leaves the network
• Not all issues are reported to the NOC
• Interference from “other” networks can cause device issues
• Multitude of devices and configuration options for each
  • Rely on end user to configure their own device properly
Troubleshooting Tools and Reporting
• Monitor network for large scale issues
• Monitor incidents as they are reported
• Review Top 50 weekly reports
  • Top 50 AP by Client Count
  • Top 50 Busiest AP by Rx/Tx Utilization

Top 50 AP by Client Count
255-0d-ap1314 | 00:26:cb:d1:d2:b0 | 10.96.130.249 | UMD > 255 (School of Public Health) > Floor 1 | css-wireless-c5 | 0 | 6 | 232 | 6.12 | 0 | 227

Top 50 Busiest AP by Rx/Tx Utilization

Wireless Client Count by Authentication (data for 4 weeks): 41,000 Clients Authenticated
Wireless Client Count by Association (data for 4 weeks): 45,000 Clients Associated
Wireless Client Traffic (data for 1 week): 4 Gbps

Wireless 2.0 Design
Currently designing Wireless 2.0 Network Service
• Plan and install for density/capacity where users congregate
  • Libraries
  • Classrooms
  • Dining Halls
• Greater redundancies
  • Add Cisco 8510 WLC to allow for complete site and geographic redundancy
• Better hardware and software tools for troubleshooting issues
• Increase uplinks to APs for future 802.11ac bandwidth needs
• Provide customized wireless services
  • Departmental Firewalled Wireless networks
  • Special visitor networks
• Onboarding system to simplify device configuration
• Enhance Guest Network
• Enforce certificate based authentication to prevent man-in-the-middle attacks

Action Item 2: Overview of Cellular Coverage on Campus
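The last Wireless 2.0 bullet above (enforce certificate based authentication to prevent man-in-the-middle attacks) is what the onboarding system has to get right on the client side: with 802.1X methods such as PEAP, the supplicant must validate the RADIUS server's certificate, because a profile that skips that check will complete the EAP exchange with whatever server answers for the SSID. The following is an added example, not code from the slides or from DIT's onboarding system: it parses a wpa_supplicant-style network block and reports whether the profile pins the server CA and the server name. The two profiles are constructed sample input; the option names (key_mgmt, eap, ca_cert, domain_suffix_match, subject_match, altsubject_match) are real wpa_supplicant options, while the certificate path, the RADIUS hostname and the credentials are placeholders.

```python
import re

# Constructed profile as a user might write it by hand: credentials are sent over PEAP,
# but nothing constrains which server certificate the supplicant will accept.
WEAK_PROFILE = """
network={
    ssid="UMD-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@umd.edu"
    password="changeme"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed profile as an onboarding tool should emit it: the issuing CA is pinned and
# the server certificate's name must end in the expected domain (placeholder values).
HARDENED_PROFILE = """
network={
    ssid="UMD-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@umd.edu"
    password="changeme"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/placeholder-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""

_NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def parse_network_block(text):
    """Return the key/value pairs of the first network={...} block as a dict.

    Values are unquoted; a value such as phase2="auth=MSCHAPV2" keeps its inner '='
    because only the first '=' on a line separates key from value.
    """
    match = _NETWORK_BLOCK.search(text)
    if not match:
        raise ValueError("no network={...} block found")
    settings = {}
    for line in match.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_server_validation(settings):
    """List the reasons a profile would accept an impostor RADIUS server (empty = none)."""
    findings = []
    if "WPA-EAP" not in settings.get("key_mgmt", ""):
        return ["not an 802.1X (WPA-EAP) profile; server validation does not apply"]
    if not settings.get("ca_cert"):
        findings.append("ca_cert missing: any server certificate chain is accepted")
    name_checks = ("domain_suffix_match", "subject_match", "altsubject_match")
    if not any(settings.get(key) for key in name_checks):
        findings.append("no server name match: any certificate issued by the CA is accepted")
    return findings


def profile_is_mitm_resistant(text):
    """True when the profile pins both the CA and the server name."""
    return not audit_server_validation(parse_network_block(text))


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_server_validation(parse_network_block(profile)) or "ok")
```

Pinning the CA alone is not enough: a certificate for an unrelated host issued by the same public CA would still be accepted, which is why the audit requires a name match as well. An onboarding tool that writes both settings removes the "rely on end user to configure their own device properly" problem noted on the earlier slide for this particular setting.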
Cellular Vendors on Campus
• AT&T
• SPRINT
• VERIZON
• T-MOBILE
  • PLANT SCIENCES (HAS INQUIRED ABOUT INSTALLING MACRO)
Sites listed on the slide, in the order captured: TYSER TOWER (MACRO), INFINITY CENTER (DAS), COLE FIELD HOUSE (MACRO), PLANT SCIENCES (MACRO), VANMUNCHING HALL (DAS), BYRD STADIUM (DAS), INFINITY CENTER (DAS), PLANT SCIENCES (MACRO), VANMUNCHING HALL (DAS)

Locations of Cell Towers and Distributed Antenna Systems

Action Item 3: Overview of Cable TV

CATV Distribution

Campus CATV Headend in Hornbake

Campus CATV Lineup
• 97 digital channels
• 5 analog (legacy equipment)

Campus CATV continued…
• Cable is on its own separate system using fiber distributed to the building and coax fiber in the building
• It is unknown how much the classrooms use cable TV
  • Most likely, cable is used very little in the classrooms
• Currently cable to classrooms and cable to the residence halls are two separate services: commercial and residential
  • However, it may be possible to negotiate them together
• Cable is primarily used by the Student Union and Campus Rec (mostly used in gathering places)
• Currently, there are no plans to move forward with IPTV due to the associated costs (which make the service unaffordable)

IT Infrastructure and Research Working Groups - Joint Meeting
April 2, 2015
Computer & Space Sciences Building, Room 4402

Action Item 5: Cloud Services

Why Edublogs?
• Edublogs is a managed WordPress for education
• Security Week publication refers to WordPress as the “…Most Attacked CMS…”
  • http://www.securityweek.com/wordpress-most-attacked-cms-report
• Having Edublogs manage the environment and the risk for this offering, we ensure a secure and stable educational service for blogs

Edublog Features
• Edublogs is integrated in the UMD Shibboleth Federated Identity system.
• One price ($40,000/Yr) and unlimited blogs
• Unlimited traffic and storage for all blogs
• Mobile-friendly deployment
• Over 300 themes and 50 plugins built in
• Built-in privacy control and integrated Google Analytics visitor stats
• 24/7/365 support

How Edublogs
• http://blog.umd.edu/request-a-blog/
• End user management and training by DIT Learning Technologies
• Infrastructure management by DIT Middleware

Drupal as a Service by Acquia
• Acquia is a managed service using the Drupal CMS system
• It is a fully-managed, high-performance Drupal-tuned platform stack
• It has an automated development workflow with site health and monitoring tools
• A highly available, scalable, and secure infrastructure
• 24x7 monitoring backed by people that do Drupal Support as a primary function
• When security vulnerabilities are found, Acquia is one of the first to patch

How is it provisioned?
• UMD has a multi-site installation of Drupal on our Acquia servers.
• A site will be hosted with us in the DEV, STAGE, and PRODUCTION (live) environments.
• Requests come into webhosting in the form of tickets: webhostingadmin@umd.edu
• User documentation is provided by DIT and Acquia with on site coordination by WebHosting
• The service costs DIT approximately $40,000.00 / Yr.
• A shared responsibility model is employed where Acquia and IT manage the core components with site owners managing their individual components

WebHosting at AWS
• Following last year’s security breach of the Maryland IT webhosting environment, several steps were taken to provide greater isolation between our customers
• The data was moved from on campus to AWS in the course of a week
• All code was modified to be functional in the cloud
• Further protection was added as DIT moved to a more virtual data center environment
• No new systems are to be deployed until security concerns are met (The Rock)

Enterprise UMD AWS environment
Enterprise cyberinfrastructure environment in the AWS cloud for UMD.
• This architecture will include the following building blocks: middleware, platforms, databases, security, compute, storage, and networking.
• The environment will be architected as UMD’s production IT infrastructure solution, which will include Personally Identifiable Information (PII) data and compliance with all applicable regulations (such as FERPA and HIPAA).
• It will be designed around resilience, scalability, accountability, policy, procedures, and will speak to appropriate separation of duties within the IT infrastructure framework.
• An AWS architecture team has been assembled. This team is charged with designing the “blueprint” – UMD’s enterprise cyberinfrastructure environment in the AWS cloud.
UMD Network

DIT Data Center Network
• PDC and SDC have identical network equipment
  • Dual Cisco Nexus 7000
    • pdc-r1 and pdc-r2
    • sdc-r1 and sdc-r2
  • Cisco Nexus 5000 for 10G Server Connections
  • Cisco Nexus 2000 for 1G Server Connections
  • Protected by Cisco ASA Firewall Appliances
    • PDC has 2 ASA 5585x
    • SDC has 1 ASA 5545x and 1 ASA 5525x
• Dual HP Tipping Point IPS inspect all traffic in/out of Data Centers
• Dual F5 Viprion 2400 Load Balancers to distribute traffic and applications among servers

Data Center OTV
Overlay Transport Virtualization
• Allows us to extend Layer 2 between geographically separated data centers

UMD Campus to AWS (diagram labels: VPN connection, AWS Direct Connect, Internet VPN connection, campus data center)

Building Blocks
Compute, Platforms, Storage, Virtualization, Networking, Databases, Security, Identity and Access, Monitoring

Campus network security features compared to AWS native

Security Feature           | Campus                 | What is native at AWS  | Works like on-prem
Firewall Rules Management  | Tufin                  | Security Groups        | No
Advanced Threat Protection | Tipping Pt / Palo Alto | None                   | No
Intrusion Protection       | Tipping Pt / Palo Alto | None                   | No
Load Balancing             | F5                     | Elastic Load Balancing | No
Web Application Firewall   | None                   | None                   | No
Logging                    | Splunk                 | Cloudwatch             | No

An architecture (diagram; a Security band spans all layers)

Science DMZ

UMD Network

Proposed Science DMZ (diagram; external connections: Commodity Internet (Allied), Internet 2 (MAX), Commodity Internet (Cogent), MDREN)