Information Technology IT Briefing April 2007 Information Technology IT Briefing March 15, 2007 Gartner Demonstration Computer Ordering & Emory Express Demo Blackboard Upgrade Firewall Migration Update Announcements/Updates John Kazmin Loette King & David Thurston Julia Leon Jimmy Kincaid Jay Flanagan 1 Information Technology Gartner John Kazmin John.kazmin@gartner.com Tel: 239-995-2077 Information Technology www.gartner.com access page http://it.emory.edu/showdoc.cfm?docid=2465 Questions or issues email: gartner@listserv.emory.edu 3 Information Technology Computer Ordering & Emory Express Loette King David Thurston Information Technology Blackboard Upgrade Julia Leon Information Technology What’s New • • • • • Discussion Board revamped Improvements to Tests and Gradebook Visual Textbox Editor in more places …more features… More robust technical architecture 6 Information Technology Architecture-Now 7 Information Technology Architecture-Upgraded 8 Information Technology Schedule 9 Information Technology Firewall Migration Update Jimmy Kincaid Information Technology Presentation Structure Brief Project Overview Diagram of Legacy Firewalls Diagram of New Firewalls Implementation Issues and Fixes Logical Diagram of Modified Design Remaining Steps and Timeline 11 Information Technology Brief Project Overview Emory needed a new firewall solution. A cross-organizational evaluation team was put together consisting of AAIT Security, IS Security, and Network Communications. Candidates were Cisco/FWSM, Checkpoint/Crossbeam, and Juniper/Netscreen. After extensive testing and evaluation, the Juniper Netscreen 5400 was chosen as Emory's new firewall platform. 12 Information Technology Legacy Checkpoint Firewalls Multiple single points of failure No site redundancy Software (CPU) based External third-party load balancers Physical hardware per-firewall 13 Information Technology New Juniper Firewalls Site redundancy Stateful HA via NSRP and OSPF Hardware (ASIC) based Virtual firewalls No external loadbalancers 14 Information Technology Implementation Attempts ResNet was migrated without issue. Several attempts to migrate the Academic firewalls were unsuccessful due to high CPU utilization and instability. We worked very closely with Juniper and determined the root causes of the issues. 15 Information Technology Implementation Issues TCP sessions were not removed from the firewall's session table when the sessions were finished All RTSP (Real Time Streaming Protocol) packets hit the firewall CPU OSPF (Open Shortest Path First) LSA (Link State Advertisement) database limitation of < 2048 16 Information Technology TCP Session Issue Fix The TCP session issue was identified as a software bug and was fixed in software release 5.4.0.r3. A software bug that prevented us from loading 5.4.0.r3 was fixed in release 5.4.0.dm2. The 5.4.0.dm2 software was loaded, and the TCP session issue was corrected. ResNet showed immediate improvement (> 50% session table reduction). 17 Information Technology RTSP Issue Fix The RTSP issue only occurs when the streaming media traffic uses the same session (TCP/554) as the control traffic instead of a secondary UDP session for the media stream. AOL was a big offender. The RTSP ALG (Application Layer Gateway) that handles these secondary sessions was disabled. ResNet showed a dramatic improvement in CPU utilization. 18 Information Technology OSPF LSA Database Fix Redesign OSPF so that each internal core has its own unique stub area. An OSPF stub area dramatically reduces the size of its LSA database by filtering out LSAs from other external areas. OSPF stub areas have been implemented for ResNet and HIPAA. LSA count for these networks has been reduced from nearly 1200 to under 100. IP route count for these networks has been reduced from nearly 900 to under 100. 19 Information Technology Additional Hardware Required Even with all issues identified and resolved, it was determined that a single pair of 5400's did not have the resources to handle Emory's existing traffic. Juniper agreed to provide two additional pairs of 5400's ($800k+ list price) free of cost to make up the difference. The additional hardware gives us room to implement our planned virtual firewalls with resources left over to grow. 20 Information Technology Academic Firewalls Migrated A second firewall cluster was installed using our lab gear pending replacement by Juniper in order to expedite the project. ResNet was moved from the original cluster to the new cluster Mon 04/09 6AM - 7AM. The Academic firewalls were successfully migrated to the new cluster Wed 04/11 between 5AM – 7AM. The Academic firewalls are stable and are performing as expected. 21 Information Technology Logical Diagram 22 Information Technology Remaining Steps SecureAdmin/DMZSA prep including rulebase conversion: Mon April 30 – Fri May 4 SecureAdmin/DMZSA go-live: Mon May 7 (5AM – 8AM) SecureAdmin/DMZSA OSPF stub area conversion: TBD Academic OSPF stub area conversion: Wed May 16 (5AM - 7AM) 23 Information Technology Remaining Steps 2 SPH will be split up behind several of the new core firewalls including Academic, SecureAdmin, DMZSA, and HIPAA. There will not be a SPH virtual firewall. The timeline and details are still TBD. 24 Information Technology Remaining Steps 3 Healthcare has several additional prerequisite steps before their firewalls can be migrated. Those steps include rulebase conversion, border BGP project completion, OSPF padding, static routing VPN's, Pool NAT for SecureRemote, and OSPF stub area conversion. The timeline for all of these items is still TBD. 25 Information Technology Questions 26 Information Technology Announcements & Updates Karen Jenkins Information Technology Remedy First two training sessions well attended – thank you! Additional general training overview 4/26 1:00pm – 2:30pm NDB Enterprise Room 230 Application functioning as designed with out-of-the box capabilities plus some customizations Please submit feature requests using the application Current top priority customizations: Inbound email (working with vendor) Data migration (v5.6 custom fields need to be imported) Suppress notifications flag 28 Information Technology Others PeopleSoft HR upgrade go-live July 9, 2007 Kenexa/BrassRing (Applicant Tracking) go-live July 9, 2007 Web Hosting – heads up – 3 week delay Hardware delays and problems (HP and Egenera Solaris 10 compatibility issues) Continuing to work towards 5/25 date – but it is tight! Emory Exchange Soliciting volunteers for the Support Center Tier 1 & Tier 2 resources required email felicia.bianchi@emory.edu if interested 29