April 19, 2007

Information Technology
IT Briefing
April 2007

IT Briefing March 15, 2007
• Gartner Demonstration: John Kazmin
• Computer Ordering & Emory Express Demo: Loette King & David Thurston
• Blackboard Upgrade: Julia Leon
• Firewall Migration Update: Jimmy Kincaid
• Announcements/Updates: Jay Flanagan
Gartner
John Kazmin
John.kazmin@gartner.com
Tel: 239-995-2077

www.gartner.com access page: http://it.emory.edu/showdoc.cfm?docid=2465
Questions or issues email: gartner@listserv.emory.edu
Computer Ordering & Emory Express
Loette King
David Thurston

Blackboard Upgrade
Julia Leon

What’s New
• Discussion Board revamped
• Improvements to Tests and Gradebook
• Visual Textbox Editor in more places
• …more features…
• More robust technical architecture
Architecture - Now

Architecture - Upgraded

Schedule
Firewall Migration Update
Jimmy Kincaid

Presentation Structure
• Brief Project Overview
• Diagram of Legacy Firewalls
• Diagram of New Firewalls
• Implementation Issues and Fixes
• Logical Diagram of Modified Design
• Remaining Steps and Timeline
Brief Project Overview
• Emory needed a new firewall solution.
• A cross-organizational evaluation team was put together consisting of AAIT Security, IS Security, and Network Communications.
• Candidates were Cisco/FWSM, Checkpoint/Crossbeam, and Juniper/Netscreen.
• After extensive testing and evaluation, the Juniper Netscreen 5400 was chosen as Emory's new firewall platform.
Legacy Checkpoint Firewalls
• Multiple single points of failure
• No site redundancy
• Software (CPU) based
• External third-party load balancers
• Physical hardware per firewall
New Juniper Firewalls
• Site redundancy
• Stateful HA via NSRP and OSPF
• Hardware (ASIC) based
• Virtual firewalls
• No external load balancers
Implementation Attempts
• ResNet was migrated without issue.
• Several attempts to migrate the Academic firewalls were unsuccessful due to high CPU utilization and instability.
• We worked very closely with Juniper and determined the root causes of the issues.
Implementation Issues
• TCP sessions were not removed from the firewall's session table when the sessions were finished.
• All RTSP (Real Time Streaming Protocol) packets hit the firewall CPU.
• OSPF (Open Shortest Path First) LSA (Link State Advertisement) database limitation of < 2048.
TCP Session Issue Fix
• The TCP session issue was identified as a software bug and was fixed in software release 5.4.0.r3.
• A software bug that prevented us from loading 5.4.0.r3 was fixed in release 5.4.0.dm2.
• The 5.4.0.dm2 software was loaded, and the TCP session issue was corrected. ResNet showed immediate improvement (> 50% session table reduction).
RTSP Issue Fix
• The RTSP issue only occurs when the streaming media traffic uses the same session (TCP/554) as the control traffic instead of a secondary UDP session for the media stream. AOL was a big offender.
• The RTSP ALG (Application Layer Gateway) that handles these secondary sessions was disabled. ResNet showed a dramatic improvement in CPU utilization.
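The two media paths described above can be told apart from the Transport header of an RTSP SETUP reply: a plain RTP/AVP transport names the secondary UDP ports an ALG has to open, while an RTP/AVP/TCP "interleaved" transport keeps the media inside the TCP/554 control session. This is an added illustration, not code from the briefing or from Juniper; the two SETUP replies are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample RTSP SETUP replies (not captured traffic).
UDP_REPLY = (
    "RTSP/1.0 200 OK\r\nCSeq: 2\r\nSession: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589;server_port=6256-6257\r\n\r\n"
)
INTERLEAVED_REPLY = (
    "RTSP/1.0 200 OK\r\nCSeq: 2\r\nSession: 87654321\r\n"
    "Transport: RTP/AVP/TCP;unicast;interleaved=0-1\r\n\r\n"
)

@dataclass
class Transport:
    interleaved: bool                       # media shares the TCP/554 control session
    client_ports: Optional[Tuple[int, int]]  # RTP/RTCP port pair on the client side
    server_ports: Optional[Tuple[int, int]]  # RTP/RTCP port pair on the server side

def _port_range(value: str) -> Tuple[int, int]:
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)

def parse_transport(reply: str) -> Transport:
    """Read the Transport header and work out where the media stream will flow."""
    m = re.search(r"^Transport:[ \t]*([^\r\n]+)", reply, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("SETUP reply carries no Transport header")
    params = [p.strip() for p in m.group(1).split(";")]
    profile = params[0].upper()             # e.g. RTP/AVP or RTP/AVP/TCP
    kv = dict(p.split("=", 1) for p in params[1:] if "=" in p)
    interleaved = profile.endswith("/TCP") or "interleaved" in kv
    return Transport(
        interleaved=interleaved,
        client_ports=_port_range(kv["client_port"]) if "client_port" in kv else None,
        server_ports=_port_range(kv["server_port"]) if "server_port" in kv else None,
    )

def udp_pinholes(t: Transport) -> List[Tuple[str, int]]:
    """Secondary UDP sessions an RTSP ALG would have to permit for this stream.
    Empty for interleaved transport: there is nothing to open, every media packet
    instead arrives on the established TCP/554 session and is inspected there."""
    if t.interleaved:
        return []
    holes: List[Tuple[str, int]] = []
    for side, ports in (("client", t.client_ports), ("server", t.server_ports)):
        if ports:
            holes.extend((side, p) for p in range(ports[0], ports[1] + 1))
    return holes
```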
OSPF LSA Database Fix
• Redesign OSPF so that each internal core has its own unique stub area.
• An OSPF stub area dramatically reduces the size of its LSA database by filtering out LSAs from other external areas.
• OSPF stub areas have been implemented for ResNet and HIPAA.
• LSA count for these networks has been reduced from nearly 1200 to under 100.
• IP route count for these networks has been reduced from nearly 900 to under 100.
Additional Hardware Required
• Even with all issues identified and resolved, it was determined that a single pair of 5400s did not have the resources to handle Emory's existing traffic.
• Juniper agreed to provide two additional pairs of 5400s ($800k+ list price) free of cost to make up the difference.
• The additional hardware gives us room to implement our planned virtual firewalls with resources left over to grow.
Academic Firewalls Migrated
• A second firewall cluster was installed using our lab gear pending replacement by Juniper in order to expedite the project.
• ResNet was moved from the original cluster to the new cluster Mon 04/09 6AM - 7AM. The Academic firewalls were successfully migrated to the new cluster Wed 04/11 between 5AM – 7AM. The Academic firewalls are stable and are performing as expected.
Logical Diagram
Remaining Steps
• SecureAdmin/DMZSA prep including rulebase conversion: Mon April 30 – Fri May 4
• SecureAdmin/DMZSA go-live: Mon May 7 (5AM – 8AM)
• SecureAdmin/DMZSA OSPF stub area conversion: TBD
• Academic OSPF stub area conversion: Wed May 16 (5AM - 7AM)
Remaining Steps 2
• SPH will be split up behind several of the new core firewalls including Academic, SecureAdmin, DMZSA, and HIPAA.
• There will not be an SPH virtual firewall.
• The timeline and details are still TBD.
Remaining Steps 3
• Healthcare has several additional prerequisite steps before their firewalls can be migrated. Those steps include rulebase conversion, border BGP project completion, OSPF padding, static routing VPNs, Pool NAT for SecureRemote, and OSPF stub area conversion.
• The timeline for all of these items is still TBD.
Questions
Announcements & Updates
Karen Jenkins

Remedy
• First two training sessions well attended – thank you!
• Additional general training overview 4/26 1:00pm – 2:30pm NDB Enterprise Room 230
• Application functioning as designed with out-of-the-box capabilities plus some customizations
• Please submit feature requests using the application
• Current top priority customizations:
  • Inbound email (working with vendor)
  • Data migration (v5.6 custom fields need to be imported)
  • Suppress notifications flag
Others
• PeopleSoft HR upgrade go-live July 9, 2007
• Kenexa/BrassRing (Applicant Tracking) go-live July 9, 2007
• Web Hosting – heads up – 3 week delay
  • Hardware delays and problems (HP and Egenera Solaris 10 compatibility issues)
  • Continuing to work towards 5/25 date – but it is tight!
• Emory Exchange
  • Soliciting volunteers for the Support Center
  • Tier 1 & Tier 2 resources required
  • email felicia.bianchi@emory.edu if interested