
2006-08 Network Plan

as of:  March 10, 2006

 

History

 

The Weber State University data network had its beginnings in the 1980s with funding from the Academic Resources & Computing Committee (ARCC).  As networking technology evolved and matured, a four-phase university network plan was developed in the mid 1990s and implemented as resources became available.  Phase four of that plan was essentially completed in the 2004-06 planning cycle.

 

Moving forward, it is clear that the university network is more mission critical than ever.  All students, faculty, staff and administrators use network services of one kind or another.  Recently, the one millionth WSU video stream (in this case a faculty lecture) was downloaded by a student at 5:15 AM on a weekday morning.  Voice over IP (VoIP) telephones are being tested in several offices on the Ogden campus.  The bottom line expectation is that high bandwidth, highly reliable network facilities will be available 24x7 to the Weber State University community.  This new network plan addresses the upgrades that will be required over the next several years to make this a reality.

 

Executive Summary

 

The basic goals of this plan are to achieve:  (a) a more robust wired and wireless networking infrastructure, (b) improved preventive and reactive security measures, (c) simplified and more accurate control of user access to network resources, and (d) improved tools and capabilities for efficient management of the university’s high availability network systems.

 

This will be accomplished in phases by essentially rebuilding the university network with up-to-date equipment and significantly enhancing the emerging wireless network. The end results will include:  (1) an estimated 200% improvement in network performance from end to end, (2) enhanced security that protects the university community from internal and external threats with minimal manual intervention, (3) network management that will exceed current abilities without the need to increase staff, and (4) significant growth potential that will provide services to the university for both current and future needs.

 

Understanding of Current Situation

 

A recent audit concluded that the WSU data network does not fully meet current or anticipated future needs.  Specifically, the audit pointed out that the current network is difficult to expand, includes overly complicated configurations, and lacks adequate security in several areas including wireless access.

Review of the current network by the network engineers has shown that it will not support future applications such as VoIP, high bandwidth distributed computing, improved wireless networking, and network-based intrusion detection.  Furthermore, the current network uses hardware and software in critical functions that are no longer supported by the manufacturer.

 

Requirements

 

The network design for current and future university requirements must include:

 

  • a multi-Gigabit redundant core
  • redundant Gigabit connectivity for each wiring closet
  • a robust wireless network providing secure indoor and outdoor access
  • a redundant user-based VPN solution
  • standardized hardware and software for ease of replacement
  • network- and host-based intrusion detection and prevention
  • user-based network access authentication
  • network-based virus detection and prevention, and
  • standardized network administration tools.

Method and Approach

 

The requirements for the enhanced university network will be met in the following ways:

 

Multi-Gigabit redundant core

 

This requirement will be met by upgrading the current Cisco Catalyst 6500 switches with new modules to support improved routing and faster forwarding of traffic. These modules will also support advanced features needed to meet other requirements. The physical connections between each of these devices, and to each building, will be moved to support a redundant architecture to prevent network failures.

 

Redundant Gigabit connectivity for each wiring closet

 

This requirement will be met by providing a Gigabit-capable switch to each wiring closet and connecting the access switches to it with Gigabit uplinks. This, in addition to redeploying physical connections, will allow each wiring closet to have multi-Gigabit connectivity into the core network and provide Gigabit connectivity to each user-access switch in the wiring closet.

 

Indoor and Outdoor Secure Wireless Networking

 

This requirement will be achieved by installing new wireless access points (WAP), and a central control system. The WAPs will provide the ability to have both indoor and outdoor wireless access, have built-in security features to prevent unauthorized access, and will use a centralized authentication system (discussed later). The central control system will enhance the wireless network by providing centralized management, detection and isolation of rogue WAPs, fast and secure transitions between WAPs, and documentation features. Additionally, the wireless network will be designed to allow access at all campus locations without a change in client configuration.

 

Redundant User-based VPN solution

 

A system will be installed that will provide user-based VPN connectivity into the university network. This solution serves authorized users outside the university, and users with wireless devices that cannot support the latest wireless encryption: for those devices the traffic is protected by the VPN tunnel rather than by the wireless link itself, so the wireless segment they attach to should be treated as an untrusted network. This will be achieved using the latest technology from Cisco Systems, the Cisco Adaptive Security Appliance 5520.

 

Standard networking hardware and software

 

A document will be created listing the recommended standard equipment for all areas of the network, as well as minimum acceptable software versions. This document will be reviewed and updated quarterly for software changes, and annually for hardware changes. Updates will be made based on the recommendations of the Network Engineer or Network Security Engineer in consultation with outside experts as needed.

 

Network-based Intrusion Detection and Prevention

 

Intrusion detection and prevention will be achieved by leveraging other upgrades in the network. A module will be installed in the Catalyst 6500 devices that will provide 600 Mbps of traffic monitoring capacity. Because the core itself is multi-Gigabit, the traffic sent to the module must be selected (for example, the data-center and server VLANs rather than every core link) so that the monitored load stays within that capacity. In order to achieve redundant coverage of vital areas in the network, multiple modules will be installed in separate devices. In addition, features built into Cisco IOS will be implemented to enhance the intrusion prevention abilities of the network at no additional cost.
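As an added illustration (not part of the original plan), the following Catalyst 6500 configuration fragment shows the kind of traffic selection the 600 Mbps limit implies: only the data-center VLANs are mirrored to the sensor, in the receive direction, and one built-in IOS feature (unicast reverse-path forwarding) is enabled on a user VLAN as an example of prevention at no extra cost. Slot, port and VLAN numbers are assumed.

```cisco
! Added example; not from the WSU plan. Slot, port and VLAN numbers are assumed.
!
! Feed the intrusion-detection sensor only what it can inspect: mirror the
! data-center server VLANs (assumed 100-104), receive direction only, so each
! packet crossing those VLANs is copied once and the mirrored load stays well
! under the sensor's 600 Mbps capacity instead of the full multi-Gigabit core.
monitor session 1 source vlan 100 - 104 rx
!
! Sensor connected to a dedicated Gigabit port on the chassis (assumed slot 3,
! port 1). If the sensor is a service module in the same chassis, the
! destination is given as the module's data port instead of a front-panel port.
monitor session 1 destination interface GigabitEthernet3/1
!
! Built-in IOS prevention at no license cost: on the student access VLAN
! (assumed VLAN 200), drop packets whose source address is not reachable back
! through the interface they arrived on, which stops hosts on that VLAN from
! spoofing source addresses toward the rest of the campus.
interface Vlan200
 description Student access VLAN (assumed)
 ip verify unicast source reachable-via rx
```

Which VLANs to mirror is a capacity decision that should be revisited as the sensors are added to separate devices for redundancy: each sensor sees only the sessions it is configured for, and a VLAN mirrored to none of them is not covered.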

 

Host-based Intrusion Detection and Prevention

 

Host-based intrusion detection and prevention is vital in our data center operations to protect student information and financial data, as well as other critical functions necessary for university operations. Hosts will be protected with Cisco Security Agent (CSA) software on each machine. This software is able to report problems to a central management console, defend the local machine against attacks, and enable the network to block the attacking machine.

 

Network-based Virus Detection and Prevention

 

Virus detection and prevention will be achieved by leveraging the abilities of new software on the Cisco ASA devices. This will provide protection from virus activity, network intrusions, and unauthorized access at the network perimeter.

 

User-based Network Access Authentication

 

A software-based solution will be implemented that integrates with the proposed network upgrades to provide user-based authentication. This system will consult the existing user databases to decide whether network access is granted or denied, and will be configured to grant each user specific access based on that user's credentials and attributes in the existing user database.  This will require additional work on the user database.
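As an added example (not from the original plan), here is how the user-based authentication described above looks on a Catalyst 3560 access switch: the switch asks the central ACS server over RADIUS before opening a user port (802.1X), the server decides against the campus user database and can return a VLAN for that user, and administrators logging into the switch itself are checked over TACACS+. Server addresses, shared secrets, port ranges and VLAN numbers are assumed; the ACS server and the two protocols are the ones named in the cost section of this plan.

```cisco
! Added example; not from the WSU plan. Addresses, secrets and VLANs are assumed.
! Catalyst 3560 access switch: user-based port authentication and administrator
! login both decided by the central ACS server.
aaa new-model
!
! Administrative logins to the switch itself go to ACS over TACACS+, with a
! local account as fallback only when ACS is unreachable. Commands run by
! administrators are recorded for later forensic review.
tacacs-server host 10.10.1.5 key ExampleTacacsSecret
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username netadmin privilege 15 secret ExampleLocalFallback
!
! User ports: 802.1X, decided by ACS over RADIUS. ACS checks the campus user
! database; "authorization network" lets ACS return a VLAN per user, which is
! how credential-specific access is delivered to the port.
radius-server host 10.10.1.6 auth-port 1812 acct-port 1813 key ExampleRadiusSecret
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! Edge ports (assumed Fa0/1-24): no access until the user authenticates.
! Clients with no 802.1X supplicant land in a restricted guest VLAN, and
! failed logins land in a separate quarantine VLAN rather than on the port's
! normal VLAN.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 200
 dot1x port-control auto
 dot1x guest-vlan 900
 dot1x auth-fail vlan 901
 spanning-tree portfast
!
! Uplink to the Catalyst 3750 in the wiring closet: left at the default
! (force-authorized). 802.1X is never enabled on trunks or on ports that feed
! devices that cannot authenticate.
interface GigabitEthernet0/1
 description Uplink to Catalyst 3750 distribution switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
```

The local fallback account exists so that the switch remains manageable if both ACS servers are unreachable; it should be a strong, rarely used credential, because every login that reaches it bypasses the central user database.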

 

Standardized Network Administration Tools

 

Network tools will be reviewed and implemented to provide easier, improved management of network routers, switches, security devices and WAPs. These administration tools will have reporting abilities that will demonstrate performance relative to Service Level Agreements (SLAs). The tools will also facilitate forensic review of any security breach.

 

Implementation Plan

 

The plan for implementation will be a phased approach. Improvements and upgrades in the wired and wireless networks will happen in parallel to leverage the advantages of the new architecture in both networks as soon as possible.

 

The wired network will be upgraded in three phases:

 

  1. Wired Phase 1 will include a network core upgrade, upgrading the current Catalyst 6500s with new routing modules and a module to support new wireless features.
  2. Wired Phase 2 will replace the distribution layer switches in each wiring closet with Catalyst 3750s. This will leverage the new Gigabit core capabilities and provide an inline power feature to support the new wireless access points.
  3. Wired Phase 3 will reconnect all access switches to the new Catalyst 3750 switches and restructure the logical network and IP addressing. This will correlate with a rollout of the new logical structure of the wireless network with improved security features.

The wireless network will also be completed in phases, starting with outdoor wireless access:

 

  1. Wireless Phase 1 will ensure that all common spaces are covered with wireless access points to provide secure network connectivity from notebook computers and handheld devices to the university network. This will correlate with the installation of a wireless service module in the core network, and the installation of an appliance to manage the wireless access points and provide additional security.
  2. Wireless Phase 2 will happen on a “per-structure” basis. One by one, buildings will be migrated to the new wireless standard, addressing those in most need first. As each building is migrated it can take advantage of the new wireless security and access features.

 

Implementation of improved network security devices and practices (including network and host intrusion detection and prevention, virus prevention, user-based authentication, and redeployment of firewalls) will be done in parallel to the wired network project. Pieces of the network security implementation fit logically into each phase of that project.

 

New network management software tools and devices can be installed during the major wired and wireless projects or after they are complete.  However, it would be preferable to install them earlier to take advantage of their capabilities during the various phases of these projects.

 

The new VPN devices can be installed at any time, and will be of great benefit to faculty, staff and students. These devices integrate well into the existing network, and only require user-based authentication to function properly.

 

Benefits

 

The overall benefits of this plan include:  (a) improved network speeds to users, (b) improved accessibility to wireless users, (c) improved reliability through greater redundancy, (d) improved services by leveraging the capabilities of the Cisco IOS, and (e) improved security that will help protect the university from existing threats and “zero-day” threats.

 

The new wired network will provide:  (a) faster speeds to the desktop, (b) increased availability of commonly used network applications, (c) faster access to student applications, (d) improved redundancy to limit network outages that affect users, and (e) the ability to take full advantage of the GeoMax Gigabit connection to the UEN network (impossible today because of the 100 Mb/s links in the current core network).

 

The upgraded wireless network will provide improved university-wide access, including the ability to allow members of the university community to securely connect to the university network from any location, on any campus, without the need for software configuration changes.

 

Timelines and Costs

 

Timeframes for all project phases rely heavily on availability of resources.  The following estimates are based on an ideal situation, allowing for some unforeseen circumstances in the implementation.

 

Wired network phases:

 

  • Core network.  Duration is approximately 60 days, not counting exceptional lead times for ordering hardware. In this timeframe the required planning and preparation will be made to minimize network outages and to accomplish the major part of the transition over the holiday break. The estimated cost for this phase is $125,000. (Note:  this does not take into account the value of any equipment that can be used as trade-in credit. Substantial discounts might result from this trade-in value.)

  • Distribution level.  The distribution level phase will include the installation of Cisco Catalyst 3750 switches in each wiring closet. This can be started shortly after the completion of the core network phase, and can be planned to upgrade one building at a time. It is estimated that this phase could take as little as 90 days (completing 2-3 buildings each week) if the funds were available in full at the outset. The timeframe is relatively short because installation becomes more efficient after the first couple of buildings are completed. This phase would also include a logical redesign of the networks in each building, based on the new logical network architecture.  The cost for this phase is estimated to be $200,000. (This estimate might be reduced by the trade-in value of our existing switches.)

  • Access level.  This phase will include an upgrade of existing switches to new Catalyst 2950 or Catalyst 3560 switches to enable a Gigabit connection to the new Catalyst 3750 switches.  It can take place in parallel with the distribution level phase if funds are available. This phase is kept separate to allow for planning of anticipated upgrades to newer access layer technology supporting inline power for IP communications technology. The cost for this phase ranges from $300,000 for low-end 2950 switches to $900,000 for 3560 switches that support inline power for Cisco IP telephones and wireless access points.

 

Wireless network phases:
 

  • The first phase includes installing hardware that will control the access points and provide centralized management: one module in a Catalyst 6500 and one management appliance. This phase can be completed shortly after phase one of the wired network begins. The estimated time is 2 weeks. The estimated cost for this phase is $20,000.

  • The second phase will be the installation of the outdoor wireless infrastructure to provide secure wireless access to students, faculty and staff. This phase can be completed in parallel with phase two of the wired network. The estimated time for this phase is 90 days. The estimated cost is $20,000. This figure can be offset by the trade-in value of our existing access points.

  • The third phase of the wireless project will be the installation of access points in each building. This phase can be completed over an extended time, with the limiting factor being the need to support two wireless infrastructures while both are in place. This phase would include an informal site survey for each building to determine the number of access points needed. The timeframe for this project would be 6-12 months and can begin as soon as phase one is complete. The estimated cost for this phase cannot be precisely determined until a site survey of each building is completed. Based on the current number of installed access points, the cost should be approximately $175,000.

New security features:

 

  • Security portions of this proposal happen at various stages of the wired phases, and can happen in parallel with that part of this project. The network-based intrusion detection will use the Cisco 4250XL appliance-based intrusion detection device. The cost for this will include four modules to be included in the core network, at a price of $50,000.

  • A device which will provide immediate benefit to the security of our network and systems is the Cisco Security Monitoring, Analysis and Response System (CS-MARS). This will provide an aggregation point for all our security monitoring (the intrusion sensors, host agents, firewalls and switch logs) and will give triggered alerts and automatic, coordinated responses to security threats across the network. This system costs approximately $35,000 depending on the capacity of the device.

  • User-based authentication will be accomplished using Cisco Secure Access Control Server (ACS), which provides both RADIUS and TACACS+ authentication to all network devices and to computers on the network (in practice, TACACS+ for administrative logins to routers, switches and security appliances, and RADIUS for user authentication at the network edge and on the VPN). This portion should be completed as soon as possible to ease integration of the other security components. The estimated timeframe for deployment is 1-2 weeks after receiving the hardware. The cost for this will be $18,000.

  • Cisco Security Agent (CSA) is the recommended product for host-based intrusion prevention.  This is an agent that installs on each server and monitors the services running on that machine, alerting on and blocking behavior that violates its policy. This software can be deployed over an extended timeframe as personnel have resources available. The cost to install this software on 100 servers would be $48,000.

 

Network Management:

  • Existing tools will be enhanced with the addition of CiscoWorks. This would provide centralized and enhanced management of our Cisco security devices, intrusion detection, routing and switching architecture, and wireless environments. The CiscoWorks packages to support these items take 6-8 weeks to install and configure, with an estimated cost of $40,000.

  • A redundant VPN system will be implemented by installing Cisco Adaptive Security Appliances. Two of these devices will be installed in a redundant (failover) configuration to provide the best access to VPN users, and will replace the current Internet firewall configuration.  Because the same pair will both terminate VPN sessions and serve as the Internet perimeter firewall, the firewall rule base will need to be revisited as part of the firewall redeployment described above. The cost for this will be $15,000, and it will take a projected 4 weeks to install.

Lastly, there will be associated costs of ancillary items such as fiber transceivers, fiber patch cables, computer hardware for network management software, consulting services, etc. An estimated cost for all these items should be no more than $50,000.

Weber State University
Ogden, Utah 84408