hkom+ marko erjavec. goals for hkom+ lower the connection expensess (today:lease connections) lower...
TRANSCRIPT
Vodja projekta:Aleksander Bucik univ. dipl. ing.
Pregledal:Marko Ambrož univ. dipl. ing.
Izdelal:Marko Skubic univ. dipl. ing.
Center vlade za informatiko Langusova 4 1000 Ljubljana
Opombe:Koda:Slovenija november 2000
Datum:November 2000
Naziv:Shematični prikaz HKOMpovezav po Sloveniji
Trenutno stanje
HKOM+
Marko Erjavec
Goals for HKOM+• Lower the connection expensess (today:lease connections)• Lower the maintenace and managing expensess (goal: With one man maintain whole network)
– Lower the needed human resources for network maintanance– Lower the complexity of configurations on remote locations: configuration standardisation – simplification of maintenance and
management of configurationj– Rule optimisation: Rules on whoo, what and when someone communicate are located in one central point
• Enabling new services:– VoIP– Multicast
• Quality supervising on ousourcers and outtaskers• Connection to remote locations should be posssible on every known – possible connection independent of
connection povider– Frame relay (todays connectios)– Internet– MPLS– Leased lines(copper, optics)– Providers: Telekom, Volja, Amis, Mobitel, Satelite, Vimax ….
• Bandwidth increase– Possibility of application centralisation (SPIS)– Possibility of introducing and centralisation of VoIP
• Traffic restriction inside the HKOM+ with MPLS technology• Security: Availability, integrity, confidentiality• Preparation to EU presidency – process audits an security reqirements in year 2007• Akreditation to security level - restraint • Redefinition of procesesses for building, maintenance and manage of network in accordance to appropriate
standards and best practices• Virtualisation of devices and connections
Present production state
800 locations
80 pops
Ljubljana
30.000 users1600 LANs
Future production state
• 890 end locations1700 LANs30.000 users
Ljubljana
Internet
Satelite
Telekom
Mobitel
Goals enabling
• Increasing altogether bandwidth from aprox. 1Gb/s to 8Gbit/s, by changing from leased lines to flat rate.
• Lower the connection expensess – Tender for Providers ability to provide different
bandwidths on different locations(890)
Informational request 10Mbit/s connectionsBest offer
Starting fee Monthly fee Starting fee Monthly fee0 56EUR 100EUR 80EUR
100Mbit/s connectionsBest offer
Starting fee Monthly fee Starting fee Monthly fee0 420EUR 100EUR 80EUR
Recapitulation: (500 x 10Mbit/s, 100x 100Mbit/s)
First year total expensess (prim + backup): Second year total expensess (prim + backup):Best offer 2.862.500 EUR Best offer 1.450.000 EUR
Todays yearly expensess
4.583.333 EURTodays yearly expensess
4.583.333 EUR
Primary (simmetric) connectioncapacity: 100 Mbit/s
Backup (asimetrična) connectioncapacity: 4 / 2 Mbit/s
Primary (simmetric) connectioncapacity: 10 Mbit/s
Backup (asimetrična) connectioncapacity: 4 / 2 Mbit/s
Goals Enabling
• Security: – Availability:
• Every remote location is connected to two independent providers• NIC Maribor – backup location with all functionality as Primary
location in Ljubljana• Every provider is connected to Ljubljana and Maribor
– Integrity, Confidentiality: • All traffic to remote locations is crypted (certificates SIGOV-CA)
• Preparation to EU presidency – preparation of security procesess according to standard ISO 27001 and special EU security standards
• Collaboration with security agency to get knowledge of special requirements and influence on creation of security requirements.
Goals enabling
• On all remote locations standardised interface is ethernet (UTP cable, RJ45 connector)
• Some remote locations have more than one LAN• Every LAN has three ethernet connections:
– Data– VoIP– DMZ – for larger agencies that have their own IT
department and internet applications
• All configurations on remote locations have the same configuration except IP address and name
How we started
• Negotiating with Telekom– We got good negotiating position with results from Informational
request
• Equipement purchase• Designing and building LAB• LAB connection to the production network – it is now part
of production• Making pilot instalations on existing leased lines and new
flat rate connections• Large deployment to existing leased lines and new flat
rate lines– In two months all 600 routers will be placed on site
LAB design
HKOM F7
ISP1
ISP2
Existing HKOM (phase 7)
L-2001
Vlan 801
Vlan 802
10.1.1.0/24
10.2.1.0/24
.100.1
.1
.100
.201
.202
Vlan 806
Vlan 807
10.1.2.0/24
10.2.2.0/24
.100.1
.1
.100
.206
.207
L-8010
Vlan 811
Vlan 812
10.1.3.0/24
10.2.3.0/24
.100.1
.1
.100
.211
.212
L-1021
Vlan 816
Vlan 817
10.1.4.0/24
10.2.4.0/24
.100.1
.1
.100
.216
.217
L-3000 192.16
8.14.192
/26
192.168.14.0/26
192.168.14.192/26
.193
.9
Vmware-VC.24
MGMT.11
.194CSM
DATA1
DATA2
.11
.12
.21
.22
.05
.06
ESX.20
ESX.21
ESX.22 .23
Fedora
.26 .27 .25
HKOM-FW1
HKOM-FW2
.31
.32
HSRP .1
Vlan 818
Vlan 819
10.1.5.0/24
10.2.5.0/24
.100.1
.1
.218
.219.100
FE0/22
FE0/23
Dostop do PC v LAB-u je preko terminal services clienta ( tcp 3389) na naslove 192.168.14.201 - 219, kot je prikazano na sliki
DSLAMDSL
L-1025
Only Data ethernet is shown on LANs
Production state
HKOM F7
DSL
PSTN HKOM PHASE7
Internet
TELEKOM
HKOM (PHASE 7)
L-2001
Vlan 801
Vlan 802
10.1.1.0/24
10.2.1.0/24
.100.1
.1
.100
.201
.202
Vlan 806
Vlan 807
10.1.2.0/24
10.2.2.0/24
.100.1
.1
.100
.206
.207
L-8010
Vlan 811
Vlan 812
10.1.3.0/24
10.2.3.0/24
.100.1
.1
.100
.211
.212
L-1021
Vlan 816
Vlan 817
10.1.4.0/24
10.2.4.0/24
.100.1
.1
.100
.216
.217
L-3000 192.16
8.14.192
/26
192.168.14.0/26
192.168.14.192/26
.193
.9
Vmware-VC.24
MGMT.11
.194CSM
DATA1
DATA2
.11
.12
.21
.22
.05
.06
ESX.20
ESX.21
ESX.22 .23
Fedora
.26 .27 .25
HKOM-FW1
HKOM-FW2
.31
.32
HSRP .1
Vlan 818
Vlan 819
10.1.5.0/24
10.2.5.0/24
.100.1
.1
.218
.219.100
FE0/22
FE0/23
Dostop do PC v LAB-u je preko terminal services clienta ( tcp 3389) na naslove 192.168.14.201 - 219, kot je prikazano na sliki
DSLAM test
CALL MANAGER
Physical/Logical Topology
MPLS VPN
GRE over IPsec
Logical Topology
Detailed LAB picture
•
Configuration standardisation• Every remote LAN has three ethernet connections
– Data – VoIP – DMZ – just for some organisation
• If some exception exist, it must become standard configuration in at least two months. That implies that in two months we have to change “configurator” application
• Configurator will became center point of provisionng and maintenace of whole HKOM+ network
• We expect new revisions every two months.• Now it covers five differrent Cisco routers and switches that we use
in HKOM+ • Daily configuration on firewall must be done through CSM –
command line is not permited
Configurator
Other tools• MARS
– Analitical – corelation tool to predict possible problems in network - Netflow• CSM
– Cisco firewall GUI configuration tool• Cisco works equivalent (Rancid) configuration management on routers and switches • Monitor
– Custom designed HW and SW for larger (important) remote locations to measure availability of services and SLA
• OpenView, cacti for all locations• Various databases of IP addressing, location address, location specific, SecID
authorisation data ….• Help desk software
– Registering every incident – Making reports, knowledgebase
• IDS/IPS: ISS products (Proventia, Black ice…)• Conclusion:
– Everyday work on network is done by CSM and Help desk. Other tools are for alarming and observing network.
Services
• HKOM offer different services to its users
• HKOM need different services to function properly
• Services must never go down (24/7)
Services• HKOM services:
– DNS – inside and outside, registrar– Proxy– Remote access for outsourcers– Remote access for users– Authentication, authorisation, accounting– Video conferencing, Video streaming– Syslog– Radius– IPS for all agencies on central point– Firewalling for all traffic that comming or leaving HKOM (internet, ousourcers,
some gov. Agencies, EU netw., Data center)– SecurID issue– Mail for some organisations– Access for concessionaires– Load balancing for different web applications (content manager)– Connection to EU networks– Voice (telephone)
VoIP
• Solution for more than one service provider present in HKOM
• Telephone call free of charge for internal calls
• Only external calls from HKOM are charged
Information request
•
HKOM network
Internal call
TCHKOM
existingtelefoncentral
HKOM connections
Gateways to service provider
HKOm central location
Service provider"A"
Service provider "B"
Service provider
Service provider"C"
Public service provider
End locations
Public service
provider"A"
Public service
provider"C"
Connection schematic
•
Internet
Telekom
Sinfonika
Amis
HKOM
External call for Telekom subscribersExternal call for Sinfonika subscribers External call for Amis subscribersInternal call
PRA
SIP
TC HKOM
VPN
Existing tel. central
Information request• Request was addressed to 15
service and sollution providers• We propose form into which
providers put the prices• We got 5 proposals
Eqipement rent Eqipement rent
Eqipement buyWithout PoE
funkc.
Eqipement buy
Number of subscribers Without PoE functionality With PoE functionality
With PoE funkc.
(volume discount)
First connectionPer subscriber
Monthly fee per subscriber
First connectionPer subcsriber
Monthly fee per subscriber
Price per subscriber
Price per subscriber
(in EUR with
tax)(in EUR with
tax)(in EUR with
tax)(in EUR with
tax)(in EUR with
tax)(in EUR with
tax)
1 - 999 0 10 -15 0 13-18 300 - 450 400 - 550
1000 -1999 0 10 -15 0 13-18 300 – 450 400 - 550
2000 – 4999 0 10 -15 0 13-18 300 – 450 400 - 550
5000 – 9999 0 10 -15 0 13-18 300 – 450 400 - 550
10000 -19999 0 10 -15 0 13-18 300 – 450 400 - 550
Over 20000 0 10 -15 0 13-18 300 - 450 400 - 550
Current state of HKOM+ upgrade
• 830 locations of 890 are upgraded
• Some additional management tools are developed and instaled
• Remote desktop server (ISL) is implemented
Future plans
• Change of main switch (250 ports) in data and communication core network with fourty smaller (48 ports) distributed 1Gb/s switches
• Instalation of equipement in backup location in Maribor
• Developement and instalation of smaller management applications
• End of activities in 1.1.2008
EU networks
Network
H K O M
Network
C C NNetwork
E X T R A N E T
Network
T E S T A I I
EU networks CCN – Common Communication Network
Network CCN is under the jurisdiction ofEC, DG TAXUD (European Commission,Directorate General for Taxationand the Customs Union)
Network CCN has been established forinterchange of regular customs and taxation data
Over network CCN also special data are interchanged - AFIS (Anti-Fraud Information Systems) under the jurisdiction of EC OLAF (European Commission, European Anti-Fraud Office)
Primary connection:leased line -> 256 kb/s
Secondary connection:ISDN
Data crypting:yes
Network
C C N
Network
H K O M
Network
C C N
EU networksCCN – Common Communication Network
Ministry of Finance
Customs AdministrationMinistry of Finance
Tax AdministrationMinistry of Finance
VIES (VAT Information ExchangeSystem) – system for VAT numbervalidationNCTS (New Computerised Transit System)CIS (Customs Information System) - TARIC (TARif Intégré Communautaire), QUOTA,…AFIS (Anti-Fraud Information Systems) – systems for detecting and preventing frauds, corruption and other illegal activitieswith financial consequences
EU networksTESTA – Trans-European Services for Telematics between Administrations
Network TESTA II is under the jurisdiction of EC, ENTERPRISE DG (European Commission, Enterprise Directorate-General)
Network TESTA II is one of the generic services of the Programme IDA (Interchange of Data between Administrations Programme: a European Community Programme)
Projects using network TESTA II: 14POINTS, AFIS, CARE, CIRCA, DUBLINET, ECB.NET, EUDRANET, EUPHIN, EURAMIS,EURODAC, EUROSTAT, FIDES,FIUNET, INTRACOM, PROCIV-NET,SAFESEANET, SFC, SIGL,TACHONET in TESS (most of themare projects of common interest)
Network
T E S T A I I
sTESTA
EU networksTESTA – Trans-European Services for Telematics between Administrations
Network
H K O M
Network
T E S T A I I
Office for Money Laundering Prevention
Ministry of Finance
Ministry of the Interior
Ministry of the Economy
Administration for Civil Protection and Disaster Relief
Ministry of Defense
Ministry of Transport
Primary connection:leased line -> 256 kb/s
Secondary connection:leased line -> 256 kb/s
Data crypting:yes
FIU.NET (Financial Intelligence Unit) – system for money laundering detection and prevention
EURODAC – system for fingerprints comparison(identification process of the asylum applicants)
DUBLINET – system for interchanging data about the asylum applicants (DUBLIN II regulation)
SIGL – system for textile and steelimport quota checking (beforeissuing the import documentation)
PROCIV-NET (Civil Protection and Environmental Emergencies European Network) – system for interconnecting national civil protection institutions; essential information interchanging (CECIS - Common Emergency Communication and Information System)
TACHONET – system for interchangingdata about professional truck driversand truck journey (digital tachograph)
Network
T E S T A I I
EU networksTESTA – Trans-European Services for Telematics between Administrations
EU networksTESTA – Trans-European Services for Telematics between Administrations
I N T E R N E T
(VPN, Crypto)
EXCEPTION:
EUDRANET – system for interchanging data about pharmaceutical products (competence: Agency for Medicinal Products and Medicinal Devices of the Republic of Slovenia,Ministry of Health)
EU networksEXTRANET – Extranet Network
Network EXTRANET is under the jurisdiction of the General Secretariat of the Council of the European Union
Network EXTRANET has been established for interchanging documents in electronic form (sent from the GSC EU to the EU member states)
Primary connection:leased line -> 256 kb/s
Secondary connection:ISDN (4 channels)
Data crypting:yes
Network
E X T R A N E T
EU networksEXTRANET – Extranet Network
Network
H K O M
Network
E X T R A N E T
EU-Portal
U32Mail - in Slovenia documents are available over dedicated EU-Portal application