Information Technology IT Briefing April 2007


Information Technology

IT Briefing

April 2007

IT Briefing March 15, 2007

• Gartner Demonstration (John Kazmin)
• Computer Ordering & Emory Express Demo (Loette King & David Thurston)
• Blackboard Upgrade (Julia Leon)
• Firewall Migration Update (Jimmy Kincaid)
• Announcements/Updates (Jay Flanagan)

Gartner

John [email protected]: 239-995-2077

www.gartner.com access page

http://it.emory.edu/showdoc.cfm?docid=2465

Questions or issues email:

[email protected]

Computer Ordering & Emory Express

Loette King & David Thurston

Blackboard Upgrade

Julia Leon

What’s New

• Discussion Board revamped
• Improvements to Tests and Gradebook
• Visual Textbox Editor in more places
• …more features…
• More robust technical architecture

Architecture-Now

Architecture-Upgraded

Schedule

Firewall Migration Update

Jimmy Kincaid

Presentation Structure

• Brief Project Overview
• Diagram of Legacy Firewalls
• Diagram of New Firewalls
• Implementation Issues and Fixes
• Logical Diagram of Modified Design
• Remaining Steps and Timeline

Brief Project Overview

• Emory needed a new firewall solution.
• A cross-organizational evaluation team was put together consisting of AAIT Security, IS Security, and Network Communications.
• Candidates were Cisco/FWSM, Checkpoint/Crossbeam, and Juniper/Netscreen.
• After extensive testing and evaluation, the Juniper Netscreen 5400 was chosen as Emory's new firewall platform.

Legacy Checkpoint Firewalls

• Multiple single points of failure
• No site redundancy
• Software (CPU) based
• External third-party load balancers
• Physical hardware per-firewall

New Juniper Firewalls

• Site redundancy
• Stateful HA via NSRP and OSPF
• Hardware (ASIC) based
• Virtual firewalls
• No external load balancers

Implementation Attempts

• ResNet was migrated without issue.
• Several attempts to migrate the Academic firewalls were unsuccessful due to high CPU utilization and instability.
• We worked very closely with Juniper and determined the root causes of the issues.

Implementation Issues

• TCP sessions were not removed from the firewall's session table when the sessions were finished
• All RTSP (Real Time Streaming Protocol) packets hit the firewall CPU
• OSPF (Open Shortest Path First) LSA (Link State Advertisement) database limitation of < 2048

TCP Session Issue Fix

• The TCP session issue was identified as a software bug and was fixed in software release 5.4.0.r3.
• A software bug that prevented us from loading 5.4.0.r3 was fixed in release 5.4.0.dm2.
• The 5.4.0.dm2 software was loaded, and the TCP session issue was corrected.
• ResNet showed immediate improvement (> 50% session table reduction).

RTSP Issue Fix

• The RTSP issue only occurs when the streaming media traffic uses the same session (TCP/554) as the control traffic instead of a secondary UDP session for the media stream. AOL was a big offender.
• The RTSP ALG (Application Layer Gateway) that handles these secondary sessions was disabled.
• ResNet showed a dramatic improvement in CPU utilization.

OSPF LSA Database Fix

Redesign OSPF so that each internal core has its own unique stub area.

An OSPF stub area dramatically reduces the size of its LSA database by filtering out LSAs from other external areas.

OSPF stub areas have been implemented for ResNet and HIPAA.

LSA count for these networks has been reduced from nearly 1200 to under 100.

IP route count for these networks has been reduced from nearly 900 to under 100.

Additional Hardware Required

• Even with all issues identified and resolved, it was determined that a single pair of 5400's did not have the resources to handle Emory's existing traffic.
• Juniper agreed to provide two additional pairs of 5400's ($800k+ list price) free of cost to make up the difference.
• The additional hardware gives us room to implement our planned virtual firewalls with resources left over to grow.

Academic Firewalls Migrated

• A second firewall cluster was installed using our lab gear pending replacement by Juniper in order to expedite the project.
• ResNet was moved from the original cluster to the new cluster Mon 04/09 6AM – 7AM.
• The Academic firewalls were successfully migrated to the new cluster Wed 04/11 between 5AM – 7AM.
• The Academic firewalls are stable and are performing as expected.

Logical Diagram

Remaining Steps

• SecureAdmin/DMZSA prep including rulebase conversion: Mon April 30 – Fri May 4
• SecureAdmin/DMZSA go-live: Mon May 7 (5AM – 8AM)
• SecureAdmin/DMZSA OSPF stub area conversion: TBD
• Academic OSPF stub area conversion: Wed May 16 (5AM – 7AM)

Remaining Steps 2

• SPH will be split up behind several of the new core firewalls including Academic, SecureAdmin, DMZSA, and HIPAA.
• There will not be an SPH virtual firewall.
• The timeline and details are still TBD.

Remaining Steps 3

• Healthcare has several additional prerequisite steps before their firewalls can be migrated.
• Those steps include rulebase conversion, border BGP project completion, OSPF padding, static routing VPNs, Pool NAT for SecureRemote, and OSPF stub area conversion.
• The timeline for all of these items is still TBD.

Questions?

Announcements & Updates

Karen Jenkins

Remedy

• First two training sessions well attended – thank you!
• Additional general training overview 4/26 1:00pm – 2:30pm NDB Enterprise Room 230
• Application functioning as designed with out-of-the-box capabilities plus some customizations
• Please submit feature requests using the application
• Current top priority customizations:
  • Inbound email (working with vendor)
  • Data migration (v5.6 custom fields need to be imported)
  • Suppress notifications flag

Others

• PeopleSoft HR upgrade go-live July 9, 2007
• Kenexa/BrassRing (Applicant Tracking) go-live July 9, 2007
• Web Hosting – heads up – 3 week delay
  • Hardware delays and problems (HP and Egenera Solaris 10 compatibility issues)
  • Continuing to work towards 5/25 date – but it is tight!
• Emory Exchange
  • Soliciting volunteers for the Support Center
  • Tier 1 & Tier 2 resources required
  • email [email protected] if interested