Enabling the Cloud for the U.S. Government (lgsinnovations.com/wp-content/uploads/cloud-v2.pdf)

STRATEGIC WHITE PAPER

ENABLING THE CLOUD FOR THE U.S. GOVERNMENT

LGS Innovations delivers next generation solutions that solve the most complex networking and communications challenges facing the U.S. Federal Government, state and local governments, foreign governments, and commercial enterprises. LGS offers groundbreaking research and development and builds advanced wireless, optical, and wired products and applications customized for specific mission environments. These solutions provide unique information and security advantages that lead to the operational success of its customers.

LGS is working to apply advanced networking technologies to enable cloud services for the U.S. Government. Our cloud solutions provide on-demand network access with sufficient bandwidth and carrier grade redundancy for mission critical services and applications. By transforming the government’s ability to quickly and securely send and receive information of all kinds – anywhere, at any time, on any device – LGS contributes to mission success, from protecting the homeland to increasing service to the citizen.

The topic of cloud computing is broad and touches many areas in the enterprise market. This white paper addresses the networked data center, as it pertains to cloud and application enablement. LGS focuses on the challenges that the USG faces migrating to a cloud services delivery model and the potential benefits realized through LGS solutions of cloud enablement products and services for the networked data center. We leverage the Alcatel-Lucent Data-Center Connect solution for networked data center design, planning and data center automation.

Upload: lykhue

Post on 23-Jun-2018


TABLE OF CONTENTS

[1] CLOUD FOR THE USG – TRENDS & CHALLENGES

[2] LGS CLOUD SOLUTIONS

2.1 Cloud Network Enabler
2.2 Data Center Connect (DCC)
2.3 DCC Building Blocks
2.4 ALU – Hewlett-Packard Strategic Alliance
2.5 Data Center Automation
2.6 Application Assurance (AA)
2.7 Service Aware Management
2.8 Data Center Interconnect
2.9 Interior Data Center Fabric
2.10 Optical Transport

[3] CLOUD SECURITY

[4] SUMMARY

[5] GLOSSARY

1. CLOUD FOR THE USG – TRENDS & CHALLENGES

An important aspect of cloud computing is convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud service provider interaction.

The National Institute of Standards & Technology’s (NIST) definition of cloud computing technologies and services is used as a framework to baseline our cloud-based, configurable computing solutions. The NIST Cloud Computing Reference Architecture defines five major actors in the conceptual cloud: consumer, broker, provider, auditor and carrier, as represented in Figure 1-1. The following summarizes their roles in the reference architecture.

• Cloud Consumer – user of cloud apps and services
• Cloud Auditor – assesses security, performance, & usage
• Cloud Provider – delivers apps & services to consumers
• Cloud Broker – manages & negotiates service performance between consumers & providers
• Cloud Carrier – provides transport & connectivity between consumers & providers

Figure 1-1: NIST Conceptual Cloud Model. Extensible framework for cloud services.

NIST’s service orchestration layer offers basic classes of services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Resource Abstraction and Control incorporates virtualization technologies to establish and efficiently manage resources to ensure reliable and secure usage. Service classes and their control mechanisms have a critical dependence on the underlying physical resources that provide network access to end-users with connectivity to USG Agency locations and backbone interconnection of data centers.

Migrating to the cloud has the potential to dramatically change the way the USG accesses and provides services. Cloud is a highly flexible, on-demand framework that leverages innovative technology and business models that together create new service delivery mechanisms. Shifting to a cloud model has key benefits for the USG.

• Efficiency – Improved IT resource utilization, cost savings through data center consolidation and optimization, and shortened procurement lead times.
• Agility – More responsive to urgent agency needs, ubiquitous access, and scalable services.
• Innovation – Shifts focus from asset ownership to service management, leverages commercial innovations, and is better linked to emerging technologies.
• Performance – Improved end user Quality of Experience (QoE).
• Green – Improved energy efficiency.

Savings: The USG is migrating to cloud-based solutions to rein in its IT budgets in the current cost-sensitive environment. The Federal Cloud strategy outlines a decision framework for cloud migration, which estimates that the USG spends $80B each year on over 12,000 systems in major agencies with $20B potentially targeted for migration to cloud computing. Also estimated is that the USG dramatically increased the number of data centers over the past decade from 400 to over 2000; it currently has a goal to shut 800 data centers by 2015.

1 NIST Cloud Computing Reference Architecture, Special Publication 500-292, September 2011.

Privacy/Security: Typical IT environments contribute to increasing costs, low resource utilization and inflexible, difficult to manage systems. Coupled with these constraints, there are data security challenges facing the Federal IT sector that should be addressed on the road to cloud migration.

• Ensure security and privacy in a virtualized environment
• Data integrity, separation, protection, and management
• Long term storage and records management
• Availability of critical government services

The Department of Defense (DoD) has unique challenges such as the processing of information at multiple classification levels under multiple authorities (DoD, DHS), the Certification & Accreditation process, and the ability to respond to rapid changes in DoD mission requirements. Additionally, a published NSA briefing cites the Gartner Group’s findings that security risks applied to the DoD include:

• Protection of sensitive data, regulatory compliance, data location, segregation, and recovery
• Security standards (SAML, WS*)
• Secure provisioning of applications into the cloud
• Controlling/restricting what applications can run in which cloud instances
• Binding specific platforms/virtual machines to applications
• Protecting cloud computing platforms from cyber attack

User Experience: An advantage of migrating to cloud services is the potential to offer a superior end-user experience. With adequate local access and modern networking protocols and operations, cloud services can be delivered with reproducible Quality of Service (QoS). Across the Agency all users can experience a common operating environment with centralized identity management and mutual authentication between the users and the networked cloud. Ultimately, centralized IT support can be offered more efficiently and at a higher uniformity/proficiency than when users depend on the expertise of local IT administrators and desktop support.

Green Technology: Data centers (DCs) throughout the USG are historically underutilized since they must provide sufficient capacity to meet the peak load required by their users and that load is increasing dramatically. By networking, automating, and orchestrating operations, the DCs work in concert to share load. The average usage goes up markedly, so that fewer data centers are needed and then newer, more energy efficient equipment can be justified. Thus cloud computing leverages the use of green technology. Furthermore, the LGS solutions described in Section 3 are power efficient since they propose to distribute data centers near end-users to reduce transport power dissipation, and furthermore are designed with energy efficiency as a primary requirement.

2 Federal Cloud Computing Strategy, Vivek Kundra, US CIO, February 8, 2011.

3 “DoD Cloud Computing Security Challenges”, Chris Kubic, Chief Architect, Information Assurance Architecture and Systems Security Engineering Group, National Security Agency.

2. LGS CLOUD SOLUTIONS FOR DATA CENTERS

LGS Innovations and ALU’s key cloud solutions strengths enable data centers to virtually interoperate. Our innovations in Service Aware Routing and Optical Networking are supplemented with middleware and services that automate the operation of distributed, dynamic DCs. Cost effective and efficient cloud service management and application assurance are the fundamental end user benefits realized by these leading networking and management capabilities.

LGS/ALU Solution Discriminators

• Virtualized network infrastructure
• Dynamic load sharing across Data Centers
• Application assurance
• Service aware management
• Automated provisioning services
• Multi-vendor architecture
• Support for industry standards
• Carrier grade 5-9’s availability

LGS Innovations has partnered with Alcatel-Lucent (products/services) and Bell Labs (research) to offer a carrier-grade networked cloud architecture, which integrates best-in-class solutions with advanced network technologies. This innovative approach improves application and service responsiveness, realizes data center resource scalability and efficiency, and provides end-to-end management at the service and application levels. Our solutions are agile, secure, and offer multiple deployment options. For example, our cloud architecture moves high-bandwidth or latency-sensitive applications closer to the user. The Data Center Connect (DCC) solution is an adaptive architecture, using ALU’s award-winning IP/MPLS service routers, optical switches, and transport. DCC can also be integrated with Hewlett-Packard’s data center storage and server infrastructure. This cloud-enabling data center infrastructure is coupled with application and service assurance technologies and professional and management services, thus offering an end-to-end cloud services network.

2.1 CLOUD NETWORK ENABLER

As the government transforms its IT infrastructure, the network becomes a key enabler of cloud services delivery. Large numbers of resources residing in multiple locations can be consolidated and managed as a single source to deliver services over high bandwidth with sufficient redundancy for mission critical applications. Through virtualization technologies, layer 2 & layer 3 Virtual Private Networks (VPNs) extend connectivity across the network and virtualize data center resources. Alcatel-Lucent IP/MPLS routers and optical products dynamically connect end users and multiple data centers at the network level so that the users can be optimally served by available computing, storage, and applications resources. This provides transparency and efficient performance without relying on geographic or physical presence to users across customer campuses, thereby extending the virtualized data center network.

Figure 2.1-1 illustrates service transparency between data centers whose resources are pooled across the network. This expands the scope of virtualization by drawing on technologies that are already deployed in ALU service router networks and are based on VPLS (Virtual Private LAN Services) and PBB (Provider Backbone Bridging)/VPLS to massively scale customer VLANs and MAC addresses on the cloud network.

Figure 2.1-1: LGS/ALU Virtual Data Center Connectivity. Optimizes shared capacity & minimizes cost. Figure labels: VM Awareness; Full Multi-Site Virtualization; Service Transparency & Mobility; Ubiquitous Service Access; Dynamic Load Sharing; Scalable Bandwidth; Per Application QoS with Deep Packet Inspection; End-to-End SLAs; Data Center Automation.

Through virtualization technologies, LGS’ cloud infrastructure portfolio creates an agile network fabric that maintains organizational isolation and supports multi-tenancy with carrier-grade 99.999% reliability in a services-oriented architecture.

2.2 DATA CENTER CONNECT (DCC)

Virtualization is a key enabler of cloud computing. By integrating the virtual network with a virtual data center under common management products and services, Alcatel-Lucent offers the Data Center Connect (DCC) solution to yield cost and performance benefits. DCC delivers a scalable solution which interworks physically separate data centers to end users. DCC leverages ALU’s strength in WAN routing, optical transport, and management solutions with automated data center service delivery.

2.3 DCC BUILDING BLOCKS

The DCC building blocks are ALU products, general services and professional services, shown in Figure 2.3-1. The DCC solution infrastructure, coupled with an OEM’s server and storage platforms, offers complete multi-data center fabric, service aware management, and services capabilities.

1. Data Center Fabric

• Optical Transport and Data Center Switching
– 1830 Photonic Service Switch (PSS) portfolio
• SAN extension, bandwidth aggregation
• Virtualization and routing
– Service Router (SR) 7750, SR 7710
• Layer 2 & Layer 3 virtualization for inter-data center machine mobility
• Application Assurance
– Enterprise Switching ESS 7450
• Scalable, MPLS-enabled Ethernet Service Switch
• Intra-data center networking (either ALU or OEM)
– Top of Rack (TOR) – OmniSwitch 6850/6850E (or new OS6900)
– End of Row (EOR) – OmniSwitch 9000E
– Core – OmniSwitch 10K

2. Service Aware Management

• Service Aware Management (SAM 5620) / Service Level Agreements (SLAs) and Quality of Experience (QoE)
• Data Center Automation delivered through Relevance Services

3. Services

• General Services – Engineering, design, integration, installation, maintenance
• Professional Services – Analysis, planning, transitioning to cloud

Figure 2.3-1: LGS/Alcatel-Lucent Data Center Architecture. End-to-end solution.

Figure labels:

• Server/storage block (OEM): Virtualized Blade Servers; Storage
• Interior data center network: Top of Rack (TOR) – OmniSwitch 6850; End of Rack (EOR) – OmniSwitch 9000E; Core – OmniSwitch 10K
• Data center Provider Edge (PE) router/WAN: SR-7750 (Full Service Edge); ESS-7450 (Virtual Data Center Flex Fabric)
• Optics transport: 1830 PSS WDM bandwidth aggregation and SAN extension

2.4 ALU – HEWLETT-PACKARD STRATEGIC ALLIANCE

The DCC solution is designed to work with Hewlett-Packard’s Converged Infrastructure. ALU and HP offer a 10-year+ strategic alliance that brings industry leading technologies and data center products to the market. The alliance combines ALU’s advanced routing and optical solutions with HP’s industry leading server, virtualization, and data center operations. This complementary, multi-vendor approach integrates HP’s interior data center fabric, Storage Area Network (SAN), Server and Local Area Network (LAN) products with ALU’s Wide Area Network (WAN) routers and switches at the edge and optical inter-DC connectivity transport.

The ALU-HP joint architecture applies to not only large data centers, but also to medium and micro-sized data center footprints. Micro-data centers can be placed closer to the end user, which lowers latency between the user and the provider servers and minimizes provider backhaul bandwidth costs. This arrangement offers the same end-to-end, services-oriented network architecture.

Through ALU’s partnership with HP, LGS is able to offer an integrated, end-to-end data center solution. This business model leverages HP’s IT transformation expertise with ALU’s networking leadership along with LGS’ focus to migrate the USG to secure, carrier-grade cloud computing.

ALU-HP ALLIANCE

• Integrated LAN and WAN for end-to-end application delivery
• Integrated supplier relationship: “one-stop shop”
• Enhanced innovation capabilities and service delivery model
• Reduced cost of ownership of infrastructure
• Managed networking and IT services

2.5 DATA CENTER AUTOMATION

Data center automation delivers unified service provisioning and orchestration of the network and the cloud VMs. Data center optimization requires efficiencies to streamline operations and minimize costs. ALU’s Relevance product and services achieve these goals and are incorporated as part of the DCC solution.

Relevance is an automation tool that does both network and VM provisioning through a portal for remote management, billing, and Customer Relationship Management (CRM). Relevance is used extensively to orchestrate and automate the data center connect solution. Figure 2.5-1 illustrates Relevance’s functions in a data center environment.

RELEVANCE BENEFITS

• Integrated management
• Automated provisioning
• Streamlined operations

Figure 2.5-1: Data Center Orchestration & Automation. Portal-based services.

2.6 APPLICATION ASSURANCE (AA)

Application Assurance applies QoS to an application and identifies, monitors, and controls the performance of specific applications within a service group. In layer 2 and layer 3 VPNs, services are organized by major service type. A service aware router views packet loss, roundtrip delay, jitter, QoS, etc. from the context of the service being delivered, and all applications within each service class are treated equally. For instance, in the example shown in Figure 2.6-1, all Business Data applications belong to the same L2 or L3 VPN QoS queue, even though some services are critical to the business while others are discretionary.

An application aware network assigns and controls QoS and other attributes on a per-application group or per-application basis. For example, application aware networks can identify different application groups within the Business Data QoS group, then drill down one step further and identify individual applications within an application group. For instance, the HTTP application group within the Business Data queue contains unique applications such as YouTube and E-learning. By identifying individual applications running over the network, services may be introduced that monitor and control these applications to improve visibility and application performance.

The ALU SR7x50 Service Routers have the ability to perform application level visibility and control through an integrated services adaptor (ISA) that does in-line data processing per application. The Application Assurance – ISA module (AA-ISA) in the SR7x50 supports the following features:

• Per-protocol, per-application, and per-application-group volume statistics
• Volume statistics collected per VPN, between VPN sites, and between servers
• Near real-time application monitoring (per VPN, per site) of individual or aggregated voice/video or TCP flows
• Application “greenwall” to quickly identify applications that drop below enterprise performance thresholds
• Ability to drill down multiple levels for details
• Customizable archive reports

Figure 2.6-1: Application Assurance. Advanced business VPN services.

2.7 SERVICE AWARE MANAGEMENT

Service-aware management is a unique set of integrated layer 2 and layer 3 VPN operations, administration, and management (OA&M) tools for service control of applications and network elements. This product suite simplifies service activation, enables end-to-end service assurance and provides rapid troubleshooting and better reporting capabilities at the network and service layers. This enables the cloud provider to deliver a customer self-care portal for SLA monitoring.

The ALU Service Aware Management portfolio achieves network and service management for cloud services delivery across the network layers, highlighted in Figure 2.7-1.

Figure 2.7-1: Service Aware Management Portfolio. Granular service control of applications, services and transport.

Figure labels:

• 5670 Reporting and Analysis Manager (RAM): Provides collection, warehousing and analysis of application performance and volumetric data.
• 5650 Control Plane CPAM: IP/MPLS management with integrated route and path analytics.
• 5620 Service Aware Manager (SAM): Integrated service and network element FCAPS. Integration with external OSS/BSS systems.

2.8 DATA CENTER INTERCONNECT

As indicated in Section 3.3, inter-data center network virtualization and routing is supported through ALU’s IP service router and Ethernet switching platforms: SR 7750, 7710, and ESS 7450.

The award winning 77x0 Service Router (SR) product family is a suite of multiservice edge routers designed to deliver high-performance, high-availability routing with service-aware operations, administration, management, and provisioning through the 5620 SAM.

The 7750 SR integrates the scalability, resiliency, and predictability of MPLS along with the bandwidth and economics of Ethernet and a broad selection of legacy interfaces, to enable a converged network infrastructure for the delivery of next-generation services. In the data center, the 7750 SR may be deployed as a multiservice edge router for carrier Ethernet and IP VPN business services or as the aggregation router. With support for service-enabled high density 10GigE and 100GigE interfaces, the 7750 SR is also well suited for core routing applications. Available in five chassis variants, the 7x50 SR scales gracefully from 90 Gb/s to 2 Tb/s of capacity, providing cost-effective solutions to address the smallest to the largest locations.

The 7450 ESS is designed to support business VPN services. It integrates the scalability, resiliency, and predictability of MPLS along with the performance and economics of Ethernet, to enable a metro-wide, converged packet aggregation infrastructure using carrier Ethernet to deliver next-generation services.

The 7450 ESS scales carrier Ethernet metros to 100 Gigabit Ethernet and enables seamless evolution from 10 to 100 Gb/s infrastructures. Additionally, with the industry’s most advanced PBB/VPLS implementation, customers have the ability to flexibly deploy either native carrier Ethernet or MPLS-based services and functions in any combination as the network plans require.

Leveraging the carrier-optimized and highly fault-tolerant Service Router Operating System (SR OS), the 7450 ESS provides advanced, highly flexible service-aware QoS, and a robust operations, administration, and maintenance (OA&M) toolkit to enable next-generation service delivery. The 7450 ESS is available in five chassis configurations.

SR/SWITCHING BENEFITS

• High performance, high availability routing
• Service aware
• Scalable, resilient

2.9 INTERIOR DATA CENTER FABRIC

Interior data center fabric may be applied through the current ALU OmniSwitch product portfolio or alternatively through an OEM such as Hewlett-Packard’s DC products. The ALU products include the OmniSwitch 6850 (or 6850E) or the new OmniSwitch 6900 for the Top of Rack (TOR), the OmniSwitch 9000E family for the End of Row (EOR), and the OmniSwitch 10K for the Core.

The Alcatel-Lucent OmniSwitch™ 6850 series is an L2 and L3 high-speed, GigE fixed configuration, stackable LAN switch family with 1GbE and 10GbE interfaces.

The new Alcatel-Lucent Enterprise OmniSwitch 6900 (OS6900) Stackable LAN Switches are compact, high-density 10GbE and 40GbE platforms that offer unmatched versatility. In addition to high performance and extremely low latency, the OmniSwitch 6900 platforms offer extensive QoS, layer 2 and layer 3 switching, as well as system and network level resiliency. Through the use of optional modules, the OmniSwitch 6900 can offer the highest 10GbE port density in its class with up to 64 10GbE ports in a 1U form factor. The OmniSwitch 6900 modularity also allows for up to 640GbE uplink ports. With its benchmark power efficiency, this makes the OS6900 product family the most efficient and versatile switch in its class.

The OmniSwitch™ 9000 (OS9000) products are fully featured, high-performance 10Gigabit Ethernet (10GigE) Chassis LAN switches. The OS9000E delivers wire-rate support of multiple-virtual routing and forwarding (VRF), the foundation for network virtualization in the data center.

The OmniSwitch™ 10K Modular Ethernet LAN Chassis is the first of a new generation of network adaptable LAN switches. This high-capacity, high performance modular switch provides a secure networking environment and meets high availability demands with uninterrupted uptime. It improves application performance and user experience with deep packet buffers, lossless virtual output queuing (VOQ) fabric, and extensive traffic management capabilities. It simplifies layer 2 network deployments and offers scalability to meet current and future bandwidth requirements. The OmniSwitch 10K has a sufficiently high density of wire-speed 10GigE ports (256*10G) and other features that it can eliminate the need for the distribution layer in data centers (or for separate End of Rack switches).

2.10 OPTICAL TRANSPORT

The 1830 Photonic Service Switch (PSS) provides datacenter interconnectivity optical transport with meshed traffic patterns. It is built on Reconfigurable/Tunable Optics (ROADM/TOADM), enabling rapid connectivity setup from months to days.

With a high-density design, the Alcatel-Lucent 1830 PSS goes beyond traditional ROADM architecture limitations by offering a unique, fully tunable and reconfigurable (T&ROADM) 88-channel architecture for any-to-any wavelength switching, and integrates unique wavelength tracking capabilities essential for end-to-end photonic traffic quality assurance and fault localization at the wavelength level. It supports advanced design tools for simplified and automated network lifecycle from planning to commissioning and service activation.

OPTICAL TRANSPORT BENEFITS

• Fully tunable & reconfigurable
• Rapid setup
• E2E photonic quality assurance

3. CLOUD SECURITY

The migration of legacy services to a cloud computing framework must address security issues. LGS offers a secure networked

cloud solution through centralized, integrated threat management. Our ALU network routers (SR7750) and its modular features

(MS-ISA card) mitigate Distributed Denial of Service (DDoS) attacks. This industry-leading, fully networked environment enables

centralized security management to be implemented efficiently as part of our cloud security solution. The following table lists key

cloud security threats with our mitigation approach.

Cloud Security Associated Risks LGS Network Mitigation MechanismsNetwork Virtualization Maintain network security associated

with multi-tenancy, VM isolation, VM

co-residency

Our network architecture deploys industry-

standard technologies to maintain virtualiza-

tion through advanced protocols supported by

our service routers and gateways.

• Technologies include MPLS, Virtual

Private Routed Networks (VPRN), Virtual

Private LAN Services (VPLS) and Provider

Backbone Bridging (PBB).

• PBB is used within the DC while MPLS

and PBB over VPLS are used between DCs

and from DCs to clients to create a highly

available, low-latency fabric.

Authentication & Access Control Manage identities to provide access

control

Our service aware network architecture pro-

vides integrated, centralized policy man-

agement for Unified Communication and

Collaboration (UCC).

• Centralized access control with role-based

identities

• Application quality and policy manage-

ment, end-to-end across the virtualized

enterprise network.

Threat Management Isolation, availability, data corruption Cloud based threat mitigation is achieved by

the ALU SR 7750 Threat Management System

(TMS).

• In partnership with Arbor Networks and

integrated onto the TMS-ISA card, DDoS

attack traffic is removed at the network

edge

• Secure traffic is delivered to the DC across

the IP/Ethernet service network

• Network-wide flow analysis & deep packet

inspection (DPI)

• Massive scale vs. firewall/IPS/IDS systems

1 4

ST RAT EG I C W H I T E PA P E R

ENABLING THE CLOUD FOR THE U.S. GOVERNMENT

Cloud Security: Encryption Key Management
Associated Risks: Identifying proper encryption usage & scalable key management
LGS Network Mitigation Mechanisms: Broadband networks enabling cloud computing depend on optical networks.
• Encrypted Wavelength service is a feature of the ALU 1830 PSS (Photonic Service Switch): AES128
• Key management tool uses a web interface

Cloud Security: Incident Handling
Associated Risks: Detection, reports, remediation
LGS Network Mitigation Mechanisms: Integrated TMS in SR 7750 utilizes incident detection, analysis and reporting from Arbor Networks.
• Incident reports are sent to the Security Operations Center (SOC), which takes action to mitigate the threat.
• Armed with attack fingerprint information, security managers identify the attack, determine the source, analyze the form and mitigate the impact of an attack.

Cloud Security: Data Privacy & Availability
Associated Risks: Confidentiality, storage retention, restoral
LGS Network Mitigation Mechanisms: Data migrated to the cloud has enhanced security because of network features that permit centralized data management, privacy and availability.
• Our optical switching platforms support SAN protocols which provide reliable interfaces to the data center fabric across the enterprise.
• Our carrier-grade IP networks ensure continuity of operations and system reliability for cloud.

Cloud Security: PC Attacks: Malware Pipes
Associated Risks: Infected PCs are referred to as “bots,” with groups of bots controlled centrally and focused on specific attacks referred to as “botnets.”
LGS Network Mitigation Mechanisms: ALU’s integrated SR 7750 TMS-ISA feature identifies & mitigates botnet attacks for network-based DDoS protection.
• Identifies DDoS-related botnets via their network behavior and takes action to stop botnet channels before serious infection of enterprise desktops and servers can begin.
• This removes a significant processing burden on enterprise content filtering appliances/software, leaving them free to focus on identifying and filtering other threats more effectively.


Cloud Security: Secure Internal Data Center Fabric and User Access to the Network
Associated Risks: Spoofing, DDoS, isolation
LGS Network Mitigation Mechanisms: Integrated security features of ALU OmniSwitch reside within the DC and at user access to the networked DC.
• Authentication methods such as MAC, 802.1x and web
• Denial of Service Defense
• Automatic Quarantine Management
• User Network Profiling
• Traffic Anomaly Detection (IDS)
• User port spoofing protection
• Spanning protection mechanism
• Network Access Control
• Host Integrity Check with Cyber Gatekeeper (validates endpoint compliance with security policies)


4. SUMMARY

LGS Innovations offers the U.S. Federal Government an agile cloud infrastructure that achieves IT efficiencies, minimizes costs, and optimizes performance through industry-standard virtualization technologies. The key building blocks of our solution are the network infrastructure with integrated threat management, the virtualized data center, application assurance technology, and unified service orchestration. Our cloud solution leverages innovations from the commercial enterprise market and supports these critical operational and management criteria for our U.S. government customers. These include secure multi-tenancy, data portability, virtual machine mobility, infrastructure scalability, low-latency/high bandwidth fabric, unified service management and reduced power dissipation. The LGS cloud infrastructure is supported by our professional services teams to smoothly transition the customer to the cloud and by our deployment services teams to provision, integrate, and maintain the systems.

The U.S. Federal Government turns to LGS Innovations to research, develop and deploy networking and communications solutions for its missions around the world, trusting the company to address its most challenging communications needs. LGS Innovations is the U.S. Federal Government’s one-stop shop for any network need – from infrastructure requirements such as trenching and cabling, to network architecture and network operations, to Systems Engineering and Technical Assistance (SETA) consulting and product-only solutions.

ABOUT LGS INNOVATIONS

LGS Innovations delivers next generation solutions that solve the most complex networking and communications challenges facing the U.S. Federal Government, State and Local Governments, Foreign Governments, and commercial enterprises. LGS offers groundbreaking research and development and builds advanced wireless, optical, and wired products and applications customized for specific mission environments. These solutions provide unique information and security advantages that lead to the operational success of its customers. LGS’ offerings include:

» Campus and building networking solutions for military bases, hospitals, and corporate centers
» Maritime applications for in-port and at sea communications
» Global networks (long-haul communications, including undersea cable)
» Enterprise voice, video, and data networking
» 4G wireless deployable communications for public safety, battlefield, and emergency and first responder communities
» Network engineering, integration, and installation
» Cloud and data center infrastructure
» Video teleconferencing and IPTV suites
» Research and development in advanced multimedia/RF communications, cybersecurity, sensing technologies, and photonics

LGS Innovations is a U.S.-owned company headquartered in Herndon, Virginia, with offices in Colorado, Illinois, Maryland, New Jersey, New Mexico, and North Carolina. Formerly a subsidiary of Alcatel-Lucent, LGS is the exclusive reseller of Alcatel-Lucent products and services to the U.S. Federal Government and any other entity when the end customer is the U.S. Federal Government. LGS maintains strong ties to Bell Labs and its technologies, employing more than 450 scientists and engineers and a total of nearly 700 employees worldwide. To learn more about LGS Innovations, visit www.lgsinnovations.com.

© 2014 – LGS INNOVATIONS LLC - ALL RIGHTS RESERVED

LGS, LGS INNOVATIONS, AND THE LGS INNOVATIONS LOGO ARE TRADEMARKS OF LGS INNOVATIONS LLC.

5. GLOSSARY

AA-ISA Application Assurance-Integrated Service Adapter
CPAM Control Plane Assurance Manager
CRM Customer Resource Management
DCC Data Center Connect
EoR End of Row
ESS Ethernet Service Switch
FCoE Fiber Channel over Ethernet
HP Hewlett-Packard
IP Internet Protocol
LAN Local Area Network
MAC Media Access Control
MPLS Multiprotocol Label Switching
OA&M Operations Administration & Maintenance
PBB Provider Backbone Bridging
PE Provider Edge
PSS Photonic Service Switch
QoS Quality of Service
RAM Reporting and Analysis Manager
ROADM Reconfigurable Optical Add Drop Multiplexor
SAM Service Aware Manager
SAN Storage Area Network
SLA Service Level Agreement
SR Service Router
TMS-ISA Threat Management System – Integrated Service Assurance
TOADM Tunable Optical Add Drop Multiplexor
ToR Top of Rack
VLAN Virtual Local Area Network
VOQ Virtual Output Queuing
VPLS Virtual Private LAN Services
VPRN Virtual Private Routed Networks
VRF Virtual Routing & Forwarding
WAN Wide Area Network