VolNet2

Bill White

Network Services

September 20, 2004 OIT Fall Staff Meeting

Why Volnet2?

• Based on the Security Assessment findings• Insecure protocols are widely used• Insecure protocols used on the wireless network

for financial transactions• Proliferation of virus activity• Lack of network authentication

September 20, 2004 OIT Fall Staff Meeting

Goals for Volnet2

• Provide a layered approach to security • Encourage use of secure protocols and anti-virus software• Apply filtering per port for every customer• Continue anti-spoofing access control in the core• Provide virus and DoS protection at our borders• Continue to filter TCP/UDP ports at our border• Provide a more redundant firewall solution for server

sanctuaries and special applications• Upgrade our Wireless infrastructure

September 20, 2004 OIT Fall Staff Meeting

Core Upgrades

• New supervisor modules provide 10 Gbps core connections

• IPv6 will be implemented campus-wide• SNMPv3 supported for secure communications

with HP OpenView• Redundant supervisor modules installed on OIT

core server switch• Mitigation of DoS attacks on core routers

September 20, 2004 OIT Fall Staff Meeting

Intrusion Prevention Systems

• Blocks virus-related traffic at wirespeed• Blocks common attacks like DoS• Digital Vaccines are automatically updated

(sometimes faster than McAfee)• 2 Gbps throughput • Will be placed on the dorm network between the

Internet and the rest of campus• Will be placed on the Faculty/Staff network

September 20, 2004 OIT Fall Staff Meeting

Firewalls

• New Juniper/Netscreen firewalls were installed November 18

• Firewalls are ASIC based with 12 Gbps performance and can process 1,000,000 concurrent sessions

• Can support 24 Gigabit or 72 10/100 ports• Firewalls will support the SAP/IRIS subnet, OIT

server segments, and other special projects• Redundancy (core routers via HSRP, firewall

chassis via NSRP, interfaces, and new switch redundancy)

September 20, 2004 OIT Fall Staff Meeting

Wireless Upgrades

• Rogue Access Point detection• 802.1x network authentication for those Operating

Systems that support it (gateways used for others)• Encrypted traffic from the client to the AP• “G” kit upgrade will double the capacity• Wireless network will be segmented• The project started on October 1 and ends Jan. 12

September 20, 2004 OIT Fall Staff Meeting

Building Rewires

• Buildings that still have COAX cabling will be rewired as originally mandated by the first Volnet project

September 20, 2004 OIT Fall Staff Meeting

Edge Switch Upgrades

• Can provide 1 Gbps to desktops in high traffic buildings

• SNMPv3 supported for secure communications with HP OpenView

• Can apply ACLs to every Ethernet port on campus to help control virus activity and machines from becoming the gateway

• BPDU Guard to block PCs from bridging wireless and the wired network

• 802.1x network authentication can be implemented for those Operating Systems that support it

• Can apply per port rate-limiting on P2P applications

September 20, 2004 OIT Fall Staff Meeting

Time Line

• The wireless upgrade has already started and will finish in December

• The Netscreen firewalls were installed this past week

• Intrusion Prevention Systems will be installed in January

• The new supervisor modules for our core routers will be installed in December

• 2 new core nodes will be purchased and installed in June of 2005

September 20, 2004 OIT Fall Staff Meeting

Time Line continued

• The edge switch installations will start in November of this year and will take approximately 20 months to complete

• Additional firewalls will be installed as required by special security projects

• Building rewires will continue for several years

September 20, 2004 OIT Fall Staff Meeting

Questions or Concerns

• Check the Volnet2 site @ volnet2.utk.edu

• Send email to volnet2@utk.edu