© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1
Speaker Name
Shared Infrastructure Architecture for Government
Disclaimer
The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products.
The software license and limited warranty for the accompanying product are set forth in the information packet that shipped with the product and are incorporated herein by this reference. If you are unable to locate the software license or limited warranty, contact your Cisco representative for a copy.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, regents of the University of California.
Notwithstanding any other warranty herein, all document files and software of these suppliers are provided “as is” with all faults. Cisco and the above-named suppliers disclaim all warranties, expressed or implied, including, without limitation, those of merchantability, fitness for a particular purpose and noninfringement or arising from a course of dealing, usage, or trade practice.
In no event shall Cisco or its suppliers be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Cisco or its suppliers have been advised of the possibility of such damages.
Agenda
Shared Infrastructure in Government
Cisco’s Vision for Shared Infrastructure in Government
The Architecture
Shared Data Center Services
Shared Security Services
Shared Infrastructure Management
Case Studies
Why Cisco?
Next Steps
Q and A
Shared Infrastructure in Government
Government Drivers for Change
Share infrastructure
• Enable sharing of physical resources and equipment across agencies to reduce costs
• Control, enhance, and secure network access
• Simplify management and reconfiguration
Share information
• Ensure new applications are built based on constituent needs
• Improve operational efficiency by providing access to critical information
• Foster communications to support delivery of constituent services, agency collaboration, and joint operations
Share services
• Consolidate common government services to enhance operational efficiency
• Enable creation of centers of excellence to provide services
Citizen-centered, outcome-focused
What Does Shared Infrastructure in Government Look Like?
[Diagram: the Agricultural Dept, Farm Services, and Food and Safety share one network. Headquarters, branch, and remote-worker sites connect over an IP WAN and VPN; the two data centers (server consolidation, web servers) are linked over a DWDM network.]
What Are the Benefits?
Supports uniform security management and control
Reduces costs
Improves efficiency and enables greater productivity
Improves flexibility
Technical Requirements
Achieving a Complete Shared Infrastructure Solution
1. Shared data center services
2. Shared security services
3. Shared infrastructure network management
Cisco’s Vision for Shared Infrastructure in Government
Cisco Intelligent Information Network: Three-to-Five-Year Vision
[Diagram: IP networking adoption plotted against time, rising through three stages.]
Stage 1: Integrated transport (Shared Infrastructure). Intelligent movement of data, voice, and video. Create a converged, unified network by standardizing and sharing resources.
Stage 2: Integrated services (Shared Information). Virtualized networking resources. Consolidate resources and provide access to critical information.
Stage 3: Integrated applications (Shared Services). Application-enabling services. Deliver sustained high-quality public services.
Phased Evolution to Infrastructure Sharing in Government
[Diagram: business value plotted against successive stages of sharing, each stage adding services.]
Intra-Agency Collaboration: Security Services, Voice Collaboration Services
Intra-Agency Mobility (Interoperability): Security Services (VPN), Mobility Services
Interagency Collaboration: Voice Collaboration Services (VPN), Security Services, Identity Services
Interagency Infrastructure Sharing: Application Delivery Services, Virtualization
Interagency Services Sharing and Information Sharing: Application Protocol Optimization
Operational Effectiveness and Efficiency
A Phased Approach
Phase | Technology | Shared or Dedicated Across Agencies | Description
1 | Time-Division Multiplexing (TDM) | Dedicated | Current state of the network, characterized by “siloed” TDM technologies
2 | IP Network | Dedicated | First step in migration from TDM technologies to IP-enabled infrastructure, building the foundation for transformation
2 | IP Communications | Dedicated | Cisco Unified Communications, including voicemail, conferencing, rich-media communication, and extension mobility
2 | IP Contact Center | Dedicated | Cisco Unified Contact Center to deliver intelligent call routing and call treatment
2 | Self-Defending Network Security | Dedicated | Enable each site with the security needed to maintain the business
2 | Intelligent Routing | Dedicated | Site-to-site VPN with IPsec for encryption when required; DCN for out-of-band management; QoS to ensure the site-to-site experience is equal to the experience of a single location
2 | Mobility | Dedicated | Enable mobile IP to support the mobile workforce
3 | Data Center | Dedicated | Consolidate data center into a centralized environment
A Phased Approach (continued)
Phase | Technology | Shared or Dedicated Across Agencies | Description
4 | Intelligent Routing | Shared | Enable virtualization and segmentation of the intelligent routing layer
4 | Self-Defending Network Security | Shared | Virtualize security features
4 | Data Center | Dedicated | Enable data center consolidation with the server and storage fabric
5 | IP Communications | Shared | Enable Cisco Hosted Unified Communications to truly virtualize IP Communications
5 | IP Contact Center | Shared | Enable the Cisco Hosted Unified Contact Center to virtualize the IP contact center
5 | Data Center | Shared | Consolidate data center function across multiple agencies and introduce application acceleration and load balancing
6 | Data Center | Shared | Virtualize data center function across multiple agencies and introduce application protocol optimization/translation
6 | Intelligent Routing | Shared | Enable virtualization and segmentation of the intelligent routing layer
6 | Self-Defending Network Security | Shared | Virtualize security features
Service-Oriented Network Architecture Achieves an Intelligent Network
Traditional Architecture and Service-Oriented Architecture
[Diagram: three layers, read bottom to top, set against the sharing stages (infrastructure sharing, information sharing, services sharing, collaboration layer).]
Application Layer: business applications (PLM, CRM, ERP, HCM, Procurement, SCM) and collaboration applications (Instant Messaging, Unified Messaging, MeetingPlace, IPCC, IP Phone, IP/TV®)
Interactive Services Layer: application-enhancing services, collaboration-enhancing services, and infrastructure-enhancing services (Security Services, Mobility Services, Storage Services, Voice Services, Computer Services, Identity Services); Network Virtualization Services; Adaptive Policy
Networked Infrastructure Layer: places in the network (Campus, Branch, Data Center, Teleworker, MAN/WAN) built on servers, storage, and devices
The Architecture
Architecture Framework
Three functional areas map to access control, path isolation, and services edge.
[Diagram: the Agricultural Department, Food and Safety Department, and Farm Services Department each traverse the three areas; path isolation is built from GRE, MPLS, and VRFs.]
Function | Where | Steps
Access Control | Branch, Campus | 1. Identify and authenticate client; 2. Isolate into a segment; 3. Grant/prevent access
Path Isolation | WAN, MAN, Campus | 1. Map client VLAN to transport technology; 2. Transport client traffic through isolated path; 3. Terminate isolated path at destination edge
Services Edge | Data Center, Campus | 1. Map isolated path to destination VLAN; 2. Apply policy at VLAN entry point; 3. Isolate application environments
Access Control
Objective: Authenticate users or devices logging onto the network
Process:
• Identify endpoints
• Authorize onto the network through port activation
• Associate endpoint to specified user group
Primary authentication scenarios:
• Client-based authentication for endpoints with client software
• Clientless authentication for endpoints without client software
Path Isolation
Objective: Isolate traffic so that users only have access to designated data and resources
Process: Using separate Layer 2 domains to logically isolate traffic negates the scalability and modularity benefits of a hierarchical network design. Alternatively, traffic separation can occur in the Layer 3 domain, using one of:
• Distributed access control lists (ACLs)
• Overlay of GRE tunnels interconnecting VRFs
• VRFs at every hop interconnected with VLAN trunks
• MPLS/BGP VPNs
[Diagram: GRE, MPLS, and VRFs as the path isolation building blocks.]
Services Edge
• Provides mechanisms required for users from different groups to securely access common services
• Provides access to user-group-specific services
• Provides logical connectivity and security mechanisms over shared facilities
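The three functions of the framework (access control, path isolation, services edge), as an added example that is not part of the Cisco deck: IOS configuration for an access switch, a campus WAN router, and the data center edge router. Path isolation uses VRF-lite with a GRE overlay, one of the Layer 3 options listed under Path Isolation. Agency and VRF names, VLAN IDs, every address, the RADIUS shared secret, the RADIUS-returned VLAN attributes, and the tunnel endpoints are assumptions chosen for the example, and the services-edge policy is applied with an ACL at the VLAN entry point rather than with per-VPN firewall contexts.

```cisco
! Added example (not from the Cisco deck).  Names, VLAN IDs, addresses, the
! RADIUS secret and the tunnel endpoints are assumptions chosen for illustration.
!
! ===== 1. Access control: access switch =====
! 802.1X identifies the endpoint; RADIUS answers with the agency VLAN in the
! Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, which
! is what places the client into its segment.  Endpoints with no supplicant
! are identified by MAC address (the clientless case); anything that fails
! lands in a guest VLAN that has no interface in any agency VRF.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.255.0.20 auth-port 1812 acct-port 1813 key AssumedSecret
dot1x system-auth-control
interface GigabitEthernet1/0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x mac-auth-bypass
 dot1x guest-vlan 999
!
! ===== 2. Path isolation: campus WAN router (VRF-lite + GRE overlay) =====
! Each agency VLAN is bound to its own VRF, and the WAN hop is a GRE tunnel in
! the same VRF, so agency prefixes never enter the global table or each other's
! table.  The global table carries only the underlay (the loopbacks).
ip vrf AGRI
 rd 65000:110
ip vrf FOOD
 rd 65000:120
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface Vlan110
 ip vrf forwarding AGRI
 ip address 10.110.1.1 255.255.255.0
interface Vlan120
 ip vrf forwarding FOOD
 ip address 10.120.1.1 255.255.255.0
interface Tunnel110
 ip vrf forwarding AGRI
 ip address 172.16.110.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
interface Tunnel120
 ip vrf forwarding FOOD
 ip address 172.16.120.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
! Each VRF knows one way to the shared services prefix: its own tunnel.
ip route vrf AGRI 10.200.1.0 255.255.255.0 Tunnel110
ip route vrf FOOD 10.200.1.0 255.255.255.0 Tunnel120
!
! ===== 3. Services edge: data center edge router =====
! The tunnels terminate in the matching VRFs.  Vlan200 is a global-table
! transit link to the shared services firewall at 10.200.0.2, which fronts
! the services subnet 10.200.1.0/24.  One static route per VRF leaks only that
! prefix, with the next hop resolved in the global table; return routes point
! back into the point-to-point tunnels.  Neither VRF ever learns the other's
! prefix, so AGRI hosts cannot reach FOOD hosts through this edge.  Policy is
! applied where tenant traffic enters Vlan200, per agency and per service.
ip vrf AGRI
 rd 65000:110
ip vrf FOOD
 rd 65000:120
interface Loopback0
 ip address 192.0.2.2 255.255.255.255
interface Tunnel110
 ip vrf forwarding AGRI
 ip address 172.16.110.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
interface Tunnel120
 ip vrf forwarding FOOD
 ip address 172.16.120.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
ip route vrf AGRI 10.200.1.0 255.255.255.0 10.200.0.2 global
ip route vrf FOOD 10.200.1.0 255.255.255.0 10.200.0.2 global
ip route 10.110.1.0 255.255.255.0 Tunnel110
ip route 10.120.1.0 255.255.255.0 Tunnel120
ip access-list extended SERVICES-EDGE
 remark AGRI may use the shared DNS and the shared portal only
 permit udp 10.110.1.0 0.0.0.255 host 10.200.1.10 eq domain
 permit tcp 10.110.1.0 0.0.0.255 host 10.200.1.20 eq 443
 remark FOOD may use the shared DNS and the shared mail relay only
 permit udp 10.120.1.0 0.0.0.255 host 10.200.1.10 eq domain
 permit tcp 10.120.1.0 0.0.0.255 host 10.200.1.30 eq smtp
 deny ip any any log
interface Vlan200
 ip address 10.200.0.1 255.255.255.252
 ip access-group SERVICES-EDGE out
```

The check a practitioner makes after applying this is on the edge router: show ip route vrf AGRI must contain the 10.200.1.0/24 services prefix and nothing from 10.120.0.0/16, and the global show ip route must contain only the underlay, the transit link, and the two return routes into the tunnels. If a FOOD prefix ever appears in AGRI's table, isolation has been broken by a leak somewhere along the path, and the services-edge ACL is then the only thing standing between the two agencies.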
Services Edge in Action
[Diagram: VPN A, VPN B, VPN C, and VPN D arrive from the campus core at a PE router. Each VPN terminates on its own virtual firewall (VFW) context on the firewall that fronts the shared services block; an optional Internet edge router connects the Internet. The VPNs belong to the Agricultural Department, Food and Safety Department, and Farm Services Department.]
Shared Data Center Services
Virtualized Data Center Architecture
Shared Data Center Services
[Diagram: the Agriculture Department, Food and Safety, and Farm Services data centers are consolidated behind a Layer 3 switch with network management, an intrusion prevention detector, a PIX firewall, SSL, and a VPN concentrator. City A (Agricultural Department 500 employees, Food and Safety 200, Farm Services 30) and City B (Agricultural Department 100, Food and Safety 200, Farm Services 10) connect over the wide area network.]
A Center of Excellence Facilitates the Shared Data Center Approach
• Provides scalability, availability, and reliability
• Reduces management/operational needs and costs of the data center
• Ensures network and asset security through specialized products and best-practice designs
• Uses segmentation to allow agencies to share partitioned/authorized assets
• “Virtualizes” more assets into the data center and offloads management of onsite gear
• Builds intelligence into the application infrastructure
An IT-enabled hub facility that enables a secure shared infrastructure and delivers a uniform, cost-effective set of shared services to multiple agencies
Data Center Architecture Overview
[Diagram: the campus core connects to the data center core, aggregation, and access layers (servers), with a separate storage access and core; a GE data center interconnect runs over DWDM, Metro Ethernet, SONET/SDH, and WAN networks.]
Simplified components of the shared data center architecture are shown here to explore the specific requirements of a well-designed shared data center for multiple agencies.
Shared Data Center Architecture
Benefits of a Shared Data Center Architecture
• Network building blocks offer the flexibility to compose a network suited to the size of the organization, covering core, aggregation, access, and DC interconnect; Layer 2 and Layer 3 designs; high availability and clustering; virtualization and segmentation; intelligence; and security.
• Server fabric provides the performance and control necessary to access the applications and servers in a shared data center.
• SAN fabric handles the connectivity in the data center from the network to the storage farms by combining the core and edge layers, reducing complexity and driving more effective use of ports.
Shared Security Services
Security Is a Process, Not a Product
Cisco’s Self-Defending Network Ensures Security Is Proactive and Pervasive
[Diagram: a continuous cycle around the agency security policy: Secure, Monitor and Respond, Test, Manage and Improve.]
Managing Security Risks Better Through Shared Infrastructure
Source: Forrester Trends 2005: Risk and Compliance Management; October 25, 2004
[Chart: the sophistication of hacker tools rises from low to high between 1980 and 2000 while the technical knowledge required falls. Milestones include password guessing, self-replicating code, password cracking, disabling audits, hijacking sessions, exploiting known vulnerabilities, sniffers, packet forging/spoofing, back doors, sweepers, stealth diagnostics, DDoS, and new Internet worms.]
Governments seek a formalized, consistent approach to managing information risk and compliance requirements across the entire organization.
Default Security Policy in a Shared Infrastructure System
• Control does not have to be relinquished to maintain security policies and requirements.
• Security does not have to be compromised or minimized to offer a shared infrastructure environment.
• Each network tenant can adopt its own specific security requirements.
• Once traffic is segmented, it is transported virtually, separate from other tenants’ traffic. That isolation in transit is the baseline; access to shared services is still governed by the policy applied at the services edge.
Examples of Security Options for the Shared Infrastructure System
Security Services
Feature | Product | Benefits
Stateful firewall | Cisco IOS Stateful Firewall | Stateful firewall engine; threat detection and prevention; URL filtering support; voice traversal; multimedia applications; advanced applications; AAA integration
Intrusion protection | Cisco IOS IDS | Over 100 signatures; enhanced performance; inline operation (shunning); alarm management
Intrusion protection | IDS Network Module | 45 Mbps on a separate processor; full signature set (more than 850); response actions; alarm management
Examples of Security Options for the Shared Infrastructure System, cont’d
Security Services
Feature | Product | Benefits
Intrusion protection | Security Proxy (Content Engine Network Module) | AAA support; worm blocking; anti-virus proxy
Trust and identity | CNS bootstrap call home | Public key infrastructure (PKI) support; management tunnel; secure RSA private key; PKI and AAA integration; DNS secured IP address assignment
URL filtering | Content Engine Network Module | Integrated SmartFilter URL filtering; interoperability with N2H2 and WebSense URL filters
Examples of Security Options for the Shared Infrastructure System, cont’d
Network Integration
Feature | Benefits
Dynamic multipoint VPN (DMVPN) | Virtual full mesh; on-demand spoke-to-spoke tunnels; dynamic discovery of spoke-to-hub tunnels; QoS and multicast support
Tiered DMVPN | Enhanced scalability
IPsec-to-MPLS integration | VRF-aware IPsec
IPsec NAT transparency | Allows encrypted IPsec traffic to traverse Network Address Translation (NAT) or Port Address Translation (PAT) devices
High availability | IPsec stateful failover
V3PN | Multiservice-centric quality of service (QoS); support for diverse traffic types; support for multiservice network topologies; enhanced network failover capabilities
Examples of Security Options for the Shared Infrastructure System, cont’d
Management
Feature | Benefits
IP Solutions Center (ISC) | Policy-based management; multiple VPN deployments; PKI-based end-to-end authentication and audit checks; device abstraction layer; hub-and-spoke, full and partial mesh topologies; design and deployment of complex firewall rules; integrated routing (Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP)); automated provisioning of failover and load balancing; QoS provisioning; massive NAT configuration deployment; service provisioning
CiscoWorks VPN/Security Management System (VMS) | Policy-based management; combines Web-based tools for configuring, monitoring, and troubleshooting enterprise VPNs, firewalls, and network and host-based IDS; device hierarchy and policy inheritance; auto update feature; centralized, role-based access control so that different groups have different access rights across devices and applications; integrated monitoring of Cisco PIX and Cisco IOS syslogs and of events from network and host-based IDS, with event correlation
Shared Infrastructure Management
Shared Infrastructure Management
Network management architecture is implemented either:
• In-band, using the data path
• Out-of-band, using a separate network management infrastructure
Processes that facilitate management of the infrastructure:
• Configuration management
• Security management
• Event management
• Address management
• Application management
• Asset management
Data Communications Network
Dedicated “management” network
• Out-of-band management network provides connectivity between the EMS and NMS/OSS systems
• Accomplished by a physically separate link or a VPN tunnel
• Provides various levels of security, including physical separation of data and encryption
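The out-of-band option above, as an added example that is not part of the Cisco deck: the management plane of one IOS router pinned to the DCN through a dedicated interface in its own VRF. The MGMT VRF name, the DCN interface, the NOC prefix, the SNMPv3 user and passphrases, and the host addresses are assumptions chosen for the example.

```cisco
! Added example (not from the Cisco deck); VRF name, interface, NOC prefix,
! SNMPv3 credentials and host addresses are assumptions.
!
! The DCN interface lives in its own VRF.  With in-band management the vty,
! SNMP and syslog would be reachable from every tenant VRF that holds a route
! to a router address; here they are reachable only through this interface.
ip vrf MGMT
 rd 65000:1
interface FastEthernet0/0
 description DCN (out-of-band management)
 ip vrf forwarding MGMT
 ip address 10.255.1.11 255.255.255.0
ip route vrf MGMT 10.255.0.0 255.255.0.0 10.255.1.1
!
! Sessions are accepted from the NOC prefix only, and only over SSHv2.  The
! vrf-also keyword is what lets the access-class admit sessions that arrive on
! a VRF interface; without it the router refuses them outright.
! One-time exec command, not configuration: crypto key generate rsa modulus 2048
hostname dc-edge-1
ip domain-name example.gov
ip ssh version 2
ip access-list standard NOC-ONLY
 permit 10.255.0.0 0.0.255.255
 deny any log
line vty 0 4
 access-class NOC-ONLY in vrf-also
 transport input ssh
 exec-timeout 10 0
!
! SNMP, syslog and NTP are bound to the MGMT VRF so management traffic never
! crosses a tenant path, and SNMPv3 authPriv replaces the cleartext community
! strings that SNMPv1/v2c would carry in band.
snmp-server view NOC-VIEW iso included
snmp-server group NOC-GROUP v3 priv read NOC-VIEW
snmp-server user nmsuser NOC-GROUP v3 auth sha AssumedAuthPass priv aes 128 AssumedPrivPass
snmp-server host 10.255.0.10 vrf MGMT version 3 priv nmsuser
snmp-server enable traps snmp authentication linkdown linkup
snmp-server enable traps config
logging host 10.255.0.10 vrf MGMT
ntp server vrf MGMT 10.255.0.1
```

The DCN-over-VPN variant the slide mentions changes only the first stanza: the MGMT VRF then sits behind an encrypted tunnel instead of a physical link, and the vty, SNMP and logging configuration stays the same.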
Data Communications Network
Three-Tiered Structure
• Access: Found at each office to provide connectivity to its respective switching/distribution center. Within this tier are configurations for small, medium, and large central offices.
• Central Office Distribution: Located around the backbone to provide symmetric connectivity to main offices.
• Backbone: Contains WAN switches that form a core or transport function.
Cisco’s Data Communications Network
[Diagram: Operations Support Systems (OSS) in the Network Operations Center (NOC), on workstations and a mainframe or mini, reach the network elements (NE) across the DCN. OSS-to-NE connectivity runs over IP/OSI, async, X.25 (XOT), Frame Relay, ATM, and T1/E1, through a gateway network element (GNE), an ADM, dial, or an ISR 3303. Network elements include SONET/SDH and DWDM, transmission systems (SLC, IDLC, FITL, FOTS), DSL, ATM, alarm units, voice, digital cross-connect, Frame Relay, and SS7 STP.]
Case Studies
FDA—White Oak, Maryland
Challenge:
• Deploy an IT system that enhances the collaborative nature of the new campus environment of 8 FDA centers
• Cost-effectively support collaboration and employee movement throughout the campus
Solution:
• Unified Communications (video and audio conferencing, web collaboration)
• Converged, shared network infrastructure for all FDA centers throughout the campus
Projected Benefits:
• Reduced administration and operating costs
• Improved productivity through collaboration
http://www.washingtontechnology.com/news/21_3/emerging-tech/27962-1.html
Texas 2-1-1 Information and Referral Network
Challenge:
• Reduce costs by converging redundant voice and data systems
• Establish a referral operator who will direct callers to appropriate government organizations
Solution:
• IP network builds upon the existing statewide virtual 2-1-1 call-center solution as a single point of entry
Benefits:
• Citizens can call 2-1-1 for any social or non-emergency healthcare issue at any time
• Annual cost savings exceed $600,000
“Considering that our annual budget for the program is $6.3 million, [$600,000] is a significant savings.”
Judy WindlerTexas Health and Human Services Commission
Defense Information Systems Agency: DVS II
Challenge:
• Implement a common infrastructure that provides voice, video, and Web collaboration across all defense agencies
Solution:
• Cisco® collaboration applications and SONA voice and collaboration
Benefits:
• Videoconferencing that meets critical security criteria, providing commanders the information and situational awareness they need to plan, execute, and manage military operations
• Scalable, robust videoconferencing solution and architecture
izn in Lower Saxony, Germany
Challenge:
• Increase data-storage facilities
• Decrease operating costs and standardize operations
• Use IP-based technologies within the SAN environment to offer more cost-effective services
Solution:
• Cisco® Business-Ready Data Center deployed across two separate data centers
• Data center is accessible via iznNet
Benefits:
• Reduced overhead costs
• Optimized network availability
• IP-based protocols allow lower-cost service options
“The Cisco® Business-Ready Data Center model provides a high level of robustness which other suppliers still have to achieve.”
Herr Erik Krez, izn
Why Cisco?
Distinguishing Cisco from the Competition
Enables responsive, citizen-centric environments through:
• Unmatched technical expertise
• Unrivaled partnerships
• Industry-leading, interoperable, standards-based solutions
• Cisco® Capital finance programs
Cisco Offers a Flexible, Scalable Approach
• Modular network deployment based on integrated components
• Customized design based on proven best practices
• Optimal performance
• Continuously expanding functionality
• Easily scalable architecture
Cisco Is the Networking Pioneer
Driven networking standards:
• Quality of service: allows separate services to fairly share IP networks
• Power over Ethernet: powers end devices from the network
• Session Initiation Protocol: builds unified networks
Find Out More
For more information about Cisco’s shared infrastructure solutions, contact TBD or visit TBD
Note to client: Placeholder slide. Please provide info.
Next Steps
Next Step: Connected Government Workshop
[Diagram: the phased evolution chart again, business value rising through Intra-Agency Collaboration, Intra-Agency Mobility (Interoperability), Interagency Collaboration, Interagency Infrastructure Sharing, Interagency Services Sharing and Information Sharing, and Operational Effectiveness and Efficiency, with the associated security, voice collaboration, mobility, identity, application delivery, virtualization, and application protocol optimization services; alongside it, the PPDIOO Lifecycle Services path: Workshop, Strategy, Solution Accelerator, Experience, Proposal.]
• Analyze the business or technology challenge and create a solution architecture.
• Develop a proof-of-concept in the Experience step that demonstrates the feasibility of the proposed solution.
• Create a proposal for a SONAsphere engagement based on the PPDIOO Lifecycle.
Q and A