Shared Infrastructure Architecture for Government · course of dealing, usage, or trade practice. In no event shall Cisco or its suppliers be liable for any indirect, special, consequential,

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1

Speaker Name

Shared Infrastructure Architecture for Government


Disclaimer

The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products.

The software license and limited warranty for the accompanying product are set forth in the information packet that shipped with the product and are incorporated herein by this reference. If you are unable to locate the software license or limited warranty, contact your Cisco representative for a copy.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, regents of the University of California.

Notwithstanding any other warranty herein, all document files and software of these suppliers are provided “as is” with all faults. Cisco and the above-named suppliers disclaim all warranties, expressed or implied, including, without limitation, those of merchantability, fitness for a particular purpose and noninfringement or arising from a course of dealing, usage, or trade practice.

In no event shall Cisco or its suppliers be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Cisco or its suppliers have been advised of the possibility of such damages.


Agenda

Shared Infrastructure in GovernmentCisco’s Vision for Shared Infrastructure in GovernmentThe ArchitectureShared Data Center ServicesShared Security ServicesShared Infrastructure ManagementCase StudiesWhy Cisco?Next StepsQ and A


Shared Infrastructure in Government


Government Drivers for Change

Share infrastructure Share information Share services

Enable sharing of physical resources and equipment across agencies to reduce costs

Control, enhance, and secure network access

Simplify management and reconfiguration

Ensure new applications are built based on constituent needs

Improve operational efficiency by providing access to critical information

Foster communications to support delivery of constituent services, agency collaboration, and joint operations

Consolidate common government services to enhance operational efficiency

Enable creation of centers of excellence to provide services

Citizen-centered Outcome-focused


What Does Shared Infrastructure in Government Look Like?

Agricultural DeptFarm ServicesFood and Safety

Branch

RemoteWorkerHeadquarters

Data Center

Data Center

Server Consolidation

Web Servers

DWDMNetwork

IP WAN

Web Servers

VPN

Agricultural DeptFarm ServicesFood and Safety


What Are the Benefits?

Supports uniform security management and control

Reduces costs Improves efficiency and enables greater productivity

Improves flexibility


Technical RequirementsAchieving a Complete Shared Infrastructure Solution

Shared data center services

Shared security services

Shared infrastructure network management

1 2 3


Cisco’s Vision for Shared Infrastructure in Government


Integratedtransport

Integratedservices

VirtualizedNetworking Resources

Stage 2 Stage 3

Integratedapplications

Intelligent Movement of Data, Voice,and Video

Stage 1

Deliver sustained high-quality public services

Consolidate resources and provide access to critical information

Time

Shared Shared InfrastructureInfrastructure

Shared Shared InformationInformation

Shared Shared ServicesServices

IP N

etw

orki

ng A

dopt

ion

Create converged, unified network by standardizing and sharing resources

Application-Enabling Services

Cisco Intelligent Information Network: Three-to-Five-Year Vision


Interagency Collaboration

Security ServicesVoice Collaboration Services

Security Services (VPN)Mobility Services

Voice Collaboration Services (VPN)Security ServicesIdentity Services

Application Delivery ServicesVirtualization

Application Protocol Optimization

Interagency Infrastructure

Sharing

Interagency Services Sharing and Information

Sharing

Operational Effectiveness and Efficiency

Bus

ines

s Va

lue

Intra-Agency Collaboration

Intra-Agency Mobility

(Interoperability)

Phased Evolution to Infrastructure Sharing in Government


A Phased ApproachPhase Technology Shared or

Dedicated Across Agencies

Description

1 Time-Division Multiplexing (TDM)

Dedicated Current state of the network characterized by “siloed” TDM technologies

IP Network Dedicated First step in migration from TDM technologies to IP-enabled infrastructure, building the foundation for transformation

IP Communications Dedicated Cisco Unified Communications, including voicemail, conferencing, rich-media communication, and extension mobility

IP Contact Center Dedicated Cisco’s Unified Contact Center to deliver intelligent call routing and call treatment

Self-Defending Network Security

Dedicated Enable each site with the security needed to maintain the business

Intelligent Routing Dedicated Site-to-site VPN with IPSec for encryption when required; DCN for out-of-band management; QoS to ensure the site-to-site experience is equal to the experience of a single location

Mobility Dedicated Enable mobile IP to support the mobile workforce.

3

Data Center Dedicated Consolidate data center into a centralized environment

2


A Phased ApproachPhase Technology Shared or Dedicated

Across AgenciesDescription

Intelligent Routing Shared Enable virtualization and segmentation of the intelligent routing layer


Shared Virtualize security features

Data Center Dedicated Enable data center consolidation with the server and storage fabric

IP Communications Shared Enable Cisco Hosted Unified Communications to truly virtualize IP Communications

IP Contact Center Shared Enable the Cisco Hosted Unified Contact Center to virtualize the IP contact center

5

Data Center Shared Consolidate data center function across multiple agencies and introduce application acceleration and load balancing

Data Center Shared Virtualize data center function across multiple agencies and introduce application protocol optimization/translation

Intelligent Routing Shared Enable virtualization and segmentation of the intelligent routing layer

6


Shared Virtualize security features

4


InstantMessaging

UnifiedMessaging

MeetingPlace

IPCC IP Phone IP/TV®

PLM CRM ERP

HCM Procurement SCM

BusinessApplications

CollaborationApplications

Data CenterBranchCampus TeleworkerMAN / WAN

Ada

ptiv

ePo

licy

Traditional Architecture and Service-Oriented Architecture

Network Virtualization Services

Places in the Network

Server Storage DevicesNet

wor

ked

Infr

astr

uctu

reLa

yer

Inte

ract

ive

Serv

ices

Lay

er

Serv

ices

Sha

ring

Col

labo

ratio

nLa

yer

Security Services

Mobility Services

Storage Services

Voice Services

Computer Services

Identity Services

Application-Enhancing Services Collaboration-Enhancing ServicesInfrastructure-

EnhancingServices

Infr

astr

uctu

re

Shar

ing

Info

rmat

ion

Shar

ing

App

licat

ion

Laye

rService-Oriented Network Architecture Achieves an Intelligent Network


The Architecture


Three functional areas map to access control, path isolation, and services edge.

Architecture Framework

Agricultural DepartmentFood and Safety DepartmentFarm Services Department

Functions Access Control Path Isolation Services Edge

Branch - Campus WAN - MAN - Campus Data Center - Campus

GREMPLS

VRFs

1. Identify and authenticate client

2. Isolate into a segment3. Grant/prevent access

1. Map client VLAN to transport technology

2. Transport client traffic through isolated path

3. Terminate isolated path at destination edge

1. Map isolated path to destination VLAN

2. Apply policy at VLAN entry point

3. Isolate application environments


Access Control

ObjectiveAuthenticate users or devices logging onto the network

ProcessIdentify endpointsAuthorize onto the network through port activationAssociate endpoint to specified user group

Primary authentication scenariosClient-based authentication for endpoints with client softwareClientless authentication for endpoints without client software


Path Isolation

ObjectiveIsolate traffic, so that users only have access to designated data and resources

ProcessUsing separate Layer 2 domains to logically isolate traffic negates scalability and modularity benefits of hierarchical network designAlternatively, traffic separation can occur in the Layer 3 domain

Distributed access control lists (ACLs)Overlay of GRE tunnels interconnecting VRFsVRFs at every hop interconnected with VLAN trunksMPLS/BGP VPNs

GREMPLS

VRFs


Services Edge

Provides mechanisms required for users from different groups to securely access common servicesProvides access to user-group-specific servicesProvides logical connectivity and security mechanisms over shared facilities


Services Edge in Action

VPN A

InternetCampus

Core

VPN B

VPN C

VPN D

PE FW

VFW

VFW

VFW

VFW

InternetEdge

Router (Optional)

SharedServices

Agricultural DepartmentFood and Safety DepartmentFarm Services Department


Shared Data Center Services


Virtualized Data Center ArchitectureShared Data Center Services

Agriculture Department Data Center

Food and Safety Data Center

Farm Services Data Center

Layer 3 Switch

Network Management

Intrusion Prevention

Detector

PIX Firewall

SSL

VPN Concentrator

City A City B

Agricultural Department (500 employees)

Food and Safety (200 employees)

Farm Services (30 employees)

Agricultural Department (100 employees)

Food and Safety (200 employees)

Farm Services (10 employees)

Wide Area Network


A Center of Excellence Facilitates the Shared Data Center Approach

Provides scalability, availability, and reliability

Reduces management/operational needs and costs of data center

Ensures network and asset security through specialized products and best-practice designs

Uses segmentation to allow agencies to share partitioned/authorized assets

“Virtualizes” more assets into data center and offload management of onsite gear

Builds intelligence into the application infrastructure

An IT-enabled hub facility that enables a secure shared infrastructureand delivers a uniform, cost-effective set of shared services to multiple agencies


Data Center Architecture OverviewCampus

Core

Data CenterCore

Aggregation

Access

Servers

Access

Core

Storage

GE

DC Interconnect

DWDMNetwork

WAN

Metro Ethernet

SONET/SDHNetwork

Simplified components of the shared data center architecture are shown here to explore the specific requirements of a well-designed shared data center for multiple agencies.


Network building blocks offer the flexibility to compose a suitable network depending on the size of the organization in the areas of core, aggregation, access, and DC interconnect, Layer 2and Layer 3 designs, high availability, and clustering; virtualization and segmentation; intelligence; security.

Server fabric provides the performance and control necessary to access the applications and servers in a shared data center.

SAN fabric handles the connectivity in the data center from the network to the storage farms by combining the core and edge layers to help reduce the complexities and drive more effective use of the ports.

Shared Data CenterArchitecture

Benefits of a Shared Data Center Architecture


Shared Security Services


Security Is a Process, Not a ProductCisco’s Self-Defending Network Ensures Security Is Proactive and Pervasive

AgencySecurityPolicy

Secure

Monitorand

Respond

Manageand

Improve

Test


Source: Forrester Trends 2005: Risk and Compliance Management; October 25, 2004

Managing Security Risks Better Through Shared Infrastructure

Password Guessing

Self Replicating Code

Password Cracking

Disabling Audits

Hijacking Sessions

Exploiting Known Vulnerabilites

Sniffers

Packet Forging/Spoofing

BackDoors

Sweepers

Stealth Diagnostics DDOS

New Internet Worms

Sophisticationof HackerTools

TechnicalKnowledgeRequired

High

Low

1980 1990 2000

Governments seek a formalized, consistent approach to managing information risk and compliance requirements

across the entire organization.


Control does not have to be relinquished to maintain security policies and requirements.

Default Security Policy in a Shared Infrastructure System

Security does not have to be compromised or minimized to offer a shared infrastructure environment.

Each network tenant can adopt his/her own specific security requirements.

Once traffic is segmented, the network is secured.Traffic is being transported virtually, separate from other network traffic.


Examples of Security Options for the Shared Infrastructure System

Feature Benefits

Stateful firewall Cisco IOS Stateful Firewall

Stateful firewall engine

Threat detection and prevention

URL filtering support

Voice traversal

Multimedia application

Advanced applications

AAA Integration

Cisco IOS IDS

Over 100 signatures

Enhanced performance

Inline operation (shunning)

Alarm management

Intrusion protection

IDS Network Module45 Mbps. Separate processor

Full signature set (more than 850)

Response actions

Alarm management

Security Services


Examples of Security Options for the Shared Infrastructure System, cont’d

Feature Benefits

Intrusion protection Security Proxy (Content Engine Network Module)

AAA support

Worm blocking

Anti-virus proxy

Trust and identity CNS bootstrap call home

Public key infrastructure (PKI) support

Management tunnel

Secure RSA private key

PKI and AAA integration

DNS secured IP address assignment

URL filtering Content Engine Network Module

Integrated SmartFilter URL filtering

Interoperability with N2H2 and WebSense URL filters

Security Services



Dynamic multipoint VPN (DMVPN)

Virtual full mesh

On-demand spoke-to-spoke tunnels

Dynamic discovery of spoke-to-hub tunnels

QoS, Multicast support

Tiered DMVPN

Enhanced scalability

IPSec-to-MPLS integration

VRF-aware IPSec

IPSec NAT transparency

Allows encrypted IPSec traffic to traverse Network Address Translation (NAT) or Port Address Translation (PAT) devices

High availability IPSec stateful failover

Feature Benefits

V3PN Multiservice-centric quality of service (QoS)

Support for diverse traffic types

Support for multiservice network topologies

Enhanced network failover capabilities

Network Integration



Feature Benefits

IP Solutions Center (ISC)

Policy-based management

Multiple VPN deployments

PKI-based end-to-end authentication and audit checks

Device abstraction layer

Hub-and-spoke, full and partial mesh topologies

Design and deploy complex firewall rules

Integrated routing–Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP)

Automate provisioning of failover and load balancing

QoS provisioning

Massive NAT configuration deployment

Service provisioning

CiscoWorks VPN/Security Management System (VMS)

Policy-based management

Combines Web-based tools for configuring, monitoring, and troubleshooting enterprise VPNs, firewalls, and network and host-based IDS

Device hierarchy and policy inheritance

Industry-leading auto update feature

Centralized, role-based access control enables different groups to have different access rights across different devices and applications

Integrated monitoring of Cisco PIX and Cisco IOS syslogs, and events from network and host-based IDS, along with event correlation

Management


Shared Infrastructure Management


Shared Infrastructure Management

Network management architecture is either implemented:

Processes that facilitate management of the infrastructure:

Configuration managementSecurity managementEvent managementAddress managementApplication managementAsset management

In-band using the data pathOut-of-band using a separate network management infrastructure


Data Communications NetworkDedicated “management”network

Out-of-band management network provides connectivity between the EMS and NMS/OSS systems

Accomplished by physically separate link or VPN tunnel

Provides various levels of security, including physical separation of data and encryption


Data Communications NetworkThree-Tiered Structure

Access Central Office Distribution Backbone

Found at each office to provide connectivity to their respective switching/distribution centers. It is within this design that you can find configurations for small, medium, and large central offices.

Located around the backbone to provide symmetric connectivity to main offices.

Contains WAN switches that form a core or transport function.


Cisco’s Data Communications NetworkNetwork Elements (NE) Data Communications Network

NetworkOperations

Center (NOC)

DCN

OSS to NE Connectivity

IP/OSI, ASYNC, X.25 (XOT)

FR, ATM, T1/E1

OperationsSupport

Systems (OSS)

Workstation

Mainframeor Mini

GNE

ADM

Dial

ISR 3303

SONET/SDHDWDM

Transmission Systems(SLC, IDLC, FITL, FOTS)

DSL ATM

Alarm Units

Voice, Digital Cross-connectFrame Relay

SS7 STP


Case Studies


FDA—White Oak, Maryland

ChallengeDeploy IT system that enhanced the collaborative nature of the new campus environment of 8 FDA centersCost-effectively support collaboration and employee movement throughout the campus

SolutionUnified Communications (video and audio conferencing, web collaboration)Converged, shared network infrastructure for all FDA centers throughout the campus

Projected BenefitsReduced administration and operating costsImproved productivity through collaboration

http://www.washingtontechnology.com/news/21_3/emerging-tech/27962-1.html


Texas 2-1-1 Information and Referral Network

ChallengeReduce costs by converging redundant voice and data systems Establish a referral operator who will direct callers to appropriate government organizations

SolutionIP network builds upon existing statewide virtual 2-1-1 call-center solution as single point of entry

BenefitsCitizens can call 2-1-1 for any social or non-emergency healthcare issue anytimeAnnual cost savings exceed $600,000


“Considering that our annual budget for the program is $6.3 million, [$600,000] is a significant savings.”

Judy WindlerTexas Health and Human Services Commission


Defense Information Systems Agency: DVS II

ChallengeImplement a common infrastructure that provides voice, video, and Web collaboration across all defense agencies

SolutionCisco® collaboration applications and SONA voice and collaboration

BenefitsVideoconferencing that meets critical security criteria, providing commanders the information and situational awareness they need to plan, and scalable execute, and manage military operations Most robust videoconferencing solution and architecture available


izn in Lower Saxony, Germany

ChallengeIncrease data-storage facilities Decrease operating costs and standardize operationsUse IP-based technologies within SAN environment to offer more cost-effective services

SolutionCisco® Business-Ready Data Center deployed across two separate data centers Data center is accessible via iznNet

BenefitsReduced overhead costsOptimized network availabilityIP-based protocols allow lower-cost service options


“The Cisco® Business-Ready Data Center model provides a high level of robustness which other suppliers still have to achieve.”

Herr Erik Krezizn


Why Cisco?


Unmatched technical expertiseUnrivaled partnershipsIndustry-leading, interoperable, standards-based solutions

Enables Responsive, Citizen-Centric Environments Through

Distinguishing Cisco from the Competition

Cisco® Capital finance programs


Modular network deployment based on integrated components

Customized design based on proven best practices

Optimal performance

Continuously expanding functionality Easily scalable architecture

Cisco Offers a Flexible, Scalable Approach


Cisco Is the Networking PioneerDriven networking standards

Quality of serviceAllows separateservices to fairly share IP networks

Power over Ethernet

Powers end devices from the network

Session Initiation Protocol

Builds unified networks


Find Out More

For more information about Cisco’s shared infrastructure solutions, contact TBD or visit TBD

Note to client: Placeholder slide. Please provide info.


Next Steps


Intra-Agency Collaboration

Interagency CollaborationIntra-Agency

Mobility (Interoperability)

Security ServicesVoice Collaboration Services

Security Services (VPN)Mobility Services

Voice Collaboration Services (VPN)Security ServicesIdentity Services

Application Delivery ServicesVirtualization

Application Protocol Optimization

Interagency Infrastructure

Sharing

Interagency Services Sharing and Information

Sharing

Operational Effectiveness and Efficiency

Bus

ines

s Va

lue

• Analyze the business or technology challenge and create a solution architecture.

• Develop a proof-of-concept in the Experience step that demonstrates the feasibility of the proposed solution.

• Create a proposal for a SONAsphere engagement based on the PPDIOO Lifecycle.

PPDIOO Lifecycle Services

Workshop Proposal Strategy

Solution

Accelerator

Experience

Next Step:Connected Government Workshop


Q and A


Documents

Shared Infrastructure Architecture for Government · course of dealing, usage, or trade practice. In no event shall Cisco or its suppliers be liable for any indirect, special, consequential,