Data Dial Tone LAN Architecture and Infrastructure
Data Dial Tone is OTM's term for local area network services provided to customer agencies. It is currently available in selected buildings in Capitol Park in metro Baton Rouge. OTM has adopted an architectural model for campus-based, high-availability enterprise networks. OTM provides all local area network services from the cable that plugs into the network interface card (NIC) of the PC or network printer, through the building, to the Shared Data Centers, and to the Internet. Desktop access runs at Fast Ethernet speed (100 Mbps) unless the user agency specifies 10 Mbps access. All connectivity in the core of the network is over fiber at Gigabit Ethernet speed (1000 Mbps).
- Desktop Access
Connectivity for individual computers, network printers, or file or application servers located in a building served by Data Dial Tone. There is a monthly charge for each active port.
- Server Access
Connectivity for individual servers or mainframes, public or private, located in one of the Shared Data Centers. Devices will be connected directly to OTM switches. There is a monthly charge for each active port based on the type of switch ports used: 10/100 or Gigabit Ethernet.
- DMZ Access
Internet bandwidth subscription for publicly accessible servers, mainframes, or other devices located in one of the Shared Data Centers. The agency purchases a Server Access port for each device in the DMZ (see Server Access above). In addition, the agency pays a fee for public access bandwidth for its collective group of DMZ servers. Access is rate-limited based on the IP address range of the agency's DMZ servers.
- LaNet via Data Dial Tone
Internet bandwidth subscription for an agency's collective group of users within the State's secure Intranet (LSI). Access is rate-limited based on the IP address range of the agency's user community.
- Wireless LAN
OTM will provide free Internet Only wireless access in one common area of each Data Dial Tone building, generally the first floor where multiple shared conference rooms and/or training rooms are located. Agencies will also have the option of subscribing to a paid service in other areas of their home building. A monthly fee will be associated with each access point used to serve the requested areas.
- Virtual Private Networking (VPN)
Agencies may subscribe to a Group service or to a Site-to-Site service. With Group service the agency pays a monthly fee for a collective amount of bandwidth to be shared among all of its individual remote users. With Site-to-Site service the agency is charged a monthly fee for the bandwidth associated with each site-to-site connection.
- Station Wiring
Station wiring is provided in State buildings according to the tenant agency's service requirements. As a standard, two data ports and one voice port, cabled with at least Category 5 Enhanced (Cat 5e) cable, are installed at each occupied drop or work location within a building. OTM provides all copper and fiber patch cables in the closets, as well as the lobe cables from workstation data ports to each network interface card. All data ports in each work area are labeled and correspond to labels in the wiring closets. Additional drops installed after initial building occupation must be coordinated through OTM and are done at the expense of the requesting agency.
Fiber is used within each building for vertical connectivity between Main Distribution Frame (MDF) closets and Intermediate Distribution Frame (IDF) closets on each floor. The buildings served by Data Dial Tone in Capitol Park are also interconnected with multiple strands of fiber optic cable.
Communications among the data centers located at the Information Services Building (ISB) at 1800 North Third Street in downtown Baton Rouge, the Department of Public Safety (DPS) on Independence Boulevard in mid-town Baton Rouge, and LSU are carried over Gigabit Ethernet links on leased fiber using State-owned Dense Wave Division Multiplexing (DWDM) equipment.
- Infrastructure Equipment
OTM has deployed Layer 2 access switches to provide 10/100 Ethernet service to desktop devices and network printers. OTM does not plan to maintain a one-to-one correlation between the data ports in a building and available switch ports; it is therefore likely that patch cables will have to be added or moved when a networked device is moved within a building (see Service Orders). Each workgroup switch is dual-homed to a pair of switches at the building aggregation level, and each building aggregation switch is dual-homed via Gigabit Ethernet links to the core network located in the ISB.
Each building aggregation switch is further dual-homed via Metro Ethernet links to the DPS data center, providing, at a minimum, Internet access under disaster conditions that leave the core network at the ISB unavailable. Data Dial Tone agencies located in state-owned Capitol Park buildings will have network access to any diverse resources they have proactively located within the DPS data center. All aggregation and core devices support Layer 3 switching (IP routing). The redundant and diverse core networks, one at the ISB and one at DPS, connect via Gigabit Ethernet links to redundant LSI Gateway switches, which provide Internet access through diverse vendors.
OTM has deployed one of a set of standard network architectures, composed of Layer 2 switching and Layer 3 routing, to provide Data Dial Tone service for agencies located in non-state-owned or non-Capitol Park buildings within the Baton Rouge (225) Local Access and Transport Area (LATA). Such agencies' network connections will be single-homed via bandwidth-customized links and aggregated within the ISB.
- Location of Agency Resources
An effort is underway to centralize and consolidate the State's data processing resources at two Shared Data Centers within the State. The first is located at the ISB. The second is at the DPS data center. Agencies that subscribe to Data Dial Tone services will locate all shared resources, servers, printers, mainframe computers and other resources at these Shared Data Center facilities. Agency servers may be located in a building served by Data Dial Tone only when they are used exclusively by tenants of that same building; all shared or public servers must be located at the agency data center in the shared facilities. See OIT policy IT-POL-002.
- Network Availability
OTM supports Data Dial Tone services 24 hours a day, 7 days per week. The network should be available at all times, with the exception of network maintenance intervals. For more details see Network Maintenance.
- Supported Protocols
Ethernet (10/100/1000 Mbps) is the only Layer 2 LAN protocol supported by Data Dial Tone service; no token-ring or other LAN protocols are used. TCP/IP is the only Layer 3/4 protocol supported by Data Dial Tone services. Other protocols (SNA, IPX) must be encapsulated in IP for transport across the Intranet network.
- Ethernet Port Configuration
Because of incompatibilities among vendor implementations of Ethernet auto-negotiation, OTM configures all desktop access switch ports to operate at 100 Mbps full duplex. To ensure compatibility, agencies must also configure the network interface cards of all their devices to operate at 100 Mbps full duplex rather than allowing auto-negotiation; a link that is hard-coded on one end and auto-negotiating on the other settles at half duplex on the auto-negotiating end and performs poorly. If the agency has legacy devices that do not support 100 Mbps, it should request that those specific ports be configured differently.
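As an added illustration (not part of the original OTM document), the following Python model encodes the IEEE 802.3 auto-negotiation behaviour behind this rule: a port hard-coded to 100 Mbps full duplex facing a port left on auto-negotiation ends up in a duplex mismatch, which is why the NIC must be hard-coded as well, and a 10 Mbps-only legacy device facing that same port never links at all. The `PortCfg` abilities and the `resolve_link` function are assumptions made for the example; the outcome in each case is the standard parallel-detection result, not anything OTM states.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# (speed in Mb/s, full_duplex) pairs a port advertises when it auto-negotiates.
FULL_ABILITIES: FrozenSet[Tuple[int, bool]] = frozenset(
    {(10, False), (10, True), (100, False), (100, True)})


@dataclass(frozen=True)
class PortCfg:
    """One end of a twisted-pair Ethernet link (assumed model for this example).

    auto=True  : the port runs IEEE 802.3 auto-negotiation and advertises `abilities`.
    auto=False : speed and duplex are hard-coded, e.g. OTM's default of 100 Mb/s full.
    """
    auto: bool
    speed: int = 100
    full: bool = True
    abilities: FrozenSet[Tuple[int, bool]] = FULL_ABILITIES


def _dup(full: bool) -> str:
    return "full" if full else "half"


def _down() -> dict:
    return {"status": "no-link", "speed": None, "a": None, "b": None}


def resolve_link(a: PortCfg, b: PortCfg) -> dict:
    """Work out the operating mode of each end and whether the link is healthy.

    both auto   -> highest common advertised ability (speed first, then duplex)
    both forced -> link only if the speeds agree; each end keeps its configured duplex
    one forced  -> 'parallel detection': the auto end senses the speed from the line
                   signalling but cannot learn duplex, so it falls back to HALF duplex.
                   Against a full-duplex forced end that is a duplex mismatch (late
                   collisions, CRC errors, throughput that collapses under load).
    """
    if a.auto and b.auto:
        common = a.abilities & b.abilities
        if not common:
            return _down()
        speed, full = max(common)  # tuples compare speed first, then duplex
        return {"status": "ok", "speed": speed, "a": _dup(full), "b": _dup(full)}

    if not a.auto and not b.auto:
        if a.speed != b.speed:
            return _down()
        status = "ok" if a.full == b.full else "duplex-mismatch"
        return {"status": status, "speed": a.speed, "a": _dup(a.full), "b": _dup(b.full)}

    forced, auto_end, a_is_forced = (a, b, True) if not a.auto else (b, a, False)
    # The auto end can only lock onto a speed it is capable of: a 10 Mb/s-only legacy
    # NIC facing a port forced to 100 Mb/s simply never links up.
    if not any(spd == forced.speed for spd, _ in auto_end.abilities):
        return _down()
    forced_d, auto_d = _dup(forced.full), "half"
    status = "ok" if forced_d == auto_d else "duplex-mismatch"
    a_d, b_d = (forced_d, auto_d) if a_is_forced else (auto_d, forced_d)
    return {"status": status, "speed": forced.speed, "a": a_d, "b": b_d}


if __name__ == "__main__":
    switch = PortCfg(auto=False, speed=100, full=True)  # OTM's default port setting
    cases = [("NIC forced 100/full", PortCfg(auto=False)),
             ("NIC left on auto", PortCfg(auto=True)),
             ("legacy 10 Mb/s NIC on auto",
              PortCfg(auto=True, abilities=frozenset({(10, False), (10, True)})))]
    for label, nic in cases:
        print(f"{label:28s} -> {resolve_link(switch, nic)}")
```

With the switch forced to 100/full, only the hard-coded NIC produces a clean link; the auto-negotiating NIC lands in a duplex mismatch, and the 10 Mbps device never links at all, which is the case the text says should be raised with OTM so the port can be configured differently.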
- Virtual LANs
Virtual LANs are used in all Data Dial Tone buildings and Shared Data Centers. VLANs are not shared between agencies, so a workgroup access switch in a building closet or Shared Data Center that serves more than one agency carries a separate VLAN for each. VLAN tagging as defined by the IEEE 802.1Q standard is used to trunk VLANs between access and aggregation switches as necessary. In the Data Dial Tone buildings a given VLAN does not appear in multiple workgroup switches (i.e., VLANs are not spanned); this keeps broadcast domains small and reduces the potential for spanning-tree problems. In the Shared Data Centers, where it is beneficial to provide connection redundancy for critical servers and separation of network connections for clustered servers, VLANs are spanned across multiple access switches.
- IP Addressing
OTM shall implement a private addressing scheme for all Data Dial Tone subscribers. Each agency shall be assigned private and public address ranges appropriate to its size. Agencies must re-address their devices before subscribing to Data Dial Tone services. Private-to-public Network Address Translation (NAT) and Port Address Translation (PAT) take place within the OTM-managed firewalls that divide the State's secure Intranet (LSI) from the Internet. For more details see IP Addressing Technical Standards.
OSPF is the routing protocol used between Layer 3 switches. The access switches in each building and in the data centers function solely at Layer 2, providing Ethernet connectivity from agency devices to the aggregation switches. The aggregation switches utilize OSPF to route between access switches as well as out of the building or data center to the core switches. The network core is purely Layer 3/OSPF.
- Internet Access
Each agency that wishes to have Internet connectivity must subscribe to the LaNet via Data Dial Tone service. Internet traffic for each agency is rate-limited based on that agency's IP subnet(s) according to the level of bandwidth to which the agency subscribes. The rate limit is applied to both outgoing and incoming Internet traffic.
OTM has created a demilitarized zone (DMZ) between the Internet and the State's internal network (Intranet). The DMZ is an area off the OTM firewalls that is more secure than the "outside" (Internet) and less secure than the "inside" (Intranet). DMZ access is available both at the ISB and at DPS. All publicly accessible servers must reside in this DMZ. Agencies connect their server(s) directly to OTM's DMZ switch at ISB or DPS. Each agency is configured as a separate logical DMZ in order to provide maximum separation between servers of different agencies. Incoming traffic is routed only to the appropriate agency's physical ports off the DMZ switch(es). Traffic is not allowed to pass from one agency to another agency within the DMZ without first going through the OTM firewalls. Public IP addressing is used in the DMZ (see IP Addressing Policy). Each agency pays a per-port charge for each device connected to the DMZ. In addition, the agency pays for the aggregate Internet bandwidth required for all devices located in the DMZ.
- Shared Areas in Buildings
At an agency's request OTM will provide Internet Only access from areas like conference rooms, training rooms, and other similar locations that will be shared by multiple agencies within a building. Those VLANs designated as Internet Only are outside of any agency's IP range and do not have access to any agency's private resources. Access to agency internal resources requires use of a Virtual Private Network. Alternatively, an agency may request that a port in a shared area be activated in their private VLAN. However, anyone who uses that area will then have access to the agency's network. OTM does not recommend this solution.
- Wireless LAN
OTM will provide secure Wireless LAN access within Data Dial Tone buildings for use by agency personnel and authorized guests. OTM owns and maintains the entire wireless LAN infrastructure, including wireless access points and antennae. A site assessment will be conducted prior to each installation and OTM will place and configure access points to ensure maximum coverage in requested areas while accounting for potential future coverage demands.
OTM will provide free portal-dependent guest user access and VPN-dependent agency user access in one common area of each Data Dial Tone building, generally the first floor where multiple shared conference rooms and/or training rooms are located. Agencies will also have the option of subscribing to a paid service in other areas of their home building. A one-time installation fee and a monthly fee will be associated with each access point used to serve the requested areas. The paid service will offer VPN-independent agency user access in addition to portal-dependent guest and VPN-dependent agency user access. Portal-dependent guest user access requires 1) agencies to maintain their own database of authorized users and 2) wireless users to supply appropriate credentials before wireless access is granted. Portal-dependent guest users, after successful login, will have access to the Internet. VPN-dependent agency user access requires subscription to OTM's VPN service. VPN-dependent agency users, after successful establishment of the VPN tunnel, will have access to the Internet and to agency internal resources. VPN-independent agency user access requires 1) agencies to maintain their own database of authorized users and 2) compliance with OTM minimum requirements for interfacing systems. VPN-independent agency users, without any portal login and without any VPN connection, will have access to the Internet and to agency internal resources. The wireless services will be secured with authentication and encryption: only authorized agency personnel and authorized guests will have access to the wireless LAN. Agencies will maintain their own database of authorized users on a RADIUS server, and OTM will proxy to the appropriate agency's RADIUS server upon each authentication attempt. There will be a one-time setup fee for each agency to establish this server-to-server relationship.
Agencies should not implement their own wireless LAN solutions within Data Dial Tone buildings, as doing so may conflict with future OTM solutions and may present significant security risks to the entire network. OTM also strongly suggests that agencies not purchase or use 2.4 GHz wireless telephones, as they may interfere with wireless LAN devices.
- Virtual Private Networking (VPN)
OTM offers a VPN line of service in order to provide individual clients and branch offices with remote access to agency resources in LSI. Agencies may subscribe to a Group service and/or to a Site-to-Site service. Two VPN concentrators have been deployed for redundancy, one at ISB and one at DPS. The VPN concentrators' public interfaces are placed in a central DMZ at each data center, and the private interfaces connect to the Data Center Aggregation switches.
The Group service is intended for individuals who need access to the Intranet from remote locations (home, customer networks, etc.). Two options are available for Group access, IPsec or SSL. For IPsec access, each client workstation must have the Cisco VPN client software installed and must be configured with the appropriate group name and password. For SSL access, clients use a supported browser and simply connect via HTTPS to the public interface of one of the VPN concentrators. At this time SSL access is not supported on the Microsoft Vista or Apple Mac operating systems. Both IPsec and SSL assign the remote client a private IP address within the agency's assigned range, and beyond the login process the user experience is the same for both. An agency may choose to have some clients connect via IPsec and others via SSL. Split tunneling will not be allowed because of the security risk it poses to the internal network: a client that reaches the Internet and the Intranet at the same time can act as a bridge between them. OTM also requires that anti-virus protection be installed and maintained on each remote machine accessing the VPN services. The agency pays a monthly fee for a collective amount of bandwidth to be shared among all of its individual remote users. There is no limit on the number of remote users allowed to use the service.
The Site-to-Site service should be used for connecting small remote offices to the Intranet via an ISP. In this scenario, there is a single VPN termination device (concentrator, router, or firewall) at the remote office which must have a public IP address on the Internet. This device is also connected to the remote office's LAN. The workstations/servers on the LAN access the Intranet through this VPN termination device and are not required to have VPN client software installed. IP addressing on the remote LAN must comply with the LSI IP addressing standard. If existing IP addresses do not comply and conversion is not possible, NAT must be configured on the site-to-site tunnel. Because this service utilizes split tunneling and therefore increases the security risk to the Intranet, the remote site’s Internet connection must be firewalled. In addition, all workstations and servers on the remote network must have anti-virus software installed and signatures must be current. The agency is charged a monthly fee for the bandwidth associated with each site-to-site connection.
- Port Security
OTM configures port security on the workgroup switches in each building to restrict each user port to a single MAC address; the address is not pre-defined but is the one first seen on the port. End users should not plug hubs, switches, or routers into Desktop or Server ports, since a second MAC address appearing behind the port triggers a port-security violation.
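The following Python example, added here and not taken from the OTM document, ties together the two mechanisms described in the Virtual LANs and Port Security sections: it parses an Ethernet II frame with an optional IEEE 802.1Q tag (TPID 0x8100; PCP, DEI and 12-bit VID in the TCI), models a workgroup-switch user port with a one-MAC port-security limit learned from the first frame, and models the trunk toward the aggregation switch accepting only its allowed VLANs. The MAC addresses, VLAN numbers and frames are constructed for the example; the vendor commands OTM actually uses are not in the document.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]  # None = untagged (or priority-tagged with VID 0)
    pcp: int             # 802.1p priority bits from the tag, 0 when untagged
    ethertype: int
    payload: bytes


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vlan: Optional[int] = None,
                pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Assemble an Ethernet II frame, inserting a 4-byte 802.1Q tag when vlan is given."""
    hdr = mac(dst) + mac(src)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)   # TCI = PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header plus at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        vlan = vid if vid != 0 else None      # VID 0 carries priority only, no VLAN
        offset = 18
    return Frame(dst, src, vlan, pcp, ethertype, raw[offset:])


@dataclass
class AccessPort:
    """A user port on a workgroup switch: untagged, in one agency VLAN, with a
    port-security limit of one MAC address learned from the first frame seen."""
    vlan: int
    learned_mac: Optional[bytes] = None
    violations: int = 0

    def ingress(self, raw: bytes) -> Tuple[str, Optional[Frame]]:
        f = parse_frame(raw)
        if self.learned_mac is None:
            self.learned_mac = f.src              # learn once, then lock the port
        elif f.src != self.learned_mac:
            self.violations += 1                  # second MAC: a hub, switch or router
            return "drop:port-security", None
        if f.vlan is not None:
            return "drop:tagged-on-access-port", None   # a tag here is a VLAN-hop attempt
        f.vlan = self.vlan                        # classify into the port's access VLAN
        return "forward", f


def trunk_ingress(raw: bytes, allowed_vlans: Set[int],
                  native_vlan: int) -> Tuple[str, Optional[Frame]]:
    """The 802.1Q trunk toward the aggregation switch accepts only the VLANs
    explicitly allowed on it; an untagged frame is placed in the native VLAN."""
    f = parse_frame(raw)
    if f.vlan is None:
        f.vlan = native_vlan
    if f.vlan not in allowed_vlans:
        return "drop:vlan-not-allowed", None
    return "forward", f


if __name__ == "__main__":
    # Constructed sample traffic; addresses and VLAN numbers are invented.
    pc, rogue, gw = "66:77:88:99:aa:bb", "de:ad:be:ef:00:01", "00:11:22:33:44:55"
    port = AccessPort(vlan=110)
    for label, raw in [("first frame from the PC", build_frame(gw, pc, b"ip payload")),
                       ("a second MAC behind the port", build_frame(gw, rogue, b"ip payload")),
                       ("PC sends a tagged frame", build_frame(gw, pc, b"ip payload", vlan=120))]:
        print(f"{label:30s} -> {port.ingress(raw)[0]}")
    print("trunk, VLAN 120 not allowed    ->",
          trunk_ingress(build_frame(gw, pc, b"x", vlan=120), {110, 130}, native_vlan=999)[0])
```

The access port drops any tagged frame it receives: a user port never carries a tag, so a tag arriving there is an attempt to inject traffic into another VLAN, which is exactly what keeping agency VLANs unshared is meant to prevent.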
- Access Control
By default Access Control Lists (ACL) in the building aggregation switches permit connectivity between agency users and agency resources as well as to the Internet but restrict access between the various agencies that subscribe to Data Dial Tone services. These rules can be modified to allow communication between agencies for specific applications if both agree.
OTM uses a pair of redundant firewalls to restrict access to the LSI DMZ and Inside networks. By default no sessions generated from the outside (public) network are allowed through the OTM firewall to the inside (private) network. Agencies must make specific requests regarding the source, destination and type of traffic that should be allowed from outside through the firewall to the private network using the OTM-30 LSI Firewall Change Request Form found on OTM's website. Most agencies will not require this access. An example of an exception might be for video conferencing sessions that will be initiated from the Internet.
OTM works with each agency to establish appropriate firewall rules which allow public access as needed to each server or device in the DMZ. It is OTM's intention to make the DMZ as secure as possible while allowing specific access to services within the DMZ. By default no sessions generated from the outside (public) network will be allowed through the OTM firewall to the DMZ. Agencies must make specific requests regarding the destination and type of traffic that should be allowed from outside through the firewall to the DMZ using the OTM-30 LSI Firewall Change Request Form found on OTM's website.
Agencies should not connect their DMZ servers directly to their internal network via a second NIC. The only secure way for DMZ servers to talk to servers on the Inside of the network is through the OTM firewalls. Those requests must be made using the Firewall Change Request form also. OTM will also provide a pair of redundant firewalls to restrict access from the users inside LSI to each data center. Agencies must make specific requests regarding the source, destination and type of traffic that should be allowed from the LSI user community through the firewall to the agencies' data center resources using the OTM-30 LSI Firewall Change Request Form found on OTM's website.
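To show how the default-deny rule sets described in the Access Control section compose, here is an added Python example (not OTM's configuration) that evaluates ordered permit/deny rules with an implicit final deny against sample 5-tuples: an aggregation-switch ACL for one agency's user VLANs, the outside-to-DMZ and outside-to-inside rule sets of the perimeter firewall, and the DMZ-to-inside rule set. All address ranges, ports and the agency A to agency B application exception are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPNet
    dst: IPNet
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any destination port
    note: str = ""


def net(text: str) -> IPNet:
    return ipaddress.ip_network(text)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation of an ordered rule list. A flow that matches no rule
    hits the implicit final deny, which is what 'default deny' means in practice."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, r.note
    return "deny", "implicit deny"


# Constructed topology: assumed addresses, not OTM's real allocation.
LSI_PRIVATE = net("10.0.0.0/8")                       # the whole private Intranet
AGENCY_A_USERS, AGENCY_A_DC = net("10.10.0.0/16"), net("10.110.0.0/16")
AGENCY_B_USERS, AGENCY_B_DC = net("10.20.0.0/16"), net("10.120.0.0/16")
A_PUBLIC_WEB = net("203.0.113.10/32")                 # agency A server in the public DMZ
A_DATABASE = net("10.110.5.20/32")                    # agency A server on the inside
ANY = net("0.0.0.0/0")


def build_policy() -> Dict[str, List[Rule]]:
    return {
        # Aggregation-switch ACL applied to agency A's user VLANs. Order matters:
        # the inter-agency deny must come after the agreed exception and before
        # the catch-all permit that lets Internet traffic through.
        "agency_a_users": [
            Rule("permit", AGENCY_A_USERS, AGENCY_A_DC, note="own data-center resources"),
            Rule("permit", AGENCY_A_USERS, net("10.120.7.0/24"), "tcp", 443,
                 note="agreed A->B exception for one application"),
            Rule("deny", AGENCY_A_USERS, LSI_PRIVATE, note="no other inter-agency traffic"),
            Rule("permit", AGENCY_A_USERS, ANY, note="Internet (rate-limited, NAT/PAT at firewall)"),
        ],
        # Perimeter firewall, outside -> DMZ: only what a change request opened.
        "outside_to_dmz": [
            Rule("permit", ANY, A_PUBLIC_WEB, "tcp", 443, note="OTM-30 request: public web"),
        ],
        # Perimeter firewall, outside -> inside: nothing opened, so the list is empty
        # and every flow falls through to the implicit deny.
        "outside_to_inside": [],
        # Firewall between DMZ and inside: the only sanctioned DMZ -> inside path,
        # which is why a second NIC from a DMZ server into the inside is forbidden.
        "dmz_to_inside": [
            Rule("permit", A_PUBLIC_WEB, A_DATABASE, "tcp", 1433,
                 note="OTM-30 request: web tier to database"),
        ],
    }


def check(policy: str, src: str, dst: str, proto: str = "tcp", dport: int = 0) -> str:
    """Convenience wrapper returning just the action for one flow."""
    action, _ = evaluate(build_policy()[policy], src, dst, proto, dport)
    return action


if __name__ == "__main__":
    flows = [("agency_a_users", "10.10.1.5", "10.110.2.3", "tcp", 445),
             ("agency_a_users", "10.10.1.5", "10.120.1.1", "tcp", 22),
             ("agency_a_users", "10.10.1.5", "10.120.7.9", "tcp", 443),
             ("agency_a_users", "10.10.1.5", "198.51.100.7", "tcp", 80),
             ("outside_to_dmz", "198.51.100.7", "203.0.113.10", "tcp", 443),
             ("outside_to_dmz", "198.51.100.7", "203.0.113.10", "tcp", 22),
             ("outside_to_inside", "198.51.100.7", "10.110.2.3", "tcp", 443),
             ("dmz_to_inside", "203.0.113.10", "10.110.5.20", "tcp", 1433),
             ("dmz_to_inside", "203.0.113.10", "10.110.5.20", "tcp", 445)]
    for policy, src, dst, proto, dport in flows:
        action, note = evaluate(build_policy()[policy], src, dst, proto, dport)
        print(f"{policy:18s} {src:>14s} -> {dst:<14s} {proto}/{dport:<5d} {action:6s} ({note})")
```

The empty `outside_to_inside` list is deliberate: with first-match semantics and an implicit deny, "no rules" is the most restrictive policy, and each OTM-30 request adds exactly one permit to an otherwise empty list.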
- Intrusion Prevention Systems (IPS)
The goal of OTM's network Intrusion Prevention System (IPS) is to protect critical IT assets within the LSI consolidated data center by identifying internal and external threats to the network and responding to each threat appropriately. The IPS examines packets for unauthorized traffic and defines threats to include:
- Reconnaissance threats--Attackers scan network topologies to identify vulnerable devices (open ports, missing password requirements, OS vulnerabilities) and attack them.
- Distributed-denial-of-service (DDoS) and infrastructure attacks--IP packet-based attacks launched at the network infrastructure to compromise network performance and reliability.
- Break-ins and device takeover--These usually follow reconnaissance and consist of unauthorized access to a device with the intention of compromising its security.
- Theft of service and fraud--Unauthorized use of network resources.
The system categorizes these threats into three risk levels:
- Red--dangerous threat
- Yellow--possible threat, but could be legitimate traffic
When the system identifies a threat, an OTM security engineer examines the traffic in question and opens an internal incident case for the threat. The engineer then notifies the security contact(s) at the affected agency and provides detailed information about the event. The agency must then determine whether the traffic is legitimate, since some specialized programs send traffic that the IPS will incorrectly interpret as a threat (a false positive). If the threat is real, OTM will work with the agency to determine the best course of action (e.g., removing the virus from affected computers or blocking the traffic).
Initial notification of potential threats will be made via email. If OTM does not receive a timely response to the first email, another email will be sent. If there is still no response, the engineer will try to reach the agency contact(s) by telephone. Red level events will be escalated within OTM and the agency if the agency contact is unreachable or unresponsive. If OTM and the agency decide to implement blocking on the IPS for a particular threat, the security engineer will send the contact an email form stating exactly what traffic will be blocked. The contact must authorize the action by stating his/her agreement in a reply email. Once the agreement is received, OTM will initiate the blocking.
To reduce false positives, each agency will periodically be asked to provide basic details about all of its servers and applications. This information will be used only to verify the legitimacy of potential security threats. For example, if the IPS reports an excess of SMTP traffic to or from a particular server and OTM knows that the machine is an email server, the threat can be marked as a false positive immediately without involving the agency.
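As an added example (not part of OTM's process documentation), this Python snippet shows how an inventory of server roles can close the kind of false positive described above without involving the agency, while still routing real signature hits and unknown hosts to the agency contact, and encodes the notification ladder from the preceding paragraphs. The alerts, inventory, contact addresses, the `category` field and the treatment of unanswered yellow events are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    alert_id: str
    level: str       # "red" or "yellow", the two levels the IPS section names
    category: str    # assumed: "anomaly" (volume/behaviour) or "exploit" (signature hit)
    src: str
    dst: str
    dport: int
    signature: str


# Constructed asset inventory: the kind of data agencies are asked for periodically.
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.110.5.25": {"agency": "A", "role": "mail", "contact": "secops-a@example.org"},
    "10.110.5.30": {"agency": "A", "role": "web", "contact": "secops-a@example.org"},
    "10.120.9.4": {"agency": "B", "role": "dns", "contact": "secops-b@example.org"},
}
ROLE_PORTS = {"mail": {25, 465, 587}, "web": {80, 443}, "dns": {53}}


def triage(alert: Alert) -> dict:
    """Decide whether an alert can be closed from inventory alone or needs the agency.

    Only volume/behaviour anomalies are auto-closed when the traffic matches the
    asset's declared role (lots of SMTP at a mail server is its job). An exploit
    signature against that same mail server still goes to the agency: being a mail
    server does not make an attack on its SMTP service legitimate.
    """
    asset = INVENTORY.get(alert.dst) or INVENTORY.get(alert.src)   # "to/from" the server
    expected = asset is not None and alert.dport in ROLE_PORTS.get(asset["role"], set())
    if alert.category == "anomaly" and expected:
        return {"alert": alert.alert_id, "disposition": "false-positive",
                "reason": f"port {alert.dport} matches declared role '{asset['role']}'",
                "contact": None}
    if asset is None:
        return {"alert": alert.alert_id, "disposition": "notify-agency",
                "reason": "host not in inventory; owner must be identified first",
                "contact": None}
    return {"alert": alert.alert_id, "disposition": "notify-agency",
            "reason": "needs agency confirmation", "contact": asset["contact"]}


def next_contact_step(level: str, attempts_made: int, responded: bool) -> str:
    """The ladder from the text: email, second email, telephone; red-level events
    escalate within OTM and the agency if still unanswered. The text does not say
    what happens to an unanswered yellow event, so this example just holds it."""
    if responded:
        return "work-with-agency"
    ladder = ["email", "email", "telephone"]
    if attempts_made < len(ladder):
        return ladder[attempts_made]
    return "escalate" if level == "red" else "hold"


def triage_all(alerts: List[Alert]) -> Dict[str, str]:
    return {a.alert_id: triage(a)["disposition"] for a in alerts}


if __name__ == "__main__":
    # Constructed alerts, modelled on the SMTP example in the text.
    sample = [
        Alert("A-1", "yellow", "anomaly", "198.51.100.7", "10.110.5.25", 25, "excessive SMTP"),
        Alert("A-2", "yellow", "anomaly", "198.51.100.7", "10.110.5.30", 25, "excessive SMTP"),
        Alert("A-3", "red", "exploit", "198.51.100.7", "10.110.5.25", 25, "SMTP overflow attempt"),
        Alert("A-4", "red", "anomaly", "10.77.1.1", "10.77.1.2", 445, "SMB sweep"),
    ]
    for a in sample:
        print(a.alert_id, triage(a))
    for attempts in range(4):
        print("red, no response after", attempts, "attempts ->", next_contact_step("red", attempts, False))
```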
The IPS has significant functionality that can benefit your agency. To learn more, contact the OTM Security Team via email at OTM-LSI-Security@listserv.doa.la.gov or by telephone at 225-219-4860.
- Remote Access to Agency Resources
For security reasons, remote access to a PC of an agency that subscribes to Data Dial Tone is not allowed, whether from the Internet or by direct modem dial-in to the PC. The only acceptable remote access is via OTM's VPN services.
- Access to Telecommunications Closets
Agency access to building telecommunications closets is not permitted. OTM and its authorized contractors will perform all work in the closets. See the Telecommunications Room Access Policy for more details.
- Service Orders
The OTM Network Services LAN Support group performs all adds, moves, and changes within the network. There are fees for adding, moving, or changing features after Data Dial Tone service is initially established in a tenant building; refer to the OTM Catalog of Services for rate information. Simple changes, such as activating a new port for a user, carry standard charges and will usually be completed by the next business day. For complex changes, OTM will provide the requesting agency a quotation of the charges for approval before beginning the work. Agencies should submit requests to the OTM Advanced Services Unit using the forms listed below. See the Service Orders Workflow for more details.
OTM-25 Data Dial Tone Service Order Form
OTM-30 LSI Firewall Change Request Form (no fees are associated with firewall change requests)
OTM-31 Data Dial Tone VPN / Wireless LAN Service Order Form
- Trouble Reporting
The OTM Network Services LAN Support group provides day-to-day support for Data Dial Tone services, including problem determination and repair. OTM also contracts with the Office of Computing Services' (OCS) Centralized Monitoring Service (CMS) within the Division of Administration (DOA) to monitor all network elements within LSI and to provide a call center for Data Dial Tone trouble reporting. When LAN problems are reported to an agency's IT department, those personnel should review the problem and try to determine whether it is a network issue. Network problems should then be reported to the CMS group. See the Trouble Reporting Workflow for more details.