SERVICE DESCRIPTION Wide Area Network

Transcription

1 SERVICE DESCRIPTION Wide Area Network Date: Document: Service description: Wide Area Network

2 TABLE OF CONTENTS Page 1 INTRODUCTION 3 2 SERVICE DESCRIPTION Basic service Options DHCP service Link Balancing Guest Zone Partner VPN Traffic Shaping Link Management 11 3 ADDITIONAL DOCUMENTS 12 4 DISCLAIMER 12 Copyright United Security Providers AG page 2/12

3 1 INTRODUCTION This document describes the USP Wide Area Network managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service. Field of application Companies are often distributed over a number of locations, or even over a number of continents. There is a lively exchange of date between locations. In addition to the need for communication between colleagues, those employed at one site must frequently access resources located at a different site. The Wide Area Network service offers a simple and secure capability for companies to build up a data network covering different locations that is tailored to their needs. The Wide Area Network service is independent of ISPs and transmission technologies. This means that the best possible Internet connection, with the best price/performance ratio, can be selected for each site. This means that our customers benefit from high quality at a favourable price. At the same time, they can use different connection technologies. This means that our customers get the best possible performance from their services. At the same time, they benefit from a very high availability over the entire network. USP acts as a single point of contact for all matters relating to your Wide Area Network. Our customers have the benefit of a single contact person who always has an overview of the entire network and is therefore able to solve problems globally, efficiently and quickly. Copyright United Security Providers AG page 3/12

4 2 SERVICE DESCRIPTION 2.1 Basic service USP's Wide Area Network service provides flexible and efficient networking of sites. Name of service Service abbreviation Wide Area Network MSS-WAN Service version 2.0 Status Operating hours Operational OH1: Monday Friday, 08:00 18:00 CET OH2: Monday Saturday, 07:00 21:00 CET OH3: Monday Sunday, 0:00 23:59 CET OH4: Monday Friday, 08:00 18:00 local time Availability guarantee ACA: best effort ACB: 99.5% availability during operating hours ACC: 99.7% availability during operating hours ACD: 99.9% availability during operating hours The service is assessed on the basis of the number of site-to-site connections. The Wide Area Network service connects sites through secure IP VPN tunnels. Whatever the medium by which the Internet Service Provider (ISP) supplies the data to the site, the Wide Area Network service implements a company network based on static IPSec VPN tunnel. All end points are monitored by the USP Security Operations Center 24 hours a day/7 days a week. Our staff will react in the event of a problem in the network. The USP Security Operations Center act as a single point of contact and handles all interactions with the ISPs. Internet connections can be procured from local providers at all sites, so that the best price/performance ratio can be achieved. This improves the performance of the WAN as a whole. At the same time connection costs can be saved. USP acts as a single point of contact. USP handles coordination with the various providers in the event of connection problems. The problem is considered from a holistic view, which means that a solution can be found quickly and efficiently. In addition to rapid problem solutions, the customer benefits from having one contact for all aspects and does not have to worry about the, often tiresome, management of the various parties. Copyright United Security Providers AG page 4/12

5 Key Performance Indicators (KPIs) Compliance with the SLA parameters is measured against the availability of the service infrastructure. The following service-specific values are collated in the monthly reports: - service infrastructure workload - data volume in total and per location - bandwidth utilisation The following measuring points are monitored to monitor the service: - CPU/RAM utilisation of the service infrastructure - accessibility of the ISP router - availability of Internet links - incoming and outgoing data volume per location The service infrastructure must be implemented redundantly for availability guarantees that are better than ACA. A redundant setup requires the allocation of static private IP addresses. The service requires a valid Fortiguard or Forticare subscription for the infrastructure. The USP Security Operations Center must be notified to the ISP as changeauthorised. Copyright United Security Providers AG page 5/12

6 2.2 Options DHCP service The service infrastructure acts as a DHCP server or forwards DHCP messages to a target segment. Name of the service option Abbreviation DHCP service MSS-WAN-DHCP The service option is assessed on the basis of the size of the address range. DHCP relaying is assessed at a fixed amount. Clients need to have a valid address before they are able to use network resources. These addresses are either set statically or assigned dynamically by a DHCP server. If this option is enabled, the WAN service infrastructure acts as a DHCP server. Two different versions of this are supported. Either the infrastructure acts as a DHCP server for one or more internal segments. Or alternatively, the addresses are accepted by the infrastructure from a remote server and forwarded into the internal segment. Often there is no DHCP server available at smaller sites. No additional infrastructure is required if the WAN service infrastructure takes on the role of the DHCP server. Static addressing is not possible if the clients in a segment are not known and change frequently, for example in guest networks. Instead of using a dedicated server and hence additional infrastructure, this task can be taken on by the existing service infrastructure. Key Performance Indicators (KPIs) Compliance with the SLA is determined using the KPIs for the basic service. The following data is added to the reported data: - number of addresses assigned per day - addresses assigned concurrently The number of addresses assigned concurrently is monitored. The option is offered for segments with no more than 50 protected IP addresses or for guest segments. Copyright United Security Providers AG page 6/12

7 2.2.2 Link Balancing Where a site has a number of Internet links, they can be used in common with this option. Name of the service option Abbreviation Link Balancing MSS-WAN-LB The service option is assessed on the basis of the size of the basic service. This option distributes the data traffic over the available links. Various strategies can be used for this: - source IP-based: standard, links selected in sequence by the roundrobin method, depending on the source IP. - weighted load balance: based on the configured weighting of the links. - spillover: the second link is only selected once a specified bandwidth is exceeded on the first link. Equal Cost Multipath Routing (ECMP) is generally used on these set-ups. As an alternative to using both links, one line can also be used as a pure backup line. As an alternative to the strategies listed above, it is also possible to define the load distribution on the basis of predefined rules. Connection to the Internet is of enormous importance for many companies. Pure availability is just as important in this context as the performance of the link. This option allows the achievement of an improvement in performance by distributing the load over a number of links. Very high availability can be achieved by using multiple links. Should one link fail, the entire data flow will be taken on by the remaining links so that connectivity is assured and you benefit from a constant connection to the Internet. Key Performance Indicators (KPIs) Compliance with the SLA is determined using the KPIs for the basic service. The following data is added to the reported data: - availability of Internet links - Internet link utilisation The availability of the links is checked by sending pings. The relevant interfaces on the WAN infrastructure and the ISP router are additionally monitored. The Internet links are provided by the customer and are not a part of this service option. USP recommends that the USP Security Operations Center is made changeauthorised with the ISP so that changes and incidents can be handled as quickly as possible. Copyright United Security Providers AG page 7/12

8 2.2.3 Guest Zone This option operates a further zone which can be used to give guests access to the Internet. Name of the service option Abbreviation Network Segmentation MSS-WAN-NS The service option is assessed on the basis of the size of the basic service. This option operates an additional network segment. The segment is terminated at the WAN service infrastructure. This additional zone is completely isolated from the internal zone. There are no firewall rules permitting a transition between the zones. The separation of the network zones for staff and the guest segments make it impossible for guests to access resources on the internal network. This significantly increases the security of the company data. There are no additional ISP costs to pay as the guests can also use existing Internet connections. Incoming and outgoing data traffic for the guest segment is added to the existing report. The incoming and outgoing data volume is measured. The conditions of use for the basic service apply. Guests must be uniquely identified and the data traffic must be logged in accordance with current legislation. The components required for this are not part of this service option. They must either be provided by the customer, or procured from the ISP as a service. Copyright United Security Providers AG page 8/12

9 2.2.4 Partner VPN This option allows sites that are not operated by USP to be connected to the company network. Name of the service option Abbreviation Partner VPN MSS-WAN-PVPN The service option is assessed at a fixed rate independently of the basic service. This option is used to operate a site-to-site connection to another company or to partners. The connection is established by the WAN service infrastructure as an IPSec VPN tunnel. The connections are restricted so that the users can only access those resources that they need for their work. The tunnels can be further restricted. For example, access can be restricted to office hours. Data communications with business partners outside the company network is a common requirement. Partner VPN connections make possible a simple and low-cost option for incorporating partners into communications. And without entering the risk that partners can access sensitive data that is not intended for third parties. USP has considerable experience in handling partner VPN connections such as these and can establish an appropriate VPN tunnel to practically any gateway. This means that it is not necessary to buy expensive infrastructure. Incoming and outgoing data traffic for the tunnel is added to the existing report. The availability of the tunnel will be monitored. The conditions of use for the basic service apply. Whatever the availability guarantee for the basic service, partner VPN tunnels are always operated as best effort, as USP can only have limited influence on the counter-party. Copyright United Security Providers AG page 9/12

10 2.2.5 Traffic Shaping This option makes it possible to give data differing priorities. Name of the service option Abbreviation Quality of Service MSS-WAN-QoS The service option is assessed on the basis of the size of the basic service. This option classifies the data traffic into up to three classes. A maximum bandwidth is assigned to the classes. Classes may exceed their bandwidths as long as the total bandwidth available is not completely utilised. The classes are limited to their particular bandwidth if the entire bandwidth is used. The data traffic is divided up on the basis of various characteristics: - origin address - origin port - destination address - destination port - protocol As a rule, a default class is specified to accept all data packets that are not explicitly assigned to another class. More and more often, business applications are being provided centrally and the users access these applications from anywhere in the world. Thanks to the Quality of Service option, important data traffic can be communicated as a priority. This makes working with the business applications more comfortable, without having to pay out for more bandwidth. Data traffic that is not time-critical, backup data for instance, can be given a lower priority than other data. This means that you do not need dedicated lines but you can continue to use the existing lines. The utilisation of the various classes is added to the monthly reports. The rejected packets are also reported. The number of rejected packets is measured. The conditions of use for the basic service apply. Changes to the bandwidths have a considerable influence on this option and must be notified to the USP Security Operations Center as soon as possible. There is no prioritisation on the application layer (layer 7) with this option. but this can be implemented with the MSS-WP-AC service. Copyright United Security Providers AG page 10/12

11 2.2.6 Link Management USP handles all the contract management for the Internet connections. Name of the service option Abbreviation Link A Management, Link B Management, MPLS Link Management MSS-WAN-LINK_A, MSS-WAN-LINK_B, MSS-WAN-MPLS The service option is assessed on the basis of the bandwidth of the various links. The primary Internet link is always assigned to the Link A Management (MSS-WAN-LINK_A) option, and the second link to Link B Management (MSS-WAN-LINK_B) correspondingly. MPLS links are assigned to the MPLS Link Management (MSS-WAN-MPLS) option. In this option, USP acts as the contractual contact for the Internet providers. USP subleases the lines to the customer. All contracts with the ISPs are regularly examined and re-evaluated. A regular check is made to ensure that the bandwidth still meets requirements. If not, these are amended, with the customer's agreement. The latency times between the sites are also monitored. The ISP is reevaluated should these times not meet requirements. The evaluation of ISPs is often a time-consuming and tiresome task especially abroad. USP handles this task so that our customers can save significant effort and, eventually, money. A one-stop shop for the complete WAN service. This gives the customer a consistent SLA and one single partner responsible for the service who will reliably make sure that incidents are rectified promptly and professionally in the customer's interests. This significantly enhances the availability of the WAN overall. No additional data is reported in the monthly reports. The latency time from the USP Security Operations Center to the various sites is measured. The conditions of use for the basic service apply. This option is not available in some countries, as the entity taking out the contract must have a presence in-country. Copyright United Security Providers AG page 11/12

12 3 ADDITIONAL DOCUMENTS The present document describes the functional scope of USP's Wide Area Network service. General information on the Service Level Agreement and on operation may be found in the additional documents. Service management and SL catalogue Services catalogue Price list This document contains all the information relating to the Service Level Agreement parameters. It defines the support processes and collaboration obligations, for instance, along with operating hours and availability guarantees. The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion. The prices of all services and options are laid down in the price list. 4 DISCLAIMER This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with Section 23 in conjunction with Section 5 of the Swiss Unfair Competition Law. This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail. The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement. USP's General Terms and Conditions shall apply unless higher-ranking provisions apply. Copyright United Security Providers AG. All rights reserved. Copyright United Security Providers AG page 12/12