TO: NEN Community
FROM: REANNZ
DATE: June 2010
SUBJECT: Design Statement: NEN Edge Device

Background

This National Education Network (NEN) design statement was developed by REANNZ with input from the relevant community stakeholders. It builds on experience gained in the NEN Proof-of-Concept trial, design work on the distribution layer of KAREN, and experiences from the existing fibre loop communities.

For the purposes of this Design Statement the NEN has been defined as:

A high-speed, symmetric Ethernet service delivered to a single edge device within a school building, providing access to a national private network common to the rest of the research and education sector, international connectivity to the global research and education sector, and access to commodity Internet routes.

Revisions

This design statement was originally published in March 2010 and was used as the basis of a Request for Proposals (RFP) for procuring edge routers for the NEN. This tender process closed on 14 April 2010. During evaluation the Ministry of Education requested that the required feature scope be expanded to include network firewall functionality, and that options for the device to also provide wider aspects of Unified Threat Management (UTM) be explored. This revised Design Statement summarises these additional requirements, which will form the basis of a re-issued RFP.

Purpose

The purpose of the edge layer and edge device is to allow a school to gain access to the distribution layer of KAREN (layer 3) and, by extension, KAREN itself and the commodity Internet. The edge device is also required to provide firewall and security functionality.
The physical connection between the school and the KAREN distribution layer would typically be a fibre pair, but may appear as part of a layer-2 provisioned service over any physical bearer, subject to certain capacity and performance standards (see the Design Statement for NEN Local Access Service).

Objectives

The NEN edge device has the following objectives:

1. To logically connect a school to the NEN.
2. To logically connect a school to a range of content and service providers, provided via a single access circuit.
3. To provide a consistent end-user experience in line with the KAREN core principles of minimum latency and high throughput, and through extending KAREN's core architectural principles to the school.
4. To employ a standards-based approach to avoid technical lock-in.
5. To achieve economic benefits by aggregating demand when purchasing network products or services.
6. To provide network firewall capability (defined below).

There is an additional, optional objective to be considered:

7. To explore the potential of providing unified threat management (UTM) in the NEN edge device.

Design guidelines

The following guidelines will help in the selection, implementation and operation of this NEN component.

1. Applications, content and services required by schools will increasingly reside in the cloud.
2. A standard set of routing policies, common to all schools, will be implemented and supported, consistent with KAREN's Network Access and Acceptable Use policies and any relevant Local Loop policies.
3. The aim is to achieve the lowest possible operating expense for the sector in conjunction with a low capital cost.
4. The edge device will:
   - be compliant with the KAREN distribution layer network;
   - be remotely managed; ideally, there should be no need to visit the school to service the edge device except to install or replace new or defective hardware;
   - be separate from any fibre termination unit (FTU) provided as part of the access provider's service offering;
   - be capable of terminating fibre and/or copper connections;
   - maximise use of KAREN-provided public IPv4 addresses, reducing the need to place school servers and school-based content services behind the Port Address Translation (PAT) interface;
   - provide network firewall functionality on an opt-out basis, i.e. if schools have suitable alternative firewall functionality they may opt not to use this function on the NEN edge device;
   - not replace a school's internal network, except that it will perform the role of a school's primary WAN router;
   - not replicate KAREN core routing functions.
5. a) A NEN managed school (the default arrangement) will have no access privileges to the edge device's configuration, and no need for access privileges, except where independent log-ins can be provided with restricted access to specified functionality, e.g. changing firewall rules.
   b) A NEN unmanaged school (one with qualified IT staff with the skills to manage the edge device locally) will have access privileges to the edge device's configuration but must supply change request tickets for any work carried out.
6. The NEN Edge Device will be the only route to or from the school to the NEN and the Internet.

Edge Device requirements

1. The device must support the following L2 and L3 functions:
   a. IPv4 and IPv6;
   b. frame size supporting not less than a 1500 byte IP MTU;
   c. the full VLAN number range of 4094 in 802.1Q;
   d. PIM Sparse Mode;
   e. Path MTU Discovery (RFC 1191);
   f. NAT;
   g. Quality of Service (QoS); and
   h. network firewalling, as defined below.
2. The device must provide a minimum of 4 Ethernet ports, of which:
   a. at least 2 ports are capable of operating at Gigabit Ethernet; and
   b. at least one Gigabit Ethernet port is capable of supporting a single mode optical fibre interface.
3. The device should achieve a throughput performance under real operating conditions as close to 1 Gb/s as possible. Actual measured throughput of the device with all of the minimum requirements turned on is to be stated.
4. The device must be able to be remotely managed through:
   a. support of administrator remote login; and
   b. implementation of an SNMP MIB and trapping to support the proactive notification of network security issues.

Network firewall functionality

For the purposes of this design statement, a distinction is made between a network firewall and a range of other network security services that are generally included in the scope of Unified Threat Management (UTM). Network firewall functionality is defined as the application of rules to the following:
   - Source IP address
   - Source port
   - Destination IP address
   - Destination port
   - Port-based access control lists
   - Protocol
The network firewall is to be deployed between the NEN and the school internal network; other firewall functions may be deployed at the school edge or at other places on the NEN.

5. The device must be capable of supporting the following network firewall functionality:
   a. stateful firewalling across at least four zones, including:
      - supporting a default configuration;
      - supporting a capability of only allowing explicitly authorised connections;
      - supporting bi-directional firewall rules between zones;
   b. robust NAT traversal, including but not limited to SIP, H.323 and Adobe Connect (RTMP) videoconferencing;
   c. VPNs that may use encryption for:
      - network-to-network tunnels (the algorithms supported by the implementation should be specified);
      - allowing access to the school network for remotely located hosts;
   d. mitigation of distributed denial of service attacks based on source address spoofing. Specify how this is achieved for both egress and ingress traffic;
   e. the firewall must meet Common Criteria EAL3 or higher, or an equivalent assurance level.
6. The device must be capable of providing clear and comprehensive logging across all the minimum technical requirements. Information is required on:
   - which tools are needed to access/view logs;
   - the length of time logs are kept;
   - the level of detail provided in the logs.

Optional Features
Some edge devices have the capability of supporting a wide range of firewall functions. REANNZ is also interested in understanding the pricing (one-off and recurring licensing costs) of these features.

Physical Characteristics

The edge device will preferably be rack mounted and installed in an equipment room or cabinet at each school; however, in some schools rack mounting facilities will not be available, and therefore the default requirement is either wall mount or free-standing. The edge device:
   - must use an AC 230V power supply;
   - must support wall or free-standing (or both) mounting options;
   - should have a rack-mounted option.

Warranty and Support

The edge device is to be warranted for a minimum period of three years and the warranty is to be transferable if title to the edge device changes. While REANNZ is procuring the edge devices for the NEN trial extension, it is possible that within the warranty period title could change to the Ministry of Education, schools or another NEN provider. The required level of support for device failure replacement/repair is next business day. For the NEN trial extension, it is envisaged that equipment spares will be held by regional technical specialists called network wranglers, operating under the direction of the NEN team in REANNZ.

NEN Demarcation

The diagram below illustrates the point of demarcation between the school network and the National Education Network.
Notes

The edge device will provide Port Address Translation because insufficient public IPv4 address space is available for all school computers.
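To make requirements 5(a) and 5(d) of the network firewall section concrete, the following is an added example (written for this page, not part of the design statement or of any vendor's edge device): a minimal zone-based stateful policy model using a subset of the rule fields the statement defines (zones, protocol, source and destination address, destination port), with a default-deny posture, explicit allow rules, reply-direction tracking, and BCP38-style anti-spoofing checks applied to both ingress and egress. The school prefix, the private-prefix list and the sample rules are constructed placeholders, and addresses are modelled after any PAT has been applied.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# Constructed sample values: the school's assumed public IPv4 allocation
# (TEST-NET-1 as a placeholder) and private/loopback prefixes that must
# never appear as the source of a packet arriving from the NEN side.
SCHOOL_PREFIX = ip_network("192.0.2.0/24")
BOGONS = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# A packet crossing the edge device (zones "school" and "nen"), and a rule built from
# the statement's fields: zones, protocol ("any" or exact), CIDRs, inclusive port range.
Packet = namedtuple("Packet", "from_zone to_zone proto src sport dst dport")
Rule = namedtuple("Rule", "from_zone to_zone proto src dst dport")

# Constructed sample policy: the school may originate any connection towards
# the NEN; from the NEN only the school's public web server on TCP/80 is reachable.
SAMPLE_RULES = [
    Rule("school", "nen", "any", "192.0.2.0/24", "0.0.0.0/0", (0, 65535)),
    Rule("nen", "school", "tcp", "0.0.0.0/0", "192.0.2.10/32", (80, 80)),
]

def spoofed(p):
    """BCP38-style check: egress must carry a school source address; ingress
    must not carry the school's own prefix or a private/loopback source."""
    src = ip_address(p.src)
    if p.from_zone == "school":
        return src not in SCHOOL_PREFIX
    return src in SCHOOL_PREFIX or any(src in b for b in BOGONS)

def matches(r, p):
    return ((r.from_zone, r.to_zone) == (p.from_zone, p.to_zone)
            and r.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(r.src)
            and ip_address(p.dst) in ip_network(r.dst)
            and r.dport[0] <= p.dport <= r.dport[1])

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # 5-tuples of connections a rule has admitted

    def evaluate(self, p):
        if spoofed(p):
            return "drop:spoofed"
        # Replies to an admitted connection pass without a rule of their own.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow:established"
        if any(matches(r, p) for r in self.rules):
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow:rule"
        return "drop:default"  # only explicitly authorised connections pass
```

A real device would also age out entries in the flow table and apply the source-port and ACL fields the statement lists; this model omits those to keep the default-deny and anti-spoofing logic visible.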