Slide 1: Petr Habarta, Network Services Delivery, SSO+DCS MU FIT

Slide 2: Agenda
- Shared Network Infrastructure
- Organization structure
- Network monitoring tools
- LAN Management
- WAN Management
- Firewall
- IP Services
- Network Security
- Typical issues - LAN/WAN
- Typical issues - FW, IPSE

Slide 3: What is Shared Network Infrastructure (SNI)?
- Provides a secure way to connect from the IBM internal network to customer networks
- SNI is a special network architecture inside the IBM Global Services Data Center
- Security requirements are very demanding
- Based on a few network segments with different security access levels

Slide 4: Tier Definitions for SNI (e.g. eSNI “simplified”)
Layer / Description / Segments:
- Tier 0 - Internal: IBM Intranet (with secure areas)
- Tier 1 - Highly Secured: Central Infrastructure (within sphere of control)
- Tier 2 - Secured: Shared Infrastructure (within each site)
- Tier 3 - Controlled: Service Resources, Customer Resources
- Tier 4 - External (untrusted): Customer Networks, Business Partners, Internet
(Diagram labels: Other Enterprise, Customer Security Layer, Internet, Allowed Communication)

Slide 5: Implementation Example (e.g. eSNI “simplified”)
(Diagram: Customer 1, Customer 2, Customer 3, IBM INTRANET and Internet, connected through Routers across Tier 0 to Tier 4; LAN segments SML, SSL, DML, DAL, IAL, IAL_IBM, CML, CSL; Access Firewall, Management Firewall, Service Firewall, Edge Firewall, Customer Firewall, Internet Firewall)

Slide 6: Abbreviations
- CML – Central Management LAN
- CSL – Central Service LAN
- SML – Shared Management LAN
- SSL – Shared Service LAN
- DML – Dedicated Management LAN
- DAL – Dedicated Access LAN
- IAL – Infrastructure Access LAN
- IAL_IBM – Infrastructure Access LAN IBM

Slide 7: What Advantages/Disadvantages are there for SNI?
- Advantages
  - Standard solution
  - Secure solution
  - Reuse of environment
  - Cost reduction
- Disadvantages
  - A shared network environment has much higher security and management requirements than a single-customer one
  - It is not always possible to standardize all customer-specific requests
  - Possibility of conflicts in private IP address ranges

Slide 8: Organization Structure – Network management GNMC model

Slide 9: NOC - Level 1 support
- Proactive monitoring with different tools; coordinates incident resolution and communication
- Uses simple and clear processes; requires thorough knowledge of these processes and tools, and a global overview of the systems
- 24/7 support is necessary
- Examples
  - Coordinates outages of WAN providers, communicates WAN-related issues
  - Updates problem tickets in the ticketing systems and informs other teams when an issue is resolved
  - Communication point for CSC – provides feedback to the customer
  - Coordinates HW replacement

Slide 10: NOC - Level 2 support
- Advanced resolution of problems escalated from 1st level
- Processes are not so clearly defined for 2nd level
- Level 2 requires skills and experience
- Examples
  - Analyze and correct routing problems
  - Correct security findings in configuration; patch/upgrade the OS on devices
  - Set and modify configuration on devices; activate new customers or devices
  - Change ACLs; cooperate with 3rd level and vendor support if needed

Slide 11: Level 3 support
- Level 3 support works on complex problems; 3rd level is involved in problems affecting a large part of the infrastructure
- Solves all non-standard cases
- Cooperates on and coordinates complex changes in the network structure
- Acts as network architects
- Examples
  - Preventing wrong setup of routing protocols
  - Finding solutions for slow application performance
  - Deploying new customers to SNI

Slide 12: Why do we need a proper NSD tool set?
“More than 80 percent of application performance and availability failures will be blamed on network problems, but the network will represent less than 20 percent of the root cause”
- With a proper tool set you can
  - React with a monitoring tool before the customer notices the problem
  - Locate a problem much faster than by manual tracking
  - Update many devices with one click
  - See the trend with performance tools and recognize a problem before it occurs
  - Use historical data to avoid being blamed for application problems

Slide 13: Network Management Toolset
- Tivoli Netview
  - Detection of problems, with implementation of an L3 map
- Entuity Eye of the Storm
  - Performance and advanced monitoring / analysis
  - Monitors devices with SNMP; can detect more than 70 types of errors
- Cisco Works (CW)
  - Provides advanced configuration / problem detection for the Cisco platform
- CACTI / Vital Suite Statistics
  - SNMP-oriented performance management tool
- Other tools
  - TACACS/RADIUS/LDAP – authentication services
  - Evidence databases – CEP+ / MAD / eAMT
  - Ticket tracking tools

Slide 14: Network Management Toolset
(Diagram: Netview, Entuity Eye of the Storm, Cisco Works, Cacti / Vital Suite, Syslog / Tacacs; WAN Devices, LAN Devices)

Footer: Seminar name - VUT FI 5/3/2016

Slide 15: Fault detection with Netview
- Netview is the standard tool used by IBM all over the world for most customers
- Monitoring of device status
- Clear picture of the network infrastructure
- Netview supports easy implementation of various scripts that can automate work
- With SNMP support on all devices it provides advanced monitoring (not based only on UP/DOWN checks with ICMP)
- Can receive/forward SNMP traps from/to other tools (EotS/Cacti…)

Slide 16: Fault detection - Netview
(Screenshot)

Slide 17: Tivoli Netview – Event Browser
(Screenshot)

Slide 18: Entuity Eye of the Storm
- Advanced monitoring of devices (LAN, WAN and firewalls) with SNMP
- Forwards major issues to Netview
- Provides advanced trouble finding
- The performance monitoring feature gives us the possibility to prevent outages caused by wrong implementation
- Provides statistics for core lines (trunks, EtherChannels)
- Availability management
- Keeps historical data

Slide 19: Entuity Eye of the Storm – port listing
(Screenshot)

Slide 20: Entuity Eye of the Storm – device report
(Screenshot)

Slide 21: Entuity Eye of the Storm
(Screenshot)

Slide 22: Configuration with Cisco Works
- CW supports mapping of networks built from Cisco devices
- CW is able to download configs, but it also allows uploading them to devices and modifying them directly in CW, so small common changes can be made with “one click” on many devices
- CW lets you work with a device as if it were the real one (shows the physical front panel)
- Data collection from devices / mass changes / security activities
- Can create reports for the Cisco platform

Slide 23: Configuration – Cisco Works
(Screenshot)

Slide 24: Cisco Works – example of report
(Screenshot)

Slide 25: Cisco Works – Cisco View
(Screenshot)

Slide 26: Performance with Lucent Vital Suite / CACTI
- One of the most important parts of our troubleshooting work is network performance problems
- Collects various information from devices and stores it for analysis (historical data)
- Fast analysis of network performance situations
  - At which point the network is overloaded
  - And what kind of traffic is overloading it
- Proactive information to prevent overload of WAN / LAN networks
- Lucent Vital Suite is the standard tool for performance
- Can analyze QoS separately
- List of top talkers

Slide 27: Cacti – graphs
(Graphs: Day, Week, Month, Year)

Slide 28: Evidence Databases & Other Databases
- All databases are linked together
- Asset Evidence (eAMT)
- Central evidence of all devices
  - Device type/hardware information
  - Location information
  - IP address, hostname, interfaces
  - Contacts for other support groups / provider / on-site support
  - Security evidence with historical data
  - Etc.
- Evidence for security findings
  - Keeps OS bugs
  - Each finding in a configuration is reported to the responsible support

Slide 29: LAN Management
- LAN = Local Area Network
- Device vendors
  - Cisco, Nortel, 3com, Alel, Allied Telesyn, Blue Coat, Digital, D-link, Edimax, Enterasys, HP, IBM, Intel, Intermac, Kingston, KTI Networks, LANart, LinkSys, Netgear, Nokia, Olicom, Planet, Symbol, Synoptics, Xtreme
  - Migration of all existing platforms to Cisco to provide the best centralized support
- Device categories
  - Firewalls
  - Routers
  - Switches

Slide 30: LAN – simple connection
(Diagram)

Slide 31: LAN – Data Centre
(Diagram)

Slide 32: Datacentre example
(Diagram)

Slide 33: WAN Management
- WAN = Wide Area Network
- Used solutions
  - Leased line
  - ATM/Frame Relay
  - MPLS
  - DSL/ADSL/ISDN
  - Internet tunnel (iVPN)
- WAN lines are usually provided by external companies (BT, AT&T, HP, Colt…)
- NOC (1st level) is the contact point between customer and provider
- Today’s trends for WAN
  - MPLS = Multiprotocol Label Switching
  - QoS = Quality of Service
  - SaS = Solution as Service
  - Cloud solutions

Slide 34: WAN Management – providers MPLS cloud
(Diagram)

Slide 35: WAN Specifications and requirements
- Setting QoS on WAN lines leads to better performance and utilization of the line
- 80 – 100 % WAN link utilization (“we pay 100, we use 100”)
- For monitoring QoS we need good tools

Slide 36: QoS – Basic categorization
- Category 1
  - Interactive applications with non-bursty packet traffic (e.g. telnet, VoIP)
  - Packet loss should be avoided
- Category 2
  - Interactive applications with bursty packet traffic (e.g. http)
  - Little packet loss
- Category 3
  - Non-interactive batch traffic (e.g. replication, UDP packets)
  - Packet loss possible
- Category Default
  - Non-classified traffic
  - High packet loss on congestion, best effort

Slide 37: WAN incident determination
(Diagram)

Slide 38: Firewall
- Firewall types
- Standard used FW
- Checkpoint ProviderOne
- Usage of FW

Slide 39: Types of existing Firewalls
- Software
  - Checkpoint Firewall-1 (diverse versions)
  - Cisco PIX
- Operating Systems
  - Checkpoint Secure Platform (SPlat)
  - Sun Solaris
  - Microsoft Windows
  - Linux
  - Nokia IPSO
  - Cisco PIX Firewall OS
- Hardware
  - PC architecture
  - Sun
  - Nokia
  - Cisco PIX
  - IBM x-Series Servers

Slide 40: Checkpoint - ProviderOne
- Easy centralized management
- Stores all FW rule sets
- Central logging
- Multi-platform management (Nokia, SPlat)

Slide 41: Checkpoint - ProviderOne
(Screenshot)

Slide 42: Checkpoint - ProviderOne
(Screenshot)

Slide 43: Usage of Firewalls
- All network environments (Internet/DMZ/corporate networks)
- Secure separation of networks
- Advanced security (not only ACLs – access control lists)
- Implementation of stateful FW
- VPN implementation – VPN concentrators

Slide 44: IP Services (IPSE)
- DNS/DHCP
- NTP
- Proxy

Slide 45: QIP – central management for DNS/DHCP
- One central QIP management server (with backup feature)
- The structure-based implementation of QIP makes it possible to use other QIP servers that report to the QIP management server
- Location types:
  - Less than 250 users: DHCP via IP helper
  - Less than 499 users: local DHCP server or IP helper
  - More than 500 users (super location): local DHCP provided by redundant servers
- Rules
  - Static addresses for servers and active network devices
  - Dynamic addresses for PCs and printers
- DNS management
  - Central management of all DNS records
    - 2nd level domain (customer.com)
    - Sub-domains (location.customer.com)
  - Domain management can be delegated to another server

Slide 47: NTP
- Time synchronization service
- NTP is installed on the intranet DNS servers
- NTP can be distributed per domain to different servers (location based)
- More than one NTP server per location provides redundancy; an internet backup is also possible

Slide 48: Proxy Solution
- In the past the main purpose of proxy servers was better utilization of WAN lines (http proxy)
- Today proxy servers are used to provide secure and load-balanced connections
- We can recognize two types of proxies
  - Transparent (acts as a proxy for any traffic – mainly SOCKS proxies)
  - Passive (the proxy is used only if the application provides such functionality – http/ftp)

Slide 49: Network Security
- Configuration standards
- Checking of the real configuration
- Up-to-date SW/HW
- User revalidation

Slide 50: Network Security – Standard configuration
- General rules
- Applicable to different HW/OS
- Pre-defined standards for Cisco, Nortel, IPSO and other platforms

Slide 51: Network Security – Checking actual configuration
- Correct setup of new devices in the network
- Revalidation is done at least every half year
- Documentation of findings
- Corrective actions if applicable

Slide 52: Network security – Current versions of SW/HW
- Monitoring for new information/releases
  - Patches
  - New versions
- Risk management
- Planning upgrades

Slide 53: Network Security – User revalidation
- Quarterly revalidation of whether users still exist – user verification
- Yearly revalidation of whether users still need access – business need
- Storing of evidence
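As an added illustration of checking an actual device configuration against a pre-defined standard (the process of slides 50 and 51), the following Python script compares an IOS-style configuration with a small rule set. This is example code, not IBM's standard or tooling; the rule ids, the baseline rules and the sample configuration are all constructed for the example.

```python
import re

# Constructed baseline rules standing in for a platform configuration standard.
# Each rule: (rule id, regex a config line must / must not match, finding text).
REQUIRED = [
    ("PWD-01", r"^service password-encryption$", "plaintext passwords not encrypted"),
    ("AAA-01", r"^aaa new-model$", "AAA (TACACS/RADIUS) not enabled"),
    ("LOG-01", r"^logging host \S+$", "no remote syslog host configured"),
    ("NTP-01", r"^ntp server \S+$", "no NTP server configured"),
]
FORBIDDEN = [
    ("HTTP-01", r"^ip http server$", "cleartext HTTP management enabled"),
    ("SNMP-01", r"^snmp-server community \S+ RW$", "read-write SNMP community"),
    ("VTY-01", r"^\s+transport input (all|telnet)\b", "telnet allowed on VTY lines"),
]


def check_config(config_text):
    """Return a list of (rule id, finding) for one device configuration.

    Required rules produce a finding when no line matches; forbidden rules
    produce one finding per matching line, so the offending line is documented.
    """
    lines = [line.rstrip() for line in config_text.splitlines()]
    findings = []
    for rule_id, pattern, text in REQUIRED:
        if not any(re.match(pattern, line) for line in lines):
            findings.append((rule_id, "missing: " + text))
    for rule_id, pattern, text in FORBIDDEN:
        for line in lines:
            if re.match(pattern, line):
                findings.append((rule_id, "present: " + text + " (" + line.strip() + ")"))
    return findings


# Constructed sample of an IOS-style running config with several deviations.
SAMPLE_CONFIG = """\
hostname sw-dal-01
ip http server
snmp-server community public RO
snmp-server community secret123 RW
logging host 10.0.0.5
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for rule_id, finding in check_config(SAMPLE_CONFIG):
        print(rule_id, finding)
```

Each finding carries the rule id so that the documentation of findings and the corrective action can reference the standard directly.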
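As an added example of the user revalidation cadence on slide 53 (quarterly user verification, yearly business-need check, stored evidence), the Python below flags overdue revalidations over a constructed account list. It is illustration code, not the author's or IBM's process; the field names, the 90/365-day periods and the sample accounts are assumptions made for the example.

```python
from datetime import date, timedelta

# Assumed interpretation of "quarterly" and "yearly" from the slide.
EXISTENCE_PERIOD = timedelta(days=90)
BUSINESS_NEED_PERIOD = timedelta(days=365)


def revalidation_status(account, today):
    """Return the revalidation types that are overdue for one account record.

    account is a dict with the constructed fields 'user', 'exists_verified' and
    'need_verified' (dates of the last completed checks, or None if never done).
    """
    overdue = []
    for field, period, label in (("exists_verified", EXISTENCE_PERIOD, "user verification"),
                                 ("need_verified", BUSINESS_NEED_PERIOD, "business need")):
        last = account.get(field)
        if last is None or today - last > period:
            overdue.append(label)
    return overdue


def revalidation_report(accounts, today):
    """Map each user to its overdue revalidations; an empty list means compliant.

    The returned dict is the evidence record the slide asks to store.
    """
    return {a["user"]: revalidation_status(a, today) for a in accounts}


# Constructed sample of a device-access account list as of a fixed date.
TODAY = date(2016, 5, 3)
ACCOUNTS = [
    {"user": "noc-l1-anna", "exists_verified": date(2016, 3, 1), "need_verified": date(2015, 9, 1)},
    {"user": "l2-martin", "exists_verified": date(2015, 12, 1), "need_verified": date(2016, 1, 15)},
    {"user": "vendor-tmp", "exists_verified": None, "need_verified": date(2015, 4, 1)},
]

if __name__ == "__main__":
    for user, overdue in revalidation_report(ACCOUNTS, TODAY).items():
        print(user, "OK" if not overdue else "overdue: " + ", ".join(overdue))
```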
Slide 54: Typical problems LAN/WAN
- Slow network
  - LAN
  - Internet/WAN
- Device unreachable - LAN
- Location unreachable - WAN

Slide 55: SSO for FI MU 5/3/2016
Questions?