Network Redesign Project: a Conceptual Overview
An outline of and the guiding principles behind ITS's design for a new campus network infrastructure.
The current Lafayette network infrastructure was installed in 2000 and is at the end of its 5-7 year lifecycle. The current network's utility is compromised by aging hardware and by its inability to implement many important developments in network standards that have emerged over the past six years. Speed, monitoring, security, admission control, wireless, Internet2, cluster computing, and videoconferencing are just some examples of technologies and design practices that were not available or not mature in 2000 but are necessary today.
The research and teaching objectives of faculty are more and more dependent on technology, whether for data acquisition, artistic expression, film production, statistical analysis, or the study of a foreign language. The college network infrastructure has become a necessary condition for, and enabler of, student learning, faculty scholarship, and administrative effectiveness. It is within this context that the strategy and objectives for the Network Redesign Project are outlined.
Components of a Successful Project
There are four major requirements for the design of a successful campus network: accessibility, reliability, security and scalability.
Accessibility
Two major factors affecting accessibility are speed and quality of service. Currently, the Lafayette network has a 4 Gbps backbone, 1 Gbps uplinks from buildings to the backbone, and 100 Mbps to the desktop (with few exceptions where there is 1 Gbps to the desktop). Our Internet connectivity consists of two connections, one 24 Mbps and one 25 Mbps, for an aggregate of 49 Mbps.
Networks today typically have backbones in multiples of 10 Gbps and 1 Gbps to each desktop system. Our new network design will include a backbone upgrade to 10 Gbps and standard desktop connections of 1 Gbps. The backbone upgrade can be done using existing fiber; to increase throughput speeds we only need to upgrade the hardware which "lights" the fiber, not the fiber itself. To support the 1 Gbps to the desktop upgrade, uplinks from each building will also be increased, likely to 2-20 Gbps depending on the population density of the building.
Considerations for the new network include expanded Internet bandwidth. The demand for Internet bandwidth continues to rise, but as with other commodities, the price per megabit is declining. A well-considered budgeting and technology plan to accommodate this growth and the changing economics of the bandwidth marketplace is integral to the new network plan. Recently we were able to secure a new Internet connection that will allow us to increase our connection to 125 Mbps for the same price we are currently paying for 24 Mbps. This connection will likely be activated some time in spring/early summer of 2007, and will have the capacity to grow to speeds up to 1 Gbps. Our Internet edge infrastructure must be rebuilt to permit an increase in Internet bandwidth.
The other integral component of accessibility is Quality of Service, commonly referred to as QoS. Quality of Service is a policy-driven aspect of networking, and will involve integrating policies and institutional objectives that are developed over time. In basic terms, QoS allows for the enforcement of policies that guarantee different levels of service for different applications. For example, we may want web traffic to have priority over peer-to-peer (P2P) traffic. On a network without QoS, there is no way to enforce such a policy. QoS will allow us to provision network performance based on the nature of the traffic. Voice over IP (VoIP), videoconferencing, and other real-time applications need their packets delivered with low, predictable delay and minimal loss in order for the audio and/or video to be clean and seamless; to these applications a packet that arrives late is as useless as one that is lost. These applications require QoS enforcement. While the current network is unable to provision QoS, the new network infrastructure will not only support QoS, it will allow us to develop and set scalable and centralized QoS policy.
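The following is an added illustration, not part of ITS's plan or of any vendor's QoS implementation: a small simulation of one congested uplink that serves the same traffic first with plain first-in-first-out queueing and then with strict priority for voice. The 10 Mbps link rate, the packet sizes and the arrival pattern are assumptions chosen to keep the arithmetic exact.

```python
# Added example (not part of ITS's design documents): a small deterministic
# link simulator comparing first-in-first-out service with strict-priority
# queueing.  Link rate, packet sizes and the arrival pattern are constructed.
from collections import deque

LINK_BPS = 10_000_000   # 10 Mbps toy uplink (assumption)
VOICE_BYTES = 200       # roughly one G.711 voice frame with RTP/UDP/IP headers
BULK_BYTES = 1500       # full-size data frame from a file transfer


def serialization_us(size_bytes):
    """Microseconds needed to clock size_bytes onto a LINK_BPS link."""
    return size_bytes * 8 * 1_000_000 // LINK_BPS


def build_arrivals():
    """Constructed traffic mix: a burst of 40 bulk packets at t=0 (a file
    transfer starting) plus one voice packet every 20 ms.  Returns a list
    of (arrival_us, traffic_class) sorted by arrival time; the sort is
    stable, so the bulk burst precedes the voice packet that shares t=0."""
    arrivals = [(0, "bulk")] * 40
    arrivals += [(t, "voice") for t in range(0, 100_000, 20_000)]
    return sorted(arrivals, key=lambda a: a[0])


def simulate(arrivals, priority):
    """Serve packets over one link and return the worst queueing delay
    (microseconds) seen by each class.  priority=False is a plain FIFO;
    priority=True always serves a waiting voice packet before bulk."""
    pending = deque(arrivals)            # not yet arrived, in time order
    queued = []                          # arrived and waiting, in arrival order
    clock = 0
    worst = {"voice": 0, "bulk": 0}
    while pending or queued:
        while pending and pending[0][0] <= clock:
            queued.append(pending.popleft())
        if not queued:
            clock = pending[0][0]        # link idle: jump to the next arrival
            continue
        if priority:
            idx = next((i for i, p in enumerate(queued) if p[1] == "voice"), 0)
        else:
            idx = 0
        arrived, cls = queued.pop(idx)
        worst[cls] = max(worst[cls], clock - arrived)
        clock += serialization_us(VOICE_BYTES if cls == "voice" else BULK_BYTES)
    return worst


def compare():
    """Run both queueing disciplines on the same traffic."""
    return {
        "fifo": simulate(build_arrivals(), priority=False),
        "priority": simulate(build_arrivals(), priority=True),
    }


if __name__ == "__main__":
    for name, worst in compare().items():
        print(f"{name:9s} worst voice delay {worst['voice']:6d} us, "
              f"worst bulk delay {worst['bulk']:6d} us")
```

Under FIFO the first voice packet waits behind the entire 40-packet file-transfer burst (48 ms here), far beyond what a voice codec's jitter buffer can absorb; under strict priority it waits at most for the one bulk packet already on the wire (1.2 ms), while the bulk transfer finishes at essentially the same time as before. The caveat a practitioner would add is that a strict-priority queue must itself be rate-limited, or a host that marks bulk traffic as voice can starve every other class; this is one reason trusted marking boundaries and admission control belong in the same design as QoS.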
The current network has many bottlenecks that have prevented us from keeping pace with the technology demands of faculty and students in their teaching and learning. The planned improvements in speeds from the edge to the core to the Internet, as well as the implementation of QoS across the network, will be one of the most notable features of the new network, and one that will enable us to meet increasing demands on the technology infrastructure.
Reliability
Reliability in networking generally refers to keeping systems and services up so that they are always available. Disaster recovery and business continuity are a part of reliability, but there are also components of networking reliability that are more focused on daily access to systems and keeping those systems running under heavy loads, system failures, upgrades, replacements, etc. Although less serious than a disaster recovery scenario, daily reliability is equally important to network users.
Redundant systems are a critical component of a reliable network. From the core to the Internet edge, switches, routers, servers, and systems can be designed with fail-over capability that would allow for higher reliability. Part of our planning process has involved an analysis of what systems need to be highly reliable and at what cost. From a basic network infrastructure view, the cores will be redundant—a network with increased reliability will be a much more robust network.
A highly available and reliable network infrastructure has environmental requirements. Power, emergency power generation, heating, cooling, and security all play a role. Sometimes these factors are overlooked in a network project, but by keeping them at the front of our planning, the new network will be more reliable and our technology investments will be better protected.
The last component of a reliable network is a network monitoring system. Such systems enable network staff to gain intelligence about trends in network use, bottlenecks, and growth. This information will be invaluable in helping sustain the investment made in the new network and will allow us to scale and modify the network based on the changing needs of the college. The type of information gained from network monitoring plays a crucial role in developing QoS policy, continued network development, and strategic planning for technology, and will be a critical component in the success of the project.
Security
Any good network design should incorporate multiple layers of security. One major and highly visible layer is admission control, the term given to a system that determines whether a device attaching to the network is free of known malware and unpatched vulnerabilities and belongs to a known user. In order to gain access to the network, a device must pass a posture validation which (for example) would verify that operating system and application patches are up to date and that the approved virus scanner is installed and current. Once a device passes the validation, the user or device must authenticate, that is, demonstrate her/his/its identity. In this way devices can be assigned a level of network access and QoS dictated by the roles associated with their users, and a device that fails validation can be kept apart from the rest of the network until it is remediated.
Even known users and devices with reasonably up to date systems sometimes misbehave or become victims of attacks. Using security devices that work in concert with each other, security events can be correlated, making incident handling easier and thereby reducing exposure. Security breaches and data theft can often lead to negative publicity as well as legal action. This makes the ability to track security events, if not prevent them outright, even more important. In addition, there are a number of regulations that govern securing data stored on or transmitted over a network, including HIPAA, FERPA, the Gramm-Leach-Bliley Act (GLBA), and others. The network will comply with these regulations and be able to accommodate emerging requirements such as CALEA.
The current network has firewalls and intrusion prevention and detection systems in place, but they all act and report independently of one another. Multiple systems must be monitored and events must be manually correlated. This is a time-intensive process, and can often lead to missed diagnoses. The new network will include technology that can be used to centrally manage security infrastructure and help mitigate events while they are in progress.
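As an added example (not ITS's tooling and not the log syntax of any particular firewall or IDS product), the script below shows the kind of correlation the centralized system is meant to perform: it normalizes constructed firewall-deny and IDS-alert lines into one event shape, groups them by source host, and raises an incident only when two independent sensors report the same host inside a five-minute window.

```python
# Added example (not ITS code or any product's syntax): correlate events that
# separate sensors report independently.  Log lines and formats are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a firewall denying a short burst from one host, an IDS
# alert on the same host half a minute later, and two unrelated events.
FIREWALL_LOG = """\
2007-03-12T09:15:02 fw1 DENY src=10.20.30.40 dst=172.16.5.10 dport=445 proto=tcp
2007-03-12T09:15:03 fw1 DENY src=10.20.30.40 dst=172.16.5.11 dport=445 proto=tcp
2007-03-12T09:15:04 fw1 DENY src=10.20.30.40 dst=172.16.5.12 dport=445 proto=tcp
2007-03-12T09:40:10 fw1 DENY src=10.20.30.99 dst=172.16.9.1 dport=23 proto=tcp
"""
IDS_LOG = """\
2007-03-12T09:15:31 ids1 ALERT sid=2001 msg="SMB worm propagation attempt" src=10.20.30.40 dst=172.16.5.20
2007-03-12T11:02:00 ids1 ALERT sid=3005 msg="Suspicious HTTP user agent" src=10.20.31.7 dst=172.16.8.3
"""

FW_RE = re.compile(r"^(\S+) (\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)")
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)')


def parse_events(fw_text, ids_text):
    """Normalise both log formats into one event shape, sorted by time."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, sensor, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                           "kind": "fw_deny", "src": src, "dst": dst,
                           "detail": f"dport={dport}"})
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, sensor, sid, msg, src, dst = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                           "kind": "ids_alert", "src": src, "dst": dst,
                           "detail": f"sid={sid} {msg}"})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=5), min_sensors=2):
    """Group events by source host and raise one incident per host when at
    least min_sensors different sensors report it within `window`.  A host
    seen by only one sensor stays below the threshold, which keeps the stray
    firewall deny and the lone IDS alert out of the output."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            sensors = {e["sensor"] for e in span}
            if len(sensors) >= min_sensors:
                incidents.append({"src": src, "first": span[0]["ts"],
                                  "last": span[-1]["ts"],
                                  "sensors": sorted(sensors), "events": span})
                break
    return incidents


def run():
    return correlate(parse_events(FIREWALL_LOG, IDS_LOG))


if __name__ == "__main__":
    for inc in run():
        print(f"INCIDENT src={inc['src']} sensors={inc['sensors']} "
              f"{inc['first']:%H:%M:%S}-{inc['last']:%H:%M:%S}")
        for e in inc["events"]:
            print(f"  {e['ts']:%H:%M:%S} {e['sensor']} {e['kind']} -> {e['dst']} {e['detail']}")
```

Correlation by a shared key inside a time window is deliberately conservative: the lone Telnet deny and the lone HTTP alert stay below the two-sensor threshold, while the host seen first probing port 445 and then tripping the IDS becomes a single incident with all four events attached for forensics. In practice the same join runs against admission-control records as well, so the incident can name the authenticated user rather than only an address.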
Demand for Virtual Private Networks (VPNs) has also been on the rise. Many administrative departments have asked for remote access to college IT resources, and a VPN solution would allow secure access. A scalable, cross-platform, integrated, and secure VPN is included in the new network design.
No matter how well planned and executed the network security strategy, no network is completely immune to security breaches. When breaches occur, they must be identified, reported, and acted upon, and evidence must be available for post-event forensics. The absence of any ability to do this today is perhaps the highest risk factor with our current infrastructure and a primary driver for the swift completion of the upgrade from both IT support and business/legal perspectives.
Scalability
Any good network is designed for longevity and growth. A properly executed plan can make the initial investment last much longer and includes a clear upgrade path as well as a thoughtful approach to network expansion. The new network will be able to grow to meet user demands without requiring a redesign of the entire network. A best practice is to implement a modular design in which the whole network is built out of smaller pieces, each containing its own specialized function. These smaller modules are connected together, creating a larger, scalable whole. Managing the day-to-day operations of the network as well as troubleshooting problems becomes easier using this design method. This design methodology has a long history in computing and is well documented in modern campus network design guides.
In contrast to this scalable, modular design, the current network's design is monolithic, with few parts performing many functions. Adding to the network requires redesigns of large portions of the network, while additional features or redundancy must be retrofitted. By adopting a modular design, features can be added without impacting the entire network. Bandwidth and redundancy can be upgraded or added, and new locations can be added, all with little or no service interruption. This will increase the useful lifetime of the network and make network growth a logical extension of the original design.
Why are we doing this?
There will be many benefits for the College once the Lafayette Network Redesign Project is complete. Aside from the many technical benefits that come with an upgrade such as this, the new network will enable the support of a variety of new applications to advance the use of technology in teaching, research, learning, and productivity in the workplace.
Speed and QoS enhancements will enable real-time technologies like Voice over IP (VoIP), HD videoconferencing, and HD video streaming. iTunes U, a repository of multimedia created by the college and hosted offsite, will require the ability to upload and download large files on demand. Increased use of video streaming and multimedia in the classroom and a rising demand for videoconferencing will require more network capacity. A faster network will allow us to take greater advantage of the wealth of resources available through our connectivity to Internet2. Not only will we be able to do more with videoconferencing over Internet2, but remote instrumentation and R1 research tools will be more accessible and reliable for use in teaching and research at Lafayette.
Improved throughput will also allow us to support the movement of large amounts of data across the network. Applications that require this level of speed include GIS, data acquired from lab equipment (both locally and via I2), CAD, and art and multimedia projects. The primary media for an increasing number of artists are rooted in technology. Creation, storage, exhibition, printing, and performance of artistic works is increasingly dependent on a technology infrastructure that is fast and reliable.
Another demand for moving large files is the use of video editing projects across the curriculum. This growth area for Instructional Technology will benefit from the new network design, as video editing and access to raw footage will be possible from anywhere on campus, not just from specialized high-speed segments of the network. An expected SAN (Storage Area Network) will allow us to support the centralized storage of massive amounts of data; the need for high-speed and reliable access to large data stores permeates the college and will be at the center of what we do with technology in the next few years.
Many new services cannot be implemented until the network infrastructure can support them. A robust network will allow Athletics to employ video broadcasting and e-ticketing; location-based services using wireless could be made available for campus tours; demand for streaming content is on the rise from the academic as well as the administrative side; and many aspects of IT support and management are dependent on a new infrastructure.
As a residential college, we also have an obligation to provide a robust network for the social and residential life of our increasingly tech-savvy students. From gaming to surfing, video chatting, Facebooking, instant messaging, and email, college students have come to expect a certain level of technology in their residential and social lives. It is critical that we recognize the importance of the network to the residential and recreational lives of our students.
Summary
As we embark on the Lafayette Network Redesign Project in conjunction with the College's strategic planning process, we will be able to more tightly weave together the goals and needs of the college as outlined in the planning process with the proper technology infrastructure to support those goals. A well designed network will enable Lafayette to move to the front of technology innovation in teaching and learning, and to create an exciting new environment for student and faculty research. It will also help to support the increasing demand for technology from the College's administrative division and in the residential lives of our students. Once completed, this project will have a profound effect on the college and all of its constituencies, and will be an investment that will yield benefits for years to come.
Technology Strategies
Authentication
Problem – With an increasing number of networked resources and an increasing number of regulations governing access to and transmission of data, authentication has become a critical component of network services. Security experts have been advocating the development of a strong, single user ID and password to address the growing complexity in network authentication. However, the more systems a single set of credentials unlocks, the more valuable it becomes to an attacker and the more carefully it must be protected. Federated Identity, or the ability for colleges and universities to share credentials to promote collaboration, will play a role as we develop authentication systems at Lafayette.
Current Status – Today we are developing a system that will allow us to issue a single user ID and password to each network user. It is standards-based, leveraging LDAP technology, and will allow us to grow to advanced, more secure authentication methods in the future. Most of our systems already use LDAP credentials, including Novell, email, web applications, and wireless. We have also begun to implement the eduPerson schema in LDAP, which will enable us to move to Shibboleth, the federated identity solution for higher education. The implementation of a campus portal will also take advantage of our existing LDAP solution for authentication.
Future Goals - Technologies like multi-factor authentication, biometrics, or a college-issued token/key are on the horizon for Lafayette. Widespread adoption of Shibboleth in higher education will also play a role in our authentication planning. Further, we are now exploring password policies and reset mechanisms that are easier for end users yet do not compromise security.
Network Access Control
Problem – Knowing what and who is connecting to a network has become integral to the reliability and security of a residential, higher education network such as ours. Provisioning access and service level based on a user's role, as well as on the state of a device (patches, virus prevention software, etc.), has emerged as a common practice to ensure the stability and reliability of the network.
Current Status – We currently have an open-source, mostly home grown solution in place. It can do rudimentary posture validation, and does associate user names with devices. However, we cannot dynamically provision network access and security based on this information. Also, our posture validation cannot accurately assess the patch level or security level of a system. Furthermore, we have no reporting or management system in place, so getting forensics or other information from the system is difficult and time consuming.
Future Goals – We will develop a system that can be flexible, scalable, and that will allow for customization and exceptions. This sector of the networking market is still fairly young, and there seem to be several technologies on the horizon that are not yet fully tested. As the market matures and systems begin to morph towards a standard, we can implement a more robust solution. Our network design plans have been made with a view towards these emerging standards, so we should be in a position to take advantage of a system when the time comes.
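The following added example (not the home grown system described above, nor any vendor's agent) makes the posture-then-placement sequence from the Security section concrete: a policy with explicit freshness thresholds is evaluated against constructed device reports, any missing evidence counts as a failure, and the device is placed on a quarantine VLAN or on a role-based VLAN accordingly. The report schema, thresholds, VLAN numbers and role names are assumptions.

```python
# Added example (not ITS's system): a posture policy evaluated against what an
# admission agent reports about a device, followed by network placement.
# The report schema, thresholds, VLAN numbers and role names are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, FrozenSet


@dataclass
class PostureReport:
    """What the admission agent reports about a connecting device."""
    mac: str
    os_patch_date: Optional[date]   # date of the last OS patch installation
    av_product: Optional[str]       # installed antivirus product, if any
    av_def_date: Optional[date]     # antivirus signature date


@dataclass
class PosturePolicy:
    approved_av: FrozenSet[str]
    max_patch_age: timedelta = timedelta(days=30)
    max_def_age: timedelta = timedelta(days=7)


QUARANTINE_VLAN = 999                       # remediation network (assumption)
ROLE_VLANS = {"faculty": 10, "staff": 20, "student": 30, "guest": 40}


def assess(report, policy, today):
    """Return ('admit', []) or ('remediate', [reasons]).  A missing or
    unparseable item counts as a failure: the device must prove its state,
    the network does not assume it."""
    reasons = []
    if report.os_patch_date is None:
        reasons.append("patch level unknown")
    elif today - report.os_patch_date > policy.max_patch_age:
        reasons.append(f"OS patches older than {policy.max_patch_age.days} days")
    if report.av_product not in policy.approved_av:
        reasons.append("approved antivirus not installed")
    elif report.av_def_date is None or today - report.av_def_date > policy.max_def_age:
        reasons.append("antivirus definitions missing or out of date")
    return ("admit" if not reasons else "remediate", reasons)


def place(decision, role):
    """Map the posture decision and the authenticated user's role to a VLAN.
    Devices needing remediation go to the quarantine network regardless of
    role; an unrecognized role falls back to the least-privileged profile."""
    if decision != "admit":
        return QUARANTINE_VLAN
    return ROLE_VLANS.get(role, ROLE_VLANS["guest"])


def admit(report, policy, today, role):
    decision, reasons = assess(report, policy, today)
    return {"mac": report.mac, "decision": decision, "reasons": reasons,
            "vlan": place(decision, role)}


POLICY = PosturePolicy(approved_av=frozenset({"ApprovedAV"}))
TODAY = date(2007, 3, 12)
SAMPLE_DEVICES = [   # constructed reports paired with the authenticated role
    (PostureReport("00:11:22:33:44:01", date(2007, 3, 1), "ApprovedAV", date(2007, 3, 10)), "faculty"),
    (PostureReport("00:11:22:33:44:02", date(2006, 12, 1), "ApprovedAV", date(2007, 3, 10)), "staff"),
    (PostureReport("00:11:22:33:44:03", date(2007, 3, 1), None, None), "student"),
    (PostureReport("00:11:22:33:44:04", date(2007, 3, 1), "ApprovedAV", None), "visitor"),
]


def run():
    return [admit(report, POLICY, TODAY, role) for report, role in SAMPLE_DEVICES]


if __name__ == "__main__":
    for result in run():
        print(result)
```

Two properties bear on the "customization and exceptions" goal above: every decision carries its reasons, so an exception can be recorded against a specific finding rather than by bypassing the check, and an authenticated user whose role the system does not recognize lands on the guest profile rather than on a privileged one.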
Video Services
Problem – There has been an increasing demand for video editing, video streaming, and video conferencing on campus in recent years. These applications not only require moving large files quickly across the network, they involve time-sensitive transmission of the packets that comprise these files. Video has much higher demands on the network, not only in provisioning backbone and uplink speeds, but also in provisioning QoS on the network.
Current Status – The network today has a very limited capacity to handle video-related applications. Although we support videoconferencing using both commodity Internet and Internet2, we cannot easily provision that technology campus-wide. It requires a highly specialized facility with special networking configuration exceptions that do not scale easily. The same holds true for video editing. It is limited to a single segment of the network in Skillman Library, and cannot scale across the network. Even though scalable technologies now exist in these areas, our current network infrastructure is unable to accommodate them. Video distribution via the campus network is not possible; it is limited to a cable system that is difficult to manage and not integrated with the campus IP network.
Future Goals – Our network infrastructure upgrade was planned with a view to the growing demand for video services on the network. Increased speeds in the backbone and to the desktop coupled with the ability to provision QoS for video will be major improvements. These features will make it possible to explore more robust and advanced IP-based video distribution systems and replace the outdated cable system. This new infrastructure will enable growth in the use of video technologies for teaching, learning, collaboration, and research.
VoIP
Problem – Voice over IP (VoIP) has moved from a cutting edge, expensive technology to a more reliable, secure, and standards-based technology. Many institutions, corporations, and even home users are now starting to adopt VoIP and move away from traditional POTS or PBX-based telephony. As is the case with video applications, the real-time nature of voice calls requires the ability to provision QoS on a network. Also, due to the importance of the phone in communication, and especially as it relates to emergency 911 services, the network must be able to stay up during emergency situations.
Current Status – Today, only our PBX-based phone network has the level of reliability required to deliver phone service. In addition to QoS issues, not all network components have backup generator power. Until such time when we can power the network infrastructure from the core to the edge during a power outage, VoIP at Lafayette will not be a realistic endeavor.
Future Goals – The new network design allows us to provision QoS required for VoIP implementation. We are also configuring network switches to supply the required Power over Ethernet (PoE) used to power VoIP phones. But until the network infrastructure power generation/supply issues are resolved, we will not be able to implement VoIP. We are currently examining the power situation in the critical core locations and will explore the options and costs required to meet the requirements for power.
VPN
Problem – Secure remote access to Lafayette resources is of growing importance for a variety of reasons. These include college employees who require secure access to Lafayette resources from off-campus and from wireless locations on-campus, and emergency preparedness for H5N1, natural disasters, and other personnel-affecting events. Lack of a VPN encourages employees to keep local copies of sensitive data on mobile devices (e.g., laptops and flash drives). Furthermore, account information (usernames and passwords) and data transmitted in clear text over open media such as personal home wireless networks are at risk of being intercepted.
Current Status – The new VPN solution is currently being tested and will soon be ready for wider use.
Future Goals – The new VPN solution will integrate into the new network, will utilize our campus-wide authentication system, and will allow for posture validation on VPN clients. Access to the VPN will be programmatic based on LDAP credentials and roles, making it easier to provision VPN for those who need it. Users will also be able to access the VPN using multiple operating systems and without requiring additional connections to remote workstations on campus.
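As an added example serving both the eduPerson discussion under Authentication and the programmatic VPN provisioning described here (it is not ITS code), the script below reads constructed LDIF entries, keeps the multi-valued eduPersonAffiliation attribute intact, and derives a VPN profile: employees qualify by affiliation, a student can qualify only through an explicit eduPersonEntitlement value, and everyone else is denied. The entries, the entitlement URN and the profile names are assumptions; only the attribute names come from the eduPerson schema.

```python
# Added example (not ITS code): derive a VPN access profile from eduPerson
# attributes read out of LDIF.  The directory entries, the entitlement URN
# and the profile names are constructed; only the attribute names come from
# the eduPerson schema.
LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: jdoe
cn: Jane Doe
eduPersonPrincipalName: jdoe@example.edu
eduPersonAffiliation: employee
eduPersonAffiliation: staff
eduPersonAffiliation: member
eduPersonPrimaryAffiliation: staff

dn: uid=astudent,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: astudent
cn: A. Student
eduPersonPrincipalName: astudent@example.edu
eduPersonAffiliation: student
eduPersonAffiliation: member
eduPersonPrimaryAffiliation: student

dn: uid=bhelper,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: bhelper
cn: B. Helper
eduPersonPrincipalName: bhelper@example.edu
eduPersonAffiliation: student
eduPersonAffiliation: member
eduPersonPrimaryAffiliation: student
eduPersonEntitlement: urn:mace:example.edu:entitlement:vpn-helpdesk
"""

# affiliation -> profile (assumed local policy)
AFFILIATION_PROFILES = [
    ("faculty", "vpn-employee"),
    ("staff", "vpn-employee"),
    ("employee", "vpn-employee"),
]
# entitlement values that grant a profile to someone whose affiliation alone would not
ENTITLEMENT_PROFILES = {
    "urn:mace:example.edu:entitlement:vpn-helpdesk": "vpn-helpdesk",
}


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines and every
    attribute is collected as a list so multi-valued attributes such as
    eduPersonAffiliation keep all their values.  Base64 values (':: ') and
    folded continuation lines are not handled; the constructed data has none."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def vpn_profile(entry):
    """Deny by default: a profile is granted only by a qualifying affiliation
    or by an explicit entitlement value.  Affiliation is checked first so an
    employee's profile is not downgraded by an incidental entitlement."""
    affiliations = set(entry.get("eduPersonAffiliation", []))
    for affiliation, profile in AFFILIATION_PROFILES:
        if affiliation in affiliations:
            return profile
    for entitlement in entry.get("eduPersonEntitlement", []):
        if entitlement in ENTITLEMENT_PROFILES:
            return ENTITLEMENT_PROFILES[entitlement]
    return None


def provision(text):
    """uid -> VPN profile (None means no VPN access)."""
    return {entry["uid"][0]: vpn_profile(entry) for entry in parse_ldif(text)}


if __name__ == "__main__":
    for uid, profile in provision(LDIF).items():
        print(f"{uid:10s} {profile or 'no VPN access'}")
```

Driving access from directory attributes rather than from separately maintained VPN accounts means that a departure or a change of role recorded in the system of record revokes or changes access automatically, which is the property that makes the provisioning programmatic rather than a per-request task for the network staff.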
Wireless
Problem – Wireless networking has been in high demand since its availability in the late 90s. Security, scalability, and interoperability hindered early growth, but the technology has matured to a point where there are general standards and best practices we can follow to grow a robust wireless network.
Current Status – We have completed configuring residence halls with our wireless solution. It works with our campus-wide authentication system and uses standard GRE technology to allow for the central management of access points.
Future Goals – Now that residence hall installations are complete, next up will be the installation of wireless in academic buildings. A survey of each facility and conversations with faculty will help us determine where and when and in what order we should install access points. Outdoor wireless to cover areas like the quad and common areas will likely be part of our wireless planning in the near future.
