Data Dial Tone is OTS Network Services's term for local area network services provided to customer agencies. It is currently available in selected buildings in Capitol Park in metro Baton Rouge. OTS/NS has adopted an architectural model for campus-based, high-availability enterprise networks. OTS/NS provides all local area network services from the cable that plugs into the network interface card (NIC)of the PC or network printer, through the building, to the Shared Data Centers, and to the Internet. The speed of access is fast Ethernet (100Mbps) unless 10Mbps access is specified by the user agency. All connectivity in the core of the network is via fiber and is running at gigabit Ethernet speeds (1000Mbps).
Station wiring is provided in State buildings according to the tenant agency service requirements. As a standard, two data ports and one voice port with a minimum of Category 5 Enhanced type cable shall be installed at each occupied drop or work location within a building. OTS/NS provides all copper and fiber patch cables in the closets, as well as lobe cables from work station data ports to each network interface card. All data ports in each work area are labeled and correspond to labels in the wiring closets. Additional drops installed after initial building occupation shall be coordinated through OTS/NS, but shall be done at the expense of the requesting agency.
Fiber is used within each building for vertical connectivity between Main Distribution Frame (MDF) closets and Intermediate Distribution Frame (IDF) closets on each floor. The buildings served by Data Dial Tone in Capitol Park are also interconnected with multiple strands of fiber optic cable.
Communications among data centers located at the Information Services Building (ISB) at 1800 North Third Street in downtown Baton Rouge, the Department of Public Safety (DPS) on Independence Boulevard in mid-town Baton Rouge, and at LSU are achieved using Gigabit Ethernet links over leased fiber and State-owned Dense Wave Division Multiplexing (DWDM)equipment.
Infrastructure Equipment OTS/NS has deployed access switches supporting Layer 2 to provide 10/100 Ethernet services to desktop devices and network printers. OTS/NS does not plan to maintain a one-to-one correlation between all data ports in a particular building and available switch ports. Therefore, it is likely that patch cables will have to be added or moved in the event that a networked device is moved within a building (see Service Orders).Each workgroup switch is dual-homed to a pair of switches at the building aggregation level. Each building aggregation switch is dual-homed via Gigabit Ethernet links to the core network located in the ISB.
Each building aggregation switch is further dual-homed via Metro Ethernet links to the DPS data center, providing, at a minimum, Internet access under disaster conditions leaving the core network at ISB unavailable. Data Dial Tone agencies located in state-owned Capitol Park buildings will have network access to any diverse resources they have proactively located within the DPS data center. All aggregation and core devices support Layer 3 switching (IP routing). Redundant and diverse core networks, one at the ISB and one at DPS, are connected to redundant LSI Gateway switches via Gigabit Ethernet links for Internet access provided by diverse vendors.
OTS/NS has deployed one of a set of standard network architectures, composed of Layer 2 switching and Layer 3 routing, to provide Data Dial Tone service for agencies located in non-state-owned or non-Capitol Park buildings within the Baton Rouge (225) Local Access and Transport Area (LATA). Such agencies' network connections will be single-homed via bandwidth-customized links and aggregated within the ISB.
Location of Agency Resources
An effort is underway to centralize and consolidate the State's data processing resources at two Shared Data Centers within the State. The first is located at the ISB. The second is at the DPS data center. Agencies that subscribe to Data Dial Tone services will locate all shared resources, servers, printers, mainframe computers and other resources at these Shared Data Center facilities. Agency servers may be located in a building served by Data Dial Tone only when they are used exclusively by tenants of that same building; all shared or public servers must be located at the agency data center in the shared facilities. See
OIT policy IT-POL-002.
OTS/NS supports Data Dial Tone services 24 hours a day, 7 days per week. The network should be available at all times, with the exception of network maintenance intervals. For more details see
Ethernet (10/100/1000 Mbps) is the only Layer 2 LAN protocol supported by Data Dial Tone service; no token-ring or other LAN protocols are used. TCP/IP is the only Layer 3/4 protocol supported by Data Dial Tone services. Other protocols (SNA, IPX) must be encapsulated in IP for transport across the Intranet network.
Ethernet Port Configuration
Due to incompatibilities with various implementations of Ethernet auto-negotiation, OTS/NS will configure all desktop access switch ports to operate at 100Mb full duplex. In order to insure compatibility, agencies must also configure the network interface cards of all their devices to operate at 100Mb full duplex rather than allowing auto-negotiation. If the agency has legacy devices that will not support 100Mb, they should request that those specific ports be configured differently.
Virtual LANs are used in all Data Dial Tone buildings and Shared Data Centers. VLANs are not shared by multiple agencies, so each workgroup access switch in a building closet or Shared Data Center may support multiple VLANs. VLAN Tagging as defined by the IEEE 802.1Q standard is used to trunk VLANs between access and aggregation switches as necessary. In the Data Dial Tone buildings a given VLAN does not appear in multiple workgroup switches (i.e., VLANs are not spanned). This creates smaller broadcast domains and reduces the potential for spanning tree issues. In the Shared Data Centers where it is beneficial to provide connection redundancy for critical servers and separation of network connections for clustered servers, VLANs are spanned across multiple access switches.
OTS/NS shall implement a private addressing scheme for all Data Dial Tone subscribers. Each agency shall be assigned private and public address ranges appropriate to the size of their agency. Agencies must re-address their devices prior to moving subscribing to Data Dial Tone services. Private to Public Network Address Translation (NAT) and Port Address Translation (PAT) will take place within the OTS/NS-managed firewalls that divide the State's secure Intranet (LSI) from the Internet. For more details see
IP Addressing Technical Standards.
OSPF is the routing protocol used between Layer 3 switches. The access switches in each building and in the data centers function solely at Layer 2, providing Ethernet connectivity from agency devices to the aggregation switches. The aggregation switches utilize OSPF to route between access switches as well as out of the building or data center to the core switches. The network core is purely Layer 3/OSPF.
Each agency that wishes to have Internet connectivity must subscribe to the LaNet via Data Dial Tone service. Internet traffic for each agency is rate-limited based on that agency's IP subnet(s) according to the level of bandwidth to which the agency subscribes. The rate limit is applied to both outgoing and incoming Internet traffic.
OTS/NS has created a "de-militarized zone" or DMZ between the Internet and the State's internal network or Intranet. This DMZ is defined as an area off the OTS/NS firewalls that is more secure than the "outside" (Internet) and less secure than the "inside" (Intranet). DMZ access is available both at the ISB and at DPS. All publicly accessible servers must reside in this DMZ. Agencies connect their server(s) directly to OTS/NS's DMZ switch at ISB or DPS. Each agency is configured as a separate logical DMZ in order to provide maximum security between servers of different agencies. Incoming traffic is routed only to the appropriate agency's physical ports off the DMZ switch(es). Traffic is not allowed to pass from one agency to another agency within the DMZ without first going through the OTS/NS firewalls. Public IP addressing is used in the DMZ (see IP Addressing Policy ). Each agency pays a per port charge for each device connected to the DMZ. In addition, the agency pays for the aggregate Internet bandwidth required for all devices located in the DMZ.
Shared Areas in Buildings
At an agency's request OTS/NS will provide Internet Only access from areas like conference rooms, training rooms, and other similar locations that will be shared by multiple agencies within a building. Those VLANs designated as Internet Only are outside of any agency's IP range and do not have access to any agency's private resources. Access to agency internal resources requires use of a Virtual Private Network. Alternatively, an agency may request that a port in a shared area be activated in their private VLAN. However, anyone who uses that area will then have access to the agency's network. OTS/NS does not recommend this solution.
OTS Network Services provides wireless LAN (WLAN) access in OTS/NS managed Data Dial Tone buildings. The service is designed for building residents and authorized guests. OTS/NS will not provide "open" wireless access for the general public. WLAN access may be set up for private agency access or for guest internet use (Internet Only). Guests to the Capitol Park must be authorized by the hosting agency to use WLAN access. The agency must request an Internet Only SSID with a WPA2 Pre-Shared Key (PSK) to serve wireless guests. Users connected to a public Internet Only SSID will not be able to access resources in the private LAN without a VPN connection. Employees accessing a private SSID will be required to authenticate via WPA2 Enterprise and will have direct access to internal agency resources. Agencies may be assigned one SSID for private agency access and one SSID for Internet Only access. Those with a business need for additional SSIDs should email firstname.lastname@example.org. Wireless access charges are based on the number of simultaneous users on a WLAN network (per SSID). Each agency’s Data Dial Tone service will include 27 each of private and public simultaneous IP hosts free of charge. This is equivalent to a /27 (255.255.255.224) IP subnet minus five reserved or unusable addresses. Refer to Billing Rates for Data Dial Tone to price other options.
Wireless access points will be installed according to a radio frequency (RF) study conducted by OTS/NS that will allow for optimum speed and access on that floor. Installation will be designed to serve the entire area where wireless access is needed. WLAN is offered as a convenience but is not designed to be a replacement for the wired desktop line of service. It is a shared technology and offers best effort service, with no guarantee as to speed of transmission, although OTS/NS plans to place access points at locations which optimize service.
Agencies should not implement their own wireless LAN solutions within Data Dial Tone buildings as they may conflict with OTS/NS solutions and may present significant security risks to the entire network. OTS/NS also suggests that agencies not purchase or use 2.4Ghz wireless telephones as they may interfere with wireless LAN signal.
Virtual Private Networking (VPN)
OTS/NS offers a VPN line of service in order to provide individual clients and branch offices with remote access to agency resources in LSI. Agencies may subscribe to a Group service and/or to a Site-to-Site service. Two VPN concentrators have been deployed for redundancy, one at ISB and one at DPS. The VPN concentrators' public interfaces are placed in a central DMZ at each data center, and the private interfaces connect to the Data Center Aggregation switches.
The Group service is intended for use by individuals who need access to the Intranet from remote locations (home, customer networks, etc). Two options are available for Group access, IPsec or SSL. For IPsec access, each client workstation must have the Cisco VPN client software installed and must be configured with the appropriate group name and password. For SSL access clients use a supported browser and simply https to the public interface of one of the VPN concentrators. At this time SSL access is not supported on the Microsoft Vista or Apple Mac operating systems. Both IPsec and SSL assign the remote client a private IP address within the agency's assigned range, and beyond the login process the user experience is the same for both. An agency may choose to have some clients connect via IPsec and others via SSL. Split tunneling will not be allowed due to the security risk it poses to the internal network. OTS/NS also requires that anti-virus protection be installed and maintained on each remote machine accessing the VPN services. The agency pays a monthly fee for a collective amount of bandwidth to be shared among all of its individual remote users. There is no limit imposed on the number of remote users allowed to use the service.
The Site-to-Site service should be used for connecting small remote offices to the Intranet via an ISP. In this scenario, there is a single VPN termination device (concentrator, router, or firewall) at the remote office which must have a public IP address on the Internet. This device is also connected to the remote office's LAN. The workstations/servers on the LAN access the Intranet through this VPN termination device and are not required to have VPN client software installed. IP addressing on the remote LAN must comply with the LSI IP addressing standard. If existing IP addresses do not comply and conversion is not possible, NAT must be configured on the site-to-site tunnel. Because this service utilizes split tunneling and therefore increases the security risk to the Intranet, the remote site’s Internet connection must be firewalled. In addition, all workstations and servers on the remote network must have anti-virus software installed and signatures must be current. The agency is charged a monthly fee for the bandwidth associated with each site-to-site connection.
OTS/NS configures port security on the workgroup switches in each building to restrict access on each user port to a single but undefined MAC address. End users should not plug hubs, switches, or routers into Desktop or Server ports.
Firewall OTS/NS uses a pair of redundant firewalls to restrict access to the LSI DMZ and Inside networks. By default no sessions generated from the outside (public) network are allowed through the OTS/NS firewall to the inside (private) network. Agencies must make specific requests regarding the source, destination and type of traffic that should be allowed from outside through the firewall to the private network using the NS-30 LSI Firewall Change Request Form found on OTS's website. Most agencies will not require this access. An example of an exception might be for video conferencing sessions that will be initiated from the Internet.
OTS/NS works with each agency to establish appropriate firewall rules which allow public access as needed to each server or device in the DMZ. It is OTS/NS's intention to make the DMZ as secure as possible while allowing specific access to services within the DMZ. By default no sessions generated from the outside (public) network will be allowed through the OTS/NS firewall to the DMZ. Agencies must make specific requests regarding the destination and type of traffic that should be allowed from outside through the firewall to the DMZ using the NS-30 LSI Firewall Change Request Form found on OTS/NS's website.
Agencies should not connect their DMZ servers directly to their internal network via a second NIC. The only secure way for DMZ servers to talk to servers on the Inside of the network is through the OTS/NS firewalls. Those requests must be made using the Firewall Change Request form also. OTS/NS will also provide a pair of redundant firewalls to restrict access from the users inside LSI to each data center. Agencies must make specific requests regarding the source, destination and type of traffic that should be allowed from the LSI user community through the firewall to the agencies' data center resources using the NS-30 LSI Firewall Change Request Form found on OTS/NS's website.
OTS/NS's LSI Intrusion Prevention System (IPS)
The IPS function is to protect critical IT assets within the LSI consolidated data center, identify internal and external threats to the network, and respond to each threat appropriately. It offers real-time in-line inspection of traffic, and is positioned at the LSI consolidated data center and also at the LSI perimeter gateways to the Internet. The system has over 20,000 signatures and derives its database of high risk vulnerabilities from sources such as SANs Institute, Department of Homeland Security (DHS) and Computer Emergency Response Team (CERT).
Events triggered on the IPS are prioritized based on severity level, ranging from Critical to Low. Those events that are known with a high degree of confidence to be malicious are blocked before the inspected traffic can reach the intended targets. When the system identifies a threat, an OTS/NS security engineer will examine the traffic in question and log the event in a daily report. The engineer will then notify the security contact(s) via email at the affected agency and provide detailed information concerning the event. The agency must then determine if the traffic is legitimate as some specialized programs may send traffic that the IPS will incorrectly interpret as a threat (termed a false positive). If the threat is real OTS/NS will work with the agency to determine the best course of action (i.e., remove virus from computers or block traffic).
Remote Access to Agency Resources
For security reasons, remote access is not allowed from either the Internet or by direct access by modem to a PC of an agency that subscribes to Data Dial Tone. The only acceptable remote access is via OTS/NS's VPN services.
Access to Telecommunications Closets
Agency access to building telecommunications closets is not permitted. OTS/NS and its authorized contractors will perform all work in the closets. See the
Telecommunications Room Access Policy
for more details.
The OTS/NS Network Services LAN Support group performs all adds, moves, and changes within the network. There are fees associated with adding, moving, or changing features after Data Dial Tone service is initially established in a tenant building. Refer to the OTS/NS Catalog of Services for rate information. Simple changes, such as activating a new port for a user, involve standard charges and will usually be completed by the next business day. For complex changes, OTS/NS will provide a quotation of the charges to the requesting agency for approval prior to beginning the work. Agencies should submit requests to the OTS/NS Advanced Services Unit using the forms listed below. See the
Service Orders Workflow for more details.
NS-25 Data Dial Tone Service Order Form
NS-30 LSI Firewall Change Request Form No fees associated with firewall change requests
The OTS Network Services LAN Support group provides day to day support for Data Dial Tone services, including problem determination and repair. OTS/NS also contracts with the Office of Computing Services' (OCS) Centralized Monitoring Service (CMS) within the Division of Administration (DOA) to monitor all network elements within LSI and to provide a call center for Data Dial Tone trouble reporting. When LAN problems are reported to an agency's IT department, those personnel should review the problem and try to determine if it is a network issue. Network problems should then be reported to the CMS group. See the
Trouble Reporting Workflow for more details.