Educause Security Discussion mailing list archives

Contingency Management/Fault Tolerant Network Access Control Architectures


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 30 Mar 2005 11:05:39 -0500

On our campus, the communications infrastructure is
centralized. That has allowed us to use what is
basically a star distribution system emanating
from two core routers.

To help meet contingency and availability goals, we
are adding additional machine rooms. To go along with
that, it has been proposed to dedicate routers to those
machine rooms, connect them in a mesh, and use Cisco's
HSRP to provide automated failover capabilities.

Without going into too much detail on the list, our
present network access controls depend a lot on large
Cisco ACLs on several VLANs feeding the machine rooms.
VLANs are defined for particular types of hosts with
common security and access needs.

In the past, we've trunked the same vlans to different
machine rooms allowing us to use one ACL set for each
vlan regardless of geographic location. With the proposed
HSRP configuration, this will no longer be possible
meaning multiple large ACL sets will need to be duplicated
at each machine room router and expanded to provide the
meshed access. This is looking very ugly and I'd like to
look at alternatives. Complexity and the resulting
mean-time-to-repair and mean-time-between-failures
may hurt uptime more than potential failures.

Any opinions on alternatives? ;)

Some thoughts that come to mind:

1) Using discrete firewall appliances.
   Con - Expensive. Multiport boxes would be needed at
   each machine room and unless duplicated would ruin
   the fault tolerance we are trying to attain.

2) Collapse the different system definitions so that
   central systems would all be on the same network
   reducing the number of firewalls/ACL sets needed
   at each location.
   Con - various systems of varying sensitivity and trust
   would be on the same network.

3) Other network topologies that provide fault tolerant
   communications but still allow vlan trunking and
   presence in multiple geographic locations.

4) Cisco firewall blade in multiple HSRP routers in a
   fault-tolerant configuration.
   Con - expensive and complicated

If you'd be willing to talk about how you are providing
network access controls to your machine rooms, particularly
if you have multiple machine rooms in a contingency management
configuration, and how the scheme is working out for you
that would be great. I know this is sensitive so off-line
or telephone conversations are perfectly understandable as
well as any reluctance to discuss this at all. But if
you're willing to discuss it, I'd very much appreciate it.

Thank you for any ideas.
540-568-2364


--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
