CASE STUDIES
Sotelma Edge Router / Firewall Installation
05.15.07

Introduction

Excel Technologie in cooperation with Fiberhaus was selected to deploy a secure edge router and firewall solution to help optimize the current bandwidth issues that exist within Sotelma and secure the edge network against unauthorized access or attack. Additional reporting and reconciliation features were required by upper management to make proactive security and bandwidth decisions. IT staff and network operators needed a scalable solution capable of protecting a government level entity at the edge of the network.

Findings

Sotelma’s existing network configuration did not allow a centralized firewall to be deployed, because there was no separation between the edge networks and the internal core private networks. Multiple routers located across the network controlled external Internet access through a variety of mediums, and multiple default routes existed. This made the project a significant challenge, because the entire network had to be reengineered to provide a truly secure deployment. Fiberhaus recommended that Sotelma consolidate external network access onto a centralized edge router and place a firewall between the edge network and the public/private internal network.

Solution – Edge Routing

Cisco Systems was selected as the vendor to provide the edge router for Sotelma’s network. We selected the Cisco 2811 Integrated Services router for a variety of different reasons.



We were limited by Sotelma’s current network architecture and the E3 connection provided by Sonatel (Senegal), Sotelma’s Internet provider. There were few options in Cisco’s routing portfolio that accepted the EMEA E3 standard. Since this was an edge router and wasn’t providing any core routing, we didn’t need a router with multiple interface support. The 2811, a compact platform, delivers multiple services – including stateful firewall, NAT and hardware-based intrusion detection (IDS) – along with high-capacity WAN transport, obviating the need for multiple separate appliances. Since we were deploying a larger firewall-only solution, the IDS and stateful firewall features were not used, reserving the processing power of the unit for routing duties.

This solution allows Sotelma to add further edge routers when their current bandwidth needs exceed the capabilities of the Sonatel link without the need of a network wide reconfiguration or an extended duration of downtime.

Solution – Firewall

Juniper Networks was selected as the vendor to provide the network-wide firewall product for Sotelma. We selected the Netscreen 204 for its expansion capabilities, high level of availability, policy-based administration, and worldwide support features, to name a few. Given that Sotelma is a government-run telecommunications company, certain requirements had to be met to comply with international standards and to secure internetwork communications, where in the past they had none. The Netscreen’s four interfaces allowed us to use it to secure multiple edge networks and allow Sotelma to expand beyond its one Internet carrier for added availability, redundancy, and capacity. Key features that upper management required were the ability to limit access to certain internal networks and to monitor the activity of all network users across Sotelma’s Internet connection. Given that Sotelma is an ISP of some sort for the country of Mali, we needed a solution that was capable of withstanding many distributed attacks as well as many individual concurrent sessions. Netscreen’s battle-tested units were well up to such tasks.



We positioned the Netscreen in a transparent filtering mode between Sotelma’s current internal network and the new Cisco edge router that we deployed at the end of Sotelma’s network. This way, all traffic traversing the internal and external networks is monitored.

Sotelma manages the landline PTT for the country of Mali as well as serves as a wireless operator for its Malitel product line. In the past, external telecommunications capabilities were facilitated over satellite TDM connections. With the advent of new VOIP technologies, Sotelma has made the decision to migrate over to VOIP origination and termination for its wholesale and intercountry carriers. They needed a solution capable of limiting access to their VOIP networks and preventing illegal VOIP operators from existing on Sotelma’s network. Netscreen’s operating system has full support for VOIP operations and has been deployed to be a security gatekeeper for the network.

Sotelma’s firewall solution needed to be easy to manage through a visual interface and allow network administrators to deploy policies and rules at a moment’s notice.



The Netscreen Security-Manager allows administrators to implement and monitor traffic and security policies on Sotelma’s network from an external workstation and export values to a syslog server for further reporting and analysis. This allows upper management to maintain real-time reporting and proactively make decisions on bandwidth requirements, trends, and protocol models. Sotelma’s further decision to deploy a syslog server for reporting and monitoring was a wise choice, as it allows information to be aggregated and graphs to be generated for easy access to information and a clean presentation of network metrics.



Conclusion

Full deployment of the firewall and edge router solution occurred on June 26th with little downtime to Sotelma’s customers and users. The solution has run flawlessly since its inception, has made it through the 2-week trial monitoring phase, and has been placed in full operation. It is ready for policies to be loaded based upon upper management recommendations.

This project was managed by T. Francis of Fiberhaus in cooperation with Ousmane Doukara of Excel Technologie. The lead field engineer was Mimoun Choukri of Fiberhaus and the domestic field engineer was Dmitri Ingov of Fiberhaus. The project was performed at the request of the Sotelma Director General.