Official InteropNet 2008 Backbone and Security Provider

There is nothing more important than our customers.


Executive Summary

Enterasys® is proud of our performance as the official InteropNet 2008 backbone and security provider, delivering 100% availability with centralized visibility and control. 2008 saw the largest number of solution providers in the history of the program respond to the RFP to be an official supplier for InteropNet. This was the first time that InteropNet had no firewall* for the Class A network (a /8, roughly 16 million IP addresses), which highlighted the strength of Enterasys' policy features. This was also the first time that a single vendor supplied both the network backbone and security infrastructure. Here are some quick highlights:

•NetSight® and Dragon® software managed and secured open access to the Internet. InteropNet featured the Enterasys SecureStack™ C-Series, D-Series, G-Series, Matrix® N-Series and X-Series switches and routers, prioritizing and protecting the world’s largest temporary network.

• 26 racks with Enterasys equipment supported 1,830 wired connections, over 30,000 IP addresses and more than 9,000 MAC addresses.

• Over 43,000 internal and external active hosts were using InteropNet on the second day of the show... more than 18,000 at any one time.

• With over 1.4 million daily attacks on InteropNet, intrusion detection and prevention products, along with Enterasys' embedded policy capabilities in the switches, protected the Interop vendors and users from attackers and from each other. Dragon Security Command Console (DSCC) assisted with the identification and remediation of attackers, and produced daily reports of the top assets targeted for attack based on magnitude of impact, as well as the top 10 sources of attacks.

• Enterasys Network Access Control (NAC) authenticated and provisioned role-based access for more than 1,000 Interop systems.

• One exhibiting vendor initiated an attack against the InteropNet backbone as part of their demo. Enterasys pinpointed the source and throttled the attack bandwidth. The vendor commented that this was the first time they had ever been caught using their attack tools.

The following whitepaper is designed to share some additional insight and details into Enterasys’ support for InteropNet 2008.

The Requirements

In February 2008, Enterasys announced that it had been selected, from a large complement of competitive proposals, as the official InteropNet 2008 backbone and security provider for Interop Las Vegas & New York.

“2008 saw the largest number of solution providers in the history of the program apply to be an official supplier for InteropNet,” said Lenny Heymann, General Manager for Interop. “We are confident in our choice to partner with Enterasys based on their standards-based, open-architecture interoperability and embedded security capabilities.”


At-a-Glance

Benefits

• Enterasys was selected to provide LAN, WAN and Security

• InteropNet experienced 100% network up-time

• Enterasys network policies ensured InteropNet core services were only provided by the core

• Security events were quickly located and isolated, limiting the event's scope

InteropNet

• 26 racks with Enterasys equipment supported 1,830 wired connections

• WAN capacity of 180 Mbps experienced:

– Peak traffic loads of 160 Mbps

– 95 Mbps of sustained traffic

• 43,000 active hosts (internal and external) were monitored using InteropNet in a single day

• 9,000+ MAC addresses secured

• Enterasys Dragon discovered:

– A worm on a desktop in a show booth; the vendor did not realize the system was infected

– An Internet scan masquerading as a botnet, correlated to a single IP address and located

– An exhibiting vendor accidentally initiated an attack against the InteropNet backbone as part of a demo gone astray

• Enterasys pinpointed the source of security events and throttled the event bandwidth via network policies

• Dragon Security Command Console produced daily reports of the top assets targeted for attack based on magnitude of impact, and the top 10 sources of attacks

*Note: Enterasys recommends use of an enterprise firewall in most deployments


Enterasys networking and security solutions would be required to provide reliable, high-speed networking services for exhibitors, conference rooms, speaking sessions, iLabs, and attendees. Dozens of InteropNet volunteers would build and manage the world’s largest, non-governmental, temporary network, connecting thousands of attendees and hundreds of exhibitors using VoIP and virtualization technologies. Proactive security protection measures would need to provide open access to the Internet while preventing threats and vulnerabilities from impacting Interop operations. InteropNet needed to be simple, stable and secure.

InteropNet would provide Enterasys with a highly visible opportunity to demonstrate its convergence, compliance and connectivity solution strengths. IP telephony and virtualization technologies needed to be discovered, classified, prioritized and secured. Proactive security policies needed to automatically sense and respond to infrastructure threats at Gigabit and 10 Gigabit Ethernet speeds, leveraging Dragon Security Information and Event Management (SIEM), Network Behavioral Analysis (NBA), Intrusion Detection/Prevention (IDP), and Network Access Control (NAC) technologies. Security needed to be everywhere, built in to all access, distribution and core connections, leveraging high-availability Enterasys Matrix and SecureStack networking equipment.

Unlike traditional technology-oriented port and VLAN ACL-based methods, InteropNet volunteers would not need to configure role-based privileges on a box-by-box basis using complex CLI commands. An intuitive NetSight GUI would enable InteropNet NOC staff to define the policies once, and regardless of the number of moves, adds or changes throughout the event, have those user and application policies enforced automatically across the entire network.

Getting Started

It has long been the mantra of industry that when designing a product or bidding a job, you are asked to pick from the following three attributes: cost, quality, and speed. You are told that you can pick any two, but not all three. So which one of the three will you sacrifice? When Interop chose Enterasys to be the official network and security provider for Interop 2008, all three were not only delivered; expectations were exceeded.

InteropNet is the “perfect storm” combination of some of the most challenging network situations any network operations team would hesitate to tackle. Each year it is designed in concert with a core team of engineers and vendors selected through a competitive RFP process. The design and hot stage implementation take place in a very short window of time, and then the network is placed into production to support the Interop tradeshow. Part enterprise, part university, part ISP by design – InteropNet must deliver 100% reliability. In addition to the basic goal of 100% uptime, it is also to demonstrate interoperability of several new technologies among the show participants.

InteropNet plays a critical role in the success of the Interop tradeshow. Availability is best achieved by applying equal parts of visibility and control. Knowing which end-points are participating on the network, where they are located, and how they are participating is important to operating the world's largest part-time network. Control is best achieved by leveraging identity-based access controls in the infrastructure, an area in which Enterasys has more than 12 years' experience.

Enterasys delivered a solution for InteropNet 2008 Las Vegas that holistically integrated security and availability throughout the entire network infrastructure. This provided Interop show volunteers a network with a level of visibility and security, according to NOC staff, that has never before been achieved. The network was implemented in record time; delivered a high-quality experience for the volunteer engineers and show attendees; optimized daily operations; and the design was cost-effective to implement.

The Challenge

Design and implement an enterprise network with a diverse set of engineers from around the world, none of whom are familiar with the particular products involved. Use no firewalls and allow open access to show attendees, yet protect key infrastructure assets and remain highly available. Sounds like a very tall order, but InteropNet had the Enterasys advantage.

That advantage starts with the Secure Networks™ architecture. Enterasys Secure Networks embed identity-based priority and security for users and applications. The standards-based open architecture interoperates with multiple vendors, while proactively protecting voice, video and data communications through “what you need is what you get” role-based policies.

Initially there was a lot of practical skepticism among the InteropNet volunteers: they were familiar with other vendors and had little to no experience with Enterasys people or technologies. What the InteropNet volunteers soon discovered is that everything they knew about the planning, design, implementation and operation of networks could be applied in an Enterasys environment. CLI commands were familiar and traditional design principles could be leveraged. It was through Enterasys product advantages and the Enterasys NetSight management software suite, however, that the volunteers began to experience the operational efficiencies of an Enterasys network. Location tables detailed the IP-to-ID mappings with booth numbers and exhibitor names to ease troubleshooting and improve help desk response time. Move/add/change activities were automated, and new QoS or security privileges could be implemented throughout the entire network in a matter of seconds. Enterasys dedicated an experienced and effective team of highly skilled engineers to work side by side with the InteropNet volunteers to leverage the advanced management, priority and security functionality embedded in the Enterasys backbone network infrastructure. Short hands-on informational sessions allowed the InteropNet volunteers to provision the show network in record time. InteropNet was fully operational two days ahead of schedule; Enterasys was the first vendor to achieve that goal in recent years.


According to one senior InteropNet NOC staffer: "After 2 days into the show with zero network outages or major problems, I started to get very nervous. Over the years, we have always seen major issues with the show network and we fully expected this pattern to continue. The preparedness of the Enterasys team coupled with outstanding technology resulted in one of the best show networks we've ever built and managed. To our delight, with just half a day left, we have had no issues!!!" – Bill Jensen, Troubleshooting Lead, InteropNet

The Network

Products from the entire Enterasys catalogue were used throughout the InteropNet network. The network implemented a best-practice design with core, distribution and edge tiers. In addition to connectivity, Enterasys leveraged its NetSight management suite to manage its network devices and provide visibility into the network operations layer. All of the Enterasys infrastructure products were polled and managed by third-party management systems selected by InteropNet to provide specific functionality. This was possible due to Enterasys' broad adoption and implementation of industry standards throughout the product line.

Below is a logical diagram of the InteropNet design. Deployed in 26 connectivity pedestals, InteropNet supported over 40,000 connections throughout Interop Las Vegas 2008.

[Figure: Logical diagram of InteropNet Las Vegas 2008. Core: Matrix X-Series routers, one pair at the Qwest co-location facilities and one pair at the show facilities, with Internet connectivity via Qwest. Distribution: Matrix N-Series switches, and G-Series switches serving the physical servers, virtual servers and VMware ESX blade chassis, plus the NetSight management server, NAC, Dragon SIEM and Dragon IDP/NBA sensors. Edge: SecureStack A, B and C-Series switches in two groups of closets (10 and 16) on and off the show floor; D-Series switches on 9 iLabs tables. End-points: HD media systems, VoIP phones, laptops and IP video cameras across 500+ booths. Applications supported: PCs and laptops, IP video surveillance, high-definition IP video conferencing, productivity applications (web, email, etc.) and voice over IP.]

Network Core

Enterasys supplied InteropNet with a pair of Matrix X-Series core routers to consolidate network connectivity, consolidate the Class A address space and connect InteropNet to the Internet, as well as a second pair at the ISP co-location facilities using gigabit links. The Matrix X-Series chassis provided a stable, distributed core – capable of balancing Internet connectivity across multiple ISP co-location facilities.

The Matrix X-Series core routers were configured fully redundantly, implementing the BGP and OSPF routing protocols to keep routes available should a failure occur. The Matrix X-Series routers were configured with dual controller modules, which provided high-availability, run-time firmware upgrade/downgrade functionality. This allowed patches to be applied to the routers without loss of connectivity or services.


2008 would be very different from previous years. It was the first year in more than a decade that InteropNet would operate without a firewall in the core. Enterasys engineers logged over 1.4 million scan and attack attempts from Internet hosts in any 24-hour period during the show. Using industry best practices, the Interop team implemented dark routes (null routes for the unallocated parts of the address space, so that scans of unused addresses were discarded at the core) and wire-speed access control lists (ACLs) to contain these scans without affecting routing performance or users of the InteropNet. These router best practices reduced Internet-based attack volume by more than 85%, improving the bandwidth available for the show.

Distribution Layer

InteropNet leveraged the Matrix N-Series to consolidate network edge connectivity and provide LAN services to the InteropNet data center (NOC). The Matrix N-Series implemented a number of Secure Networks features to prioritize application traffic for voice over IP (VoIP), high-definition video streams and network management protocols (SNMP), and to ensure that NOC services were sourced only from NOC equipment.

Similar to the network core, the Matrix N-Series switches were deployed in redundant configurations and implemented industry-standard VRRP and OSPF to reliably deliver IP services. Dual gigabit connections from the distribution layer to the network edge were configured with industry-standard rapid spanning tree (IEEE 802.1w). Flow-setup throttling was leveraged in the core to provide bandwidth management and maintain connectivity during high utilization.

The InteropNet team and network analysis providers were able to leverage NetFlow feeds from the Matrix N-Series switches, which provided NetFlow versions 5 & 9 to NetFlow collectors at wire speed without packet sampling. Unsampled NetFlow data from all the gigabit interfaces provided valuable insight to traffic patterns on InteropNet.

Enterasys also introduced the G-Series modular switching platform. The G-Series was leveraged in the data center to provide connectivity for two racks of server hardware. The Matrix N3 and the G-Series leveraged role-based policies to provide QoS profiles for media servers and access controls for all servers.

Virtualization was a focus area at the Interop tradeshow, and was a key application in the InteropNet data center. The mandate from InteropNet staff was to virtualize every application possible. Enterasys contributed a virtual machine running NetSight management software to manage the Enterasys deployment. To connect the VMware ESX blade server chassis, InteropNet used four gigabit ports on the Enterasys Matrix N3 switch.

Just as VMware has virtualized the server environment, Enterasys virtualized the switch port. The VMware ESX server had just four physical gigabit Ethernet connections, but each connection carried a number of virtual servers, each with its own IP address and switching requirements. InteropNet leveraged a key feature of the Matrix N-Series: multi-user role-based access control. The Matrix N-Series was configured to provide discrete network access for a maximum of 256 virtual machines on each gigabit port. This allowed the QoS profiles established in the VMware environment to be applied throughout the physical network environment. Combined with centralized network access control (NAC), virtual machines consistently received the services they required from the network.


Edge Connectivity – Security – Visibility

Enterasys supplied the SecureStack C-Series switches with power over Ethernet (PoE) to supply gigabit connectivity to each vendor's booth, the WLAN access points, VoIP phones and IP cameras used in the show. Every port was configured to authenticate each system attaching and to provision a network access role based on that system's role in the network. For example, each IP phone was known and provisioned to a VoIP phone role, while wireless access points received a WLAN role. Systems that were not known were provisioned a "show floor" role.

Role-based policies simplified the management of access and prioritization schemas, allowing the VoIP telephones deployed in each network rack to consistently receive services. The WLAN role provisioned network peering with that vendor's access points, but ensured that WiFi users could not supply the network with services that are provided by the NOC. For example, the critical network services for DHCP, DNS, default gateways and router peering points were automatically protected from any accidental misconfiguration or improper installation of networking equipment in vendor booths. A similar set of access controls was provisioned for the show floor role.

One of the largest measures of success was the ability of each user to get an IP address. In past years, one of every three help desk trouble tickets was related to IP addressing problems according to InteropNet team lead Geoff Horne at the pre-planning meeting. The Enterasys policy applied at the network edge prevented rogue DHCP servers injecting false DHCP offers onto the InteropNet, yet allowed each end-system to readily obtain an IP address via InteropNet DHCP servers and participate on the network. No DHCP-related trouble tickets were issued for InteropNet 2008 thanks to Enterasys proactive protection policies.
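The edge policy described above, as an added example that is not Enterasys code or NetSight policy syntax: a small first-match, role-based rule evaluator in Python. The role names, rule tables and sample packets are constructed for illustration. What it shows is the difference between the open "show floor" posture (permit everything except sourcing NOC services such as DHCP offers, DNS answers and routing protocols) and the "what you need is what you get" VoIP phone posture (permit only DHCP client, DNS, SIP and RTP, then deny), and why a rogue DHCP server in a booth never gets an offer onto the wire while the same booth's DHCP discover goes through.

```python
"""Role-based edge policy evaluator (added illustration, not Enterasys code).

Each ingress port carries a role; each role has an ordered rule list that is
evaluated first-match, with an implicit deny at the end. Role names, rule
tables and packet fields are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp", "tcp", "ospf", "vrrp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "*"                # "*" matches any protocol
    src: PortRange = None           # inclusive source-port range, None = any
    dst: PortRange = None           # inclusive destination-port range, None = any
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        def in_range(rng: PortRange, port: Optional[int]) -> bool:
            return rng is None or (port is not None and rng[0] <= port <= rng[1])
        return ((self.proto == "*" or self.proto == pkt.proto)
                and in_range(self.src, pkt.src_port)
                and in_range(self.dst, pkt.dst_port))


# Services only the NOC may *source*; denied as ingress from every non-NOC role.
NOC_ONLY_SOURCES = [
    Rule("deny", "udp", src=(67, 67), note="DHCP offer/ack from booth"),
    Rule("deny", "udp", src=(53, 53), note="DNS answer from booth"),
    Rule("deny", "ospf", note="rogue router peering"),
    Rule("deny", "vrrp", note="rogue default gateway"),
]

ROLE_RULES = {
    # Unknown systems: open Internet access, minus the NOC-only services.
    "show_floor": NOC_ONLY_SOURCES + [Rule("permit", note="open access")],
    # Exhibitor access points: same posture; WiFi users cannot serve DHCP/DNS.
    "wlan_ap": NOC_ONLY_SOURCES + [Rule("permit", note="open access")],
    # Phones get exactly what they need and nothing else (explicit final deny).
    "voip_phone": [
        Rule("permit", "udp", src=(68, 68), dst=(67, 67), note="DHCP client"),
        Rule("permit", "udp", dst=(53, 53), note="DNS lookup"),
        Rule("permit", "udp", dst=(5060, 5060), note="SIP signalling"),
        Rule("permit", "udp", dst=(16384, 32767), note="RTP media"),
        Rule("deny", note="everything else"),
    ],
}


def evaluate(role: str, pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation of the role's rule list; implicit deny if nothing matches."""
    for rule in ROLE_RULES[role]:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "implicit deny"


# Constructed sample traffic, as the edge switch would classify it on ingress.
SAMPLES: List[Tuple[str, Packet]] = [
    ("show_floor", Packet("udp", 68, 67)),      # booth PC asks for an address
    ("show_floor", Packet("udp", 67, 68)),      # rogue DHCP server in a booth
    ("show_floor", Packet("tcp", 51000, 80)),   # ordinary web browsing
    ("wlan_ap",    Packet("ospf")),             # mis-configured AP or router
    ("voip_phone", Packet("udp", 5060, 5060)),  # SIP registration
    ("voip_phone", Packet("tcp", 49000, 445)),  # phone trying SMB: not its job
]


def audit() -> List[Tuple[str, str, Optional[int], Optional[int], str, str]]:
    """Evaluate every sample and return (role, proto, sport, dport, action, note) rows."""
    return [(role, pkt.proto, pkt.src_port, pkt.dst_port, *evaluate(role, pkt))
            for role, pkt in SAMPLES]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Running it prints the six audit rows: the booth DHCP discover is permitted, the rogue DHCP offer from the same role is dropped, the access point's OSPF hello is dropped, and the phone gets SIP but not SMB. Because the rule lists are per role rather than per port, a move, add or change only has to assign the right role to the new port.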

Enterasys leveraged InteropNet to introduce the new D-Series switching platform. In the InteropNet NOC, there is a requirement for desktop switches to fan out connectivity. The devices on the table tops ranged from laptops and VoIP phones to IP cameras and media systems. The D-Series was able to provide role-based policies and IEEE 802.3af power over Ethernet Class 3 support across each of its 12 ports of 10/100/1000 Ethernet. This simplified the deployment of devices: just plug in to any port, and the network automatically sensed and applied quality of service (QoS) and other controls based on end-point requirements.

Management and Security

To manage the Enterasys backbone infrastructure devices and provide security insight, InteropNet leveraged the Enterasys NetSight management suite, Enterasys NAC, and Dragon distributed intrusion prevention products. Leveraging Secure Networks features, each system shared information not only among the Enterasys software solutions, but also with other InteropNet management systems. The result was a level of visibility never before experienced by the InteropNet show team.

Enterasys NetSight provided a centralized visibility and control point for management of the Enterasys LAN/WAN infrastructure components. It also provided a centralized database for the Enterasys Network Access Control (NAC) systems. Each show media end-point (VoIP and video over IP) was provided a role-based access profile for QoS provisioning. Leveraging the centralized database, Enterasys NAC Manager could accurately show the diversity of systems accessing InteropNet and where they were located.


Delivering visibility is important for reducing the effect of systems that negatively impact the network. NetSight Automated Security Manager leveraged the NAC database and network end-point discovery to accurately locate systems on demand or in response to a network security event. This allowed help desk staff to reduce the time to resolve issues with particular end-points.

Visibility into network end-point behavior was managed by Enterasys Dragon Security Command Console, and the deployment of Network Behavioral Analysis sensors and Distributed Intrusion Prevention sensors. Network Behavioral Analysis sensors were distributed at the network distribution layer and collected information for each end-point on the network. Network traffic was also inspected by the Dragon Intrusion Prevention Sensors monitoring the same traffic feeds. Information from the Network Behavioral Analysis sensors and the Intrusion Prevention sensors was aggregated into the Dragon Security Command Console security information manager where advanced analysis and correlation was performed.

The Dragon Security Command Console provided InteropNet with an industry-leading security information and event management (SIEM) console that normalized information from the sensors to provide actionable information prioritized by severity of impact. By reducing the raw event feeds to actionable information, Enterasys' Dragon Security Command Console provided visibility into end-point security events and network utilization.
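The scan containment in the core (dark routes for unallocated address space), the unsampled NetFlow feeds from the N-Series, and the DSCC daily "top sources of attacks" and "top assets targeted" reports together suggest the following added example, which is not Enterasys or Dragon code: a Python pass over NetFlow v5-style records that scores external sources as scanners and ranks the internal assets they probed by how many distinct scanners touched them. The records, the threshold and the address blocks are constructed (RFC 5737 documentation addresses stand in for the show's /8 and for its unallocated "dark" space); the one NetFlow fact it relies on is that v5 exports the cumulative OR of each flow's TCP flags, so a one-packet flow whose flags are only SYN never completed a handshake.

```python
"""Top attack sources / most targeted assets from NetFlow-style records.

Added illustration, not Dragon or NetSight code. Address blocks, threshold,
record format and sample flows are constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

SYN = 0x02  # TCP SYN bit in the cumulative flags field NetFlow v5 exports


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int
    tcp_flags: int

# Constructed stand-ins: the show's address block and the unallocated ("dark")
# part of it that the core null-routes. Nothing legitimate ever talks to DARK_NET.
SHOW_NET = ip_network("203.0.113.0/24")
DARK_NET = ip_network("203.0.113.128/25")
SCAN_TARGET_THRESHOLD = 8   # distinct (dst, port) pairs before a source counts as a scanner


def is_probe(f: Flow) -> bool:
    """A probe is a one-packet SYN-only flow (no handshake) or any flow into dark space."""
    return (f.packets == 1 and f.tcp_flags == SYN) or ip_address(f.dst) in DARK_NET


def analyse(flows: List[Flow]) -> Tuple[List[Tuple[str, int, int]], List[Tuple[str, int]]]:
    """Return (top attack sources, top targeted assets) for one day's flow records."""
    targets: Dict[str, set] = defaultdict(set)   # src -> {(dst, dport)} over probe flows
    dark_hits: Counter = Counter()                # src -> number of probes into dark space
    for f in flows:
        if ip_address(f.src) in SHOW_NET:
            continue                              # internal sources: out of scope here
        if not is_probe(f):
            continue
        targets[f.src].add((f.dst, f.dport))
        if ip_address(f.dst) in DARK_NET:
            dark_hits[f.src] += 1
    # A scanner fans out across many targets, or touches space that no host uses.
    # A couple of failed connects from one client is normal and is not flagged.
    scanners = [s for s, t in targets.items()
                if len(t) >= SCAN_TARGET_THRESHOLD or dark_hits[s] > 0]
    top_sources = sorted(((s, len(targets[s]), dark_hits[s]) for s in scanners),
                         key=lambda r: (-r[1], ip_address(r[0])))[:10]
    # Impact of an asset = number of distinct scanners that probed it (dark space excluded).
    impact: Dict[str, set] = defaultdict(set)
    for s in scanners:
        for dst, _ in targets[s]:
            if ip_address(dst) in SHOW_NET and ip_address(dst) not in DARK_NET:
                impact[dst].add(s)
    top_assets = [(dst, len(srcs)) for dst, srcs in
                  sorted(impact.items(), key=lambda kv: (-len(kv[1]), ip_address(kv[0])))][:10]
    return top_sources, top_assets


# Constructed sample day: one port-445 sweep, one probe of dark space, one real
# web session, one client with two failed connects, and one internal flow.
SAMPLE_FLOWS: List[Flow] = (
    [Flow("198.51.100.7", f"203.0.113.{i}", 445, 1, SYN) for i in range(1, 13)]
    + [Flow("198.51.100.9", f"203.0.113.{i}", 22, 1, SYN) for i in (200, 201, 202)]
    + [Flow("192.0.2.44", "203.0.113.5", 80, 40, 0x1b),
       Flow("192.0.2.45", "203.0.113.5", 443, 1, SYN),
       Flow("192.0.2.45", "203.0.113.6", 443, 1, SYN),
       Flow("203.0.113.50", "203.0.113.7", 445, 1, SYN)]
)

if __name__ == "__main__":
    sources, assets = analyse(SAMPLE_FLOWS)
    print("Top attack sources (src, distinct targets, dark-space hits):")
    for row in sources:
        print("  ", row)
    print("Top targeted assets (asset, distinct scanners):")
    for row in assets:
        print("  ", row)
```

The dark-space test is the cheap, high-confidence signal: because nothing is allocated there, a single flow into it identifies a scanner without any threshold, which is what makes null-routing unused space useful for detection as well as for dropping the traffic. The fan-out threshold catches sweeps of allocated space, and ranking assets by distinct scanners rather than raw flow count keeps one noisy source from dominating the "most targeted" list.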

Realized

Partnering with Enterasys, InteropNet staff realized several gains. Implementing quality of service (QoS) for media devices and role-based access controls was made easy by leveraging NetSight Policy Manager. Changes to QoS or access profiles were validated in the application and took just one minute to deploy across the entire network. This greatly simplified deployment changes and accelerated deployment testing.

The time to locate systems during troubleshooting was fast and accurate. During testing before the show, the show staff would ask “where is this IP address” – a response seconds later provided not only the switch number and port, but also the closet, booth exhibitor the port served and cable drop information. This level of accuracy provided great visibility into the location of systems on the network and accelerated troubleshooting and resolution times by an order of magnitude.

“ The Enterasys people are above par, dedicated professionals who stepped up to the plate and worked well with the rest of the InteropNet volunteers to achieve our goals of keeping InteropNet simple, stable and secure. I experienced first-hand the great value of Enterasys gear as it quickly and easily located every device and user on the network. I have never had such visibility in all the years I have worked on InteropNet.” – Geoff Horne, InteropNet Lead Engineer

The ability to locate systems quickly provided a great benefit during show operation. There were a number of isolated incidents where a system was discovered to be infected with a worm, participating in a botnet or aggressively scanning the network. Dragon Security Command Console's ability to summarize all the event information into a single recommended-action view helped the InteropNet help desk staff make critical decisions to either isolate the end-point or inform the owner. Event intelligence, location awareness and pin-point controls, all delivered in an easy-to-understand interface, were a key component in producing a happy help desk and delivering a great show experience for all.

Contact Us

© 2008 Enterasys Networks, Inc. All rights reserved. Enterasys is a registered trademark. Secure Networks is a trademark of Enterasys Networks. All other products or services referenced herein are identified by the trademarks or service marks of their respective companies or organizations. NOTE: Enterasys Networks reserves the right to change specifications without notice. Please contact your representative to confirm current specifications.

06/08 Delivering on our promises. On-time. On-budget.

For more information, call Enterasys Networks toll free at 1-877-801-7082 or +1-978-684-1000, and visit us on the Web at enterasys.com