We have carefully considered the number of services required at the core of the network and streamlined these to provide essential services only. This has been carefully balanced so as not to degrade the integrity of the network, whilst keeping it secure and enabling a better user experience. Under the BLN3 contract we have also reduced the number of suppliers in the supply chain from 3 down to 2, namely Virgin Media and Smoothwall. This will further reduce the complexity of the customer service experience and the logging of support calls.
At the core of the network we have 2 Palo Alto 5050 firewalls with 10Gb throughput (5Gb in and 5Gb out). These are in place to protect the core of the network from potentially harmful traffic coming into the BLN network from the world wide web. They are managed by Virgin Media and are housed in a data centre located in Bradford. The 2 firewalls work in active/passive mode for resilience.
There are 2 Infoblox DNS servers at the core of the network, housed in the Bradford data centre, that manage all BLN3 internal DNS queries. Infoblox is a product developed by Nebulas; however, Virgin Media provide the first- and second-line support on these products. Schools who complete the relevant DNS portal training will be able to make their own DNS changes without logging any calls with a service desk, should they prefer.
The DNS servers also protect the network from external threats such as DDoS attacks. The other threats that the servers protect against are as follows:
- DNS reflection/DrDoS
- DNS Amplification
- DNS-based exploits
- TCP/UDP/ICMP floods
- DNS cache poisoning
- Protocol anomalies
- DNS Tunneling
All schools should still ensure all local devices are protected with antivirus / anti-spam software.
Connections out to the Internet
We have a 3Gb Virgin Media connection (MIA), out to the internet from the core of the network. This is monitored to make sure that it is providing optimum throughput traffic volumes. There is also a 3Gb failover connection should a fault occur on the MIA.
All schools will be given a unique public IP address out to the internet from the BLN range. This address is then NATed through the Smoothwall to your external services. This minimises the need for additional external firewall changes every time a new service is added or changed. If you are a bridged site or require a separate IP address for a particular service, this will be accommodated.