
A common dilemma: Indiana's state government and educational system find the answer to their network security needs, facilitating the use of high-speed video, voice and data services for thousands of users.

The Indiana Telecommunications Network (ITN), managed and operated by the Indiana Higher Education Telecommunications System (IHETS), faces a common dilemma: how to provide first-rate net-world security services to a growing number of clients, despite a tight budget and limited state Recently, ITN settled on an integrated network-security solution to find a way out of its security-management dilemma. The secret to the network's success is simple: a combination of low cost and high performance.

"We were created exclusively to serve the state's public sector," says Tony McClelland, ITN senior state network engineer. "We provide direct network connections and a dedicated network infrastructure that allow our clients to avoid bandwidth or reliability problems associated with commercial Internet links." In addition, McClelland notes, ITN clients receive around-the-clock proactive network monitoring, help-desk assistance, and guaranteed service-response times.

For more than 35 years, IHETS has played a major role in advancing the state's high-technology agenda. In 1967, the Indiana State Legislature founded the state-funded, nonprofit consortium to provide efficient, low-cost telecommunications services to the state's higher-education sector. At the time, the system's goal was to create a multimedia telecommunications infrastructure linking Indiana's colleges and universities, and to lay the foundation for new distance- and remote-learning programs.

In the mid-1990s, IHETS, working with the Indiana Intelenet Commission, joined a partnership to create ITN, which includes the state library, the Department of Education and the state government-based Division of Information Technology. The goal was to consolidate the state's government and education networks, creating an infrastructure for high-speed video, voice and data services.

Intelenet administers the partnership and IHETS manages and operates the network. Today, ITN is the largest public-sector network in the state of Indiana, serving more than 1,900 end points. ITN provides IP-based data, voice and video services to hundreds of colleges and universities, public libraries, K-12 schools, state government and county extension offices, and other public institutions throughout Indiana. More public-sector clients continue to subscribe to ITN services every month, including approximately 300 new connections in the past year.

"We provide advanced network services to our clients, and those services must include the best security capabilities we can offer," says Dave King, IHETS executive director. "Today, our clients absolutely expect reliable, highly effective network security, yet they also expect us to provide the most cost-effective services."


According to King, however, the organization's success has been a mixed blessing. "We have an extremely diverse client base, from K-12 schools to government agencies, such as the Bureau of Motor Vehicles," King says. "This sort of diversity means that we have to be all things to all people, yet we have to accomplish that goal with typically limited resources." In addition, King notes, both IHETS and its ITN clients must address a growing list of technology objectives on a tight budget.

ITN clients generally focus on the day-to-day benefits of participating in the state network. Today, however, network security is one of ITN's highest priorities. "We've seen both the number and the sophistication of external attacks increase," McClelland says. "Some of these attacks aren't much of a threat, but others pose a significant risk to the network and to our clients."

According to McClelland, some ITN clients appreciate the value of robust network security, although they may not have an accurate concept of how or where the most serious attacks occur. "They may appreciate the importance of perimeter-security solutions, such as firewalls, without recognizing that some of the most dangerous security threats come from within the organization itself," he says. This includes cases where employees receive unauthorized access to sensitive data.

"We try to emphasize a holistic approach to network security, but it can be difficult--we're a nonprofit organization with a very limited ability to do education or outreach efforts."

In addition, many ITN clients, including K-12 schools and public libraries with limited resources and technical expertise, maintain a variety of perimeter security solutions that represent a significant management burden and may not provide the best-possible protection. "These firewalls don't always support IP voice or video services, and our clients' onsite technology coordinators may not want to spend time maintaining them," McClelland says. "Yet we can't manage the firewalls for them, because it would place an impossible burden on our engineering staff."


ITN's relationship with the Indiana Department of Health illustrates some of the challenges of building effective network-security solutions.

As the authority responsible for regulating the state's healthcare providers, tracking public-health information and supporting public health initiatives, the Department of Health routinely handles sensitive information, including patient medical records and clinical data. With the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this information became a significant source of concern to the Department of Health.

HIPAA dictates strict standards for protecting the privacy and confidentiality of patient data, including electronic data. As a result, when the Department of Health turned to ITN to upgrade the department's network services, security became a top priority--especially given the state of the department's network-security infrastructure at the time.

"In many cases, Department of Health offices accessed the network through unsecure DSL or cable connections, with little or no network security in place," McClelland says. "In addition to moving them over to our own dedicated T-1 links for network connectivity, we needed to get firewalls in place to secure their LANs and protect them from outside attack."

The resulting infrastructure upgrade, including 100 additional firewalls located throughout the state, could have stretched ITN resources to the breaking point. "The prospect of managing 100 firewalls on an individual basis would have been a logistical nightmare," McClelland says. "We can't hire another engineer just to manage firewalls."

After evaluating network-security options from several vendors, ITN implemented Cisco PIX firewall solutions for its Department of Health upgrade project. IHETS was already using Cisco routers and switches to link all 1,900-plus end points on the network.


For Shawn Solomon, senior network engineer, and his colleagues working on ITN, the decision to implement Cisco PIX firewalls was not merely a question of price and performance. The Cisco solution also enabled the IHETS team to take an automated, highly centralized approach to network-security management.

The key to this approach, according to McClelland, was the CiscoWorks VPN and Security Management Solution (VMS), which allowed ITN to manage its Cisco PIX firewalls, as well as the organization's Cisco routers and switches. The solution included the CiscoWorks Management Center for Firewalls, a set of Web-based tools to manage access rules, network-address translation, intrusion detection and other network-security components. It also includes the CiscoWorks Monitoring Center for Security, used to alert the ITN team to critical security events.

Enforcement of the security policies is accomplished by adding centralized management tools, with distributed security responsibility pushed to each component. "Using CiscoWorks VMS, one engineer can manage up to 1,000 firewalls and still perform other tasks," says McClelland. "In addition, once we had the software installed and logged the network end points, it took just a few hours to get VMS up and running."

According to McClelland, the security-management solution also enables ITN to maintain an open relationship with its clients. "Our clients' network administrators are generally a savvy bunch," he says. "They want to see what types of traffic their firewalls are blocking, and they want to study the raw log data. VMS allows me to e-mail the logs automatically when they want the data."

The VMS solution also allows McClelland to perform tasks such as updating each firewall's port-blocking configuration automatically, without addressing each firewall individually--a process that could take hours to do manually. "If I want to schedule an automatic update to take place in the middle of the night, I can do that," he says.


The Cisco solution also extends to the management of VPNs, a new but potentially important service for ITN clients. Today, the organization manages approximately 20 Cisco VPN clients for the Department of Health, mostly for department employees working from their homes. Although ITN currently manages these VPNs individually, Cisco management tools could play a role as more clients embrace the technology.

"We're not managing those through VMS yet, but we can do that as we see more VPN deployments," McClelland says. "It's really a matter of educating our clients. If they knew more about the benefits of using VPNs, they probably would."

Solomon says he also expects Cisco VPN technology to play a more prominent network-security role. "Our concept is to deliver a single (broadband) pipe to the county, which we then virtually divide using the VPN solution. That is proving to be a highly attractive proposition to the user base," he says. "This design allows each user group to enjoy the benefits of having its own network, without the issues of having to provide each user group with its own separate circuit."

According to McClelland, the network-security choices ITN makes today will have an impact on the organization's ability to provide cost-effective services to its customers in the future. The cost and complexity of managing firewalls, for example, could be a make-or-break issue for many of the organization's clients.

"If a client wants ITN to manage its network security, we will help them transition to a Cisco PIX firewall solution," McClelland says. "We did a business case for the firewall, and we can charge less than half of what (private-sector service providers) were doing in terms of the cost required to maintain the firewalls." ITN can, for example, charge just $200 a month for "bare bones" firewall management, while it might cost individual sites as much as $600 a month for the same level of separate service.

The ability to offer low-cost security services, McClelland notes, is especially important to Indiana's public-education sector, and in particular to K-12 schools. "Most schools and libraries don't have much money, but they still need this protection," he says.

As the Department of Health project illustrates, the best way to scale these types of low-cost services without sacrificing quality is to create a centralized network-management infrastructure. "Our greatest source of cost savings comes from personnel," McClelland says. "We expect to install up to 500 additional firewalls within the next year, and up to 1,000 within the next two years. Because of this technology, existing staff can easily maintain the network without adding new head count. As the technology takes off, current productivity increases and new resources can be deployed to other valuable activities."


McClelland suggests that many ITN clients may have to rethink their existing firewall solutions in order to take advantage of a new generation of IP video and voice services. Like many organizations today, ITN clients commonly use voice and video applications based on H.323, an audiovisual conferencing data protocol defined by the International Telecommunications Union. Such applications represent an important technology for the state's educational institutions, many of which provide distance-learning programs.

In addition, many Indiana public-sector institutions, like their private-sector counterparts, have also turned to videoconferencing as a cost-savings measure. "Our clients have discovered they can save even more money by conducting online meetings, as opposed to traveling," McClelland says.

This created another challenge for the IHETS staff as it evaluated different vendors' firewall solutions. "Many firewalls on the market today don't support H.323," McClelland says. "We needed a solution that would provide effective network security without sacrificing potentially important network services." The Cisco PIX firewall solves this dilemma by providing full support for H.323 voice and video services.

ITN also faces the task of protecting its clients from internal, as well as external, security threats, McClelland notes. A new generation of intrusion-detection systems (IDSs) will help ITN accomplish this goal, complementing existing perimeter security tools and enabling a defense-in-depth approach to network security. This approach means taking a coordinated, comprehensive view of network security, and using centralized management tools to help ensure all aspects of that security--from policies and procedures to installed security devices and software--actually protect information and applications.

"IDSs are right around the corner for us," McClelland says. "Once (companies) learn more about the technology, everyone is going to want IDS sensors on their networks." Once again, however, he notes that such systems could severely stretch the organization's resources unless it takes a centralized approach to network-security management.

"If I did IDS without a management system, I'd have to go in every day and look at each alarm event and evaluate the logs manually," McClelland says. "With a management system in place, it can send that information to one of my engineers automatically."

As a result, McClelland again cites the VMS solution as an important part of ITN's expansion plan. "VMS gives me the option of managing our IDS infrastructure and VPN clients off the same box," he says. "Right now, the management system for firewalls is valuable to me, and when we start to do IDS it will be even more valuable."

The future of ITN, McClelland adds, will depend on its ability to manage network security cost-effectively, without sacrificing either the advanced services its customers want or the protection that they need. "We can't afford to take a piecemeal approach to network security," he says. "Each of these components will play an important role, whether it's the firewall, IDS or VPN systems. As we continue to grow, we also have to rely on technology that will allow us to build an automated, extremely efficient security-management model."


Edward A. Stockey is the assistant director of research and development at the Indiana Higher Education Telecommunications System.
COPYRIGHT 2004 Nelson Publishing

Article Details
Author: Stockey, Edward A.
Publication: Communications News
Date: Mar 1, 2004