Networking & Security
When the School Network Is Shared
Securely sharing a network with the town where your district is located doesn't have to be a major undertaking. Chelmsford Public Schools in Massachusetts shows that all it takes is the right tools and the right attitude.
- By Dian Schaffhauser
The Town of Chelmsford, located 30 miles northwest of Boston, shares its network with Chelmsford Public Schools. The historic arrangement began when cable company Comcast came to the area promising to deliver FCC-mandated public, education, and government (PEG) access for television (and, later, for data) in exchange for the cable franchise. The shared setup, which ran on donated networking equipment, worked out fairly well for the first few years. The network infrastructure belonged to the town, whose one-man IT crew kept the network up and operating.
But the schools quickly found that their data demands were much greater than the town's, according to Bruce Forster, executive director of information and educational technology for the district. "The town had the network. The school had the need," he said.
By 2007 the relationship was beginning to fray. "We just couldn't coexist anymore," recalled Forster. "During March the town employees would watch basketball during the playoffs for March Madness on the network during lunch. The bandwidth would just dry up. We could tell when the latest episode of Survivor was on. Our network wouldn't work. It was completely impossible for us to do anything."
A New Backbone, a New Data Center, a New Set of Switches
Both sides came to the conclusion that they needed to work together to put in a data communications platform that could accommodate the growing networking needs of the district as well as the local government and library system. And it required the technical expertise of Forster's slightly larger crew to manage it. A new data center would be located in the district's offices. Each entity--town and district--would have a key to get in.
Chelmsford put in 21 miles of fiber optic cable connecting all the town buildings, the schools, and the libraries. At the same time, it put out a request for proposal for new switching solutions to outfit 22 separate locations, including nine K-12 sites, town offices, public safety offices, and two public library locations. The purchase would be considerable--more than 50 switches. Responses came from a variety of vendors.
"We were looking for something that would last 10 to 15 years," Forster said. "We were very focused on security being an integral part of the solution because this was a blended network between town and school. It had to be easily managed and deployed."
Forster compared the choices among vendors to buying a new automobile. "All cars have airbags," he said. "However, when you really start looking closely at automobiles, those autos with side airbags are much safer than vehicles with airbags in the steering wheels. The Enterasys switches were full of side airbags. They were built to add more airbags if they needed to. It was built into the switch as opposed to being applied to the switch. That was one of the first selling points."
The second selling point: the cost of service contracts. "A year's worth of service contracts for one of the companies would have cost me the same as hiring four teachers," he said. "It was a no-brainer. Enterasys didn't have that."
That's not to say that all Enterasys switches lack service contracts, he pointed out. The biggest switch in the data center--an Enterasys N-Series 7, which provides "the brains of the operations"--does have a service contract.
In fact, shortly after the installation, one of the switches--located at the high school--went down. An Enterasys technician showed up with a replacement switch under his arm and handed it over to Forster. The problem turned out not to be the switch. It involved electricity at the data center instead. "But that indicated to me that the company was focused on our pain points," Forster added.
The core switch bifurcates the network so that the town's traffic is handled on one portion of the fiber cable and the school traffic is handled on another. That prevents traffic from either side impacting network performance on the other. The only time they meet, he explained, is when students get into their My Documents folder, set up by the district, from the public library.
The district uses the Enterasys Intrusion Prevention System (also known as Dragon IPS) to manage the network and watch for anomalies, though most of the threats actually come from inside the schools. "Not that the kids are bad, but they're inquisitive," insisted Forster. "And not that the teachers aren't paying attention. They're trying to do good things. They just have no experience with corporate networking."
That means that if a student decides to share out a copy of some movie online, the IPS will detect the amount of bandwidth being consumed and generate an alert. IT will "turn on the 'data sphincter,'" said Forster, "and slow that traffic way down, and then we do the traditional thing of walking up behind somebody and tapping them on the shoulder."
But here's where a school district network differs from the corporate operation: Sometimes when Forster discovers that a huge number of users at a particular middle school is on shopping channels, he doesn't jump to the conclusion that because it's Thanksgiving, people are goofing off and shopping. "It's because in math curriculum, in the seventh grade, everybody is given a thousand virtual dollars, and they're out there putting it to use. Now what we can do is understand these anomalies and match them against the curriculum."
Likewise, if high schoolers are visiting hate sites or child trafficking sites, said Forster, "I know what switch that's coming from, and I know my buildings, and I know that's in the social studies department. I know the chairman of the social studies department. I can give him a quick call and see what they're studying that week. Then we can slow down traffic where kids are looking up information about saving whales and allocate more bandwidth to the topic that matters." That quality of service is handled by Cymphonix.
Getting the District out of the Computer Resale Business
Slowly, the district is also introducing Enterasys' network access control product because, said Forster, it needs to get out of the "resale business." "I can't keep buying $400,000 worth of desktops," he explained. "My budget has dried up."
To address an aging population of computers--half are at least six years old--he's pursuing two routes. One is to move to Citrix XenDesktop; the other is to allow students to provide their own devices.
Citrix XenDesktop allows administrators to download an image from the server to a thin client, thereby offering several advantages: By being able to use terminal computers, the district will reduce the expense of higher-priced desktops or laptops. The program will be able to deliver a given application to whatever device the user is logged into, which means parents won't have to buy district software to run on their home computers.
Plus, the use of a virtual desktop will reduce software expense by allowing the district to buy a limited number of licenses for simultaneous use rather than licenses for every computer owned by the district. "I have 2,000 copies of PowerPoint. How many are being used at any given time? Probably about 12," Forster said. "But I'm paying for 2,000. If I move to the Citrix solution, I don't have to buy all that. When I move from Office 2003 to 2007, I'm just going to buy 100 copies of PowerPoint and see what happens. My software costs are going to go right down."
Also, he pointed out, he can buy them under a capital improvement expenditure. "A regular computer has moving parts and it's only good for a few years. A thin client has no moving parts." Likewise, "because there's no computing happening on the devices--all they're doing is resolving images on the server--I expect to get eight to 10 years on them," Forster said.
Currently, the district has 200 concurrent XenDesktop accounts running; by the summertime, Forster said, he expects that to grow by 300. The town is also committed to thin computing and is looking to be running a thousand concurrent accounts in three years. By that time, the area will have a new wireless infrastructure in place as well, Forster predicted.
He said he's also looking forward to the day when students can supply their own devices. The network access control program will allow the student to be authenticated on the network, whether he or she is in school or at home, and will also ensure that any device tapping into the network has current anti-virus software loaded on it.
"In many respects, I'm building my own little cloud here," said Forster. "And then I'm allowing my users to use whatever access device they want--because I'm not really interested in controlling that."
But the new approach won't minimize security concerns, Forster said. Currently, teachers are allowed to download content to their home computers. As of mid-March, when a Massachusetts security breach compliance law called 201 CMR 17.00 goes into effect, that will change. "It's one of the most stringent personal information laws in effect in the country," he explained. "If there's a data breach, it'll cost me for each violation. If I have a teacher lose a thumbdrive, with 6,000 kids, there goes my budget for the next five years. People have no concept of how expensive and dangerous this is."
The challenge, according to Forster, is that the more access students, teachers, and staff have to information, "the easier it is for that information to be handled capriciously. There's no switch on the face of this earth that can stop that. It's going to be human beings and training and getting people to recognize the dangers of having the data."
What Forster doesn't worry about is the joint responsibility he and his colleagues on the town side have for maintaining the network. Surprisingly, there's nothing formal about the arrangement--no governance model, no policies, no procedures. "They have a key. I have a key," he said. "It's in everybody's interest that we all work together."