2007 Campus Technology Innovators: Network Management

• 08/01/07

TECHNOLOGY AREA: NETWORK MANAGEMENT
Innovator: Harvard Business School

Shaping internet traffic by understanding how a network is used

For years, the network at Harvard Business School (MA) was a typical open education environment that led to many distributed denial of service (DDoS) attacks, infected PCs, daily problem chasing and remediation, and an unacceptable risk of the school's data being accessed by unauthorized entities. The school's IT support teams spent around 50 hours a month addressing network concerns related to viruses and attacks, and for each instance that the network suffered, enduser productivity suffered as well.

The goal behind changes in the network management picture was to implement security measures that solved some of the fundamental problems around access and control, but to do it in a way where user impact was either undetectable or positive. The effort involved a series of sophisticated firewall technologies from Juniper Networks, plus top-notch antivirus and anti-spyware software from McAfee. It also incorporated PacketShaper technology from Packeteer—a combination hardware/software box designed to maximize application performance.

Analyzing application performance. According to John Arsneault, director of network operations, one of the keys to this project was an application performance audit. Often, when implementing security systems, organizations put up firewalls at the port level, guessing at which of the 130,000 ports need to stay open and which should be blocked. This leaves the end users frustrated and unable to access commonly used applications. In many cases, it also frustrates IT workers, since they can't figure out why applications aren't doing what they should.

HBS IT staffers used PacketShaper both to analyze which applications and processes were being used at layer 7 (the network layer that supports end-user processes), and then to map the appropriate services to ports. For 90 days, a team of IT staffers logged which applications were being used, and made sure to leave the ports used by those applications open; then they closed the rest. This not only allowed the team to gain a better sense of which services were being utilized, but it also allowed them to close most ports, confident that they were not going to be needed.

Network protection without service interruption. The result was a tougher, more reliable network. By embracing the new network, HBS has eradicated DDoS attacks, virus infections, and system vulnerabilities almost entirely. School officials also have reduced just about all illegal P2P traffic on the ISP connection. Result: Not only did the HBS IT group devise a security policy for the good of the school, it did so without interrupting the way the school community functioned. Unless students were to pick up this issue of Campus Technology, they would never know what had gone on behind the scenes to ensure their daily network usage was not disturbed.

Ultimately, all four of the school's user populations (faculty and staff, MBA students, executive education participants, and guests) benefited from the more reliable and secure network. Uptime improved as well: With the new firewall policy keeping out viruses and other dangers, HBS achieved 99 percent uptime. Other successes include reduced vulnerability to attack, and lowered ISP administrative costs. Perhaps most importantly, the school's 1.5 network engineers were able to return to focusing on other tasks.

Cost savings. There were other bonuses, too: Overall, Arsneault estimates the school has saved $220,000 per year due to reduced ISP expenses, decreased administrative and support costs, and reduced stress on network managers and support staff. Of course, the new network also has resulted in more productive end users across the board, since each machine that was infected had to be cleaned (and, often, reconfigured), a process which sometimes took about four hours a pop.

"Network security problems are still very widespread in education," Arsneault maintains. "This represents a new level of technology use within the education industry: Implementing security measures in a way where user impact is either undetectable or positive, is practically unheard of."