2007 Campus Technology Innovators: Network Management
TECHNOLOGY AREA: NETWORK MANAGEMENT
Innovator: Harvard Business School
Shaping internet traffic by understanding how a network is used
For years, the network at Harvard Business School (MA)
was a typical open education environment that led to many
distributed denial of service (DDoS) attacks, infected PCs,
daily problem chasing and remediation, and an unacceptable
risk of the school's data being accessed by unauthorized entities.
The school's IT support teams spent around 50 hours a
month addressing network concerns related to viruses and
attacks, and every time the network suffered an incident, end-user
productivity suffered as well.
HBS Director of Network Operations John Arsneault
The goal behind changes in the network management picture
was to implement security measures that solved some of the
fundamental problems around access and control, but to do it
in a way where user impact was either undetectable or positive.
The effort involved a series of sophisticated firewall technologies
from Juniper Networks, plus top-notch
antivirus and anti-spyware software from McAfee. It also incorporated PacketShaper technology from Packeteer—a combination hardware/software
box designed to maximize application performance.
Analyzing application performance. According to
John Arsneault, director of network operations, one of the
keys to this project was an application performance audit.
Often, when implementing security systems, organizations put
up firewalls at the port level, guessing at which of the roughly
131,000 ports (65,536 TCP and 65,536 UDP) need to stay open and
which should be blocked. This leaves the end users frustrated and
unable to access commonly used applications. In many cases, it also
frustrates IT workers, since they can't figure out why applications
aren't doing what they should.
HBS IT staffers used PacketShaper both to analyze which
applications and processes were being used at layer 7 (the
application layer of the OSI model, where end-user applications and
their protocols are visible rather than just port numbers), and then to
map the appropriate services to ports. For 90 days, a team of IT staffers logged which applications were being used, and
made sure to leave the ports used by those applications
open; then they closed the rest. This not only allowed the
team to gain a better sense of which services were being
utilized, but it also allowed them to close most ports, confident
that they were not going to be needed.
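The audit described above is a baseline-then-allowlist procedure: observe classified traffic for a fixed window, allow the destination ports that real applications used, deny everything else by default. The script below is an added example, not code from HBS, Packeteer or Juniper; it assumes flow records that a layer-7 classifier has already labelled with an application name (the sample records, the `DENY_APPS` set and the rule syntax it emits are all constructed for illustration). It also shows two checks a practitioner would want that the article only implies: a service seen on a single day is treated as noise rather than a needed port, and an application the school intends to block (P2P here) is never allowed just because it was observed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample, not real HBS traffic. One record per classified flow:
# (day observed, transport protocol, destination port, application label).
# Source ports are deliberately omitted: they are ephemeral and must never
# drive firewall rules; only destination ports identify a service.
OBSERVED_FLOWS = [
    (date(2007, 1, 3), "tcp", 80, "http"),
    (date(2007, 1, 3), "tcp", 443, "https"),
    (date(2007, 1, 4), "tcp", 80, "http"),
    (date(2007, 1, 4), "tcp", 443, "https"),
    (date(2007, 1, 4), "udp", 53, "dns"),
    (date(2007, 1, 5), "udp", 53, "dns"),
    (date(2007, 1, 5), "tcp", 25, "smtp"),
    (date(2007, 1, 8), "tcp", 25, "smtp"),
    (date(2007, 1, 8), "tcp", 993, "imaps"),
    (date(2007, 1, 9), "tcp", 993, "imaps"),
    (date(2007, 1, 9), "tcp", 443, "https"),
    (date(2007, 1, 9), "tcp", 6881, "bittorrent"),   # seen, but policy says no
    (date(2007, 1, 10), "tcp", 6881, "bittorrent"),
    (date(2007, 1, 10), "tcp", 31337, "unknown"),    # one-off, no app behind it
]

# Applications that must stay blocked even though the audit observed them
# (hypothetical label set; a real deployment uses the classifier's names).
DENY_APPS = frozenset({"bittorrent"})


def summarize(flows):
    """Aggregate per (protocol, port): flow count, distinct days, app labels."""
    stats = defaultdict(lambda: {"flows": 0, "days": set(), "apps": set()})
    for day, proto, port, app in flows:
        entry = stats[(proto, port)]
        entry["flows"] += 1
        entry["days"].add(day)
        entry["apps"].add(app)
    return stats


def build_policy(flows, min_days=2, deny_apps=DENY_APPS):
    """Derive the allowlist from observed traffic.

    Returns (allow, rejected):
      allow    sorted list of (proto, port, apps) seen on at least min_days
               distinct days and carrying no denied application label;
      rejected dict (proto, port) -> reason, kept as the audit trail so the
               team can answer "why is port X closed?" later.
    Caveat: anything used less often than the observation window (a
    quarterly batch job, an annual enrolment tool) never appears here, so
    the window must cover the full usage cycle of the population.
    """
    allow, rejected = [], {}
    for (proto, port), s in sorted(summarize(flows).items()):
        denied = s["apps"] & deny_apps
        if denied:
            rejected[(proto, port)] = "app denied: " + ",".join(sorted(denied))
        elif len(s["days"]) < min_days:
            rejected[(proto, port)] = f"seen on only {len(s['days'])} day(s)"
        else:
            allow.append((proto, port, "/".join(sorted(s["apps"]))))
    return allow, rejected


def render(allow):
    """Emit vendor-neutral rule lines: explicit allows, then the default deny."""
    lines = [f"allow {proto} dport {port}   # {apps}" for proto, port, apps in allow]
    lines.append("deny any any   # default: nothing the audit did not justify")
    return lines


if __name__ == "__main__":
    allow, rejected = build_policy(OBSERVED_FLOWS)
    print("\n".join(render(allow)))
    for key, reason in rejected.items():
        print(f"closed {key[0]}/{key[1]}: {reason}")
```

The port-level rules this produces are only as good as the classification that fed them: an application that tunnels over 80 or 443 rides through an allowed port unnoticed, which is why the layer-7 visibility tool stays in place after the firewall policy is deployed rather than being retired once the audit ends.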
HBS tackled its network security problems while making
sure user impact was either undetectable or positive.
Network protection without service interruption.
The result was a tougher, more reliable network. By
embracing the new network, HBS has almost entirely eliminated DDoS
attacks and virus infections, and has closed off most of the exposure
that previously left vulnerable systems reachable. School officials also have reduced just about all
illegal P2P traffic on the ISP connection. Result: Not only
did the HBS IT group devise a security policy for the good
of the school, it did so without interrupting the way the
school community functioned. Unless students were to
pick up this issue of Campus Technology, they would never
know what had gone on behind the scenes to ensure their
daily network usage was not disturbed.
Ultimately, all four of the school's user populations (faculty
and staff, MBA students, executive education participants,
and guests) benefited from the more reliable and secure network.
Uptime improved as well: With the new firewall policy
keeping out viruses and other dangers, HBS achieved 99 percent
uptime. Other successes include reduced vulnerability
to attack, and lowered ISP administrative costs. Perhaps most
importantly, the school's 1.5 full-time-equivalent network engineers were able to
return to focusing on other tasks.
Cost savings. There were other bonuses, too: Overall,
Arsneault estimates the school has saved $220,000 per year
due to reduced ISP expenses, decreased administrative and
support costs, and reduced stress on network managers and
support staff. Of course, the new network also has resulted in
more productive end users across the board, since each
machine that was infected had to be cleaned (and, often,
reconfigured), a process which sometimes took about four
hours a pop.
"Network security problems are still very widespread in education,"
Arsneault maintains. "This represents a new level of
technology use within the education industry: Implementing
security measures in a way where user impact is either undetectable
or positive is practically unheard of."