A leaner, fitter network for Channel 4

How Extreme Networks helped rationalize a corporate network to reduce cost and build flexibility for future data center relocation.

Since its launch in 1982, Channel 4 has seen major changes in the broadcast industry, and its London base had evolved from traditional television production and broadcast operation to a role more like a corporate multimedia business headquarters. Channel 4 was planning to upgrade its Disaster Recovery (DR) and Business Continuity Planning (BCP) facility—and that called for a rethink of its legacy network.

The plan to locate disaster recovery in a new secure facility presented the double challenge of moving simultaneously to a new data center and a new network—just the sort of complexity that makes it difficult to predict performance and identify the source of any faults that arise. Instead, Bruce Rawstorne, head of operations and senior service manager for Channel 4, decided to work on the existing system and redesign the network architecture as if the main and DR functions were already separated: “Let’s make our mistakes and learn from them in advance, rather than while we are in the midst of adapting to a new WAN-linked data center.”

What Bruce found was a legacy system “like a MINI fitted with a Ferrari engine.” The network already boasted Extreme Networks high power Black Diamond switches that could serve an operation many times larger. The 40GB backbone linking the two sites was also over-provisioned with dark fibre. As Bruce explains: “This was the first company I’d worked for where the network was not the issue. Normally, when anything goes wrong everyone begins by blaming the network—they’ll do anything rather than admit that the fault lies in their own systems. This did not apply at Channel 4.”
This system was no doubt a legacy from the days before transmission and broadcast were outsourced, and provision had been made for supporting massive media file transfers rather than more normal business applications.

What was now being planned did include mirroring production storage clusters between the two sites, but this synchronous transfer required only the transfer of incremental updates, rather than full files, once the mirrors had been initially aligned.
The amount of spare capacity meant that IT operations between the two data centers had grown organically into a campus-style network without the usual discipline of limited resources. Such a system would prove costly and inefficient if migrated to a remote data center in its current state. What was needed was a slimming operation towards a leaner, less wasteful network that could more readily migrate to a remote data center with outsourced connection.

As a BCP system it was necessary to not only mirror the production files between the two sites—so that the loss of one site would mean a replica was immediately available—but also to make the network fully resilient so that it would still operate if one or other site was shut down or destroyed. While latency was not a problem in the old network, in the future deployment the two data centers could be up to 100km apart and connected by a 20GB virtual private line with a number of DWDM channels instead of all that dark fibre. So latency could also become an issue for certain applications.

The legacy network was based on Extreme Networks equipment provided by Metropolitan Networks, but it was necessary to get comparative quotations for other vendors’ solutions. “We looked at things like capability, throughput, how the company’s technology was developing and price,” explains Bruce Rawstorne. “The cost of the Extreme Networks solution was considerably more attractive, it offered sufficient spare capacity and the end of support date gave us the required five years – so we went for that.”
“While our support and maintenance contract was with Metropolitan, Extreme Networks was very good when we needed their help,” adds Bruce. “We got them to validate our detailed design, and they were very responsive when more complex problems arose.”
A period of intensive testing followed. “There’s quite a bit of important traffic between the two, so we needed to be sure it was working properly before the move when, in theory, the only difference should be the longer link between the sites,” says Bruce.

At Channel 4, network capacity was never really the issue. Bruce Rawstorne had inherited a very powerful system but it was no longer appropriate to the new business strategy: “We are trying to mature Channel 4’s network and ingress to be more like a fully functional media company with serious enterprise capabilities for future growth.”
As a result of this upgrade to industry “best practice,” Channel 4 is now better placed for any future.

What Clients Say

“We looked at things like capability, throughput, how the company’s technology was developing and price. The cost of the Extreme Networks solution was considerably more attractive, it offered sufficient spare capacity and the end of support date gave us the required five years—so we went for that.”
Bruce Rawstorne, Head of Operations, Senior Service Manager, Channel 4

University of Cambridge Institute for Sustainability Leadership.

Fortinet Brings Network and Application Visibility and Security to Global Leadership Institute.

Details

Customer Name: University of Cambridge Institute for Sustainability Leadership
Industry: Education
Location: Cambridge UK, offices in Brussels and Cape Town

 Business Impact

  • End-to-end, integrated high performance, high availability security for growing needs.
  • Dramatically improved visibility, reporting and management of application and network behavior.
  • Peace of mind against new and emerging threats at highly competitive performance/price point.


The world needs practical solutions to sustainability challenges such as climate change and energy security, and global leaders are expected to deliver. This is the purpose of the University of Cambridge’s Institute for Sustainability Leadership (CISL) – a specialised institute delivering the highest quality executive education and support to government, NGO and corporate leaders from around the world.

Based in the UK city of Cambridge and with offices in Cape Town (South Africa) and Brussels (Belgium), CISL retains around 50 full time staff and collaborates closely with many other key industry and academic contributors in the delivery of sustainability leadership courses and events. This international collaboration has placed increasing pressure on internal IT resources to ensure network services are continually available, and that the user experience of applications and access to shared files is unimpinged and highly secure.

Concerned about new and emerging threats, time-consuming configuration and management challenges, poor throughput performance and a lack of visibility into applications on the network, CISL sought to replace its 3Com Superstack 3 firewall with a far more robust, high performance security solution for the network perimeter. This has led to the deployment of two FortiGate-100D integrated security appliances to provide a host of protection capabilities including next-generation firewall, application control, IPS, anti-virus scanning and traffic shaping.

Solutions & Results

As an institute within University of Cambridge, CISL has sufficient autonomy to seek out the best possible solution to its unique IT needs, and drew up a ‘wish-list’ of technical capabilities for its replacement firewall, including: Application control, URL filtering, AV scanning, intrusion alerting (IPS), high availability (HA) mode, identity based policy enforcement, on-premise IP routing and browser-based management providing an understandable, actionable dashboard view and quick, easy configuration.

Having helped thousands of leaders over 25 years, CISL wanted to grow its business and its IT network into the future, as CISL IT Manager Ellis Karim explained. “We’re a small IT team who cover everything and, while we aren’t firewall experts, we just knew that the old devices would only get more troublesome in the face of extra demands. We were worried that threats were in danger of breaking through though we had no visibility of what was going over the network. We felt there must be firewalling capabilities out there which went beyond simple port and protocol blocking.”

Karim turned to his peer group of IT managers at other institutes and colleges, to gather views and advice about where to turn for a solution. The turning point was the successful Fortinet implementations he encountered, which led to an install project for two FortiGate 100Ds (in High Availability cluster) at CISL planned with Fortinet Gold Partner, Metropolitan Networks.

“Suddenly the network was made visible to us and we started to see where the bandwidth was being spent and where to take action,” recalled Karim. “The FortiGate-100D gives us great value per Gigabit performance and terrific functionality, including the ability to now route all our traffic internally with each IP packet security-inspected, and receive daily emailed reports. We’re able to create simple, clear rules about specific applications and user groups – which is a great benefit that reduces the burden on me being the only person on the IT team with the skills to manage security.”

Helping each stage of the implementation was the team at Metropolitan Networks. “Setting up the FortiGate solutions and segmenting each virtual network domain is very straightforward, but we chose to take a two-stage approach to the rollout because of the challenge caused by the extremely complex, non-standard configuration on the old firewall,” added Karim. “Metropolitan Networks were fantastic and we relied heavily on them to ensure no downtime during the changeover. We weren’t firewall experts before, and now we never have to be thanks to Fortinet and Metropolitan Networks.”

Each FortiGate-100D is backed by FortiGuard, Fortinet’s extensive global research capability, which protects against new and emerging threats by examining the latest cyber-criminal activities and techniques to deliver real-time, around-the-clock protection.
Looking to the future, CISL are cognisant of the potential to derive even greater value out of their FortiGate-100Ds by exploiting more of their on-board integrated capabilities.
Among these is the two-factor authentication server that comes with every FortiGate, and extracting more use from its IPSec and SSL VPN functions. “Time will tell what else we select from the toolset, but we’re confident we can do more without affecting performance or the stability of our growing.

What Clients Say

“Metropolitan Networks were fantastic and we relied heavily on them to ensure no downtime during the changeover. We weren’t firewall experts before, and now we never have to be thanks to Fortinet and Metropolitan Networks.”
Ellis Karim, Head of Operations, IT Manager, CISL - University of Cambridge Cavendish Labs.

Increased visibility brings increased security to University

University of Cambridge Department of Physics

Metropolitan Networks were able to bring visibility to the University of Cambridge’s internet connection through the implementation of an effective traffic surveillance/shaping tool from Netintact. This newfound visibility offered protection from attacks, as well as making important publications available to the world for research.

The Department is one of the top Physics departments in the world. There are over 600 staff, and around 3000 students on courses and academics. The Cavendish Laboratory has a 1 GB link to the University data network and the “outside world” and, internally, multi-Gb trunked connections to adjacent institutes. With 58 * 48-port switches and 6 multi-frequency wireless access points, the Laboratory needs automated security.

Issue:

As one of the world’s leading educational Physics laboratories, the University of Cambridge has research publications that are of interest to institutions and individuals all over the world. The different international research requirements necessitate massive bandwidth allowances at different times of the day, yet that information must be freely available 24 hours a day, seven days a week.
Not all interest in the University’s data is from legitimate sources, however. The University of Cambridge’s status brings fame, and with that comes a certain amount of undesirable attention from individuals seeking to launch high profile attacks.
The challenge presented to the Physics department was how to monitor, assess and deal with unauthorized access attempts to potentially critical data, and at the same time allow freedom of access from around the world to research publications on an uninterrupted basis. All this without causing disruption to the 3000 students who use University bandwidth for educational and some recreational use.

Solution:

Metropolitan Networks recommended PacketLogic from Netintact as an effective solution to this problem. Its advanced traffic shaping tools enabled the University to allocate bandwidth discriminately for its mission critical applications. Powerful deep packet inspection capabilities offered the much needed surveillance to identify inbound and outgoing traffic in real time on a full Layer 7 analysis, collecting statistics and shaping or blocking as required.

Result:

The University of Cambridge were overjoyed with the result. Ian Mackey, IT Manager explains: “Within one week we had identified and blocked no less than 220 intrusion attempts – some using normally acceptable ports. We had tangibly increased the speed of network access. We had isolated existing un-authorised software installations. We had saved an estimated 12k on human resources that would have been necessary to investigate these potential intrusions and development time monitoring and investigating Layer 4-7 access.
“By the end of the month I was able to present a breakdown of bandwidth use and abuse to the various management committees and demonstrate graphically how the network could be improved.
“We have since been able to utilize the PacketLogic with our IT intranet (primarily comprising of Extreme switches) to allow automated bandwidth allocations and QoS for specific research groups (averaging 380Tb data transfer) with no impact on other users.
“We have been able to maintain a high level of security even in high-bandwidth usage on normally innocuous traffic like port 80, 21, 23, 8080, etc and more especially secured or encrypted traffic on ports 443, 22, etc.”

Summary:

It does what it says on the tin … and more. Restricting what shouldn’t be there, assisting what should, providing essential network management information and statistics of detailed packet-contents. “With Metropolitan Networks knowledge and assistance I have managed to condense what would have taken around eight hours a week into literally a 20 minute job.”

What Clients Say

“With Metropolitan Networks knowledge and assistance I have managed to condense what would have taken around eight hours a week into literally a 20 minute job.”
Ian Mackey, Head of Operations, IT Manager, University of Cambridge Cavendish Labs.

From congested to clean – how to manage internet abuse – Judiciary of Trinidad and Tobago

Bring visibility to the Judiciary’s internet connection through the implementation of an effective traffic surveillance/shaping tool from Procera Networks.

The Judiciary of Trinidad and Tobago

The Judiciary works towards the resolution of conflict in the society by resolving disputes which arise out of the operation of laws and involve the application of remedies and the punishment of offenders.

Issue:

The Judiciary found its 4 mbps WAN connection was heavily overloaded and work was grinding to a halt. There was no way to identify the causes or prioritize mission-critical applications. The Network Administrator, Anthony Mathison, explains: “Even though our bandwidth was increased from 1.5 mb to 4 mb it made no difference, our internet was still extremely slow and our ISP was threatening to disconnect our service because of all the BitTorrent traffic and P2P traffic that they were seeing on the line.”

Solution:

Metropolitan Networks recommended Packet Logic from Procera Networks as an effective solution to this problem. Its advanced traffic shaping tools enable the Judiciary to allocate bandwidth discriminately for mission-critical applications. Powerful deep packet inspection capabilities offered the much needed surveillance to identify inbound and outgoing traffic in real time on a full Layer 7 analysis, collecting statistics and shaping or blocking as required.

The Packet Logic not only allowed the Judiciary to inspect how their bandwidth was being used and identify problems, but also offered a solution to those problems. As an application layer firewall it is also able to block non-essential bandwidth consuming applications such as instant messaging and file sharing. It can also divide and assign bandwidth for different activities and reserve a premium for the most mission critical traffic.

Result:

Restricting what shouldn’t be there, allowing what should, providing essential network management information and statistics of detailed packet-contents, the Packet Logic is an invaluable tool. Mr Mathison said, “On the day the Packet Logic was installed internet traffic improved dramatically, we have over 200 internet users sharing a 4 mb connection and they are now all extremely satisfied.”

What Clients Say

“We are now able to identify bandwidth abusers and effectively limit an individual’s monopolization of our internet resources. The Packet Logic allows us to postpone any need for increased bandwidth”
Anthony Mathison, Network Administrator, Judiciary of Trinidad and Tobago

Increased visibility brings increased security to Sixth Form College

Peter Symonds College, Winchester

Peter Symonds College is one of the largest sixth form colleges in the country with about 2,800 full-time 16-19 year old students on the main campus and an adult education site about a mile away which accommodates some 3,000 part time students, most of whom are on very short courses for an hour or two a week. About 100 of the full-time students are boarders. The College is connected to the Internet via a 10Mb (recently upgraded from 2Mb) link to the JANET network.

At Peter Symonds College in Winchester, a very limited Internet connection was being compromised by a variety of traffic including peer-to-peer file-sharing traffic. This slowed the use of the Internet for study during the college day and also after hours for evening classes. Metropolitan Networks implemented a PacketLogic to block this traffic at the application layer, stopping the unwanted traffic immediately. Metropolitan Networks were then able to optimise the available internet bandwidth to different groups of users at different times of the day.

Issue:

The 2 mbps internet connection at Peter Symonds College was running at 99% capacity almost constantly. P2P file sharing traffic had become prolific, and was using up what was already a limited resource. Part of the difficulty of controlling P2P lies in the application’s ability to switch ports. Any time a P2P port was blocked, they would simply use another one, avoiding firewall security measures in the process.
The challenge at Peter Symonds College was a complex one. How do you make such a limited internet connection available to every classroom, office, and boarding house all of the time?

Solution:

The first part of the solution was to block unwanted traffic. As PacketLogic is able to view traffic at the application layer, it was able to eliminate ALL forms of P2P traffic immediately, regardless of which ports they were utilising. With P2P activity put to a halt, and bandwidth usage levels substantially reduced, Charles’s IT Support team went on to optimise the rest of the college’s internet traffic, using PacketLogic’s powerful traffic management tools. IT Director Charles Parish explains:

“The appliance allows us to view, in real time, the types of traffic flowing through it, e.g. web browsing, email, Real Player or file-sharing. We can see what traffic, and what kind of traffic is coming from or to a particular computer by drilling down into our subnets and looking at an individual station. Or we can begin by looking at individual services and drill down from there to see where they are coming from and going to.
“We can view statistics which the appliance has gathered over several hours, days or weeks to see patterns of usage. If we see that these may be a problem we can set up rules to block certain types of traffic or restrict it at certain times of the day. We can even set up rules to apportion bandwidth at certain times if other conditions are met. These offer a measured and proportional response allowing us to be as flexible as possible.”

Result:

By taking advantage of PacketLogic’s advanced functions, Peter Symonds College was able to win back its internet bandwidth. After categorising the college’s computers into groups such as: computer labs, admin, wireless, and boarders, advanced rule-sets were applied to each group, specifying what was, and what was not acceptable usage of the college’s internet, as well as deciding the appropriate amount of bandwidth allocated to each group.
Some rules governed usage during college time and others for out of college hours. Other rules even allowed bandwidth to be borrowed from another group if it wasn’t being fully utilised. The combined application of these specific rules has led to full optimisation of network traffic flow, the availability of internet services to all users, as well as adding further protective measures to aid in network security.

Summary:

“We have found the PacketLogic box to be an excellent tool to limit abuse of our Conditions of Use and to allow competing users of our bandwidth to receive an appropriate share. It also helps us prevent unwanted activity such as illegal file sharing in the college. The interface is easy to use and the support from Metropolitan Networks has been excellent; we have just extended our maintenance contract for a further year.”

What Clients Say

“The support we have received from Metropolitan Networks has been excellent and we have just extended our maintenance contract for a further year.”
Charles Parish, IT Director, Peter Symonds College

From congested to clean – how to rescue a compromised network

The Chartered Institute of Environmental Health

Metropolitan Networks identified and resolved problems that were overwhelming the network at the Chartered Institute of Environmental Health. The viruses and attacks that were propagating on the network had reached a point where they were almost impossible to contain.

The Chartered Institute of Environmental Health (CIEH) is an independent professional body and registered charity representing those who work in environmental health and related disciplines. Their primary function is the promotion of knowledge and understanding of environmental health issues.

A drain on the network

Despite having two Cisco Pix firewalls and antivirus protection on both the server and each of the 120 desktop computers, the CIEH found its network was plagued with viruses, its two 2 mbps WAN connections were heavily overloaded, and work was grinding to a halt. Sean explains: “A large proportion of the ICT department’s resources were being consumed by this problem. It was leaving us with little time or money to implement any of the new projects we had planned to undertake.”

The Institute has had a long relationship with the technicians at Metropolitan Networks and valued their security expertise, so when it was recommended they trial a PacketLogic from Netintact, never before seen in the UK, the CIEH had enough faith in Metropolitan Networks to give it a try.

Insight

“The PacketLogic was a godsend. It was like a blind man being given his sight. We could see instantly all traffic on our network. We could inspect our network to see which machines were using up our bandwidth, and which applications they were using to do it. It also allowed us to identify irregularities in our bandwidth usage and so see where viruses had propagated.”

The PacketLogic not only allowed the CIEH to inspect how their bandwidth was being used, and identify problems, but also offered a solution to those problems. As an application layer firewall it was able to block non-essential bandwidth consuming applications such as instant messaging and file sharing. It was able to divide and assign bandwidth for different activities and reserve a premium for the most mission critical.
An important part of preventing future attacks was identifying where the original attacks had come from in the first place. It was found that user intervention on AV software, public webmail accounts which bypass AV scanning from the email server, and 3rd party devices such as USB memory sticks all had their part to play in introducing and propagating viruses.

Again the CIEH looked to Metropolitan Networks to remedy this problem, and the remedy was quite a straightforward and inexpensive one:

  1. Place a small Fortigate on the network edge to offer AV protection for all company e-mail, HTTP, SMTP, IMAP, POP, and FTP traffic.
  2. Educate staff on the importance of using local AV software, and keeping it up to date.
  3. Use the PacketLogic to block potentially compromising applications such as file sharing.

An outstanding success

The initial small Fortigate was so impressive that the CIEH quickly decided to replace their two Cisco Pix firewalls with two Fortigate 300 Unified Threat Management solutions to offer not just firewall and anti-virus protection, but also intrusion detection/prevention, anti-spam, anti-spyware, and IPSec VPN usage.
These days the CIEH benefit from a secure, robust network. The daily problems Sean faced are a thing of the past.
“I would be first to admit our network was unmanaged. We were overwhelmed with problems and didn’t know where to start. The PacketLogic enabled us to identify and eradicate the problems on our network, and the Fortigate gives us the protection from future attacks.
“It isn’t every day you get a satisfying answer to such a complex problem. We feel indebted to Metropolitan Networks for the way they were able to secure, protect and give us the tools to manage our network. Their experience, expertise, and wisdom have made my life a lot easier.”

What Clients Say

“To say we are pleased with the result may be a bit of an understatement. Metropolitan Networks has put us back in control of our network and rescued us from a potential crisis.”
Sean Mohammed, IT Manager, Chartered Institute of Environmental Health