A library system in California found help in speeding internet access, while increasing security, reports Greg Masters.
A trip to the library these days involves a lot more than thumbing through file cards to find a book. The 134-year-old Dewey Decimal System, though still widely used, has seen its authority wane as library visitors plop themselves down in front of computers not only to find the books they need, but to perform their research via web searches, play computer games, download video and catch up on email.
A few years ago, one library system in California noticed that its internet connectivity and access was slowing because patrons increasingly began to access video and other applications demanding greater bandwidth. To maintain its performance and secure the network during peak internet traffic, the IT staff at the Riverside County Library System (RCLS) realized it needed to overcome new security threats and challenges, including the need to meet Federal Communications Commission (FCC) requirements for filtering child-inappropriate content and allowing for efficient downloading of streaming video, audio and other files.
“Our goals were to optimize our throughput with better connectivity and access to the internet,” says Luther Brady (left), automation manager for RCLS. “It is our purpose as a public library to give full and free access to the internet without restricting patron access. Additionally, we needed to protect children by default and empower our adult patrons by choice to block dangerous sites, including pornography.”
RCLS is one of the largest public libraries in California. Its 35 branches serve 26 cities and 1.6 million residents. Between 7 a.m. and 9 p.m., nearly 800 computer workstations are ready for use throughout its system. RCLS currently provides free wireless internet access in about half of its branches, and more are being equipped to provide wireless access every year. A client/server library automation system permits circulation, indexing, acquisition and public access functions. A fiber and bonded copper-based WAN centralizes email, public and staff training, as well as web-based applications, such as Facebook, Twitter, Delicious and Flickr.
The main office for RCLS is in Riverside, Calif., a town of 300,000-plus residents about 60 miles southeast of Los Angeles. The library branches are located throughout the region from Los Angeles and Orange County on the west, Arizona on the east and San Bernardino and San Diego Counties on the north and south. The IT staff at RCLS consists of 10 individuals, including six technicians, two application specialists and two support people.
To meet their goals, Brady's team needed to put together a distributed network to cover all branches in the county system and prevent ongoing threats, including harmful botnets perpetrated via DNS and denial-of-service attacks, trojans and viruses – all without restricting patron access.
Performance is critical, he says, because at public libraries with hundreds of workstations, there can be massive traffic volumes at peak times, such as when the doors first open or when school lets out. “With downturns in the economy and the increase in unemployment, library use increases as it is the university of the common people,” Brady says.
He and his team consulted with other county departments and also reviewed what sister county public and large city public libraries were doing. Brady's team realized they were all facing the same issues and were struggling to meet both bandwidth and security needs. Several vendors were asked to present and demonstrate technology to the in-house staff.
“We started to look at various filters, such as Blue Coat, and a number of open source filters,” he says. Some were software and some appliances. The team had implemented a small SonicWALL 170 for its first branch library wireless implementations. That was when they learned about the SonicWALL NSA E5500 and then the NSA E7500. At the same time, the team examined systems from Fortinet and Barracuda, as well as solutions from Cisco and Nortel.”
His team then tried upgrading its internet connection from 100 MB to 1 GB throughput using a fully populated Cisco 7200, but they could not implement a configuration in the 7200 that would not bog down with the network address translation (NAT) required by the significantly increased traffic.
“We simply needed a solution that was at least a quantum in performance above what we had,” he says. “During our search, we learned about SonicWALL's ‘unrestricted deep packet inspection' and determined to complete a trial. The result of the trial was our purchase, full implementation and satisfaction.”
The cost was comparable to alternatives, says Brady, and the staff requirements were the same as previously required for the Cisco 7200 – namely it needed little training for the existing resources to satisfactorily operate the SonicWALL solution. Assistance, when needed from the vendor, has been at the best industry standards, Brady says.
There are two key components that have to come together to make the E7500 what it is today, says Patrick Sweeney (left), SonicWALL's vice president, product management for all of the company's business units. “The first is a 16-way multicore architecture and [the second is] the Reassembly Free Deep Packet Inspection Engine (RFDPI).”
While the two components are powerful when taken by themselves, a combination of the two yields tremendous performance in the form of one of the fastest unified threat management (UTM) appliances on the market, Sweeney says
The E7500 accepts network connections on all network ports, regardless of the protocol, and after performing regular stateful packet analysis, passes it to the RFDPI engine on one of the 16 cores that are specifically optimized for content inspection. These cores have powerful capabilities specific to networking with which they apply all layers of deep packet inspection: intrusion prevention, anti-virus and anti-spyware. Additionally, this engine allows real-time application classification, which enables the administrator to create policies at an application, rather than a network, layer.
SonicWALL UTM TZ devices in the remote sites and the SonicWALL NSA E7500 in the central office service these VPSs to bring secure staff communications into the library network over the public DSL and cable internet connections, says Brady. The new fiber network is and will be backed up by public DSL and cable and new FIOS and U-Verse internet connections allowing for fail-over connectivity in case the primary fiber connection for one or more libraries goes down. In addition, users' laptops go directly to the internet through the SonicWALL devices without coming back to the hub. This separates secured from unsecured traffic. “It works like a charm,” says Brady.
The deployment of the SonicWALL tool reaches across the network and touches each of the 35 libraries in the county system. At the point of implementation, Brady and his team were looking to build the infrastructure to support a switch from T1-frame to fiber. They are now in the midst of fiber implementation, and the NSA 7500 is taking it in stride as predicted.
Until a fiber infrastructure is fully implemented, many of the library's sites need more bandwidth than the system's Frame T1s can provide. The IT staff augmented the T1 Frame network by adding DSL and public cable internet connections. About half of the library sites implemented site-to-site virtual private networks (VPNs) over these public internet connections back to the central office.
“We do not doubt that we will be able to successfully complete our fiber implementation and significantly increase the bandwidth to the remote libraries as demand increases for at least five years without having to upgrade the NSA device,” says Brady. “Once the fiber is fully deployed, we add voice over IP (VoIP) to link our local phone systems and for staff and public VoIP apps.”
All updates are developed by an in-house team and are pushed out automatically to customers who have the necessary security services licensed on their devices, says SonicWALL's Sweeney. These appliances periodically poll the company's servers for updates that occur on a daily basis or more often if there is a zero-day outbreak that requires an immediate signature push. If the appliance cannot reach the update server for some reason, it continues to operate without interruption and uses the latest signature database that it could obtain, he says.
Signatures can also be updated manually in closed environments where internet use is completely restricted. As well, updates can be obtained from behind proxy servers. This implementation sits well with the administrators at the library who are continuously up against budget concerns.
“Academic customers usually have budgets that are much more restrained, and while they share concern about performance and security with their corporate counterparts, they are also restrained on personnel who can actively manage a firewall,” says Sweeney. “These constraints result in a requirement for a network security that, while being powerful and fully featured, has to be easy to use and maintain.
As well, he says, academic customers have the added problem of students who have grown up around technology getting persistent when it comes to circumventing content filtering. Too, students are more likely to be consumers of bandwidth-intensive applications, such as streaming video, P2P applications and social networking sites.
“The challenge for IT administrators in academic environments is how to, with limited budgets and time, provide an acceptable level of network performance for the entire institution while complying with the necessary laws,” Sweeney says. “This means throttling down streaming video, preventing P2P and prioritizing critical applications – all without requiring a dedicated firewall management team.”
As part of complying with federal content-filtering requirements, academic IT administrators have to deal with SSL proxies, which can be used to completely circumvent content filtering. Sonic-WALL is currently in early field trials for transparent SSL inspection technology that will allow the same level of deep packet inspection and content filtering to be applied within SSL streams as is done on other non-encrypted traffic. This will plug the last remaining hole for schools and will reduce the amount of time spent by IT administrators trying to keep up with blocking SSL proxies, says Sweeney.
The result of all this technology? Riverside is one of the only library systems in the state that has not experienced any major threat – even with open access, says Brady.
“With all the stories we read regarding intrusions elsewhere in the industry and even in our own county systems, we are confident that simply being aware and current on technology is the best defense,” he says. “We have been fortunate to have had the financial resources and the luck to discover and implement solutions that work before we needed them. We have not been successfully attacked yet and we feel that with the SonicWALL E7500 and remote TZ units, we are prepared for all current and for most future threats.”