Network Security
VPN delivers the goods
Solution ensures seamless failover in the event of Internet access outages or lost connections.

Dan Chesler, network administrator for AIT, had four requirements for security of the company’s wide area network connections.
Network downtime can be
devastating for any business, but for AIT
Worldwide Logistics, it can be catastrophic.
As a global transportation and logistics
provider specializing in heavyweight and
perishable shipments, AIT’s network is just
as important as the railways, highways,
airways and maritime lanes it uses to ship
goods. A single day’s worth of network
downtime can easily equate to $2 million in
lost revenues and thousands of lost
shipments.
Headquartered in Itasca,
Ill., AIT has 34 offices nationwide, 330
global service centers and more than 800
employees. Additionally, the company employs
a large network of independent contractors
that rely on AIT’s network to access
critical supply chain management and
accounting applications 24/7.
With a growing business
on the line, AIT decided to reevaluate its
frame relay and network redundancy service
provider. Network interruptions and costs
had been on the rise and AIT realized that
it could not expand its business without a
higher level of performance and reliability.
"We had to take an honest
look at our operations. We were overpaying
for low performance and inadequate customer
service and realized our service provider
was not holding up its end of the bargain,"
says Dan Chesler, network administrator for
AIT.
As it started evaluating
network security vendors, AIT had four
objectives: reduce costs, improve redundancy
in its wide area network, centrally manage
network security and eliminate single points
of failure.
"It’s a tall order for a
single solution. There aren’t many products
available that could meet all four
objectives," says Chesler.
AIT decided to implement
Stonesoft’s StoneGate solution primarily
because of its patented Multi-Link
technology, which ensures seamless virtual
private network (VPN) failover in the event
of Internet access outages or lost
connections between firewalls and outside
networks. The solution provided a full-scale
stable firewall with deep-packet inspection
capabilities. The StoneGate solution also
can aggregate multiple high-speed Internet
services without routing and provide
site-to-site VPN across those multiple
links.
Initially, AIT
implemented the solution at one of its
busiest offices in Minneapolis. The company
implemented three firewalls, two of which
were clustered at the company’s
headquarters. The implementation was
complete within two months, and AIT decided
to roll the implementation out across a
majority of its network stations, including
corporate offices, remote locations,
customer sites and independent contractor
sites. In total, AIT implemented 43
appliances at 41 different sites over a
nine-month period.
Change in infrastructure
After the appliances were
installed, Stonesoft worked with AIT’s
network administrators to create standard
security policies at its corporate
headquarters in Itasca that could be easily
pushed to each appliance across their
network–all from a single central command
center. The implementation, however,
required a substantial change in AIT’s
infrastructure and, to some extent, a leap
of faith from AIT’s IT team.
Previously, AIT used a
traditional frame relay circuit that was
costly, but provided AIT a high level of
security. The company was fearful of losing
quality of service (QoS), performance and
security by routing traffic over a public
infrastructure.
AIT also had envisioned
going with a central DSL provider to serve
all of its stations. Their provider of
choice, however, could not support many of
the company’s stations, requiring AIT to
provide one-off providers for cable, DSL or
T-1 service.
Over the course of the
StoneGate implementation, AIT learned that
most service providers place a higher
priority on repairing T-1 circuits than DSL
circuits. As a result, the company opted to
use more T-1 lines than originally
anticipated.
Stonesoft played a
technical consulting role in helping AIT
solve many fundamental network challenges.
Stonesoft’s R&D team recreated many of AIT’s
unique network challenges in its labs and
designed specific solutions that met their
needs.
One example is the
company’s rollout of a voice-over-IP (VoIP)
system. AIT implemented the StoneGate
solution and its VoIP system concurrently.
To ensure network performance and QoS,
Stonesoft worked with AIT to route and load
balance VoIP traffic through StoneGate
appliances.
Chesler acknowledges the
challenges with the StoneGate implementation
while championing Stonesoft’s approach:
"That’s okay, though. Perfect
implementations don’t exist. What we don’t
have, thankfully, is a vendor with a ‘take
it or leave it’ attitude. Stonesoft’s team
worked with us to find workarounds and
solutions to issues that are specific to our
industry and our market niches."
According to Chesler, "If
you go back and look at our four objectives,
we’ve met each one of them. We’ve reduced
our network spend, achieved redundancy,
centralized network security and eliminated
most of the single points of failure."
Substantial savings
It took less than six
months for the company to achieve a full
return on its investment. Most of its
stations were paying an average of $1,500 a
month for a 256-KVCS frame line. Today, most
stations have two lines that are roughly $99
each per month–$1,300 a month savings per
station. At the headquarters in Itasca,
which is the hub for the Frame Relay, the
port primary domain controller (PDC) and
asynchronous transfer mode (ATM) circuit
cost savings is about $33,000 a month.
The visibility and ease
of use of the centralized control provided
by the StoneGate solution have also had an
impact on AIT’s network operations. The
company now has the level of granular
control needed to support its expanding
shipping and logistics business. Today,
AIT’s growing network of independent
contractors has access to all of the
critical applications needed to ensure
accurate ordering, delivery, tracking and
accounting.
The next step for AIT was
to roll out the StoneGate SSL VPN to its IT
department and select contractors who needed
anytime access to the network for
maintenance or troubleshooting. Since the
SSL VPN does not require a pre-installed VPN
client on each machine, the AIT team can
access the company network from anywhere,
regardless of computing device. Using the
SSL VPN portal, AIT is able to set a policy
allowing secure access to desktops, which
contain all the applications and
connections IT and contractors need to do
their jobs.
Since implementing the
solutions, AIT has continued to increase the
number of independent contractors on its
network. On average, independent contractors
say they are saving $1,200 each month, while
enjoying faster network speeds and
resiliency.
While the StoneGate
solution’s failover and load-balancing
capabilities were tested rigorously in
implementation, the ultimate test came when
AIT’s Boston office underwent a complete
network overhaul. To improve Internet access
and performance, the office migrated from a
cable line and DSL modem to two T-1 lines
from different vendors. During this time,
AIT relied solely on Stonesoft’s Multi-Link
technology to ensure network access to
employees and independent contractors.
Most recently, the
company encountered another major network
failure when switching local and long
distance carriers in its Minneapolis office.
Once again, the StoneGate solution was able
to handle all traffic and ensure
connectivity while the primary circuit was
being repaired.
"Sometimes, we don’t even
know there’s an issue with our network until
the ISP calls our help desk to alert us,"
says Chesler. "Knowing there’s been zero
interruption in our business is a great
feeling."
Chesler’s goal is to
virtualize much of the company’s network
security functions while continuing to add
services like VoIP to more of its offices
and service centers. He expects the
StoneGate solutions to provide the improved
security and visibility AIT needs, without
purchasing more physical hardware.
Assess apps in use
by Christie Asmussen
Documenting all
applications in a business can be a daunting
task in isolation. It requires IT to work
with the end-user community to uncover all
applications and define how they are used.
Step 1. IT should identify
significant operations that could affect
application performance and document each
application’s performance characteristics.
Step 2. Compile a complete list of applications
running across the network and evaluate
their performance. This provides a baseline
to compare changes and enhancements as
applications are modified or moved within or
out of the IT environment.
Step 3. When all applications have been identified,
usage patterns discussed and the overall
application performance captured, an
informational meeting with business leaders,
application owners and other stakeholders
should be conducted to discuss definitions
for each business criticality classification
to allow the team to properly classify all
applications used.
Step 4. Operational costs associated with
maintaining levels of business criticality
assigned to each application can be
determined. Generally, the higher the
criticality level, the higher the support
cost. Redundant infrastructure is required
for the most critical applications to meet
applicable service-level agreements (SLAs).
Companies use various
business criticality classifications. For
example:
- Critical: Financial impact occurs immediately.
- Mandatory: Financial impact experienced within hours.
- Strategic: Financial impact seen within days.
- Tactical: Financial impact seen within weeks.
Step 5. Profile the applications to identify how
they are currently performing and what
optimization opportunities exist, including
what infrastructure should be in place to
achieve required levels of performance.
These optimization opportunities should then
be justified according to service
expectations and business criticality.
Step 6. An impact analysis can be conducted to model
scenarios that illustrate how performance
optimization recommendations can be
achieved. Expectations of application growth
scenarios can be introduced into the
profiling exercise to uncover the best
scenario for each application. All
applications and their business criticality
classifications can be used to build the
business continuity plan.
Step 7. Build a high-level architecture diagram of
the entire IT environment.
Step 8. A detailed application design should also be
created to ensure the architecture
recommendation for each application is
documented in detail and can be communicated
clearly.
Step 9. Based on the business criticality
assessment, ensure the investment in each
application is appropriate to the business
requirement.
Optimizing the
performance of applications based on their
criticality to the business is a formula to
maximize technology investments.
Christie Asmussen is senior solutions architect for
BT Americas, New York.