If securely deploying 10,000 wireless access points across 1700 locations in five months to create what is said to be the world's largest enterprise Wi-Fi network sounds like a challenge, Victoria's Department of Education (DET) in Australia took it all in its stride - with the help of a little penguin.
With 540,000 students, 42,000 teachers, more than 200,000 computers, and 40,000 notebooks spread across the 1700 sites, the department last year allocated A$6.5 million (US$4.8 million) to implement a wireless network aimed at easing connectivity, but at first its technology options were limited.
During a presentation at this year's wireless summit in Sydney, the department's head of ICT security, Loris Meadows spoke of how the Wireless Networks in Schools (WINS) project required a custom proxy and security services appliance dubbed "EduPass" to be engineered due to the WAN's complexity.
"At the heart of the systems is EduPass. We had an ageing fleet of proxy servers and needed to roll out 1700 of them so we saw a good opportunity to add proxy to RADIUS," Meadows said. "We looked at best-of-breed open source solutions like Smoothwall, Freeradius, and OpenSSL; we have our own kernel based on Red Hat Linux and did a lot of development."
Trouble over Cisco's factory settings
After a tender process, Cisco was chosen as the access point vendor in a deal that nearly fell through, Meadows said, because the "networking giant" was reluctant to accept the DET's advice and changes.
"We had a real battle and eventually got Cisco to change its default factory settings," Meadows said. "The access points shipped from the factory with 802.1x authentication and 1024-bit encryption, and it cannot be set back to default."
Meadows said there was a significant level of "lengthy discussions" with Cisco to get it to disable the reset button, which was a requirement to avoid the settings being undone by 350 school technicians.
"This was a world-first to get Cisco to change IOS [and] the deal would have been almost off if they hadn't," she said.
NAT traversal was another problem
DET also delivered another lesson during the development of EduPass when the vender proffered its own management appliance to do the job.
"Cisco was going to be the central management box, but it couldn't do NAT traversal and we NAT up to six times, so the device could not cope," Meadows said. "It was two hours programming on our part" against A$30,000 worth of appliances from the vendor.
With the EduPass design and development done, 1700 Linux and AMD-based "black boxes" are now running in nearly every school in Victoria. Neither Microsoft nor Intel were impressed "but it happened", Meadows said, adding this is almost certainly the largest unified enterprise wireless network in the world.
DET keeps its source code - for security
So far, DET has had about five similar education departments "knocking on our door" to get access to EduPass, but its source code will not be released in the short term because of security concerns.
"We are aware that the modules used in EduPass are open source already, and so is Red Hat Linux, but we have erred on the side of caution," Meadows said, adding her team has "thought long and hard" about it. "There are big security companies that build on Linux and don't release the code [and] we give credit to Openssh, Freeradius, Squid, and Linux which are all open to scrutiny. The bits that are proprietary concern how all servers are randomly set to check updates and a lot of advanced proxy features."
Even without releasing EduPass's code, DET is being a good open source citizen by remaining in "close touch" with and contributing "issues" back to the Freeradius and OpenSSH projects. Whitepapers on how EduPass works will also be released.
"We went to great lengths to harden the operating system [and] even the local school techs can't get inside the box," Meadows told Computerworld. "We even put a banner on the management interface reminding staff it is a criminal offense to hack into computers or to escalate privileges."
Meadows' team began to appreciate the flexibility of open source when digital certificates needed to be added to Windows' registry.
"Microsoft was unable to help so we did a lot of 'googling' and [the result] is certainly being [made public]," she said.
Wireless cuts the costs
After completing the 11-month project and with the network fully functional since July last year, Meadows said DET has experienced a minimum 20 percent saving against cabling and 50 percent due to open source software.
DET may be betting its business on Linux, but don't expect students to be using the operating system solely for education purposes.
"I like to think this will lead to more open source adoption, but at central office there is quite some resistance," Meadows said. "Although we are very much a Microsoft shop, I'm slowly witnessing more open source applications included on the desktop and becoming part of the SOE. There's no question [open source] will be used in future."
Meadows cited school technicians unskilled in Linux as a barrier to desktop adoption.
"In head office we're all Microsoft, but have snuck a few Linux servers in," she said.