The events of September 11th, 2001 forced the Massachusetts Port Authority, which operates Boston's Logan Airport and other properties, to re-examine its security practices on a number of levels. While the attacks didn't directly result in Massport revamping its internal network, they did speed that process up.
The result is a modernised infrastructure that provides more capacity, higher reliability and better security to some 1000 end users, according to Jeffrey Jordan, senior project manager for Massport's IT department.
"We had all sorts of money available under the security blanket" after 9/11, Jordan said. But adding sophisticated security systems, such as video intrusion detectors, biometrics and voice recording, demanded huge amounts of bandwidth not available on the old network, he said.
The most drastic change to the infrastructure is that Massport has shifted from a network of solo core switches at its main sites, with single links between sites, to a highly redundant set-up: two Enterasys switch routers at each of three main sites, linked in a mesh of Gigabit Ethernet connections aggregated to form 8Gbit/s links. Half-duplex microwave links running at 10Mbit/s and fractional T1 links to outlying sites have been replaced by full-duplex 155Mbit/s microwave connections (microwave is used because the sites are separated by water) and, in some cases, fibre. Massport has also been consolidating its servers at the three main sites, which are supported by storage-area networks.
The $3.2 million project started in 2003 and is largely complete, in terms of the 100-plus core and edge switches being in place. Massport and Digital Support, its primary partner on the project, are now looking to fully exploit those switches by using per-port security technology that enables the organisation to crack down on unauthorised uses of the network, such as instant messaging and hosting personal Web sites.
In fact, it was this role-based security technology that swayed Massport to go with Enterasys over Cisco, despite objections from upper management focused on Cisco's much healthier financial status (Massport was also already using switches from Cabletron, part of which later became Enterasys).
"Cisco wasn't happy, but it didn't have the security technology we were looking for at the time," Jordan said.
Now that Massport has the security technology, it is satisfied. But implementing it hasn't been a snap, said Gordon Powell, Digital Support's director of technical services for New England. For one thing, desktops had to be upgraded to newer versions of Windows (Digital Support previously led a migration to Microsoft Exchange at Massport). Work also needs to be done on the front end so that policies really are in tune with the applications end users are running, such as those whose traffic goes out one port and comes back on another, he said. Massport's network supports roughly 3000 ports.
"We have some cookie cutter policies, but we need to sniff packets and then modify those policies," he said. "Each department does some things differently."
Jordan said Massport now also needs to make clear to end users and helpdesk staff that hardened network security is being implemented, and that they are going to have to live with new rules.
"It's going to have to be a different mindset for end users and the helpdesk is going to have to be aware of what people have access to or not," he said.
Looking ahead, Massport is considering other technologies, such as VoIP, but for availability reasons it isn't convinced it wants to run voice on the same network as everything else. Jordan and Powell are also keeping an eye on network usage, which is at about 20 percent on the backbone but is already pushing the limits on the access portion of the network.
"It's hard to stay ahead with bandwidth, but the switches are modular, so bandwidth can be added," Jordan said.
Powell said Massport is also taking advantage of QoS capabilities in its switches to ensure that key applications always have a clear path. The biggest bottleneck on the network now, he said, is the servers, which struggle to keep up with the fastest links in the network.