If securely deploying 10,000 wireless access points across 1700 locations in five months to create what is said to be the world’s largest enterprise Wi-Fi network sounds like a challenge, Victoria’s Department of Education (DET) in Australia took it all in its stride – with the help of a little penguin.
With 540,000 students, 42,000 teachers, more than 200,000 computers, and 40,000 notebooks spread across the 1700 sites, the department last year allocated A$6.5 million (US$4.8 million) to implement a wireless network aimed at easing connectivity, but at first its technology options were limited.
During a presentation at this year’s wireless summit in Sydney today, the department’s head of ICT security, Loris Meadows, spoke of how the Wireless Networks in Schools (WINS) project required a custom proxy and security services appliance dubbed “EduPass” to be engineered due to the WAN’s complexity.
“At the heart of the systems is EduPass. We had an aging fleet of proxy servers and needed to roll out 1700 of them so we saw a good opportunity to add proxy to RADIUS,” Meadows said. “We looked at best-of-breed open source solutions like Smoothwall, FreeRADIUS, and OpenSSL; we have our own kernel based on Red Hat Linux and did a lot of development.”
After a tender process, Cisco was chosen as the access point vendor in a deal that nearly fell through, Meadows said, because the “networking giant” was reluctant to accept the DET’s advice and changes.
“We had a real battle and eventually got Cisco to change its default factory settings,” Meadows said. “The access points shipped from the factory with 802.1x authentication and 1024-bit encryption, and it cannot be set back to default.”
Meadows said there was a significant level of “lengthy discussions” with Cisco to get it to disable the reset button, which was a requirement to avoid the settings being undone by 350 school technicians.
“This was a world-first to get Cisco to change IOS [and] the deal would have been almost off if they hadn’t,” she said.
DET also delivered another lesson during the development of EduPass when the vendor proffered its own management appliance to do the job.
“Cisco was going to be the central management box, but it couldn’t do NAT traversal and we NAT up to six times, so the device could not cope,” Meadows said. “It was two hours programming on our part” against A$30,000 worth of appliances from the vendor.
With the EduPass design and development done, 1700 Linux and AMD-based “black boxes” are now running in nearly every school in Victoria. Neither Microsoft nor Intel were impressed “but it happened”, Meadows said, adding this is almost certainly the largest unified enterprise wireless network in the world.
So far, DET has had about five similar education departments “knocking on our door” to get access to EduPass, but its source code will not be released in the short term because of security concerns.
“We are aware that the modules used in EduPass are open source already, and so is Red Hat Linux, but we have erred on the side of caution,” Meadows said, adding her team has “thought long and hard” about it. “There are big security companies that build on Linux and don’t release the code [and] we give credit to OpenSSH, FreeRADIUS, Squid, and Linux which are all open to scrutiny. The bits that are proprietary concern how all servers are randomly set to check updates and a lot of advanced proxy features.”
Even without releasing EduPass’s code, DET is being a good open source citizen by remaining in “close touch” with and contributing “issues” back to the FreeRADIUS and OpenSSH projects. Whitepapers on how EduPass works will also be released.
“We went to great lengths to harden the operating system [and] even the local school techs can’t get inside the box,” Meadows told Computerworld. “We even put a banner on the management interface reminding staff it is a criminal offense to hack into computers or to escalate privileges.”
Meadows’ team began to appreciate the flexibility of open source when digital certificates needed to be added to Windows’ registry.
“Microsoft was unable to help so we did a lot of ‘googling’ and [the result] is certainly being [made public],” she said.
After completing the 11-month project and with the network fully functional since July last year, Meadows said DET has experienced a minimum 20 percent saving against cabling and 50 percent due to open source software.
DET may be betting its business on Linux, but don’t expect students to be using the operating system solely for education purposes.
“I like to think this will lead to more open source adoption, but at central office there is quite some resistance,” Meadows said. “Although we are very much a Microsoft shop, I’m slowly witnessing more open source applications included on the desktop and becoming part of the SOE. There’s no question [open source] will be used in future.”
Meadows cited school technicians unskilled in Linux as a barrierto desktop adoption.
“In head office we’re all Microsoft, but have snuck a few Linux servers in,” she said.