Infrastructure/Connectivity


Without a secure, reliable, state-of-the-art network in place, it is virtually impossible to deploy the applications that schools want and to meet national, state and district mandates.  Guilford County Schools has built a wide area network of more than 120 school and central office sites.  Approximately 28,000 computers and more than 99% of all classroom space have access to the Internet, email and other software applications using the network.  It is the goal of Technology Services to provide a powerful and secure infrastructure for all classrooms that will enable high-speed access for current and future applications.

This section includes information related to the infrastructure and connectivity installed in the district.



Current Network Design

The current cloud-based network was built using industry-standard equipment and software.  Sites today communicate within the district through a fiber-based Metro Ethernet solution providing bandwidth speeds up to 1 gb.  This solution is provided in partnership with our area providers (AT&T, Northstate Communications, & Embarq).  Internet access for the district is currently provided via a 250 mb circuit provided by AT&T.  Thanks to the North Carolina Research and Education Network (NCREN), GCS is also provided with a 100 mb circuit for traffic directed to DPI and other state institutions.

A central network operation center (NOC) has been established.  All network traffic from schools returns to the NOC for access to centralized services and the Internet.

Application servers, email servers, DNS servers, deployment servers (Altiris Management, McAfee AntiVirus), appliances (such as filtering devices) and the backup storage system are all housed in the NOC.  Servers that are accessible to the public, such as web servers, are located within an area called the de-militarized zone (DMZ).  Web-based access to email is routed through the DMZ and available remotely.  Also in the DMZ are application servers that are provided by outside vendors.

Other technology strategies employed by Guilford County Schools include:

  • Use of Active Directory as the single authentication source
  • Use of standard TCP/IP protocol
  • Use of the Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) and network address translation (NAT)
  • A de-militarized zone (DMZ) for all public access devices
  • Cisco firewalls
  • Orion and What’s Up wide area network and server monitoring tools
  • Centralized 8e6 R3000 appliances that filter and log access to undesirable sites on the Internet
  • An Intranet with critical devices and custom applications available only within the Guilford County network to users with proper authentications
  • A Virtual Private Network (VPN) that allows secure access to the network including internal Intranet applications from remote sites
  • Email servers protected by McAfee’s Groupshield AntiVirus
  • Email filtered by IHateSpam
  • Desktops protected by McAfee’s VirusScan antivirus software
  • Desktops “locked down” using Microsoft’s Policy Manager

Sites have been cabled with category 5e, category 6 and fiber backbone cabling.  All schools have centralized wiring closets with backbone switches.  Most schools use Cisco switched 10/100 mbps equipment in all closets.

More than 400 classes in Guilford County are held in mobile units.  Many of these classrooms were originally connected to the wide area network using wireless technology.  While a wireless solution is more cost effective than installing fiber optic cable, it provides slow access for some educational applications.  Traditional wired connections are now being used for new mobile installations and, as budget provides, are replacing many of the original wireless solutions.



Desktop Management

Standardized software is provided for all computers in the district.  In addition to curriculum-based software for the particular grade/area, Microsoft Office Pro is used at all levels.  All computers are connected to the wide area network and have access to the Internet and email.  The district currently uses Internet Explorer 6.x with various drivers and plug-ins.  Updated directories of virus protection files are automatically deployed using McAfee’s VirusScan to all desktops nightly or on demand in case of an outbreak.

All desktops are “locked down” using Microsoft’s policy manager and require a user to log in to the network.  Access varies according to the user identification and group.  All teachers have a specific user identification and authentication.  They are allowed to download from the Internet and save data to their home directory; however they are not allowed to load software or map drives.  They must complete a help desk request ticket for a technician to install new software.  Students have access to installed software but have no download capabilities and may save only to a removable device.


Remote Control Software

With the number of computers growing and multiple applications increasing in complexity, Guilford County purchased remote control management software to assist with the technical support of individual desktops.  NetSupport Manager enables a technician to browse, diagnose and resolve technical issues using the network.  Common problems can be addressed quickly without the need for staff to physically visit a school site.  Another module, NetSupport Schools, is available in all computer labs.  It enables teachers to access and manage student desktops.



Deployment and Patch Management Software

The district uses McAfee’s VirusScan antivirus software on all desktops.  This product is integrated with McAfee’s ePolicy Orchestrator to provide centralized management.  From a single console, policies are created that permit or force actions to all desktops.  ePolicy deploys the latest virus updates to all desktops nightly or on demand in case of an outbreak.  If an update is not yet available for a new virus, the response feature enables the district to take actions like port blocking or file blocking. The management system can also trace the IP address of endpoints sending malicious code.

Altiris Deployment Solution and Altiris Patch Management were purchased to enable mass distribution of software applications, upgrades, drivers and patches.  The software allows mass deployment of an OS and base applications or configuration of school-specific software.  Tasks can be initiated immediately or scheduled for after hours.  In addition, the Patch Management module links directly to Microsoft for patch notifications and scans connected desktops to report missing security updates.


Inventory Management Software

Technology Services also purchased Altiris Inventory Management.  The system collects detailed configuration data about all Windows computers attached to the network.  When changes are made at the desktop level, they are automatically reported to the central database.  The software enables us to more easily and accurately answer budget and planning questions such as:

  • how many computers need additional memory
  • which machines are affected by a manufacturer’s recall
  • which schools have the necessary equipment to use a new software package with specific requirements



Anti-Spam Software

Guilford County purchased IHateSpam Filtering Software for our email system.  This is a software package that is designed to detect unsolicited email advertisements, known as SPAM.  Those messages are moved automatically into a new Quarantine folder and periodically deleted if not moved.  Statistics show that six of every ten email messages are SPAM messages and are being blocked by the software.


MetroEthernet – High Bandwidth Network

Prior to 2005, all wide area network connections to school sites used T1 communication lines (1.5 mbps speed).  Network statistics indicated that the system continually operated at 80% or higher during regular working hours.  When there was increased traffic or faulty equipment, the system was especially prone to slowdowns and timeouts.

Because we were on the verge of “outgrowing” our current network, a contract was approved in February 2005 to implement a high speed network with local area Telcos called Metro Ethernet (Metro E).  The new technology is a fiber-based solution that was installed at all sites over a two-year timeframe.

High schools are getting further bandwidth upgrades to provide each with 100 mb dedicated with burst capability to 1 gb.  Middle Schools are configured with a 50 mb dedicated and Elementary Schools a 10 mb dedicated MetroE circuit (both of which have burst capability to 100 mb).  Non-traditional school sites, such as Middle Colleges, are provided with what the hosting site (i.e., the host college or university) allows.


 

Network Access and Email Accounts

Network access and email are established for all employees of Guilford County Schools.  User accounts are automatically created for new employees at the time an employee is added to the Human Resource Management System.

The user’s legal name, as stored in the Human Resource Management System, is used to create network access and email accounts.  Individual users access the domain with their unique user identification.  Each user has a password and a level of authority assigned. User identifications and level of access are correlated to the HRMS system employment assignment and stored in the Active Directory.  Intranet applications require users to be working on the Guilford County network (or have VPN access). 

Employees must be familiar with and adhere to the Acceptable Use Policy (AUP).  The AUP is included in the Personnel Handbook that each employee signs and receives annually.

Employees are routinely reminded that email is not private.  The use of email as a means of communication is subject to all laws and policies that address the issues associated with the confidentiality of student and employee records. 

The following statement is included in all delivered email.
“This email is for the sole use of the individual for whom it is intended.  If you are neither the intended recipient, nor agent responsible for delivering this email to the intended recipient, any disclosure, retransmission, copying, or taking action in reliance on this information is strictly prohibited.  If you have received this email in error, please notify the person transmitting the information immediately.  All email correspondence to and from this email address may be subject to NC Public Records Law which may result in monitoring and disclosure to third parties, including law enforcement.”



Servers

Guilford County Schools operates more than 400 servers.  The network architecture is Microsoft-based using Active Directory.  As budget allows, these systems have been replicated and secondary paths created.

Email accounts are divided alphabetically and distributed to eight individual email servers.  Additional servers include application servers, DNS servers, deployment servers, appliances such as filtering devices, the VPN concentrator and the backup storage system.  Servers that are accessible to the public, such as web servers, are located within the DMZ. 

The backup and recovery procedures for district servers are documented annually for the external audit of the general financial statements.  In addition, the data on servers identified as mission critical is also replicated to the centralized storage system for quicker recovery. 

School sites typically have a domain controller, an Altiris Management Server and an application server.  Thirty-three servers are used exclusively for SIMS with Novell 5.1 or higher operating system.  Backups for school application servers are the responsibility of the media specialist (or school contact) and SIMS Operators of that school. Individual servers use Veritas Backup Exec software.


Wireless

The growth of Wi-Fi networks has been extremely rapid in recent years.  Users want to extend the same functions of the wired network to a wireless one.  The push to wireless access brings new challenges.  We need to meet the demands for “anytime, anywhere” network access without compromising the security necessary to protect all users.

Technology Services is working to provide “wireless hot spots” in all of the middle and high schools.  The “hot spots” would provide wireless access in the common areas of the school such as the media center and the administrative offices.  The “hot spot” would be available to valid network users with laptops or visitors needing temporary access to the Internet.

As we segment our school networks into VLANs, we created a “Guest Network”.  When a wireless laptop (or rogue computer plugged into an active Ethernet port) accesses the network, user authentication is required.  If the device does not meet standards and have appropriate user identifications, that device will be isolated to the “Guest Network” and have only limited privileges.  A student or visitor’s laptop will have temporary access only to the Internet and no other network resources.

RttT Elementary Wireless Schedule


Network Improvements

Managing the network infrastructure is becoming an increasingly complex task. The utilization of the network in education provides exceptional opportunities for users but it also increases the associated risks.  Technology Services must continually find new solutions that improve bandwidth, provide additional features and protect against new vulnerabilities.  The following are network improvements that Technology Services is implementing:

  • In all middle and high schools, implement intrusion prevention systems (IPS) that use multiple behavior detection technologies to stop known and unknown virus attacks and further block these at the school site to keep them from propagating throughout the rest of the network
  • Install a frontline appliance/software at the gateway that will reduce malicious virus and spam traffic from reaching the email servers (where GroupShield and IHateSpam will provide second layer protection)
  • Subdivide school networks into workgroups called Virtual Local Area Networks (VLANs), applying different policies and securities and creating a “Guest Network” for Internet access only
  • Install wireless “hot spots” in middle and high schools
  • As budget allows, replace remaining older, slower, non-Cisco switches that do not have VLAN capabilities

 
The following are network improvements that Technology Services will investigate and possibly implement as budgets allow:

  • Move from software that scans and removes spyware to an enterprise solution that proactively blocks incoming activity
  • Investigate access control software that will detect devices that are not compliant with security policies as they attempt to access network resources
  • Continue development of redundancy for critical network devices and paths
  • Conduct IT security audits to make sure that all users remain protected



Disaster Recovery Plan

As a part of the annual external audit of the general financial statements for Guilford County, auditors review internal controls and operating efficiencies related to the major business applications used by the district.  Critical data systems and applications have been identified and assessed.  As budget allowed, those systems have been replicated and secondary paths created.  In addition, a complete Disaster Recovery Plan was written.

SmartRing: AT&T now provides a SmartRing fiber ring connection between critical sites.  The connection enters each building along a different route, creating an alternate path if service is disrupted.  The SmartRing also provides faster access and data transfers than the typical T1-type communication lines.  This better enables duplicate equipment to synchronize in real time.

Secondary iSeries 400: Guilford County’s centralized mainframe computer is used for most of our major business applications such as Payroll, Purchasing, Financial, Human Resource and Child Nutrition.  A smaller duplicate computer was purchased and put into service.  The primary computer continually replicates data and programs to the secondary unit.  Should the main computer have a disruption of service, work could resume as user files are retrieved from the smaller secondary computer.  Daily backups of both systems continue to be maintained and stored in offsite vaults.

Generators: Generators and uninterrupted power systems have been purchased for critical sites.  These systems have the capacity to provide power to each site for several hours.

Backup Storage System: Technology Services recently installed a backup storage system at Eugene Street and at the Technology Center.  The solution enables us to back up critical data from a variety of sources onto centrally managed storage.  In case of lost data, recovery is much faster and more reliable than using media such as tapes.  Documents from individual desktops, data from various application servers, the data warehouse, public folders, web sites and email are all copied to one of the storage devices.  The building systems are then replicated to each other for added security.  Routine backups of critical data continue to be maintained in offsite vaults.


 

Voice Communication Systems

Major telephone system replacements are included in the Capital Improvement Plan.  With the installation of the Metro Ethernet solution, Guilford County Schools' network has the available bandwidth to implement the Voice Over IP (VoIP) standard for voice communications.  VoIP uses the data network and equipment for voice services rather than a traditional telephone system.  VoIP has been implemented successfully in several school districts and universities.  It offers many new features and can be very cost-effective.  Along with offering a phone in each classroom/office, we are now able to unify email and voicemail into one media source.  We have installed this system in new construction and renovation projects since its inception during the 2003 Bond Referendum.  Currently it is installed at 27 sites.



Network Policies

Updates and additions to the network must follow strict standards to ensure interoperability, reliability and maintainability of the networking infrastructure.  The Technology Applications Review Committee (TARC) is charged with reviewing, approving and setting standards for all hardware, software and network access.  These procedures and standards are outlined in the Technology Policies, Procedures and Standards Manual.

Examples of issues addressed in the manual include:

  • Minimum standards for networked computers
  • Relocation of equipment
  • Computer donations
  • Personally-owned software
  • Email accounts for non-employees
  • Password resets
  • Use of email
  • Approved software lists

To further ensure that uses of technology are consistent with the goals of the district, Board Policies EFE and EFE-P Acceptable Use of Electronic Transmission Capabilities (AUP) were modified. 

The AUP states:
“Technology Services is responsible for establishing and users are required to follow all standards, policies, and procedures related to the use of technology in the Guilford County Schools.”

“The user is responsible for his or her actions and activities involving the network.  Some examples of unacceptable users are: circumventing safety configurations, modifying setup policies, modifying settings on machines, attaching unauthorized devices…” 

The complete Technology Policies, Procedures and Standards Manual can be downloaded by selecting the following link:

Technology Policies, Procedures and Standards Manual


Technology Design Specification

Construction and renovation projects are constantly under design in the district.  The Technology Design Specification has been created to provide architects and engineers with information regarding the district's technology needs and goals.  The Technology Design Specification is a generic document that sets a standard technology level for all projects while maintaining up-to-date materials and methods, future proofing, and cost effectiveness.  An individual specification is created for each project during the design process.  This ensures the most up-to-date technology and provides for the unique requirements and situations of each site.

Technology Design

Technology Design Specifications
