Infrastructure/Connectivity
Without a secure, reliable, state-of-the-art network in place, it is virtually impossible to deploy the applications that schools want to offer and to meet national, state and district mandates. Guilford County Schools has built a wide area network of more than 110 school and central office sites. Approximately 24,000 computers and more than 99% of all classrooms have access to the Internet, email and other software applications using the network. It is the goal of Technology Services to provide a powerful and secure infrastructure for all classrooms that will enable high-speed access for current and future applications.
This section includes information related to the infrastructure and connectivity installed in the district.
Current Network Environment
Current Network Design
Desktop Management
Remote Control Software
Deployment and Patch Management
Inventory Management
Anti-Spam Software
Metro E – Higher Bandwidth Network
Network Access and Email Accounts
Servers
Wireless Hot Spots
Network Improvements
Disaster Recovery Plan
Voice Communication Systems
Network Policies
Current Network Environment
Current Network Design
The current cloud-based network was built using industry-standard equipment and software. All connections to schools originally used Frame-Relay T1-type communication lines provided by BellSouth. Sites today communicate through a new fiber-based Metro Ethernet solution providing speeds up to 100 Mbps. All sites use Cisco switches and routers.
A central network operation center (NOC) was established at the Technology Center. All network traffic from schools returns to the NOC for access to centralized services and the Internet. Data lines connect the NOC to our Internet Service Provider (ISP).
Application servers, email servers, DNS servers, deployment servers (Altiris Management, McAfee AntiVirus), appliances (such as filtering devices), the VPN concentrator and the backup storage system are all housed at this site. Servers that are accessible to the public, such as web servers, are located within an area called the de-militarized zone (DMZ). Web-based access to email is routed through the DMZ and available remotely. Also in the DMZ are application servers that are provided by outside vendors (NovaNET, SuccessMaker, Expedition).
Other technology strategies employed by Guilford County Schools include:
- Use of Active Directory as the single authentication source
- Use of standard TCP/IP protocol
- Use of domain naming services (DNS), dynamic host control protocol (DHCP) and network address translation (NAT)
- A de-militarized zone (DMZ) for all public access devices
- Cisco’s Checkpoint firewalls
- Orion and What’s Up wide area network and server monitoring tools
- Centralized iPrism appliances that filter access to undesirable sites on the Internet
- An Intranet with critical devices and custom applications available only within the Guilford County network to users with proper authentications
- A Virtual Private Network (VPN) that allows secure access to the network including internal Intranet applications from remote sites
- Email servers protected by McAfee’s Groupshield AntiVirus
- Email filtered by IHateSpam
- Desktops protected by McAfee’s VirusScan antivirus software
- Desktops “locked down” using Microsoft’s Policy Manager
Sites have been cabled with category 5e, category 6 and fiber backbone cabling. All schools have centralized wiring closets with backbone switches. Most schools use Cisco switched 10/100 Mbps equipment in all closets.
More than 400 classes in Guilford County are held in mobile units. Many of these classrooms were originally connected to the wide area network using wireless technology. While a wireless solution is more cost effective than installing fiber optic cable, it provides slow access for some educational applications. Traditional wired connections are now being used for new mobile installations and many of the original wireless solutions are being replaced.
Desktop Management
Standardized software is provided for all computers in the district. In addition to curriculum-based software for the particular grade/area, Microsoft Office Pro is used at all levels. All computers are connected to the wide area network and have access to the Internet and email. The district currently uses Internet Explorer 6.x with various drivers and plug-ins. Updated directories of virus protection files are automatically deployed using McAfee’s VirusScan to all desktops nightly or on demand in case of an outbreak.
All desktops are “locked down” using Microsoft’s policy manager and require a user to log in to the network. Access varies according to the user identification and group. All teachers have a specific user identification and authentication. They are allowed to download from the Internet and save data to their home directory; however, they are not allowed to load software or map drives. They must complete a help desk request ticket for a technician to install new software. Students use general user accounts. They access installed software with no download capabilities and may save only to a diskette or zip disk.
Remote Control Software
With the number of computers growing and multiple applications increasing in complexity, Guilford County purchased remote control management software to assist with the technical support of individual desktops. NetSupport Manager enables a technician to browse, diagnose and resolve technical issues using the network. Common problems can be addressed quickly without the need for staff to physically visit a school site. Another module, NetSupport Schools, is available in all computer labs. It enables teachers to access and manage student desktops.
Deployment and Patch Management Software
The district uses McAfee’s VirusScan antivirus software on all desktops. This product is integrated with McAfee’s ePolicy Orchestrator to provide centralized management. From a single console, policies are created that permit or force actions to all desktops. ePolicy deploys the latest virus updates to all desktops nightly or on demand in case of an outbreak. If an update is not yet available for a new virus, the response feature enables the district to take actions like port blocking or file blocking. The management system can also trace the IP address of endpoints sending malicious code.
Altiris Deployment Solution and Altiris Patch Management were purchased to enable mass distribution of software applications, upgrades, drivers and patches. The software allows mass deployment of an OS and base applications or configuration of school-specific software. Tasks can be initiated immediately or scheduled for after hours. In addition, the Patch Management module links directly to Microsoft for patch notifications and scans connected desktops to report missing security updates.
Inventory Management Software
Technology Services also purchased Altiris Inventory Management. The system collects detailed configuration data about all Windows computers attached to the network. When changes are made at the desktop level, they are automatically reported to the central database. The software enables us to more easily and accurately answer budget and planning questions such as:
- how many computers need additional memory
- which machines are affected by a manufacturer’s recall
- which schools have the necessary equipment to use a new software package with specific requirements
Anti-Spam Software
Guilford County purchased IHateSpam Filtering Software for our email system. This is a software package that is designed to detect unsolicited email advertisements, known as SPAM. Those messages are moved automatically into a new Quarantine folder and periodically deleted if not moved. Statistics show that six of every ten email messages are SPAM messages and are being blocked by the software.
Metro E – Higher Bandwidth Network
Through 2004-05, all wide area network connections to school sites used T1 communication lines (1.5 Mbps speed). Network statistics indicated that the system continually operated at 80% or higher during regular working hours. When there was increased traffic or faulty equipment, the system was especially prone to slowdowns and timeouts.
Recognizing that we were on the verge of “outgrowing” our current network, a contract was approved in February 2005 to implement a high-speed network with BellSouth called Metro Ethernet (Metro E). The new technology is a fiber-based solution that would be installed at all sites over a two-year timeframe.
All middle and high school circuits are configured at 50 Mbps and can handle burst speeds up to 100 Mbps. Implementation in the elementary schools will continue through 2006. Each of these lines will be configured at 10 Mbps with the bursting feature.
Network Access and Email Accounts
Network access and email are established for all employees of Guilford County Schools. User accounts are automatically created for new employees at the time an employee is added to the Human Resource Management System.
The user’s legal name, as stored in the Human Resource Management System, is used to create network access and email accounts. Individual users access the domain with their unique user identification. Each user has a password and a level of authority assigned. User identifications and level of access are correlated to the HRMS system employment assignment and stored in the Active Directory. Intranet applications require users to be working on the Guilford County network (or have VPN access).
Employees must be familiar with and adhere to the Acceptable Use Policy (AUP). The AUP is included in the Personnel Handbook that each employee signs and receives annually.
Employees are routinely reminded that email is not private. The use of email as a means of communication is subject to all laws and policies that address the issues associated with the confidentiality of student and employee records.
The following statement is included in all delivered email.
“This email is for the sole use of the individual for whom it is intended. If you are neither the intended recipient, nor agent responsible for delivering this email to the intended recipient, any disclosure, retransmission, copying, or taking action in reliance on this information is strictly prohibited. If you have received this email in error, please notify the person transmitting the information immediately. All email correspondence to and from this email address may be subject to NC Public Records Law which may result in monitoring and disclosure to third parties, including law enforcement.”
Servers
Guilford County Schools operates more than 400 servers. The network architecture is Microsoft-based using Active Directory. All centralized systems are located at either the main Eugene Street central administration building or at the Technology Center. As budget allows, these systems have been replicated and secondary paths created.
Email accounts are divided alphabetically and distributed to eight individual email servers housed at the Technology Center. Application servers, DNS servers, email servers, deployment servers, appliances such as filtering devices, the VPN concentrator and the backup storage system are all housed at the central site. Servers such as web servers that are accessible to the public are located within the DMZ.
The backup and recovery procedures for district servers are documented annually for the external audit of the general financial statements. In addition, the data on servers identified as mission critical is also replicated to the centralized storage system for quicker recovery.
School sites have a domain controller, an Altiris Management Server and typically two application servers. Thirty-three servers are used exclusively for SIMS with Novell 5.1 or higher operating system. Backups for school application servers are the responsibility of the media specialist (or school contact) and SIMS Operators of that school. Individual servers use Veritas Backup Exec software.
Wireless Hot Spots
The growth of Wi-Fi networks has been extremely rapid in recent years. Users want to extend the same functions of the wired network to a wireless one. The push to wireless access brings new challenges. We need to meet the demands for “anytime, anywhere” network access without compromising security.
Guilford County is working with a Cisco partner to plan “wireless hot spots” in all of the middle and high schools. The “hot spots” would provide wireless access in the common areas of the school such as the media center and the administrative offices. The “hot spot” would be available to valid network users with laptops or visitors needing temporary access to the Internet.
As we segment our school networks into VLANs, we created a “Guest Network”. When a wireless laptop (or rogue computer plugged into an active Ethernet port) accesses the network, user authentication is required. If the device does not meet standards and have appropriate user identifications, that device will be isolated to the “Guest Network” and have only limited privileges. A student or visitor’s laptop will have temporary access only to the Internet and no other network resources.
Network Improvements
Managing the network infrastructure is becoming an increasingly complex task. The utilization of the network in education provides exceptional opportunities for users but it also increases the associated risks. Technology Services must continually find new solutions that improve bandwidth, provide additional features and protect against new vulnerabilities. The following are network improvements that Technology Services is implementing:
- In all middle and high schools, implement intrusion prevention systems (IPS) that use multiple behavior detection technologies to stop known and unknown virus attacks and further block these at the school site to keep them from propagating throughout the rest of the network
- Install a frontline appliance/software at the gateway that will reduce malicious virus and spam traffic from reaching the email servers (where GroupShield and IHateSpam will provide second layer protection)
- Subdivide school networks into workgroups called Virtual Local Area Networks (VLANs), applying different policies and securities and creating a “Guest Network” for Internet access only
- Install wireless “hot spots” in middle and high schools
- Replace remaining non-Cisco switches that do not have VLAN capabilities
The following are network improvements that Technology Services will investigate and possibly implement as budgets allow:
- Move from software that scans and removes spyware to an enterprise solution that proactively blocks incoming activity
- Investigate access control software that will detect devices that are not compliant with security policies as they attempt to access network resources
- Continue development of redundancy for critical network devices and path
Disaster Recovery Plan
As a part of the annual external audit of the general financial statements for Guilford County, auditors review internal controls and operating efficiencies related to the major business applications used by the district. Critical data systems and applications have been identified and assessed. All of those systems are now located at either the main Eugene Street central administration building or at the Technology Center on Prescott Street. As budget allowed, those systems have been replicated and secondary paths created. In addition, a complete Disaster Recovery Plan was written.
SmartRing: BellSouth now provides a fiber ring connection between Eugene Street and the Technology Center. The connection enters each building along a different route, creating an alternate path if service is disrupted. The smart ring also provides faster access and data transfers than the typical T1-type communication lines. This better enables duplicate equipment to synchronize in real time.
Secondary iSeries 400: Guilford County’s centralized mainframe computer is located at Eugene Street and is used for most of our major business applications such as Payroll, Purchasing, Financial, Human Resource and Child Nutrition. A smaller duplicate computer was installed at the Technology Center on Prescott Street. The primary computer continually replicates data and programs to the secondary unit. Should the main computer have a disruption of service, work could resume as user files are retrieved from the smaller computer located at the Technology Center. Daily backups of both systems continue to be maintained and stored in offsite vaults.
Generators: Generators and uninterruptible power systems have been purchased for the main Eugene Street site and the Technology Center. These systems have the capacity to provide power to each site for several hours.
Backup Storage System: Technology Services recently installed a backup storage system at Eugene Street and at the Technology Center. The solution enables us to back up critical data from a variety of sources onto centrally managed storage. In case of lost data, recovery is much faster and more reliable than using media such as tapes. Documents from individual desktops, data from various application servers, the data warehouse, public folders, web sites and email are all copied to one of the storage devices. The building systems are then replicated to each other for added security. Routine backups of critical data continue to be maintained in offsite vaults.
Voice Communication Systems
Major telephone system replacements are included in the Capital Improvement Plan. For the projects in the 2000 Bond Referendum, Guilford County standardized on the Nortel Option 11C. The Option 11C is a reliable Private Branch Exchange (PBX) system with many available features and the capability to easily handle a campus environment. The configuration included voice mail for all teachers, telephones in every classroom and wireless access for administrators.
With the installation of the new Metro Ethernet solution, Guilford County Schools’ network now has available bandwidth to implement the newer Voice Over IP (VOIP) standard for voice communications. VOIP uses the data network and equipment for voice services rather than a traditional telephone solution. VOIP has been implemented successfully in several school districts and universities. It offers many new features and can be very cost-effective. We are installing this system in the 2003 bond/renovation projects.
Network Policies
Updates and additions to the network must follow strict standards to ensure interoperability, reliability and maintainability of the networking infrastructure. The Technology Applications Review Committee (TARC) is charged with reviewing, approving and setting standards for all hardware, software and network access. These procedures and standards are outlined in the Technology Policies, Procedures and Standards Manual.
Examples of issues addressed in the manual include:
- Minimum standards for networked computers
- Relocation of equipment
- Computer donations
- Personally-owned software
- Email accounts for non-employees
- Password resets
- Use of email
- Approved software lists
To further ensure that uses of technology are consistent with the goals of the district, Board Policies EFE and EFE-P Acceptable Use of Electronic Transmission Capabilities (AUP) were modified.
The AUP states:
“Technology Services is responsible for establishing and users are required to follow all standards, policies, and procedures related to the use of technology in the Guilford County Schools.”
“The user is responsible for his or her actions and activities involving the network. Some examples of unacceptable users are: circumventing safety configurations, modifying setup policies, modifying settings on machines, attaching unauthorized devices…”
The complete Technology Policies, Procedures and Standards Manual can be downloaded by selecting the following link:
Technology Policies, Procedures and Standards Manual