Networked Information Systems
A portfolio of our work in Networked Information Systems
The world of the 21st century will be characterised by one thing more than any other: the pervasiveness of its information flows. Most smaller (and some very large!) organisations have a networking infrastructure firmly stuck in the 1990s with a simple dumb connection linking each computer with the internet. This is:
- Inefficient, because all network traffic is treated equally when some of it matters far more than the rest. If you run a VoIP telephone system then giving VoIP traffic quality-of-service priority over everything else is paramount, unless you wish call quality to suffer. You may be paying data download surcharges because staff are downloading movies and music or running p2p applications; even on an unlimited connection, one user maxing out the link slows internet access for everyone else.
- Unsafe, because the users of your network may browse websites, or content on those websites, which could land you in sticky legal trouble, or download viruses and spyware which infect your organisation's computers and cause the loss of valuable productivity and information. In particular, an unfirewalled company network is just asking for data theft.
- Wasteful, because staff may expend much of their daily effort on social networking sites or on deleting spam rather than on work which contributes to your business. We don't advocate cutting these sites off completely, as this generates morale problems and incentivises attempts to break the system, but one can intelligently restrict access to sites such as Facebook according to job role and time of day. We do, however, advocate filtering out as much spam as possible: we ourselves read only one or two spam messages a week despite an arrival rate of nearly twenty thousand per day!
Even five years ago it was not cheap to install a filtering gateway; thanks to recent advances, however, one can build a reasonably capable network filter from an old PC which you would normally throw out.
We at ned Productions Ltd. tend to install one of two kinds of network filter depending on how old the available hardware is:
- Untangle, a layer 7 (application layer) network filter, which means it can look inside the data being conveyed and modify it in situ. This requires recent hardware.
- pfSense, a layer 3 (network layer) filter, which means it can filter only on what the data publicly declares about itself, such as its addresses and ports, and cannot modify the content in situ. This runs on most hardware made in the past decade.
Untangle
Untangle is a software platform which provides reasonably powerful filtering abilities by analysing traffic content in real time. For example, you could configure Untangle to monitor all Instant Messaging conversations going in and out of your organisation and to rewrite certain parts according to a set of rules; this would be particularly useful in schools. As mentioned before, you can have Untangle prioritise certain kinds of traffic and penalise others, e.g. web traffic is prioritised over BitTorrent traffic (a system for downloading movies, music and other large content which tends to be very heavy on a network connection).
Because Untangle actually looks inside each and every packet transferred, it cannot be fooled or cheated by the common methods of bypassing a filter, such as changing what the data publicly declares its content to be. Untangle also understands proxy connections (using a different computer to fetch illicit content for you in order to bypass filtering), so it is fairly hard to bypass.
Filtering Content
Untangle can filter out many kinds of content, e.g. pornographic images. It won't catch all of them: for example, Google Image searches can occasionally show uncensored thumbnails, but the full-size originals will not be viewable. It can also filter out web adverts, such that you will almost never see another advert on a webpage again. One of the biggest features of Untangle is inline virus and spyware filtering: Untangle literally finds and removes viruses and spyware as the content enters your organisation while your users browse the internet. This happens with an imperceptible delay: none of your users will likely ever notice. Meanwhile, your organisation need not worry about becoming infected from the internet ever again!
Not only can Untangle remove viruses and spyware from web pages and email, it can also remove almost all email spam by much the same methods. Again, this happens transparently: your users simply find 98+% less spam in their email. Untangle automatically keeps itself up to date with the latest virus, spyware and spam definitions.
Another big advantage of a layer 7 filter is the power of its logging facilities: not only can you record which sites a person visits, but you can record precisely what they do on those sites, down to every letter they type. For certain kinds of organisation this level of logging is invaluable, though we strongly recommend that employees are made aware of its use.
Hardware Requirements
Because it performs deep packet inspection, Untangle needs fairly beefy and recent hardware. We can put together a low-power (less than 20 W), low-cost PC with the requisite specifications for less than €500 ex VAT, depending on organisation size. Untangle also offers optional, even more powerful add-on components which require rental; full details are available here.
pfSense
pfSense is our choice for older PCs: we have installed quite a few of these on 1996-era hardware and they run surprisingly well. Many of pfSense's facilities are a vastly superior form of what comes with an ADSL router modem: a stateful firewall with intrusion protection which detects network-borne attacks such as worms attempting to infect your organisation's computers, a NAT server which allows all the computers in your network to share the ISP connection, a DHCP server which automates the allocation of unique IP addresses to those computers, and a caching DNS server which lets your computers translate website names into IP addresses on the internet.
However, pfSense does much more. You can perform simple filtering based on the source and destination of traffic as well as on what the traffic says its content is. You can have multiple private networks share a single ISP connection without being able to access one another, which is very useful for office buildings with a single internet connection but housing multiple companies. You can have your connection provide external access to in-house servers in a secure way (what is called a DMZ), which is useful for teleworking and for linking up geographically distributed offices. One can even require all web access to first go through a login page, ideal for cafes and hotspots.
Lastly, pfSense can automatically switch over to an alternative internet connection (e.g. a 3G modem), which helps ensure that you don't lose business if your ISP connection suddenly fails.
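The multi-tenant and DMZ arrangement described above, written as an added illustrative ruleset in FreeBSD pf syntax (the packet filter underneath pfSense); it is not the configuration pfSense generates nor ned Productions' own, and the interface names, address ranges and web server address are assumptions.

```pf
# Added illustrative pf ruleset in FreeBSD pf syntax (the engine under pfSense);
# these are not the rules pfSense generates. Interface names and addresses are assumed.
ext_if    = "em0"            # ISP uplink
tenant_a  = "em1"            # company A's private LAN
tenant_b  = "em2"            # company B's private LAN
dmz_if    = "em3"            # DMZ holding the in-house web server
webserver = "192.168.30.10"

table <tenants> { 192.168.10.0/24, 192.168.20.0/24 }
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Translation: every private network shares the one ISP address ...
nat on $ext_if from <private> to any -> ($ext_if)
# ... and only HTTPS on the web server is published to the outside world
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $webserver port 443

# Filtering: default deny, and drop packets whose source does not belong on the arriving interface
block log all
antispoof log quick for { $tenant_a $tenant_b $dmz_if }

# Tenants may use the gateway's own DHCP and DNS services
pass in on { $tenant_a $tenant_b } inet proto udp from any port 68 to any port 67
pass in on { $tenant_a $tenant_b } proto { tcp udp } from <tenants> to self port 53

# Tenants may reach the internet but no private network, so company A cannot see company B
pass in on { $tenant_a $tenant_b } from <tenants> to ! <private> keep state
# The one permitted cross-network path: the published web service
pass in on { $tenant_a $tenant_b } proto tcp from <tenants> to $webserver port 443 keep state

# A DMZ host may talk outwards only; if it is compromised it cannot pivot into tenant LANs
pass in on $dmz_if from 192.168.30.0/24 to ! <private> keep state

# Inbound from the ISP: by the time filtering runs, rdr has rewritten the destination
pass in on $ext_if proto tcp from any to $webserver port 443 keep state
pass out all keep state      # replies and forwarded traffic already admitted by the rules above
```

`pfctl -nf pf.conf` parses the file without loading it, which catches ordering and syntax mistakes before a bad ruleset cuts off the gateway.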
Voice Over IP (or Radio Over IP)
We have experience with a wide variety of VoIP solutions. At the very simplest level, one simply installs and configures a set of Siemens Gigaset IP telephones; we have found these to be the easiest for most smaller organisations as they provide both conventional and IP-based telephony in one simple system. Using a quality VoIP provider, one can reduce international mobile call rates to just €0.06/minute and international landline rates to €0.0001/minute (at the VoIP level it doesn't matter which country you originate from: Irish mobiles are little different to Israeli mobiles).
Moving further on, a switchboard suitable for customer support can be implemented using the industry-standard Asterisk VoIP platform, which can easily implement call queues and keypad-operated voice menus along with plenty more, such as intelligent call trunking (i.e. selection of call provider based on the number called, e.g. all US calls are routed one way whereas all French calls are routed another).
Lastly, we even have some experience with routing Radio over IP through software: this merges a radio interface with Asterisk, which allows (for example) the radio networks on two geographically separate sites to be integrated, e.g. a central security office could monitor the security radio networks of multiple sites, including transmission to a remote site. There is a slight lag in transmitting via this system due to the CPU processing time required by the filters; however, considering that custom hardware solutions for this task cost tens of thousands of euro, we can offer a very significant cost saving.
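The call queues, keypad menu and per-destination trunk selection just described, as an added illustrative Asterisk dialplan (extensions.conf) that is not ned Productions' configuration; the trunk names, queue names and sound files are assumptions, and the queues and SIP trunks are assumed to be defined in queues.conf and sip.conf.

```ini
; Added illustrative dialplan; trunk names (us-trunk, fr-trunk, ie-trunk, default-trunk)
; and queue names (sales, support) are assumptions, not a real deployment.

[outbound-intl]
; Numbers arrive in Irish dialling form, 00 + country code. Asterisk picks the most
; specific pattern, so each destination goes to its cheapest provider in E.164 form.
exten => _001NXXNXXXXXX,1,Dial(SIP/+1${EXTEN:3}@us-trunk,60)   ; strip "001", add +1
exten => _0033.,1,Dial(SIP/+33${EXTEN:4}@fr-trunk,60)          ; strip "0033", add +33
exten => _00.,1,Dial(SIP/${EXTEN}@default-trunk,60)            ; everything else abroad

[outbound-national]
exten => _0[1-9].,1,Dial(SIP/${EXTEN}@ie-trunk,60)

[support]
; Keypad-operated menu feeding two call queues
exten => 100,1,Answer()
 same => n,Background(support-menu)      ; "press 1 for sales, 2 for support" (assumed sound file)
 same => n,WaitExten(5)
exten => 1,1,Queue(sales,t,,,300)        ; t: agent may transfer; give up after 300 s
exten => 2,1,Queue(support,t,,,300)
exten => t,1,Goto(2,1)                   ; no keypress: default to the support queue
exten => i,1,Playback(invalid)           ; unknown keypress
 same => n,Goto(100,1)

; Ordinary handsets can dial nationally only, so a compromised or misused phone
; cannot run up international bills (the classic abuse of an exposed PBX).
[staff-phones]
include => outbound-national

[management-phones]
include => outbound-national
include => outbound-intl
```

Each phone's `context=` in sip.conf chooses which of the last two contexts it lands in, so the toll restriction is enforced by the PBX rather than by trust in the handset.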
