Planning and Implementing a Library Network Split

Separating the local area network (LAN) hosting your public access computers from your staff workstation LAN has become essential to security. Here is how one public library did this using virtual local area networks (VLANs).

Article by Lingzhen Zhao, Fort Collins Public Library, with acknowledgements to Quentin Antrim, Fort Collins City IT, and Carson Block, Fort Collins Public Library Technology Coordinator.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.

Almost all public libraries now provide their patrons with high-speed Internet access, word processing, spreadsheet and other application programs, the library's online catalog and searches of subscribed databases. With the rapid advance of digitization, online services for the public have expanded quickly in public libraries. When libraries set up their local area networks 10 to 15 years ago, most put staff and public computers on the same network to make operations more efficient and the systems easier to manage. As more viruses and spyware are created, and as hackers and intruders become more skillful, a library network that mixes staff and public computers becomes increasingly vulnerable. Many libraries have therefore started to separate the two groups of computers. This article uses Fort Collins Public Library (FCPL) as an example to illustrate how the separation, or split, can be done effectively with VLANs (Virtual Local Area Networks).

Fort Collins Public Library Network Environment before the Split:
FCPL has two libraries and three locations, with around 200 networked devices. About 100 of them serve the public and the other 100 are staff computers. The network split project was implemented from December 2004 to January 2005. FCPL's network access needs are listed below, first the needs of staff and administrators and then the needs of the public. The needs of other public libraries may vary, but the lists reflect a public library's computer access needs in general.

These access needs are diagrammed in Figure 1, which shows our original configuration with staff and public computers on the same network. There is no border between the staff and the public computers: both groups log on to the same domain and use the same servers. Even though access rights were configured appropriately for each user group, security was still an issue, because file and share permissions do not limit which hosts and services a public computer can reach at the network level. A patron with some computer skill could use the opportunity to attack staff files and computers, and viruses and spyware that infect a public computer can also infect staff computers.

Goal and Objectives:
To enhance network security, a project to split the network between the staff and public computers was proposed. FCPL's system administrators researched and found an easy and effective way to do the separation while meeting the objectives listed below. The dilemma is that the staff and public computers need to be separated, yet the separation cannot be total: both groups of computers need to access some of the same resources, and the system administrator needs one-point management, that is, access to both staff and public computers from one place.

Fort Collins Public Library's Solutions:
Since FCPL is a municipal institution, the library IT staff and the City IT staff worked collaboratively on this project. The techniques used are described in the sections that follow.

VLAN Design:
First, we decided to use VLANs to separate the staff and public computers. This means we did not change the physical network connections; instead, the split is made by assigning switch ports to VLANs and controlling the traffic between VLANs with ACLs (access control lists). Our newly installed switches support inter-VLAN routing (Layer 2/3 services), so the switches themselves route between the VLANs and apply the ACLs. A VLAN by itself is only a boundary between broadcast domains; the security comes from the ACLs applied where traffic is routed from one VLAN to another. We configured four VLANs: Public, Staff, Shared and Management.

Resource Sharing (Shared VLAN):
Because the shared resources are the ILS (the III Millennium database) and the library Web sites, we put both servers in the Shared VLAN. Although our Internet filtering server is currently used only by the public, we also put it in the Shared VLAN to make it possible for staff to use it in the future as a layer of protection against known spyware sites. Both the staff and the public computers can access resources in the Shared VLAN, but not freely: the traffic still has to pass an ACL that checks whether the communication is permitted. See Figure 2.

Resource Separation:
To separate the staff and the public networks, we created a Staff VLAN and a Public VLAN. Because the staff and the public computers are now on separate VLANs, we also separated them into two domains, each with its own domain controller. The process involves the steps listed below.

Separate or Share Client/Server Applications:
As mentioned above, FCPL has a SQL server that handles three applications: one for staff use only (the helpdesk ticket system), one for public use only (the Pay-for-Print system), and a third (the auditing tool) used for both staff and public computers. We left the SQL database server in the Staff VLAN and moved the Pay-for-Print system to the Public VLAN. The tricky one was the third application. It is agent-based software and needs to communicate with both the Staff VLAN and the Public VLAN. It could be installed in both VLANs, but that would double the software cost. Instead, we kept the auditing software on the same server and opened only the one port it needs to communicate with the Public VLAN. The server continues to perform software and hardware auditing and reporting for both VLANs, and the exposure is limited to that single port (a port number greater than 1024) on that one server; the database port and every other service on the server stay closed to the Public VLAN. That one listening service is still reachable from every public computer, so it should be kept patched and monitored. See Figure 2.

Configuration for Management Needs:
For both management and security purposes, we did the following. First, we put all switches on the Management VLAN, keeping their management interfaces off the Public and Staff VLANs. Second, we configured the ACLs so that the Staff VLAN can reach resources in the Public VLAN, but the Public VLAN cannot initiate connections to the Staff VLAN. Third, we permit only "reply traffic" from the Public VLAN to the Staff VLAN: for example, when you ping a device in the Public VLAN from the Staff VLAN, the device's reply is allowed back. On switches with stateless ACLs, reply traffic is matched by the TCP "established" keyword (segments with the ACK or RST flag set) plus explicit permits such as ICMP echo replies; this checks flags rather than tracking connections, so it is weaker than a stateful firewall. This configuration gave us higher security while keeping management easy.

Printer Share:
We opened the port needed for printing and use IP printing from the Staff VLAN directly to the printers in the Public VLAN, instead of going through a print server. These are only a few simple examples of the access relationships among the four VLANs. The actual conditions are much more complicated, but every kind of traffic can be allowed or disallowed by the ACLs. See Figure 2 for resource and device separation and sharing after the network split.

Figure 2. Resource/Device Separation and Sharing after Network Split

The Pros and Cons of VLANs in Libraries:
The advantages and disadvantages we found are listed below. Added security always means some inconvenience to the users. Many times the users cannot appreciate the efforts administrators make to maximize security, because from their angle they see no benefit, only the inconvenience. Communication with all library staff and managers, and user education, are therefore also very important in this change.

FCPL's network split project was a success. After the network split, the city's intranet and email system were made accessible to the Staff VLAN. We could not have done so if we had not separated our networks, because of the risks from public computers on the same network.

Staff and Administrators access needs:
Internet access - all staff members need Internet access to perform their daily research duties.
Intranet and file sharing - some documents need to be shared among staff members, so a LAN with file server(s) is needed.
Integrated Library System (ILS) - staff need to access the library system (in our case, III's Millennium system) for cataloging, circulation, acquisitions and statistics/reporting duties.
Library Web sites.
Email system.
Domain controller authentication.
Database server - FCPL has a SQL database server hosting a software/hardware auditing and reporting tool for both staff and public computers, a helpdesk database (staff use only) and a print charging system (public use only).
System administrators need to access all staff and public computers and servers from a central location.
Public access needs:
Internet access
Library system for catalog and database searches
Library Web sites
Domain controller for network authentication
Pay-for-Print system
Access by the auditing and reporting tool
Proxy server for Internet filtering
Objectives:
Staff and public computers on different networks
Staff computers can still access public computers for administrative purposes, but public computers cannot initiate communication with staff computers
Both staff and public computers access the Internet through the same Internet router (for cost effectiveness)
Both staff and public computers can access the ILS and the library Web sites
Both staff and public computers can access the server applications that both groups use
Staff computers can print on the printers intended for public use
Network split steps:
Make an accurate switch port vs. computer list, so the network engineer knows which ports to configure for the Staff VLAN and which for the Public VLAN.
Configure each switch port into one of the four VLANs (Public, Staff, Shared or Management) and create an access control list for each VLAN.
Prepare at least two new servers for the new public domain, and install the needed application software on them.
Visit each public computer. Reconfiguration is necessary on all public computers because they must join the new domain.
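The ACL behaviour described in the Configuration for Management Needs, Separate or Share Client/Server Applications and Printer Share sections above, written out as a runnable model. This is an added example and not FCPL's own switch configuration, which the article does not reproduce. The subnets, host addresses, the auditing agent port (the article says only that it is greater than 1024), the ILS and Web site ports, the filtering proxy port, the raw IP printing port 9100 and the SSH/Telnet ports for the switches are all assumed for illustration. The model reproduces how stateless inter-VLAN ACLs on a layer-3 switch behave: rules are matched in order, anything unmatched is denied, and "reply traffic" is recognised by the TCP ACK/RST flags (the Cisco established keyword), with ICMP echo replies permitted explicitly. It also covers two edge cases the article mentions: the wake-up broadcast that cannot cross VLANs, and the filtering proxy that is not yet opened to staff.

```python
# Model of the four-VLAN ACL policy described in the article.  Added example,
# not FCPL's switch configuration: it reproduces how stateless inter-VLAN ACLs
# on a layer-3 switch behave (rules checked in order, first match wins,
# implicit deny, "reply traffic" recognised by the TCP ACK/RST flags, as the
# Cisco 'established' keyword does).  Every address and port is an assumption.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

VLANS = {  # assumed subnets; the article publishes none
    "staff": ip_network("10.1.0.0/24"), "public": ip_network("10.2.0.0/24"),
    "shared": ip_network("10.3.0.0/24"), "management": ip_network("10.9.0.0/24"),
}
ILS_SERVER, WEB_SERVER, PROXY_SERVER = map(ip_address, ("10.3.0.10", "10.3.0.20", "10.3.0.30"))
SQL_SERVER = ip_address("10.1.0.50")    # auditing/helpdesk SQL server, left in the Staff VLAN
AUDIT_AGENT_PORT = 5000                 # placeholder: the article only says "greater than 1024"
WEB_PORTS = {80, 443}                   # assumed ports for the ILS catalog and the Web sites
PROXY_PORT, PRINTER_PORT, MGMT_PORTS = 8080, 9100, {22, 23}   # assumed
# Constructed hosts for the demo and tests.
ADMIN, STAFF_FILESERVER = ip_address("10.1.0.20"), ip_address("10.1.0.10")
PUBLIC_PC, PUBLIC_PRINTER = ip_address("10.2.0.15"), ip_address("10.2.0.200")
SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                          # "tcp", "udp" or "icmp"
    dport: int = 0
    tcp_flags: frozenset = frozenset()  # SYN for a new connection, ACK for a reply
    icmp_type: str = ""                 # "echo-request" or "echo-reply"

def vlan_of(addr):
    """VLAN containing addr, or None when the address is off-net."""
    return next((n for n, net in VLANS.items() if addr in net), None)

def is_broadcast(pkt):
    """Limited or directed broadcast.  A layer-3 switch does not route these,
    which is why a wake-up (Wake-on-LAN) magic packet cannot cross VLANs."""
    return pkt.dst == ip_address("255.255.255.255") or any(
        pkt.dst == net.broadcast_address for net in VLANS.values())

def established(pkt):
    """Cisco-style 'established': TCP with ACK or RST set.  A flag check, not
    connection tracking, so a bare ACK from a public host matches too."""
    return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})

def tcp_to(hosts, ports):
    return lambda p: p.proto == "tcp" and p.dst in hosts and p.dport in ports

# (source VLAN, destination VLAN, match, permit, description); first match wins.
RULES = [
    ("staff", "public", lambda p: True, True, "staff -> public: any (administration, IP printing)"),
    ("public", "staff", tcp_to({SQL_SERVER}, {AUDIT_AGENT_PORT}), True, "public -> SQL server: agent port only"),
    ("public", "staff", established, True, "public -> staff: TCP reply traffic only"),
    ("public", "staff", lambda p: p.proto == "icmp" and p.icmp_type == "echo-reply", True, "public -> staff: ping replies"),
    ("staff", "shared", tcp_to({ILS_SERVER, WEB_SERVER}, WEB_PORTS), True, "staff -> shared: ILS and Web sites only"),
    ("public", "shared", tcp_to({ILS_SERVER, WEB_SERVER}, WEB_PORTS), True, "public -> shared: ILS and Web sites"),
    ("public", "shared", tcp_to({PROXY_SERVER}, {PROXY_PORT}), True, "public -> shared: filtering proxy"),
    ("shared", "staff", established, True, "shared -> staff: replies only"),
    ("shared", "public", established, True, "shared -> public: replies only"),
    ("staff", "management", lambda p: p.proto == "tcp" and p.dport in MGMT_PORTS, True, "staff -> switches: SSH/Telnet"),
    ("management", "staff", established, True, "management -> staff: replies only"),
]

def evaluate(pkt):
    """Return (permitted, reason) for one packet offered to the layer-3 switch."""
    if is_broadcast(pkt):
        return False, "broadcast is not forwarded between VLANs"
    src, dst = vlan_of(pkt.src), vlan_of(pkt.dst)
    if src is None or dst is None:
        return True, "off-net traffic: left to the shared Internet router, not modelled here"
    if src == dst:
        return True, "same VLAN: switched at layer 2, no ACL consulted"
    for s, d, match, permit, desc in RULES:
        if (s, d) == (src, dst) and match(pkt):
            return permit, desc
    return False, f"implicit deny ({src} -> {dst})"

DEMO_FLOWS = [  # constructed flows, one per point the article makes
    ("admin opens RDP to a public PC", Packet(ADMIN, PUBLIC_PC, "tcp", 3389, SYN)),
    ("staff prints to a public printer", Packet(ADMIN, PUBLIC_PRINTER, "tcp", PRINTER_PORT, SYN)),
    ("public PC opens a staff file share", Packet(PUBLIC_PC, STAFF_FILESERVER, "tcp", 445, SYN)),
    ("auditing agent reports to SQL server", Packet(PUBLIC_PC, SQL_SERVER, "tcp", AUDIT_AGENT_PORT, SYN)),
    ("public PC probes SQL port 1433", Packet(PUBLIC_PC, SQL_SERVER, "tcp", 1433, SYN)),
    ("public PC answers the admin's ping", Packet(PUBLIC_PC, ADMIN, "icmp", icmp_type="echo-reply")),
    ("wake-up broadcast from staff", Packet(ADMIN, VLANS["public"].broadcast_address, "udp", 9)),
    ("staff PC uses the filtering proxy", Packet(ADMIN, PROXY_SERVER, "tcp", PROXY_PORT, SYN)),
    ("public ACK probe of staff file server", Packet(PUBLIC_PC, STAFF_FILESERVER, "tcp", 445, ACK)),
]

if __name__ == "__main__":
    for label, pkt in DEMO_FLOWS:
        permitted, reason = evaluate(pkt)
        print(("PERMIT" if permitted else "DENY").ljust(7), label.ljust(40), reason)
```

Running the block prints a verdict for each constructed flow. The last flow shows the limit of flag-based matching: a bare ACK segment from a public PC to a staff file server is permitted, because the rule checks flags rather than connection state. The target's TCP stack discards the stray segment, but such probes can still map which ports the ACL lets through, which is why a stateful firewall between the VLANs gives stronger separation than an "established" rule alone.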
Advantages:
Security is enhanced - this is our primary objective. Traffic between VLANs is controlled and "firewalled" by ACLs, and insecure or unnecessary traffic between VLANs, such as multicast and broadcast, is limited.
There is no need to separate staff and public computers by physically changing switches and routers.
Configuration is flexible - administrators can allow or disallow any protocol through any port from one VLAN to another, or specific traffic from one device to another, by modifying the access control lists, which meets the objectives of resource sharing and separation. For temporary or special needs the administrator can simply reconfigure the ports, which meets the objective of easy management.
Disadvantages:
Because VLANs separate the staff and public computers, separate domains (and therefore separate domain controllers) are needed for network authentication, and separate servers for the same application may also be required. This can add cost for both software and hardware.
Although system administrators in the Staff VLAN can still access and manage public computers and servers, there are inconveniences: administrators must log on separately to the two domains, and public computer names and IP addresses must be entered manually into the WINS or DNS servers in the Staff VLAN, initially and whenever there is a change. If the administrator is working on a public computer, there is no way to access files in the Staff VLAN. Another inconvenience is that librarians cannot use, for instance, the reference desk computers in the Staff VLAN to remotely wake up (turn on) all the public computers. Instead, the librarian has to turn on one public computer first and wake up the rest from it, because the wake-up request is a broadcast, and for security reasons we do not forward broadcasts between VLANs.
IT staff time and skills are needed for the process. Developing ACLs is complicated and time consuming and requires deep networking knowledge. In a domain environment all the public computers must be reconfigured, since they move to a separate domain, and the switch ports must be configured as well.