Infrastructure review synthesis: Post 4, Networks

This post is the fourth in a series of ten posts that have been created to identify the best practice found in FE colleges by the Jisc infrastructure review service. An introduction to the infrastructure review synthesis project is provided in the first post in the series.


Having robust connectivity in place is now vital, especially as the majority of colleges have increased the number of remotely hosted or SaaS applications that they use. This is an important concern as the majority of colleges have moved to SaaS provision of email and calendaring services, and also provide other line of business application software through ‘cloud-hosted’ means. The increased use of SaaS means that the internet connection is one of the most serious ‘single points of failure’ in a college’s IT infrastructure.

In colleges with multiple sites, the inter-site links are well specified to enable equity of IT service delivery over all sites.

The colleges that have a truly resilient WAN (wide area network) link are well protected from service outages, should the secondary link be routed in a fully route-separate way. This means that the secondary connection shares no duct or active equipment with the primary connection.

In the best examples of resilience colleges will configure BGP (border gateway protocol) to ensure that services gracefully failover from one internet connection to another, with no interruption to service. In the majority of colleges that have a primary Janet connection the connection has sufficient bandwidth to meet their needs. In a minority of colleges that have lower bandwidth 100Mbit/sec connections they are starting to find that this is insufficient at peak times, upgrades to 1Gbit/sec connections have been recommended to these colleges. Such upgrades are not currently fully funded. Note that in order to have a fully resilient internet connection IT teams implement high availability pairs of firewalls or UTM (unified threat management) appliances to prevent these appliances from becoming a single point of failure.

The most advanced colleges have a fully modernised WAN, LAN (local area network), WLAN (wireless local area network) and telephony system. These colleges have a robust renewal or review pending of elements of LAN, WLAN, or other elements such as a telephony system. In the best cases core network switches, WLAN controllers and wireless access points are under manufacturer support and are receiving regular security patches. This addresses key cyber-security concerns and means that organisations can meet the requirements of security certifications such as Cyber Essentials. The most effective teams maintain LAN, WAN and WLAN diagrams and other documentation in order to reduce the time taken to troubleshoot issues and to plan improvements. In the best examples network monitoring and alerting is proactively used to improve service delivery by monitoring traffic flows and to monitor up / down data on specific hardware or links. This means that IT teams can detect problems before they impact service delivery and allows teams to fix problems before they are informed that a concern exists by a user.

In the most secure networks comprehensive use is made of VLAN structures to appropriately segregate types of network traffic, this improves security and limits the damage that specific threats such as malware or bad actors may cause. In the most resilient networks, the core is structured as a resilient ring, allowing a break in the ring to be mitigated by alternate routes to all distribution points. In addition, distribution switches are multi-homed so that they connect back to two or more core switches that provide connectivity to the rest of the network. Most modern networks operate with at least 10Gbit/sec on the core and 1Gbit/sec to all endpoints.

In terms of wireless networks (Wi-Fi) modern networks use the 802.11ac standard or newer to provide high density, high bandwidth service delivery. Wireless Access Points (WAP’s) are located in accordance with the construction of the building in order to eliminate dead spots, and to provide a high level of service delivery. The IT may have optimised the placement of access points using a Wi-Fi design tool such as Ekahau. Wireless networks perform best when the number of network names (SSIDs) are as low as possible, in the best examples the IT team use a RADIUS technology such as eduroam to enable users to be dropped into different VLANs based on group membership rather than having to advertise multiple SSIDs. BYOD (bring your own devices) support can be robustly provided through the use of wireless profiles, such as those made possible by eduroam and similar systems. Alternatively, a captive portal can be used to force users to authenticate using their organisational account. Without such systems in place it is not possible to provide accountability through resolving all web traffic to an individual user. Guest access is highly controlled, either through issuing a specific account to users as guest users sign into the building or through the use of a system such as eduroam for authorised visitors. All wireless networks are encrypted to prevent a ‘man in the middle’ type attack from being used to access college data. Effective facilities are in place to enable wireless devices to present using available large format screens or projectors.

Access to services from offsite is provided through a secure method that mitigates against personal data being exfiltrated. For example the college may provide a VPN (virtual private network), perhaps using a technology such as Microsoft Direct Access, or will provide a VDI (virtual desktop infrastructure) that enables staff and possibly students to securely access a desktop that is hosted internally on the college’s systems.

The most digitally mature colleges have useful web filtering, monitoring, reporting, and altering services that meet the specific best practice expectations of Ofsted around good safeguarding practice, especially in the context of the Prevent Duty. In these cases, all web traffic generated from all endpoints, inclusive of managed devices, shared devices such as iPads and BYOD devices is attributable to the individual user account to provide full accountability. All traffic is filtered, monitored, reported on and proactive alerting is in place for all safeguarding related concerns.

Telephony is based on modern VoIP (voice over internet protocol) technology that enables calls to be routed over the internet rather than via antiquated (and soon to the withdrawn) services such as ISDN30. In the best examples full unified communications systems are deployed that make use of the concept of ‘presence’ (call the person and not the desk), in order to leverage technologies such as softphones or divert to mobile.

How Jisc can help:

Colleges may wish to make use of the Jisc telecommunications purchasing framework to procure telephony services.

Leave a Reply

Your email address will not be published. Required fields are marked *