Big Time Protection on a Small Town Budget: Securing Säffle’s IT Infrastructure

Running an IT department in a municipality comes with its own unique challenges. Let’s face it: Any IT job is tough. But with a municipality, you must oversee different organizations with often very different needs.

Säffle Municipality was founded in 1971 and comprises the towns of Värmlandsbro, Långserud, Svanskog, Nysäter, and the city of Säffle itself. Located in west-central Sweden, it is home to heavy industry, logging companies, and pulp-and-paper mills. It was also the site of Volvo’s last Swedish bus manufacturing facility, which closed in 2013.

I have lived in west-central area of Sweden all my life and have worked for the Municipality for just over 11 years, so I have a personal stake in keeping everyone here happy. Säffle Municipality is home to some 15,500 people, with 9,000 of our citizens living in the capital city, and 1,800 of us working for the municipal administration in some capacity.

Ten IT Experts Serving 15,000 Citizens

As part of Säffle’s IT department, our team of 10 is responsible for the Municipality’s information and telephony systems. Roughly half of us handle administrative tasks, which leaves four or five team members to work on the technical side, managing our network and our servers from day to day.

Our team oversees the IT infrastructure that powers the Municipality’s administrative and financial offices and many of our essential services, including snow removal, the fire department, pre-school and early-childhood care, elementary and high school, elder care, and social and mental health services. The only municipal branch we don’t handle is the police department.

Our network is the backbone of the community and our servers host the confidential information of thousands of our citizens—everything from their water tax bills to their academic and medical records. An outage or a data breach would be catastrophic. We also have to ensure that we have enough bandwidth and storage to handle the amount of data that travels across our network and resides on our servers.

The Olympics Crashed Our Network

A few months after I started here, the town got Olympic fever. That was the summer of 2008. Sweden sent 134 athletes to Beijing to compete in 19 sports. We won some silver and bronze medals, but no golds like we did at the previous Games in Athens.

Everyone started streaming the competitions at work, and our municipal network slowed to a crawl. We had a 30 Mbps connection at the time, and we were trying to send payroll data to the bank, but there wasn’t enough bandwidth to transmit the salary data.

Under normal circumstances, we had enough capacity, but we needed a way to quickly and easily configure our network to prevent such exceptional congestion from recurring. We already had a solution in place, but it was cumbersome and slow to react.

If we attempted to block one or a range of IP addresses, it could take up to five hours for the change to propagate across our network, and another five to reverse it if we made a configuration error. This degree of lag made it impossible to react to a sudden spike in traffic like the Olympics. It also made it difficult to test and implement long-term network traffic management and website access policies.

I started looking at our options. Because our infrastructure ran mostly on Cisco hardware, I wondered whether the company offered the software we needed to resolve our configuration issues. As it turned out, Cisco IronPort (now Cisco WSA) had exactly the web gateway management features we needed.

I set up a proof of concept that bypassed our existing network traffic management application and was able to get our infrastructure back up to speed. WSA was fast, easy to use, and the learning curve was practically non-existent.

That was the start of our transition to Cisco network management products.

Managing Web Security in Minutes—Not Hours

After the positive outcome of our WSA trial, we started to explore Cisco’s full portfolio of network management solutions. This was the next logical step in our evolving network management strategy.

WSA is fast, flexible, and granular. It allows us to block specific types of online content while at the same time whitelisting sites that are necessary for our work. We can also prioritize traffic according to particular applications, and limit access to certain websites at different times.

I can also set up limited internet access for systems that need to be kept offline for security reasons. For example, some of our machines need to be isolated from the outside world but must periodically “phone home” to verify software credentials and check for updates. In this specific case, I can block all other incoming and outgoing traffic, and only allow access to the IP addresses of the upgrade and authentication servers.

It takes a few clicks to set up new rules, and we can test everything in a matter of minutes. When we do encounter a new issue, we can evaluate the situation and respond immediately. 

Responding to Students Going Mobile

Our next big challenge was dealing with an explosion in wireless access that resulted from the increasing use of mobile devices in Säffle’s classrooms. Over the course of three or four years, the Municipality’s schools implemented a one-device-per-student policy for grades four and above, and a one-to-five device ratio for students in grades one to three. Our teachers also started using smartboards and IPTV and/or screen mirroring to a smart TV during their lessons.

All of these new educational tools put a tremendous strain on our wireless network and heightened the need for security. To further complicate the situation, our students started using Chromebooks, which are powered by web-based applications and cannot be protected using standard antivirus software but are still vulnerable to online threats.

To face these challenges, we added more Cisco tools to our network management toolkit. We started using Cisco FirePower IPS (Intrusion Protection System) and Cognitive Threat Analytics (CTA) to monitor network traffic and visibility in real time, and to block threats as they come in. We incorporated Application Visibility Control (AVC) deep-packet inspection to monitor traffic on our wireless access points and replaced our Cisco 4404 wireless LAN controller with a pair of Cisco 5508s which also is upgraded to a pair of Cisco 5520s as of last year.

Off to a Fast Start

Cisco CTA turned out to be one of our most effective tools. Within 30 minutes of integrating it with Cisco WSA and AMP (Advanced Malware Protection), we detected a cryptolocker on a server belonging to a third-party alarm company working for the Municipality.

It took me about two minutes to track down the port. I then alerted the contractor, and they restored the infected server from an image, but that backup had also been compromised. I closed the port and called them up again, and had them restore from an older archive that wasn’t corrupted.

When you compare the speed of the discovery and resolution of this issue to the five hours it took to confirm a blocked IP address with our previous network management tool, the difference is staggering. The impacts of not catching this could have been huge. When it comes to security, accuracy and speed are both a requirement. 

We are now looking at consolidating all of these network management functionalities and further automating them with Cisco DNA Center. However, we must first replace the few remaining HP switches that reside on our network and which date back to before my arrival here. 

Staying Ahead of the Game

Our team is staying ahead of the game by travelling to Cisco training events here in Sweden and elsewhere in Europe. We also stay up to date by enrolling in Cisco webinars and other online training activities.

Over my 11 years working at the municipality, Cisco has automated many of my IT management tasks and has consolidated network configuration, monitoring, and security tools in a single pane of glass interface that provides high visibility and easy control to our 10-person team.

During this time, I have been amazed at Cisco’s smooth transition to new technologies and the integration of their older hardware into their new frameworks. Thanks to the company’s commitment to ongoing innovation, I know that I can prevent security breaches and protect the data of our citizens, teachers, firefighters, and everyone else in our municipality. 

Säffle Municipality has entrusted our team with managing and protecting our community’s IT infrastructure. Thanks to Cisco, we are close to always one step ahead of any potential threat.