Posted by jspencer in Power Consumption, Politics, Open Source Schools ICT, Open Source, Networks Databases, Linux, Internet Connectivity, Environmental, Email Calendaring, Elonex One, Desktops, becta, Advocacy
In a previous 2005 report the Government quango Becta showed that schools could effect considerable savings by making use of Free Open Source software such as Open Office. In their study they simply looked at 'like for like' software replacement using existing networks and computers.
Since this study we have seen the emergence of the new breed of ultra-portable Linux-based computers aimed squarely at the education sector and the inexorable build of Web 2 services such as Google Apps.
This week the Elonex One, a Linux-based laptop costing less than £100, was launched at the Education Show in Birmingham causing much excitement amongst the visitors and a very serious discussion about how best to support this new breed of Linux laptops in schools.
So much has changed so quickly that a model of Open Source school computing is emerging which could save the UK taxpayer billions of pounds and provide enormous opportunities for the home-grown technology sector based around Open Source software.
The problem
The Government does not produce figures for the total cost of ICT in schools. Our research shows, however, that when staffing and power use are included, a typical secondary school will spend between £100,000 and £200,000 per year on ICT.
Scale this figure for the whole UK and it approximates to over £½ billion per year.
Contrary to common perception, however, only a small fraction of the cost of ICT in schools is spent on computers and software - 60% of the cost is on technical support and 20% on electricity.
Quite simply, school networks have become too complex for the purpose they serve.
The answer is to simplify the school ICT infrastructure and lower services by outsourcing more services.
Outsourcing
Outsourced services based on free Open Source software such as e-mail, content filtering and remote backup are entirely appropriate to an education sector:
- Content filtering using DansGuardian is very powerful and scalable.
- E-mail using Open Source software is sophisticated, highly available and secure. Easy management of webmail and accounts using GOsa.
- Rsync for secure, remote back-ups.
Examples of where such services already exist are a bi-lingual webmail system accessible to all schools in Carmarthenshire County and the fully managed web content filtering infrastructure available to all schools within the Yorkshire and Humberside region.
In both cases the use of free, Open Source technologies has driven exceptional value compared to similar systems deployed using proprietary software.
Simplifying On-Site Infrastructure
Much of the complexity and management burden to schools comes from the sheer number of computers needing maintenance - typically 100-500 desktop PCs and approximately eight network servers (file-authentication server, MIS database server, e-mail server, Intranet server, VLE server, thin-client server, web content filtering servers and a firewall).
But what ICT services do students really require from their school?
- Access to suitable software for teaching and learning
- E-mail
- Safe access to the Internet
- A home folder for personal file storage
- Access to shared resources (e.g. Intranet, VLEs, Public Folders, Databases)
How does the emerging model for Open Source in ICT meet these essential needs?
- The new low-cost Linux sub-notebooks have a very large range of Free Open Source applications already installed and many more available for free download, certainly enough for 95% of all educational needs. Many more applications are available on line through Web 2.0 technologies.
- E-mail and safe Internet access will be outsourced.
- Home folders and shared resources can be provided by one computer. By using Internet protocols and abandoning the venerable Windows SMB/CIFS protocols all of these services can be provided by one Open Source database/web server.
If schools moved their ICT to this model the spiral of ever increasing cost and complexity would be broken.
Becta, having twice warned schools against upgrading to Vista or Office 2007, has effectively signalled a halt to what has been an unbroken series of expensive and increasingly ineffective upgrades. It seems 2008 is the year when schools should take stock and rethink their strategic approach to ICT.
The rewards for change are very substantial. Schools would reduce their costs by 4/5ths producing not only an enormous saving to the taxpayer but making it possible to adapt to new developments in ICT and focus more resources on teaching. New opportunities would be created for the domestic technology industry and there would be far less dependence on dominant multinational suppliers.
Reality check
If you're connecting a couple of networks together, or connecting a network to the Internet, most people would instantly reach for a Cisco router (or, if you were really radical, maybe go for something from Juniper Networks). It's what you do, right? Wrong!
Have you ever taken a router apart? I know I have. If you were expecting to see real cutting edge hardware for your money in that nice black plastic box you've yet to find it, right? Hmmm, wonder what all my money's going on . . . I know. It must be the operating system that goes with it. After all, it's really complicated connecting a network to the Internet and running all those weird routing protocols, isn't it? And as for packet filtering, boy I can see why they have to charge me loads extra to add that to my box. And if I change protocols, like from ISDN to ADSL or Frame Relay, it's obvious that I should need to buy all those special new modules and updates to my software . . . isn't it? No it isn't!
Let's get real. The simple truth is, it really isn't rocket science, and you can actually do everything one of those exclusive, very expensive proprietary boxes does on an old 486. And you can do it better and faster.
Here's what you do. Take a commodity PC or low-end server, install Debian GNU/Linux or your favourite Open Source OS, and then slot in a Sangoma Technologies WAN card. Bingo! Instant router! Not only that, but you've now got a router that can grow, shrink, do anything you want, and handle anything that is thrown at it. More than this, you have just saved your business a great deal of money. We think Sangoma cards are terrific. And that's why we're their UK reseller.
Getting off the treadmill
Let's take one of our clients as an example. They're a very rapidly growing business, naturally with a busy Internet connection. They'd done the Cisco thing and bought themselves a 1603 for the best part of a couple of thousand pounds, but within 6 very short months found themselves bumping up against its capacity. Guess what, they were told they should throw it away and buy themselves a mid-range 3600 series. This was going to set them back another £4-5 K just to get started (not a lot really - when the time comes for them to have their own E3 line they'll be asked a cool £6K just for the adapter module alone!). Then there was the additional training their staff needed, the management toolset the reseller felt they really should have, plus the extra . . . With Ciscos, it can very rapidly get very, very expensive.
That's when the realisation fully set in with our clients. They were on the proprietary suppliers' upgrade treadmill - they would have to do the same thing again, and again, and again, and again.
So we didn't let them do this. We got them a nice little 1U server from Dell and slotted in one of our Sangoma WAN cards - all for less money than they originally spent on that 'entry level' Cisco. Even with their growth rate it lasted over 2 years! When they did finally reach the limit and had to upgrade, we simply swapped the Sangoma card out and put it into another, bigger, box (this time from DNUK . . .). And, since the old 1U server was commodity hardware, we used it for something else! What they've got is a system that knocks spots off any Cisco equivalent and at a fraction of the cost. They love it, the FD in particular.
Open Source, simply better software
Kicking out the Ciscos means more than just up-front savings too. Updating your Linux box doesn't have to cost you anything. But updating your Cisco IOS most certainly will! And, if you want anything extra, other than bog-standard routing, with the proprietary suppliers you're going to have to pay for that as an extra too! That's why our clients don't go that way.
Once your Sangoma card equipped PC has Linux (or perhaps FreeBSD?) on it you can do anything you want. Packet filtering – no problem, just add IPtables. Cost of packet filtering - nothing! Proxying – no problem, just add Squid. Cost of proxying - nothing! Now just try doing that with a Cisco. They'll be laughing all the way to your bank! No wonder they power the Internet. I could on all that money!
But, they say, 'dedicated hardware' - it's bound to outperform a plain vanilla Intel/Linux box isn't it? Actually, NO. We've seen it in practice, and figures from Sangoma prove it. The figures show the Sangoma card outperforms the Cisco under ALL measures (with small packet sizes, by over 50%!) right up until saturation of the line, when the Cisco eventually achieves parity!
By the way. There's another thing our clients like about doing routing this way. You stick a Cisco into your network and you've got another box, another set of cables, another hop on the way out, and yet another operating system to learn all about (and have you looked at IOS?). Why would anyone want all this complexity, hassle and cost? Stick one of these WAN cards in your Linux box and you simplify the whole thing. It's faster, it's cheaper, and it's a whole lot simpler to set up and administer.
Have a look at Sangoma's home page. It may not be as funny as routergod.com but, if you ever do need a good laugh, there's always Slashdot.
So there you have it. A couple of days' work and you have a router that's as powerful as anything on the market. And, believe me, it really is as easy as that. You've now got a more reliable, simpler and faster solution. You've eliminated another box in your server room, and replaced it with something far easier to administer. You've reduced your exposure to, and dependency on, proprietary technologies and the constant hardware/software upgrade treadmill they force you on. Even more than this, you've saved the business a great deal of money on hardware, support staff time, software licences and 'extra' modules.
How we can help you
- Consulting: we specialise in deploying Open Source alternatives to ISA.
- Training: we can train your staff to do it themselves.
- Support: we're happy to offer support and advice for businesses keen to replace ISA themselves.
The Sirius Way - 8 Steps for Success
- Ensure the deployment strategy matches business strategy.
  - Never deploy technology for technology's sake.
- Get the business on board.
  - Achieve full buy-in and commitment, by targeting clear business benefits.
- Plan the 'when'.
  - The when is crucial.
  - Know business cycles, windows, and people availability.
  - Ensure contingency is built-in, right from the start.
- Be ready for the unexpected.
  - Have a clear, agreed, documented backout plan.
- Never rely on enthusiastic amateurs.
  - Have access to proven, high quality, on demand, professional support.
- Document the deployment.
  - Continually learn and improve.
  - Six months down the line, you'll know what you did!
- Measure the results.
  - And publish them so they are open, visible, and seen by the business.
- Celebrate success.
  - With your IT team and with the business.
Technologies
Squid
Squid is a caching proxy server. Most companies require some or all of their users to have web access, but do not wish to attach modems to every single user's machine. Users' web browsers are pointed at the proxy server, which downloads web pages on their behalf and serves them to their browser. A caching proxy server will save a copy of all web sites it has downloaded so that next time a user looks it up, only files that have changed need to be downloaded again. Caching will, over time, save a company a huge amount of bandwidth as most users view the same sites, and certain sites are viewed again and again.
Squid is:
- a full-featured Web proxy cache
- designed to run on Unix systems
- free, open-source software
- the result of many contributions by unpaid (and paid) volunteers
Squid supports...
- proxying and caching of HTTP, FTP, and other URLs
- proxying for SSL
- cache hierarchies
- ICP, HTCP, CARP, Cache Digests
- transparent caching
- WCCP (Squid v2.3 and above)
- extensive access controls
- HTTP server acceleration
- SNMP
- caching of DNS lookups
Iptables
Iptables does stateful packet filtering. Packet filtering is the process of inspecting incoming and outgoing network traffic to see whether it is allowed according to some security ruleset. Stateful packet filtering is an enhancement whereby packets can be accepted or denied depending on recent history (this helps protect against certain kinds of attack). The intention of this is to define which services (e.g. email, web access) are allowed to pass the packet filtering machine, and which services (e.g. network logins, access to files on the network, etc.) are denied. Packet filtering is perhaps the most important function of any product purporting to be a Firewall. Iptables runs under the Linux operating system.
The netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem. It delivers you the functionality of packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and packet mangling.
SpamAssassin
SpamAssassin(tm) is a mail filter to identify spam. Using its rule base, it uses a wide range of heuristic tests on mail headers and body text to identify "spam", also known as unsolicited commercial email. The spam-identification tactics used include:
- header analysis: spammers use a number of tricks to mask their identities, fool you into thinking they've sent a valid mail, or fool you into thinking you must have subscribed at some stage. SpamAssassin tries to spot these.
- text analysis: again, spam mails often have a characteristic style (to put it politely), and some characteristic disclaimers and CYA text. SpamAssassin can spot these, too.
- blacklists: SpamAssassin supports many useful existing blacklists, such as mail-abuse.org, ordb.org or others.
- Razor: Vipul's Razor is a collaborative spam-tracking database, which works by taking a signature of spam messages. Since spam typically operates by sending an identical message to hundreds of people, Razor short-circuits this by allowing the first person to receive a spam to add it to the database -- at which point everyone else will automatically block it.
Once identified, the mail can then be optionally tagged as spam for later filtering using the user's own mail user-agent application.
SpamAssassin requires very little configuration; you do not need to continually update it with details of your mail accounts, mailing list memberships, etc. It accomplishes filtering without this knowledge, as much as possible. The distribution provides a command line tool to perform filtering, along with Mail::SpamAssassin, a set of perl modules which allow SpamAssassin to be used in a wide range of products. SpamAssassin lives at spamassassin.org or in CPAN, and is distributed under Perl's Artistic license. ('SpamAssassin' is a trademark of Network Associates, Inc.)
Features
- Wide-spectrum: SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
- Free software: it is distributed under the same terms and conditions as Perl itself.
- Easy to extend: Rules, weights and user-visible text are stored in text configuration files as much as possible, which the user (or sysadmin) can edit to modify or add new rules.
- Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API. As a result, it's not limited to the traditional local-delivery-to-spool case; using the Mail::SpamAssassin classes, it can be used in a wide variety of setups. This means that SpamAssassin support is available for a variety of mail systems -- traditional procmail, a Mail::Audit plugin, qmail, MIMEDefang, Postfix, and many others.
Snort
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.
Webmin
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can set up user accounts, Apache, DNS, file sharing and so on.
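The stateful filtering described in the Iptables section above, as an added example that is not Sirius's or the netfilter project's own code: a shell function that prints a router policy in iptables-restore format, letting mail and web traffic out while new connections for anything else (network logins, file sharing) fall through to the DROP policy. The interface names, the outbound port list and the LAN-only SSH rule for administering the router are assumptions, and it uses the `conntrack` match, the current form of the older `state` match.

```shell
#!/bin/sh
# Added example (not from the original page): print a stateful router policy
# in iptables-restore format. Interface names, the admin SSH rule and the
# allowed-port list are assumptions chosen for illustration.

# gen_ruleset WAN_IF LAN_IF "TCP ports LAN clients may open outbound"
gen_ruleset() {
    wan=$1; lan=$2; ports=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies to its own traffic, SSH from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
# Stateful core: packets belonging to a connection already allowed (recent
# history) pass in either direction; packets matching no known flow are dropped.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Name lookups from the LAN.
-A FORWARD -i $lan -o $wan -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Only the listed services may start a NEW connection, and only LAN -> WAN.
    # Nothing may start a connection WAN -> LAN, so unsolicited inbound traffic
    # and unlisted services hit the FORWARD DROP policy.
    for p in $ports; do
        echo "-A FORWARD -i $lan -o $wan -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Stand-alone run: print the policy for SMTP, HTTP and HTTPS.
gen_ruleset "${WAN_IF:-ppp0}" "${LAN_IF:-eth0}" "25 80 443"
```

Piping the output to `iptables-restore --test` as root parses the ruleset without committing it.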
Links to Key Projects
All of the key Open Source technologies that enable you to replace ISA are linked to below:
- Squid, Squid Documentation
- Netfilter, Netfilter Documentation, netfilter_log_analyzer
- SpamAssassin, SpamAssassin Documentation
- Webmin, Webmin Documentation
- Snort, Snort documentation