Networking and Security

Whether offering Internet access to patrons or providing an online catalogue, steps must be taken to implement effective network security to protect your resources. With a proper technology plan in place, you should have already addressed many of the issues surrounding network security. Our purpose here is to provide insight for the particular issues regarding network security, including:

  • Understanding networking concepts
  • Identifying vulnerabilities on your network
  • Creating security policies and selecting and configuring a firewall

We also focus on wide area networking and network management. For more information about LANs and the basics of networking, you should refer to our Further Resources section.

Introduction to Network Security

Managing security means understanding the risks and deciding how much risk is acceptable. Different levels of security are appropriate for different organizations. No network is 100 percent secure, so don’t aim for that level of protection. If you try to stay up-to-date on every new threat and every virus, you’ll soon be a quivering ball of anxiety and stress. Look for the major vulnerabilities that you can address with your existing resources.

We all know the numerous advantages of computer networks and the Internet. Connecting your network to the Internet provides access to an enormous amount of information and allows you to share information on an incredible scale. However, the communal nature of the Internet, which creates so many benefits, also offers malicious users easy access to numerous targets. The Internet is only as secure as the networks it connects, so we all have a responsibility to ensure the safety of our networks.

Why Is Network Security Important?

  • The good neighbor policy. Your mistakes can be someone else’s headaches. If your network is insecure and someone takes control of one of your computers, they can use that machine to launch denial of service attacks on innocent third parties. They can also flood the Web with spam.
  • Patron privacy. Obviously, patron records are of paramount importance. Trust between the library and its clients can be irreparably harmed if these records are compromised.
  • Money and time. Tracking down a virus or a worm and eliminating it from your network is frustrating and time-consuming. You often have to rebuild your machines from the ground up, reinstalling the operating system and software and restoring data from backup tapes. Lax security can lead to weeks of wasted time spent patching your network and fixing the wreckage.

Key Actions

  • Create a network diagram. One of the most useful exercises for understanding your library’s security situation is creating a network diagram. A network diagram consists of symbols representing your hardware (PCs, servers, switches, routers, printers, etc.) and the connections between them. The diagram should also include some information about the model and configuration of each piece of hardware (e.g., name, IP address, function, etc.). For network connections, list the speed and protocol of each link. For some examples, take a look at Rate My Network Diagram. While you can map a small network with pencil and paper, it’s hard to extend and update your diagram using this technique. Most network administrators employ software to help them map their networks. We’ve listed some free and low-cost options under Further Resources.
  • Understand your situation. A network diagram goes hand-in-hand with an assessment and evaluation of everything that happens on your network. Who uses your network? What types of hardware and software do they use? What kind of Internet connection does your library have? Do you host your own Web site, your own e-mail server, your own OPAC? Do you allow patrons to connect to your network with their own computers and peripheral devices? Is your staff network separated from the public network? What types of security policies, procedures and equipment do you already have in place?
  • Review your technology plan. Review this document, if available, to determine the network services you’re currently providing and the plans for your network’s future.
  • Train your IT staff or hire a consultant. You must make sure that either your IT staff receive appropriate training when it comes to network security or look for outside IT support that can offer the necessary knowledge to secure your network.
  • Remember the 80/20 rule. Focus on protecting the high-impact, high-risk areas of your network. For more information, see Identifying Vulnerabilities and Risks on Your Network.

Network Concepts You Should Know

Even if you plan to get security advice from an outside consultant or volunteer, understanding some basic concepts will help you evaluate your advisors and cut down on the number of calls you have to make. Basic networking topics such as TCP/IP addressing, network hardware, cabling and connectivity troubleshooting are well covered elsewhere, so look at our Further Resources. We also have information on our site about Bandwidth Management, Internet Access and ISPs and Wide Area Networks.

Further Resources

We included a few additional resources, which can further clarify any questions you have regarding the fundamentals of network security.

Identifying Vulnerabilities and Risks on Your Network

A vulnerability is a weak spot in your network that might be exploited by a security threat. Risks are the potential consequences and impacts of unaddressed vulnerabilities. In other words, failing to do Windows Updates on your Web server is a vulnerability. Some of the risks associated with that vulnerability include loss of data, hours or days of site downtime and the staff time needed to rebuild a server after it’s been compromised.

Before you start searching around for weak spots in your network, we suggest you first review our Where and How to Find Vulnerabilities tool.

Key Actions

  • Understand common attacks. Attacks on and within your network come in many different varieties. Many times the attackers do not even know who they are attacking, but there are instances of networks or organizations that are specifically targeted. Learning the different methods used to compromise computers and networks will give you the necessary perspective to proceed.
  • Inventory your vulnerabilities. Establish a full list of potential vulnerabilities. Take special care to identify anything unknown about your network. For example, a library new to network security might think they have a “firewall” while they might just have a router provided by their ISP. For more on this topic, read 10 Steps to Creating Your Own IT Security Audit.
  • Use vulnerability scanning tools. Many tools exist to check the existing security state of your network. These tools check for open ports, unpatched software and other weaknesses. Some of these programs focus on a specific machine, while others can scan your entire network. Microsoft offers one such tool, the Microsoft Baseline Security Analyzer. This tool checks for updates and common configuration errors for Microsoft products. Nmap is another popular, free scanning program. For more about Nmap and other vulnerability scanning tools, see Further Resources.
  • Assess the risks. The various vulnerabilities on your network represent potential costs — time, money and assets — to your library. These costs, along with the chance someone will exploit these vulnerabilities, help determine the level of risk involved. Risk assessment is a combination of both quantifying (the cost of the threat) and qualifying (the odds of the attack). Each library will have to determine its own tolerance for risk depending on the situation. Some examples are provided here.
    • Patron information: Having your patron data compromised is unacceptable for any library. You would need to design your network and implement security to minimize this risk. While you can almost never remove risk completely, you can reduce risk to very low levels.
    • Slow Internet connection: A library shares an Internet connection between public networks and staff networks. Since the cost of adding another Internet connection, increasing the speed of the current connection or purchasing complex network monitoring equipment might be too prohibitive, the library has a higher tolerance for a periodically slow Internet connection. Another library hosts its own Web site, online catalogue and email server, which require a more stable Internet connection, so a much lower tolerance for this risk exists.

Stories from the Field

The issue we have is that we have the public accessing the Internet on a network that needs to be secured due to the nature of some of the county businesses. We don't know that we've had any security breaches, but the potential is there. So the manager of our county IS Department has requested that our public computers be moved off of the county network. So we are in the process of moving to a cable modem system. Both our wireless and our public computers will be operating directly through Comcast.

Claire Stafford
Madelyn Helling Library, CA

I can see a lot of reasons for having an Active Directory, but the chief one is authentication, and our staff is really very reluctant to do things like change passwords. For instance, our integrated library system, we would be able to have each clerk log on with a personal password. And then, when that person left our employment, you could get rid of the password. It would be a lot more secure.

Bob Bjornson
Jefferson-Madison Regional Library, VA

Further Resources

To learn more about network security vulnerability threats, check out the Further Resources section.

Creating Security Policies

Security policies provide the road map for how to protect your network. These guidelines include the acceptable use of technical resources, the security requirements and why a particular policy exists. Without the clear guidelines from a security policy, your library runs the risk of inconsistent implementation of security. The process of creating a security policy provides a unique opportunity to understand the details of your organization’s network.

Why Create Security Policies?

  • Linking network security to your library’s mission. Closing every security loophole and blocking every vector of attack would likely render your network unusable for patrons. Finding the right balance between accessibility and security requires a conversation about the library’s mission and audience.
  • Consistent implementation. A security policy minimizes the risks created by an inconsistent application of security principles.
  • Buy wisely. A security policy can guide your technology purchases.
  • React and recover. A security policy will outline the steps needed to respond to a breach in security or critical system failure.

Key Actions

  • Assemble the appropriate team. Security policies impact every aspect of an organization. Network security involves rather technical subject matter. However, policy-makers, those responsible for budgeting, end-users and technical experts all must be included. By involving the appropriate cross-section of the organization, the proper security team increases the transparency and understanding of the decision-making process.
  • Incorporate the overall mission and goals of the library. The security policy must abide by existing policies, rules and regulations, as well as promote the overall mission. Any existing computer use policies should be included.
  • Utilize a policy template. Find an existing security policy for your library, or search for a library with similar needs and ask to see a copy of their security policy. There are also many security policy templates available online.

Further Resources

For additional resources on the topic of creating security policies, check out the Further Resources section.

Selecting and Configuring a Firewall

The Internet is a dangerous place filled with a constant barrage of automated scans that scour the Internet for vulnerable targets. Once identified, these targets receive a variety of attacks. Many of the attackers have no idea who owns the target, and the ultimate goal depends on both the attacker and the type of target. Selecting an appropriate firewall helps protect your network from the Internet and the Internet from your network.

Why Do You Need a Firewall?

  • It protects your network resources from malicious activity on the Internet.
  • It gives external users safe, controlled access to your internal resources.
  • It helps you get the best performance from your network resources.

Important Considerations when Selecting a Firewall

  • Network firewalls vs. desktop firewalls – Many desktop firewalls exist to protect individual computers (e.g., ZoneAlarm); however, for overall network security you need to consider a network firewall device. This article is dedicated to network firewalls. For information about the desktop variety, see the Home PC Firewall Guide.
  • Software/hardware – With software firewalls, like Microsoft ISA Server or Smoothwall, you install the program on top of an existing Windows or Linux server, which then becomes your dedicated firewall. Hardware firewalls, manufactured by Linksys, Cisco, Netgear, Watchguard, SonicWall and many others are devices with their own operating systems and specific hardware. In other words, with a hardware device, the manufacturer designs both the hardware and the software and sells them as a unit. With a software firewall, you provide your own hardware.
  • Extremes – With so many firewall devices on the market, you must ensure that your firewall fits your requirements. Purchasing a high-end firewall with features your library will never utilize results in a waste of resources. At the same time, you do not want to purchase a firewall that will not support your security policy.
  • Size of network – Does the firewall device have enough processing power to handle the number of connections for your network?
  • Network topology – How many networks do you have that need some unique level of protection or isolation? Suppose the firewall you’re evaluating has three Ethernet ports. Is that enough? Let’s say you need one subnetwork for the staff machines, one for the public access machines, one for your wireless access point and one for your servers. In this case you need a firewall with four Ethernet ports, as well as a port for your Internet connection. Or you could use a second firewall or a managed switch to provide the network separation you’re looking for.
  • DMZ – Do you need a DMZ for your Internet-facing servers? A DMZ (short for demilitarized zone) is a small subnetwork for hosted Internet services, such as Web servers and e-mail servers. The firewall protects the servers in the DMZ and checks traffic to and from those servers, but it also isolates them from the rest of your local area network as much as possible. Your Web server can handle requests from random computers on the Internet because you’ve presumably hardened and secured that server. On the other hand, your average staff machine shouldn’t be exposed to the Internet in that way. Also, if something goes wrong and the Web server is compromised, the damage will be partially contained. There are several ways to set up a DMZ, and your DMZ architecture may affect the type of firewall(s) you decide to buy. Wikipedia describes two common approaches to setting up a DMZ.
  • VPN – A VPN (Virtual Private Network) encrypts data between dispersed locations when that data is sent over the Internet or another public network. Libraries often set up VPNs so that staff who work from home can securely access files and programs on the library’s network. Also, in many libraries the main branch and outlying branches use VPNs to transfer circulation records and sensitive patron information. If you’ve purchased high-speed, dedicated data lines from your service provider, you may not need VPNs for branch-to-branch communication. However, dedicated lines are expensive, so a lot of libraries use VPNs instead. Some firewalls can handle VPN encryption and decryption, but you can also buy separate, standalone devices to handle this function. VPNs can be tricky to configure and maintain, so you should talk to an expert. See the following story from Cindy Murdock for one library’s experience securing their data over the Internet.
  • Content filtering – Does your security policy require some form of content filtering? Some firewall companies offer this feature. Your firewall will download a blacklist of banned sites on a regular basis or filter sites by keyword or both. However, this feature may cost extra.
  • Level of control – Do you want to block all traffic for certain applications or do you need to implement more granular filtering so certain computers or users have more capability than others? For example, you might block ssh traffic (ssh stands for secure shell, a remote logon utility) for most of your network, but allow it for systems administrators who need to access remote servers. Does the firewall you’re evaluating give you the degree of control you’re looking for?
  • Bandwidth management – Do you need to control bandwidth usage? Do you need to limit bandwidth per user or per computer? Do you need hourly or daily limits? Some firewalls have these capabilities, and you can also buy separate, standalone devices to handle these tasks. For more information, read Bandwidth Management.
  • Technical expertise – Do you have the in-house expertise to properly configure and manage the firewall, or will you need external technology support? Often your service provider will configure and maintain your firewall for a price.
  • Budget – With firewalls ranging in price from $50 to $10,000, the budget represents the biggest consideration for most public libraries. While your library may want all of the features, you need to determine the most important based on your requirements and resources.

Types of Firewalls

For a quick review of the most typical firewalls for different­-sized library networks, take a look at the Firewalls at a Glance tool.

Common Configuring Issues

Most security experts agree that having a poorly configured firewall is worse than not having a firewall. Without a firewall, at least you know your network is not secure; a poorly configured firewall gives you a false sense of security instead. There are a few important steps to take when configuring your firewall.

  • Username/password – As with all computer devices, you need to modify the default password for your firewall device. Some firewalls also allow you to modify the default administrator username.
  • Remote administration – Most firewalls use a Web-based graphical user interface for configuration and allow for remote administration from outside your network. Disable this feature unless absolutely necessary.
  • Port forwarding – For certain applications to work properly, such as a Web server or FTP server, you need to configure appropriate port forwarding.
  • DHCP server – Most firewall devices act as a router and include a DHCP server. Installing a firewall on a network with an existing DHCP server will cause conflicts unless the firewall’s DHCP server is disabled.
  • Logging – In order to troubleshoot firewall issues or potential attacks, you want to make sure to enable logging and understand how to view the logs. Make sure you understand this functionality on your firewall.
  • Policies – As discussed previously, you want to have solid security policies in place and make sure that your firewall is configured to enforce those policies.

Stories from the Field

We had some issues [with our Wide Area Network], because we’re encrypting all of our traffic for security reasons on the intranet side, the staff side. We found that it was really slow at the farthest library from the system headquarters. I had to use a hardware solution to get the encryption to speed up. Now that we’ve got that done, I should be able to get the other branches done pretty quickly. We wanted to encrypt our traffic so that patron information is protected when it’s being passed over the Internet. We’re circulating over the Internet. We don’t have our own private network.

We’re using a special router built on OpenBSD [a Unix-like operating system] and a VIA C7 chipset that has hardware encryption capabilities. The speed difference is enormous. When we first noticed this problem, I did some benchmarks. Apache, the Web server that we’re using, handles about 4,000 transactions per second unencrypted. With the encryption in place, it can only handle 70-80 transactions per second. So we had to offload the encryption onto this hardware solution [the OpenBSD router mentioned above] to speed it up. Before, when you would circulate a book from the most remote library, it would take 20-30 seconds to finish the transaction, whereas now with the fast hardware encryption, it’s barely noticeable. It’s like using a regular Web page.

Cindy Murdock
Meadville Public Library, PA

We have one central firewall now that we allow multiple libraries to use, so all of their web traffic comes here and then out. When the kids want to play in the library and someone asks me to open a port, I’ll try to determine what port number it is, and then I go out on the Internet and look and see if there are any vulnerabilities to that port. Is there a known Trojan horse or virus that’s coming in on that port? If there is, then we don’t allow the port; if I don’t find anything, then we will allow it, but we might only allow it for a few machines.

Jean Montgomery
Upper Peninsula Region of Library Cooperation, MI

Further Resources

Interested in finding out more about firewalls? Check out our Further Resources section.

Introduction to Broadband and Wide Area Networks

Networking is the connecting of computers to share data (e.g., files and databases) or functionality (e.g., printers, scanners, Internet connections, etc).

A network can be as small as a local area network (LAN), where two computers share information using a hub or switch, or as big as a wide area network (WAN), where many libraries in different locations share an Internet connection or automated library system.

The way machines are connected has changed over the years, but at the building level, the most common technologies right now are Ethernet and 802.11b (i.e., wireless or Wi-Fi), or a combination of the two. Between buildings, at the WAN level, organizations use a wide variety of equipment and protocols (e.g., Frame Relay, T-1, Ethernet, Asynchronous Transfer Mode (ATM) and various fiber protocols).

Monitoring the Performance of Your Network

In one sense, you already have an army of network monitors in your library. Every time something goes wrong, you probably get a few spontaneous alerts from patrons and colleagues. However, if you want preventive information and in-depth analysis of what’s happening on your network, you need network monitoring software.

Why Should You Monitor the Traffic on Your Network?

  • You can get information about the health of your network. If a server stops responding, or your ILS crashes or a segment of your network goes offline, the network monitor will send you a message so you can respond right away. But these tools go beyond reactive alerts about things that are already broken. They can also provide warnings about network slowdowns, overloaded servers and other signs of trouble so you can address problems before they affect staff and patrons.
  • Better understanding of long-term trends. Network monitoring tools also create graphs and reports about network performance over time. How fast is the demand for bandwidth growing in your library? If your library’s average daily Internet use has grown 1 Mbps (megabits per second) over the past six months, you can get a rough sense of how much you’ll need three years from now and budget accordingly. You can also plan better for the replacement of servers, switches and routers, because network monitors keep statistics related to performance of these devices.
  • Improved ability to check on your ISP. Life would be much easier if we could just trust our ISPs. You’re paying for a 1.5 Mbps T-1 connection, and that’s what you’re getting, right? No need to worry about measurements and monitoring. Just let the ISP tell you whether they’re doing a good job and when it’s time to upgrade. If you’re a little less trusting, a network monitor can keep track of uptime and other metrics on your Internet connection, so you’ll know when your ISP is failing to maintain its promised level of service.

Key Actions

  • Get permission. Be sure you contact your network administrator before you install any network monitoring software or equipment. If misconfigured, a monitoring tool could flood the network with unnecessary traffic.
  • Ensure compatibility. Check to see that the network monitoring tool you’re interested in can communicate with your existing equipment. There are different network management protocols (e.g., Simple Network Management Protocol, or SNMP, and Cisco’s Netflow), and your routers, switches and servers might not recognize the protocol used by your monitoring tool.
  • Create network diagrams. Most network monitoring software can automatically create a diagram of your local area network and/or your wide area network. Even if you decide not to use a monitoring tool, it’s a good idea to create a network diagram using software such as Microsoft Visio or Gliffy, or drawing it out by hand.

Network Performance Metrics

Bandwidth, throughput and speed are three terms that most people use interchangeably when discussing networks. However, speed isn’t really accurate in this context (though it is used all the time anyway), and there is a small distinction between bandwidth and throughput, as discussed in the following section. Latency and jitter are two connected concepts that increase in importance as more people conduct real-time voice and video interactions across the Internet. Uptime is another important metric that’s a little easier to understand.

For a more detailed look at metric terms and definitions, download and review our Network Performance Metrics Overview tool.

Network Monitors and Other Utilities

To measure network performance metrics, you need network monitoring software.

  • Ping, traceroute and speedtest sites are quick, easy-to-use troubleshooting tools, but they don’t provide in-depth information or analysis. For example, a speedtest site doesn’t take into account the fact that you’re sharing bandwidth with colleagues and patrons. If the speedtest indicates that you’re on a 200-Kbps connection, even though you’re paying your ISP for a 1.54 Mbps T-1 line, the slowdown is probably due to other library patrons. Also, even when you’re the only person on the local network, your Internet connection carries a lot of administrative overhead (i.e., bits passed back and forth between computers to set up and tear down a connection). Therefore, you might see a reported throughput of 1.2 Mbps instead of the full 1.54 Mbps you were expecting. This is normal, but if you want a fuller picture of what’s happening on the network, install one of the network monitoring programs mentioned next. Also, be sure to ask your network administrator before you install any monitoring software.
  • Ping and traceroute: If you want a quick snapshot of the latency on your network, use ping, a command-line tool built into all Windows PCs (and most other machines as well). When you ping a remote IP address, you’ll see four replies, and each one includes the “time” (measured in milliseconds) it took for your ping request to reach the remote computer and then return to your PC. In other words, you’re looking at the latency on the network between your computer and the remote computer. To be more specific, you’ve measured the round-trip latency. If you want the one-way latency, cut the ping time in half. Traceroute (or Tracert on Windows machines) is a similar tool that provides information about latency. Also, both tools are commonly used for basic connectivity troubleshooting.
  • Speedtest.net: Speedtest is a free site that measures latency, upstream throughput and downstream throughput with a single click. Furthermore, you can measure these between your location and several hundred servers around the world. In other words, latency between your library and the nearest city will usually be much lower than the latency between your library and London. Throughput will also vary widely, depending on the server you try to access. Speakeasy also has a speed test, as do several other sites.
  • Network monitoring software: The ping utility and the online speed tests have a serious drawback. You’ll only get a quick, unrepresentative view of your network’s performance, unless you plan to spend all day at the command prompt sending ping messages out to various computers. Network monitoring software gathers information about your network at regular intervals and grabs your attention only when there’s a problem or an event that you want to know about. For example, if your main file server is almost out of hard drive space, the server sends a message to the network monitoring tool, which, in turn, sends you an email or finds another way to alert you of the problem.
    • On your networking equipment (routers, switches, firewalls, etc.), you might set alerts related to throughput, latency and dropped data packets.
    • You definitely want reports from your border router about the total amount of Internet traffic you’re sending and receiving on a daily, monthly and yearly basis. Look at both the average load and the peak load, and you’ll have a better sense of how quickly demand is increasing. If your average daily load is consistently above 60 percent and your peak load is consistently above 80 percent (for an hour or two per day), you’ve probably noticed some slowing already and heard about it from your end users. If you’re approaching those numbers, you should start planning for an upgrade. Or you should invest in bandwidth management technology.
    • Also, most network monitoring tools include graphing and charting components, which let you see the long-term trends in your library. How fast are the hard drives filling up on your file servers? What’s the average daily throughput on your Internet connection compared to this time last year? Understanding the rate of change lets you budget accurately, and it gives you early warning so you have the right equipment on hand when it’s needed.
    • Popular open-source or free monitoring tools include OpenNMS, Nagios, Cacti, Spiceworks, MRTG and PRTG (in rough order from most complicated to least complicated). Also, there are several dozen commercial vendors in this field, and you can find a product comparison chart at Wikipedia.
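The two checks described above, reading round-trip latency from ping replies and applying the 60 percent average / 80 percent sustained-peak rule of thumb to a day of throughput readings, as an added example that is not part of the original page or of any of the tools it names. The ping output, the 192.0.2.10 address and the throughput samples are constructed, and the 1.54 Mbps capacity is the T-1 figure quoted in the text.

```python
"""Two checks a small network monitor performs, run on constructed data.

1. parse_ping(): pull the "time=NNms" values out of Windows-style ping
   replies and summarise round-trip latency; one-way latency is estimated
   as half the round trip, as the text suggests.
2. utilisation_report(): apply the page's rule of thumb to a day of
   throughput samples on a T-1: flag the link when average utilisation is
   above 60 percent, or when it stays above 80 percent for an hour or more.
"""
import re
from statistics import mean

T1_MBPS = 1.54  # nominal T-1 capacity quoted on the page

# Matches both "time=24ms" and the "time<1ms" form ping prints for sub-ms replies.
PING_REPLY = re.compile(r"time[=<](\d+)ms")

# Constructed sample of Windows ping output (192.0.2.10 is a documentation address).
SAMPLE_PING = """Pinging 192.0.2.10 with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=24ms TTL=54
Reply from 192.0.2.10: bytes=32 time=26ms TTL=54
Reply from 192.0.2.10: bytes=32 time=23ms TTL=54
Reply from 192.0.2.10: bytes=32 time=27ms TTL=54
"""

# Constructed day of throughput readings (Mbps), one every 15 minutes:
# quiet overnight, busy morning, a five-hour afternoon peak, then tailing off.
SAMPLE_DAY_MBPS = [0.2] * 32 + [0.9] * 16 + [1.3] * 20 + [0.8] * 16 + [0.3] * 12


def parse_ping(output: str) -> dict:
    """Summarise the reply times in ping output (all values in milliseconds)."""
    times = [int(m.group(1)) for m in PING_REPLY.finditer(output)]
    if not times:
        raise ValueError("no ping replies found in output")
    rtt_avg = mean(times)
    return {
        "replies": len(times),
        "rtt_min_ms": min(times),
        "rtt_avg_ms": rtt_avg,
        "rtt_max_ms": max(times),
        "one_way_est_ms": rtt_avg / 2,  # the page's rule: halve the round trip
    }


def utilisation_report(samples_mbps, capacity_mbps, interval_min,
                       avg_threshold=0.60, peak_threshold=0.80,
                       sustained_min=60) -> dict:
    """Evaluate a day of throughput samples against the capacity thresholds.

    samples_mbps: readings taken every interval_min minutes.
    Returns average and peak utilisation (0..1), the longest stretch in
    minutes spent at or above peak_threshold, and whether to plan an upgrade.
    """
    util = [s / capacity_mbps for s in samples_mbps]
    avg = mean(util)
    peak = max(util)

    # Longest run of consecutive samples at or above the peak threshold.
    longest = run = 0
    for u in util:
        run = run + 1 if u >= peak_threshold else 0
        longest = max(longest, run)
    sustained = longest * interval_min

    findings = []
    if avg > avg_threshold:
        findings.append(f"average utilisation {avg:.0%} exceeds {avg_threshold:.0%}")
    if sustained >= sustained_min:
        findings.append(
            f"peak above {peak_threshold:.0%} sustained for {sustained} minutes")
    return {
        "average_utilisation": avg,
        "peak_utilisation": peak,
        "sustained_peak_minutes": sustained,
        "recommend_upgrade": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    print(parse_ping(SAMPLE_PING))
    print(utilisation_report(SAMPLE_DAY_MBPS, T1_MBPS, interval_min=15))
```

On the constructed day the average stays well under 60 percent, so only the sustained-peak rule fires; that is the case where users already notice slowness in the afternoon even though the daily average looks healthy.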

Stories from the Field

It’s pretty obvious, I think, when you’re really running out of space or out of bandwidth, and we are right now for sure. But we also have a tool called PRTG that monitors bandwidth and the network connections. You need to do that, especially if you’re using your network like we are, where we’re doing security cameras, Voice over IP, data and HVAC controls. We’re doing a lot of stuff over the network connection. So it’s critical that it work properly.

Jim Haprian
Medina County Library, OH

Further Resources

For more information about network performance monitoring and metrics, check out the Further Resources section.

Internet Access and ISPs

Reading a contract from the phone company or a bill from an Internet service provider (ISP) can cause experienced techies to shake their heads in confusion and frustration. Even by the standards of the technology sector, telecommunications professionals use a lot of acronyms and jargon. Moreover, the technology, terminology, services and prices all change frequently. Our intent is to introduce a few concepts that stay relatively stable and consistent. We’ll also be suggesting some criteria that you can use the next time you’re shopping for high-speed data lines.

The focus here is mainly on Internet access; however, in practice, you should plan your voice, video and data needs simultaneously. More and more, the same companies provide all three services and transmit them over the same wires. Phone calls, movies and Web pages can all be translated into digital form and transmitted over the same circuits. Similarly, we discuss wide area networking in the next topic, but in practice, you’ll often get these WAN links from the same company that provides your Internet connection. Wide area networking refers to the connectivity between branches in a multibranch library system.

In the U.S., the major providers of Internet access are phone companies, cable companies and government entities. Minor players include satellite Internet providers and small ISPs who rent equipment and services from larger companies.

Why Should You Plan Carefully when Shopping for Internet Access?

  • Software and storage space are moving into the cloud. “The cloud” is just another way of referring to the Internet and the massive amounts of computing power it contains. Almost all of the software and services that run on local servers and PCs are now available online in one form or another. You can write documents online, edit photos, create databases, use accounting software and project management software and on and on. And more and more of us are using the Internet as our primary or secondary storage location for files, photos, videos, etc. Think of sites like Flickr, Box.net, YouTube, Mozy and thousands more. All this creates a constantly increasing demand for bandwidth.
  • Video and audio. The quality of online video is improving, and the file sizes are increasing. A few years ago, short, grainy YouTube videos were a novelty. Soon we’ll be downloading three­-hour­-long, high­-definition movies from Amazon or Netflix. As patrons get used to this quality at home and at work, they’ll ask for it in the library as well.
  • Spending wisely. Internet connections and wide area network links are a huge expense. A single T-1 line (1.5 Mbps) usually costs more than $1000 per month, and many mid­-sized libraries are transitioning to multiple T-­1s, T-­3s and other high­-capacity lines. Make sure you’re getting the best deal, buying what you actually need and getting your money’s worth. Also, you may have more leverage than you think, even if there’s only a single ISP in your town. Libraries are a high-­profile, high-­volume customer, but you can’t get better service if you don’t know what you need and you don’t know what to ask for.
  • Service to patrons and staff. Your Internet connection has a huge impact on staff and patrons. Staff can’t do their jobs without the Internet, and many patrons rely on the library for access to health information, financial institutions, schools, friends, relatives, etc.

Key Actions

  • Don’t do it all yourself. Shopping for broadband and assessing different Internet access plans is complicated and time­-consuming. Paying the monthly bill is even more painful. Look for ways to share the work, share best practices and share costs.
  • Investigate local partnerships. If you issue a Request for Proposals (RFP) for Internet access in concert with your local school district, a nearby community college or your city government, you can easily save thousands or tens of thousands of dollars. With increased size comes increased leverage and negotiating power. Furthermore, in a cooperative arrangement, the burden of understanding the different technologies and managing them is distributed across the group. You can turn to your partners for advice and share the cost of hiring network administrators.
  • Explore regional library cooperatives. In a regional library co-op (RLC), multiple libraries and library systems in the same area pool their resources to pay for the acquisition, support and maintenance of Internet access, wide area networks, a shared ILS, server, desktop machines, software and other equipment and services as needed. In a lot of states, RLCs already exist. If there isn’t an RLC you can join, the logistical and political hurdles to building one from the ground up are significant but not insurmountable. Regional Library Cooperatives and the Future of Broadband from ALA’s Office of Information Technology Policy (OITP) has some advice and a discussion of the benefits.
  • Is there a statewide network? If your state administers a statewide high­-speed network for schools, colleges and libraries, you’re probably aware of it already. These networks often provide amazing discounts on high­-speed lines, as well as help with e-rate applications, advice about technology and other services.
  • Consider a hosted solution. You can pay an outside company to host your Web site or your OPAC or both on servers that they own and manage. Managing your own Web server or ILS server is complicated and expensive. You have to maintain the hardware and the software. You have to back up your data on a regular basis and test those backups to make sure they work. You may have to pay extra for a more reliable, higher-­bandwidth, business­-quality Internet connection. You’ll have security concerns and considerations that you wouldn’t otherwise have. Some libraries look at all these factors and they decide to outsource to a specialist. You can buy high­-quality Web hosting for a few hundred dollars a year. For an excellent overview of Web hosting options, check out A Few Good Web Hosting Solutions at Idealware. Your ILS vendor might be able to host your OPAC on one of their servers (for a fee, of course). If you go this route, you still need to pay attention to the concerns mentioned (security, reliability, etc.), but you don’t need the same degree of expertise.
  • Find a consultant. Wide area networking is a complex, advanced topic, requiring years of study and practice to fully understand. You’ll be more comfortable with your choices in the long run if you get good advice up front.
    • Look to the city and county IT departments, as well as the network administrators for your local schools, colleges and universities.
    • Also, the other library systems in your area might have expertise in this area, or they might know of a reputable consultant. Regional library consortia and state libraries are also potential resources.
    • If you're looking for consultants who specialize in working with social benefit organizations, check out TechFinder. The Independent Computer Consultants Association (ICCA) and the National Association of Computer Consultant Businesses (NACCB) also provide searchable databases with member contact information.
  • Ask questions at WebJunction or TechSoup. If you need advice about particular ISPs or general networking topics, post a question in TechSoup’s Networks forum or WebJunction’s Networking Forum.

How Much Bandwidth Do You Need?

The following are a few tips on how to assess your current bandwidth usage and plan for your future needs.

  • Know your end­ users. Think carefully about the applications and Web sites your staff and clients use today. What sorts of functionality do you think they’ll be asking for in three years or five years? This information has an impact on the amount of bandwidth you’ll need.
  • Look at your technology plan. If you have a tech plan or a strategic plan, it probably has useful information about upcoming changes that will impact your bandwidth requirements. Are you planning to hire more staff? Are you rolling out new bandwidth ­intensive technologies? Do you plan to implement public access computers? These strategic changes will determine greatly the type of connection you need.
  • Monitor your network traffic. How fast is demand for bandwidth growing in your organization? How much bandwidth did you use six months ago and how much are you using today? Bandwidth Management Techniques — Tips and Actions can help you track this information. If you’re hosting a Web site or other online services, Web analytics software can also help you forecast future bandwidth needs in your organization. For more information, see A Few Good Web Analytics Tools at Idealware.

Before You Select a Telecom Provider

Before you go looking for a Telecom provider, we recommend that you take a minute or so to download our Ten Factors to Consider When Shopping for a Telecom Provider tool.

Stories from the Field

Q: This is the first time I’ve heard of an ISP who is providing the technical service but donating part of it and also donating the Internet connection, because that’s a pretty big chunk of dough, right?

It is very big, and they’ve been doing it for ten years. [More than] ten years. Maybe closer to 15. We started out in a partnership. They used our electrical closet for their routers and the T1 line that was coming in, and it’s just kind of grown from there. One hundred percent of the cost of the Internet they pick up and give us great bandwidth service. They don’t have their equipment here anymore. They’ve moved up to DS3, but they still provide the service to the library. And our wireless service as well. So it’s been a big boon for the library.

Bridgett Johnson
Lewiston Public Library, MT

Traditionally, over the years, the library had always had its own Internet provider. So I started looking at how much we were spending. I think that the more you get together with other people, the more you increase your bargaining power. So we went in together with our main county IT, and we said, ‘How about we join together and try to go out to bid and see what we can get?’ And surprisingly we saved a lot of money because we put our resources together and our bargaining power then became bigger. Everybody was trying to get our business and so they offered us bandwidth that nobody had ever heard of. They were able to come up with certain combinations for us just so they could get our business. You will be amazed at what they can do when you show them the money and they see that they are about to lose a customer — especially one that is going to be a long-­term customer. They come up with all kinds of combinations and all kinds of things. We ended up with a 45-­Mbps pipe that was split between the two of us. We were paying $3,000 a month for 6-Mbps, and now I’m paying $3,000 a month for 22 Mbps. That’s how you save money. You just have to find other people and just try to leverage your bargaining power, and people will come running.

Monique Sendze
Johnson County Library, KS

We combined the Bill and Melinda Gates program grant with the city capital improvement project, so we went from 11 to 30 computers, and the bandwidth was sufficient but it was starting to choke a bit because of the new usage. And then we expanded to 38 PCs, and it really started to slow down considerably. And IT at the time told us, ‘Well, you could have up to 50 computers on this network and it shouldn’t slow down,’ [but] that was not the case. So, because we got the e-­rate funding, we decided to upgrade the bandwidth to as far as we could put it at the time. We went from 1.5 Mbps to 6 Mbps and it’s a huge difference — a huge difference — because we have wireless Internet access and we have 38 public access computers. With all of them working at the same time, it was grinding to a halt. Now, with everything set up it’s really, really fast, which is nice.

Jeff Scott
Casa Grande Public Library, AZ

The city had gone through a process to upgrade their bandwidth at the same time we were looking at upgrading the library’s bandwidth, and the problem they ran into was that there are a lot of politics involved as far as who should get the contract. So instead of doing a bid, they’re like, ‘Oh, we should use a local company’ and then it should be just this person, and then it sort of all fell apart. Because of e-­rate, we’re forced to pick a vendor on that list, which we don’t have any control over. We just have to pick one of the three or four people that can provide that in the area, so we ended up picking Qwest. It led us to get around that little problem by saying, ‘Oh, we can’t do anything about it. We have e-­rate. We have to follow the guidelines.’ We were able to pick a company and upgrade our bandwidth, and the city is still struggling with theirs, so it’s kind of funny.

Jeff Scott
Casa Grande Public Library, AZ

I mean, the bottom line for me is you could never put enough money and resources into the backbone, because often it’s not the machines on the front that are causing you the problem. It is that you don’t have enough bandwidth to do what your customers want to be able to do on those machines.

Helene Blowers
Columbus Library, OH

We are experiencing some bandwidth issues. We’ve got kids in after school playing games. And what we discovered is that our ISP has a list of game sites, and when they see those coming through as traffic, they clamp down the bandwidth. So when we’ve got kids in here playing the games, our bandwidth actually gets smaller because it’s shared by the whole community. And I sort of found that out by accident. I had read about it somewhere and called the ISP and asked, and he said, ‘Yeah, that’s it.’ Because we thought it was sort of odd that even if we only had one kid playing, it seemed to really slow it down. So we’re sort of negotiating on that.

Darla Wegener
Lincoln Public Library, CA

E­-rate is a pain. It’s time­-consuming but for libraries like us, it’s what allows us to do what we do and that’s the biggest motivator right there. We would not be offering the high­-speed DSL and the higher-­speed bandwidth that we have and the wireless network that we have here in this library if it wasn’t for the reimbursements from e­-rate. Our budget simply wouldn’t allow us to do that, and that’s been the case all through the years. E­-rate was what allowed us to go from dial-­up to Frame Relay because we knew that we were going to get back 80 percent of what we spent, and we tried to do it right from the very beginning as far as kind of following the rules and just plodding along with it, and it’s served us well. I honestly don’t know what we would do if they discontinue it.

Sherry Millington
Suwannee River System, FL

A number of years ago, when we replaced our network with DSL, we went from Frame Relay to DSL, we had to replace some equipment and we bought Cisco PIX boxes. We really didn’t feel that we wanted to delve into setting up virtual private networks (VPNs) for our library automation system. So we hired someone to set it up and show us how they did it. I called around to some of the other libraries in the area in Florida. We have a pretty good network. I think that I’m pretty well networked with most of the people around, and I got opinions from them. And then I would contact the person and see how I felt about them and how we meshed as far as time and money and so on, and we’ve been fortunate so far.

Sherry Millington
Suwannee River System, FL

Wide Area Networks (Internetworking Your Library Branches)

Wide area networking refers to the interconnection of geographically dispersed offices separated by public rights-­of­-way. The Internet is actually a huge wide area network (WAN), and if your branches are all online, they’re technically already part of the same WAN. However, the Internet lacks the reliability, security and bandwidth that companies need for certain sensitive data and critical applications. In a library context, circulation records, cataloging records and financial records shouldn’t be sent over the public Internet unless they’re encrypted in transit (for example, inside a VPN tunnel between branches). Moreover, since they’re critical to the work your staff does, you don’t want your colleagues twiddling their thumbs while a batch of cataloging records fights its way upstream against all the YouTube videos and file downloads. So most multibranch library systems eventually create a private WAN. These WANs often do carry Internet traffic for staff and patrons at the branches, but you can control that traffic, keep it separate from staff data and assign it a lower priority than your cataloging and circulation records.

Why Is Your Wide Area Network Important?

  • Better service. The faster you can transfer circulation and cataloging records between branches, the better your service to patrons. If a patron sees a book in the catalog that seems to be available and places a hold on it, she’ll be disappointed to find out an hour later that the book was actually checked out.
  • Improved staff productivity. Obviously, the more time staff has to wait for cataloging records and other files, the less productive they’ll be.
  • IT savings. One of the biggest drains on your IT budget and your tech support staff is the need to drive back and forth between the main library and the branch libraries. Once you add up the gas, the maintenance of the cars and the time your staff spends on the road, you’re often looking at thousands of dollars a week to troubleshoot routine software problems. Therefore, IT departments are doing as much work as they can over the library’s WAN, and they rely on high­-bandwidth, low-­latency connections. For example, IT staff often use remote desktop software to troubleshoot computers at the branches. Where the bandwidth is sufficient, IT departments are using enterprise software such as Norton Ghost and Active Directory to send software updates and disk images over the WAN. If the operating system on a remote PC gets corrupted, they can reimage the entire computer from the main branch.
  • Centralization and consolidation savings. We usually talk about WANs when we’re discussing the transfer of data back and forth between colleagues at remote locations or between software applications working on their behalf. However, WANs can also carry phone calls and ordinary Internet traffic. It depends a lot on local variables, but in many areas, it’s cheaper to send all your traffic (voice, Internet, cataloging records, etc.) over a single line headed towards the main branch. The routers at the main branch then separate the traffic streams and send them all to their appropriate destination. Obviously, the central location will need a higher-­bandwidth Internet connection to handle the traffic coming from the branches, and you may need to upgrade the WAN connection at each branch location. However, the alternative often turns out to be more expensive. When each branch has multiple lines (one for phone service, one for Internet traffic and one for catalog records), the costs add up quickly.
  • Managing and prioritizing traffic. You have much more control over the data on your WAN than you have over standard Internet traffic. You can give high priority to circulation and cataloging records, voice traffic and other staff communication. It’s also easier to monitor and troubleshoot a private WAN.

Key Actions

  • Establish partnerships. Refer back to Internet Access and ISPs for information on ways to join (or create) local, regional and statewide cooperative networks. These cooperative purchasing and administrative agreements can save you thousands each month. We also discuss ways to find consultants and advisors.
  • Choose one provider. If possible, choose a single service provider for your entire WAN. This might be impossible, depending on the network coverage in your area, but whenever service providers have to exchange traffic, delays get introduced and it’s harder to guarantee levels of service.
  • Think about the kinds of traffic your WAN will carry. As we mentioned previously, if the links going out to the branches are wide enough, they can also carry Internet traffic and voice traffic. In other words, instead of purchasing a high-­speed Internet connection for each branch, you buy a really big pipe at your central location, and that pipe handles all the Internet traffic for your entire library system. Of course, all the branch traffic has to go across the WAN before it gets to the Internet, but as long as those WAN connections are wide enough and fast enough, they won’t add a significant delay. Also, you’ll have to buy a larger Internet connection at the main branch, but that’s often cheaper than maintaining a separate connection for each branch. Of course, this creates a single point of failure for your whole system, so you should have a backup Internet connection at the main branch.
  • Talk to staff, patrons and IT. Think carefully about the applications you’re using now and the ones you’ll be introducing over the next few years. Ask staff what kinds of data they transfer between branches and whether they’re satisfied with the perceived speed of these transactions. If you’re considering the implementation of the remote administrative programs mentioned previously (e.g., Norton Ghost or Microsoft’s System Center Configuration Manager), talk to the vendors and your IT staff to see how much bandwidth you’ll need between branches.
  • Use a centralized phone system. If you don’t already have a centralized phone system, you can decrease your overall costs and increase your service and functionality by centralizing, but there’s a whole lot of planning and expertise and up-­front costs that go into that sort of a switch, so you’ll need to talk to an expert.

Shared Lines vs. Leased Lines

  • A shared line or “best effort” connection refers to a data link between two locations over shared circuits and shared equipment. In other words, the service providers who create the connection will do their best to forward your traffic to its final destination, but they won’t make any guarantees regarding how long it will take to get there and how much bandwidth gets allocated to your data. Most residential Internet service plans fall into this category.
  • With a leased line, on the other hand, the network service providers manage the connection between the sender and the receiver to ensure a certain level of service in terms of latency and bandwidth. Leased lines are sometimes referred to as private lines, dedicated lines or point-­to­-point lines. Also, service providers often refer to the underlying network protocol. In other words, T-­1 lines, Frame Relay circuits and Ethernet connections are all leased lines, though they vary quite a bit in terms of their cost, availability and performance.

Other WAN Considerations

  • WAN topology: This refers to the layout and interconnection of the end units (or nodes) in a network. Most library systems use a hub­-and­-spoke topology for their wide area networks. In other words, the branches all link to the central library, but they don’t link directly to one another. They can still communicate, but all that data goes through the networking equipment at the main branch first. Some businesses use a mesh topology where every branch office is connected to every other branch office, but this type of WAN is usually more expensive and more complicated to administer, and there’s not much need for it in the library environment.
  • WAN management: If you have skilled network administrators on staff, you might be able to handle the configuration of routers, switches, firewalls and other devices. However, each WAN protocol has its own equipment, its own set of concepts, its own terminology and its own rules, so it’s often easier and cheaper in the long run to pay your service provider and let them manage your WAN.
  • WAN protocols: There are dozens if not hundreds of networking protocols that play a role in wide area networking, but you can usually ignore the details of how each one is implemented. Also, you often use several of these protocols in combination over the same wide area link. Furthermore, the best protocol in a given situation depends mostly on the local ISPs and the extent to which they’ve invested in the necessary circuits, equipment and expertise.
    • Ethernet, SONET/SDH, FTTx, ATM and MPLS have good reputations with regard to bandwidth, reliability and the ability to handle time­-sensitive traffic, but they’re expensive and they’re not available in a lot of places.
    • Frame Relay has been around for a long time; therefore, it’s sometimes the only available option, but it wasn’t designed to handle real-time voice and video traffic.
    • ISDN has also been around for quite awhile, but it’s being replaced by faster, cheaper protocols. Setup, configuration and management of an ISDN connection can also be very complicated.
    • T­-1 lines (and variations such as T-­3 lines) are a standard, widely available option, and they can carry both voice and data.
  • VPNs: Increasingly libraries are building their WANs across the public Internet. In other words, they don’t buy expensive point-­to­-point connections, but instead they purchase a standard high-­speed Internet connection at each branch. They then use VPN (Virtual Private Network) devices to encrypt the traffic between branches, including their sensitive cataloging and circulation records. In effect, they’re creating a private, encrypted tunnel within the wide-open, chaotic Internet. Bear in mind what the tunnel does and doesn’t give you: it protects the confidentiality and integrity of data in transit, but each branch now has its own direct connection to the Internet, so each branch needs its own firewall, and the tunnel itself only works when the branch’s Internet connection does. Although this option is cheaper than leasing point-­to-­point connections in some areas, you may have less control over the performance and prioritization of your traffic, since the public Internet between the branches makes no guarantees about either. Also, you might find that there’s a high learning curve associated with configuring and maintaining VPN devices.
  • Reliability and Service Level Agreements (SLAs): Most leased lines include assurances with regard to “uptime” and other metrics. In other words, your ISP might guarantee that 99.9 percent of the time your connection will work and they promise to refund some of your money if they fail to meet that target. Also, they often make promises with regard to throughput, latency, dropped packets and other measures. These promises are usually captured in a Service Level Agreement (SLA). Bear in mind that your ISP only makes these promises with regard to service between your building and the edge of the ISP’s network (where it connects to the Internet backbone). Beyond that they have no control. Also, if you have several connections from the same provider, your ISP may make assurances about average, across-­the-­board metrics. For instance, if they promise a monthly average of 99.8 percent uptime across ten high-speed connections, that leaves them a lot of leeway. Your main Internet connection could be down for roughly 14 hours a month and they’d still be within the terms of the SLA. Pay close attention to this type of detail. An example of an SLA can be found at Speakeasy.net.

Stories from the Field

The other technology that we’ve implemented here at one of our branch libraries, and are starting to phase it in here at central library, is Voice over IP telephones, and that provides us [with] a cost savings. We are able to put the telephones on the same network as our data — as our computer network — so that is saving us an infrastructure cost. And from what I have been told, the Voice over IP technology could cut down on the costs of long­-distance phone calls also. It’s sharing the same bandwidth as the computer network, so you need to make sure you have sufficient bandwidth for everything that you’re doing there. You do not want everything to go down when somebody starts a streaming video broadcast on one of their computers.

Thomas Edelblute
Anaheim Public Library, CA

Our branches are on the same wide area network and different subnets, but we’re going away from that model. We are going to put individual connections in different libraries because the more you send traffic through a central location, the slower things get. Right now, the smaller libraries have 256-Kbps connections, and the first of July they’re going to go to T­1s. And then we are going to put in a fiber connection with two T-­1s here at the main branch.

Our ISP actually owns our routers, so they do all the router maintenance for us. And we go through Merit, which is an ISP for nonprofits in Michigan. They are really easy to work with, and we have never had a problem. This will be our tenth year with them. Actually, the cost of bandwidth went down for us when we went from the 256-­Kbps lines to the T-­1s this year. It will actually cost less for them to have the T-­1 than it was to have the 256. As a consortium, we buy Internet access, and our libraries can buy into that if they want to. But we don’t have all 20 of the libraries that we support doing that.

We have five libraries that don’t come back through the main branch — they have their own firewalls. And we have about ten that actually come through our firewall first before they go out to the Internet.

Jean Montgomery
Upper Peninsula Region of Library Cooperation, MI

Bandwidth Management

Every afternoon after 3 P.M., it takes 40 seconds to pull up Google or CNN. Your staff has to wait until the next morning to send cataloging records to a remote branch. Video or audio downloads are out of the question. Your first response might be, “Buy more bandwidth!” and that’s not a bad idea at all, but you might not have enough money to buy more bandwidth. Moreover, some libraries are finding that patrons will fill up everything they’re given. Double your bandwidth, and a month later it’s slow again after 3 P.M. Patrons can use file­-sharing applications, such as BearShare, LimeWire and uTorrent, to download several large files simultaneously. Online games, streaming video and streaming audio can also take up large amounts of bandwidth.

There are a few related approaches to managing and controlling bandwidth.

  • You can slow down the greedy, bandwidth-­hungry programs and/or the patrons who use them.
  • You can prioritize the important, high-priority traffic on your network (e.g., catalog records or phone calls).
  • Finally, you can optimize the traffic on your network to increase efficiency and avoid redundant transmissions.

We’ll explore all three approaches.

Why Should You Manage Your Bandwidth?

  • Bandwidth equals $$$$$. Bandwidth costs thousands of dollars a month, and anything you can do to lower your bandwidth consumption will save you money in the long run.
  • Improved Internet experience. Bandwidth management can make the difference between a network that’s perceived as sluggish and unresponsive and one that seems fast and reliable. For delay-sensitive applications, such as Voice over IP, bandwidth management might make the difference between a device that works and one that’s unusable.
  • Fairness through compromise. Someone accessing a low-­bandwidth, text­-based site shouldn’t have to put up with a slow connection because someone else is downloading 5-GB movies onto their laptop. Going to the opposite extreme and blocking all video traffic or all file­-sharing traffic is also unfair because it penalizes the moderate, occasional downloader as much as it hurts the patron downloading 50 albums every afternoon. Students often use BitTorrent or streaming video to access lectures and other files related to their classes. In other words, it’s not always the particular protocol or application that’s a problem; it’s the few folks who use more than their share. Bandwidth management strikes a compromise. You can limit bandwidth usage on a per-­user basis, a per­-protocol basis or both. No single user or type of traffic can hog everything, but they won’t be completely blocked either.
  • Improved traffic prioritization. Although it’s hard to give one stream of patron traffic priority over another based on your own judgments regarding the appropriateness of the content, libraries often have valid reasons for giving some bandwidth preferential treatment. Certain voice and video applications simply won’t function if they don’t have reliable bandwidth and low latency. Also, you may decide that traffic from staff machines should have priority over patron traffic since your library depends on the effective, reliable transmission of catalog records and other files.
  • Opportunities for remote and rural libraries. Unfortunately, some parts of the country still don’t have access to high-speed data lines, or the prices are prohibitive. In these cases, bandwidth management can make a big difference. Even if you don’t have money to spend on a high-end commercial device, you can put some open-source software on a desktop computer with two network cards and use that as your Web caching server or your traffic-shaping server.

Bandwidth Management Techniques

Our Bandwidth Management Techniques — Tips and Actions tool covers four bandwidth management techniques and suggestions, hardware solutions and software solutions. As with most tools, the specialized hardware devices are usually more powerful and more expensive. If you choose a software solution, you’ll need to install it somewhere. Depending on how much work you expect the software to do, you might make do with running it alongside other programs on an existing server, or you might be able to run it on an old desktop PC.

Bear in mind:

  • These four bandwidth management techniques come in a variety of combinations and packages.
  • You might find them all in a single hardware device or a single piece of software.
  • On the other hand, you might decide to buy one device that specializes in packet shaping and another that focuses on optimization.

Bandwidth management tools usually reside on the edge of your network and filter all the traffic leaving and entering your network. However, you can also shape the traffic on a particular server or a particular segment of your network. Choosing the right bandwidth management strategy depends on the type of traffic your network typically carries. Therefore, it helps to monitor your bandwidth and pay attention to patterns (e.g., which protocols are taking up the most space).
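The traffic-pattern monitoring recommended above can be done with nothing more than the flow records a router or firewall already exports. The following Python script is an added example, not code from the original guide or from any product it names: it takes constructed flow records (not captured traffic), groups bytes by a coarse port-based label and by client address, and flags the clients using more than a fair share, which is the per-user and per-protocol picture you need before deciding what to shape. The port-to-label table and the 10.0.10.x staff / 10.0.20.x patron address split are assumptions made for the example.

```python
"""Per-protocol and per-patron traffic accounting over flow records.

Added example, not part of the original guide. The flow records are
constructed (not captured traffic); the port-to-label table and the
staff/patron address ranges are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, one flow per line: "client_ip remote_port transport bytes".
# 10.0.10.x is assumed to be the staff subnet, 10.0.20.x the patron subnet.
SAMPLE_FLOWS = """\
10.0.20.11 443 tcp 52000000
10.0.20.11 6881 tcp 910000000
10.0.20.11 6882 udp 120000000
10.0.20.12 80 tcp 31000000
10.0.20.13 443 tcp 970000000
10.0.10.5 5060 udp 4000000
10.0.10.5 10000 udp 36000000
10.0.10.7 210 tcp 9000000
10.0.20.14 80 tcp 15000000
"""

# Assumed port-to-label table. Everything on 80/443 is counted as "web",
# which is exactly the blind spot the text describes: video streamed over
# HTTP looks the same as a catalog page at this level of inspection.
PORT_LABELS = {
    80: "web", 443: "web",
    5060: "voip-signalling", 10000: "voip-media",
    210: "catalog-z39.50",
}

def classify(port: int, transport: str) -> str:
    """Map a remote port to a coarse traffic label."""
    if port in PORT_LABELS:
        return PORT_LABELS[port]
    if 6881 <= port <= 6889:          # BitTorrent's default port range
        return "bittorrent"
    return f"other-{transport}"

@dataclass
class Report:
    by_label: dict = field(default_factory=dict)
    by_client: dict = field(default_factory=dict)
    heavy_clients: list = field(default_factory=list)

def analyse(records: str, fair_share_bytes: int) -> Report:
    """Aggregate bytes per label and per client; flag clients over the share."""
    by_label, by_client = defaultdict(int), defaultdict(int)
    for line in records.splitlines():
        if not line.strip():
            continue
        client, port, transport, nbytes = line.split()
        by_label[classify(int(port), transport)] += int(nbytes)
        by_client[client] += int(nbytes)
    heavy = sorted((c for c, b in by_client.items() if b > fair_share_bytes),
                   key=lambda c: -by_client[c])
    return Report(dict(by_label), dict(by_client), heavy)

def top(counts: dict, n: int = 3) -> list:
    """Largest n entries of a byte-count table as (name, bytes, percent of total)."""
    total = sum(counts.values()) or 1
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])[:n]
    return [(k, v, round(100.0 * v / total, 1)) for k, v in ranked]

if __name__ == "__main__":
    # Fair share chosen for the sample: roughly a quarter of the period's bytes.
    report = analyse(SAMPLE_FLOWS, fair_share_bytes=500_000_000)
    print("top protocols:", top(report.by_label))
    print("top talkers:  ", top(report.by_client))
    print("over fair share:", report.heavy_clients)
```

On the sample, "web" edges out "bittorrent" as the top label even though one patron's BitTorrent flows dominate the per-client table; that is the point of looking at both views before choosing between a per-protocol and a per-user limit.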

Even after you’ve looked at the traffic patterns on your network, you should take your graphs to a network administrator or a networking consultant.

Stories from the Field

Right now, we have a packet shaper from Symphonics, but we’re gonna have to do away with that, because at the time we purchased it, we were expecting that we’d have 3-Mbps of connectivity. Now because [of] our access to the municipal fiber, we’re up to a 100-Mbps connection, and it’s not able to handle that much traffic. So we’re gonna have to do away with that. But we did recently upgrade all of our locations to SonicWALL appliances and that does have some bandwidth management built into it. I don’t think it’s as good as the Symphonics box, but it has some capability. Basically, a traffic shaper is just a traffic cop and you tell it what’s most important in terms of traffic. Is it the library catalog traffic that’s going out to the branches? Is it the people sitting at home trying to connect to your OPAC server or your Web site? Is it the staff browsing the Internet? And you give it a set of priorities and rules, and it just says, ‘Okay, well, there’s too much video-streaming bandwidth being used. You need to wait, and I’m gonna let this library catalog traffic go through.’ And then, once library catalog traffic goes through and there’s a little bandwidth freed up, then the Internet computer users can start seeing their streaming traffic again. But we’ve kind of put [a] priority on the actual business of operating the region as the number one priority for who gets the bandwidth.

When I look at our package shaper, the number one source of traffic is HTTP traffic. But HTTP traffic has been used for so many different things. For instance, you can stream video over HTTP. So it’s hard to determine exactly where that’s all going, but that’s the number one use of bandwidth. When you start going beyond just looking at the protocol information, you almost start getting to the point where you’re doing content filtering or content prioritization. And the device we have does not do that. It’s my understanding that there are devices that can go beyond just the protocol level and actually look inside the packet and see, ‘Well, it says it’s HTTP but I can tell that it’s really video traffic, so they can throttle it back.’

Jay Roos
Great River Regional Library, MN

The only problem with bandwidth is you put it in and it’s going to get filled up, especially if they’re doing YouTube and some of the higher-bandwidth types of things. Now there are some devices that will throttle bandwidth for you. We’re part of the CleveNet Consortium. They handle all of our network connectivity for us. I know they’re working with Cisco to get an appliance that will do some bandwidth throttling and do a little throttling with our wireless networks, because honestly, one of the biggest hogs is the public wireless network — people coming in with their own laptops. Because they have LimeWire and BearShare and all the file sharing and BitTorrent types of things on their laptops, and they’re able to do that over HTTP, because it doesn’t use some other weird port. So there’s no good way to stop that. Some of the stuff you don’t want to stop. I mean, you don’t really want to block YouTube. We don’t really want to block a whole lot of anything generally. But how do you throttle that bandwidth and keep those people from completely killing all your bandwidth? So I know they’re working on some appliances that are going to help with that.

Jim Haprian
Medina County Library District, OH

One thing I notice is that the more bandwidth you give, the more it’s going to be used. I have a lot of my remote sites that are running two, three T1s and they’re still maxed out. A year ago, they were on just a T1 connection and they were fine. But guess what? It started running slow and I said okay, I’ll bump it up. So I took them up to three T1s and they’re still slow today because I give more bandwidth, and the more bandwidth you give, the more it is being used because I’m not doing any bandwidth shaping, [which is] something now that I’m looking at getting into. I know that with the budget shrinking, it’s going to be hard for me to go and say okay, a couple of years ago I was at 6 Mbps and today I have a 23-Mbps pipe, and I want actually more money to upgrade it. They’re probably going to look at me and say no way, with budgets shrinking. So what I’m trying to do now is I’m looking really closely at my bandwidth and the kinds of traffic, and I’m going to try to start doing bandwidth prioritization and things like that so that I can give more bandwidth to things that we consider core library services.

Monique Sendze
Johnson County Library, KS

One of the things that we looked at — we just went to 6 Mbps here at the main library, and they have this MetroNet, I think it’s called MetroNet or something BellSouth has, and it’s supposed to be like 10 Mbps for each branch and then it’s burstable to 100 Mbps based on your usage. That way, if all of a sudden you have a lot of usage, it can go up if it needs to, but it won’t unless it has to. We have experienced some bandwidth issues at some of our branches, and when you’ve got a T-1 at each one, you would think you’d be okay, but I'm telling you, with the downloads and the bandwidth it eats up, you have to go back and think, ‘Well, do I need to manage this?’ Should you buy the device to manage the bandwidth to say I’m only going to give 5 percent here and 5 percent there? Or do we increase the bandwidth, which is going to cost the library system more?

Delbert Terry
Bossier Parish Libraries, LA

Further Resources

Basic Networking Resources

  • Novices to the network world should check out the educational animated movie at the Warriors of the Net site. The Computer Networking section of WebJunction has many resources dedicated to understanding computer networks in libraries.

  • Along with TCP/IP, Ethernet is the dominant technology in wired local area networks (LANs). Lantronix has a good Ethernet Tutorial, though the third part of it includes too many sales pitches. This tutorial has some information about the different types of cables commonly used in local area networks, but for more in-depth information, see Ethernet Cable Identification and this FAQ on CAT-5, CAT-6 and other cabling standards.

  • If you’re interested in TCP/IP, the Learn Networking site has an introduction, and they also have a tutorial about subnetting. You can calculate subnets by hand, but a lot of administrators just use a calculator. Microsoft also has some information about IP addressing. If you need to do some basic connection troubleshooting, TCP/IP Troubleshooting at the Microsoft site will teach you to use some basic tools such as ping and ipconfig.

  • For definitions of basic networking equipment, see Network Gear at About.com or search for individual terms (e.g., switch, router, firewall) at Webopedia and Wikipedia.

  • For more information about wireless networking, see Recipes for a 5-Star Library.

  • The FCC’s article, What is Broadband? defines broadband and discusses its importance and the different types. Our article on Internet Access and ISPs also has information on this subject.

Basic Security Information

The SANS Institute creates an annual list of the Top 20 Security Risks. While this list may go beyond the scope of the small to medium-sized library, it represents the most accurate compilation of malicious activity on the Internet. Microsoft’s Security Guide for Small Business provides an excellent overview of establishing a secure network.

Network Diagramming Software

Microsoft Visio is often used for network diagrams, and libraries can buy it at a discount from TechSoup. Gliffy is an easy-to-use online program with a free and a paid version. Dia and Networknotepad are two free, open-source diagramming programs. Also, most network monitoring programs can automatically create a map of your local area network and/or your wide area network.

Identifying Vulnerabilities and Risks in Your Network

Creating Security Policies

Selecting a Firewall

Search Security’s Firewall Architecture Tutorial tells you how to choose firewalls and where to place them on your network. Windows Networking also has an article on Choosing a Firewall. It’s a few years old now but still has relevant advice. A Guide to Unified Threat Management has advice on researching and testing these devices. A Unified Threat Management (UTM) system is a hardware appliance that has firewall capabilities as well as other security features (e.g., spam filtering, antivirus filtering and intrusion detection functionality). Network World’s Firewall Buyer’s Guide is a good resource for comparing specifications, but since it relies on manufacturers to submit information, there are currently no Cisco products listed.

Network Performance Metrics

Connectivity Troubleshooting from WebJunction and How to Troubleshoot TCP/IP in Windows XP both explain ping, traceroute and other basic troubleshooting tools. A Survey of Network Monitoring Tools from WebJunction and ABC: An Introduction to Network Monitoring from CIO.com both explain the different functions performed by this type of tool. Stanford Linear Accelerator Center has an exhaustive list of free and commercial solutions.

Bandwidth Management

For advice from the library community, see this thread on Bandwidth Limiting (aka traffic shaping) at WebJunction.

The QoS article on the Gentoo Wiki server tells you how to build your own packet shaper using open-source software, but it also explains the concepts that underlie packet shaping and Quality of Service.

What Is Web Caching? on the WebJunction site offers a good introduction to this topic. For a more detailed explanation, check out the Caching Tutorial for Web Authors and Web Masters.

The Options for Network Optimization gives a quick overview of the various techniques used to speed up a WAN link or an Internet connection. WAN Optimization Appliances at the Network Computing site offers a review of four popular optimization tools.

Tools

Vulnerabilities and threats to your library’s technological infrastructure can be countered through proper computer, communications and physical security.

Check out the following list of tools. They have been included to help create a library plan that addresses network security issues.

Wired for Success: A Tool for Understanding Your Wireless Network

A wireless network is similar to a wired network, but instead of using cables, it communicates using radio frequency signals. There are dozens of different flavors of wireless networking: cell phones, satellites and radios all communicate wirelessly. For the purposes of this program, however, the term “wireless networking” refers to a technique for interconnecting computers wirelessly at the building level. This kind of wireless network is sometimes described as Wi-Fi, an 802.11 network or a “wireless local area network (LAN)” or “WLAN.” These networks have a radius of 300 feet under ideal circumstances.

At a minimum, there are three pieces to a wireless network:

  • First, there’s the wireless access point. The access point is the center of a wireless network and acts like the hub, or switch, of your wired network, though it also has many of the features of a standard router. On one side, it connects to the Internet, usually through a standard Ethernet cable, and on the other side, it broadcasts a wireless signal.
  • Also, there are “wireless devices.” These are the computers and gadgets that use the access point in order to hook into your network and your Internet connection. The first wireless device that comes to mind for most people is a laptop computer. However, there are hundreds of gadgets that can access wireless networks these days. Library patrons use cell phones, smartphones, personal digital assistants (PDAs), personal gaming devices (like the PlayStation) and more to connect themselves to wireless networks. Through the rest of this book, “laptop” will be used as shorthand for all of the wireless devices out there.
  • Each wireless device has a wireless network adapter — a specific piece of hardware that connects a computer to a WLAN. Wireless adapters come in all shapes and sizes. Some adapters are built into the computer. Others need to be purchased separately and then plugged into the Universal Serial Bus (USB) port or PC Card port.

A Basic Wireless Network

Wireless Options Comparison Chart

The following chart is an overview of some wireless options.

  • Access point
    Why? Basic wireless connectivity
    Cost: $50 to $80
    Time and labor: One to two hours
  • Wireless gateway
    Why? Increased control over your wireless network
    Cost: $500 to $1500
    Time and labor: Variable, depending on what features you want, but gateways are more difficult to configure than a regular access point
  • Hotspot provider
    Why? Ease of maintenance
    Cost: $500 to $1000 startup cost and $50 per month
    Time and labor: Depends on your package, but providers often perform all setup and troubleshooting for you and your patrons
  • A second Internet connection
    Why? Improved security
    Cost: $25 to $50 per month
    Time and labor: One to two hours
  • A firewall with separate VLANs
    Why? Improved security
    Cost: $500 to $1500
    Time and labor: Variable, but firewalls are complex devices, and you may need outside help to configure it properly

Note: Sorting through the variations of this approach can be confusing. You might want to talk to an experienced network consultant first.

Quick Checklist for Setting Your Wireless Access Policy

Use this “Quick Look” checklist to make sure you’re covering your bases when it comes to crafting a wireless policy for your library.

  • Check your existing Internet (Computer) Use Policy. Do you need to add anything to it relating to use of the wireless? You may decide that it covers your situation. However, do keep in mind the following possible additions:
    • Network Security: If you’re providing a fairly open network, consider a disclaimer about the possibility of radio signals (wireless) being intercepted. This is more specific to wireless than the equally useful disclaimers in your Internet policy about how the “library is not responsible for lost data due to network failure” and “beware of viruses” and “be careful about transmitting your personal information on an open network.”
    • Network Availability: WLANs can be flaky, and patron laptops can be even more so. Note that they may lose signal at random and the library takes no responsibility for lost data, etc.
    • Limitations on Use: Time limits, bandwidth limits, no FTP, no telnet, no streaming content. Do you offer printing? Web-based email only (no SMTP server)?
    • Personal Equipment Security: Warn patrons that the library is not responsible for stolen equipment, lost data due to their equipment failure, etc.
    • Filtering: Note if the wireless access is filtered, especially if the in-house network is not, or is only partially filtered (filter by patron choice only, for instance). You may want to quote any law (CIPA) relating to this in brief.
    • Support: Will your library staff provide help with patron laptops? Can they provide help with determining if there is a signal present (i.e., if the APs are working)? If you don’t want staff touching patron laptops due to liability, say so.
  • Make sure your staff are kept in the loop about any wireless initiatives, in particular about what they’ll be expected to offer in the way of support for patrons. This sounds silly, but wireless initiatives can happen so quickly that staff may not have time to become aware of all the issues involved, especially what patrons will ask them.
  • Promote the Policy: How will you notify users of the policy? Do they have to sign off on it before they can use your system? Will you print it out and post it? Put it on your Web site? Use a captive portal or similar product to force users to agree to the policy?
  • Get Policy Approval: Any policy should be run by your board or advising committee, and preferably your university or city attorney, to be sure the language is appropriate both for liability and also in line with your existing policies.
Adapted with permission from: Wireless Networking: A How-To-Do-It Manual for Librarians by Louise Alcorn and Maryellen Mott Allen. New York: Neal-Schuman Publishers, 2006.

Where and How to Find Vulnerabilities

POSSIBLE VULNERABILITY / WHAT TO CONSIDER
Patrons can access the staff network
Use your networking equipment (e.g., router, switch, firewall) to create separate sub-networks for patron computing and staff computing. Network administrators often use Virtual LANs (VLANs) and firewalls to accomplish this. This step is especially important if you have a wireless network for patrons. Some of those laptops will be riddled with viruses and malware. Also, while most patrons have no interest in hacking your network, there's no point in tempting them. For more information on wireless security, see Chapter One of Recipes for a 5-Star Library.
You don't have control of critical data
Where do you keep your patron data, circulation records, financial documents, staff documents and critical databases? Make sure you have a list of all the mission-critical data collections in your library, where they're stored, how they're backed up and who has access to them.
You haven't secured your servers
Devices that connect directly to the Internet must be secured. Do you have servers (e.g., Web servers or e-mail servers) exposed to the Internet or your public network? Have the servers been "hardened" by removing all unnecessary applications, services and user accounts? You should not have a Web server that has additional services running beyond what it needs to complete its primary function. The exact steps for hardening a server depend on your configuration, but you should look for advice and see if there are any software tools that might help (e.g., the Microsoft Baseline Security Analyzer).
You aren't taking basic precautions
All PCs should have the latest operating system updates, the latest software patches and up-to-date virus definitions. As much as possible, try to automate these updates so they aren't forgotten. For more information, see Chapter Two of A Cookbook for Small and Rural Libraries.
You haven't paid attention to physical security
Who has the keys to your building? Are there locks on your server room? Who has keys to that room? Do you have any computers in far-off corners of the library where your staff has a hard time seeing them? If you check out laptops and other equipment to the public, have you thought about theft prevention?
You aren't backing up critical data on a regular basis
For more information on backup tools and strategies, see Backing Up Your Data at TechSoup.
You aren't testing your backups
We've heard a few horror stories about libraries who thought they had backups, only to find that the backup tapes were blank or unusable. For more information, see Worst Practices: Don't Test Your Backups at TechRepublic.
You're using weak passwords
For advice on choosing good passwords, read Strong Passwords and Password Security at Microsoft.com.
You have not addressed possible internal security threats
Many surveys show that internal security breaches are the most common type. Departing, bored and disgruntled employees are potential problems that we sometimes overlook. Design your network with limited and appropriate access. Create policies regarding the process for changing passwords. When an employee leaves, delete or suspend their user accounts immediately.
Your staff doesn't understand the risks of social engineering
Social engineering is a technique that hackers use to trick people into divulging private, secure information. It's still one of the leading causes of security breaches. For example, an employee might receive a phone call from someone who claims to work for your Internet service provider or other technical support. The caller says that he's fixing a problem and needs the user's password to test a possible solution. The employee hands over the information without verifying the caller's identity.
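The two backup items in the table above (back up regularly, and test what you backed up) are the ones most easily turned into a routine check. The following Python script is an added example, not code from the original guide: it backs up a constructed folder to a compressed tar archive, restores that archive into a scratch directory and compares every file's SHA-256 against a manifest taken at backup time, then repeats the check on a truncated copy of the archive so that an unusable backup is reported by the script rather than discovered on the day it is needed. The folder name, file names and contents are made up for the example.

```python
"""Restore-and-compare check for a backup archive.

Added example, not code from the original guide. The "circulation" folder,
its files and the truncated archive are all constructed here.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Use the tar extraction filter where this Python version provides it.
EXTRACT_OPTS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path) -> dict:
    """Write source to a tar.gz archive; return the manifest to verify against."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    return manifest(source)

def verify_backup(archive: Path, expected: dict) -> tuple:
    """Restore into a scratch directory and compare hashes.

    Returns (ok, problems). An unreadable archive is reported as a failure
    rather than raised: that is precisely the case the check exists to catch.
    """
    problems = []
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **EXTRACT_OPTS)
            restored = manifest(Path(scratch))
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, [f"archive unreadable: {exc}"]
    for rel, digest in expected.items():
        got = restored.get(rel)
        if got is None:
            problems.append(f"missing: {rel}")
        elif got != digest:
            problems.append(f"changed: {rel}")
    return not problems, problems

def demo() -> tuple:
    """Back up a constructed folder, verify it, then verify a truncated copy."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "circulation")
        (src / "holds").mkdir(parents=True)
        (src / "patrons.csv").write_text("id,name\n1,constructed sample\n")
        (src / "holds" / "today.txt").write_text("no holds today\n")
        archive = Path(work, "nightly.tar.gz")
        expected = make_backup(src, archive)
        intact_ok, _ = verify_backup(archive, expected)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 3])   # simulate a tape that ran out
        truncated_ok, problems = verify_backup(archive, expected)
        print("intact:", intact_ok, " truncated:", truncated_ok, problems)
        return intact_ok, truncated_ok

if __name__ == "__main__":
    demo()
```

The manifest is written at backup time, so keep it somewhere other than the backup medium; a manifest that lives on the same tape as the archive disappears with it.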

Firewalls at a Glance

With so many firewall products on the market, trying to fit each into a specific category would be nearly impossible. The following categories provide generalized descriptions of the most typical firewalls for different-sized library networks. The manufacturers listed do not represent recommendations, nor are they restricted to any particular category; they are meant to provide common names for each category.

  • Basic: Firewall commonly found in homes, small offices and small libraries.
    Price range: $50 to $150
    Description: These firewalls provide basic port forwarding, packet filtering and logging. Although the specification may claim to support more connections, these are generally designed to support networks with 5-10 computers.
    Common manufacturers: Belkin, D-Link, Linksys and Netgear
  • Mid-range: These firewalls, made by Watchguard, Symantec and Sonicwall, are found in medium-sized libraries with more specific needs and with 10-50 computers.
    Price range: $300 to $700
    Description: These firewalls provide more advanced, stateful packet inspection and technologies such as VPN, user authentication and content filtering.
    Common manufacturers: Watchguard, Symantec and Sonicwall
  • Advanced: For larger library systems, advanced firewalls offer very high capacity and feature-rich devices.
    Price range: From $2,000 to well into five figures
    Description: You will not find these in most small to medium libraries.
    Common manufacturers: Cisco, Checkpoint and Juniper

Network Performance Metrics Defined

TERM / HOW IT APPLIES TO YOU

Latency

  • Refers to the amount of time (usually measured in milliseconds) it takes for data to travel from one location to another across a network (or across the Internet, which is a network itself).
  • Is sometimes referred to as delay, because your software is often waiting to execute some function while data travels back and forth across the network. For example, Internet Explorer can’t display a story from CNN.com until CNN’s Web servers respond to your request for that page.
  • Is often less than 100 milliseconds on today’s high-speed network, which has very little impact on Web surfing.
If you’d like a more thorough explanation, see It’s the Latency, Stupid and It’s Still the Latency, Stupid.

Generally, you only need to be concerned about latency in two situations:

  • First, when your staff and patrons complain about a slow connection, high latency could be part of the problem, though you might not be able to do anything about it other than contact your ISP and ask them to address the issue.
  • Second, if you’re planning to install Voice over IP (VoIP) or any other application that relies on live, real-time transmission of video or audio, you need to ask your service provider about their latency. Real-time voice and video applications are sensitive to network delays. For instance, with VoIP on a high-latency connection, you’ll notice that the audio is choppy, with lots of pauses and dropped syllables. Jitter refers to variation in the amount of latency, and it has a similar negative impact on real-time communication.

 

Bandwidth and throughput

These two terms are sometimes used interchangeably, and though they are related, they’re not quite the same. They both refer to the amount of data transferred between two points on a network in a given period of time. In other words, how many bits per second can you send across your network or over your Internet connection?

On a day-to-day basis, you’ll usually see them measured in Kbps (kilobits per second), Mbps (megabits per second) or Gbps (gigabits per second). Bandwidth generally refers to a theoretical maximum, while throughput is a real-world, practical measurement. The distinction is relevant because ISPs will usually advertise their bandwidth, which is often higher than the throughput that you’ll actually receive. In other contexts, you’ll see the terms bandwidth, throughput and speed used interchangeably.

Bandwidth vs. latency

If you’re still having trouble grasping the difference between latency and bandwidth (or throughput), this analogy from the Gentoo Linux wiki might help: “Latency is a measure of the time a packet needs to get from point A to point B. Bandwidth measures the amount of data that got from A to B in a certain time. So, if you were to take a dictionary to your friend on the other side of town, your bandwidth would be good, but the latency would be bad (the time spent driving, to be exact). However, if you were to phone your friend and start reading the dictionary to him, the latency would be lower, but the bandwidth would be substantially less than in the first example.”

Uptime or responsiveness

Uptime, sometimes referred to as availability or responsiveness, refers to the amount of time that a computer or a network connection is functioning and usable.

If you’re buying a leased line, the ISP’s guarantee with regard to uptime should be written into the Service Level Agreement. You also want to measure the uptime of your own hardware and software equipment to see if a device has a recurring problem.
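To put numbers on the latency, jitter, loss and uptime terms defined in this section, here is an added Python example, not code from the original guide. It parses constructed ping output (Linux iputils format, not a real capture) into average and maximum latency, jitter as the mean change between consecutive round trips, and packet loss; converts an SLA's uptime promise into the hours of downtime it actually tolerates, including the case where the promise is an average across several links; and scores a constructed probe log against a target. The host name, addresses and probe results are made up for the example.

```python
"""Latency, jitter, loss and uptime arithmetic for a library WAN link.

Added example, not code from the original guide. The ping output is
constructed in the Linux iputils format (not a real capture), and the
probe log used for the uptime check is likewise made up.
"""
import re
import statistics

SAMPLE_PING = """\
PING opac.example.org (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=55 time=38.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=55 time=41.9 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=55 time=120.4 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=55 time=39.0 ms
64 bytes from 192.0.2.10: icmp_seq=6 ttl=55 time=37.7 ms
"""
SAMPLE_SENT = 6          # probes sent; icmp_seq=3 never came back

RTT_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")

def ping_stats(output: str, sent: int) -> dict:
    """Latency (average and maximum), jitter and loss from ping output.

    Jitter is the mean absolute change between consecutive round-trip
    times: the thing that makes VoIP audio choppy even when the average
    latency looks acceptable.
    """
    seqs, rtts = [], []
    for m in RTT_RE.finditer(output):
        seqs.append(int(m.group(1)))
        rtts.append(float(m.group(2)))
    missing = sorted(set(range(1, sent + 1)) - set(seqs))
    if not rtts:
        return {"received": 0, "loss_pct": 100.0, "avg_ms": None,
                "max_ms": None, "jitter_ms": None, "missing_seq": missing}
    diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {
        "received": len(rtts),
        "loss_pct": 100.0 * (sent - len(rtts)) / sent,
        "avg_ms": statistics.fmean(rtts),
        "max_ms": max(rtts),
        "jitter_ms": statistics.fmean(diffs) if diffs else 0.0,
        "missing_seq": missing,
    }

def allowed_downtime_hours(uptime_pct: float, hours_in_period: float = 30 * 24,
                           links: int = 1) -> float:
    """Downtime an SLA tolerates over the period.

    When the promise is an average across several links, the whole budget
    can land on a single link, so the per-link figure is multiplied by links.
    """
    return (100.0 - uptime_pct) / 100.0 * hours_in_period * links

def uptime_from_probes(probes: str, target_pct: float) -> tuple:
    """Measured availability from a probe log ('U' up, 'D' down, one
    character per check) and whether it meets the SLA target."""
    measured = 100.0 * probes.count("U") / len(probes)
    return measured, measured >= target_pct

if __name__ == "__main__":
    print(ping_stats(SAMPLE_PING, SAMPLE_SENT))
    # 99.8 percent promised as an average across ten links, 30-day month
    print(f"{allowed_downtime_hours(99.8, links=10):.1f} h may fall on one link")
    day = "U" * 1436 + "D" * 4      # constructed: four failed one-minute checks
    print(uptime_from_probes(day, 99.8))
```

On the sample, the average latency of about 55 ms hides a 120 ms outlier and a jitter of about 41 ms, which is why a VoIP pilot should look at jitter and loss from a probe log and not only at the average a vendor quotes.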

Hardware and software

Your network relies on switches, servers, routers and firewalls, so network monitors can usually track metrics such as CPU utilization, remaining hard drive space and memory use. Also, by sending messages to your Web site, your OPAC and other key applications, your network monitor can track the responsiveness of mission-critical services and software.

Etc.

There are hundreds of data points you could track on your network, so you’ll have to spend some time talking to your vendor or wading through the documentation.

Ten Factors to Consider when Shopping for a Telecom Provider

  1. Business vs. residential: ISPs usually distinguish between the services they market to businesses and the services they market to home users. Residential customers can usually choose between dial-up, cable Internet, DSL and, in some areas, Fiber to the Home (FTTH). Business customers often have several additional options to choose from such as Frame Relay, Metro Ethernet, SONET and SDSL. The underlying technologies and protocols shouldn’t be your first concern, and the exact menu of choices varies a lot from city to city. What’s important here is that business-class connections provide more reliability, greater upload speeds and other advantages important to some nonprofits. On the downside, business-class connections usually cost a lot more. If your needs are limited, you might not need a business-grade connection. On the other hand, ISPs don’t always offer residential broadband service to office buildings and organizational customers.
  2. Reliability and service level agreements: Most business-class Internet connections come with assurances regarding “uptime” and other metrics. In other words, your ISP might guarantee that 99.9 percent of the time your connection will work, and they promise to refund some of your money if they fail to meet that target. Also, they often make promises with regard to throughput, latency, dropped packets and other measures. These promises are usually captured in a Service Level Agreement (SLA). Bear in mind that your ISP only makes these promises with regard to service between your building and the edge of the ISP’s network (where it connects to the Internet backbone). Beyond that they have no control. Also, if you have several connections from the same provider, your ISP may make assurances about average, across-the-board metrics. For instance, if they promise a monthly average of 99.8 percent uptime across ten high-speed connections, that leaves them a lot of leeway. Your main Internet connection could be down for roughly 14 hours a month and they’d still be within the terms of the SLA. Pay close attention to this type of detail. An example of an SLA can be found at Speakeasy.net.
  3. How long does the contract last? ISPs will sometimes offer reduced rates in exchange for a long-term contract. Be cautious about any contract that lasts for more than two years. The services, prices, providers and technologies are changing all the time in the Internet access market. When a cheaper, faster service shows up in your community a year from now, you don’t want to be locked into a four-year contract.
  4. Equipment and installation costs: Residential plans usually have very low setup costs. You pay $50 to $75 for a modem and a $25 to $50 installation fee. On the other hand, for some business-class Internet connections, the equipment can cost thousands. For example, if you buy a T-1 connection, you need a CSU/DSU and a router, both of which can cost a thousand or more. Also, the installation and setup fees are usually much higher. You can roll some of these initial costs into your monthly bill by renting equipment from your ISP. In other words, you’ll trade lower up-front costs for higher ongoing costs.
  5. Uploading vs. downloading: Uploading, or upstream, refers to the transfer of data from within your local area network to machines outside your network, and downloading is the reverse. We spend most of our time on the Internet downloading Web pages, files, audio streams, etc., as do our patrons. However, since libraries host Web sites, email servers, Web-accessible online catalogs and other services, your ability to send data upstream over your Internet connection is nearly as important as your download speed. In fact, with more and more patrons uploading videos, photos and other large files to sites such as YouTube and Flickr, you should think about upload speeds even if you aren’t hosting a Web site or an OPAC in your building. Most broadband connections marketed to home users (e.g., DSL and cable) are asymmetric. In other words, the upload speed is much lower than the download bandwidth. With DSL, for example, your download rate might be 1-Mbps, while your bandwidth for uploading is only 150-Kbps. In fact, residential service contracts from some ISPs expressly forbid the hosting of Web sites and other online services. On the other hand, business-class broadband connections usually provide more bandwidth for uploading. If you have a leased line (e.g., a T-1 line), your upload and download speeds are usually the same. SDSL is another symmetric technology that’s often used for business-grade Internet access.
  6. Scalability: If you need more bandwidth a year from now, will your existing networking equipment and data lines handle the extra traffic? How much will your ISP charge you to upgrade the connection?
  7. Integrated voice and data service: Ten years ago, most companies sent their phone traffic over one connection and their data over another, and these lines were often purchased from different providers. It’s more and more common to get both services from the same vendor, over the same lines, sharing much of the same equipment. For example, you can lease a T-1 line from your phone company and use half of it for Internet traffic and half for phone traffic, and a single device can handle routing and security for both services. Also, bear in mind that some networking technologies can allocate bandwidth dynamically while others can’t. In other words, if the voice section of your high-speed line is empty because nobody’s making a call, can staff and patrons use that bandwidth to surf the Web?
  8. Managed services: If you have the required expertise, you can manage your own routers and the other networking equipment you need for Internet access. However, most ISPs offer a managed option where they handle all the configuration and troubleshooting. Sometimes the managed equipment still resides in your building, but in other cases, it’s hosted by your ISP. When it’s time to dispose of the router or the firewall, the service provider takes care of it. Obviously, you pay more for this type of service.
  9. How does this impact e-rate? If you plan to buy new equipment or upgrade your Internet connection, how will it impact your e-rate application? If you plan to change service providers and you apply for discounts under Priority 1, make sure your new provider is an eligible telecommunications carrier. Also, the cost of on-premises telecommunications equipment is often eligible for e-rate discounts under Priority 1 if the equipment is integral to the provision of the high-speed connection. For a short explanation of what’s eligible under e-rate and what isn’t, see Appendix G of Recipes for a 5-Star Library. For the long explanation, see the 2008 eligible services list.
  10. Redundancy: Do you have more than one way to get to the Internet? Sooner or later a construction crew will cut a line somewhere in your town, or a transformer will blow up. Some ISPs can provide redundancy by selling you two data lines that connect to the ISP’s network at two different locations. In other words, you can lease two T-1 lines that terminate at two different Points of Presence (or POPs, which just refers to phone company facilities near your building). If that’s too expensive, you could lease a single T-1 from the phone company and buy cable Internet service or dial-up service as a backup solution in case your primary line goes down. Of course, you should only consider this if 24x7 Internet access is critical to the operation of your library. For anything besides dial-up access, you’ll pay a lot of money for a redundant connection that you might need only once or twice a year.

Bandwidth Management Techniques — Tips and Actions

Traffic shapers

Traffic shapers limit the speed and bandwidth available to certain data streams. You can limit a particular type of application (e.g., specify that traffic from file-sharing software can never exceed 200 Kbps), or you can specify how much bandwidth is available to each user. This technique is sometimes known as packet shaping or bandwidth limiting.

Tips and actions:
  • Limiting by type of application (or port number) is occasionally difficult because software can be designed to use random port numbers to communicate in order to evade traffic shapers.
  • Also, port 80 (the HTTP port for standard Web traffic) handles a wide variety of different data, and you don’t want to throttle it all indiscriminately.
  • Most traffic shapers can handle these routine evasive maneuvers by inspecting each packet of data carefully.
  • Investigate your packet-shaping tool to see what kinds of distinctions it can make. For example, can it tell the difference between Web audio and Web video? Can it recognize BitTorrent traffic, regardless of the port it’s traveling across?
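To see why a port-number rule is easy to slip past and what packet inspection adds, here is an added example in Python (not code from this guide): a port-only classifier beside a payload-inspecting one, run over three constructed sample connections. The port ranges and sample flows are assumptions; the BitTorrent handshake prefix and the HTTP request-line shape are the real protocol markers.

```python
from dataclasses import dataclass

# Real protocol markers: a BitTorrent peer handshake begins with the byte 19
# followed by "BitTorrent protocol"; an HTTP request begins with a method token.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection


def classify_by_port(flow: Flow) -> str:
    """Port-only rule set of the kind a naive shaper applies (assumed ports)."""
    if flow.dst_port in (80, 8080):
        return "web"
    if 6881 <= flow.dst_port <= 6889:  # BitTorrent's traditional default range
        return "bittorrent"
    return "other"


def classify_by_payload(flow: Flow) -> str:
    """Look at what was actually sent, regardless of the port it travels on."""
    if flow.payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if flow.payload.startswith(HTTP_METHODS):
        return "web"
    return "other"


# Constructed sample flows: an ordinary page load, a BitTorrent client on a
# random high port, and a BitTorrent client using port 80.
SAMPLE_FLOWS = [
    Flow(80, b"GET /catalog/search?q=novel HTTP/1.1\r\nHost: library.example\r\n"),
    Flow(51413, BT_HANDSHAKE + bytes(8) + bytes(20) + bytes(20)),
    Flow(80, BT_HANDSHAKE + bytes(8) + bytes(20) + bytes(20)),
]


def compare(flows):
    """Return (port_label, payload_label) per flow so the gap is visible."""
    return [(classify_by_port(f), classify_by_payload(f)) for f in flows]


if __name__ == "__main__":
    for f, (by_port, by_payload) in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f"port {f.dst_port:>5}: port rule says {by_port:<10} payload says {by_payload}")
```

The port rule waves the last two flows through as "other" and "web"; only the payload check puts both under the 200 Kbps file-sharing limit.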
Quality of Service (QoS)

QoS complements packet shaping, and it often requires packet shaping to work effectively. Packet shaping delays and limits low-priority Internet traffic, which makes room for higher-priority traffic. QoS, in turn, prioritizes the important or delay-sensitive network traffic, making sure it gets sent out before other traffic streams and guaranteeing that it arrives at its destination within a specified time frame (e.g., under 100 milliseconds). Real-time media, such as voice, video and online gaming, react badly to latency and jitter, so they often need QoS. For instance, latency above 145 milliseconds makes Voice over IP calls unlistenable. On the other hand, most of us can surf the Web at much higher latencies without noticing a serious delay, so there’s no point in applying QoS to ordinary Web traffic.

Tips and actions:
  • To obtain true QoS, with guaranteed latency and bit rates, you need to have some control over the entire network connection, including the equipment at both ends and all the circuits and routers in between. Usually, this means you have to pay your service provider for higher-quality point-to-point connections (aka leased lines), because you can’t guarantee QoS over the public Internet.
  • On the flip side, you can implement packet shaping on one end of a network connection, so it’s often cheaper and less difficult to set up. Packet shapers can usually prioritize certain traffic streams, but they can’t guarantee delivery the way an end-to-end QoS connection can.
WAN optimization

WAN optimization doesn’t discriminate between traffic streams the way packet shapers and QoS devices do. Instead, optimizers use a variety of techniques to strip out the inefficiencies and redundancies from network traffic. In other words, an optimizer speeds up all the traffic that passes through it. Compression and caching are two basic techniques that optimizers use, but there are a variety of advanced algorithms that we won’t get into here. As with the other devices that we’ve discussed, WAN optimizers usually reside at the edge of your network, behind your router or firewall.

Tips and actions:
  • With certain types of WAN optimizers, you need a device at both ends of the network connection. For example, to take advantage of compression, you need a device at the far end of the connection that’s capable of decompressing.
Web caching

A Web cache is a piece of software or hardware that saves copies of recently accessed pages in memory or on a hard drive in order to speed up retrieval. If you have 200 patrons surfing the Web on any given day, chances are that they’re accessing the same sites over and over again. Some of these sites are saved, or cached, in the Web browser on each individual desktop computer. If you return to a story you were reading half an hour ago, you don’t have to wait while your browser pulls down a fresh copy from a remote Web site. Instead, your browser shows you the version contained in the browser’s local cache. However, this only helps your personal connection. If the patron next to you wants access to the same article, they can’t get it from your local cache. They have to send another request to the remote Web server and download the same article that you downloaded half an hour ago. A Web caching server acts like a big shared cache for the entire network. All the PCs on the network can be configured to check the server first to see if a copy of the desired page has already been retrieved for someone else.

Tips and actions:
  • Some Web pages are constantly updated (e.g., weather information or stock quotes), and other sites are fairly static.
  • Obviously, your caching server shouldn’t hold and redistribute a page of stock quotes that someone retrieved two hours ago.
  • Any request for time-sensitive information should bypass the caching server. Fortunately, most Web pages carry this information themselves: a field in the header sent with the page tells your caching server how long the page may be held.
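An added example (not code from this guide) of the decision just described: a Python function that reads a response’s Cache-Control and Expires headers and reports for how many more seconds a caching server may keep serving its copy. The four sample responses and their timestamps are constructed; the header names and directives are the standard HTTP ones.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value: str) -> dict:
    """Turn 'max-age=300, public' into {'max-age': '300', 'public': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name] = arg.strip('"') or None
    return directives


def seconds_still_fresh(headers: dict, fetched_at: datetime, now: datetime) -> float:
    """Seconds the cached copy may still be served, or 0.0 if it must not be
    reused (no-store/no-cache/private, already expired, or no lifetime given)."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc or "private" in cc:
        return 0.0                      # time-sensitive: always ask the origin
    age = (now - fetched_at).total_seconds()
    if cc.get("max-age") and cc["max-age"].isdigit():
        return max(0.0, int(cc["max-age"]) - age)   # max-age wins over Expires
    if "Expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["Expires"])
        except (TypeError, ValueError):
            return 0.0                  # malformed Expires: treat as stale
        return max(0.0, (expires - now).total_seconds())
    return 0.0                          # no lifetime stated: don't guess


def may_serve_from_cache(headers: dict, fetched_at: datetime, now: datetime) -> bool:
    return seconds_still_fresh(headers, fetched_at, now) > 0


# Constructed samples: every page was fetched at 10:00 UTC and requested again
# by a second patron at 10:30 UTC.
FETCHED = datetime(2008, 6, 1, 10, 0, tzinfo=timezone.utc)
NOW = FETCHED + timedelta(minutes=30)
STOCK_QUOTES = {"Cache-Control": "no-cache, must-revalidate"}   # always bypass
STATIC_PAGE = {"Cache-Control": "public, max-age=86400"}        # good for a day
NEWS_STORY = {"Cache-Control": "max-age=600"}                   # 10 min, now stale
LEGACY_PAGE = {"Expires": "Sun, 01 Jun 2008 12:00:00 GMT"}      # older-style header
```

Run the four samples through may_serve_from_cache: only STATIC_PAGE and LEGACY_PAGE may be served from the shared cache at 10:30; the stock quotes are never cached and the ten-minute news story has already gone stale.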

Network Inventory

As with anything IT-related, you have the option to automate all or part of your network inventory. Many different types of software (e.g., asset management programs, network management programs, network inventory tools) have the ability to scan your network and collect information about your existing equipment. However, it takes time to find the right tool, learn it, and integrate it with your networking equipment. If you don’t have a large network, or don’t have the time to investigate network inventory software, use the worksheets provided here.

At the end of each inventory sheet, we’ve included space for you to record administrative logon information. As always, be careful about how you handle sensitive usernames and passwords. It’s often a good idea to record usernames and passwords in a separate, encrypted file. Also, regardless of how you record logon information, be sure to protect these worksheets and any IT documentation. Even without passwords, a hacker could use the information to compromise your network.

Switch

MAKE/MODEL
LOCATION
IP ADDRESS
  IP
  Subnet Mask
  Gateway
VLAN INFO (IF ANY)
ADMIN LOGON
CONNECTED TO
SPEED
SERIAL #
ASSET TAG #
PORTS
  TOTAL
  FREE
DATE PURCHASED
PURCHASE ORDER #
TECH SUPPORT PHONE NUMBER
NOTES

Wireless Access Point

MAKE/MODEL
LOCATION
IP ADDRESS (WIRELESS SIDE)
  IP
  Subnet Mask
  Gateway
IP ADDRESS (WIRED SIDE)
  IP
  Subnet Mask
  Gateway
SSID (i.e., the name of your wireless network)
ADMIN USERNAME AND PASSWORD
WIRELESS SECURITY KEY (IF ANY)
SERIAL #
ASSET TAG #
DHCP INFO
DATE PURCHASED
PURCHASE ORDER #
TECH SUPPORT PHONE NUMBER
NOTES

Router

MAKE/MODEL
LOCATION
INTERNAL ADDRESS
  Static?
  Router IP
  Subnet Mask
  Gateway
EXTERNAL ADDRESS
  Static?
  Router IP
  Subnet Mask
  Gateway
ADMIN LOGON
REMOTE ACCESS
WHERE IS THE CONFIGURATION FILE?
SERIAL #
ASSET TAG #
PORTS
  TOTAL
  FREE
DATE PURCHASED
PURCHASE ORDER #
TECH SUPPORT PHONE NUMBER
NOTES

Firewall

MAKE/MODEL
LOCATION
INTERNAL ADDRESS
  Static?
  Firewall IP
  Subnet Mask
  Gateway
EXTERNAL ADDRESS
  Static?
  Firewall IP
  Subnet Mask
  Gateway
ADMIN LOGON
REMOTE ACCESS
WHERE IS THE CONFIGURATION FILE?
SERIAL #
ASSET TAG #
PORTS
  TOTAL
  FREE
DATE PURCHASED
PURCHASE ORDER #
TECH SUPPORT PHONE NUMBER
NOTES

Internet Connection Hardware

EQUIPMENT TYPE (E.G., CABLE MODEM)
MAKE/MODEL
INTERNAL ADDRESS
  Static?
  Hardware IP
  Subnet Mask
  Gateway
EXTERNAL ADDRESS
  Static?
  Hardware IP
  Subnet Mask
  Gateway
ADMIN LOGON
REMOTE ACCESS INFO
LOCATION
SERIAL #
ASSET TAG #
CONNECTION SPEED (E.G., 1.54 MBPS)
DATE PURCHASED
PURCHASE ORDER #
TECH SUPPORT PHONE NUMBER
NOTES

Other Network Information

DHCP Server

Server Name
IP Address
Subnet Mask
Gateway
Physical Location
Range 1
  Exceptions
Range 2
  Exceptions
Range 3
  Exceptions
Notes

DNS Information

Primary DNS Server
  IP Address
  Who Hosts It?
  Notes

Secondary DNS Server
  IP Address
  Who Hosts It?
  Notes

Web Site

Web Site URL
Web Server Software
Root File Directory
FTP Server Name
FTP Logon Info

(if hosted internally)
Server Name
Physical Location
IP Address
Subnet Mask
Gateway

(if hosted by a third party)
Web Hosting Company
Web Host Contact Info
Account Management URL
Account Management Logon Info
Monthly Bandwidth/Storage Limits
Cost

Notes

Domain Registration

Domain Name
Registrar Name
Registered Admin Contact
Registered Technical Contact
Registration Login Information
Contact Email
Expiration Date
Last Renewed