Opening Networks to A Changing World

As we become more dependent on diverse methods of obtaining and providing information, our structures must change, as well.

In the case of Media General, our network infrastructure has been designed to allow communication between all of our properties. The original hub and spoke design that we first implemented over a decade ago has morphed into a significantly complex network. What used to be a very neat, concise, simple drawing is now a mass—although a well-organized mass—of circuits and properties along with a host of equipment to keep it operational.

MANAGING CHANGES

If you operate in an enterprise-network environment, you've likely experienced the same concerns regarding network security and access. One of the biggest issues is managing the entire network and ensuring a safe environment. One of the biggest fears has always been a change that is implemented at a remote property without proper approvals. A change made by a local site can put that site at significant risk and potentially expose your entire enterprise.

Examples of these concerns include the unauthorized addition of a switch or hub that has unsecured wireless access, or connection of an unknown broadband source directly to the local area network. These pose a risk to your networks and potentially open a door to your enterprise.

For these reasons, we have always had policies in place requiring review and approval of any significant network changes at local sites. Routers, for example, are maintained by our networking group… not local personnel. All the monitoring and policies in the world, however, can't stop someone from making a change.

Our typical model includes multiple direct circuits to a site, in addition to a broadband Internet service that is tunneled back to our firewalls. This allows us to ensure that Internet access is monitored and controlled safely, and also limits us to two enterprise-class firewalls. That makes overall management much easier on everyone.

[Figure: Station DMZ]

PROVIDE A SECURE SOLUTION

During the past couple of years we have seen an increasing need for change to this approach. Sites are doing much more with digital content—both receiving and distributing—requiring greater flexibility and increased bandwidth. Broadband can offer fast Internet access with great bandwidth options at attractive pricing. A $100 per month broadband circuit offering a 10 Mbps download capacity is certainly more appealing than additional T1s at $600 per month or more. Of course, you need to be aware of the difference… broadband Internet is suited for some applications, whereas dedicated circuits are likely necessary for critical needs.

We're also seeing an increase in spot providers and a change in their delivery models—to Internet delivery. While each differs in detail, most are utilizing the Internet to provide digital content to our sites. The increase in volume and file sizes (due to high-definition content) is forcing us to rework our networks and rethink our approach. I recently enjoyed a good laugh from a vendor promoting this as their "green initiative." My take: Their "initiative" basically means we use our hardware, our bandwidth and our resources. Comical or not, that's becoming a reality. We'll be able to accommodate a multitude of vendor- and hardware-specific needs by using a controlled DMZ (demilitarized zone).

Our current focus is on HD content, spots and long-form programming. This alone is utilizing bandwidth at a rapidly increasing rate. We also want to utilize this for weather traffic and graphics delivery. This will also go a long way to help further our digital journalist needs, providing a direct path from field to station. In order to provide a secure solution, we decided to provide our sites with an established, yet controlled DMZ. Effectively, using appropriate hardware, we are putting into place a way of getting content directly to sites and providing a variety of solutions.

In addition to spot and content gathering, this also solves issues with bandwidth-intensive projects we have to monitor newscast feeds. We have the opportunity to work and test Skype-type Internet-based solutions off of our network and eliminate security concerns. We can even begin having our digital journalists push content wirelessly directly to the station. And, it gives us a secure "playground" for testing.

BUILDING THE DMZ

We're beginning the implementation methodically and ensuring that the changes and opportunities (as well as the restrictions) are clearly communicated. With these changes come additional administrative and monitoring needs. We are suddenly looking at managing 20-plus firewalls, as opposed to two. We are building the environment safely, ensuring no direct access from the DMZ to the LAN. All connectivity to the DMZ must be initiated internally. We are working on solutions to capture logging of these systems and provide a centralized reporting source. We are also building each DMZ to be as identical as possible.
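
One way to check those design rules across many site firewalls, as an added example that is not from the original column or from Media General: the script flags any rule that lets the DMZ open a connection into the LAN and reports where a site's rule set differs from a common baseline. The rule format, zone names, ports and site names are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"
    state: str           # "new" or "established"

# Baseline every site DMZ firewall should match (constructed for illustration).
BASELINE = [
    Rule("lan", "dmz", 22, "allow", "new"),            # admins reach DMZ hosts
    Rule("lan", "dmz", 443, "allow", "new"),           # LAN pulls content from the DMZ
    Rule("dmz", "lan", None, "allow", "established"),  # replies to LAN-initiated flows
    Rule("internet", "dmz", 443, "allow", "new"),      # vendors deliver into the DMZ
    Rule("dmz", "lan", None, "deny", "new"),           # DMZ never opens a session to LAN
]

# Constructed per-site rule sets; "site-b" carries an unapproved local change.
SITES = {
    "site-a": list(BASELINE),
    "site-b": BASELINE[:4] + [Rule("dmz", "lan", 445, "allow", "new")],
}

def policy_violations(rules):
    """Allow rules that let a non-LAN zone initiate a connection into the LAN.
    Conservative: flags the rule even if an earlier deny would shadow it."""
    return [r for r in rules
            if r.dst == "lan" and r.src != "lan"
            and r.action == "allow" and r.state == "new"]

def drift(rules, baseline=BASELINE):
    """Rules missing from, or added to, a site relative to the baseline."""
    missing = [r for r in baseline if r not in rules]
    extra = [r for r in rules if r not in baseline]
    return missing, extra

def audit(sites):
    """Central report: one entry per site that violates policy or has drifted."""
    report = {}
    for name, rules in sorted(sites.items()):
        missing, extra = drift(rules)
        bad = policy_violations(rules)
        if bad or missing or extra:
            report[name] = {"violations": bad, "missing": missing, "extra": extra}
    return report

if __name__ == "__main__":
    for site, findings in audit(SITES).items():
        print(site, findings)
```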

These changes are a significant departure from our previous models, but are already showing benefit. They also require our remote technical personnel to have a clear understanding of the operation now located at their site… and an increased responsibility for maintaining and monitoring the physical portion.

This implementation will allow us to continue to expand our capabilities of providing (and receiving) information in a variety of forms, efficiently and safely. We'll work to expand the scope, offload bandwidth-intensive systems from our LANs and WAN, and evolve into a new manner of providing connectivity. I'll keep you posted as we progress. Count on IT!

Michael J. Sutton is director of IT at Media General Broadcast Group in Richmond, Va. He can be reached at msutton@mgbg.com.