Hughes outlined plans for replacing McCarran's older FDDI network, built on Optical Data Systems components, with an Enterasys gigabit core. He says he's still fond of the ODS gear and can't complain about downtime. So why switch? "It doesn't do what we want it to do," he says. For starters, the FDDI (100 Mbps) network doesn't support VLANs, nor can it provide the kind of bandwidth that Hughes needs to ship GIS (geographic information system) data and video around the facility. The GIS need was addressed two years ago with an initial Gigabit Ethernet rollout using Cisco series 6000 gear. After the success of that project and discussions with vendors, Enterasys was chosen for the airportwide deployment. With desktop connections at 100 Mbps and a gigabit core, the GIS department (one of the recipients of the new gigabit network) now enjoys faster response times.
In addition, the airport sells dark fiber to the airlines, but, Hughes says, "We could offer them VLANs over copper," which is cheaper and quicker than fiber to implement.
But what about the security implications? The CTO of some airline, for instance, might be uncomfortable using McCarran's VLANs. "His data is already on my network," Hughes says. "We have the firewalls in place. We have operational security in place. We have intrusion protection in place."
It's interesting to note that McCarran has no chief security officer. There is no dedicated network security person, and Hughes makes no apologies for it. "Security is a shared responsibility," he says, a sentiment with which we heartily agree. He points out that, though McCarran runs a number of Microsoft products, "Our impact from SQL Slammer was exactly zero."
Central Command
McCarran controls all the front-end systems that present information about flights, passengers and personnel throughout the airport, right down to the baggage tag printers.
This speaks well for the facility's patch procedures, network design, content scanning and default firewall rule sets. A quick scan reveals McAfee virus protection on workstations with up-to-date signatures and engines, and when we tried to connect back to our office VPN by plugging into an Ethernet port, we were categorically denied. McCarran's "default deny" posture requires authentication to connect out to the Internet.