Linux and Security at Salem Hospital: A Case Study
Oregon's capital city of Salem is located midway between Portland and Eugene in the middle of the Willamette Valley. Next to Pringle Creek Park sits the 450-bed Salem Hospital, a not-for-profit acute care facility and the city's largest employer, with 500 physicians and 3,300 total employees.
But just as the banks of Pringle Creek are crowded with larches, mulberries, and Douglas firs, the IS department at Salem Hospital had accumulated a hodgepodge of more than a half-dozen incompatible firewalls from an assortment of vendors and free/open-source projects. The acquisition of each security device seemed cheap at the time, but the end result has been undue complexity and high administrative costs for the staff of five network engineers.
The challenge was to find perimeter security that held the sutures together, was simple to manage and was capable of locking down a heavily regulated industry environment at little to no cost. The hospital found a solution 5,200 miles away, in Germany.
"Because we are a not-for-profit organization, we have to watch our spending closely", said Carl Wharton, network systems engineer at Salem Hospital. Wharton and his coworkers keep about 175 Compaq, Hewlett Packard and IBM servers humming happily in the data center that sends traffic through 70 Xtreme routers.
With more than 500 volunteers, the number of end users that must be protected against viruses and network intrusions can be as many as 3,800 people. A T1/Frame Relay cable connects three main campus buildings, five outbuildings and two satellite offices.
Technology from Asita and NetGear, plus freeware from Monowall, was put in-line. Red Hat 9 was installed with its Webmin interface. The command-line interface common to the open-source firewall project netfilter/iptables, however, necessitated specialized know-how in an area where only one engineer had expertise.
"We realized that to keep things patched and current was almost a full-time job in itself. We also realized that I was one of the few maintaining all these firewalls, making it tough to take time off", said Wharton. "We needed to find a way to make it easy for our staff to maintain these firewalls."
The IS department then began a search for perimeter security products, preferably ones equipped with Web interfaces to permit easier management. The team evaluated security products by appliance vendors Asita and NetScreen Technologies, the latter since acquired by Juniper Networks. Salem also tested the Shoreline firewall, more commonly known as Shorewall, a tool for configuring the open-source project Netfilter.
Another key concern for Salem Hospital, besides cost and ease of administration, was the hardware question: specifically, whether to go with a firewall appliance. "One thing we wanted was the ability to put the firewall on hardware that would be a standard piece of equipment in our data center", said Wharton. "We use 4- and 6-port NICs on DL360s as standard platforms, we wanted to have backup equipment ready, and we didn't want to keep another appliance on the shelf in the event of failure."
Because Wharton runs Mozilla and Linux on his desktop, he had a hankering for a Linux-based solution that would provide the Web interface he wanted while also meeting his budget constraints. The team went on-line and discovered Astaro Security Linux, a comprehensive perimeter security product that features integrated virus and spam protection, intrusion detection and content filtering, plus a stateful packet inspection firewall and virtual private network (VPN) gateway. Astaro is supplied as software, so Wharton could use his standard hardware of choice.
Astaro Security Linux incorporates 80 open-source projects, including well-established ones such as Netfilter, Squid and Snort. It provides financial backing to the netfilter/iptables project to keep that ball of evolution rolling. The German-founded Astaro company integrates these projects with a proprietary management platform.
It's easy for Astaro to offer its product at lower cost than competitive products. "We bought a 25 IP license for testing and soon got used to the interface and functions, then we went ahead once we were comfortable and purchased an unlimited license", said Wharton.
The next big tasks for Salem were to reduce the number of firewalls and to change over from using a dial-up connection to using Astaro's VPN for connecting securely to suppliers. "We still are in the process of consolidating our seven firewalls", said Wharton. "We had a freebie firewall called Monowall, but Astaro is more enterprise robust. We had some NetGear firewalls too, but we're in the process of going from one firewall to two firewalls with a DMZ in-between."
Wharton has been using Astaro Security Linux for 18 months now. When asked if he had experienced any unforeseen problems, he concluded, "I don't see any bad outcome. I like the way we can maneuver, make comments and name folders the way we like. We can see the benefit of consolidating the firewalls under one type, and because of that, our manageability problem has been taken care of."