With some of the biggest challenges facing the world today centring on sustainability, climate change and energy security, the University of Cambridge Institute for Sustainability Leadership (CISL) is taking the lead when it comes to delivering high-quality education and support to government, non-governmental organisation (NGO) and enterprise leaders.
Based in Cambridge, with offices in Cape Town in South Africa and Brussels in Belgium, CISL has around 53 staff members. That figure has grown substantially in the past five years, and with industry and academic contributors frequently on-site as well, its two-strong IT team must frequently deal with the needs of up to 80 people.

Its recent growth, and the increasing levels of interest in and collaboration around sustainability issues, has placed increasing pressure on an ageing IT resource, which has been felt particularly on the availability of network services, and user experience of applications and shared file systems.
When CISL’s IT manager, Ellis Karim, took charge a few years ago he found an elderly network composed mostly of 3Com – which was absorbed into what is now Hewlett Packard Enterprise back in 2009 – equipment, with a 3Com Superstack 3 firewall that operated in a non-standard configuration with both the private and public network. This is something Karim, by his own admission, did not have “the time or knowledge” to fix.
Given that the University of Cambridge provides the institute with its backbone connectivity to the internet, his initial priority was to sort out its storage infrastructure and put in place a virtualisation system.
However, it quickly became apparent that with new and emerging security threats, time-consuming configuration and management challenges, poor throughput performance and – above all – a serious lack of visibility into the applications active on the network, more extreme measures needed to be taken.
Freedom of choice
Although it remains under the University of Cambridge’s wing when it comes to some aspects of its IT, CISL retains a degree of autonomy to seek out and deploy the optimal solutions to meet its needs.
Therefore, after consulting with peers, Karim drew up a wish-list of technical capabilities for the replacement firewall, which included greater control of applications, URL filtering, antivirus, intrusion prevention, high availability, identity-based policy enforcement, on-premise IP routing, and browser-based management capabilities.
“We just knew the old devices would only get more troublesome in the face of extra demands. We were worried that threats were in danger of breaking through, though we had no visibility of what was going over the network,” he says.
“We don’t have internal security skills, but needed confidence that we had advanced security capabilities.”
Karim turned to integrator Metropolitan Networks to supply two Fortinet FortiGate-100D integrated security appliances, which adopted a two-stage approach to the roll-out due to the problems caused by the complex and non-standard configuration of the 3Com equipment. Nevertheless, he says, setting up the new appliances themselves was “very straightforward”.
“Metropolitan Networks were fantastic, and we relied heavily on them to ensure no downtime during the changeover. We weren’t firewall experts before, and now we never have to be,” Karim adds.
Both of the new appliances are also backed by Fortinet’s global research operation FortiGuard, which provides up-to-the-minute intelligence on current cyber criminal activities and techniques to offer continuously upgraded protection.
The invisible made visible
For CISL, visibility into the network has been the most immediate impact of the deployment. The ability to see what bandwidth was being spent and by who means Karim can now plan and manage the use of tools such as Skype for Business in a way that he could not before, he says.

“[We] now route all our traffic internally with each IP packet security-inspected, and receive daily emailed reports. We’re able to create simple, clear rules about specific applications and user groups – which is a great benefit that reduces the burden on me,” says Karim.
He is also planning to extract further value from the new appliances by bringing more of their on-board capabilities into play. These features include an in-built two-factor authentication server, and SSL virtual private network (VPN) functions.
“Time will tell what else we select from the toolset, but we’re confident we can do more without affecting performance or the stability of our growing network needs,” Karim concludes.

Leave a Reply