Powerful IT infrastructures are essential to the digitisation of public administrative bodies. The IT service provider Dataport now has a key role to play for public authorities in northern Germany. Founded in 2004 as a public body, the company is the only IT service provider in Germany to be supported by six federal states and a municipal IT association. Around 2,500 employees provide IT services to the regional authorities of Hamburg, Bremen, Schleswig-Holstein and Saxony-Anhalt, to the tax administrations of Mecklenburg-Vorpommern and Lower Saxony, and to a range of local authorities in Schleswig-Holstein.
Dataport can provide the full range of IT services: whether they be data centres, devices, networks or specialist software, Dataport supplies everything that administrative bodies need to carry out their work. In addition, the company also offers an extensive range of services to the public sector, from IT procurement and training to project management and consultancy.
In recent years, Dataport’s largest project has been the amalgamation of six data centre facilities into one new data centre operating from two geo-redundant locations, creating one of the most secure and up-to-date data centres in Europe.
The two sites are linked via a high-speed redundant data connection and provide a fail-safe infrastructure for more than 600 different administrative processes, including registration procedures, police procedures and budgetary processes. Numerous modifications to the network architecture were needed in the course of the consolidation process. Dataport used this as an opportunity to bring the infrastructure up to a higher standard and to further optimise its IT operations. “We therefore chose to deploy Citrix Network as the main Application Delivery Controller,” says Björn Lüthje, Network and Data Centre System Engineer at Dataport. “The solution is now the secure gateway to our data centre and performs a number of tasks involved in providing standard and specialist processes.”
More secure access to IT resources from different networks
One of the major challenges faced by Dataport was the fact that the new data centre was running shared infrastructures for users from different federal states, such as Microsoft Exchange environments and Citrix Virtual Apps server farms. “Of course, part of the consolidation process was to take advantage of synergies and no longer operate separate infrastructures for each institution,” says Marco Misra, Network and Firewall Systems Specialist at Dataport. “However, this imposes strict security standards on us. The network architecture is therefore designed so that it is impossible for anyone to gain direct access to the data centre’s shared resources from the states’ networks.”
To create secure connections between the networks, Dataport implemented Citrix Gateway components. The solution encrypts all traffic in which internal resources are accessed from outside, and it also enables granular access control. This allowed Dataport to integrate the different administrative bodies securely into the shared backend infrastructure while enforcing adaptive security policies at the same time. “The Citrix Gateway allows us to either allow or deny remote access to resources on the basis of user role and user context,” explains Marco Misra. “We can therefore check that only authorised users have remote access to their Exchange inboxes, for instance.”
From Dataport’s perspective, it helps that the Citrix Gateway interacts seamlessly with other security technology – such as multi-step user authentication processes – allowing for a wide range of remote-access scenarios, including those for external users.
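The kind of decision the two paragraphs above describe, role plus context (source network, second factor, device state) evaluated per resource with a default of deny, is shown here as an added example. It is not Dataport's or Citrix's code: the resource names, roles, network labels and the rule set are assumptions made for illustration.

```python
"""Added example, not Dataport's or Citrix's code: a minimal role- and
context-based access decision of the kind a remote-access gateway makes.
Resource names, roles, network labels and the rule set are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """What the gateway knows about a request at decision time."""
    user: str
    roles: frozenset
    source_network: str      # assumed labels: "state-hh", "state-sh", "internet"
    mfa_passed: bool         # second authentication factor completed
    managed_device: bool     # result of an endpoint check


@dataclass(frozen=True)
class Rule:
    resource: str
    allowed_roles: frozenset
    mfa_required_from: frozenset = frozenset()   # networks that need a second factor
    managed_device_only: bool = False


# Assumed policy. Anything not listed here is denied; the gateway is the only
# path from the states' networks to the shared backends, so "no rule" means
# "no access" rather than "fall through to the network".
POLICY = (
    Rule("exchange-owa", frozenset({"staff"}),
         mfa_required_from=frozenset({"internet"})),
    Rule("sharepoint-partner", frozenset({"staff", "external-partner"}),
         mfa_required_from=frozenset({"internet"})),
    Rule("admin-console", frozenset({"netops"}),
         mfa_required_from=frozenset({"internet", "state-hh", "state-sh"}),
         managed_device_only=True),
)


def decide(ctx: Context, resource: str) -> tuple:
    """Return ("allow", reason) or ("deny", reason).

    Every check that fails denies; the first failing check is reported so
    that the log line explains the decision."""
    rule = next((r for r in POLICY if r.resource == resource), None)
    if rule is None:
        return ("deny", "no rule for resource")
    if not (ctx.roles & rule.allowed_roles):
        return ("deny", "role not permitted")
    if ctx.source_network in rule.mfa_required_from and not ctx.mfa_passed:
        return ("deny", "second factor required from this network")
    if rule.managed_device_only and not ctx.managed_device:
        return ("deny", "managed device required")
    return ("allow", "policy matched")


if __name__ == "__main__":
    clerk = Context("mmustermann", frozenset({"staff"}), "internet", False, False)
    print(decide(clerk, "exchange-owa"))   # denied until the second factor is done
```

The same user is allowed to the same mailbox from a state network without a second factor and from the internet only after one; the decision is made per request, which is what "adaptive" means in practice.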
Comprehensive protection of web applications for citizens, companies and administrative bodies
These days, Dataport also safeguards its web applications using Citrix networking technology. The IT service provider deploys Citrix Web App Firewall to protect its growing number of web services from application-layer threats such as DDoS, SQL injection, XSS and attacks on SSL. “Web applications play an increasingly important role in public administration today, providing services to citizens and also facilitating collaborative work with other authorities and public-private partnerships,” says Torsten Brandt, Head of Data Centre Network Infrastructure at Dataport. “We therefore need to be able to provide reliable protection for web services at the application level.”
For Dataport, the application firewall offers comprehensive protection against known threats and can also flag application behaviour that deviates from what it has learned as normal, even where that behaviour has not previously been recognised as an attack. This gives Dataport’s internal infrastructure a layer of protection against zero-day exploits – attacks on security vulnerabilities for which no security patch yet exists – that complements, rather than replaces, patching the applications themselves.
The Citrix Web App Firewall’s ‘Learning Engine’ also assists IT administrators in modifying security settings to meet the precise requirements of each individual application. “The solution analyses the application’s behaviour and makes recommendations to my employees to ensure that we can provide optimal protection to each and every web application,” says Torsten Brandt. For Dataport, no two web applications are the same. The IT service provider now runs a broad spectrum of generations and different kinds of online services – from Hamburg City Council’s transparency portal to web applications used for digital survey data capture.
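The two mechanisms the preceding paragraphs describe, a signature layer for known attacks and a learned per-application profile that flags deviations, are illustrated by the following added example. It is a toy written for this page, not Dataport's configuration or Citrix's learning engine: the request lines, endpoints, character classes and thresholds are constructed for illustration.

```python
"""Added example, not Dataport's or Citrix's code: the two layers a web
application firewall combines, in miniature. A signature layer catches known
attack patterns; a learning layer builds a per-endpoint profile of parameter
names, character classes and value lengths from observed clean traffic and
flags requests that deviate from it. Request lines, endpoints and thresholds
are constructed for illustration."""
import re
from urllib.parse import parse_qsl, urlsplit

# Character classes from most to least restrictive; a learned parameter keeps
# the widest class it has been seen with.
CLASSES = (
    ("digits", re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("token", re.compile(r"^[A-Za-z0-9._-]+$")),
    ("any", re.compile(r".*", re.S)),
)

# Known-bad patterns (signature layer); deliberately small.
SIGNATURES = (
    ("sqli", re.compile(r"'\s*(or|and|union)\b|--\s*$|;\s*drop\b", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
)


def class_index(value):
    return next(i for i, (_, rx) in enumerate(CLASSES) if rx.match(value))


def parse(line):
    """'METHOD /path?query' -> (method, path, {param: decoded value})."""
    method, target = line.split(" ", 1)
    url = urlsplit(target)
    return method, url.path, dict(parse_qsl(url.query, keep_blank_values=True))


def learn(lines):
    """Build the positive profile: per (method, path), the parameters seen,
    the widest character class and the longest value for each."""
    profile = {}
    for line in lines:
        method, path, params = parse(line)
        endpoint = profile.setdefault((method, path), {})
        for name, value in params.items():
            p = endpoint.setdefault(name, {"class": 0, "max_len": 0})
            p["class"] = max(p["class"], class_index(value))
            p["max_len"] = max(p["max_len"], len(value))
    return profile


def inspect(profile, line, slack=2):
    """Return the list of findings for one request (empty means clean).
    Signatures are checked first, then the request is compared with the
    learned profile; 'slack' allows values up to slack times the longest
    value seen during learning before a length finding is raised."""
    method, path, params = parse(line)
    findings = []
    for name, value in params.items():
        for sig, rx in SIGNATURES:
            if rx.search(value):
                findings.append(f"signature:{sig}:{name}")
    endpoint = profile.get((method, path))
    if endpoint is None:
        findings.append("unknown-endpoint")
        return findings
    for name, value in params.items():
        learned = endpoint.get(name)
        if learned is None:
            findings.append(f"unknown-param:{name}")
            continue
        if class_index(value) > learned["class"]:
            findings.append(f"charset:{name}")
        if len(value) > slack * learned["max_len"]:
            findings.append(f"length:{name}")
    return findings


# Constructed clean traffic used as the learning set.
TRAINING = [
    "GET /portal/search?q=haushalt&page=1",
    "GET /portal/search?q=steuer&page=2",
    "GET /portal/search?q=bebauungsplan&page=10",
    "POST /portal/login?user=mmustermann&lang=de",
    "POST /portal/login?user=e.schmidt&lang=de",
]
PROFILE = learn(TRAINING)

if __name__ == "__main__":
    print(inspect(PROFILE, "GET /portal/search?q=x'+OR+1=1--&page=1"))
```

The learned profile is what an administrator reviews: each entry is a candidate rule ("parameter q on /portal/search is alphabetic and at most 13 characters"), and accepting or widening those entries is the "recommendation" step the text describes. The profile only flags deviation, so a request that is unusual but harmless needs a human decision, while a known signature match does not.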
The security of these web applications is checked regularly. All important processes are certified by the German Federal Office for Information Security (BSI). In addition, external specialists carry out frequent penetration tests on Dataport’s behalf. “The assessors certify that Citrix Web App Firewall provides our web applications with a very high level of security,” confirms Torsten Brandt. “In addition, the solution acts as an internal Application Layer Gateway and monitors communications between the different areas of the network. This means that we comply with current BSI standards.”
Load balancing for centralised services: Citrix Networking replaces Cisco ACE
In addition to infrastructure safeguarding, the second key task of the Citrix Networking solution is to load balance the centrally provisioned processes. Previously, Dataport used Cisco ACE Appliances to load balance its application servers. When this solution was discontinued by the manufacturer, the IT service provider decided to switch to Citrix Networking technology for this too. “The Citrix solution was the best fit for our complex load balancing requirements, because it incorporates highly intelligent processes for managing application traffic,” says Björn Lüthje.
For Dataport, load balancing is no longer just a matter of distributing incoming user requests evenly across the available resources; the Application Delivery Controller must also make rule-based decisions about whether a given user may use the requested content in a given situation. Health monitoring plays a crucial role here. Citrix Networking continually evaluates detailed information on the status and availability of the individual application servers and automatically takes it into account when distributing requests. This ensures that users can continue to use a service without interruption even if individual components fail.
At present, Dataport is in the process of migrating around 500 centrally provisioned processes to the new load balancing platform, starting with load-intensive applications such as Microsoft Exchange and SharePoint. The Exchange environment alone is used by more than 100,000 users who require reliable access to their inboxes at all times.
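The health-monitored distribution the previous paragraphs describe, servers dropped from rotation on failed probes and returned on recovery, is shown below as an added example. It is a miniature written for this page, not Dataport's configuration or Citrix code: the backend names, weights, thresholds and the probe are constructed.

```python
"""Added example, not Dataport's or Citrix's code: a health-monitored load
balancer in miniature. A monitor probes each backend, takes a server out of
rotation after a run of failed probes and returns it after a run of
successes; each request goes to the healthy backend with the lowest
weighted connection count. Backend names, weights, thresholds and the probe
are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    weight: int = 1
    healthy: bool = True
    active: int = 0        # connections currently open on this server
    fail_streak: int = 0
    ok_streak: int = 0


class HealthMonitor:
    """Hysteresis (down_after / up_after) keeps a single lost probe from
    flapping a server in and out of the pool."""

    def __init__(self, probe, down_after=3, up_after=2):
        self.probe = probe          # callable(Backend) -> bool
        self.down_after = down_after
        self.up_after = up_after

    def check(self, b):
        if self.probe(b):
            b.ok_streak, b.fail_streak = b.ok_streak + 1, 0
            if not b.healthy and b.ok_streak >= self.up_after:
                b.healthy = True
        else:
            b.fail_streak, b.ok_streak = b.fail_streak + 1, 0
            if b.healthy and b.fail_streak >= self.down_after:
                b.healthy = False
        return b.healthy


class LoadBalancer:
    def __init__(self, backends, monitor):
        self.backends = list(backends)
        self.monitor = monitor

    def run_monitor(self):
        """One monitoring interval: probe every backend."""
        for b in self.backends:
            self.monitor.check(b)

    def backend(self, name):
        return next(b for b in self.backends if b.name == name)

    def dispatch(self):
        """Weighted least-connection among healthy servers. Returns None when
        the whole pool is down; the caller would then fail over to a backup
        pool or answer 503 rather than send traffic to a dead server."""
        up = [b for b in self.backends if b.healthy]
        if not up:
            return None
        chosen = min(up, key=lambda b: b.active / b.weight)   # ties: first in list
        chosen.active += 1
        return chosen

    def release(self, b):
        """Connection closed; the server's load counts down again."""
        b.active -= 1


if __name__ == "__main__":
    # Constructed probe: a dict stands in for the real health check.
    state = {"exch-1": True, "exch-2": True, "exch-3": True}
    lb = LoadBalancer([Backend("exch-1", weight=2), Backend("exch-2"), Backend("exch-3")],
                      HealthMonitor(lambda b: state[b.name]))
    print([lb.dispatch().name for _ in range(8)])
    state["exch-2"] = False
    for _ in range(3):
        lb.run_monitor()
    print([b.name for b in lb.backends if b.healthy])
```

The least-connection choice is what keeps a server from being driven past its capacity during a peak: a slow server accumulates open connections and is chosen less often, while the monitor removes it entirely once it stops answering probes.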
“We are already seeing improvements as a result of switching to Citrix Networking technology,” reports Torsten Brandt. “We previously had to deal with frequent failures in the SharePoint environment during peak loads. The Citrix solution ensures that servers no longer operate beyond their full capacity, which means that services can still be accessed during peak periods. Features such as SSL Offload mean that Citrix Networking also frees up our backend servers from performing processor-intensive tasks. In the future, the existing Exchange infrastructure will therefore be able to handle more users at the same time.”
Citrix Networking gives us a solution that is fit for the future, ensuring that we can use a single platform to manage the diverse demands inherent to the provision of standard and specialist processes.