Colorado city adopts open-source platform for its network gateway

Suite mixes free and commercial applications to manage traffic and handle security

Monitoring Internet access on the city of Westminster, Colo.’s network was becoming expensive, as maintenance costs for its networking tools increased. So earlier this year, network administrators decided to look for an alternative.

The goal was to maintain the baseline functionality of the Web filtering and monitoring being used on the network, which serves 1,000 employees in 23 locations around the city.

“Our objective when we started was to find a solution that did everything we were doing, but at less expense,” said David Puntenney, the city’s information technology director. Additional functionality for blocking or controlling malicious and unwanted traffic was optional. Key requirements for any product were low-risk implementation and ease of administration. “It’s easy to find a product that costs half as much, only to find it costs twice as much to administer,” Puntenney said.

The city settled on Untangle’s Open Source Network Gateway, which not only fulfilled the baseline Web filtering requirements but also includes a suite of add-ons that are saving the city more money.

Westminster uses an outside service for antivirus protection and to block spam. The service was stopping 90 percent of incoming spam, said network administrator John Neiberger, but the IT staff members still had to deal with the remaining 10 percent until they turned on the Untangle Gateway’s spam blocker.

“In August, it quarantined 10,000 more messages that we didn’t have to do manually,” Neiberger said. He estimated that freed 33 hours of IT staff members' time, at a savings of about $1,000 to the city.

The sweet spot for the Untangle Gateway has been small to midsize businesses because the single-server platform helps to eliminate the cost and complexity of maintaining multiple network appliances, said company chief operating officer Dirk Morris.

“But we found that in the last quarter, the largest percentage of our sales have been coming from larger organizations,” he said. “We’ve been seeing a lot of traction in cities,” such as Westminster.

Westminster, a Denver suburb of 108,000 and the state’s seventh-largest city, began building its network in 1988 in a partnership deal that traded conduit space for fiber.

“Much of that build happened in the 1990s,” Puntenney said. The city gave employees outside e-mail access in the mid-’90s, but Internet access was limited. “We didn’t immediately open up Web access to everyone when we started,” he said. It was restricted to those with a specific business need.

But by 2002, as the Web was becoming ubiquitous and access was given to all employees, technology was put in place to monitor and control that access. The tools worked, but cost was becoming an issue.

“One of the driving factors was a 34 percent increase in our maintenance costs between 2002 and 2007,” Puntenney said. Costs took another jump at the start of 2009, and “we decided to take a look at what else was available.”

They looked at FortiGate appliances from Fortinet, but they were expensive and did not fit well with Westminster’s network architecture, Neiberger said. IT administrators downloaded a copy of Untangle for trial in June, and after straightening out a few kinks in the configuration, they began using it for Web filtering on their network.

The Untangle Gateway is an open-source platform that runs on a wide range of servers and supports a library of proprietary commercial and free open-source applications for network monitoring and protection. The idea of the multiapplication platform is to circumvent the expense and time of acquiring and managing separate tools, Morris said.

“It’s a much cheaper approach than having all of the appliances, because it’s all on one server,” he said. “We write the software that is the platform and go to third-party applications that apply to our customers.”

As simple as the idea is, execution was more complicated. “We found that running everything on one server is very hard,” Morris said.

Servers have adequate computing power to handle multiple applications, but latency would be a problem if more than three applications ran simultaneously.

“We found that the latency went up quadratically based on the number of applications,” Morris said. Increases in server power could not keep up with additional software because increasing the processing power deflected the latency curve only by a little bit.

Untangle developed a processing algorithm that solved at least part of the problem. Latency still is unavoidable, Morris said, but with the new algorithm, the increase now is linear. “If you double the processing power, that helps quite a bit” in allowing additional applications, he said. “Now Intel can keep ahead of Untangle.”

Untangle uses open-source tools for its gateway when possible, and it has partnered with commercial providers when necessary. The quality of a product cannot be determined by whether it is open source or proprietary, Morris said. Some open-source technology is the best available, but “some of it is terrible.”

Untangle does not claim that its tool suite is best of breed.

“Determining ‘best’ is tough,” Morris said. “In some cases, it’s not going to be the best application for everyone,” because a number of variables, including overall feature set and price, come into play. “It’s a judgment call on behalf of our customers.”

The current library includes 13 free open-source applications that provide basic network monitoring, filtering and management and 11 commercial applications for more advanced networking needs.

Westminster began using Untangle for Web filtering and later turned on the spam blocker that came with the package, which produced savings by providing an additional layer of defense. The city also is using antivirus, anti-phishing, protocol filters and intrusion prevention features that come with the basic suite of services.

Implementing wide-area network load balancing and failover tools could help the city boost the bandwidth of its Internet connection by supplementing 10 megabits/sec lines with a smaller cable connection.

“That provides us a great opportunity to increase bandwidth,” Neiberger said. “That’s going to be a huge benefit to the organization.”

About the Author

William Jackson is a Maryland-based freelance writer.

