CN’s investment arm upgrades for tighter network security

CN Investment Division, which manages the multi-billion dollar pension fund of CN’s 63,000 employees and pensioners was at a critical juncture. Its network relied on a Cisco Catalyst 6500 series switch which had reached the end of its eight-year life. The network had experienced a few downtime episodes that cost the company hours of productivity and it was time to upgrade.

“If anything failed on the infrastructure, we had four to five hours of downtime,” says François Coallier, supervisor of technical support, CN Investment Division. “We needed a faster recovery . . . we had to change to something else immediately. We had to make sure every workstation on the network was meeting certain security requirements.”

CN contacted Cisco and was referred to Montreal-based integrator and Cisco partner CCSI CompuCom.

“It all started with a faulty 6500 that François lacked confidence in,” says Martin Roy, solution architect at CCSI. “We came up with a temporary solution to help alleviate (the problem) and more or less extend the life of the 6500. Once we had a temporary solution in place, we decided to go and replace the rest of the infrastructure.”

CCSI took a inventory of CN’s requirements and built a network configuration based on those details. Uptime and built-in redundancy was key, considering that CN runs critical trading and accounting systems, and needs up-to-the-second information from stock market data feeds. Further downtime could have tragic results for the investment portfolios managed by CN’s team of traders.

A new network was designed using two Cisco Catalyst 6500 switches at the core with 3560e switches running out to the desktops. Running two main switches means that if one fails, the other will take over, avoiding any possibility of network downtime. CCSI also arranged for multiple Internet connections from different carriers in order to ensure constant availability.

“We started with the network and after we had chosen something that was rock solid, then we added security layers to it,” says Roy. “We looked to provide an end to end solution as opposed to just security at the edge.”

Roy also added a Cisco NAC (Network Admission Control) appliance to govern the level of access permissible for each desktop on the network, as well as Cisco’s Adaptive Security Appliance and Advanced Inspection and Prevention module to prevent network intrusion and the incursion of malicious traffic.

The new network was tested by CN Investment Division’s IT department before it was rolled out company-wide.

“When IT services were happy with the infrastructure they were getting, we decided on a cut over date,” says Roy. “At close of business on Friday, everybody went home and we basically started transitioning all the ports from old infrastructure to new infrastructure.

“The overall process probably took about five to six hours. We came back for more testing the following day and then Monday morning, everybody was back to business as if nothing had happened but on a faster and more secure infrastructure.”