Years ago, the Internet evolved from a research network to a commercial one. To facilitate that change, what had been a single, government-funded system converted to many independently operated networks. This required the use of network access points (NAPs), where Internet service providers would interconnect their systems to others, allowing an e-mail from one network to reach the users on another.

NAPs were generally set up in university computer room closets, in old, damp central offices or, as in the case of the largest NAP of the era, MAE East (MAE stood for Metropolitan Area Ethernet, or Exchange, depending on who you ask), in a parking garage in Tysons Corner, Va. Considering that the applications for the Internet were limited to e-mail, Gopher and other now-antiquated applications, this baling wire and masking tape approach suited the Internet perfectly.

Experiments led to alternative NAPs such as the Palo Alto Internet Exchange (PAIX), adding security and other features to support newer networks. However, the players on the Internet also changed, quickly making the original PAIX experiment inappropriate for larger enterprises, government and other sources of online content.

Sprawling Internet Business Exchanges can handle hundreds of individual clients but must also provide secure facilities. Inset: another level of biometric identification and access control guards the individual cages inside an IBX.

Enter IBXs

A new design was required – one that would accommodate the burgeoning growth of interconnecting networks, operate in multiple locations, record robust audit trails and meet security audits. Most importantly, the new design would need to incorporate a security system that could scale without impacting operational efficiencies, with speed of access to equipment being paramount.

The managers of PAIX took these limitations and began working on a new design. The new datacenters, known as Internet Business Exchanges, would be an average of 100,000 to 200,000 square feet, incorporating hundreds of individual clients, yet set a new security standard in the industry. With the assistance of Richard Mohr of Andersen/Mohr Associates, Equinix Inc. of Foster City, Calif., began to develop this new security profile and apply it to an aggressive construction plan.

The requirements were stringent: perimeter security, such as concrete embankments or bollards, to assist with blast radius enforcement; thick concrete and Kevlar in the outer envelope of each building to meet the service level agreements of financial customers; extensive and comprehensive digital video surveillance, archived for a minimum of 30 days; easily referenced audit trails that included the general location of visitors at all times; the capability to instantly remove electronic access, even if the individual was inside the building; and mantraps and interlocking doors, designed to prevent “piggybacking” or sneaking in behind an authorized visitor.

Because of the nature of its client-oriented business, the company was faced with preserving access speed to equipment within its centers while ensuring ultimate security. If a client such as Yahoo!, Microsoft, IBM or the federal government arrived at the front door of an IBX, access needed to be processed quickly, while meeting the stringent security measures that often caused delays at traditional datacenters.

There is an intelligent mix of identification through biometrics, security video and security officers at Equinix Internet Business Exchanges.

Biometrics to the rescue

The company looked to advanced software combined with biometrics to address this paradox. Initially, the design team designated five levels of biometrics from the outside of a facility through to the individual client’s equipment cages. This meant placing biometrics on the exterior doors and mantrap interlocking doors, as well as on interior spaces, such as customer care areas, and finally, without exception, on individual cages. Each client within a “neighborhood” needed to conform to the most stringent security levels required within that zone, or security would be compromised for all clients. This meant the installation of thousands of biometric devices in each facility. These devices would need to be easy to control, require little to no maintenance, and have virtually zero failure rates.

Unfortunately, the electronic systems for biometric door control and key management that the company required did not exist on the market in 1998. Most access or door controller software ran on client-only setups, with little to no robustness or redundancy. Biometrics, also young in its deployment, often used proprietary RS-232 loops and controller software separate from the door controller equipment. Monitoring locations and visit purposes were generally relegated to CRM systems, separate from security. In typical datacenters, if coffee was spilled on the security officer’s machine at a front desk, an entire control system could fail, or be inaccessible. The company needed a custom solution, with high availability, running on more advanced operating systems than were available off the shelf at the time.

On the hardware side, the company field-tested fingerprint, retinal, iris and hand geometry recognition, with speed and reliability as the primary requirements. Fingerprint systems tended to fail on external doors and required high maintenance. Iris systems were in their infancy, and thus had an unacceptable rate of failure. Retinal systems were rejected by customers, not surprisingly, because these customers were uncomfortable with placing their heads in a yoke and having a beam shot into their eyes. Hand geometry solutions remained. Fortunately, this solution met the requirements and was reasonably priced to deploy at large scale. Ingersoll-Rand’s Recognition Systems (Campbell, Calif.) biometric hand readers were deployed throughout Equinix’s IBXs.

Top: data centers known as Internet Business Exchanges demand higher-level access controls, including biometrics.

To solve the software problem, the company developed and patented its own software to be used as a front end on top of products such as those from AMAG Technologies of Torrance, Calif., or Keri Systems of San Jose, Calif., or initially biometric software such as HandNet. The results were astounding: Upon deployment, access authorization times decreased from ten minutes to one. The new software recognized the person rather than the key he or she was holding. The audit trail, exported to a customized Oracle database, recorded indefinitely who was where at all times. Through the integration of biometrics with the customized front end, an individual “scanning in” at the front door was automatically registered at the officer’s desk in the lobby. The customer’s profile was displayed automatically, and the individual could be compared quickly to the profile. Once the individual was authorized, the officer activated additional biometrics, allowing the client to proceed quickly into the facility.
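A minimal model of the person-centric access flow described above, added here as an illustration; it is not Equinix's patented software, and the layer names, class and method names are hypothetical. It shows officer authorization activating the inner readers, the mantrap interlock, revocation taking effect mid-visit, and an audit record for every scan.

```python
from dataclasses import dataclass, field

# Hypothetical names for the five biometric layers (the article gives no exact list).
LAYERS = ["exterior", "mantrap", "customer_care", "neighborhood", "cage"]

@dataclass
class Facility:
    cages: dict                                    # person -> set of cage ids they may open
    revoked: set = field(default_factory=set)
    cleared: set = field(default_factory=set)      # visitors the lobby officer has authorized
    passed: dict = field(default_factory=dict)     # person -> index of last layer passed
    in_mantrap: object = None                      # interlock: one occupant at a time
    audit: list = field(default_factory=list)      # (person, layer, decision) for every scan

    def authorize(self, person):                   # officer matched visitor to shown profile
        self.cleared.add(person)

    def revoke(self, person):                      # applies on the next scan, even if inside
        self.revoked.add(person)

    def scan(self, person, layer, cage=None):
        idx = LAYERS.index(layer)
        if person not in self.cages:
            why = "deny:unknown"
        elif person in self.revoked:
            why = "deny:revoked"
        elif self.passed.get(person, -1) != idx - 1:
            why = "deny:out_of_sequence"           # e.g. tailgated past an earlier reader
        elif idx > 0 and person not in self.cleared:
            why = "deny:not_authorized"
        elif layer == "mantrap" and self.in_mantrap not in (None, person):
            why = "deny:mantrap_occupied"
        elif layer == "cage" and cage not in self.cages[person]:
            why = "deny:wrong_cage"
        else:
            why = "allow"
            self.passed[person] = idx
            if layer == "mantrap":
                self.in_mantrap = person
            elif self.in_mantrap == person:
                self.in_mantrap = None             # left the mantrap; next visitor may enter
        self.audit.append((person, layer, why))
        return why == "allow"

    def last_location(self, person):
        """Audit-trail lookup: the last layer this person was admitted through."""
        i = self.passed.get(person, -1)
        return LAYERS[i] if i >= 0 else "outside"
```

Because the decision is keyed on the enrolled person and re-evaluated at every reader, a revocation or a skipped layer is caught at the next door rather than only at the front desk.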

The model succeeds

In 1999, Equinix opened the first of its advanced IBX centers in Ashburn, Va. Similar IBX centers have since been deployed in major markets in the U.S. and Asia-Pacific. By 2004, Equinix was operating over 1.3 million square feet in five countries. Through its service model and advanced datacenter features and security, Equinix has attracted every major network and content site into its facilities. Over 95 percent of the world’s Internet networks and users are available in each center, where every major domestic and international network has deployed its hubs. The largest retail and investment banks; the majority of the futures, commodities and options trading infrastructure; and the largest system integrators have located their massive infrastructure within the company’s walls. IBM has chosen to use the company as its location to host its massive global e-business customers.

Finally, with Equinix on the GSA schedule, the federal government has become a large customer, using the company’s IBXs for critical infrastructure in multiple locations. As the leading provider of network-neutral data centers and Internet exchange services, the company now operates 14 highly secure Internet datacenter hubs, representing over 1.3 million square feet, in five countries. Thus is the Internet, at least a few important pieces of it, protected through biometrics.