Students expose their wireless laptops, PDAs or smartphones to corruption every time they download a beta IM client, fill out a pop-up survey, receive a software update, transfer files from a media player, swap ringtones, or subscribe to a podcast. University staff and faculty expose their personal wireless devices to malware threats as well.
Then they use these same unmanaged — and potentially compromised — wireless devices to access university network resources. University IT has no control over whether these personal wireless devices contain the latest anti-virus software, the most current OS patches, or applications that are vulnerable to outside attacks. In addition, students frequently enroll, graduate or transfer, creating a rapidly changing user population and adding more challenges for credentialing and support.
In the traditional campus local area network (LAN), IT assumed that they could keep the network secure by restricting access to university-managed computers. Every year, more resources were spent trying to further harden the network perimeter.
But today's students and staff are highly mobile. They need to be productive using personal wireless devices that are outside the network perimeter — and beyond IT control. With wireless, the traditional "hard perimeter" network model has effectively been inverted. Retrofitting network security becomes ineffective when it consists of continual attempts to harden a fluid perimeter.
Traditionally, IT restricted wireless bandwidth using media access controls like WEP (wired equivalent privacy). However, WEP authentication keys were shared by any student entering the perimeter at that wireless hub. WEP required IT to update and maintain security keys on every wireless device, resulting in lost keys, frustrated users and more help desk calls.
Today's inverted network is inherently insecure. Rather than trying to secure the network itself, a more practical approach is to secure communications to resources using network access controllers like SSL VPNs. SSL VPNs allow IT to have central control over wireless communications across a distributed urban campus environment. Students within range of any of the wireless hotspots dispersed throughout the campus can view a secure portal, but are denied access to resources unless they confirm authentication. This lets IT secure each student's wireless communications with resources, while reducing demand for support.
With certain SSL VPN solutions, automated endpoint control agents can scan unmanaged wireless devices to detect software certificates, patches or anti-virus signatures. If the scan results meet policy criteria, a student can be allowed access to resources. If not, the student can be redirected to a quarantined self-remediation site, or simply be denied access.
More students expect wireless access, and competitive universities must meet the demand. But this trend is not limited to academia. Executives use smartphones to access corporate resources. Salespeople use PDAs to access sensitive data via Wi-Fi hotspots at cafés, hotels and airports. Today's corporate LAN is increasingly a mobile network of wireless laptops and PDAs.
Moving forward, as wireless technology makes access to network resources more mobilized, even hardened networks are inherently insecure. Instead of securing the network, IT should focus on securing communications with network resources.
- Joseph Salwach is associate vice president, information services, DePaul University.
HOT TIPS FROM DEPAUL UNIVERSITY
Today's university students expect wireless access from personal mobile devices outside the firewall (e.g., smartphones with built-in high speed internet connectivity).
Personal mobile devices operate outside the traditional hardened perimeter LAN, and outside of direct IT control, effectively inverting the traditional "hardened-perimeter" network.
The ability to provide easy to use, yet secure wireless communications in an urban environment is perfect for an inverted network.
Because inverted networks are inherently insecure, it is more important for IT to secure communications than try to harden an increasingly fluid perimeter.
Unmanaged device users often find ways to work around restrictions put in place to prevent their access to untrusted websites, and are particularly vulnerable to phishing and malware attacks.
By securing wireless communications with SSL VPN, you can safely provide remote access to more educational options for students and staff, whether on-campus or off-campus.
DePaul chose Aventail SSL VPN because it delivered the best user experience and was easy to add to DePaul's complex network. — Joseph Salwach
