Every fall, Central Michigan University (CMU) faces the daunting challenge of hooking up over 7,000 new computers to its network in a matter of a few days. The main objective is to allow its incoming students, professors and staff to connect to the network quickly. However, the network administrators also must make sure that the laptops, desktops, iPods and gaming systems attempting to plug in to the university network meet security requirements first before being granted full access. With all these devices logging on, the risk of contamination to the network from viruses, spyware and non-compliant software present on the local devices is ever present.
Ryan Laus, associate network manager at CMU, says his team looked at solutions on and off for several years. “It was not a very big issue until Blaster and Nachi were released [August 2003] and networks everywhere were scrambling to try and get a handle on network security. Prior to this event, the quarantining of systems on campus was a manual process.”
As his team observed the networks of larger universities being crippled with these viruses, they quickly assembled a team of students armed with over 1,600 CDs containing all the latest Windows patches, a site licensed anti-virus application and spyware removal tools. That fall term they documented over 850 viruses infected systems. And, Laus says, these were just the really bad ones. “One associate network manager did nothing but enable and disable ports for over three months, and that didn't count all the time spent by the other network managers and security administrators,” he says.
The team knew that this had to change and that started with system registration followed up with some form of system remediation. “We came across Bradford Network's solution the following spring and it was just what we had been looking for,” says Laus.
Campus Manager requires each device to register before being allowed access to the network. This identity management function -- which includes user owner information for each device, the ability to map the device and user to a physical location, and a log of the user's and the device's connection activity -- provides the information necessary in isolating unwanted activity and adhering to regulations and policies. The solution allowed Laus's team to very quickly associate a problem system with a specific user. What used to take them a few hours to do, they could now do in a matter of seconds.
“With the limited resources we have, it has allowed us to do a lot more with less. Because Campus Manager talks to all our residence hall switches, this gives us the ability to apply policies to users no matter where they connect.” For example, if he has to disable an infected machine and the user tries to move ports, Campus Manager will recognize this and take action on the client regardless of what port the user plugs into.
Joe Roth, network administrator, Binghamton University, agrees that it was the major outbreak of worms and exploits that really brought network security and end-user compliance to the forefront. It was time to begin to ensure that the machines brought into the network were clean and up to date before allowing them access to the network, he says.
“The basic thought process was that if we could bring them into the start of the semester clean and prepared to deal with a virus or worm outbreak, then maybe it would minimize the impact. Another benefit of the process was that our users were also receiving a certain amount of education in the endpoint security department. Having a user know what anti-virus software and patches are is crucial, and us checking for the presence of these types of things on their PC lets them know that it is important. It helps them take the initiative to keep their PC clean and up to date.”
Roth says that the Bradford Networks solution simplifies the idea of NAC on campus by providing a single point of interface for any web-based device, along with support for all three major operating systems and all major anti-virus vendors. In addition, he says the system remains vendor agnostic, so his team has no concerns about future support for any network equipment that they may deploy.
Granularity is the key
Jerry Skurla, vice president of marketing, Bradford Networks, Concord, N.H., says Campus Manager provides the granularity that a campus environment needs. The family of appliances was originally developed in 2002 and is now in its third generation of software.
"We help schools create a small website into which its users login via a VLAN. There's a remediation process which verifies machine configuration. A dissolvable agent then does a check. Some schools require a permanent agent, which allows ongoing checks.”
The product's distributed software architecture provides flexibility, he says. Bradford Networks' clients on college campuses can range anywhere from 100 students to 35,000.
"Campus Manager's out-of-band capabilities protect existing infrastructure,” Skurla says. It is critical, he adds, that the solution works with equipment already on the network.
“One of the biggest reasons we chose Bradford was the fact that unlike Perfigo [now Cisco Clean Access], Bradford's product was not an inline appliance,” says Laus. “Once a user was registered, the product essentially stepped out of the way and let the switches switch and the routers route. While we haven't needed to do this, it is also something that can easily be turned off if problems start to occur without serious disruption to the users. I believe Cisco does make an out-of-band solution, but I don't think it is as robust as Campus Manager or able to support as many vendors.”
Laus has high praise for Campus Manager's Client Security Agent (CSA). “It has really cut down on the number of infected machines, and ensures that all machines that plug into the network meet a certain criteria.”
Campus Manager is also an integral part of many of the homegrown solutions that CMU has created, allowing, for example, the university to pull data directly from the Campus Manager database and tie it together with other data sources, such as SAP and SMS. “We present this data in our helpdesk portal, which is used by help desk operators, department techs and even end-users,” he says.
It is also an essential piece of the university's network bandwidth quota system. “Our NBQS has allowed us to regulate internet bandwidth without shaping and application blocking. The end result of all of this is that we can offer the students 100 Mbps connections to their systems, not continually block peer-to-peer traffic, not have to worry about viruses spreading, and we have not received a copyright infringement complaint in well over three years. Without a system like Campus Manager as a core component, it would be difficult to do this.”
Josh Fedor (right), IT security project manager at Hofstra University, Hempstead, Long Island, adds that the student experience is enhanced through the use of the product as it gives them anti-virus and anti-spyware capabilities.
For the 13,000 students and over 1,200 faculty members spread out over its campus, the process of hooking up to the network is simple, says Fedor. When logging on, they must authenticate using their university ID. They then download a thin client that dissolves when it's done scanning the registry for anti-virus, anti-spyware, firewalls, etc. The software then switches configurations on the machines, such as turning on the firewall and turning on Windows Updates.
"Student machines are very unpredictable. They're using various operating systems and different devices. Campus Manager allows us to get to those machines and keep them up to date and protected."
Campus Manager greatly improves the university's security posture, he says. "It's simple and straightforward. Everyone's happy. It gives us a layered defense and control over the network."
The Campus Manager family of appliances from Bradford Networks, Concord, N.H., combines three elements in its NAC solutions:
– Greg Masters