Campus Network Accession - Authentication and Controlling Student Laptops Brian O’Hora BSc (Hons) & MBA Technology Management Networks & Infrastructure Manager Information Systems Services University of Dublin Trinity College [email protected]


Page 1: Campus Network Accession - Authentication and Controlling Student Laptops

Campus Network Accession - Authentication and Controlling Student Laptops

Brian O’Hora, BSc (Hons) & MBA Technology Management

Networks & Infrastructure Manager
Information Systems Services
University of Dublin, Trinity College
[email protected]

Page 2: Campus Network Accession - Authentication and Controlling Student Laptops

Growth - Student networking TCD

Residential network users

Year     Users    Growth
2002/3   276      n/a
2003/4   318      15.2%
2004/5   428      34.6%
2005/6   1021     138.6%
2006/7   ????     ????

Wireless network users

Year     Users    Growth
2002/3            n/a
2003/4   200      n/a
2004/5   750      275%
2005/6   > 1500   100%
2006/7   ????     ????

Page 3: Campus Network Accession - Authentication and Controlling Student Laptops

2005/6 Workflow required

1. Student submits web form
2. Case logged in workflow system (Remedy)
3. Public IP address assigned to NIC MAC address, hardware table updated
4. Machine added to MS AD domain
5. Case assigned from USG to Networks for port activation
6. Port activated, documentation updated, case reassigned to USG
7. User scheduled to attend clinic

Page 4: Campus Network Accession - Authentication and Controlling Student Laptops

2005/6 Workflow required

8. User attends clinic, supplied with custom security CD
9. Pre AV checks - stinger
10. AV & E-Pol installation and configuration, OS updates
11. Network configuration
12. Add machine to domain
13. Application configuration – Browser and Mail
14. Case updated and closed, records updated
15. x2000 times – automation required !!!

Page 5: Campus Network Accession - Authentication and Controlling Student Laptops

2005/6 outcome – efficiency: connections vs time

[Chart: Cumulative Student network connections 2005/6. X-axis: Time (Date), monthly from 29/09/2005 to 29/05/2006. Y-axis: Cumulative number of connections, 0 to 1400.]

Page 6: Campus Network Accession - Authentication and Controlling Student Laptops

Methodologies in use to address this challenge

1. Resist need to network private machines
2. Manage machines as standard corporate machines
3. Outsource residential network
4. Manage the unmanaged by using an emerging technology framework, Network Admission Control (NAC), to address challenges

Page 7: Campus Network Accession - Authentication and Controlling Student Laptops

Network Admission Control (NAC) - the wider environment

Analysis: Network Access Control, Network Computing, October 06, 2006: “NAC (network access control) enforcement products will grow to $3.9 billion by 2008 from $323 million last year--that's more than 1,100 percent growth”

Lippis Report Issue 69: 2007 Is The Year of Network Access Control, Oct 16, 2006, by Nick Lippis: So is 2007 the year of NAC? 1) NAC solves real problems 2) NAC technology works 3) Enterprises are deploying NAC. The data points are building and the trend line is becoming clear. 2007 is the year of NAC.

Page 8: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self Service NAC project objectives

From start October 2006:

• Improve quality of service for students connecting computers to the College network
• Reduce IS Services staff involvement
• Maintain or enhance Network Security
• Provision of dynamic network administration and network security information

Page 9: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self Service NAC scope target customers and areas

• Initial scope
• Extended scope
• Desirable – Wireless/VPN
• Not under consideration – Guest/EduRoam

Page 10: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self Service NAC project approach

• Surveyed current market place and Institutions using NAC
• Solutions identified – approx 20
• Short listed - 6
• Arranged presentations, trials and site visits
• Submitted project proposal including business case to Senior Management
• Initiated restricted Request For Proposals, closing 8th June

Page 11: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self Service NAC project business case

• Model 1 Transaction costs

• Model 2 Staff equivalents

• Model 3 Qualitative benefits

Page 12: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self Service NAC project RFP criteria

• Description of solution, features, integration with existing, user scenarios (50)
• Solution roadmap, past and future
• OEM/reseller information (20)
• Cost (30)

Page 13: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Network Admission Control project – evaluation responses

• Responses received
• Cost @ 30% weighting significant
• Unexpected response
• Cost determined outcome

Page 14: Campus Network Accession - Authentication and Controlling Student Laptops

KHIPU and Bradford Campus Manager selected

• TCD selects KHIPU Networks to supply NAC solution

• Khipu exclusive partners Bradford Campus Manager in the UK/Ireland

• Over 300 Campus Manager installations in the USA, Over 28 Campus Manager installations in the UK

• Over 1,250,000 Ports controlled by Campus Manager

• UK and International Education User Groups

Page 15: Campus Network Accession - Authentication and Controlling Student Laptops

Bradford Networks Company History

Timeline: 1999, 2000, 2001, 2002, 2003, 2004, 2006

► Began as custom engineering development services team
► Network management software design expertise
► Demonstrated solution at an industry trade show
► Concept and sample architecture developed
► Functional prototype development – BRADFORD CAMPUS MANAGER
► Transition: engineering services to a product company
► Installed CAMPUS MANAGER in several educational institutions
► Increased install base to over 200 clients

Page 16: Campus Network Accession - Authentication and Controlling Student Laptops

Educational Customers UK and Ireland

Page 17: Campus Network Accession - Authentication and Controlling Student Laptops

Sample Educational Customers USA, UK and Ireland

Page 18: Campus Network Accession - Authentication and Controlling Student Laptops

Bradford Campus Manager

Page 19: Campus Network Accession - Authentication and Controlling Student Laptops

“Out of band” solution – leverages existing network

Page 20: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC configuration

• Dual NS 1200/8200 appliance pairs for resilience, 3000 client user license purchased
• 116 CISCO switches across all residences and 200 Library communal area wired network points
• Private IP addressing
• MS AD Authentication database
• Role based access management - MS AD attribute
• White list file for BCM and Bluecoat Web proxies
• Client browser auto detect proxy settings used
• Ongoing authentication enforced

Page 21: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC User Experience

• Connect to the network
• Open a web browser, presented with SNAC welcome page
• Next page - terms and conditions
• Next page – OS specific page outlining the web browser proxy settings
• Next page - Registration page: name, contact number and location
• Download a scanning program to ensure computer is compliant
• If not compliant, advised how to self-remediate
• Once your computer is compliant, asked to authenticate with MS AD credentials to gain admission to appropriate network

Page 22: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC Endpoint Compliance

• On Registration/Rescan download and run CSA executable
• MS Windows OS/AV checks
• Apple Mac OS/AV checks
• Linux check
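The admission sequence on the User Experience slide (register, scan, remediate, authenticate with MS AD, land on a role-based network) together with the per-platform checks on the Endpoint Compliance slide, modelled as a small decision function. This is an added example written for this page, not Bradford Campus Manager's policy or API; the check names, role names, VLAN labels and pass criteria are assumptions.

```python
"""Decision model of the self-service NAC admission flow on the slides.
Constructed example: rules, role names and network labels are assumptions,
not the real Campus Manager policy."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Checks each platform must pass, following the Endpoint Compliance slide
# (Windows and Mac: OS updates and AV; Linux: a single OS check).
# Check names and pass criteria are assumed.
REQUIRED_CHECKS = {
    "windows": ("os_updates", "antivirus"),
    "mac": ("os_updates", "antivirus"),
    "linux": ("os_updates",),
}
# The MS AD role attribute decides the network the client is admitted to
# ("role based access management"); these names are assumed.
ROLE_NETWORKS = {"student": "student-resnet", "staff": "staff-net"}


@dataclass
class Endpoint:
    mac: str
    os: str
    registered: bool = False                      # registration page done?
    scan: Dict[str, bool] = field(default_factory=dict)  # check -> passed
    ad_role: Optional[str] = None                 # set after AD login


def compliance_failures(ep: Endpoint) -> List[str]:
    """Return the checks the client must self-remediate before admission."""
    required = REQUIRED_CHECKS.get(ep.os.lower())
    if required is None:
        return ["unsupported platform"]
    return [check for check in required if not ep.scan.get(check, False)]


def admission_decision(ep: Endpoint) -> Tuple[str, List[str]]:
    """Network to place the client on, plus what it still has to do.
    Order follows the slide: registration -> scan -> AD auth -> role."""
    if not ep.registered:
        return "registration-vlan", ["complete registration page"]
    failures = compliance_failures(ep)
    if failures:
        return "remediation-vlan", failures
    if ep.ad_role is None:
        return "registration-vlan", ["authenticate with MS AD credentials"]
    network = ROLE_NETWORKS.get(ep.ad_role)
    if network is None:
        return "registration-vlan", [f"no network mapped for role {ep.ad_role!r}"]
    return network, []
```

The client stays on the restricted VLAN until every step has passed, which is the property the slide's "ongoing authentication enforced" bullet is protecting.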

Page 23: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC registration welcome page

Page 24: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC terms & conditions of use

Page 25: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC MS IE proxy settings page

Page 26: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC registration page

Page 27: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC scan fail page

Page 28: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC registration complete

Page 29: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC Primary outcome – ability to meet customer needs efficiently

[Chart: Cumulative Student network connections 2005/6 vs 2006/7. X-axis: Time (Date), monthly labels from 29/09/2005 to 29/05/2006. Y-axis: Licences consumed, 0 to 1600.]

Page 30: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC Economic perspective outcome

Assume total Capex and Opex cost over three years excluding labour

Assume cost per user in bands €0-10, €10-25, €25-50, €50-75 and €75-100

Cost per user currently €50-75 but €0-10 achievable within 3 years

Page 31: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC outcomes

• Repositioned to better meet network connectivity needs of students both effectively and efficiently as these needs evolve over time

• Control and support high numbers of “unmanaged” network devices

Page 32: Campus Network Accession - Authentication and Controlling Student Laptops

TCD Self service NAC secondary outcomes

• Improves job design
• Requires and supports organisational cultural and structural change
• Wider technical improvements
• Difficulties
• Opportunities

Page 33: Campus Network Accession - Authentication and Controlling Student Laptops

Campus Network Accession - Authentication and Controlling Student Laptops

“Each new wave of technology disrupts existing security measures and introduces new vulnerabilities. In the case of information security, failing to deploy defensive solutions at the right time can leave the enterprise vulnerable. Delays in implementing identity, authentication, and access control products or services can leave the enterprise in catch-up mode in terms of business opportunity.”

Gartner, Inc. research (ID Number G00123949; The Future of Enterprise Security)

Page 34: Campus Network Accession - Authentication and Controlling Student Laptops

Campus Network Accession - Authentication and Controlling Student Laptops

“Got connected to the wireless and wired networks yesterday. Such an improvement over the previous system!”

“OK, so have connected to the wired network in my room in college now, all nice and easy to set up compared to before!”

“It takes 40 seconds for the restart, and this (I think) has to be done every time you boot up. Bring back the network clinics I say!!!”

Boards.ie October 2006