
Campus Network Accession Authentication and Controlling
Student Laptops
Brian O’Hora
BSc (Hons) & MBA Technology Management
Networks & Infrastructure Manager
Information Systems Services
University of Dublin
Trinity College
[email protected]
Growth - Student networking TCD

Residential network users
Year     Users    Growth
2002/3   276      n/a
2003/4   318      15.2%
2004/5   428      34.6%
2005/6   1021     138.6%
2006/7   ????     ????

Wireless network users
Year     Users    Growth
2002/3   n/a
2003/4   200      n/a
2004/5   750      275%
2005/6   > 1500   100%
2006/7   ????     ????
2005/6 Workflow required
1. Student submits web form
2. Case logged in workflow system (Remedy)
3. Public IP address assigned to NIC MAC address, hardware table updated
4. Machine added to MS AD domain
5. Case assigned from USG to Networks for port activation
6. Port activated, documentation updated, case reassigned to USG
7. User scheduled to attend clinic
8. User attends clinic, supplied with custom security CD
9. Pre AV checks - Stinger
10. AV & E-Pol installation and configuration, OS updates
11. Network configuration
12. Add machine to domain
13. Application configuration – Browser and Mail
14. Case updated and closed, records updated
15. x2000 times – automation required !!!
2005/6 outcome – efficiency
[Chart: Cumulative Student network connections 2005/6 – cumulative number of connections (0 to 1400) vs time (date), 29/09/2005 to 29/05/2006]
Methodologies in use to address this challenge
1. Resist need to network private machines
2. Manage machines as standard corporate machines
3. Outsource residential network
4. Manage the unmanaged by using an emerging technology framework, Network Admission Control (NAC), to address challenges
Network Admission Control (NAC) - the wider environment

Analysis: Network Access Control
Network Computing, October 06, 2006
“NAC (network access control) enforcement products will grow to $3.9 billion by 2008 from $323 million last year--that's more than 1,100 percent growth”

Lippis Report Issue 69: 2007 Is The Year of Network Access Control
Oct 16, 2006 by Nick Lippis
So is 2007 the year of NAC?
1) NAC solves real problems
2) NAC technology works
3) Enterprises are deploying NAC. The data points are building and the trend line is becoming clear. 2007 is the year of NAC.
TCD Self Service NAC project objectives
From start October 2006:
• Improve quality of service for students connecting computers to the College network
• Reduce IS Services staff involvement
• Maintain or enhance Network Security
• Provision of dynamic network administration and network security information
TCD Self Service NAC scope
target customers and areas
• Initial scope
• Extended scope
• Desirable – Wireless/VPN
• Not under consideration – Guest/EduRoam
TCD Self Service NAC project approach
• Surveyed current market place and Institutions using NAC
• Solutions identified – approx 20
• Shortlisted - 6
• Arranged presentations, trials and site visits
• Submitted project proposal including business case to Senior Management
• Initiated restricted Request For Proposals, closing 8th June
TCD Self Service NAC project
business case
• Model 1 Transaction costs
• Model 2 Staff equivalents
• Model 3 Qualitative benefits
TCD Self Service NAC project RFP criteria
• Description of solution, features, integration with existing, user scenarios (50)
• Solution roadmap, past and future
• OEM/reseller information (20)
• Cost (30)
TCD Network Admission Control project – evaluation responses
• Responses received
• Cost @ 30% weighting significant
• Unexpected response
• Cost determined outcome
KHIPU and Bradford Campus Manager selected
• TCD selects KHIPU Networks to supply NAC solution
• Khipu exclusive partners Bradford Campus Manager in the UK/Ireland
• Over 300 Campus Manager installations in the USA, over 28 Campus Manager installations in the UK
• Over 1,250,000 ports controlled by Campus Manager
• UK and International Education User Groups
Bradford Networks Company History
Timeline 1999–2006, milestones in chronological order:
► Began as custom engineering development services team
► Network management software design expertise
► Concept and sample architecture developed
► Functional prototype development – BRADFORD CAMPUS MANAGER
► Demonstrated solution at an industry trade show
► Installed CAMPUS MANAGER in several educational institutions
► Increased install base to over 200 clients
► Transition: engineering services to a product company
Educational Customers
UK and Ireland
Sample Educational Customers
USA, UK and Ireland
Bradford Campus Manager
“Out of band” solution –
leverages existing network
TCD Self service NAC
configuration
• Dual NS 1200/8200 appliance pairs for resilience, 3000
client user license purchased
• 116 CISCO switches across all residences and 200
Library communal area wired network points
• Private IP addressing
• MS AD Authentication database
• Role based access management - MS AD attribute
• White list file for BCM and Bluecoat Web proxies
• Client browser auto detect proxy settings used
• Ongoing authentication enforced
TCD Self service NAC
User Experience
• Connect to the network
• Open a web browser, presented with SNAC welcome page
• Next page - terms and conditions
• Next page – OS specific page outlining the web browser proxy settings
• Next page - Registration page, name, contact number and location
• Download a scanning program to ensure computer is compliant
• If not compliant, advised how to self-remediate
• Once your computer is compliant, asked to authenticate with MS AD credentials to gain admission to appropriate network
TCD Self service NAC
Endpoint Compliance
• On Registration/Rescan download
and run CSA executable
• MS Windows OS/AV checks
• Apple Mac OS/AV checks
• Linux check
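The admission flow the configuration, User Experience and Endpoint Compliance slides describe (registration, compliance scan with self-remediation, MS AD authentication, role-based placement from an AD attribute, a pre-admission whitelist for the BCM portal and web proxies, and ongoing re-authentication) modelled as a small decision function. This is an added illustration, not Bradford Campus Manager code; the check names, role-to-network mapping, whitelist hosts and re-authentication interval are assumed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed placeholders: hosts reachable before admission (the portal and the
# web proxy, as in the "white list file" slide) and the AD-attribute -> network map.
PRE_ADMISSION_WHITELIST = {"snac.example.tcd", "proxy.example.tcd"}
ROLE_NETWORK = {"student": "student-vlan", "staff": "staff-vlan"}
REAUTH_INTERVAL_S = 8 * 3600  # assumed period for "ongoing authentication enforced"

# Per-OS checks the downloaded scanner must report as passed (assumed names,
# following the Windows OS/AV, Mac OS/AV and Linux checks on the slide).
REQUIRED_CHECKS = {
    "windows": ("os_updates_current", "av_installed", "av_signatures_current"),
    "macos": ("os_updates_current", "av_installed"),
    "linux": ("os_updates_current",),
}


@dataclass
class Endpoint:
    mac: str
    os: str
    registered: bool = False                   # registration page completed
    scan: dict = field(default_factory=dict)   # results reported by the scanner
    authenticated_at: Optional[float] = None   # time of last successful AD login
    role: Optional[str] = None                 # AD attribute set at authentication


def failed_checks(ep: Endpoint) -> List[str]:
    """Checks the endpoint has not passed; empty list means compliant.
    An OS the scanner has no checks for fails closed rather than open."""
    checks = REQUIRED_CHECKS.get(ep.os)
    if checks is None:
        return ["unsupported_os"]
    return [c for c in checks if not ep.scan.get(c, False)]


def admission_state(ep: Endpoint, now: float) -> str:
    """Portal state for the endpoint, in the order the user meets the pages."""
    if not ep.registered:
        return "register"
    failed = failed_checks(ep)
    if failed:
        return "remediate:" + ",".join(failed)     # self-remediation advice page
    if ep.authenticated_at is None or now - ep.authenticated_at > REAUTH_INTERVAL_S:
        return "authenticate"                      # first login or re-authentication due
    return "admitted:" + ROLE_NETWORK.get(ep.role, "restricted-vlan")


def allowed_pre_admission(ep: Endpoint, host: str, now: float) -> bool:
    """Until admitted, only whitelisted hosts (portal, proxy) are reachable."""
    return admission_state(ep, now).startswith("admitted:") or host in PRE_ADMISSION_WHITELIST
```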
TCD Self service NAC
registration welcome page
TCD Self service NAC
terms & conditions of use
TCD Self service NAC
MS IE proxy settings page
TCD Self service NAC
registration page
TCD Self service NAC
scan fail page
TCD Self service NAC
registration complete
TCD Self service NAC
Primary outcome – ability to meet customer needs efficiency
[Chart: Cumulative Student network connections 2005/6 vs 2006/7 – licences consumed (0 to 1600) vs time (date), 29/09/2005 to 29/05/2006]
TCD Self service NAC
Economic perspective outcome
Assume total Capex and Opex cost over three years excluding labour
Assume cost per user in bands €0-10, €10-25, €25-50, €50-75 and €75-100
Cost per user currently €50-75 but €0-10 achievable within 3 years
TCD Self service NAC
outcomes
• Repositioned to better meet network
connectivity needs of students both
effectively and efficiently as these
needs evolve over time
• Control and support high numbers of
“unmanaged” network devices
TCD Self service NAC
secondary outcomes
• Improves job design
• Requires and supports organisational
cultural and structural change
• Wider technical improvements
• Difficulties
• Opportunities
Campus Network Accession
Authentication and Controlling
Student Laptops
“Each new wave of technology disrupts existing security
measures and introduces new vulnerabilities. In the case
of information security, failing to deploy defensive
solutions at the right time can leave the enterprise
vulnerable. Delays in implementing identity,
authentication, and access control products or
services can leave the enterprise in catch-up mode
in terms of business opportunity.”
Gartner, Inc. research (ID Number G00123949; The
Future of Enterprise Security)
Campus Network Accession Authentication and Controlling
Student Laptops
“Got connected to the wireless and wired networks
yesterday. Such an improvement over the previous
system!”
“OK, so have connected to the wired network in my room in
college now, all nice and easy to set up compared to
before!”
“It takes 40 seconds for the restart, and this (I think) has to be done every time you boot up. Bring back the network clinics I say!!!”
Boards.ie October 2006