Campus Network Accession - Authentication and Controlling Student Laptops Brian O’Hora BSc (Hons) & MBA Technology Management Networks & Infrastructure.

Presentation transcript:

Campus Network Accession - Authentication and Controlling Student Laptops
Brian O’Hora BSc (Hons) & MBA Technology Management
Networks & Infrastructure Manager
Information Systems Services
University of Dublin Trinity College

Growth - Student networking TCD Residential network users YearUsersGrowth 2002/3276n/a 2003/ % 2004/ % 2005/ % 2006/7???? Wireless network users YearUsersGrowth 2002/3 n/a 2003/4200n/a 2004/ % 2005/6 > % 2006/7????

2005/6 Workflow required
1. Student submits web form
2. Case logged in workflow system (Remedy)
3. Public IP address assigned to NIC MAC address, hardware table updated
4. Machine added to MS AD domain
5. Case assigned from USG to Networks for port activation
6. Port activated, documentation updated, case reassigned to USG
7. User scheduled to attend clinic

2005/6 Workflow required
8. User attends clinic, supplied with custom security CD
9. Pre AV checks - stinger
10. AV & E-Pol installation and configuration, OS updates
11. Network configuration
12. Add machine to domain
13. Application configuration – Browser and Mail
14. Case updated and closed, records updated
15. x2000 times – automation required !!!

2005/6 outcome – efficiency connections vs time

Methodologies in use to address this challenge
1. Resist need to network private machines
2. Manage machines as standard corporate machines
3. Outsource residential network
4. Manage the unmanaged by using an emerging technology framework, Network Admission Control (NAC) to address challenges

Network Admission Control (NAC) - the wider environment
Analysis: Network Access Control, Network Computing, October 06, 2006
“NAC (network access control) enforcement products will grow to $3.9 billion by 2008 from $323 million last year--that's more than 1,100 percent growth”
Lippis Report Issue 69: 2007 Is The Year of Network Access Control, Oct 16, 2006, by Nick Lippis
So is 2007 the year of NAC? 1) NAC solves real problems 2) NAC technology works 3) Enterprises are deploying NAC. The data points are building and the trend line is becoming clear is the year of NAC.

TCD Self Service NAC project objectives
From start October 2006:
► Improve quality of service for students connecting computers to the College network
► Reduce IS Services staff involvement
► Maintain or enhance Network Security
► Provision of dynamic network administration and network security information

TCD Self Service NAC scope: target customers and areas
► Initial scope
► Extended scope
► Desirable – Wireless/VPN
► Not under consideration – Guest/EduRoam

TCD Self Service NAC project approach
► Surveyed current market place and Institutions using NAC
► Solutions identified – approx 20
► Short listed - 6
► Arranged presentations, trials and site visits
► Submitted project proposal including business case to Senior Management
► Initiated restricted Request For Proposals, closing 8th June

TCD Self Service NAC project business case
► Model 1: Transaction costs
► Model 2: Staff equivalents
► Model 3: Qualitative benefits

TCD Self Service NAC project RFP criteria
► Description of solution, features, integration with existing, user scenarios (50)
► Solution roadmap, past and future OEM/reseller information (20)
► Cost (30)

TCD Network Admission Control project – evaluation responses Responses received 30% weighting significant Unexpected response Cost determined outcome

KHIPU and Bradford Campus Manager selected
► TCD selects KHIPU Networks to supply NAC solution
► Khipu exclusive partners Bradford Campus Manager in the UK/Ireland
► Over 300 Campus Manager installations in the USA
► Over 28 Campus Manager installations in the UK
► Over 1,250,000 ports controlled by Campus Manager
► UK and International Education User Groups

Bradford Networks Company History
► Began as custom engineering development services team
► Network management software design expertise
► Demonstrated solution at an industry trade show
► Concept and sample architecture developed
► Functional prototype development – BRADFORD CAMPUS MANAGER
► Transition: engineering services to a product company
► Installed CAMPUS MANAGER in several educational institutions
► Increased install base to over 200 clients

Educational Customers UK and Ireland

Sample Educational Customers USA, UK and Ireland

Bradford Campus Manager

“Out of band” solution – leverages existing network

TCD Self service NAC configuration
► Dual NS 1200/8200 appliance pairs for resilience, 3000 client user license purchased
► 116 CISCO switches across all residences and 200 Library communal area wired network points
► Private IP addressing
► MS AD Authentication database
► Role based access management - MS AD attribute
► White list file for BCM and Bluecoat Web proxies
► Client browser auto detect proxy settings used
► Ongoing authentication enforced

TCD Self service NAC User Experience
► Connect to the network
► Open a web browser, presented with SNAC welcome page
► Next page - terms and conditions
► Next page – OS specific page outlining the web browser proxy settings
► Next page - Registration page, name, contact number and location
► Download a scanning program to ensure computer is compliant
► If not compliant, advised how to self-remediate
► Once your computer is compliant, asked to authenticate with MS AD credentials to gain admission to appropriate network

TCD Self service NAC Endpoint Compliance
► On Registration/Rescan download and run CSA executable
► MS Windows OS/AV checks
► Apple MAC OS/AV checks
► Linux check
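
The admission sequence from the configuration, user experience and endpoint compliance slides above, written out as a decision function. This is an added example, not Bradford Campus Manager or TCD code; the network names, role values and the individual posture checks are assumptions, since the slides say only "OS/AV checks" and "role based access management".

```python
from enum import Enum
from typing import NamedTuple, Optional

class Network(Enum):                 # assumed network names, not from the slides
    REGISTRATION = "registration"    # portal pages only
    REMEDIATION = "remediation"      # self-remediation resources only
    STUDENT = "student"
    STAFF = "staff"

# Assumed mapping from the MS AD role attribute to a production network.
ROLE_TO_NETWORK = {"student": Network.STUDENT, "staff": Network.STAFF}

class Posture(NamedTuple):           # what the downloaded scanner reports (assumed fields)
    os_family: str                   # "windows", "macos" or "linux"
    os_patched: bool
    av_running: bool
    av_current: bool

def posture_failures(p: Posture) -> list:
    """Return the failed checks; an empty list means the endpoint is compliant."""
    if p.os_family not in ("windows", "macos", "linux"):
        return ["unsupported operating system"]
    failures = []
    if not p.os_patched:
        failures.append("operating system updates missing")
    if p.os_family != "linux":       # slides list AV checks for Windows and Mac only
        if not p.av_running:
            failures.append("antivirus not running")
        elif not p.av_current:
            failures.append("antivirus definitions out of date")
    return failures

def admit(accepted_terms: bool, posture: Optional[Posture], ad_role: Optional[str]):
    """Return (network, reasons). ad_role is None when MS AD authentication failed."""
    if not accepted_terms or posture is None:
        return Network.REGISTRATION, ["registration not completed"]
    failures = posture_failures(posture)
    if failures:                     # compliance is checked before credentials are asked for
        return Network.REMEDIATION, failures
    network = ROLE_TO_NETWORK.get(ad_role)
    if network is None:              # failed login or unmapped role: fail closed
        return Network.REGISTRATION, ["authentication failed or role not mapped"]
    return network, []

# Constructed sample: patched Windows laptop with stale AV definitions.
print(admit(True, Posture("windows", True, True, False), "student"))
```

Calling `admit` again on every rescan or reconnect is one way to model the "ongoing authentication enforced" setting: a device that drifts out of compliance drops back to the remediation network.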

TCD Self service NAC registration welcome page

TCD Self service NAC terms & conditions of use

TCD Self service NAC MS IE proxy settings page

TCD Self service NAC registration page

TCD Self service NAC scan fail page

TCD Self service NAC registration complete

TCD Self service NAC Primary outcome – ability to meet customer needs efficiency

TCD Self service NAC Economic perspective outcome
► Assume total Capex and Opex cost over three years excluding labour
► Assume cost per user in bands €0-10, €10-25, €25-50, €50-75 and €
► Cost per user currently €50-75 but €0-10 achievable within 3 years

TCD Self service NAC outcomes
► Repositioned to better meet network connectivity needs of students both effectively and efficiently as these needs evolve over time
► Control and support high numbers of “unmanaged” network devices

TCD Self service NAC secondary outcomes
► Improves job design
► Requires and supports organisational cultural and structural change
► Wider technical improvements
► Difficulties
► Opportunities

Campus Network Accession Authentication and Controlling Student Laptops
“Each new wave of technology disrupts existing security measures and introduces new vulnerabilities. In the case of information security, failing to deploy defensive solutions at the right time can leave the enterprise vulnerable. Delays in implementing identity, authentication, and access control products or services can leave the enterprise in catch-up mode in terms of business opportunity.”
Gartner, Inc. research (ID Number G ; The Future of Enterprise Security)

Campus Network Accession - Authentication and Controlling Student Laptops
“Got connected to the wireless and wired networks yesterday. Such an improvement over the previous system!”
“OK, so have connected to the wired network in my room in college now, all nice and easy to set up compared to before!”
“It takes 40 seconds for the restart, and this (I think) has to be done every time you boot up. Bring back the network clinics I say!!!”
Boards.ie October 2006