Security and Bandwidth
By Wylie Wong | Posted 2011-07-28
As colleges and school districts face an onslaught of mobile devices, IT departments must provide ample network bandwidth while dealing with the security risks generated by those devices.
Security and Bandwidth
SUNY College at Old Westbury provides IT support for 4,000 students, about 1,200 of whom live in dorms. Eighteen months ago, when CIO Seybold saw an explosion of personal mobile computing devices on campus, he began looking for a way to secure the devices and control bandwidth.
To improve security, Seybold offered students free Symantec antivirus software for their notebook computers. He also tried to use a network access control (NAC) appliance to ensure that they had the latest antivirus software definitions and the correct security settings before allowing them onto the network.
Students embraced the antivirus software, but they balked at the NAC technology because it required them to install a security agent on their computers. The NAC appliance was also problematic because it didn't support smartphones or tablets, so it could not secure every device used on the campus.
Realizing that the appliance wasn’t meeting the college’s needs, Seybold switched to a policy-based approach. It encompasses a Riverbed Cascade device that monitors the network and analyzes user and traffic behavior to detect threats.
Now, when students, faculty and staff members log on to the wired and wireless networks with their user names and passwords, they are authenticated via 802.1X and are given network rights based on their user groups. Cascade baselines the normal behavior of applications and systems; if it discovers anomalies that could indicate worms, malware, botnets or other threats, it immediately alerts the IT staff.
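The behavioral detection described above works by learning what each host normally does and alerting when a window of traffic departs sharply from that baseline. The following is an added example, not Riverbed Cascade code: a toy detector over constructed flow records that learns each host's typical fan-out (distinct destination/port pairs per window) and flags hosts that exceed it, the signature of a worm sweeping a subnet. The IP addresses, window contents and thresholds are all constructed for illustration.

```python
"""Toy flow-baseline anomaly detector (added example; constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev


def fanout(flows):
    """Distinct (dst_ip, dst_port) pairs contacted by each source in one window."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[src].add((dst, port))
    return {src: len(p) for src, p in peers.items()}


def learn_baseline(windows):
    """Per-host mean and population stdev of fan-out across the training windows.

    A host absent from a window counts as fan-out 0 for that window, so quiet
    hosts do not end up with an artificially narrow baseline."""
    hosts = {src for w in windows for src, _, _ in w}
    per_host = defaultdict(list)
    for w in windows:
        f = fanout(w)
        for h in hosts:
            per_host[h].append(f.get(h, 0))
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}


def detect(baseline, window, k=3.0, min_delta=10):
    """Alert on hosts whose fan-out exceeds mean + k*stdev.

    min_delta is the caveat that matters in practice: a host whose training
    fan-out never varied has stdev 0, and without a floor a single extra
    connection would fire an alert. Hosts unseen in training are compared
    with the spread of per-host means across the whole population."""
    host_means = [m for m, _ in baseline.values()]
    fallback = (mean(host_means), pstdev(host_means))
    alerts = []
    for host, fo in fanout(window).items():
        mu, sd = baseline.get(host, fallback)
        threshold = max(mu + k * sd, mu + min_delta)
        if fo > threshold:
            alerts.append((host, fo, round(threshold, 1)))
    return sorted(alerts)


# ---- constructed sample data (not captured traffic) ----
def _web(src, n, port=443):
    """n ordinary HTTPS flows from src to distinct external hosts."""
    return [(src, f"203.0.113.{i}", port) for i in range(1, n + 1)]

TRAINING_WINDOWS = [
    _web("10.0.1.10", 4) + _web("10.0.1.11", 3),
    _web("10.0.1.10", 6) + _web("10.0.1.11", 2),
    _web("10.0.1.10", 5) + _web("10.0.1.11", 4),
]

# Observation window: .10 browses as usual but also sweeps SMB across 40 dorm
# hosts (worm-like); .11 is normal; .99 is a host never seen in training.
OBSERVED = (
    _web("10.0.1.10", 5)
    + [("10.0.1.10", f"10.0.1.{i}", 445) for i in range(20, 60)]
    + _web("10.0.1.11", 3)
    + _web("10.0.1.99", 2)
)

if __name__ == "__main__":
    for host, observed, threshold in detect(learn_baseline(TRAINING_WINDOWS), OBSERVED):
        print(f"ALERT {host}: fan-out {observed} exceeds baseline threshold {threshold}")
```

Only 10.0.1.10 is flagged: its baseline is a mean of 5 with a small spread, so the floor of mean + 10 governs and the observed fan-out of 45 clears it easily, while the unseen host 10.0.1.99 is held to the population-wide baseline rather than admitted blindly. A real product adds many more features (byte volumes, new destination ports, periodicity of beacons), but the baseline-then-deviate structure is the same.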
To manage network bandwidth, Seybold purchased the SonicWall E-Class NSA E7500 firewall, which monitors traffic flow, ties user IDs with applications and enforces policies. He created a policy that gives professors in classrooms bandwidth priority from 9 a.m. to 6 p.m. After 6 p.m., when classes are not in session, students get unfettered access to bandwidth.
Security is a work in progress, according to Seybold. He deploys an intrusion-prevention system as part of a multilayered security approach. Seybold also plans to build tighter integration between the Riverbed and SonicWall devices, so they will work more in tandem to defend the network.
“We’re on the road to a solution,” Seybold says. “It’s a journey, and we’ve already taken some good steps.”
Managing Student Devices
While a NAC appliance didn’t work well at the Old Westbury campus, it was the perfect fit for Michigan’s East Grand Rapids Public Schools. The district, which has 1,600 computers for its 2,900 students, can’t afford a one-to-one computing program.
As a result, in 2003, it launched a Bring Your Own Technology (BYOT) initiative so students can bring their personal mobile computing devices to school. Initially, the effort received a tepid response, garnering only 30 participants, because of a drawn-out vetting process in which the IT staff had to evaluate each student's computer to make sure it was secure.
To simplify and automate the process, Jeff Crawford, the district's manager of networking and security, purchased Avenda Systems' eTIPS NAC appliance, which allows students, as well as faculty and staff, to easily connect their notebook computers and other mobile devices to the district's Wi-Fi network.
When a user logs on, the NAC performs a quick computer health check, making sure that both a firewall and antivirus software are enabled before the device is allowed onto the network. The NAC also allows the IT department to set up policies for specific users: Faculty get a higher class of service, such as more bandwidth; students gain access to the Internet, printers and their own files, but they are blocked from critical district applications, Crawford says.
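The two policy models on this page, the health check plus per-group rights at East Grand Rapids and the time-of-day bandwidth priority at Old Westbury, can be expressed as one small admission function. The following is an added example, not Avenda eTIPS or SonicWall code: a toy evaluator that refuses devices missing a firewall or antivirus, grants resources by role, assigns a bandwidth class that depends on whether classes are in session, and, echoing the problem with agentless smartphones and tablets described earlier on this page, confines devices that cannot report posture to guest access instead of either trusting or blocking them outright. The role names, resource names and bandwidth class labels are constructed for illustration.

```python
"""Toy NAC admission and bandwidth-policy evaluator (added example; constructed policy)."""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Posture:
    """Health facts an agent reports for a managed notebook."""
    firewall_enabled: bool
    antivirus_enabled: bool


@dataclass(frozen=True)
class Decision:
    admitted: bool
    reason: str
    bandwidth_class: Optional[str] = None
    resources: FrozenSet[str] = frozenset()


# Constructed role table modelled on the article's description: students reach
# the Internet, printers and their own files; faculty also reach district apps.
ROLE_RESOURCES = {
    "faculty": frozenset({"internet", "printers", "home_files", "district_apps"}),
    "student": frozenset({"internet", "printers", "home_files"}),
}
GUEST_RESOURCES = frozenset({"internet"})   # for devices that cannot run the agent
CLASS_HOURS = (time(9, 0), time(18, 0))     # 9 a.m. to 6 p.m.


def in_class_hours(now):
    return CLASS_HOURS[0] <= now < CLASS_HOURS[1]


def bandwidth_class(role, now):
    """Faculty get priority while classes are in session; afterwards everyone
    shares the link on equal terms."""
    if not in_class_hours(now):
        return "standard"
    return "priority" if role == "faculty" else "best_effort"


def admit(role, posture, now):
    """Decide admission for a user of `role` whose device reported `posture`
    (None when the device cannot run the agent) at wall-clock time `now`."""
    if role not in ROLE_RESOURCES:
        return Decision(False, "unknown role")
    if posture is None:
        # No agent means no health facts. Rather than block phones and tablets
        # entirely (the failure the first campus hit), park them on guest access.
        return Decision(True, "agentless device, guest access", "best_effort", GUEST_RESOURCES)
    failed = [name for name, ok in (("firewall", posture.firewall_enabled),
                                    ("antivirus", posture.antivirus_enabled)) if not ok]
    if failed:
        return Decision(False, "health check failed: " + ", ".join(failed))
    return Decision(True, "admitted", bandwidth_class(role, now), ROLE_RESOURCES[role])


def can_use(decision, resource):
    """Enforcement point: a resource is reachable only for an admitted session."""
    return decision.admitted and resource in decision.resources


if __name__ == "__main__":
    healthy = Posture(firewall_enabled=True, antivirus_enabled=True)
    for role, posture, now in [("faculty", healthy, time(10, 0)),
                               ("student", healthy, time(10, 0)),
                               ("student", healthy, time(19, 0)),
                               ("student", Posture(True, False), time(10, 0)),
                               ("student", None, time(10, 0))]:
        print(role, now, admit(role, posture, now))
```

Two design points worth noting. The health check is a hard gate and the bandwidth class is a soft one: a student with antivirus disabled is refused entirely, while a student logging on during class hours is admitted with lower priority, not blocked. And unknown roles are refused before posture is even examined, so a user with no group mapping cannot be admitted by accident.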