Mobile Stretches Network Security

By Wylie Wong  |  Posted 2011-07-28

At SUNY College at Old Westbury, New York, students want the freedom to use their mobile devices on campus. They also want Internet access everywhere ... and they want it fast. What they don’t want is to have to load special security software.

In an effort to make life easier for the students without exposing the college to risk, CIO Marc Seybold turned to a network behavior-analysis tool to monitor network traffic for anomalies that can signify potential security threats. He also installed a new firewall device that controls bandwidth usage.

See Also: Colleges Work With Industry Partner

“Defense has to become organic,” says Seybold. “The greater number of devices and operating systems you wind up with, the more vectors for infection there are, so you want something dynamically looking at the network and responding in real time.

“We also have to prioritize traffic, so students can do their classwork and have a reasonable amount of discretionary activity, while faculty and administrators can do their work and not be disrupted by students who are going on Facebook or YouTube.”

Old Westbury is not unique. As colleges and school districts face an onslaught of mobile devices owned by students, faculty and staff, IT departments must provide ample network bandwidth while dealing with the security risks generated by those devices. In response, they are regularly bolstering their campus and WiFi networks and deploying technologies to better manage those devices, control bandwidth and thwart security attacks.

Other educational institutions are investing in technologies that allow them to centralize and better manage their IT operations.

A new breed of WiFi equipment

Glendale Community College, in Glendale, Ariz., is providing blazing fast Internet speeds with a new breed of WiFi equipment that is also much simpler to manage.

Three years ago, the college’s WiFi network was a nightmare. The IT department had cobbled together 60 wireless access points from different vendors. The APs carried all the intelligence, forcing senior network administrator Joshua Krek to individually configure, manage and troubleshoot them all. “I was at the end of my rope trying to keep things running,” he recalls.

To fix this problem, the IT department revamped its wireless network and standardized on Hewlett-Packard’s enterprise-class WiFi equipment. It includes a wireless LAN controller that Krek uses to centrally configure and manage access points.

During the past school year, the IT staff upgraded the WiFi network again, this time with HP’s E-series Multi- Service Mobility (MSM) 400 series APs. The dual-radio 802.11n access points transmit three data streams per wireless radio, providing a throughput of 900Mbps. “With the newest gear, I can get higher density and increased bandwidth,” Krek says.

He has deployed 110 access points across three different campuses. Thanks to the new equipment, Krek is trimming the time it takes to manage the network from 10 hours a week to two hours.

Security and Bandwidth

SUNY College at Old Westbury provides IT support for 4,000 students, about 1,200 of whom live in dorms. Eighteen months ago, when CIO Seybold saw an explosion of personal mobile computing devices on campus, he began looking for a way to secure the devices and control bandwidth.

To improve security, Seybold offered students free Symantec antivirus software for their notebook computers. He also tried to use a network access control (NAC) appliance to ensure that they had the latest antivirus software definitions and the correct security settings before allowing them onto the network.

Students embraced the antivirus software, but they balked at the NAC technology because it required them to install a security agent on their computers. The NAC appliance was also problematic because it didn’t support smartphones or tablets, so it didn’t secure every device used on the compus.

Realizing that the appliance wasn’t meeting the college’s needs, Seybold switched to a policy-based approach. It encompasses a Riverbed Cascade device that monitors the network and analyzes user and traffic behavior to detect threats.

Now, when students, faculty and staff members log on to the wired and wireless networks with their user names and passwords, they are authenticated via 802.1x and are given network rights based on their user groups. Cascade determines the normal behavior of applications and systems; if it discovers anomalies that could mean worms, malware, botnets and other threats, it immediately alerts the IT staff.

To manage network bandwidth, Seybold purchased the SonicWall E-Class NSA E7500 firewall, which monitors traffic flow, ties user IDs with applications and enforces policies. He created a policy that gives professors in classrooms bandwidth priority from 9 a.m. to 6 p.m. After 6 p.m., when classes are not in session, students get unfettered access to bandwidth.

Security is a work-in-progress, according to Seybold. He deploys an intrusion-prevention system as part of a multilayered security approach. Seybold also plans to build tighter integration between the Riverbed and SonicWall devices, so they will work more in tandem to defend the network.

“We’re on the road to a solution,” Seybold says. “It’s a journey, and we’ve already taken some good steps.”

Managing Student Devices

While a NAC appliance didn’t work well at the Old Westbury campus, it was the perfect fit for Michigan’s East Grand Rapids Public Schools. The district, which has 1,600 computers for its 2,900 students, can’t afford a one-to-one computing program.

As a result, in 2003, it launched a Bring Your Own Technology (BYOT) initiative so students can bring their personal mobile computing devices to school. Initially, the effort received a tepid response, garnering only 30 participants, because of a drawn-out process that was necessary so the IT staff could evaluate student computers to make sure they were secure.

To simplify and automate the process, Jeff Crawford, the district’s manager of networking and security, purchased Avenda Systems’ eTIPS NAC appliance, which allows students—as well as faculty and staff—to easily connect their notebook computers and other mobile devices to the district’s WiFi network.

When a user logs on, the NAC performs a quick computer health check, making sure that both a firewall and antivirus software are enabled before the device is allowed onto the network. The NAC also allows the IT department to set up policies for specific users: Faculty get a higher class of service, such as more bandwidth; students gain access to the Internet, printers and their own files, but they are blocked from critical district applications, Crawford says. 

BYOT is gaining traction, with about 160 students regularly connecting their own mobile devices to the WiFi network. The district hopes to increase participation, and district leaders are discussing whether they should require all students to bring their own devices to school.

To gear up for such an eventuality, the district recently installed a new 802.11n WiFi network with 240 access points throughout the district, one in each classroom.

“We believe students learn better when they bring their own technology to school,” says Crawford, “so that’s the direction we’re headed.”

Centralization Reduces Costs

With 90,000 students in five main campuses, the Lone Star College System, based in the Houston area, has experienced huge growth during the past three years. Each campus had previously managed its own technology infrastructure, but the IT department began a centralization effort to reduce costs, says Link Alander, associate vice chancellor of technology services.

Lone Star built a new green, high-efficiency data center and consolidated 95 percent of its servers using server virtualization software. The college deploys Symantec’s application virtualization software, which helps it save money by reducing software licensing costs via one-time or short-term use of software.

For example, Alander explains, if professors need to use a particular application for a day or two, IT can send it to them through a virtualization layer. The college is also piloting desktop virtualization.

To automate many tasks IT had done manually, the college deployed Symantec’s Altiris IT Management Suite. The software allows the IT staff to remotely image PCs and remotely patch and update software on all computers.

The suite includes asset-management software, which provides campus IT leaders with real-time inventories of hardware and software. This helps with IT planning and software-license compliance.

Alander can run reports on software usage. That’s cost-effective because if some employees don’t use certain applications, he can reduce software licenses for those applications. The technology also automatically turns off PCs at night to save energy.

For security, the college system deployed Symantec Endpoint Protection—which provides antivirus and anti-spyware on desktop and notebook computers—and Symantec Endpoint Encryption across all laptops.

A consulting firm estimates that, from the time the Symantec management and security software was installed in March 2009 through the end of 2011, the college system will save about $2.7 million from reduced costs and labor productivity gains.

“If you don’t have automation tools in place, you can’t provide a high level of service,” Alander says. “Tools have given me the ability to see everything going on in the organization. We can control risk, and our teams have the ability to remediate items faster and deploy images more quickly.”