



These days, the average college student comes to college equipped with much more than a notebook and tape recorder. Today’s students come armed with a plethora of desktops, laptops, Netbooks, iPads, iPhones, hand-held smart phones, and gaming devices. They also want to connect continuously from every corner of the campus. So access to the network is needed not only in the residence halls and classrooms, but from the quad, coffee house, and pizza parlor.
Like many campuses across the nation, Keystone College has had its share of computer-related security problems. An ongoing problem prompted Charlie Prothero, the Chief Information Officer, to research network access control (NAC) products.
“We were literally going door-to-door in the dorms with a laptop and Net Stumbler™ trying to find the misconfigured machines flooding the network with viruses and other garbage,” says Prothero. “Once we were able to tie the ownership of a machine to a specific person we’d get the bonus of dealing with the updates. And then we’d start all over again.”
Prothero continues, “We have never had a case of a malicious user. It’s always been an instance of the owner not having any knowledge of the problem. But the residence halls were completely out of control and threatening to consume all of our resources.”
Keystone College researched the NAC offerings available at the time and purchased the Perfigo application, which would later become Cisco Clean Access, to run in a virtual environment. Recently, the school was informed that the product could no longer be offered as software-only to run in the virtual environment that Prothero had chosen and that Keystone would have to purchase multiple appliances to accomplish the same task.
Knowing that he wanted to continue using NAC to help maintain the integrity of the network, Prothero turned to his peers for advice and posted a request for NAC references on the EDUCAUSE Security List Serve.
“The response was phenomenal,” says Prothero. “It’s really one of the best research tools available. I received recommendations based on real-world experience with both products and service. The EDUCAUSE List Serve led me to Impulse Point and SafeConnect.”
Already planning to upgrade its wireless network across the campus, Keystone College also required a NAC solution that would function consistently across both wired and wireless connections. The fact that SafeConnect NAC could seamlessly integrate with wireless access provided by Aruba Networks was another plus for Prothero.
“Anyone, anywhere, on the wireless network is directed through SafeConnect and their security situation is assessed in real time. We also wanted a solution that would be flexible and expand with students and faculty as they moved across campus. Now we’re able to have Single Sign-On capability irrespective of being on the ResNet or main campus.”
SafeConnect’s unique continuous posture assessment capability leverages Aruba’s Policy Enforcement Firewall (PEF) technology to assign per-user quarantine roles, in real time, to clients not compliant with security requirements. When NAC is provided through an Aruba Controller, non-compliant users are immediately placed into isolation from other users through firewall rules. These firewall rules can be quickly and easily written to permit communication with remediation servers or to restrict a device to Internet-only guest access, and can even apply Web-based captive portal rules to display custom Web pages to users.
The residence halls at Keystone now require students to access the network through the college’s self-branded SafeConnect portal. In addition to recognizing and blocking devices with virus or spyware programs, SafeConnect also provides specific instructions on how users can correct the problem and regain access to the network.
“Running SafeConnect is much simpler for us than Cisco Clean Access. Now, it’s just easier. Students can get it going and corrected themselves without needing extensive help,” says Prothero.
SafeConnect™ offers an easy to implement and support endpoint policy management solution that allows organizations to control access to their networks based on an end user’s compliance with security policies, while seamlessly connecting to their existing multi-vendor infrastructure. Although not required, SafeConnect is also compatible with 802.1x, providing the flexibility to quarantine users at the router, switch, or endpoint device.
SafeConnect™ is supported by the NAC industry’s only proactive maintenance support offering. Impulse Point provides continuous proactive monitoring and support that includes hardware server and software problem determination and resolution, as well as upgrade protection to future software functional releases. Impulse Point prides itself on the quick, efficient, and accurate implementation of the SafeConnect NAC Solution and is available to provide personalized advice and support throughout project planning, installation, and deployment. All necessary Policy Appliance hardware, software licenses, and the following support services are included in the initial first year price of the SafeConnect solution:
The ability to maintain up-to-date support for the most current anti-virus, anti-spyware, operating system, and other endpoint security software is a major benefit of Impulse Point’s Managed Services Offering. Impulse Point owns the responsibility of identifying, supporting, and updating customers within 48 hours as a standard component of its managed support service.
The endpoint policy management capabilities shown to the right are included:
The SafeConnect solution performs both pre- and post-admission security checks in real time without any network traffic degradation. SafeConnect functions out-of-line and provides continuous security assessment and enforcement across wired, wireless, and VPN networks without creating performance bottlenecks, causing maintenance-driven network outages, or acting as a single point of failure.
SafeConnect features a Single Sign-On (SSO) authentication capability that allows existing Active Directory-managed users to keep their existing login experience.
The SafeConnect NAC solution helps drive a substantial reduction in help desk calls because it is intuitive and user-friendly for both the end users and IT support management teams. Users not in compliance receive individualized policy notifications regarding the reason for non-compliance (e.g. out-of-date anti-virus protection) and are guided through the remediation process with instructions and a link to an internal or external source where the appropriate software or virus definition can be downloaded. Because the remediation process is simple and straightforward, users follow through to regain compliance and access to the network. This results in fewer instances of non-compliance and ultimately fewer Help Desk calls.
School campuses need to quickly notify students and faculty in the event of an emergency situation. SafeConnect has the ability to broadcast an information or emergency message on-demand to everyone whose computer is authorized to access the campus network. SafeConnect can also send messages to specific devices, specific user groups (staff, faculty, students, etc.), or individual users. Notification can be made quickly and administrators can track the acknowledgements of receipt for compliance purposes.
Policy Administrators can define and change endpoint computing policies and enforcement rules by network segment or directory services policy group from a centralized policy management interface, regardless of the number of remote or distributed locations. The solution also delivers real-time and historical policy status reporting that provides valuable insight into group or individual policy compliance to Policy Administrators and Help Desk personnel.
The following SafeConnect Endpoint Policy Management capabilities can be deployed in a phased-in approach (by IP address/range, subnet, VLAN) across wired, wireless, and VPN infrastructures.
Keystone College, located in La Plume, Pa., is recognized as the region’s “Most Beautiful Campus.” Keystone has a diverse student body with students from 14 states and 12 countries studying one of the many academic programs available online, on campus, and on the weekend. With a 10:1 student/faculty ratio, Keystone has a reputation for creating a caring and supportive environment dedicated to students’ needs. Students can prepare for leadership and broaden their educational experiences through athletics, global learning opportunities, an extensive career development center, and countless student activities, clubs, and organizations. For more information, please visit www.keystone.edu
Aruba is the global leader in distributed enterprise networks. Its award-winning portfolio of campus, branch/teleworker, and mobile solutions simplify operations and secure access to all corporate applications and services – regardless of the user’s device, location, or network. This dramatically improves productivity and lowers capital and operational costs. Listed on the NASDAQ and Russell 2000® Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, and Asia Pacific regions. To learn more, visit Aruba at http://www.arubanetworks.com.
EDUCAUSE is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. For more information, please visit www.educause.edu