Northern Arizona University Case Study

Northern Arizona University Substantially Improves Network Security While Reclaiming 50 Hours a Month for IT Staff


For many corporate IT groups, the risk of viruses, spyware or other malicious code penetrating the network is worrisome but manageable. For the most part, they have control over the hardware and software running in their environment and can dictate policies for endpoint security. In a university setting, however, protecting the network is a different ballgame. College students bring a wide array of devices to campus. If one becomes infected, it can rapidly damage other machines on the network. Yet some students run out-of-date antivirus software and others intentionally disable security software in order to play online games.

In 2004, malware was wreaking havoc for the nearly 25,000 students attending Northern Arizona University (NAU) in Flagstaff at that time. “We faced an era of ‘super viruses,’” says John Campbell, director of academic computing for NAU. “Students were coming to campus and their computers were immediately getting infected. We needed to restrict network access to people who met certain criteria. That’s when we decided to implement a network access control (NAC) system. After reviewing a number of products, we deployed Perfigo SmartEnforcer, which was later acquired by Cisco® and renamed Cisco Clean Access.”

Network Access Out of Control

NAU rolled out the solution in its residential housing system, which serves about 7,000 students. The solution required a CCA server for each of the school’s 20 residence halls, plus one central “manager” machine. In addition, the university required development servers so that IT staff could supplement the system with custom code.

“We added our own service. The problem was that every time the application had an update, we had to fix a bunch of our custom code.”

Cisco provided updates two to four times a year. “With every update, we would start at 3 o’clock in the morning,” Bell reports. “We would upgrade the manager machine first, then work through the other 20 servers. Each system took about 15 minutes. Our goal was to be finished by 7 a.m., but occasionally there was a hiccup and users experienced downtime during the business day.” At 3 a.m., Bell and her team would manually bypass the in-line Cisco NAC servers to reduce service outages, but these heroic efforts still resulted in brief outages that could impact a student taking a quiz or working on a project requiring persistent Internet services. With SafeConnect managing the updates, the IT staff can work during normal business hours and avoid the now-unnecessary heroics and outages.

Moreover, each Cisco Clean Access server presented a single point of failure for network access. “When the Cisco product failed, it would completely take down a residence hall,” Bell says. “And the system failed with some frequency. There was one two-month period during which I replaced four hard drives.”

Managing the NAC infrastructure was time-consuming for Bell and other IT staff. “All in all, I spent about a third of my time dealing with issues related to Cisco Clean Access,” she says. In addition, NAU was unhappy that Cisco usually took three to six months to support a new operating system, Web browser, standard applications such as anti-virus protection, or new devices like the iPhone, iPad, or other netbooks.

“Students don’t wait months to try out new software or devices,” Campbell says. “Cisco’s delay in supporting emerging operating systems and beta versions meant that we couldn’t manage security for all the machines students brought to campus. We’d have to exempt them from Cisco Clean Access. We never had a major security incident, but we weren’t comfortable bypassing the system. We really felt this product wasn’t keeping up.”

Dell Proposes a Managed Solution

As the university evaluated its NAC options, Dell recommended SafeConnect from Dell Preferred Partner Impulse Point. “Dell told us that SafeConnect is a product they really believe in,” Campbell says. “Dell has a lot of credibility here at NAU, so we added Impulse Point to our shortlist for consideration. And our procurement department appreciated being able to purchase SafeConnect through Dell.”

NAU deployed SafeConnect as a premises-based managed service. The solution runs on three Dell PowerEdge R610 servers running CentOS Linux. The servers reside on the NAU campus, but Impulse Point manages them.

SafeConnect is deployed and supported by the NAC industry’s most comprehensive implementation and support services agreement. The health of the system is monitored from the Impulse Support Center on a continuous basis. Impulse Point is responsible for delivering all necessary hardware and software maintenance (which includes nightly updates for new operating systems, anti-virus and anti-spyware software, and devices), problem determination and resolution ownership, and ongoing feature enhancements. NAU maintains full control of its policies and enforcement rules via the SafeConnect Policy Management Console.

This managed service allows NAU to redirect IT staff time and resources to other IT initiatives with a higher return on investment.

“It’s been night and day between the two companies’ approaches to recognize and keep up with student populations and the operating systems, network devices, and anti-virus products they use,” Campbell says. “We’ve found Impulse to be extremely responsive to even the most unusual device and have seen first-hand their commitment to supporting emerging operating systems early in their release cycle.”

Now Bell and her colleagues have more time for value-added activities. “Our systems analysts have become much more strategic,” Campbell says. “They can spend more time thinking about where we’re going with the product and which policies make sense because they spend much less time fighting fires. Going with a managed service was a very easy decision for us.”

SafeConnect’s Enhanced Functionality Reclaims 50 hours per month for IT staff

The new software functionality is also saving IT staff time. NAU has specified a list of acceptable DNS servers, and when a student’s computer uses a DNS server that’s not on the list, the application automatically checks the machine for certain types of malware attacks. It immediately quarantines infected computers. “Before, we had to go hunting for machines with these issues, and student workers would spend 20-30 hours a week to try and find rogue DNS servers,” Bell says. “SafeConnect simplifies network management.”

NAU still takes advantage of SafeConnect’s custom programming feature. “Writing custom code is much less of a challenge with Impulse Point because its API is rich enough to do everything we want to do,” Campbell says.

A Substantial Reduction in Help Desk Calls

The student technology center, which is the first-tier student help desk, has also seen a workload reduction. “At the beginning of every term, they would get about 600 help desk calls related to Cisco Clean Access,” Campbell says. “When Impulse Point told us they could reduce that number, we were skeptical. But they were right. We expected the number of help desk calls to increase this year during students’ move-in week, since we’re using a new product that’s unfamiliar to returning students. But instead, we’ve received at least 50% fewer calls related to network access. Staff in the student technology center are redirecting their energies to more productive areas of helping students.”

“We have seen a help-desk reduction beyond move-in week—but we also use SafeConnect to solve problems we couldn’t before, allowing us to have more meaningful interactions with students in response to alerts requesting they call us,” adds Campbell.

Unplanned Downtime Eliminated

Also reducing help desk calls is the system’s improved availability. The new Dell servers have had no downtime so far. “We have a long history with Dell,” says Campbell. “Of course our new Dell servers are running without any problems. That’s what we expect.”

More important, if SafeConnect goes down, network access fails open. “The fact that SafeConnect fails open was a big selling point of the solution,” Bell says. “Traffic keeps running.” SafeConnect is also highly efficient. It doubled the school’s NAC capacity, and because it uses 3 servers rather than 21, it consumes about 86 percent less power and cooling resources than Cisco Clean Access did. “Our campus is working to become carbon-neutral, so this is an important benefit of SafeConnect,” Campbell says.

The solution is cost-effective as well. “We’re saving money because we no longer need to run the test/development environment,” Bell says. “Before, we needed test machines running an array of different operating systems and antivirus applications—the managed service takes care of that for us. We’re saving about $1,000 a year on third-party software license fees.”

True Technology Partners

Campbell feels that NAU has found a different kind of technology partner in Impulse Point. “The difference is cultural,” he says. “Impulse Point came in and offered us options in how we set up our environment. They didn’t just tell us what to do. That was a breath of fresh air. Cisco seemed to have the attitude: ‘This is the way we understand managing corporate networks, and we assume you’re a corporate network, so please manage your network accordingly.’ That just didn’t work for us.”

On the first day of move-in week, NAU found a defect with the SafeConnect Mac installer. “Impulse Point fixed the problem, called me for approval, then installed the patch in our system—all less than eight hours after we first discovered the problem,” Bell says. “Cisco would take much longer to respond to service calls.” Now NAU wants to expand the use of SafeConnect’s API to send emergency alerts to students. “We’re working with Impulse Point on an integration with our emergency alert system,” Bell adds. “As of a year ago, Cisco didn’t want broadcasting functionality in their product, so they never would have met with us about this. Impulse Point and Dell understand us, and they’re dedicated to meeting our needs.”

Campbell concurs: “Impulse Point has exceeded my expectations. I’ve worked with a lot of vendors, and I’m hard to please. But I’ve been very, very happy, not only with the strategic design of this solution, but also with the deployment and the response that we get anytime we need help. Impulse support is atypical—instead of fighting to get past a first-tier support layer to get a resolution, our experience has been the first responder can actually resolve the problem. The combination of SafeConnect software on Dell hardware is performing extremely well for us.”

NAC Industry Standards

24/7 Proactive Maintenance and Support Services

SafeConnect™ is supported by the NAC industry’s only proactive maintenance support offering. Impulse Point provides continuous proactive monitoring and support that includes hardware server and software problem determination and resolution, as well as upgrade protection to future software functional releases. Impulse Point prides itself on the quick, efficient, and accurate implementation of the SafeConnect NAC Solution and is available to provide personalized advice and support throughout project planning, installation, and deployment. All necessary Policy Appliance hardware, software licenses, and the following support services are included in the initial first year price of the SafeConnect solution:

  • Implementation planning and server pre-load and testing
  • Standard remote installation assistance and training
  • First year Impulse Managed Support Services:
      • Remote policy enforcer appliance monitoring
      • Problem determination and resolution
      • Appliance hardware maintenance
      • Installation of all software maintenance
      • Remote disaster recovery daily backups

The ability to maintain up-to-date support for the most current anti-virus, anti-spyware, operating system, and other endpoint security software is a major benefit of Impulse Point’s Managed Services Offering. Impulse Point owns the responsibility of identifying, supporting, and updating customers within 48 hours as a standard component of its managed support service.

The endpoint policy management capabilities shown to the right are included:

Real-Time Security Policy Assessment

The SafeConnect solution performs both pre- and post-admission security checks in real time without any network traffic degradation. SafeConnect functions out-of-line and provides continuous security assessment and enforcement across wired, wireless, and VPN networks without introducing performance bottlenecks, maintenance-driven network outages, or a single point of failure.

Single Sign-On Capability

SafeConnect features a Single Sign-On (SSO) authentication capability that allows existing Active Directory-managed users to keep their existing login process and user experience.

Remediation Guidance

The SafeConnect NAC solution helps drive a substantial reduction in help desk calls because it is intuitive and user friendly for both the end users and IT support management teams. Users not in compliance receive individualized policy notifications regarding the reason for non-compliance (e.g. out-of-date anti-virus protection) and are guided through the remediation process with instructions and a link to an internal or external source where the appropriate software or virus definition can be downloaded. Because the remediation process is simple and straightforward, users follow through to regain compliance and access to the network. This results in fewer instances of non-compliance and ultimately fewer Help Desk calls.

Broadcast Messaging

School campuses need to quickly notify students and faculty in the event of an emergency situation. SafeConnect has the ability to broadcast an information or emergency message on-demand to everyone whose computer is authorized to access the campus network. SafeConnect can also send messages to specific devices, specific user groups (staff, faculty, students, etc.), or individual users. Notification can be made quickly and administrators can track the acknowledgements of receipt for compliance purposes.

Centrally Deployed and Managed

Policy Administrators can define and change endpoint computing policies and enforcement rules by network segment or directory services policy group from a centralized policy management interface, regardless of the number of remote or distributed locations. The solution also delivers real-time and historical policy status reporting that provides valuable insight into group or individual policy compliance to Policy Administrators and Help Desk personnel.

The following SafeConnect Endpoint Policy Management capabilities can be deployed in a phased-in approach (by IP address/range, subnet, VLAN) across wired, wireless, and VPN infrastructures.

About Northern Arizona University

Northern Arizona University offers undergraduate and graduate students a high-caliber global education set in a tight-knit community of students, faculty, staff, and alumni. Renowned for providing students with personal attention from professors, research opportunities, and hands-on learning, NAU is also committed to bringing excellence to our campus through diverse backgrounds, skills, experiences and perspectives. NAU’s environment is unmatched for natural beauty and for student-centered programs and services. The rich and diverse natural environment surrounding NAU provides exceptional research opportunities. For more information, please visit www.nau.edu.
