


The University of Denver is ranked 84th among all public and private “National Universities” by U.S. News & World Report in a 2010 ranking. The school is also listed as the 48th best private university by the same publication, and is sometimes referred to as “The Harvard of the West.” More than 11,000 students are enrolled in undergraduate and graduate programs.
With such a large and diverse population, the University of Denver was concerned with registering and authenticating the different types of computing devices attempting to access its network. The proliferation of malware and the spread of viruses across the network were also a concern, and the University wanted real-time visibility into the security status of these devices.
As a thought leader and highly visible private school, the University also needed to ensure that the tenets of academic freedom were protected as fiercely as the security of the network.
An in-house solution was initially developed to address these issues, but once the amount of time and resources necessary to maintain an internal solution was considered, the University searched for a commercially available Network Access Control solution that would address both its security and academic freedom concerns. The solution would need to integrate into the University's Cisco network infrastructure as well as work with its Aruba wireless network in dormitories, classrooms, offices – essentially all buildings and public spaces across the campus.
After researching NAC products from a variety of providers (including Cisco Clean Access and Bradford’s Campus Manager), the University chose Impulse Point’s SafeConnect NAC solution. Impulse Point worked closely with the University on a very deliberate deployment plan for the campus, phasing in segments of the network to ensure that each college, department, and student dormitory was educated and prepared prior to their rollout.
Impulse Point introduced SafeConnect to the network and wireless environments with no disruptions or rip-and-replace requirements. Due to the scalable design of the solution, up to 20,000 users can be managed with a total of only three servers. SafeConnect is independent of network vendor and Layer 2 switch, and it integrates into existing network architectures with no changes to, or continuous manipulation of, Layer 2 network switch devices, wireless access points, or VPN concentrators.
In conjunction with SafeConnect NAC, Cloudpath XpressConnect was introduced to simplify the end user experience of transitioning to a secure WPA2 Enterprise wireless network, and offered an added benefit of “silently” deploying SafeConnect’s Policy Key as part of the initial device wireless registration process to provide real-time (pre- and post-admission) security assessment and enforcement.
SafeConnect also participates in Single-Sign-On (SSO) authorization with the campus-wide wireless network provided by Aruba Networks. This enables end users to maintain their existing login process user experience, while providing security administrators with visibility and control.
“We spent a lot of time evaluating our options,” said Chad Burnham, Network Planner for the University of Denver. “Our decision to go with Impulse Point was in part because of their flexibility to work in our heterogeneous and open computing environment. We transitioned from Xirrus to Aruba without any issues, for example. And we also leveraged Impulse Point’s integration capability with Cloudpath to help us successfully achieve our vision of deploying our secure WPA2 Enterprise - 802.1x wireless strategy. Impulse Point met the challenge!”
The SafeConnect NAC solution provided the University of Denver with the flexibility to select the policy modules and associated enforcement options (quarantine, warn, audit) required to satisfy their specific Acceptable Use Policies (AUP) by campus location or user identity (students, faculty, staff, guests, etc.) in concert with open computing philosophies.
Impulse Point helps ensure that the University is able to balance its security concerns with academic freedom by providing real-time reporting and historical data on policy status events rather than on the content of the information itself. SafeConnect ensures that devices connecting to the network comply with stated security policies (e.g., requiring up-to-date anti-virus protection or OS patches) but does not monitor content or network traffic. SafeConnect remains invisible to users until their device is no longer in compliance with security policies. The user then receives a policy notification page stating the reason for noncompliance and giving instructions on how to correct the problem, along with a link to an internal or external source where the appropriate software can be downloaded.
By using SafeConnect, the University of Denver is able to simultaneously encourage the freedom of academic expression and secure its network. All devices (regardless of type) are registered and authenticated, and users enjoy the advantages of Single Sign-On (SSO). Instances of non-compliance have been reduced, and both students and faculty have become more aware of security best practices. There have been no instances of widespread viruses or malware across the network since SafeConnect was deployed.
SafeConnect™ is supported by the NAC industry’s only proactive maintenance support offering. Impulse Point provides continuous proactive monitoring and support that includes hardware server and software problem determination and resolution, as well as upgrade protection to future software functional releases. Impulse Point prides itself on the quick, efficient, and accurate implementation of the SafeConnect NAC Solution and is available to provide personalized advice and support throughout project planning, installation, and deployment. All necessary Policy Appliance hardware, software licenses, and the following support services are included in the initial first year price of the SafeConnect solution:
The ability to maintain up-to-date support for the most current anti-virus, anti-spyware, operating system, and other endpoint security software is a major benefit of Impulse Point’s Managed Services Offering. Impulse Point owns the responsibility of identifying, supporting, and updating customers within 48 hours as a standard component of its managed support service.
The endpoint policy management capabilities shown to the right are included:
The SafeConnect solution performs both pre- and post-admission security checks in real time without any network traffic degradation. SafeConnect functions out-of-line and provides continuous security assessment and enforcement across wired, wireless, and VPN networks with no performance bottlenecks or maintenance-driven network outages, and without becoming a single point of failure.
SafeConnect features a Single Sign-On (SSO) authentication capability that allows existing Active Directory-managed users to maintain their existing login process user experience.
The SafeConnect NAC solution helps drive a substantial reduction in help desk calls because it is intuitive and user friendly for both end users and IT support management teams. Users not in compliance receive individualized policy notifications regarding the reason for non-compliance (e.g., out-of-date anti-virus protection) and are guided through the remediation process with instructions and a link to an internal or external source where the appropriate software or virus definition can be downloaded. Because the remediation process is simple and straightforward, users follow through to regain compliance and access to the network. This results in fewer instances of non-compliance and ultimately fewer help desk calls.
School campuses need to quickly notify students and faculty in the event of an emergency situation. SafeConnect has the ability to broadcast an information or emergency message on-demand to everyone whose computer is authorized to access the campus network. SafeConnect can also send messages to specific devices, specific user groups (staff, faculty, students, etc.), or individual users. Notification can be made quickly and administrators can track the acknowledgements of receipt for compliance purposes.
Policy Administrators can define and change endpoint computing policies and enforcement rules by network segment or directory services policy group from a centralized policy management interface, regardless of the number of remote or distributed locations. The solution also delivers real-time and historical policy status reporting that gives Policy Administrators and Help Desk personnel valuable insight into group or individual policy compliance.
The following SafeConnect Endpoint Policy Management capabilities can be deployed in a phased-in approach (by IP address/range, subnet, VLAN) across wired, wireless, and VPN infrastructures.
The University of Denver is committed to improving the human condition and engaging students and faculty in tackling the major issues of our day. DU ranks among the top 100 national universities in the U.S. For additional information, go to www.du.edu