Joseph Haynes, University of Mary Washington. Copyright Joseph Haynes, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

University of Mary Washington
• Two campuses in Virginia, approximately 50 miles south of Washington, DC. The Mary Washington College campus is in Fredericksburg; the College of Graduate and Professional Studies is in Stafford.
• Over 4,000 students, about 3,000 of whom live on the Fredericksburg campus.
• Redundant core, HSRP, STP, Gigabit/Fast Ethernet, and ATM.
• Network access is available to visitors in the libraries and several meeting rooms. There are also suites for visitors who stay overnight.

Introduction
• Why did we need a network "admission" system?
• Why did we choose Cisco Clean Access?
• How did we deploy it?
• Was it a success?

Computers on Campus
• Most computers on campus are owned and managed (or mismanaged) by students and visitors.
• Tremendous diversity exists in the type and quality of hardware and software, ranging from outdated to state of the art.
• All flavors of Windows, Macintosh, Linux, Unix, Xbox, PlayStation, PDAs, etc.
• Wireless routers, connection-sharing devices, bridges, hubs, etc.
• FTP servers, web servers, Samba, CIFS, P2P, NetMeeting, IM, out-of-date anti-virus (if installed at all), operating systems lacking critical patches.

Challenge 2 - User Expectations
• Full, unrestricted network access at all times.
• Must be a community of tolerance and experimentation.
• Anonymity is highly valued.
• Access and openness are considered rights rather than privileges.
• Proactive security measures can be viewed as too bureaucratic and intrusive.

Rude Awakening
• Wake-up call, August 2003: Blaster arrived along with the students. Nachi followed and made the problem worse.
• At least 75% of student computers were infected with something. Even more were vulnerable.
• Clean-up took a huge effort that lasted all semester.
• Then came Sasser in May 2004, and it started all over again.
• Something had to be done to prevent this situation in the future.

What were our options to enforce desktop security policies on student and visitor computers?
• Honor system: rely on students to maintain their own system security with our guidance. Not realistic.
• Have the university's IT staff manage student computers. What staff?
• Deploy a desktop management system such as ZENworks, SMS, or PatchLink. Too intrusive.
• Deploy NetReg/Nessus. No time or staff to develop the system.
• Look for an "off the shelf" solution. What are we looking for?

Goals
• Ensure minimum desktop security standards are met on computers that we do not manage (visitors' and students') but that connect to the university network.
• Do it in the least intrusive way possible.
• Reduce the overall burden on our IT staff.
• Reduce the worm/virus infection problem by at least 75%.
• Be as flexible and scalable as possible.

System Requirements
• Support open systems: LDAP, RADIUS, 802.1Q, etc. Must NOT require Windows domains or AD.
• Versatile: we did not want to re-architect our entire network to deploy it. We wanted a lot of flexibility in what we could verify and manipulate, such as role assignment options, guest access, bandwidth management, firewalling, MAC address exclusion (the Xbox feature), VLAN identification, a customizable user interface, AV installation and operation, and logging and reporting features.
• Superior support from the vendor: this was a reason we decided to go with a commercial product in the first place.
• Proven performance: the product should have been successfully deployed in similar environments.
• Price: the eighth layer of the OSI model.

The Top Contenders
• Campus Manager
• StillSecure SafeAccess
• Cisco Clean Access (Perfigo)
• We also looked at several others, but they were quickly eliminated due to price or lack of an installed base in a similar environment.

Why Cisco Clean Access?
• Of all the contenders, CCA met more of our requirements than any of the others.
• It is very versatile, with a highly customizable end-user interface.
• Proven installed base at other universities.
• Price was competitive.
• Could be deployed with minimal reconfiguration of our existing network.
• Scalable.
• Impressed with the support we received throughout the evaluation phase.
• Gave us the added benefit of "instant" wireless network security once it was deployed.
• We preferred the distributed "agent" approach to the "server" method of scanning.

Deployment
• We had six weeks to deploy the system.
• We determined that we would require authentication, Norton AV, and critical Windows updates. In addition, we would verify that Windows Auto Update and Norton's LiveUpdate were turned on before granting "full" access to users.
• Most of the time was spent developing pages for guiding users. Until now, students had just plugged in and surfed.

Network Architecture

Details
• Authenticate against RADIUS; soon to be LDAP.
• Run DHCP on a separate system. (Don't put all your eggs in one basket.)
• Maintain redundant layer 2 connections to residence halls.
• Deploy one Manager and two Clean Access Servers (1,500 students on each).
• Our "back out" plan allowed us to completely remove the system from our network and have students online again in less than 60 seconds without moving a single network cable. We didn't need it!
• Deployed on the wireless network.
• Soon to be expanded to all wired public access ports.

Conceptual Network Diagram of CCA Deployment

Network Admission Process
1. User connects to the wired or wireless network and opens a browser.
2. User lands in a "captive portal" and must authenticate using network credentials.
3. If the user is a guest on the wireless network, they may enter by clicking the "guest access" button. Guests are given limited access to the network.
4. Authenticated users' computers must install the CCA agent. The agent scans the computer for policy compliance.
5. Failed computers are quarantined with very limited access until brought into compliance.
6. Compliant computers are given "full" access. We still block known trouble ports such as 42, 69, 445, 9996, etc.
7. Repeat scans are required on a regular basis or as needed.
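
The policy from the Deployment slide (authentication, Norton AV, critical Windows updates, Auto Update and LiveUpdate turned on) and the admission steps above, as an added worked model. This is example code written for this page, not Cisco Clean Access code or the university's configuration: a hypothetical agent posture report is mapped to the roles the slides describe (guest, quarantine, full, plus a MAC-exempt role for the "Xbox feature") and to the egress rules each role receives. The trouble ports come from the slide; the definition-age threshold, the two patch IDs, the remediation hosts, the exempt MAC address and the sample postures are assumptions constructed for the example.

```python
"""Model of the admission decision behind a captive-portal NAC.

Added example, not Cisco Clean Access code. Roles: guest (not authenticated),
quarantine (authenticated but failed posture), full (passed) and mac_exempt
(an agent-less device admitted by MAC address, the "Xbox feature").
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# From the slide: ports blocked even for compliant hosts.
TROUBLE_PORTS = (42, 69, 445, 9996)

# Assumptions, not from the slides: how stale AV definitions may be, the AV
# product treated as supported (Norton, per the deployment slide), two patch
# IDs picked for the example (the MS03-026 and MS04-011 hotfixes), the
# remediation hosts a quarantined machine may reach, and one exempt MAC.
MAX_DEF_AGE = timedelta(days=7)
SUPPORTED_AV = {"Norton AntiVirus"}
REQUIRED_PATCHES = frozenset({"KB823980", "KB835732"})
REMEDIATION_HOSTS = ("windowsupdate.microsoft.com", "liveupdate.symantec.com")
MAC_EXEMPT = {"00:50:f2:aa:bb:cc"}  # hypothetical game console


@dataclass
class Posture:
    """What the portal (user) and the agent (everything else) report for a host."""
    mac: str
    user: Optional[str] = None          # None: the user clicked "guest access"
    av_product: Optional[str] = None
    av_def_date: Optional[date] = None
    av_live_update: bool = False
    windows_auto_update: bool = False
    patches: FrozenSet[str] = frozenset()


@dataclass
class Decision:
    role: str
    failed_checks: List[str]
    egress: List[str]                   # ordered rules, first match wins


def posture_checks(p: Posture, today: date) -> List[str]:
    """Names of the policy checks the host fails (empty list = compliant)."""
    failed = []
    if p.av_product not in SUPPORTED_AV:
        failed.append("supported_av_installed")
    if p.av_def_date is None or today - p.av_def_date > MAX_DEF_AGE:
        failed.append("av_definitions_current")
    if not p.av_live_update:
        failed.append("av_live_update_enabled")
    if not p.windows_auto_update:
        failed.append("windows_auto_update_enabled")
    missing = sorted(REQUIRED_PATCHES - p.patches)
    if missing:
        failed.append("critical_patches_missing:" + ",".join(missing))
    return failed


def full_access_rules() -> List[str]:
    """'Full' access still drops the known trouble ports."""
    return [f"deny tcp/udp {port}" for port in TROUBLE_PORTS] + ["allow any"]


def decide(p: Posture, today: date) -> Decision:
    """Map a host's posture to a role and the egress rules for that role."""
    if p.mac.lower() in MAC_EXEMPT:
        return Decision("mac_exempt", [], full_access_rules())
    if p.user is None:
        # Guest: web-only is an assumed definition of "limited access".
        return Decision("guest", [],
                        ["allow udp 53", "allow tcp 80", "allow tcp 443", "deny any"])
    failed = posture_checks(p, today)
    if failed:
        # Quarantine: DNS plus the update servers needed to fix what failed.
        rules = ["allow udp 53"]
        rules += [f"allow tcp 80,443 to {h}" for h in REMEDIATION_HOSTS]
        return Decision("quarantine", failed, rules + ["deny any"])
    return Decision("full", [], full_access_rules())


# Constructed sample postures evaluated against a fixed reference date.
TODAY = date(2004, 9, 1)
SAMPLE_COMPLIANT = Posture("00:11:22:33:44:55", user="student1",
                           av_product="Norton AntiVirus", av_def_date=date(2004, 8, 30),
                           av_live_update=True, windows_auto_update=True,
                           patches=REQUIRED_PATCHES)
SAMPLE_STALE = Posture("00:11:22:33:44:66", user="student2",
                       av_product="Norton AntiVirus", av_def_date=date(2004, 7, 1),
                       av_live_update=False, windows_auto_update=True,
                       patches=frozenset({"KB823980"}))
SAMPLE_GUEST = Posture("66:77:88:99:aa:bb")

if __name__ == "__main__":
    for name, p in (("compliant", SAMPLE_COMPLIANT), ("stale", SAMPLE_STALE),
                    ("guest", SAMPLE_GUEST)):
        d = decide(p, TODAY)
        print(f"{name}: role={d.role} failed={d.failed_checks} egress={d.egress}")
```

The point of separating posture_checks from decide is the one the slides make in step 5: a failed host is told exactly which checks it failed, and its quarantine rules allow only the hosts needed to fix them, while "full" access is itself a restricted rule set rather than an unfiltered port. Step 7 (repeat scans) is just decide called again with a later date, which is why the reference date is a parameter rather than date.today().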

Network Admission Process

What's the Motivation for Students?
• Instant messaging is the "carrot": students can't reach it until their computers have passed the scan.
• Students realize that we do not use the system to monitor their activity.
• Parents were very enthusiastic about the system.
• Security awareness among students has been heightened.

Biggest Problems
• Microsoft's decision to release Windows XP SP2 around the same time students were moving in.
• Removing anti-virus programs that the university doesn't support.
• Spyware-related problems.
• Student computers with hardware problems.

Deployment Results
• 90% of all student computers were online and met our security standards within 24 hours of arrival.
• Of the remaining 10%, many were malfunctioning due to SP2, difficulty removing unsupported AV programs, spyware, or hardware issues.
• There have been NO interruptions of email or network/Internet access due to viruses or worms.
• Awareness of computer security among students has been heightened.
• Our wireless network deployment plans were shortened by six months, since Cisco Clean Access is now used for wireless security.
• Performance has been excellent.

Conclusion
• An automated policy enforcement system was necessary to enforce desktop security policy for student and visitor computers.
• We chose Cisco Clean Access because it was the most mature, versatile, scalable, and complete system we evaluated. The support we received was very good.
• We had to perform minimal network reconfiguration, create user documentation, train desktop support and help desk personnel, and make sure we had a good "back out" plan.
• Students are motivated to maintain the security of their systems.
• The deployment has been a great success. We feel that CCA paid for itself in one semester.

Q&A
Joseph Haynes, University of Mary Washington, Director of Infrastructure Services, jhaynes@umw.edu