How Purdue University Calumet maintains sanity in a campus BYOD environment

Presented by: Tim Loudermilk - Supervisor of Network Administration

ABOUT PURDUE UNIVERSITY CALUMET

An academically comprehensive regional university and part of the Purdue University system
• Located in Hammond, Indiana (less than 25 miles southeast of downtown Chicago)
• 19-building, 167-acre neighborhood campus
• An enrollment of over 10,000 students
• Athletics program sponsoring 12 sports
• A residential campus offering apartment-style, private-bedroom living for about 750 students

PURDUE CALUMET - NETWORKING TEAM

The Purdue Calumet Networking Team is a part of the Information Services division and consists of:
• 1 Supervisor
• 2 Full-time network administrators
• 2 Student workers

Responsible for the management, maintenance, and security of the entire campus data network:
• Fiber optic and copper cable plant management
• WAN, LAN, WLAN administration
• Firewall, IPS, NAC, SIM, and end point security administration
• IP/DNS distribution and management
• Compliance (PCI, HIPAA, FERPA, CALEA)

PURDUE CALUMET CAMPUS DIAGRAM

PURDUE CALUMET NETWORK CHALLENGES

Small team responsible for:
• Over 7,000 network ports spread across 19 buildings
• A campus wireless network serving over 2,500 concurrent users and over 7,000 unique devices per day
• Network support in residence halls housing over 700 students

BYOD-specific challenges
• Public university – academic freedom
• Device-to-user identification (CALEA, DMCA)
• Onboarding of personal devices
• Security
• Bandwidth/QoS

LEGACY NETWORK

Wired
• All wired ports across campus were plug-and-go: you plugged in and received an IP via DHCP. Static MAC locking, VLANs, and port policy were implemented to stop unwanted devices and services (rogue DHCP/DNS/web servers) from being deployed at the edge.

Wireless
• The wireless network was built for coverage and based on 2.4 GHz, even though the hardware had dual 2.4/5 GHz radios. 802.1X via PEAP was used for security.
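The "device-to-user identification (CALEA, DMCA)" challenge above is what the 802.1X and NAC logging later in the deck is meant to answer: a notice arrives with an IP address and a timestamp, and the team must say which authenticated user held that address at that moment. The script below is an added example, not code from the presentation or from Purdue Calumet's tooling. It joins DHCP lease events to 802.1X/RADIUS authentication events on the client MAC. The two log formats, the user names, MACs and IPs are all constructed for the example (they are not real ISC DHCP or FreeRADIUS output), and the 24-hour staleness window is an assumed policy value.

```python
"""
Device-to-user identification for a DMCA/CALEA request.

Added example (not from the presentation): given the IP and time in the
notice, find the MAC that held that IP (DHCP lease events), then the user
whose 802.1X login put that MAC on the network (RADIUS auth events).
Both log formats are simplified, constructed samples; every user name,
MAC and IP below is made up.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed DHCP lease log: "<date> <time> <action> <ip> <mac>"
DHCP_LOG = """\
2014-03-10 08:01:12 DHCPACK 10.20.31.44 3c:15:c2:aa:bb:01
2014-03-10 08:05:40 DHCPACK 10.20.31.45 a4:5e:60:11:22:33
2014-03-10 08:10:00 DHCPACK 10.20.31.46 00:11:22:33:44:55
2014-03-10 09:30:02 DHCPRELEASE 10.20.31.44 3c:15:c2:aa:bb:01
2014-03-10 09:31:15 DHCPACK 10.20.31.44 D8-96-95-CC-DD-EE
"""

# Constructed RADIUS auth log: "<date> <time> Login <OK|incorrect> user=.. mac=.. ssid=.."
RADIUS_LOG = """\
2014-03-10 07:59:50 Login OK user=jdoe mac=3C:15:C2:AA:BB:01 ssid=Calnet
2014-03-10 08:05:31 Login OK user=asmith mac=a4:5e:60:11:22:33 ssid=Calnet
2014-03-10 09:30:55 Login OK user=bjones mac=d8:96:95:cc:dd:ee ssid=Calnet
2014-03-10 10:00:00 Login incorrect user=mallory mac=00:11:22:33:44:55 ssid=Calnet
"""

RADIUS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Login (?P<res>OK|incorrect) "
    r"user=(?P<user>\S+) mac=(?P<mac>\S+)"
)


class LeaseEvent(NamedTuple):
    when: datetime
    action: str  # "DHCPACK" or "DHCPRELEASE"
    ip: str
    mac: str


class AuthEvent(NamedTuple):
    when: datetime
    ok: bool
    user: str
    mac: str


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so D8-96-95-CC-DD-EE == d8:96:95:cc:dd:ee."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(text: str) -> List[LeaseEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, ip, mac = line.split()
        events.append(LeaseEvent(datetime.strptime(f"{date} {time}", TS_FORMAT), action, ip, norm_mac(mac)))
    return sorted(events, key=lambda e: e.when)


def parse_radius(text: str) -> List[AuthEvent]:
    events = []
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.strptime(m["ts"], TS_FORMAT), m["res"] == "OK", m["user"], norm_mac(m["mac"])))
    return sorted(events, key=lambda e: e.when)


def mac_for_ip(leases: List[LeaseEvent], ip: str, when: datetime) -> Optional[str]:
    """MAC holding `ip` at `when`: latest ACK at/before `when` not released since."""
    holder = None
    for ev in leases:
        if ev.when > when:
            break
        if ev.ip != ip:
            continue
        if ev.action == "DHCPACK":
            holder = ev.mac
        elif ev.action == "DHCPRELEASE" and ev.mac == holder:
            holder = None  # address was free between release and the next ACK
    return holder


def user_for_mac(auths: List[AuthEvent], mac: str, when: datetime,
                 max_age: timedelta = timedelta(hours=24)) -> Optional[str]:
    """User of the most recent *successful* login on `mac` at/before `when`.
    Failed logins never count as identity; an assumed 24h window rejects stale sessions."""
    best = None
    for ev in auths:
        if ev.when > when:
            break
        if ev.ok and ev.mac == mac:
            best = ev
    if best is None or when - best.when > max_age:
        return None
    return best.user


def resolve(ip: str, when: str, dhcp_text: str = DHCP_LOG,
            radius_text: str = RADIUS_LOG) -> Optional[Tuple[str, Optional[str]]]:
    """(mac, user) for the notice; None if no lease held the IP; user None if
    the device only MAC-authenticated / web-registered and never did 802.1X."""
    at = datetime.strptime(when, TS_FORMAT)
    mac = mac_for_ip(parse_dhcp(dhcp_text), ip, at)
    if mac is None:
        return None
    return mac, user_for_mac(parse_radius(radius_text), mac, at)


if __name__ == "__main__":
    for ip, t in [("10.20.31.44", "2014-03-10 08:30:00"), ("10.20.31.44", "2014-03-10 09:45:00"),
                  ("10.20.31.44", "2014-03-10 09:30:30"), ("10.20.31.46", "2014-03-10 10:30:00")]:
        print(ip, t, "->", resolve(ip, t))
```

The two failure modes a practitioner hits most are both visible in the sample data: the same IP is reassigned to a different MAC within the hour, so a lookup that ignores the DHCPRELEASE and the next DHCPACK blames the wrong person, and a device that only passed MAC authentication or web registration (here the one with a failed login) yields a MAC but no 802.1X user, which is as far as the evidence goes. Before running this against real notices, convert the notice timestamp to the time zone the logs are written in; a mismatch of a few hours is enough to land on a different lease.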
• Multiple SSIDs were enabled to maintain backward security (dynamic WEP/WPA/WPA2) and client (802.11b) compatibility.

SOLUTIONS TO CHALLENGES

Comprehensive suite of network management tools
• NetSight Suite – simplifies day-to-day network management
• NetFlow-enabled distribution switches – LAN visibility

BYOD specific
• 802.1X and NAC provide user identity and device data
• Cloudpath XpressConnect assists with 802.1X onboarding
• Layered security approach:
  • NAC enforcing dynamic policies at the wired or WLAN edge
  • Strict wireless filters (remove unnecessary multicast/broadcast traffic from the WLAN, which reduces wasted airtime)
  • MU-to-MU blocking on the WLAN
  • Strict firewall policy for BYOD segments
  • Bandwidth rate limits on BYOD WLAN network segments at the controller
  • Allot NetEnforcer providing packet shaping across all campus networks

CURRENT NETWORK OVERVIEW - WIRED
• All 6,500 end-user wired ports are configured for MAC authentication, providing end-system visibility through NAC.
• NAC agent installed on all university-owned workstations, providing end-system compliance reports.
• Dynamic port security policies applied to end systems connecting to the network, based on NAC rules and end-system group membership.
• MAC locking set in NAC on all office workstations to assist the desktop team with inventory control.
• Web-based MAC registration configured on all open-access walk-up ports and in residence halls.
• Agent-based end-system security assessment required in residence halls.

EXTREME/ENTERASYS ONEVIEW DASHBOARD

ONEVIEW NAC END SYSTEM VISIBILITY

ONEVIEW NAC END SYSTEM PROFILE

EXTREME/ENTERASYS ONEVIEW WIRELESS

PROXY RADIUS NAC VISIBILITY
We proxy all wireless RADIUS requests to our NAC servers, which then proxy through to our open-source FreeRADIUS servers.

QUARANTINE WIRELESS DEVICES

DYNAMIC WIRELESS POLICIES

ON-BOARDING WITH CLOUDPATH
"Calnet Setup" SSID. Users are redirected to our XpressConnect web server.
Push multiple SSID configs to devices for failover or backward compatibility.

TOOLS - WLAN
• MetaGeek Eye P.A.
• Capture from an AP into Wireshark via the controller, or capture from a MacBook

TOOLS – OPEN SOURCE
Zenoss
• AP bandwidth monitoring
• SNMP DHCP pool monitoring
• Set notification thresholds

PACKET SHAPING - ALLOT NETENFORCER AC 1440
OS X Mavericks update via iTunes in the wireless subnet
To throttle or not to throttle, that is the question.

WIRELESS IMPROVEMENTS
• Increase AP density in high-traffic areas and provide full 5 GHz band coverage.
• Disable legacy SSIDs. Create a WPA2/AES-only SSID to support full 802.11n modulation rates.
• Enable Guest and Calnet Setup on every other AP.
• Switch radio mode to a/n and g/n only.
• Enable auto 40 MHz channel width on 802.11a radios. New iPhones support 40 MHz channel width on the 5 GHz band.
• Increase minimum basic rates in high-density areas to fix sticky clients.
• Create AP filters to block unnecessary broadcast.
• Continue to enable MU-to-MU blocking.
• Enable MAC-based auth on the WPA-PSK SSID (dorm media device support).
• Dump AirPlay multicast on the local LAN to decrease controller traffic.
• eduroam support

LIVE DEMO
Live Demo (time permitting)

QUESTIONS

THANK YOU!