How Purdue University Calumet Maintains Sanity in a Campus BYOD Environment
Presented by: Tim Loudermilk - Supervisor of Network Administration
ABOUT PURDUE UNIVERSITY CALUMET
An academically comprehensive regional university and part of the Purdue University system
• Located in Hammond, Indiana (less than 25 miles southeast of downtown Chicago).
• 19-building, 167-acre neighborhood campus
• An enrollment of over 10,000 students
• Athletics program sponsoring 12 sports.
• A residential campus offering apartment-style, private bedroom living for about 750 students
PURDUE CALUMET - NETWORKING TEAM
The Purdue Calumet Networking Team is a part of the Information Services division and consists of:
• 1 Supervisor
• 2 Full-time network administrators
• 2 Student workers
Responsible for the management, maintenance, and security of the entire campus data network:
• Fiber optic and copper cable plant management
• WAN, LAN, WLAN administration
• Firewall, IPS, NAC, SIM, and End Point Security administration
• IP/DNS distribution and management
• Compliance (PCI, HIPAA, FERPA, CALEA)
PURDUE CALUMET CAMPUS DIAGRAM
PURDUE CALUMET NETWORK CHALLENGES
Small team responsible for:
• Over 7,000 network ports spread across 19 buildings
• A campus wireless network serving over 2,500 concurrent users and over 7,000 unique devices per day
• Network support in a residence hall housing over 700 students
BYOD specific challenges
• Public University – academic freedom
• Device to User Identification (CALEA, DMCA)
• Onboarding of personal devices
• Security
• Bandwidth/QOS
LEGACY NETWORK
Wired
• All wired ports across campus were plug and go: you plugged in and received an IP via DHCP. Static MAC locking, VLANs, and port policy were implemented to stop unwanted devices and services such as DHCP/DNS/web servers from being deployed on the edge.
Wireless
• The wireless network was built for coverage, based on 2.4 GHz even though the hardware was dual-radio 2.4/5 GHz. 802.1X via PEAP was used for security. Multiple SSIDs were enabled to maintain backward security (dynamic WEP/WPA/WPA2) and client (802.11b) compatibility.
SOLUTIONS TO CHALLENGES
Comprehensive suite of network management tools
• NetSight Suite - simplifies day-to-day network management
• NetFlow-enabled distribution switches – LAN visibility
BYOD specific
• 802.1X and NAC provide user identity and device data
• CloudPath XpressConnect assists with 802.1X on-boarding
• Layered security approach
  • NAC enforcing dynamic policies at the wired or WLAN edge
  • Strict wireless filters (remove unnecessary multicast/broadcast traffic from the WLAN, which reduces wasted airtime)
  • MU to MU blocking on the WLAN
  • Strict firewall policy for BYOD segments
• Bandwidth rate-limits in place on BYOD WLAN network segments at the controller
• Allot NetEnforcer providing packet shaping across all campus networks
CURRENT NETWORK OVERVIEW - WIRED
• All 6,500 end-user wired ports are configured for MAC authentication, providing end-system visibility through NAC.
• NAC agent installed on all university-owned workstations, providing end-system compliance reports.
• Dynamic port security policies configured for end systems connecting to the network, based on NAC rules and end-system group membership.
• MAC locking set in NAC on all office workstations to assist the desktop team with inventory control.
• Web-based MAC registration configured on all open-access walk-up ports and in residence halls.
• Agent-based end-system security assessment required in residence halls.
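A toy first-match NAC rule engine, added here as an illustration (it is not Purdue Calumet's configuration nor the NAC product's own rule syntax), that turns the wired-overview bullets above into a policy decision: MAC locking for office workstations, agent assessment in residence halls, and web MAC registration as the fallback. Rule names, group names, policy names, port names and the MAC-lock table are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class EndSystem:
    mac: str
    auth_type: str        # "802.1X", "MAC" or "Web" (web-registered MAC)
    location: str         # "office", "walkup" or "reshall"
    port: str             # switch port the end system appeared on
    groups: set = field(default_factory=set)  # NAC end-system groups
    assessment: str = "none"   # agent report: "none", "pass" or "fail"

@dataclass
class Rule:
    name: str
    policy: str                       # policy pushed to the edge switch
    auth_types: set | None = None     # None matches anything
    locations: set | None = None
    groups: set | None = None         # member of at least one group
    assessments: set | None = None

    def matches(self, es: EndSystem) -> bool:
        return ((self.auth_types is None or es.auth_type in self.auth_types)
                and (self.locations is None or es.location in self.locations)
                and (self.groups is None or bool(es.groups & self.groups))
                and (self.assessments is None or es.assessment in self.assessments))

# Constructed MAC-lock table: office workstation MAC -> the only port it may use
MAC_LOCKS = {"00:11:22:33:44:55": "ge.1.7"}
# Ordered rule set (assumed): first match wins, so the most specific rules come first
RULES = [
    Rule("Owned workstation, compliant", "Enterprise", {"MAC", "802.1X"},
         {"office"}, {"University Owned"}, {"pass"}),
    Rule("Owned workstation, failed scan", "Remediation", {"MAC", "802.1X"},
         {"office"}, {"University Owned"}, {"fail", "none"}),
    Rule("Residence hall, assessed", "Residential", {"Web", "802.1X"},
         {"reshall"}, None, {"pass"}),
    Rule("Residence hall, failed scan", "Quarantine", {"Web", "802.1X"},
         {"reshall"}, None, {"fail"}),
    Rule("Residence hall, not assessed", "Assessment", {"Web", "802.1X"},
         {"reshall"}, None, {"none"}),
    Rule("Registered walk-up device", "Guest", {"Web"}, {"walkup"}),
]
DEFAULT_POLICY = "Registration"   # unknown MAC lands on the web registration portal

def decide_policy(es: EndSystem) -> tuple[str, str]:
    # A locked MAC showing up on any other port is an inventory-control violation
    locked_port = MAC_LOCKS.get(es.mac.lower())
    if locked_port is not None and es.port != locked_port:
        return ("MAC lock violation", "Quarantine")
    for rule in RULES:
        if rule.matches(es):
            return (rule.name, rule.policy)
    return ("Default", DEFAULT_POLICY)
```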
EXTREME/ENTERASYS ONEVIEW DASHBOARD
ONEVIEW NAC END SYSTEM VISIBILITY
ONEVIEW NAC END SYSTEM PROFILE
EXTREME/ENTERASYS ONEVIEW WIRELESS
PROXY RADIUS NAC VISIBILITY
We proxy all wireless RADIUS requests to our NAC servers, which then proxy through to our open-source FreeRADIUS servers.
QUARANTINE WIRELESS DEVICES
DYNAMIC WIRELESS POLICIES
ON-BOARDING WITH CLOUDPATH
“Calnet Setup” SSID. Users are redirected to our XpressConnect web server.
Push multiple SSID configs to devices for failover or backward compatibility.
TOOLS - WLAN
• MetaGeek Eye P.A.
• Capture from AP into Wireshark via controller, or capture from MacBook
TOOLS – OPEN SOURCE
Zenoss
• AP bandwidth monitoring
• SNMP DHCP pool monitoring
• Set notification thresholds
PACKET SHAPING - ALLOT NETENFORCER
AC 1440
• OS X Mavericks update via iTunes on the wireless subnet
• To throttle or not to throttle, that is the question.
WIRELESS IMPROVEMENTS
• Increase AP density in high-traffic areas and provide full 5 GHz band coverage.
• Disable legacy SSIDs. Create a WPA2/AES-only SSID to support full 802.11n modulation rates.
• Enable Guest and Calnet Setup on every other AP.
• Switch radio mode to a/n and g/n only.
• Enable auto 40 MHz channel width on 802.11a radios. New iPhones support 40 MHz channel width on the A band.
• Increase minimum basic rates in high-density areas to fix sticky clients.
• Create AP filters to block unnecessary broadcast.
• Continue to enable MU/MU blocking.
• Enable MAC-based auth on the WPA-PSK SSID (dorm media device support)
• Dump AirPlay multicast on the local LAN to decrease controller traffic.
• eduroam support
LIVE DEMO
Live Demo (Time Permitting)
QUESTIONS
THANK YOU!