Safe•Connect NAC Balances Network Security with Academic Freedom for the University of Denver
Background: The University of Denver is currently ranked 84th among all public and private "National Universities" by U.S. News & World Report in a 2010 ranking. The school is also ranked as the 48th best private university by the same publication, and is sometimes referred to as "The Harvard of the West." More than 11,000 students are enrolled in undergraduate and graduate programs.
Challenges: With such a large and diverse population, the University of Denver was concerned with registering and authenticating the different types of computing devices attempting to access their network. Additionally, the proliferation of malware and the spread of viruses across the network were a concern, and the University wanted real-time visibility into the security status of these devices. As a thought leader and highly visible private school, the University also needed to ensure that the tenets of academic freedom were protected as fiercely as the security of the network. The solution would need to integrate into their Cisco network infrastructure as well as work with their Aruba wireless network in dormitories, classrooms, offices – essentially all buildings and public spaces across the campus. An in-house solution was initially developed, but once the time and resources necessary to maintain it were considered, the University searched for a commercially available Network Access Control solution that would solve both the security and academic freedom concerns.
Best Deployment Scenario - Security Solution for Education
Solution provided by Impulse Point: After researching products from a variety of providers (including Cisco Clean Access and Bradford’s Campus Manager), the University chose Impulse Point’s Safe•Connect NAC solution. Impulse Point worked closely with the University on a very deliberate deployment plan for the campus, phasing in segments of the network to ensure that each college, department and student dormitory was educated and prepared prior to the rollout. Impulse Point introduced Safe•Connect to the network and wireless environments with no disruptions or rip-and-replace requirements. Due to the scalable design of the solution, all 20,000-plus users can be managed with a total of only three servers. Safe•Connect is network vendor and Layer2 switch independent and integrates into existing network architectures with no changes or continuous manipulation of Layer2 network switch devices, wireless access points, or VPN concentrators. Cloudpath Networks’ XpressConnect was introduced to simplify the end user experience of transitioning to a secure WPA2 Enterprise wireless network, and offered an added benefit of “silently” deploying Safe•Connect’s Policy Key as part of the initial device wireless registration process to provide real-time (pre- and post-admission) security assessment and enforcement.
“We spent a lot of time evaluating our options,” said Chad Burnham, Network Planner for the University of Denver. “Our decision to go with Impulse Point was in part because of their flexibility to work in our unique environment. We transitioned from Xirrus to Aruba without any issue, for example. We also leveraged Impulse Point’s integration capability with Cloudpath to help us achieve our vision of deploying our secure WPA2 Enterprise-802.1x wireless strategy.”
The Safe•Connect NAC solution provided the flexibility for the University of Denver to be able to select and use only the policy modules needed to satisfy the requirements of their security plan. The University implemented the policy modules standard to the Safe•Connect solution including compliance with anti-virus, anti-spyware, Microsoft OS patches, as well as registration and authentication. Other standard policy modules include peer-to-peer file sharing, access points, and power management. Custom policies can also be created based on the existence or non-existence of file types, registry settings, services, and processes on individual endpoint devices.
Impulse Point helped ensure that the University was able to balance their security concerns with academic freedom by providing real-time reporting and historical information on policy status events rather than specific information about the content of any files. Safe•Connect also provides Single-Sign-On (SSO) capabilities with the campus-wide wireless network provided by Aruba Networks. This enables end users to maintain their existing login experience, while providing network administrators with visibility and control. Safe•Connect ensures that devices connecting to the network comply with stated security policies (e.g., requiring up-to-date anti-virus protection or OS patches) but does not monitor content or network traffic. Safe•Connect remains invisible to the user until their device is no longer in compliance with security policies. The user then receives a policy notification page informing them of the reason for noncompliance and instructions on how to correct the problem, along with a link to an internal or external source where the appropriate software can be downloaded.
The University of Denver also benefits from Safe•Connect’s Managed Support Service. Impulse Point offers the industry’s only fully deployable and managed support service available for a NAC solution. Installation is accomplished remotely in hours instead of days with onsite consultants. In addition to turnkey installation and training, the University benefits from proactive 24/7 monitoring, problem determination and resolution, daily policy configuration backups and restoration recovery services, software and appliance hardware maintenance, and future software enhancement protection.
Summary: By using Safe•Connect, the University of Denver is able to simultaneously encourage the freedom of academic expression and secure their network. All devices (regardless of type) are registered and authenticated, and users enjoy the advantages of single sign-on as long as the device remains compliant with security policies. Instances of non-compliance have been reduced, and users among both students and faculty have become more aware of security best practices. There have been no instances of widespread viruses or malware across the network.
Listed below are some of the benefits of Safe•Connect to colleges and universities:
Automated Authentication and Enforcement
Single Sign-On (SSO) and Guest Management Capability
Identity-Driven Policy Assignment and Reporting
Assessment and Network Monitoring:
Pre- and Post-Admission (Real-time) Endpoint Policy Management
Real-time and Historical Policy Status Reporting
End User Experience:
Enhanced User Experience
Guided Self-Remediation Process
System Parameters and Performance:
Flexibility in Enforcing Policy (Quarantine, Warn/Quarantine, Audit Only)
Non-Intrusive Ease of Deployment allowing for Phased Roll-out
Installs in Hours, not Days or Weeks
Scalable with Distributed Security Assessment and Layer2 Quarantine Design
Operationally Managed Service Support
Proactive Continuous Monitoring and Maintenance
Product reviews and assessments:
Strong/Loyal Higher Education Customer Base
Surge in Competitive NAC Replacements
Lower Total Cost of Ownership
Fewer Components to Install, Integrate, and Manage
Reduced Help Desk Calls