Transcript of How Purdue University Calumet maintains sanity in a campus BYOD environment Presented by: Tim...
- Slide 1
- How Purdue University Calumet maintains sanity in a campus BYOD environment. Presented by: Tim Loudermilk, Supervisor of Network Administration
- Slide 2
- ABOUT PURDUE UNIVERSITY CALUMET
  - An academically comprehensive regional university and part of the Purdue University system
  - Located in Hammond, Indiana (less than 25 miles southeast of downtown Chicago)
  - 19-building, 167-acre neighborhood campus
  - An enrollment of over 10,000 students
  - Athletics program sponsoring 12 sports
  - A residential campus offering apartment-style, private bedroom living for about 750 students
- Slide 3
- PURDUE CALUMET - NETWORKING TEAM
  - The Purdue Calumet Networking Team is a part of the Information Services division and consists of:
    - 1 Supervisor
    - 2 Full-time network administrators
    - 2 Student workers
  - Responsible for the management, maintenance, and security of the entire campus data network:
    - Fiber optic and copper cable plant management
    - WAN, LAN, WLAN administration
    - Firewall, IPS, NAC, SIM, and endpoint security administration
    - IP/DNS distribution and management
    - Compliance (PCI, HIPAA, FERPA, CALEA)
- Slide 4
- PURDUE CALUMET CAMPUS DIAGRAM
- Slide 5
- PURDUE CALUMET NETWORK CHALLENGES
  - Small team responsible for:
    - Over 7,000 network ports spread across 19 buildings
    - A campus wireless network serving over 2,500 concurrent users and over 7,000 unique devices per day
    - Network support in residence hall housing over 700 students
  - BYOD-specific challenges:
    - Public university academic freedom
    - Device-to-user identification (CALEA, DMCA)
    - Onboarding of personal devices
    - Security
    - Bandwidth/QoS
- Slide 6
- LEGACY NETWORK
  - Wired
    - All wired ports across campus were plug and go: you plugged in and received an IP via DHCP.
    - Static MAC locking, VLANs, and port policy were implemented to control unwanted devices and services such as DHCP/DNS/web servers from being deployed on the edge.
  - Wireless
    - Wireless network was built for coverage, based on 2.4 GHz even though hardware was dual radio 2.4/5 GHz.
    - 802.1X via PEAP was used for security.
    - Multiple SSIDs were enabled to maintain backward security (dynamic WEP/WPA/WPA2) and client (802.11b) compatibility.
- Slide 7
- SOLUTIONS TO CHALLENGES
  - Comprehensive suite of network management tools
    - NetSight Suite simplifies day-to-day network management
    - NetFlow-enabled distribution switches provide LAN visibility
  - BYOD specific
    - 802.1X and NAC provide user identity and device data
    - Cloudpath XpressConnect assists in 802.1X onboarding
  - Layered security approach
    - NAC enforcing dynamic policies at the wired or WLAN edge
    - Strict wireless filters (remove unnecessary multicast/broadcast traffic from the WLAN, which reduces unnecessary airtime)
    - MU-to-MU blocking on the WLAN
    - Strict firewall policy for BYOD segments
    - Bandwidth rate limits in place on BYOD WLAN network segments at the controller
    - Allot NetEnforcer providing packet shaping across all campus networks
- Slide 8
- CURRENT NETWORK OVERVIEW - WIRED
  - All 6,500 end-user wired ports are configured for MAC authentication, providing end system visibility through NAC.
  - NAC agent installed on all university-owned workstations, providing end system compliance reports.
  - Dynamic port security policies configured on end systems connecting to the network based on NAC rules and end system group membership.
  - MAC locking set in NAC on all office workstations to assist the desktop team with inventory control.
  - Web-based MAC registration configured on all open-access walk-up ports and in residence halls.
  - Agent-based end system security assessment required in residence halls.
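The layered NAC rules on slides 7 and 8 (MAC locking on office ports, agent compliance for university-owned workstations, web-based MAC registration for walk-up and residence ports, agent-based assessment in the residence halls, and a firewalled, rate-limited BYOD segment for everything else) can be read as one ordered policy decision. The following is an added example, not code from the presentation or from the Extreme/Enterasys NAC product; the `EndSystem` attributes, the policy names and the order of evaluation are assumptions that mirror the slides, and the decision fails closed when a required agent report is missing.

```python
"""Illustrative NAC policy decision. Added example, not Purdue Calumet's or
Extreme/Enterasys NAC's own code; attribute names, policy names and the rule
order are assumptions modelled on the slides."""
from dataclasses import dataclass
from typing import Optional

# Assumed policy names; a real NAC maps each to a VLAN, ACL set and rate limit.
QUARANTINE = "Quarantine"          # isolated remediation network
REGISTRATION = "Registration"      # captive web portal for MAC registration
ENTERPRISE = "Enterprise"          # university-owned, agent-compliant workstation
BYOD = "BYOD"                      # personal device: strict firewall + rate limit
RESIDENCE_BYOD = "Residence-BYOD"  # personal device in the residence halls


@dataclass
class EndSystem:
    mac: str
    location: str                           # "office", "walkup", "residence", "wlan"
    university_owned: bool = False          # NAC end-system group membership
    registered: bool = False                # web-based MAC registration completed?
    agent_compliant: Optional[bool] = None  # None = no agent report received
    locked_mac: Optional[str] = None        # MAC pinned to this office port, if any


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so "AA-BB-.." and "aabb.cc.." compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def decide_policy(es: EndSystem) -> str:
    """Return the policy name to push to the edge for this end system."""
    mac = normalize_mac(es.mac)

    # 1. MAC locking on office ports: a foreign MAC on a locked port is isolated
    #    (this is what lets the desktop team spot moved or swapped machines).
    if es.locked_mac is not None and normalize_mac(es.locked_mac) != mac:
        return QUARANTINE

    # 2. University-owned workstations must report compliance through the agent.
    #    A missing report counts as a failed assessment (fail closed).
    if es.university_owned:
        return ENTERPRISE if es.agent_compliant else QUARANTINE

    # 3. Personal devices on walk-up, residence or wireless ports register first.
    if not es.registered:
        return REGISTRATION

    # 4. Residence halls additionally require an agent-based assessment.
    if es.location == "residence":
        return RESIDENCE_BYOD if es.agent_compliant else QUARANTINE

    # 5. Everything else lands in the firewalled, rate-limited BYOD segment.
    return BYOD


if __name__ == "__main__":
    # Constructed sample end systems, one per rule.
    samples = [
        EndSystem("00-11-22-33-44-55", "office", university_owned=True,
                  agent_compliant=True, locked_mac="00:11:22:33:44:55"),
        EndSystem("00-11-22-33-44-66", "office", locked_mac="00:11:22:33:44:55"),
        EndSystem("00-11-22-33-44-77", "office", university_owned=True),
        EndSystem("aabb.ccdd.ee01", "walkup"),
        EndSystem("aabb.ccdd.ee02", "wlan", registered=True),
        EndSystem("aabb.ccdd.ee03", "residence", registered=True, agent_compliant=True),
        EndSystem("aabb.ccdd.ee04", "residence", registered=True),
    ]
    for es in samples:
        print(f"{normalize_mac(es.mac)} @ {es.location:<9} -> {decide_policy(es)}")
```

Because the rules are evaluated in a fixed order, the most restrictive condition wins: a university-owned laptop that fails its agent check never reaches the BYOD branch, and a personal device never reaches the enterprise policy regardless of what it claims about itself.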
- Slide 9
- EXTREME/ENTERASYS ONEVIEW DASHBOARD
- Slide 10
- ONEVIEW NAC END SYSTEM VISIBILITY
- Slide 11
- ONEVIEW NAC END SYSTEM PROFILE
- Slide 12
- EXTREME/ENTERASYS ONEVIEW WIRELESS
- Slide 13
- PROXY RADIUS NAC VISIBILITY
  - We proxy all wireless RADIUS requests to our NAC servers, which then proxy them through to our open-source FreeRADIUS servers.
- Slide 14
- QUARANTINE WIRELESS DEVICES
- Slide 15
- DYNAMIC WIRELESS POLICIES
- Slide 16
- ON-BOARDING WITH CLOUDPATH
  - Calnet Setup SSID: users are redirected to our XpressConnect web server.
  - Push multiple SSID configs to devices for failover or backward compatibility.
- Slide 17
- TOOLS - WLAN
  - MetaGeek Eye P.A.
  - Capture from AP into Wireshark via controller, or capture from MacBook
- Slide 18
- TOOLS - OPEN SOURCE
  - Zenoss: AP bandwidth monitoring
  - SNMP DHCP pool monitoring
  - Set notification thresholds
- Slide 19
- PACKET SHAPING - ALLOT NETENFORCER AC 1440
  - OS X Mavericks update via iTunes in wireless subnet
  - To throttle or not to throttle, that is the question.
- Slide 20
- WIRELESS IMPROVEMENTS
  - Increase AP density in high-traffic areas and provide full 5 GHz band coverage.
  - Disable legacy SSIDs.
  - Create WPA2/AES-only SSID to support full 802.11n modulation rates.
  - Enable Guest and Calnet Setup on every other AP.
  - Switch radio mode to a/n and g/n only.
  - Enable auto 40 MHz channel width on 802.11a radios. New iPhones support 40 MHz channel width on the 802.11a (5 GHz) band.
  - Increase minimum basic rates in high-density areas to fix sticky clients.
  - Create AP filters to block unnecessary broadcast.
  - Continue to enable MU/MU blocking.
  - Enable MAC-based auth on WPA-PSK SSID (dorm media device support).
  - Dump AirPlay multicast on local LAN to decrease controller traffic.
  - eduroam support
- Slide 21
- LIVE DEMO (Time Permitting)
- Slide 22
- QUESTIONS
- Slide 23
- THANK YOU!