Sinclair Community College unifies wired and wireless networks and improves security.
Sinclair Community College wanted to expand its wireless network access for students and faculty beyond the usual locations, such as the cafeteria and dorms, to places where access really matters, such as classrooms, libraries and labs. It also wanted to offer access not only to the Internet, but to its internal networks and applications as well, while keeping up with the added security exposure that such an expansion would bring. Doing both at the same time was part of the college’s plan.
Open networks are security contradictions. They need protection from unauthorized users, but to be effective, they have to provide as much access as possible for faculty, staff and students. Strong outreach programs that bring community members to the campus to offer presentations, participate in forums, or take credit and noncredit classes, among other activities, add to the potential security risks. For a campus network to be effective, IT managers have to give users appropriate access to applications in the places they’re needed while reducing the chance that their carefully crafted system will be attacked.
IT managers at Sinclair Community College cut through this Gordian knot of access, security and cost issues by using their existing wired network to provide the transport for their wireless network and establishing a tiered-access strategy that protects against unauthorized users gaining access to information and network applications.
Says Kenneth Moore, CIO at the Dayton, Ohio, college: “We offer a lot of corporate and community services. We have many different types of people on our campus, from visitors to professors and students. We had to find a way to give them all wireless access, either to the Internet or to our internal network, without compromising our security.”
In 2005, when Sinclair’s IT Services director, Scott McCollum, met with the school’s network-equipment vendor, Enterasys Networks, to discuss ways to create a secure wireless infrastructure, authorization was an important part of the conversation. It eventually became clear that a one-size-fits-all approach wasn’t going to work. “We had to weigh the access requirements of different kinds of users with the school’s need to have a secure network,” McCollum says.
A large corporation can provide many kinds of access to users, but a community college with a modest budget has to find creative ways to support different types of access while limiting cost and implementation requirements by keeping it as simple as possible.
Accordingly, McCollum and his team came up with a strategy that could provide campuswide access without busting the school’s budget.
First, to keep hardware costs down, the wireless system would work through the organization’s existing wired network. The wired network, which McCollum estimates to be worth about $2 million, is an Enterasys Networks 10-Gigabit Ethernet architecture composed of a core of six routers with 31 switches, each connected to two core routers.
“By creating a [wireless network] that tunnels in through our wired network, we were able to use most of our infrastructure rather than adding a lot of new equipment,” says McCollum.
Second, because providing wireless access meant creating stricter authentication of users and devices, the school didn’t restrict the new security scheme to the wireless network but added it to the wired network as well. This kept the design simple while protecting the wired network. “It was something we were going to have to work on eventually, so it made sense to fold wired LAN security into the wireless project,” McCollum says. The school calls the combined wired and wireless security model its Secure LAN Strategy.
Third, for people who are not connected to the school but need Web access, Sinclair piggybacked on a deal the city of Dayton has with service provider HarborLink Network, which provides free wireless access in return for displaying pop-up ads.
In order to accommodate all types of users, McCollum’s team developed three tiers of authorization. “It was an evolutionary process,” he says. “When we were designing the system and specifying the different processes for authentication and the different types of users, we found that they naturally fell into three categories.”
The highest level, tier one, requires identification of both the device and the user. “We give people tier-one access when we own the computer and we know the person using the computer,” says McCollum. Tier one gives users access to the school’s applications and databases as well as to the Web. Staff, faculty and some students who are working in computer labs, the library or in some classrooms are given this classification.
Tier-two users are known to the college and can be authenticated — generally, faculty or staff — but the device they’re using is not owned by the college. Tier-two users have Web-only access through the college’s network.
Besides being restricted to Web access, unknown devices attempting to connect to the network also have to go through safety checks. “In tier two, the device is not trusted as in tier one,” says David Krasofsky, manager of systems and network administration at the school.
When users attempt to log in using their own device, a Cisco NAC appliance checks that the client has updated virus definitions and is using one of many approved antivirus applications (the approved list includes free antivirus applications). The school also uses Enterasys Networks’ NetSight Automated Security Manager and Dragon intrusion-detection systems to qualify unknown devices and to maintain safety.
Once the device is deemed to be in compliance with the school’s security policy, the authorized user can log in and access the Web.
Tier-three access is given to users who are not known to the network and therefore have no authorizations. Tier-three users are denied any access to the school’s network but can access the Web through HarborLink Network hot spots.
Sinclair Community College’s SCOTT McCOLLUM (left) and DAVID KRASOFSKY worked out tiered security access.
Sinclair Community College’s security is virtually the same on both the wired and wireless sides. For example, if wired-side users working on a tier-one device unplug that supported device and plug in their own, they are immediately demoted to tier two, with access only to the school’s Internet connection.
McCollum says that the tiered system gives the school the capability of allowing tier-two users access to a subset of tier-one applications. In the future, tier-two users may have access to more than the school’s Internet, but so far the school hasn’t found it necessary to take advantage of that capability. Right now, other than the lack of pop-ups, access and bandwidth are the primary advantages tier-two users have over tier three. The school has at least some wireless access in every one of its 20 buildings, so tier-two users can connect to the Web from virtually any place on campus, while tier-three users are limited to a few public areas.
While the project design required careful thought and consideration, the implementation phase turned out to be far more challenging and problematic than expected.
McCollum’s cautious approach was one reason for the extra time, but a lack of industry knowledge about nonproprietary network-authentication technologies was also a big stumbling block, he says. Because the project affected the existing heavily used wired network, he wanted to make sure that any disruption to it would be minimal. “An important goal was to allow, as much as possible, users to continue working on the network as they always did while we were constructing the new one,” says McCollum.
Accordingly, the school rolled out the project one building at a time. “We hit new snags and learned new things about each building we worked on,” Krasofsky says.
McCollum and Krasofsky point out that in 2005, when the project was launched, the 802.1x security standard was still new, and there was little in the way of information or utilities to help. “We had to create a lot of our own software tools to make this work,” Krasofsky says.
He also says he found that when he hit a snag — for example, if a device wasn’t responding to the network — and tried to find a common reason, the list of potential troublemakers was very large. “We had so many pieces, so many variables, there wasn’t one place to go to find the problem,” he says. For example, the problem might be in the network, in the network interface card, or in the client or the certificate server.
Checking each device individually became too time-consuming, so Krasofsky’s team developed a homegrown set of tools that allowed network workers to view the entire system. It also gave them the ability to see which devices were not responding.
Sometimes the glitch was deceptively simple, and the solution, once the problem was uncovered, was very easy. For example, after the team had completed a few buildings, they came to a building where they could not get the PCs to communicate with the new network. The team discovered the machines were running Windows 2000. When the team upgraded the machines, they worked fine. “It wasn’t until we hit machines with the old operating system that we discovered that it wouldn’t work with our new security infrastructure,” says Krasofsky.
In another example, the team discovered that some network devices, primarily printers, simply stopped working after a few minutes. In order to get them back online, someone had to physically switch them off and on. That off/on workaround was a clue to the problem. “We found that some devices, like printers, weren’t as chatty on the network as PCs. And when a device is silent for a while, the network stopped recognizing it,” says Krasofsky. It turned out that the printer had to be used about every six minutes in order to remain online. The team created a patch that pinged all the printers every five minutes, and the problem was solved.
Most of the time, once a problem was solved, the solution worked throughout the network. So with growing expertise, the team completed each subsequent building faster than the one before.
Users are happy with the completed network, McCollum says. The only complaint is the reach of the wireless network. “People want more — more bandwidth and access in more locations,” he says. To address the requests from faculty and staff, the school has been adding access points when there is a valid business need. McCollum has also requested some funding for next fiscal year that would allow him to increase the footprint of the wireless network even further.
For students and guests who access the Web through the Internet service provider, Sinclair recently implemented a new service in conjunction with Harborlink, called Harborlink-Premium, which allows a user to pay a monthly charge for a better connection in more locations. The college also plans to offer a variation of this service to clients of the corporate training center that will allow them to pay for daily or weekly premium accounts.
Figuring the total investment of the new network is difficult because the school made good use of its existing network infrastructure. “A lot of the expense was actually use of equipment we already have,” says McCollum. So while the cost is estimated at just under $200,000, much of that is more of an accounting charge than a genuine out-of-pocket expense. As for equipment specifically purchased for the project, McCollum says the school paid about $35,000 for the Cisco NAC and about $12,000 for the remote authentication dial-in user service (RADIUS) servers.
In building the network, Sinclair Community College managed to be frugal and yet expand the network’s capabilities, which isn’t an easy thing to do. It melded its wired and wireless networks into a more efficient unified network, partnered with an ISP to expand coverage, and tightened its security in the process. With the new network, Sinclair Community College found that measuring the new network’s success isn’t only about costs and deadlines, but about the user’s experiences with it. If a new network isn’t convenient or doesn’t work for the user — or worse, allows the wrong user into the wrong place — it might as well be the old network it replaced.
But McCollum isn’t seeking a return on the investment that’s measured in dollars. “This is an important service to our users. They needed access, we needed security,” he says.
To authorize devices, Sinclair uses Enterasys Matrix N-Series switches that support the IEEE 802.1x standard for port-based network access control.
On the wireless side of the network, the request for authorization arrives at the wireless controller switch, which sends the authorization request to a RADIUS-based Microsoft Internet Authentication Service (IAS) server.
All school-owned devices have supplicants, which identify themselves to the server. If the device cannot be authenticated, it is quarantined on a virtual LAN (VLAN) and limited to Web access.
The RADIUS server also looks up the user’s account in an Active Directory database to determine if the user is authorized to access the network.
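As an added illustration, not Sinclair’s own tooling or its IAS configuration, the following Python models the three-tier decision the RADIUS server makes for the tiers described above: the Active Directory user lookup, the device-identity check, the tier-two posture check performed by the NAC appliance, and the VLAN handed back to the switch. The user list, VLAN ids and antivirus product names are constructed placeholders; the Tunnel-* attributes are the standard RADIUS attributes used for dynamic VLAN assignment.

```python
from dataclasses import dataclass
from typing import Optional

# Standard RADIUS tunnel attribute values for VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Constructed policy values (placeholders, not Sinclair's real ones).
VLAN_BY_TIER = {1: "100", 2: "200"}      # tier 1: full access; tier 2: Web-only VLAN
KNOWN_USERS = {"prof.smith", "staff.jones"}   # stand-in for the Active Directory lookup
APPROVED_AV = {"example-av-free", "example-av-corp"}
MAX_SIG_AGE_DAYS = 7

@dataclass
class AccessRequest:
    user: Optional[str]          # identity asserted by the supplicant; None if no user credential
    device_cert_ok: bool         # device certificate validated, i.e. a school-owned machine
    av_product: Optional[str] = None       # posture data reported for a non-school device
    av_sig_age_days: Optional[int] = None

def posture_ok(req: AccessRequest) -> bool:
    """Tier-two safety check: an approved antivirus product with fresh definitions."""
    return (req.av_product in APPROVED_AV
            and req.av_sig_age_days is not None
            and req.av_sig_age_days <= MAX_SIG_AGE_DAYS)

def classify(req: AccessRequest) -> int:
    """1 = known user on a school device, 2 = known user on own device, 3 = unknown user."""
    if req.user not in KNOWN_USERS:
        return 3
    return 1 if req.device_cert_ok else 2

def authorize(req: AccessRequest) -> dict:
    """Produce the RADIUS reply the switch or wireless controller would act on."""
    tier = classify(req)
    if tier == 3:
        # Tier three gets nothing from the school's network; the public hot spot serves them.
        return {"code": "Access-Reject", "tier": 3, "reason": "unknown user"}
    if tier == 2 and not posture_ok(req):
        # Own device that fails the safety check is not admitted until it complies.
        return {"code": "Access-Reject", "tier": 2, "reason": "posture check failed"}
    return {"code": "Access-Accept", "tier": tier,
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": VLAN_BY_TIER[tier]}
```

The same user presenting a school-owned device lands on the tier-one VLAN, and presenting a personal device lands on the Web-only VLAN, which is the wired-side demotion the article describes.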
Nightmare
Sinclair’s new network requires that a device be owned by the school in order for it to be connected to the school’s network. The school decided to enforce the same policy on the wired as well as the new wireless network, partly because of past problems with unsupported devices.
David Krasofsky, manager of systems and network administration at Sinclair, remembers one of the worst examples of this: Someone connected a Linux box to the network, and the Linux OS had a routing protocol that Sinclair’s network didn’t recognize. “Our switches saw that and started recalculating routes all over the network. At least one entire building lost network access,” Krasofsky says.