How Purdue University Calumet maintains sanity in a campus BYOD environment. Presented by: Tim Loudermilk - Supervisor of Network Administration

Posted on 17-Dec-2015


TRANSCRIPT

  • Slide 1
  • How Purdue University Calumet maintains sanity in a campus BYOD environment Presented by: Tim Loudermilk - Supervisor of Network Administration
  • Slide 2
  • ABOUT PURDUE UNIVERSITY CALUMET
      • An academically comprehensive regional university and part of the Purdue University system
      • Located in Hammond, Indiana (less than 25 miles southeast of downtown Chicago)
      • 19-building, 167-acre neighborhood campus
      • An enrollment of over 10,000 students
      • Athletics program sponsoring 12 sports
      • A residential campus offering apartment-style, private bedroom living for about 750 students
  • Slide 3
  • PURDUE CALUMET - NETWORKING TEAM
      • The Purdue Calumet Networking Team is a part of the Information Services division and consists of: 1 supervisor, 2 full-time network administrators, 2 student workers
      • Responsible for the management, maintenance, and security of the entire campus data network:
          • Fiber optic and copper cable plant management
          • WAN, LAN, WLAN administration
          • Firewall, IPS, NAC, SIM, and endpoint security administration
          • IP/DNS distribution and management
          • Compliance (PCI, HIPAA, FERPA, CALEA)
  • Slide 4
  • PURDUE CALUMET CAMPUS DIAGRAM
  • Slide 5
  • PURDUE CALUMET NETWORK CHALLENGES
      • Small team responsible for:
          • Over 7,000 network ports spread across 19 buildings
          • A campus wireless network serving over 2,500 concurrent users and over 7,000 unique devices per day
          • Network support in a residence hall housing over 700 students
      • BYOD-specific challenges:
          • Public university academic freedom
          • Device-to-user identification (CALEA, DMCA)
          • Onboarding of personal devices
          • Security
          • Bandwidth/QoS
  • Slide 6
  • LEGACY NETWORK
      • Wired
          • All wired ports across campus were plug and go: you plugged in and received an IP via DHCP.
          • Static MAC locking, VLANs, and port policy were implemented to keep unwanted devices and services (such as DHCP/DNS/web servers) from being deployed on the edge.
      • Wireless
          • The wireless network was built for coverage, based on 2.4 GHz even though the hardware was dual-radio 2.4/5 GHz.
          • 802.1X via PEAP was used for security.
          • Multiple SSIDs were enabled to maintain backward security (dynamic WEP/WPA/WPA2) and client (802.11b) compatibility.
  • Slide 7
  • SOLUTIONS TO CHALLENGES
      • Comprehensive suite of network management tools
          • NetSight Suite - simplifies day-to-day network management
          • NetFlow-enabled distribution switches - LAN visibility
      • BYOD-specific
          • 802.1X and NAC provide user identity and device data
          • Cloudpath XpressConnect assists with 802.1X onboarding
      • Layered security approach
          • NAC enforcing dynamic policies at the wired or WLAN edge
          • Strict wireless filters (remove unnecessary multicast/broadcast traffic from the WLAN, which reduces wasted airtime)
          • MU-to-MU blocking on the WLAN
          • Strict firewall policy for BYOD segments
          • Bandwidth rate limits in place on BYOD WLAN network segments at the controller
          • Allot NetEnforcer providing packet shaping across all campus networks
  • Slide 8
  • CURRENT NETWORK OVERVIEW - WIRED
      • All 6,500 end-user wired ports are configured for MAC authentication, providing end system visibility through NAC.
      • NAC agent installed on all university-owned workstations, providing end system compliance reports.
      • Dynamic port security policies are applied to end systems connecting to the network based on NAC rules and end system group membership.
      • MAC locking set in NAC on all office workstations to assist the desktop team with inventory control.
      • Web-based MAC registration configured on all open-access walk-up ports and in residence halls.
      • Agent-based end system security assessment required in residence halls.
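An added simulation (not Extreme NAC's rule engine and not the university's configuration) of the dynamic-policy decisions slides 7 and 8 describe: MAC locking on office ports, agent compliance reports for university-owned workstations, web MAC registration on walk-up and residence hall ports, and agent-based assessment in residence halls. The role names, MAC addresses, switch and port identifiers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed NAC data for the example: a web MAC registration table and the
# MAC locked to each office port. Real deployments pull these from the NAC database.
REGISTERED_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}
LOCKED_OFFICE_PORTS = {("bldg1-sw1", "gi1/0/7"): "00:11:22:33:44:55"}

@dataclass
class EndSystem:
    mac: str
    switch: str
    port: str
    port_type: str                          # "office", "walkup" or "reshall"
    group: str = "unknown"                  # NAC end system group, e.g. "university-owned"
    agent_compliant: Optional[bool] = None  # None = no agent report / assessment yet

def decide_policy(es: EndSystem) -> str:
    """Return the dynamic port policy (role name, assumed here) pushed for this end system."""
    mac = es.mac.lower()
    if es.port_type == "office":
        locked = LOCKED_OFFICE_PORTS.get((es.switch, es.port))
        # MAC locking: a different MAC on a locked office port is an inventory/security event
        if locked is not None and locked != mac:
            return "quarantine"
        if es.group == "university-owned":
            # the agent compliance report drives the policy for university-owned workstations
            if es.agent_compliant is None:
                return "quarantine"  # no report at all: fail closed
            return "staff-full" if es.agent_compliant else "remediation"
        return "registration"  # unknown device on an office port only reaches the portal
    if es.port_type in ("walkup", "reshall"):
        if mac not in REGISTERED_MACS:
            return "registration"  # web-based MAC registration portal
        if es.port_type == "reshall":
            if es.agent_compliant is None:
                return "assessment"  # agent-based security assessment still required
            if not es.agent_compliant:
                return "remediation"
        return "byod-limited"  # registered BYOD: strict firewall policy and rate limits
    return "deny"  # unknown port class: fail closed
```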
  • Slide 9
  • EXTREME/ENTERASYS ONEVIEW DASHBOARD
  • Slide 10
  • ONEVIEW NAC END SYSTEM VISIBILITY
  • Slide 11
  • ONEVIEW NAC END SYSTEM PROFILE
  • Slide 12
  • EXTREME/ENTERASYS ONEVIEW WIRELESS
  • Slide 13
  • PROXY RADIUS NAC VISIBILITY We proxy RADIUS for all wireless requests to our NAC servers, which then proxy through to our open source FreeRADIUS servers.
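An added example, not the campus configuration or FreeRADIUS code, of what each hop in this proxy chain has to do with the RADIUS Message-Authenticator attribute (RFC 2869): the NAC verifies the Access-Request with the controller-facing shared secret, appends Proxy-State, and re-signs it with the FreeRADIUS-facing secret. Secrets, identifiers and the EAP payload are constructed.

```python
import hmac
import hashlib
import struct

# Added example of one proxy hop in the chain the slide describes (controller -> NAC ->
# FreeRADIUS); secrets, identifiers and the EAP payload are constructed, not campus values.
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_NAS_IDENTIFIER = 1, 1, 32
ATTR_PROXY_STATE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 33, 79, 80

def build_access_request(ident, authenticator, attrs, secret):
    """Encode an Access-Request and append Message-Authenticator (RFC 2869 3.2):
    HMAC-MD5 keyed with this hop's shared secret over the packet with the MA value zeroed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    i, end = 20, struct.unpack("!H", pkt[2:4])[0]
    while i + 2 <= end:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > end:
            raise ValueError("malformed attribute")
        yield i, t, pkt[i + 2:i + l]
        i += l

def verify(pkt, secret):
    """True only if a Message-Authenticator is present and matches this hop's secret."""
    for off, t, v in parse_attrs(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(v, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False  # no Message-Authenticator: reject, EAP requests must carry one

def proxy_hop(pkt, inbound_secret, outbound_secret, proxy_state):
    """Verify with the controller-facing secret, add Proxy-State, re-sign for FreeRADIUS."""
    if not verify(pkt, inbound_secret):
        raise ValueError("Message-Authenticator check failed; dropping request")
    attrs = [(t, v) for _, t, v in parse_attrs(pkt) if t != ATTR_MESSAGE_AUTHENTICATOR]
    attrs.append((ATTR_PROXY_STATE, proxy_state))
    return build_access_request(pkt[1], pkt[4:20], attrs, outbound_secret)

def demo():
    """Constructed run: returns (packet from controller, packet the NAC forwards)."""
    auth = bytes(range(16))  # constructed Request Authenticator (random in a real client)
    attrs = [(ATTR_USER_NAME, b"student@example.edu"), (ATTR_NAS_IDENTIFIER, b"wlc-1"),
             (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x18\x01student@example.edu")]
    from_controller = build_access_request(7, auth, attrs, b"ctrl-to-nac")
    return from_controller, proxy_hop(from_controller, b"ctrl-to-nac", b"nac-to-fr", b"nac1")
```

A request forwarded without re-signing fails the FreeRADIUS-side check, which is why each hop needs its own secret and its own verify step.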
  • Slide 14
  • QUARANTINE WIRELESS DEVICES
  • Slide 15
  • DYNAMIC WIRELESS POLICIES
  • Slide 16
  • ON-BOARDING WITH CLOUDPATH
      • Calnet Setup SSID: users are redirected to our XpressConnect web server.
      • Push multiple SSID configs to devices for failover or backward compatibility.
  • Slide 17
  • TOOLS - WLAN
      • MetaGeek Eye P.A.
      • Capture from an AP into Wireshark via the controller, or capture from a MacBook
  • Slide 18
  • TOOLS - OPEN SOURCE
      • Zenoss: AP bandwidth monitoring, SNMP DHCP pool monitoring, set notification thresholds
  • Slide 19
  • PACKET SHAPING - ALLOT NETENFORCER AC 1440
      • OS X Mavericks update via iTunes in the wireless subnet
      • To throttle or not to throttle, that is the question.
  • Slide 20
  • WIRELESS IMPROVEMENTS
      • Increase AP density in high-traffic areas and provide full 5 GHz band coverage.
      • Disable legacy SSIDs.
      • Create a WPA2/AES-only SSID to support full 802.11n modulation rates.
      • Enable Guest and Calnet Setup on every other AP.
      • Switch radio mode to a/n and g/n only.
      • Enable auto 40 MHz channel width on 802.11a radios; new iPhones support 40 MHz channel width on the A band.
      • Increase minimum basic rates in high-density areas to fix sticky clients.
      • Create AP filters to block unnecessary broadcast.
      • Continue to enable MU/MU blocking.
      • Enable MAC-based auth on the WPA-PSK SSID (dorm media device support).
      • Dump AirPlay multicast on the local LAN to decrease controller traffic.
      • eduroam support.
  • Slide 21
  • LIVE DEMO (time permitting)
  • Slide 22
  • QUESTIONS
  • Slide 23
  • THANK YOU!