Oct 23 2014

New Network Management Tools Make Life Easier for Higher Ed IT

New tools and software provide vulnerable campus networks with defense in depth.

Gartner predicts that by 2018, bring-your-own-device (BYOD) and similar programs will double, and perhaps even triple, as mobile technology expands beyond phones, tablets and notebook computers into cars, clothing, watches and even body cameras.

IT directors are already expanding campus networking and wireless services to include almost three times as many devices as there are faculty, staff and students, because three devices per person is now the norm. And with the Internet of Everything looming on the horizon, the number of devices per person easily could increase by a factor of 10 well before 2018.

Michigan's Calvin College, the University of Pennsylvania's Graduate School of Education (PGSE) and Inver Hills Community College in Minnesota are just three institutions among many thousands that now face such challenges. Network overload, security and tech support are the primary concerns confounding college IT professionals nationwide.

"It's a large job to oversee a fleet of college-owned mobile devices, tablets, and desktops, plus accommodate the thousands of faculty, staff, student and guest devices that appear on the network every day," Calvin College IT Director Brian Paige says. "It has posed a logistical challenge, which results in a large investment of staff time and effort."

Photo: Brian Kelly

Calvin College's Brian Paige says new network management tools help him and his lean team manage multiple network components more strategically.

"We have many added threats," says James Brown, a network security engineer at Inver Hills. "BYOD comes in with viruses, malware, bots and sometimes malicious intent. Managing all the personal wireless devices is a real challenge."

"Security, asset management and data protection are serious concerns," PGSE IT Director Michael Herzog says, "but managing and maintaining technical support is also a legitimate consideration that must be addressed."

Management Solutions

Calvin College, located in Grand Rapids, Mich., uses Absolute Manage software to manage part of its fleet of desktop computers and Microsoft System Center Configuration Manager for Windows PC management. Both tools keep desktop systems up to date and secure, track the location of college-owned assets and ensure that they're in compliance with Calvin's software license agreements.

"Any time there is a change to an environment or the introduction of new technology, security needs to be addressed. The balance between data access, security and ITAM [IT Asset Management] has always been an active conversation," says Michael Haan, technology integration specialist at Calvin College.

The IT team is also designing a security information and event management system to provide broader, single-pane-of-glass oversight of security, data logs and other information used to make risk-based decisions. "The SIEM system works in conjunction with the other tools we've deployed, so we have access to actionable information for each of the devices on the network, whether mobile or fixed," says Adam Vedra, Calvin's information security officer and associate IT director.

Using these management tools, the team deploys devices with standard images and software. They also use Microsoft Active Directory to distribute group policies across the fleet, ensuring consistent configuration and central management.

"We have a close collection of instruments and tools that provide a consistent and streamlined administration system, which allows us to collectively manage our universe of devices," Paige says.

Service-Specific Delivery

The proliferation of new and varied devices has created logistical challenges at the University of Pennsylvania's Graduate School of Education in Philadelphia. It isn't the number of devices that concerns the IT team, but rather a shift that's moved PGSE away from device-specific support to a service delivery model. The concerns and challenges around network security remain the same, such as the assumption that an infected device could hit PGSE's network regardless of overall volume. "The real threat that keeps me up at night is data leakage and portability," Herzog says.

PGSE uses multiple tools to protect its environment from the multiple threat vectors that now exist. The institution's primary weapon is Absolute Software's suite of tools (Absolute Manage, Absolute Manage MDM and Absolute Service). The tight integration of this suite of products provides a wide range of tools through a single console for ease of use and management, such as security monitoring, remote support, patch management, asset tracking and policy enforcement.

Absolute Manage MDM allows PGSE to enforce security policies and protocols on mobile devices attempting to access institutional data. For example, mobile devices must be protected by a passcode in case of loss or theft. Absolute Safe provides a level of control over data access not previously available.

"The cornerstone of any strong IT management model begins with a solid baseline imaging process," Herzog says. "Ensuring we have a secure baseline before a machine is deployed greatly reduces the risks to the device. Then, it's a matter of tracking, proactively monitoring and patching assets."


Percentage of institutions that offer BYOD despite potential security risks; 56 percent use network access control to automate BYOD processes

SOURCE: Bradford Networks, "The Impact of BYOD on Education," May 2013

It's also critical to create policies and best practices around which devices are permitted to access specific data sets and resources.

Gartner's Tim Zimmerman says there are many strategies: "It is paramount that they understand their objectives, document them in a policy, then use the policy to select and implement the right solution to meet their security needs."

Devices — and the ways that students want to use them — will continue to evolve, "but solid policy enforcement and passive scanning of devices or MDM applications will make it easier to decide if, when and how these devices can access network resources based on the security policy," he says.

Unified Vision

Inver Hills Community College's 5,000 full- and part-time students in Inver Grove Heights, Minn., all enjoy wireless access. Every day, 3,300 unique devices come online, all of which require access to college services. Inver Hills has relied on network access control since 2006, so when a wireless device attempts to access the network, it must have a valid college ID and password that identifies it as student, staff or faculty property. Without it, the system denies access.

Inver Hills deployed a Cisco Sourcefire intrusion prevention system (IPS) as a traffic manager and Cisco Sourcefire FireAMP to handle malware.

The team first used the tools as separate products with two consoles, but they've since been combined "so we can correlate between them through a single console," Brown says.

The system ensures that all devices have an anti-virus program, and all Windows security patches are installed before any device is permitted to log in.

Cisco's IPS monitor identifies infected devices or those controlled by a bot network that slip through a device's onboard anti-virus program. When detected, the Cisco IPS sends admins the device's IP address, which is then matched against student information, so that the student can be contacted and meet with IT team members to have the malware removed.

