May 02 2022

4 Tips to Ensure Secure Automated Network Management in Higher Ed

There’s no one-size-fits-all approach, but these tips can help you establish a more secure network at your institution.

Education IT managers have been building and managing large networks for decades. It’s only in the past few years, however, that large-scale network management tools equipped to match the size and complexity of education networks have become available. Revisiting network management strategies every few years is an important part of taking advantage of new techniques and technologies. Here are four tips for ensuring secure network management in higher education.

1.) Get an Accurate Scope of Vertical and Horizontal Management

Network management tools are often described as being “single pane of glass” solutions for the entire network. But in a diverse education environment, there are good reasons to partition management tools across different scopes. Data centers, for example, require a significantly different view and level of management than campus buildings or remote offices. This doesn’t mean you can’t have a single platform in areas such as firewall management or network device configuration — just that you should consider tools which are designed for multiple administrative domains or multitenant operation.

Setting the scope for each view within a tool requires looking both vertically and horizontally. Vertical scopes such as splitting the network into core data centers and even different types of buildings (e.g., administrative, educational, research) are one set of divisions. But horizontal scoping is also important. For example, information security teams may need to combine information across different vertical scopes, product types and vendors to accomplish their goals, but the perfect tools for information security might not be able to scale enough to also include network capacity planning and performance monitoring. It’s better to pick the right tool for the job instead of trying to shoehorn everything into a single product.

2.) Speed Up Network Automation with Personae and Objects

Even the smallest network serves a diverse set of requirements; administrators, faculty, students, servers and researchers all come with their own needs when it comes to performance, accessibility and network design. While you want to meet the needs of every one of your customers, a key technique for keeping a network consistent and secure is to reduce your architecture to a small set of very well-documented use cases. These personae turn into configuration elements — firewall rules, switch port and Wi-Fi settings, load balancer and IPS settings, and even log retention policies.

Whether there are 20 or 200 different use cases, they can serve as a base for all automation efforts once you’ve taken the time to enumerate and document them. Any changes in configuration should be kept consistent across a particular use case. This is especially important as education IT managers incorporate Infrastructure as a Service and Software as a Service cloud solutions and as orchestration tools are increasingly used to automate configuration of everything from switches to firewalls.
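As an added illustration (not part of the original article), the Python sketch below treats each documented persona as a configuration baseline and flags switch ports whose running settings have drifted from the persona they claim. The persona names, setting keys and port inventory are constructed assumptions.

```python
# Added example: documented personae as baselines, with drift detection.
# Persona names, setting keys and the port inventory are all constructed.

PERSONAS = {
    "student-wired": {"vlan": 210, "dot1x": True, "bpdu_guard": True, "log_days": 90},
    "research-lab": {"vlan": 340, "dot1x": True, "bpdu_guard": True, "log_days": 365},
    "admin-office": {"vlan": 120, "dot1x": True, "bpdu_guard": True, "log_days": 180},
}

# Constructed inventory: each port names its persona and reports running settings.
PORTS = [
    {"id": "lib-sw1:Gi1/0/4", "persona": "student-wired",
     "running": {"vlan": 210, "dot1x": True, "bpdu_guard": True, "log_days": 90}},
    {"id": "lib-sw1:Gi1/0/9", "persona": "student-wired",
     "running": {"vlan": 210, "dot1x": False, "bpdu_guard": True, "log_days": 90}},
    {"id": "chem-sw2:Gi1/0/2", "persona": "research-lab",
     "running": {"vlan": 120, "dot1x": True, "bpdu_guard": True}},
    {"id": "gym-sw1:Gi1/0/1", "persona": "kiosk",
     "running": {"vlan": 500, "dot1x": False}},
]


def find_drift(personas, ports):
    """Return (port, setting, expected, actual) for every deviation."""
    findings = []
    for port in ports:
        baseline = personas.get(port["persona"])
        if baseline is None:
            # A port using an undocumented use case is itself a finding.
            findings.append((port["id"], "persona", None, port["persona"]))
            continue
        running = port["running"]
        for key, expected in baseline.items():
            actual = running.get(key)  # a missing setting counts as drift
            if actual != expected:
                findings.append((port["id"], key, expected, actual))
        # Settings present on the port but absent from the documented persona.
        for key in sorted(running.keys() - baseline.keys()):
            findings.append((port["id"], key, None, running[key]))
    return findings


if __name__ == "__main__":
    for port_id, key, expected, actual in find_drift(PERSONAS, PORTS):
        print(f"{port_id}: {key} expected={expected!r} actual={actual!r}")
```
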

3.) Automate Network Monitoring, but Don’t Over-Monitor

Just using the words “network monitoring” can cause confusion, because monitoring has many different meanings: Reachability monitoring, alerting, application performance monitoring, capacity analysis, and responding to events all require different approaches and often different tools, yet all still fall under the generic term “network monitoring.”

None of this confusion should reduce IT managers’ commitment to good monitoring. The important first step is to define the scope of each monitoring domain to see what tool fits best. It’s unlikely that a single monitoring tool will handle all these cases well. Education IT managers need to make good decisions about when they can reuse an existing tool, log server or management system and when they need something new.

A good strategy is to focus on the consumer of the monitoring rather than the device types being monitored, then work your way backward from there. This is especially true in education environments, where a distributed network management style is typical and features such as overlapping scopes of responsibility are common.

Over-monitoring is a common problem with automated tools because the default configuration of many tools treats all elements equally. Education IT managers with large-scale network scopes must constantly tune their monitoring strategies to avoid performance problems (both in the network and in monitoring tools) that can come with looking at things too frequently or in too much depth. A good strategy — one that comes naturally from building personae and use cases — will weigh criticality, type of use and users, expected failure modes, and high availability capabilities to drive what parameters are being monitored, how often they’re monitored and how long metrics are kept. For example, counting network switch port errors is something that can happen once every day in a modern network, while measuring application response time might require minute-by-minute graphing.
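The weighing described above can be sketched in Python as follows. This is an added example, not from the original article or any monitoring product; the scoring weights, tier thresholds, one-minute default and inventory are constructed assumptions chosen to mirror the article's switch-port and response-time contrast.

```python
# Added example: derive poll interval and retention per metric from the
# documented use case, then compare load against a uniform default.
# Weights, tiers and the inventory below are constructed assumptions.

DEFAULT_INTERVAL_S = 60  # assumed "treat all elements equally" default

# (highest score in tier, poll interval in seconds, retention in days)
TIERS = [(1, 86400, 30), (3, 900, 90), (99, 60, 365)]

INVENTORY = [
    {"name": "switch port error counters", "count": 20000,
     "criticality": 1, "user_facing": False, "redundant": False},
    {"name": "LMS response time", "count": 4,
     "criticality": 3, "user_facing": True, "redundant": False},
    {"name": "core uplink utilization", "count": 16,
     "criticality": 3, "user_facing": False, "redundant": True},
]


def plan(metric):
    """Weigh criticality, type of use and high availability into a schedule."""
    score = metric["criticality"]              # 0 (low) to 3 (high)
    score += 1 if metric["user_facing"] else 0
    score -= 1 if metric["redundant"] else 0   # HA tolerates slower detection
    score = max(score, 0)
    for limit, interval, retention in TIERS:
        if score <= limit:
            return {"interval_s": interval, "retention_days": retention}


def samples_per_day(inventory, tuned=True):
    """Total samples collected per day across all monitored elements."""
    total = 0
    for metric in inventory:
        interval = plan(metric)["interval_s"] if tuned else DEFAULT_INTERVAL_S
        total += metric["count"] * (86400 // interval)
    return total


if __name__ == "__main__":
    for metric in INVENTORY:
        print(metric["name"], plan(metric))
    print("uniform default:", samples_per_day(INVENTORY, tuned=False))
    print("tuned by use case:", samples_per_day(INVENTORY, tuned=True))
```
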

4.) Treat Wi-Fi Differently Than Wired Networks

Managing Wi-Fi for availability and security is not the same as managing wired networks. Though Wi-Fi floats on top of the wired network, it’s an application in itself and requires a very different set of management tools to combat its unique challenges. Commonalities, such as making sure that access points are up and running, can be deceptive. Education Wi-Fi networks are highly dependent on network services such as authentication and Dynamic Host Configuration Protocol, and may also link to mobile device management (enterprise mobility management or unified endpoint management) tools. Keeping everything up and measuring response time and failure rates is new to network managers used to handling wired networks.

Wi-Fi networks also have their own performance problems, often caused by factors out of the control of the IT manager, such as interference from other nearby Wi-Fi access points and even the movement of people and objects within a building. Automating detection of radio-frequency problems and tuning is so important that every enterprise-ready wireless controller system includes these options. However, it’s up to the IT manager to establish the parameters for automated tuning, such as signal and noise level goals and capacity levels, so that the Wi-Fi management system can work effectively.
