
How Purdue University Calumet maintains sanity in a campus BYOD environment


Presentation Transcript


  1. How Purdue University Calumet maintains sanity in a campus BYOD environment. Presented by: Tim Loudermilk - Supervisor of Network Administration

  2. About Purdue University Calumet
  • An academically comprehensive regional university and part of the Purdue University system
  • Located in Hammond, Indiana (less than 25 miles southeast of downtown Chicago)
  • 19-building, 167-acre neighborhood campus
  • An enrollment of over 10,000 students
  • Athletics program sponsoring 12 sports
  • A residential campus offering apartment-style, private-bedroom living for about 750 students

  3. Purdue Calumet - Networking team
  • The Purdue Calumet Networking Team is part of the Information Services division and consists of:
    • 1 supervisor
    • 2 full-time network administrators
    • 2 student workers
  • Responsible for the management, maintenance, and security of the entire campus data network:
    • Fiber-optic and copper cable plant management
    • WAN, LAN, WLAN administration
    • Firewall, IPS, NAC, SIM, and endpoint security administration
    • IP/DNS distribution and management
    • Compliance (PCI, HIPAA, FERPA, CALEA)

  4. Purdue Calumet campus diagram

  5. Purdue Calumet Network Challenges
  • Small team responsible for:
    • Over 7,000 network ports spread across 19 buildings
    • A campus wireless network serving over 2,500 concurrent users and over 7,000 unique devices per day
    • Network support in a residence hall housing over 700 students
  • BYOD-specific challenges:
    • Public university - academic freedom
    • Device-to-user identification (CALEA, DMCA)
    • Onboarding of personal devices
    • Security
    • Bandwidth/QoS

  6. Legacy network
  • Wired
    • All wired ports across campus were plug-and-go: you plugged in and received an IP via DHCP. Static MAC locking, VLANs, and port policy were used to keep unwanted devices and rogue services (DHCP/DNS/web servers) from being deployed at the edge.
  • Wireless
    • The wireless network was built for coverage on 2.4 GHz, even though the hardware had dual 2.4/5 GHz radios. 802.1X with PEAP was used for security. Multiple SSIDs were kept enabled for backward compatibility with older security modes (dynamic WEP/WPA/WPA2) and older clients (802.11b).

  7. Solutions to Challenges
  • Comprehensive suite of network management tools
    • NetSight Suite - simplifies day-to-day network management
    • NetFlow-enabled distribution switches - LAN visibility
  • BYOD specific
    • 802.1X and NAC provide user identity and device data
    • Cloudpath XpressConnect assists with 802.1X onboarding
  • Layered security approach
    • NAC enforcing dynamic policies at the wired or WLAN edge
    • Strict wireless filters (remove unnecessary multicast/broadcast traffic from the WLAN, which frees up airtime)
    • MU-to-MU blocking on the WLAN
    • Strict firewall policy for BYOD segments
    • Bandwidth rate limits on BYOD WLAN segments, applied at the controller
    • Allot NetEnforcer providing packet shaping across all campus networks
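The device-to-user identification problem raised on slide 5, and answered here with "802.1X and NAC provide user identity and device data", comes down to joining two records: the DHCP lease that maps an IP address to a MAC at a point in time, and the RADIUS session that maps that MAC to an authenticated user. The Python below is an added example of that join, not code from the presentation or from the campus network. The log lines are constructed, and the record formats (key=value accounting lines in the style of a FreeRADIUS detail file, ISC dhcpd DHCPACK syslog lines), the one-hour lease time and the year are assumptions.

```python
"""Device-to-user identification: join DHCP leases with RADIUS sessions.

Added example.  The log lines are constructed; the record formats
(key=value accounting lines, ISC dhcpd syslog), LEASE_TIME and YEAR are
assumptions, not facts about the Purdue Calumet network.
"""
import re
from datetime import datetime, timedelta

# Constructed RADIUS accounting records: one record per line.
RADIUS_ACCT = """\
2014-03-03T08:01:12 Acct-Status-Type=Start User-Name=jdoe Calling-Station-Id=AA-BB-CC-11-22-33 Acct-Session-Id=s1
2014-03-03T08:02:40 Acct-Status-Type=Start User-Name=asmith Calling-Station-Id=aabb.cc44.5566 Acct-Session-Id=s2
2014-03-03T11:30:05 Acct-Status-Type=Stop User-Name=jdoe Calling-Station-Id=AA-BB-CC-11-22-33 Acct-Session-Id=s1
2014-03-03T12:15:00 Acct-Status-Type=Start User-Name=bwong Calling-Station-Id=aa:bb:cc:77:88:99 Acct-Session-Id=s3
"""

# Constructed ISC dhcpd syslog lines.  Note that 10.20.30.40 is handed to a
# second device at 12:15 once the first lease has lapsed.
DHCP_LOG = """\
Mar  3 08:01:15 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to aa:bb:cc:11:22:33 (jdoe-laptop) via 10.20.30.1
Mar  3 08:02:43 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to aa:bb:cc:44:55:66 via 10.20.30.1
Mar  3 12:15:03 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to aa:bb:cc:77:88:99 (android-1) via 10.20.30.1
"""
LEASE_TIME = timedelta(hours=1)  # assumed pool lease time
YEAR = 2014                      # syslog lines carry no year; assumed


def norm_mac(s):
    """Collapse AA-BB-.., aabb.ccdd.eeff and aa:bb:.. into 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def radius_sessions(text):
    """Map Acct-Session-Id -> [user, mac, start, stop_or_None]."""
    sessions = {}
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        kv = dict(field.split("=", 1) for field in rest.split())
        t = datetime.fromisoformat(ts)
        sid = kv["Acct-Session-Id"]
        if kv["Acct-Status-Type"] == "Start":
            sessions[sid] = [kv["User-Name"], norm_mac(kv["Calling-Station-Id"]), t, None]
        elif kv["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid][3] = t
    return sessions


DHCP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+)")


def dhcp_acks(text):
    """Return (time, ip, mac) for every DHCPACK, oldest first."""
    acks = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            t = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            acks.append((t, m.group(2), norm_mac(m.group(3))))
    acks.sort()
    return acks


def who_had_ip(ip, at, radius_text=RADIUS_ACCT, dhcp_text=DHCP_LOG):
    """Who was authenticated on the device holding `ip` at time `at`?

    Step 1: the lease covering `at` is the latest DHCPACK for `ip` issued at
    or before `at` that has not yet expired; it yields the MAC.
    Step 2: the RADIUS session for that MAC open at `at` (Start <= at and
    either no Stop yet or Stop >= at) yields the user.
    Returns (user, mac), or None if either link is missing, which is the
    honest answer for a CALEA/DMCA request rather than a guess.
    """
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    mac = None
    for t, lease_ip, lease_mac in dhcp_acks(dhcp_text):  # sorted, so later ACKs win
        if lease_ip == ip and t <= at < t + LEASE_TIME:
            mac = lease_mac
    if mac is None:
        return None
    for user, sess_mac, start, stop in radius_sessions(radius_text).values():
        if sess_mac == mac and start <= at and (stop is None or stop >= at):
            return (user, mac)
    return None


if __name__ == "__main__":
    for ts in ("2014-03-03T08:30:00", "2014-03-03T10:00:00", "2014-03-03T12:30:00"):
        print(ts, "10.20.30.40 ->", who_had_ip("10.20.30.40", ts))
```

The MAC normalisation matters in practice: switches, controllers and dhcpd each write the same address in a different form, and a join on the raw strings silently fails. The lapsed-lease case at 10:00 returns None on purpose; an IP that no live lease covers should not be attributed to whoever held it earlier.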

  8. Current Network Overview - wired
  • All 6,500 end-user wired ports are configured for MAC authentication, providing end-system visibility through NAC.
  • NAC agent installed on all university-owned workstations, providing end-system compliance reports.
  • Dynamic port security policies applied to end systems connecting to the network, based on NAC rules and end-system group membership.
  • MAC locking set in NAC on all office workstations to assist the desktop team with inventory control.
  • Web-based MAC registration configured on all open-access walk-up ports and in residence halls.
  • Agent-based end-system security assessment required in residence halls.
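The wired rules on this slide amount to one decision function evaluated at every MAC authentication: the inventory (MAC locking), the end system's group (university-owned or a registered personal device), the port's location and the agent's assessment result together select a policy, and that policy reaches the switch port as attributes in the RADIUS Access-Accept. The Python below is an added example of that shape, not the NAC product's rule engine or the campus's actual rules; the groups, policy names, VLAN IDs, attribute values and inventory entries are constructed assumptions. The same first-match ordering carries over to the quarantine and dynamic wireless policies on the later slides.

```python
"""Dynamic edge policy from MAC-auth context, in the style of the NAC rules
slide 8 describes.

Added example, not the vendor's rule engine or the campus's real rules.
The groups, policy names, VLAN numbers and the inventory below are
constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed end-system groups.  In the deck these come from NAC group
# membership, the web MAC-registration portal and the desktop inventory.
UNIVERSITY_OWNED = {"0011aabbcc01", "0011aabbcc02"}
REGISTERED_BYOD = {"d4f1aabbcc03"}
# Office ports locked to the workstation's MAC ("MAC locking set in NAC on
# all office workstations to assist the desktop team with inventory control").
LOCKED_PORTS = {"sw-lib-1:Gi1/0/7": "0011aabbcc01"}

# What the switch receives in the Access-Accept and enforces on the port.
# Filter-Id selects the policy, Tunnel-Private-Group-Id the VLAN (assumed).
POLICIES = {
    "Enterprise":   {"Filter-Id": "Enterprise",   "Tunnel-Private-Group-Id": "100"},
    "BYOD":         {"Filter-Id": "BYOD",         "Tunnel-Private-Group-Id": "300"},
    "Remediation":  {"Filter-Id": "Remediation",  "Tunnel-Private-Group-Id": "900"},
    "Registration": {"Filter-Id": "Registration", "Tunnel-Private-Group-Id": "901"},
    "Quarantine":   {"Filter-Id": "Quarantine",   "Tunnel-Private-Group-Id": "999"},
}


@dataclass
class AuthRequest:
    mac: str                     # Calling-Station-Id in whatever form the NAS sends
    nas_port: str                # "switch:interface"
    location: str                # "office", "walkup" or "reshall"
    assessment: str = "unknown"  # agent result: "pass", "fail" or "unknown"


def norm_mac(s):
    """Collapse AA-BB-.., aabb.ccdd.eeff and aa:bb:.. into 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def decide(req):
    """Pick the policy name for one MAC-auth request.  Rules run in order;
    the first match wins, so the most restrictive checks come first."""
    mac = norm_mac(req.mac)
    # 1. A locked office port admits only the inventoried MAC.  Anything
    #    else (a moved PC, a visitor's laptop) is quarantined until the
    #    desktop team updates the inventory.
    locked = LOCKED_PORTS.get(req.nas_port)
    if locked is not None and locked != mac:
        return "Quarantine"
    # 2. University-owned workstation: full access, unless the NAC agent's
    #    compliance report says it fails.
    if mac in UNIVERSITY_OWNED:
        return "Remediation" if req.assessment == "fail" else "Enterprise"
    # 3. Unknown personal device: land it on the registration VLAN where the
    #    web MAC-registration portal ties the MAC to a user.
    if mac not in REGISTERED_BYOD:
        return "Registration"
    # 4. Registered personal device.  Residence halls additionally require a
    #    passed agent assessment; "unknown" (no agent) is not good enough.
    if req.location == "reshall" and req.assessment != "pass":
        return "Remediation"
    return "BYOD"


def radius_reply(req):
    """Attributes for the Access-Accept that the NAS turns into port policy."""
    name = decide(req)
    return {"policy": name, **POLICIES[name]}


if __name__ == "__main__":
    for r in (
        AuthRequest("00-11-AA-BB-CC-01", "sw-lib-1:Gi1/0/7", "office"),
        AuthRequest("00:11:aa:bb:cc:02", "sw-lib-1:Gi1/0/7", "office"),
        AuthRequest("d4f1.aabb.cc03", "sw-res-2:Gi1/0/12", "reshall"),
        AuthRequest("c8:2a:14:00:00:01", "sw-lib-1:Gi1/0/20", "walkup"),
    ):
        print(r.mac, r.nas_port, "->", radius_reply(r))
```

Two design points worth copying: the quarantine check runs before any group lookup, so a university-owned MAC plugged into the wrong locked port is still held, and an assessment of "unknown" is treated as a failure in the residence halls rather than as a pass, which is what makes the agent requirement enforceable.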

  9. Extreme/Enterasys OneView Dashboard

  10. OneView NAC end-system visibility

  11. OneView NAC end-system profile

  12. Extreme/Enterasys OneView Wireless

  13. Proxy RADIUS - NAC visibility. We proxy all wireless RADIUS requests to our NAC servers, which then proxy them through to our open-source FreeRADIUS servers.

  14. Quarantine Wireless devices

  15. Dynamic wireless policies

  16. Onboarding with Cloudpath. “Calnet Setup” SSID: users are redirected to our XpressConnect web server, which pushes multiple SSID configurations to devices for failover or backward compatibility.

  17. Tools - WLAN. MetaGeek Eye P.A. Capture from an AP into Wireshark via the controller, or capture from a MacBook.

  18. Tools - Open Source
  • Zenoss
    • AP bandwidth monitoring
    • SNMP DHCP pool monitoring
    • Set notification thresholds

  19. Packet shaping - Allot NetEnforcer AC-1440. OS X Mavericks update via iTunes on the wireless subnet. To throttle or not to throttle, that is the question.

  20. Wireless improvements
  • Increase AP density in high-traffic areas and provide full 5 GHz band coverage.
  • Disable legacy SSIDs. Create a WPA2/AES-only SSID to support full 802.11n modulation rates (802.11n does not allow HT rates with TKIP or WEP).
  • Enable Guest and Calnet Setup on every other AP.
  • Switch radio mode to a/n and g/n only.
  • Enable auto 40 MHz channel width on 802.11a radios. New iPhones support 40 MHz channel width on the 5 GHz (A) band.
  • Increase minimum basic rates in high-density areas to fix sticky clients.
  • Create AP filters to block unnecessary broadcast.
  • Continue to enable MU-to-MU blocking.
  • Enable MAC-based auth on the WPA-PSK SSID (dorm media device support).
  • Dump AirPlay multicast on the local LAN to decrease controller traffic.
  • eduroam support

  21. Live Demo (Time Permitting)

  22. Questions

  23. Thank You!
