Business Value Case Study - Posted 3/28/2008

La Trobe University

University Optimizes Security for Campuswide Network, Increases IT Efficiency

La Trobe University, a leading higher education institution in Australia, had to automate network access controls for all clients connecting to the campuswide network. With more than 28,000 students and 2,600 staff, this was no small task. Compounding the problem was the University’s high turnover rate. Thousands of incoming new students would arrive each year, bringing with them thousands of new unsecured clients connecting to the network. The University needs to safeguard private information such as student records, commercially valuable research, and financial transactions. To provide an automated solution, La Trobe University upgraded to the 64-bit edition of Windows Server® 2008 Enterprise and could immediately detect and manage the health of every system connecting to the network. This has allowed La Trobe to eliminate unsecured machines connecting to its networks.

 

Situation

As a leading higher education institution in Australia, La Trobe University is constantly striving for the advancement of its students, its staff, and the institution as a whole. La Trobe was founded as the third university in the state of Victoria in 1967 with only 550 enrolled students. Today the University has grown to a half-dozen campuses across Victoria that accommodate 30,000 students and more than 3,000 staff members.

“All we can do is try to protect our little corner of the world and prevent unhealthy computers from getting to our central servers.... I actually think NAP is one of the best tools to help us keep our system safe.”
Michael Piko, Systems Manager, La Trobe University

With campuses spread throughout the state of Victoria, La Trobe has a very complex network solution. Bundoora, the largest of the seven campuses, is home to over 19,000 students as well as a large Research and Development Park. One hundred and forty kilometers north, the Bendigo campus is host to approximately 4,000 students and 400 staff. The central IT department on the Bundoora campus is responsible for remotely maintaining the network infrastructure of other campuses, as well as all desktop builds used in computer labs.

The University faces a unique network environment. With almost 30,000 client computers, La Trobe’s network is both large and dispersed. Not only must the network be available to students who directly connect while on campus, but access must also be made available to students working from home. The network security has to be able to transparently handle connections from clients anywhere—remote or local—running practically any operating system, including Windows® XP, Windows Vista®, and some Linux and Apple Mac OS X clients.

Because students are its primary customers, La Trobe University has network requirements that are very different from any corporation. Students require seamless access to the network in the residential colleges, classrooms, libraries, and other common areas. Unlike a corporation that is able to control what types of computers are assigned to employees, La Trobe must accept whatever laptop or desktop computer a student brings to the campus. The University’s IT department must also keep the network open by default, whereas in a corporate environment the network is closed.

Michael Piko, Systems Manager of La Trobe University, explains, “Instead of customers, we have students who make major use of our network infrastructure. Our staff and faculty also have affiliations with other companies outside of the University. They are not controlled employees. They already have a laptop or desktop before they come into the University.” All these conditions make providing a network security solution very difficult, because it must be able to handle such a unique environment.

Solution

By participating in the Microsoft Rapid Deployment Program, La Trobe University was given the chance to work with prerelease versions of the Windows Server® 2008 operating system. In order to ease the deployment and ensure it was taking full advantage of the operating system’s new capabilities, La Trobe worked closely with Dimension Data, a Microsoft® Gold Certified Partner. Dimension Data is a recognized global leader in the provision and management of specialist IT infrastructure solutions.

Early press releases by Microsoft created a buzz around the new Network Access Protection (NAP) feature, and its possible benefits for even the most diverse network environments, such as schools and universities where network security is often difficult. “Because we’re a university, we’re actually the worst case for a NAP deployment. If we can do it, then any company can do it. We have the most diverse set of computers and people,” says Piko.

“Our network has to be open by default because of all the students,” says David Hird, Systems Architect for La Trobe University. “When we saw the description of NAP in Windows Server 2008, it was very appealing. It could automatically segregate devices into proper areas.”

In a typical corporate environment, the IT department can control the client computers that are assigned to employees. It can set up the computers with the proper security settings already in place. Administrators can often push out updates to antivirus software and Microsoft updates automatically without user intervention.

A university, on the other hand, has little control of what devices connect to the network. Incoming students often arrive with their own computers that the IT department has no control over. Usually, these computers are not updated with the latest Microsoft updates, nor is a firewall enabled. They often do not even have antivirus software installed on them. La Trobe University’s IT department urgently required a solution that would allow for seamless integration of new clients on the network. With approximately 10,000 students arriving and leaving each academic year, the solution had to be able to automatically deal with unsecured clients without the intervention of the already stretched IT department.

Step 1
  • Activity: Unsecured client connects to network.
  • Current Process: User must authenticate to access the University's network, but no health check is performed on the computer.
  • Business Process Improvement: Client computer is routed to the NAP server before being given access to network resources.
  • Benefit: System health checks are done automatically; all computers can be set up with anti-virus software and firewalls before connecting to internal networks.
Step 2
  • Activity: System health check.
  • Current Process: None.
  • Business Process Improvement: NAP automatically checks the health of the computer to determine if it meets the set health standard. Such parameters include whether the latest Microsoft security updates have been installed, if a firewall is enabled, or if the anti-virus software is up to date. It then attempts to fix any problems and ensures that the computer is compliant with the University's health standard.
  • Benefit: System health checks are done automatically, without intervention by IT staff, and unsecured clients are quarantined to off-network resources until remediated.
Step 3
  • Activity: Noncompliant system is remediated.
  • Current Process: None.
  • Business Process Improvement: If possible, NAP automatically remediates the system by enabling a firewall or downloading the latest updates. However, if user intervention is required, the system is sequestered to remediation servers where users can download utilities to bring their computers into compliance.
  • Benefit: All remediations are done either automatically or by the end user. The number of virus and malware incidents will fall as computers are constantly checked for the latest security patches and updates, returning valuable hours to the IT staff.
Step 4
  • Activity: Client is given open access.

La Trobe found just such a solution in the 64-bit edition of Windows Server 2008 Enterprise. This new server technology includes the long-awaited Network Access Protection (NAP) feature, which is the Microsoft policy-based quarantining service. With NAP, an administrator can set a baseline for a “healthy” computer. When a computer initially connects to a network via a wired or wireless connection, the Network Policy Server (NPS) compares the computer’s status with the health baseline. If any requirement is not met, the NPS can prevent the computer from accessing the network or automatically remediate the computer to bring it in line with network policy. Once the computer is fixed, by the user or automatically, it undergoes a second health check and, if deemed secure, is granted full access to the network. La Trobe can also include remediation servers in the solution. Clients that don’t pass the health check are redirected to these servers, where they are given access to the Internet and any remediation resources the University provides.

The University can set up NAP to automatically fix the offending computer. If, for instance, a firewall is not enabled or security updates not installed, NAP can automatically enable the firewall or install the updates onto the system and then allow access to the full network. By setting a health standard for all computers connecting to the network, La Trobe can use NAP to dramatically reduce the number of virus and malware infections on its network. With NAP, La Trobe can stop unsafe clients that could possibly bring dangerous Trojans or worms, before they ever connect to the network.

La Trobe faced a unique challenge: before the Network Policy Server can conduct a health check, a NAP agent must first be installed on the computer. Because Windows Vista and Windows XP SP3 already include such an agent, the NAP process is completely seamless for those users. However, the majority of the wide variety of client computers on its network were running Windows XP SP2 or SP1, so the IT department specially designed a NAP agent that can be installed on these pre-Windows XP SP3 clients. The installation is handled via the remediation server, where computers that don’t meet the health check are sent. Other operating systems such as Linux and Apple Mac OS X must have their own NAP agents; several third-party vendors are already in the process of releasing such clients.

La Trobe initially rolled out NAP to a subset of its network users and chose to use its own IT department as the pilot group. This subnet included approximately 150 clients. Initially La Trobe enabled the NAP client in monitoring-only mode, so NAP could check health statuses but didn’t quarantine any clients that failed the check. As the staff become more familiar with the technology and are assured that NAP will not cause any major disruptions in work, they will roll out NAP to subsequent subnets throughout the University. During 2008, La Trobe will deploy NAP widely across its campuses, with the result that the Network Policy Server will be handling thousands of requests.
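The health-check cycle the preceding paragraphs and the process table describe (compare the agent's report with the health baseline, apply the fixes NAP can make on its own, run the second check, send what remains to the remediation servers, and the monitoring-only mode used in the pilot) can be modelled in a few lines of Python. This is an added illustration, not La Trobe's deployment or Microsoft's NPS code; the requirement names, the thresholds (such as the seven-day signature age) and the sample clients are assumptions chosen for the example.

```python
# Added example: a small model of the NAP health-check flow described in the
# case study. Constructed for illustration; it is not La Trobe's deployment
# or Microsoft's NPS code. Thresholds and sample clients are assumptions.
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass
class StatementOfHealth:
    """What the NAP agent on a client reports to the Network Policy Server."""
    client: str
    nap_agent_present: bool        # Vista / XP SP3 ship one; older clients need the download
    firewall_enabled: bool
    antivirus_installed: bool
    av_signature_age_days: int     # days since the antivirus signatures were updated
    missing_security_updates: int  # uninstalled Microsoft security updates


@dataclass
class HealthPolicy:
    """The 'healthy computer' baseline (assumed values, not the University's)."""
    max_av_signature_age_days: int = 7
    enforce: bool = True  # False = monitoring-only: record failures, still grant access


@dataclass
class Decision:
    client: str
    access: str                                   # "full" or "remediation"
    failures: List[str] = field(default_factory=list)
    auto_remediated: List[str] = field(default_factory=list)


def failed_requirements(soh: StatementOfHealth, policy: HealthPolicy) -> List[str]:
    """Compare a client's reported state with the baseline; empty list = compliant."""
    if not soh.nap_agent_present:
        # Without an agent no health data exists, so the check itself fails.
        return ["NAP agent not installed"]
    failures = []
    if not soh.firewall_enabled:
        failures.append("firewall disabled")
    if not soh.antivirus_installed:
        failures.append("no antivirus installed")
    elif soh.av_signature_age_days > policy.max_av_signature_age_days:
        failures.append("antivirus signatures out of date")
    if soh.missing_security_updates > 0:
        failures.append(f"{soh.missing_security_updates} security update(s) missing")
    return failures


def auto_remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """The fixes NAP can apply without the user: enable the firewall, pull updates.
    Installing an agent or antivirus is left to the user on the remediation servers."""
    return replace(soh, firewall_enabled=True, missing_security_updates=0)


def evaluate(soh: StatementOfHealth, policy: HealthPolicy) -> Decision:
    """One connection attempt as seen by the NPS."""
    failures = failed_requirements(soh, policy)
    if not failures:
        return Decision(soh.client, "full")
    if not policy.enforce:
        # Monitoring-only mode: log the failures but quarantine nobody.
        return Decision(soh.client, "full", failures)
    # Apply the automatic fixes, then run the second health check.
    remaining = failed_requirements(auto_remediate(soh), policy)
    fixed = [f for f in failures if f not in remaining]
    if remaining:
        return Decision(soh.client, "remediation", remaining, fixed)
    return Decision(soh.client, "full", [], fixed)


# Constructed sample clients, not real La Trobe machines.
CLIENTS: Dict[str, StatementOfHealth] = {
    "staff-vista":    StatementOfHealth("staff-vista", True, True, True, 1, 0),
    "student-xp-sp3": StatementOfHealth("student-xp-sp3", True, False, True, 3, 2),
    "student-no-av":  StatementOfHealth("student-no-av", True, True, False, 0, 0),
    "staff-stale-av": StatementOfHealth("staff-stale-av", True, True, True, 30, 0),
    "student-xp-sp2": StatementOfHealth("student-xp-sp2", False, False, False, 0, 9),
}


def run_pilot(policy: HealthPolicy) -> Dict[str, Decision]:
    """Evaluate every sample client under one policy, as the pilot subnet would."""
    return {name: evaluate(soh, policy) for name, soh in CLIENTS.items()}


if __name__ == "__main__":
    for policy in (HealthPolicy(enforce=False), HealthPolicy(enforce=True)):
        print(f"enforce={policy.enforce}")
        for d in run_pilot(policy).values():
            print(f"  {d.client:15} {d.access:12} failures={d.failures} fixed={d.auto_remediated}")
```

Running the script twice, once per mode, shows why the pilot started in monitoring-only mode: the same five clients produce the same failure list either way, but only with `enforce=True` do the two that NAP cannot fix by itself (no antivirus, stale signatures) and the agent-less XP SP2 machine end up on the remediation servers, while the client that merely had its firewall off and two updates missing is fixed automatically and passes the second check.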

Benefits

Using Windows Server 2008, the University is able to restrict out-of-compliance clients that try to connect to the University’s IT subnets. By being able to set a health standard for all clients on the network, the IT staff is able to reduce its exposure to dangerous viruses, Trojans, and malware.

Automatic Protection

Network Access Protection requires little or no intervention by users connecting to the network. Client computers running Windows Vista or Windows XP SP3 already have a NAP agent installed and can painlessly connect to the network. Other client computers will have to install a small NAP agent before connecting. Remediation servers provide users with all the resources they need to become fully compliant with the health standards set by the University. Because the NAP solution is also highly scalable, it can automatically handle the duty of helping to ensure security compliance as new students arrive every year.

La Trobe has chosen to spearhead the deployment by first testing Windows Server 2008 on its most critical servers. “We have deployed NAP on a couple of our most sensitive networks,” Hird says. “These networks have access through firewalls to our server subnets. If the machines on these networks are not healthy, then we open ourselves up to attack. If you can compromise the workstation of an administrator, then there’s a potential for damage. The small cost in time and money of improving the health of those critical networks is insignificant compared to the cost of the University networks and domains being targeted for attack.”

“All we can do is try to protect our little corner of the world and prevent people from getting to our central servers.... I actually think NAP is one of the best tools to help us keep our system safe,” says Piko.

Hird also sees great benefits in finally having tightened security compliance. He says, “Our machines are directly on the Internet. We have public IP addresses for everything. So unless you have a local firewall, you have nothing and you are really exposed. The fact that we can force students to turn [firewalls] on gives them protection. That is going to give us substantial benefits in terms of machines on the Internet…. It is a big boost because of the way our environment is set up, because anything we can do to protect the user’s machines is a big benefit.”

Students, as well as the University’s IT department, will see benefits from having NAP monitoring the network. With a reduced number of unsecured machines on the network, the students’ computers will be safeguarded from malicious software that could potentially destroy their data or render their computers useless until serviced. As students are relying more and more on computers for daily tasks such as taking notes, writing reports, and researching, any computer downtime can have a significant negative impact on the student’s grades. Piko explains, “The savings [of Windows Server 2008] for the students will be the pain and suffering saved by preventing their laptops from being destroyed by malicious software.”

Key Performance Indicator | Type of KPI | Impact
Percent of out-of-compliance clients on network | Decrease | Costs
Number of virus-related help-desk calls | Decrease | Costs
Number of malicious intent attacks on internal networks | Decrease | Costs

Increased IT Efficiency

La Trobe expects that support time spent by the IT department on solving staff or students’ malware-related problems will be significantly reduced.

Using Windows Server 2008 will also greatly affect La Trobe University’s processes in the future. The IT department plans to take advantage of other technologies such as Read-Only Domain Controller, failover clustering, Server Core, and hypervisor virtualization.

Building on the NAP deployment, the University has begun migration to Dynamic Host Configuration Protocol (DHCP)–assigned IP addresses. “We’ve had mostly static IP addresses and leveraging off the NAP project, we are moving towards dynamic IP addresses and that will save us significant time and resources in manually assigning and managing IP addresses,” Hird explains. After La Trobe deploys failover clustering, it will be able to centralize critical servers.

Piko talks about clustering, “We’re starting to take over a lot of infrastructure activities. For example, we have a File and Print Server consolidation project coming and we’re going to use Windows Server 2008 and [failover] clustering to do this. [Windows Server 2008] will be robust enough to handle large loads and it will save us having a lot of little individual servers out in the field while centralizing our management. Because of the way a university works, you end up having to have a lot of IT expertise in a lot of different places. Just being able to centralize all that saves us a lot of costs.” The University will also use Server Core to reduce its server footprint and at the same time save time in server management and updating.

 

About Business Value Assessment

This business value research study was developed by Capgemini using the Microsoft Value Framework to assess the business value of Windows Server 2008. Capgemini is one of the world's foremost providers of Consulting, Technology, and Outsourcing services. For information on how to repeat this study for your organization, contact your local Microsoft representative or go to:
www.microsoft.com/value

Partner Profile

Dimension Data is a specialist IT services and solution provider that helps clients plan, build, support, and manage their IT infrastructures.
 

Windows Server 2008
Windows Server 2008, with built-in Web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, Web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized data center. Powerful new tools like Internet Information Services 7.0, Windows Server Manager, and Windows PowerShell™ allow you to have more control over your servers and streamline Web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller harden the operating system and protect your server environment to ensure that you have a solid foundation on which to build your business.

For more information about the 64-bit edition of Windows Server 2008 Enterprise, go to:
www.microsoft.com/windowsserver2008

 

For More Information

For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com

For more information about La Trobe, visit the Web site at:
www.latrobe.edu.au

For more information about Capgemini, visit the Web site at:
www.capgemini.com

Solution Overview



Organization Size: 3000 employees

Software and Services
Windows Server 2008

Vertical Industries
Higher Education Institutions

Country/Region
Australia

Partner(s)
Dimension Data Australia