4-page Case Study - Posted 10/1/2008
Views: 1061
Rate This Evidence:
University Achieves Greater Network Visibility, Saves $75,000 with Security Tools
Ball State University wanted to deliver enhanced security for its IT environment and to monitor and manage network health. Previously, the university lacked an effective way to tell if computers were properly updated and in compliance with security policies. Ball State deployed Network Access Protection (NAP), which is a feature of the Windows Server® 2008 operating system and helps administrators assess, monitor, and enforce compliance with security policies. The university also adopted Microsoft® Forefront™ Client Security for antivirus protection. Ball State now has better visibility into the health of its network, and its IT staff can be more responsive to issues. The university’s new security products provide users with a positive experience and improved performance, while saving U.S.$75,000 each year in support and maintenance costs.
Situation
Ball State University is not just an outstanding institute of higher education—it also conducts projects and research that drive innovation as it educates future professionals. To support its tradition of innovation, the university must maintain excellent facilities and a reliable IT network for students, professors, and staff.
 |
These solutions help us empower end users, reduce the amount of hand-holding that they need to be productive, and make security measures as transparent and painless as possible. |
 |
|
Alex Chalmers
Lead Enterprise Systems and Security Architect, Ball State University |
|
|
More than 900 faculty members and approximately 18,000 students share the same network, which is divided between the main campus and 29 residence halls, separated by a firewall. During the academic year, the network has approximately 20,000 nodes, a little more than half of which are used by students. “It’s critical that our network stay healthy so that faculty, staff, and students can get the information they need to do their work,” says Alex Chalmers, Lead Enterprise Systems and Security Architect for University Computing Services for Ball State University.
In the past, however, IT staff members faced difficulty maintaining a secure environment. Both students and professors take their portable computers off the campus network frequently, making it hard for IT staff to know where those computers have been connected and if their users have deployed the proper updates. “Our goal is to ensure that users follow our security best practices, but we didn’t have a great way to do that,” says Chalmers. “We lacked a mechanism for automated remediation, and even monitoring the health of our network was a challenge. I had to check multiple sources to get a sense of what was going on in our environment.”
Ball State also needed to simplify its visibility into its network usage. For instance, if the university received a takedown notice under the United States Digital Millennium Copyright Act (DMCA), the method to determine who was responsible for the instance of illegal downloading or sharing required correlating data across a number of management systems.
In 2005, Ball State purchased a wireless tool for network authentication. The university successfully deployed the tool for its wireless networks, but when it attempted to set up the tool for its wired network, the tool presented several challenges. To address the issues, Ball State had to deploy and maintain separate in-line appliances. “Although the wireless side of things worked just fine, the tool’s special requirements to function on the wired side came with high costs for adequate bandwidth and throughput,” recalls Chalmers. “And the system’s multiple moving parts also made it difficult for us to adequately maintain.”
Solution
Ball State University soon decided to abandon the wireless tool and instead deploy Network Access Protection (NAP) to meet its authentication and remediation needs. A feature of the Windows Server® 2008 operating system, NAP provides components and an application programming interface that help administrators assess, monitor, and enforce compliance with health-requirement policies for network access and communication. Says Chalmers, “We’d heard of NAP and were attracted to it for several reasons, including the fact that its agent is built right into the client operating system, which meant that we would not need to manage agent versions and deployments in addition to operating system updates.” Although the university had not deployed Windows Server 2008 prior to its NAP implementation, it began to plan other deployments as its NAP project progressed.
The university also elected to make a transition from its Symantec antivirus client security product to Microsoft® Forefront™ Client Security, which provides unified malware protection for business desktops, laptops, and server operating systems that is easy to manage and control. “Forefront Client Security made a lot of sense for us to adopt because of its integration with NAP,” says Chalmers. “It also seemed like a cost-effective antivirus solution because we can maintain it with less effort but still receive superior performance.”
The Ball State IT team launched its wide-scale implementation of Forefront Client Security in July 2008. IT staff members installed client agents using the university’s existing Windows Server Update Services distribution infrastructure. The university is also involved in a technology adoption program (TAP) for Forefront Client Security, which is testing the upcoming version of the product, known as Stirling. “We volunteered for the Stirling TAP because we feel strongly about helping Microsoft meet the needs of the education sector and making an already good product even better,” explains Chalmers.
For its NAP deployment, the university developed a proof of concept—in about one hour. It quickly expanded that into a pilot project that involved approximately 50 devices that were used by IT staff members. The pilot system took about three days for the university to build, configure, and test. “Given that our pilot system configuration was nearly identical to our production configuration, I would say that the pilot build was faster than alternative technologies to provide the same level of coverage,” says Chalmers.
As shown in Figure 1, Ball State opted to use the 802.1X enforcement scenario, although it also may use NAP to monitor Internet Protocol (IP) security–protected traffic in the future. Unlike the university’s previous tool, NAP is standards-based and requires no specific hardware configuration or in-line appliances.
|
We’re taking advantage of a suite of products rather than deploying point solutions, and it’s producing high levels of monitoring and management, which also makes for better server utilization. |
|
|
Alex Chalmers
Lead Enterprise Systems and Security Architect, Ball State University |
|
|
The pilot project, which began in December 2007, included testing compliance, remediation, and a prerelease version of the Forefront Integration Kit for NAP. “It went so smoothly that we just used the same configurations and moved straight from pilot to production deployment,” says Chalmers.
As of September 2008, Ball State is entering the auto-remediation stage—a phase that it was unable to reach with its previous solution. The university is deploying auto-remediation into its original pilot area as it deploys NAP to the rest of its primary campus. With auto-remediation, NAP will automatically fix a client computer to bring it into compliance with Ball State security policies before allowing it to log on to the network. “We certainly don’t view remediation as punitive. Rather, it’s there to help users quickly do what they can to address issues that could cause their computers to be out of compliance and therefore quarantined.”
Ball State plans to roll out NAP in stages. The phased deployment began in June 2008 and is expected to take about 12 months. In anticipation of increased NAP usage, the university has centralized the location where it logs and reports network health and issues, using a solution based on Microsoft SQL Server® 2005 data management software.
Benefits
With its move toward an integrated security environment using NAP and Forefront Client Security, Ball State is establishing a more manageable network with enhanced security and visibility. “We’re taking advantage of a suite of products rather than deploying point solutions, and it’s producing high levels of monitoring and management, which also makes for better server utilization,” says Chalmers. “Because NAP and Forefront work together, we have an enhanced level of security. Integrating them in our environment, particularly in our student computer centers, lets us know if someone tampers with anything or if a particular computer isn’t healthy.”
Enhanced Network Visibility
Through its use of NAP, Ball State has a much better view of the health of its IT environment. The solution helps Ball State ensure that the computers connecting to its network are fully updated, running the latest antimalware, and maintaining acceptable levels of security. “We also like the visibility into the network that NAP affords,” says Chalmers. “We can determine who’s logged on and where, map the specific devices that are attached to the network, identify how many nodes we truly have, and enjoy more advanced reporting, data analysis, and statistics than we had before.”
The university expects to better handle everything from network usage issues to those related to DMCA takedown notices. For example, the takedown process begins with a request that indicates the external IP address of the accused violator and a timestamp of the violation. With NAP and centralized logging in place, tracing that information to a user is a straightforward process. “We determine the internal IP address from the firewall logs and then query the Network Policy Server accounting logs for user sessions with the IP address that was active at the time of the violation timestamp,” explains Chalmers. “Previously, for wired connections, after determining the internal IP address of the system we would need to determine what network switch port correlated to that IP address, what network jack correlated to the given switch port, and if one or more computers were connected to the jack.
Continues Chalmers, “We now can use a combination of internal and external IP addresses and times to track users. And, if an employee happens to be away during the time his logon information was used, we can see that those user credentials have been compromised.”
The new solution also supplies valuable information, such as spikes in network usage, performance issues, and trending data. Continues Chalmers, “From a holistic perspective, adding these solutions has made my job considerably easier. Integrated views with tailored reporting information give me a much better understanding of the state of the university’s environment, and I no longer need to visit nine screens to try to get it.”
Better User Experience and Performance
Ball State can now streamline network use for its user community. The previous product required faculty and students to log on in two separate areas for security purposes before granting them network access. The new solution has a dynamic background, which means that users log on just once. “We think user satisfaction regarding our services will definitely increase as a result of the improved network access and computer health,” says Chalmers.
|
Because we’re being more proactive in our network management—reducing the likelihood of problems and helping users help themselves through NAP functionality—we think that we’ll see considerable savings. |
|
|
Alex Chalmers
Lead Enterprise Systems and Security Architect, Ball State University |
|
|
Ball State hopes users will notice the positive differences that the university is making in the IT environment. “These solutions help us empower end users, reduce the amount of hand-holding that they need to be productive, and make security measures as transparent and painless as possible,” says Chalmers. “Users appreciate how much more smoothly things are running, particularly the way we’ve been able to streamline client authentication and updating.”
Also, IT staff members have seen improved performance on the computers that use Forefront Client Security. “We’ve noticed that the computers still using Symantec run considerably slower during a scan than those with Forefront Client Security,” says Chalmers. “Scans are essential, so it’s great that they’ll no longer have a negative impact on users’ productivity.”
Improved IT Responsiveness and Flexibility
The Ball State IT team expects to keep its network running more smoothly and its users happier now that it has NAP. “It’s really valuable for us to know right away when a computer is not compliant with our security policies,” says Chalmers. “We can address the issue more quickly and easily. And, if the auto-remediation feature is turned on, we may not have to do anything because often the system can take care of the issue on its own.”
Ball State maintains flexibility because NAP is standards-based and interoperates with any current hardware infrastructure. Plus, NAP doesn’t require additional devices, so the IT team has fewer places to look if a problem occurs. “We can address issues more quickly than we could with our previous solutions,” says Chalmers. “We really appreciate that our NAP solution fits our existing infrastructure, doesn’t lock us into a specific hardware appliance, and doesn’t require specialized knowledge to manage.”
Easier IT Maintenance
That same flexibility extends to the university’s use of Forefront Client Security. “It’s far easier to keep our client computers up-to-date now and to manage them overall,” says Chalmers. “Instead of a special update or brand new executable, updates now come as part of the normal monthly update cycle. That’s a lot less work for IT administrators and less hassle for end users.”
One of the features of Forefront Client Security that Ball State particularly appreciates is the ability for server administrators to apply certain exclusions and overrides on a per-client basis. That capability has made it possible for the university’s IT team to reduce six different server configurations to one because it no longer has to create and apply separate configurations on the management server on behalf of an individual user or user group. “We have a very small IT team that has to manage a lot of applications and technologies. Finding efficiencies, such as being able to push out standard configurations and just exclude specific servers, helps lessen the burden and redirects our attention to strategic, game-changing projects,” says Chalmers.
Cost savings of $75,000
The university anticipates that the amount of calls to the help desk will decrease with the implementation of NAP and Forefront Client Security on its computers and that it will be able to reduce its overall maintenance and management of network security. “Anytime we can reduce the level of necessary maintenance, it produces significant time and cost savings. Because we’re being more proactive in our network management—reducing the likelihood of problems and helping users help themselves through NAP functionality—we think that we’ll see considerable savings,” says Chalmers.
For the current budget year, Ball State saved approximately U.S.$75,000 in support and maintenance costs by moving to NAP and taking advantage of its existing contracts with Microsoft. “Eventually, we’ll have no recurring costs for these capabilities—everything will fall under our support and licensing suite costs,” says Chalmers. “And there are additional long-term cost savings by moving to NAP, such as server hardware refresh costs, which will be lower due to the much smaller number of systems needed by the NAP/NPS solution.”
Windows Server 2008
Windows Server 2008, with built-in Web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, Web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized datacenter. Powerful new tools like IIS 7.0, Server Manager, and Windows PowerShell™, allow you to have more control over your servers and streamline Web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller option for Active Directory Domain Services harden the operating system and help protect your server environment to ensure you have a solid foundation on which to build your business.
For more information, go to:
www.microsoft.com/windowsserver2008
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com
For more information about Ball State University products and services, visit the Web site at:
www.bsu.edu
