Proactive Computer Management in Residence Halls - PowerPoint PPT Presentation

1
Proactive Computer Management in Residence Halls
  • Mark Castner, Canisius College
  • Lisa Mastropaolo, Canisius College
  • Michael Craig, Rockhurst University
  • Matt Heinrich, Rockhurst University

2
About the Schools
  • Canisius College
  • - Buffalo, NY
  • - IT Staff of 30
  • - 3019 full time students
  • - 2029 part time students
  • - 1250 resident students
  • - Wireless access on 70% of campus
  • Rockhurst University
  • - Kansas City, Missouri
  • - IT Staff of 15
  • - 1500 full time students
  • - 1500 part time students
  • - 800 resident students
  • - Wireless access over entire campus

3
Flashback
  • Think about what the computer world was like when
    you first provided Ethernet services to resident
    students.
  • Canisius College provided data services starting
    in Fall 1996.
  • The entire computer registration process was done
    via The Green Sheet.

5
Along came Blaster and Sasser
  • August 2003: As soon as students arrived on
    campus and plugged their un-patched, unprotected
    computers into the network, they were infected
    within minutes.
  • Nachi followed shortly after, and nearly made the
    network stand still.
  • Cleanup took all semester
  • Canisius RAs and RCCs with CDs to every room
  • Rockhurst IT staff went to every room with
    Virus scanning CDs.

6
The Students
  • Students did not know of the importance of
    installing Windows critical updates and running
    Anti-Virus software
  • Students expect their computers to clean
    themselves
  • Students expect complete and unrestricted network
    access
  • Students don't care how it works as long as it
    works

7
Goals for a new system
  • Ensure minimum desktop security standards are met
    on computers that are not managed by us but still
    need to connect to the campus network
  • Enforce standards without adding additional IT
    staff
  • Find a versatile, scalable, and complete solution
  • Protect the campus network

8
Previous Registration Systems
  • Canisius College
  • SWU's NetReg since Fall 2000
  • Spring 2004 (after Blaster outbreak), put
    Symantec AntiVirus web installer in front of
    registration page
  • Rockhurst University
  • No registration

9
Network Topology
  • Canisius College
  • Residents and Administrators share the same
    network
  • With Novell client installed, residence halls can
    access Novell server
  • Rockhurst University
  • Physically separate residence and core networks.
  • Residence halls have Internet access only

10
Possible Contenders
  • Canisius College
  • - Perfigo
  • - Bradford Campus Manager
  • - StillSecure Safe Access
  • Rockhurst University
  • - Perfigo
  • - NetReg (too much overhead to develop a
    complete solution)

11
Bradford Campus Manager
  • Decided on Bradford late May 2004
  • Purchased both the Registration box and the
    Remediation box
  • Classic Networking (one of Bradford's resellers)
    did the install the last week of July 2004
  • Do the homework that Bradford gives you
    beforehand

15
Bradford Campus Manager
  • Client software not delivered as promised
  • We chose not to use Nessus scans
  • Nessus scan could generate false-positives if the
    firewall was enabled
  • Did not want students disabling the firewall so
    that we can run the scans
  • Fall 2004: We opted for Registration Only

19
Fall Semester 2004
  • Network infested with viruses and worms
  • Disabled approximately 70-90 students throughout
    the fall semester
  • Easy to search for and disable computers in the
    Campus Manager interface
  • Disable by MAC address, so the student can't just
    plug into their roommate's jack
  • We knew we had to scan computers in some way
  • We started looking at CAT

20
What is CAT?
  • Client Assessment Tool from Classic Networking,
    Inc.
  • ActiveX Control used to scan Windows computers
  • All you need to run it is a web server
  • Can interface with NetReg or other home-grown
    registration system
  • Does not require a client installed on the
    student's computer

21
Various Features of CAT
  • Scan for AntiVirus software/current definition
    files
  • Scan for Service Pack Level
  • Enable Windows automatic updates
  • Scan for registry keys
  • Import/Delete registry keys
  • Disable network bridging
  • Enable DHCP on network cards

22
Late Fall 2004
  • Decided to go with CAT for the spring semester
  • Sent message in December to all resident students
  • Require SP2
  • Require Symantec Corporate Edition
  • Require current definition files
  • Set up web page with details
  • Advised students to work on their computers over
    break

23
Contingency Plan
  • Had plans A, B, C, and D
  • Plan A: Full requirements of SP2 and SAV with
    current definition files
  • Plan B: Still require SP2; make more use of SP2
    CDs distributed through the library
  • Plan C: Remove the SP2 requirement
  • Plan D: Back out of CAT altogether and just go
    with Registration again
  • Luckily, we were able to stay with Plan A

29
Challenges
  • Adware/Spyware/Viruses not allowing install of
    SP2 or SAV
  • Invalid Windows product keys
  • Symantec error messages
  • Trouble loading ActiveX control
  • Odd-ball error messages from CAT all stemmed
    back to Spyware/Viruses
  • High call volume at the beginning of the semester

31
Why were things better?
  • Students with infested machines could not get
    through CAT
  • Got a chance to get our hands on these machines
    and get them cleaned up
  • SP2 requirement
  • SP2 automatically enables the firewall
  • Symantec Corporate Edition requirement
  • Enabling of Windows Automatic Updates
  • Only disabled about 7 students

32
Cisco Clean Access (CCA) formerly known as Perfigo
33
Before allowing users onto the network
  • Recognizes
  • Who is connecting and what they are connecting
    with.
  • Evaluates
  • Identifies vulnerabilities on devices based on
    the policies you create.
  • Enforces
  • Makes sure policies are met before allowing
    network access.

34
What can it do?
  • Authentication (Works with LDAP authentication)
  • Verify that all Microsoft patches have been
    installed.
  • Verify Anti-virus software is running and
    up-to-date.
  • Enforce firewall rules based on role-mapping.
  • Nessus scanning of non-Microsoft operating
    systems.
  • Deny access to machines based on processes
    running on computer. (for example P2P programs
    running).
  • Deny access based on MAC address to manually
    remove known infected computers.
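
An added example, not part of the original slides or of either product: a minimal admission decision combining the checks listed for CAT and Cisco Clean Access (service pack level, antivirus running with current definitions, blocked processes, manual MAC deny list). The thresholds, role names, process name and MAC addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed policy values: the slides name the requirements but give no thresholds.
MIN_SERVICE_PACK = 2                       # "Require SP2"
MAX_DEFINITION_AGE_DAYS = 7                # assumption
BLOCKED_PROCESSES = {"example-p2p.exe"}    # hypothetical P2P process name


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Posture:
    """What a client scan reports about one computer."""
    mac: str
    service_pack: int
    av_running: bool
    av_definitions: date
    processes: set = field(default_factory=set)


def admit(p: Posture, disabled_macs: set, today: date):
    """Return (role, reasons); role is 'denied', 'quarantine' or 'full'."""
    # The manual deny list is keyed on the MAC, not the wall jack, and is
    # compared in normalized form so differing notations still match.
    if normalize_mac(p.mac) in {normalize_mac(m) for m in disabled_macs}:
        return "denied", ["MAC manually disabled"]
    reasons = []
    if p.service_pack < MIN_SERVICE_PACK:
        reasons.append(f"service pack {p.service_pack} < {MIN_SERVICE_PACK}")
    if not p.av_running:
        reasons.append("antivirus not running")
    elif (today - p.av_definitions).days > MAX_DEFINITION_AGE_DAYS:
        reasons.append("antivirus definitions out of date")
    blocked = sorted(x.lower() for x in p.processes if x.lower() in BLOCKED_PROCESSES)
    if blocked:
        reasons.append("blocked process: " + ", ".join(blocked))
    return ("quarantine" if reasons else "full"), reasons


# Constructed sample data.
TODAY = date(2005, 1, 20)
DISABLED = {"02-00-5E-AB-CD-EF"}
```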

35
Largest Issues with Deployment
  • Most student owned computers were infested with
    Spyware.
  • Microsoft released XP Service Pack 2 and a new
    version of Windows Update around the same time
    students were moving in.
  • Removing home versions of anti-virus and getting
    Enterprise McAfee installed.
  • Students still running Windows 95/98/ME added
    more overhead for policy creation.

36
Cisco Clean Access Components
  • Cisco Clean Access Server (formerly Smart Server)
  • Serves as an inline or out-of-band device to
    enforce network access control
  • Cisco Clean Access Manager (formerly smart
    manager)
  • Centralizes management for administrators,
    support personnel, and operators to view status,
    deny access, grant access and create policies.
  • Cisco Clean Access Agent (formerly smart
    enforcer)
  • Client for Windows-based scans

37
Rockhurst Network
38
Network Admission Process
40
Why choose one over the other?
  • Cisco Clean Access
  • All in one solution.
  • Highly scalable
  • Wireless Ready
  • Campus Manager w/CAT
  • Can manage switch ports.
  • Works together with Packeteer.
  • Manually rescan clients at any time.

41
Questions?