
Features

September 2008

Cover Story

The Wisdom of Simple Security

DePaul University chooses an SSL VPN to connect students and staff seamlessly and easily to its wireless network.

Joe Salwach, associate vice president for information services at DePaul University, chose an SSL VPN for wireless access for students, staff and faculty.

When DePaul University in Chicago first made wireless connectivity available to students and staff, the wireless network relied on basic Wired Equivalent Privacy (WEP), a single static shared key used both to join the network and to encrypt its traffic, and was treated as an extension of the hard-wired network ports already available in offices, classrooms, labs, libraries and other areas. This Wi-Fi connectivity allowed faculty, students and staff with laptops to move around campus with ease while staying connected to the network. Security and information services (IS) management, however, became a nightmare.

"DePaul originally distributed complex WEP keys to end-users, which caused confusion, lost keys and lots of calls to the help desk," says Joe Salwach, associate vice president for information services.

WEP is also cryptographically weak. Its RC4 keystream is derived from the static shared key and a 24-bit initialization vector that repeats on a busy network, so an attacker who captures enough frames can recover the key without ever authenticating. Salwach noted emerging studies in which WEP had been broken within a few minutes of passive eavesdropping by an attacker. Whatever precautions DePaul took beyond WEP, running an authenticated, encrypted protocol such as SSL on top of the wireless network became imperative, and DePaul decided it needed to phase out its existing WEP deployment in favor of a more secure wireless authentication solution.

"The turning point came when we decided to implement about 100 access points in a residence hall at our Lincoln Park campus," says Salwach. "We wanted to provide wireless coverage to the students living in our halls in addition to their existing wired connectivity.

"Since we're so geographically dispersed, we didn't want to manage distributed boxes. We wanted to centrally control it out of only one campus," says Salwach. After ruling out an IPSec VPN approach, because it would require hands-on installation and maintenance of clients on widely distributed and unmanaged student machines, DePaul chose to evaluate SSL VPN solutions that could enable users to easily set up and connect via the Web without IS intervention.

Founded in 1898 on the teachings of the 17th-century French priest St. Vincent de Paul, DePaul University has grown to become one of America's top private universities, with a 2007 enrollment of 23,401 students, 1,790 full- and part-time professors, and more than 130,000 alumni worldwide, including Chicago Mayor Richard Daley. While DePaul's students reflect a broad range of ethnic, religious, geographic and economic backgrounds, they increasingly share a common demand for easy and secure wireless connectivity to university resources.

"More and more students are just expecting easy-to-use Wi-Fi," says Salwach, "and more colleges are providing it."

EASE OF USE REQUIRED

DePaul needed a solution that could ensure that the network, data and the university applications would be secure. The size of its student body, as well as the physical size of its extensive campus, necessitated that DePaul find a wireless security solution that would be easy for students to use, and make it easy for IS to control centrally all access to the university-wide wireless network. "Improving ease-of-use and security were two key factors in our selection process," says Salwach.

"The purpose for the new secure wireless solution was to get 23,000 students on wireless easily, without needing much support," adds Salwach. "Our single most important criterion was ease of student use. We wanted a solution that provided self-remediation so that we wouldn't be bogged down with support calls."


Another key factor was integration with the existing infrastructure. DePaul's Lincoln Park campus is a large urban campus with wireless network access throughout multiple buildings, served by Cisco 1200 and 1240 Series wireless access points. The solution had to integrate easily and cost-effectively into DePaul's existing network environment, so it could be deployed in time for the fall term.

The solution also required transparent cross-platform support, so that DePaul IS would not have to support clients on multiple operating systems and unmanaged student endpoint devices. "It had to support clients that were compatible with Mac OS and Linux, as well as Windows," says Salwach. It also needed to provide DePaul's students, administrators and staff with easy-to-use, secure access to any authorized application using SSL VPN tunneling.

DePaul launched an exhaustive search for a solution that would authenticate and log every user accessing the wireless network across multiple buildings on a large urban campus. Initially, all the wireless security vendors it looked at required DePaul to use that vendor's proprietary access point hardware and other infrastructure, and did not necessarily integrate well into DePaul's existing, complex network.

FORKLIFT CHANGE AVOIDED

DePaul's IS team did not want to have to rip out existing infrastructure and spend to replace it with a single vendor solution in order to provide a single, authenticated wireless access solution. "The vendor had to be willing to support us with our relatively unique deployment of securing Wi-Fi over SSL VPN tunneling," says Salwach. "We needed a wireless solution that would work for our environment, not the other way around.

"After researching a number of leading SSL VPN solutions for wireless security," says Salwach, "we chose to go with the SonicWALL Aventail E-Class SSL VPN." The decision also allowed DePaul to solve its wireless authentication problem, while at the same time providing more traditional VPN access from the same appliance.

Salwach deployed a pair of load-balanced SonicWALL Aventail E-Class EX-2500 appliances in high-availability mode, running SonicWALL Aventail's enhanced SSL VPN platform. The solution supports SSL VPN Wi-Fi authentication for roughly 350 Wi-Fi access points, including 180 wireless access points located in student residence halls.

"We targeted primarily spots where students congregate, such as libraries and cafeterias, and overlaid the wireless deployment," says Salwach. "Our law school has it deployed in the classroom. We also have targeted classroom coverage as requested by academic departments."

DePaul's IS team designs, installs and manages all wireless standards and equipment on campus. To prevent wireless users from unintentionally connecting to rogue access points, or from using devices that are not secured and managed in compliance with IS standards, policy prohibits any other group within the university from installing, attaching or deploying wireless hardware or software.

The deployment went live over the summer break at the same time for all the campuses. "The deployment itself went very smoothly," says Salwach. "It took about 20 minutes to configure the whole thing. Initially, it was a very simple deployment as far as policy. Everyone logs into the same place and gets the same rules."

When the students came back, however, the implementation did go through some growing pains. "Given our unique use and capacity, we weren't surprised to experience some minor stability issues."

AUTHENTICATION AND ENCRYPTION

The solution functions as a wireless network access control (NAC) gateway to enable secure remote access for all users across the university's campus-wide wireless network. "All you need is a wireless card that supports the IEEE 802.11b or g standard, and a device to connect to the network with all current security updates and patches installed," says Salwach.

The EX-2500s provided DePaul with SSL VPN authentication and encryption capability without having to redesign the existing wireless network. All wireless users on the DePaul campus first connect to a segregated network with no access to any internal or external (public Internet) resources. Similar to the way users access the Internet using commercial hot spots, when DePaul users launch a browser to access a URL they are redirected to an access portal. Rather than entering an Internet service provider account or credit card number to proceed to the Internet, DePaul users must instead provide their valid DePaul login information to obtain Web access.

"We gave the Aventail its own SSID code and created its own network to sit on," says Salwach. "The network has its own VLAN, with its own range of IP addresses. The access points serve up the wireless network and Aventail secures the traffic. If you get on the network, until you log in through the SSL VPN and connect your session, you can only get to the instruction pages. We do a RADIUS authentication through a home-grown mid-tier server to the university's central authentication source."
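The RADIUS leg of that login, as an added example that is not code from the article, from DePaul or from SonicWALL: a minimal RFC 2865 PAP exchange simulated in one process, with the gateway hiding the User-Password attribute under the shared secret and then verifying the Response Authenticator on the reply, so that a reply forged or altered on the path between gateway and authentication server is rejected. The user database, shared secret, identifier and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Added example of an RFC 2865 Access-Request / Access-Accept exchange.
# Not DePaul's or SonicWALL's code; USERS and SECRET are constructed sample data.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, then block_i XOR MD5(secret || previous)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; padding NULs are stripped (a password cannot end in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(username: str, password: str, secret: bytes, ident: int):
    """Gateway side: fresh random Request Authenticator, User-Password hidden under it."""
    req_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return packet, req_auth


def handle_access_request(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side (the mid-tier in the article): recover the password, decide, sign the reply."""
    if len(packet) < 20:
        raise ValueError("not a well-formed Access-Request")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    supplied = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    # constant-time compare; an unknown user still goes through a (dummy) compare
    expected = users.get(user, "").encode()
    ok = user in users and hmac.compare_digest(expected, supplied)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    head = struct.pack("!BBH", reply_code, ident, 20)      # no attributes in this reply
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def verify_reply(reply: bytes, req_auth: bytes, secret: bytes, ident: int) -> bool:
    """Gateway side: trust an Access-Accept only if its authenticator binds it to our request."""
    if len(reply) < 20:
        return False
    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    if reply_ident != ident or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20]) and code == ACCESS_ACCEPT


def authenticate(username: str, password: str, secret: bytes, users: dict,
                 tamper: bool = False) -> bool:
    """One full exchange. With tamper=True an on-path attacker rewrites Reject as Accept."""
    request, req_auth = build_access_request(username, password, secret, ident=7)
    reply = handle_access_request(request, secret, users)
    if tamper:
        reply = bytes([ACCESS_ACCEPT]) + reply[1:]   # code changed, authenticator not recomputable
    return verify_reply(reply, req_auth, secret, 7)


# Constructed sample data: hypothetical user, password and shared secret.
USERS = {"jdoe": "correct horse battery staple"}
SECRET = b"example-shared-secret"

if __name__ == "__main__":
    print(authenticate("jdoe", "correct horse battery staple", SECRET, USERS))  # True
    print(authenticate("jdoe", "wrong password", SECRET, USERS))                # False
    print(authenticate("jdoe", "wrong password", SECRET, USERS, tamper=True))   # False
```

Two caveats a practitioner would add to this picture: the MD5-based password hiding and the shared-secret authenticator are all the protection RADIUS itself gives, so the secret must be long and random and the gateway-to-server path (the "home-grown mid-tier" above) should run over a protected link rather than the same network the students use; and other attributes in the exchange travel in the clear.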

DePaul University's administrators, staff and students can now securely and remotely access internal or external applications and files based on their login credentials, as well as the identity and integrity of their connecting desktop, laptop or mobile device. To further reduce help-desk calls, the solution lets users connect seamlessly across IS-managed or unmanaged device platforms, whether they connect over SSL VPN tunneling from Windows, Macintosh or Linux endpoint devices.

By applying Layer 3 network connectivity over SSL, the solution allows students and staff to access university resources from virtually any endpoint environment. The SSL VPNs offer a closed tunnel by default, providing DePaul with better security than other solutions IS staff had considered.

"We require a minimum specified Windows patch level to protect against remotely exploitable network attacks," says Salwach. SonicWALL Aventail End Point Control lets DePaul identify a connecting device and assess its integrity at a granular level across a wide range of endpoints. DePaul combined this with SonicWALL Aventail Unified Policy Zones to create quarantine zones that block access from devices running out-of-date operating systems, which raises the level of security and control while reducing user support demands on IS.
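The posture check behind those quarantine zones, as an added example that is neither DePaul's configuration nor SonicWALL End Point Control code: the endpoint scan result is reduced to an OS family and a (major, minor, service pack) level, compared against a minimum per platform, and anything the scan cannot vouch for is placed in the quarantine zone rather than the campus zone, with the reason that a remediation screen would show. The report format, the zone names and the minimum levels are assumptions.

```python
# Added example (not DePaul's or SonicWALL's code): a fail-closed posture-to-zone
# decision. Report format, zone names and minimum levels are hypothetical.

# Minimum (major, minor, service_pack) per OS family; any other family is unknown.
MINIMUM_LEVEL = {
    "windows": (5, 1, 2),    # hypothetical: Windows XP SP2 or later
    "macos": (10, 4, 0),     # hypothetical: Mac OS X 10.4 or later
    "linux": (2, 6, 0),      # hypothetical: 2.6 kernel or later
}


def parse_posture(report: str) -> dict:
    """Parse a 'key=value;key=value' scan result (constructed format).
    Missing keys stay missing so the policy can fail closed on them."""
    out = {}
    for field in report.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def _level(posture: dict):
    """(major, minor, sp) from the report, or None when it cannot be established."""
    try:
        major, minor = (int(x) for x in posture["version"].split(".")[:2])
        return (major, minor, int(posture.get("sp", "0")))
    except (KeyError, ValueError):
        return None


def assign_zone(report: str) -> tuple:
    """Return (zone, reason). Unknown or unparsable posture is quarantined, never trusted."""
    posture = parse_posture(report)
    family = posture.get("os", "").lower()
    if family not in MINIMUM_LEVEL:
        return ("quarantine", "unsupported or unreported operating system")
    level = _level(posture)
    if level is None:
        return ("quarantine", "patch level not reported by endpoint scan")
    need = MINIMUM_LEVEL[family]
    if level < need:   # tuple comparison: major, then minor, then service pack
        return ("quarantine",
                f"{family} {level[0]}.{level[1]} SP{level[2]} is below the required "
                f"{need[0]}.{need[1]} SP{need[2]}")
    return ("campus", "endpoint meets the minimum patch level")


def remediation_text(report: str) -> str:
    """What the user would see instead of the network when the check fails."""
    zone, reason = assign_zone(report)
    if zone == "campus":
        return "Access granted."
    return f"Access denied: {reason}. Contact the help desk for help updating your system."


if __name__ == "__main__":
    # Constructed scan results: XP with no service pack (the case cited in the article),
    # XP SP2, a Mac, and a device that reports nothing useful.
    for sample in ("os=Windows;version=5.1;sp=0", "os=Windows;version=5.1;sp=2",
                   "os=macOS;version=10.5", "os=Windows", ""):
        print(repr(sample), "->", assign_zone(sample))
```

The point of the two quarantine branches before the version comparison is that a scan which reports nothing, or reports a platform the policy does not know, is not waved through; the article's experience with "a machine that has XP with no service packs on it" is exactly the case the comparison catches.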

"If the solution doesn't see the patch during its End Point Control scan, the user is denied remote access, and gets a remediation screen explaining why they got dropped and telling them to contact the help desk for assistance in getting the patches updated," explains Salwach. "We had originally hoped to proxy them to the Windows update service, but that proved difficult to proxy directly.

"Rarely do people call information services to give us praise," says Salwach. "But given the large number of users that go through this thing (on an average week, we see about 3,000 unique logins on the SSL VPN), the complaints are not major. Most of the problem is that we have a wide range of client bases. You can be coming in with a machine that has XP with no service packs on it. The problems are caused by the large client base rather than with the SSL VPN itself."

DePaul also decided to extend SSL VPN to provide remote access for its staff Web engineers working from home. "We purchased a second EX-2500 pair and are using them to secure remote access to our services in our data center behind our firewall," says Salwach. "Whether you run a Web server and want to update the university Web site or need to access a database behind the firewall, you have to log in over the SSL VPN to gain access to those services based on user credentials and group membership to determine what servers you have access to."

For now, IS will continue to deploy 802.11b/g and skip an 802.11a deployment. "Our future goal is to make all campuses completely wirelessly accessible," says Salwach.

About SonicWALL

Matt Medeiros

Founded in 1991, Sunnyvale, Calif.-based SonicWALL designs, develops and manufactures comprehensive network security, e-mail security, secure remote access and continuous data protection solutions. The company has developed and acquired enterprise best-of-breed solutions over the last few years to compete against the leading enterprise security players. More than one million SonicWALL appliances have been shipped through its global network of 10,000 channel partners.

Prior to joining SonicWALL, Matt Medeiros served as president and CEO of Philips Components. As the chief architect of the liquid crystal display (LCD) joint venture between Philips Electronics and LG Electronics, Medeiros established Philips as a leader in flat displays. Medeiros also has extensive background in PC manufacturing, operations and materials management following executive positions at Radius, NeXT Computer and Apple Computer. He graduated from the University of San Francisco with a bachelor's degree in business administration.
