Centralized Control
- By Wendy Chretien
- 06/01/08
As IP connectivity becomes the norm, end-user devices such as projectors, telephones, and laptops are an increasingly critical part of managing and protecting the campus network.
MOST HIGHER ED IT SHOPS have the management of their network infrastructure under control (with the possible exception of departmental servers distributed across the campus). The real headaches are end-user devices, whether they be laptops, handhelds, wireless access points, projectors, or phones. You may wonder how projectors and phones snuck into this group: It's because many are now network-connected, complete with IP addresses, thus becoming end devices on the network. In years past, these devices were not a concern for IT, because such systems were either outsourced or managed by a different department (such as Academic Technology or A/V Services). However, as IP connectivity becomes the norm, management of these devices is moving into the IT domain.
When it comes to managing these devices and the network they reside on, core concerns include prevention of the spread of malware (viruses, worms, Trojans, and the like), protection of confidential information, keeping software current, and maintaining hardware. With hundreds or thousands of end-user devices all over the campus (and frequently off campus as well), these tasks can seem insurmountable. While there's no magic-bullet solution, with the right tools, campuses can meet the challenge.
Keeping Projectors Running
Let's start with projectors. Simply having them connected via IP doesn't automatically achieve desired goals of minimizing downtime and lowering the total cost of ownership (TCO). To proactively manage projectors with these objectives in mind, the devices need to be equipped to monitor their own systems and report when there is a need for intervention by support staff. Another need is remote access and control, to perform routine, time-consuming, and costly tasks such as troubleshooting and shutting down projectors throughout a building, or even campuswide.
Today's projector models often come with networking capability as a standard feature, but this is not yet the default on lower-priced models, which may or may not offer networking as an extra-cost add-on. It's also important to note that since each manufacturer provides its own software package to manage its projector modes, projector management on many campuses means juggling multiple software programs. Still, the net result of any centralized projector control effort is reduced classroom downtime and greater faculty user satisfaction, when compared to a reactive management/ maintenance situation.
Many manufacturers support the Simple Network Management Protocol (SNMP) for management, including Barco, Dukane, Epson, Hitachi, Sanyo, and Sony. The Projector & Display Management Working Group, a program of the IEEE Industry Standards and Technology Organization, is developing an SNMP management information base (MIB) that would allow any SNMP network management package to communicate directly with projectors from all compliant manufacturers. This would allow personnel responsible for the maintenance of these devices to query them for inventory information (such as model number, serial number, and consumables part numbers), and to determine when parts need to be replaced. As of April 2008, the first draft was nearly ready to be compiled, but an expected date for release of the MIB was not yet published.
Another key part of the projector management equation: people. At most institutions, IT doesn't necessarily control the acquisition of all classroom technology. For example, if a campus has a separate classroom technology (A/V) department, IT should work with those staffers to select projector systems with built-in management functions. Any department that is responsible for projector maintenance will immediately understand the benefits of centralized IP-based management. However, due to little or no experience with centralized management of devices, that department may want help from IT to put projector management into practice.
Protecting Telephone Systems
As IP telephones become the norm, concerns are arising that these devices may also be vulnerable to malware, or could become "attack vectors" (an open door for hackers to get into the network). Previous generations of telephone systems were completely standalone and ran highly proprietary operating system software. Now, most back-end telecommunications equipment consists of servers running ubiquitous operating systems such as Microsoft Windows or Linux, leaving those servers subject to many of the same vulnerabilities as regular network servers. So, a potential virus "injected" by a desktop IP phone is now an all-too-valid concern. As with projectors, the various IP telephone manufacturers each provide their own software to manage and control their systems. Fortunately, most manufacturers of IP telephone systems either are network systems companies like Cisco Systems; telephone companies that have purchased network firms, such as Alcatel-Lucent and Nortel; or independent phone manufacturers that have aligned themselves with network companies, e.g., Mitel, which partners with Hewlett-Packard. Thanks to those companies' network expertise, their IP telephone systems can be managed via the campus network, and sometimes even via the same software package used to manage network switches.
Then there are the smart phones. At some higher ed institutions, IT is responsible for faculty and staff members' smart phones, so protecting those devices is something that must be considered. After all, they run operating systems such as Windows Mobile, Palm, and Symbian-- and, of course, operating systems can be hacked. SMobile Systems, Symantec, Airscanner, and F-Secure are all examples of companies that supply antivirus software for smart phones and in some cases, the ability to trace and disable the device if it is lost or stolen. In most cases, updates for these packages can be automated, but someone must initially load the software, configure the devices to use it, and ensure the software licenses are kept current. This is no trivial matter. Still, the effort is worthwhile, to be sure that an institution's confidential data won't fall into the wrong hands.
Controlling Wireless Access
The ability to centrally control and manage wireless access points is still mostly proprietary by manufacturer, but highly useful all the same. Early versions of wireless access points needed to be configured and managed as individual devices; with scores or hundreds of these devices scattered across a campus, the management burden became enormous. The trend toward centralized control began with startup companies that saw this problem as an opportunity, and won over many higher ed institutions by providing effective solutions. Examples include Aruba Networks, Meru Networks, and Trapeze Networks, all of which have had success in the higher ed market. Johnson & Wales University (RI) and Olivet Nazarene University (IL) both employ Aruba wireless systems. Meru customers include the University of Illinois and The University of Texas at Dallas. Big wins for Trapeze include The University of Utah and the University of Minnesota. Through these solutions, software updates and configuration changes to all of the access points (or selected subsets of them) can be made at one time, rather than needing to be made at each access point individually. This universal configuration capability results in potentially enormous time savings. By now, nearly all manufacturers of WLAN equipment have jumped on the centralized control bandwagon (including the undisputed market leader Cisco Systems), but some of the smaller firms still lead the way.
The One-Two Punch
Finally, we come to the greatest challenge: laptop and desktop computers. How do we keep them safe and up-to-date, without making life harder for users? Here, a two-pronged approach is most effective: Combine remote control/support and network access control.
The key reasons to invest in remote control/support packages are the abilities to a) push out new software updates automatically, and b) allow support technicians to troubleshoot and fix end-user computers remotely, without leaving their desks. Available options for remote control and support include NetSupport Manager; LogMeIn IT Reach, a web-based service; and the original remote-control software, Symantec pcAnywhere. The latter two products work on computers running Macintosh and Linux, as well as Windows operating systems. This is a wellestablished market; implementing remote control is not a risk-taking endeavor. But like any new initiative, it's important to provide training to IT staffers, or it may be a less-than-total success.
Network access control tackles centralized management from a different perspective. NAC prevents the spread of malware and secures data by requiring users to log in to a centralized server or appliance that checks each device (such as a laptop computer), to ensure it meets current campus standards for antivirus and other required protective software. At the same time, the central system can authenticate the user of that computer before he or she is allowed to access networked/shared resources. These systems are often tied into the network directory service, enabling the maintenance of just a single repository of user permissions and privileges.
Network access control has become such a sweeping topic that it can't be done justice here, but be aware there are three overarching NAC frameworks: Cisco's Network Admission Control (CNAC), Microsoft's Network Access Protection (NAP), and the Trusted Computing Group's Trusted Network Connect (TCG/TNC). When considering an NAC solution, check with vendors as to which of these frameworks they support and why. This technology is still new enough that there is a lot of positioning going on among vendors, so it's a good idea to exercise some caution in making an NAC vendor selection. Or, it may be advisable to first put into place some of the other centralized control techniques discussed previously, and then revisit NAC when that technology is more settled.