Taking Command of the Campus Network

In an attempt to protect its computer network, Dominican University spent years looking for the right security solution. The Illinois university's new approach, spurred by a virus outbreak originating in the residence halls, validates all computers attempting to connect to the network and requires students to view an approve the school's computer security policy.

• By Bridget McCrea
• 01/06/11

Dominican University's IT security woes started about seven years ago, when a virus outbreak compromised its computer network. In the throes of student move-in that year, several viruses breached the River Forest, IL university's firewall via infected equipment that was brought on campus by students.

"Everything was fine until move-in weekend, when several residents physically 'walked around' our firewall and introduced viruses to the network," said Jill Albin-Hill, CIO. "At the time, we had no networking protection in place for non-university-owned equipment." Students were allowed to plug into the network in their dorms, obtain an IP address, and begin using their computers.

The IT team's first response to the outbreak involved updating individual machines with any missing software patches and running the repair tools for the specific viruses. "It was a significant effort," said Albin-Hill. "In fact, it's hard to think about how long we spent that semester fixing machines and teaching students how to update their own computers against the newest viruses."

Once the virus outbreak was under control, the university's IT team began thinking ahead to the upcoming move-in date, hoping to ward off another infiltration of the university's computer network. The solution it came up with was not only time-consuming, but also ineffective over the long term.

"We thought we could get in front of it by having students check their machines in with our department as they moved in," said Albin-Hill. "We had this brilliant idea to work through move-in weekend--and at other times--to verify every one of those machines to make sure they were updated and protected." Once those checks were performed satisfactorily, the students' in-room network connections were enabled.

Albin-Hill said eight IT team members worked overtime on move-in weekend, only to have the strategy fail on them about two weeks later when new viruses were introduced to the machines. "We were having problems by the middle of the semester," she recalled. "Even with all the checking in the world at the start of the school year, the students weren't keeping their machines up to date."

Back at square one, Dominican University's IT team sought out a better way to protect its network, while still allowing students the freedom to use their own computers and devices in the residence halls. After shopping around, it selected Cisco's Clean Access Agent to provide the networking authentication that the school required.

"We spent quite a bit of money on that solution, and on training for our technicians, but it was still just a stopgap for us," said Albin-Hill. "It fixing the machines upon the students themselves; we soon realized that the exercise was pretty complicated for them."

Those complications inevitably ended up on the shoulders of the IT department, which from 2005-2008 spent much time working on individual laptops and computers, both at the beginning of each semester and throughout the school year. On a positive note, the automated system helped the IT department reduce the number of hours spent working on such issues from 320 per month to 150 every month.

When it came time to upgrade the authentication system in 2008, Albin-Hill decided to look for an alternative. Three options were evaluated by her IT team, which chose the Safe Connect network access control system for what would hopefully end the school's 7-year-long struggle with network security.

The inline device was installed on the school's network, which includes defined, "public" areas and the WiFi that's available in its residence halls. To access the network with non-university-owned equipment requires authentication by the access control system, which intercepts and monitors all traffic. "You either get an IP address, or a message saying your computer needs to be checked," said Albin-Hill.

The first time a student attempts to connect to the network, the system spends several minutes checking the machine to ensure that its antivirus software is up to date, signature files are updated, and Windows updates are installed. Students then view and approve a copy of the school's IT security policy, and obtain an IP address to access the network. To avoid delays during the initial checks, the system can also issue "temporary" IP addresses, which expire after a certain period of time.

As an added measure, the university's student handbook and IT policy were updated to reflect the fact that students must have the appropriate antivirus software and updates installed on their equipment. "It's now part of our student code of conduct," said Albin-Hill. "We have judicial procedures to follow if someone is in violation."

So far, the network security solution is working well for Dominican University, whose IT team spent just 60 total hours working with residents to set up their computers on campus (compared to 320 per month in 2005). Drop-in appointments average about five to 10 minutes each (compared with 20 minutes or higher in prior years), with much of the work handled in a self-service lab set up in the IT department.

"Students have become more responsible overall for their own machines, which further reiterates the educational component," said Albin-Hill, "and helps everyone be good computer users."