Higher education these days is big business, and colleges and universities have some of the most complex, diverse, and conflicting sets of network requirements around. They must support retail operations, protect student personal information, limit access to other sensitive data, provide a high level of connectivity and significant bandwidth, and support large numbers of people.
Gone are the days when the campus network was run by a group of computer science or engineering students. Today’s higher education networks are a significant asset that influences admissions as well as regular business operations. By incorporating a process of Audit, Analysis, and Automation, colleges and universities are able to operate large networks with small teams.
Audit, Connectivity & Capacity
A typical campus will encompass several buildings at a minimum. Many colleges and universities also have remote teaching facilities, so the network will also include a rather significant WAN component. A good network audit will identify the network infrastructure devices, their connectivity, and the clients and servers connected to the network. This is the first step toward a smoothly running network.
The LAN environment is typically a large switched network, hopefully following vendor design guides to increase reliability and efficiency. When problems occur in a switched environment, they can be difficult to track down, so tools that show connectivity of end stations and the operational configuration of spanning trees are very useful.
Students and faculty are taking advantage of online collaboration, performing research for papers, sharing files, creating web sites, and making phone calls. This puts a tremendous load on the network. The network staff must keep a close eye on what the network is doing and make sure that important services are not starved of bandwidth by lower-priority applications.
Even with high speed LAN interfaces, a lot of campus network teams are finding that the Internet connections are a major bottleneck. Open source packages like MRTG and Cricket have been the staple of watching link utilization. But the configuration of QoS across a network makes these tools a lot less useful (Cisco’s Class-Based QoS MIB – CBQOSMIB is one of the most complex MIBs we’ve seen and is difficult to monitor with these tools). Just monitoring link utilization isn’t sufficient in modern networks.
The network is a big system and must be monitored and analyzed as such. The challenge is finding tools that provide a system level view of the network.
Analysis & System-Level Views
In any large network, there are many operational parameters that should be checked on a regular basis, and many of them interact with one another. A simple example is that HSRP may be properly configured on two routers, but because of a cabling problem, only one is operational. Quite often, a failure that shouldn’t have happened was the result of a redundancy failure that went unnoticed. More complex examples involve the interaction between QoS settings and application performance.
Both examples are configuration and operational characteristics that go beyond device-level management into system-level management: looking at the collection of devices that together provide a service on the network, and checking whether that service is configured and operating correctly.
University network staff who use tools that automatically analyze the operational data collected from the network have an advantage here. They get to spend more time implementing corrections ahead of time instead of after a failure (proactive vs. reactive) and also have more time to work on new designs that significantly improve the network. The data collection and system-level analysis performed by such tools is the functionality that enables this approach.
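As an added illustration of the HSRP case above (not code from the original article), the following Python checks the redundancy pairing across both routers rather than each router in isolation. The "show standby brief" text is a constructed sample in the Cisco format, and the router names, VLANs and addresses are assumptions:

```python
from collections import defaultdict

# Constructed sample text in the format of Cisco "show standby brief" from two
# routers meant to back each other up. Group 10 is healthy; group 20's VLAN has
# no working link on rtr-b (a cabling fault), so rtr-a sees no standby and
# rtr-b sits in Init.
SHOW_STANDBY = {
    "rtr-a": """\
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110 P Active  local           10.0.10.3       10.0.10.1
Vl20        20   110 P Active  local           unknown         10.0.20.1
""",
    "rtr-b": """\
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100   Standby 10.0.10.2       local           10.0.10.1
Vl20        20   100   Init    unknown         unknown         10.0.20.1
""",
}

def parse_standby(text):
    # One router's own view: {group: {iface, state, active, standby, vip}}.
    groups = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[1].isdigit():
            continue                 # header line
        if len(f) == 8:
            del f[3]                 # drop the optional "P" (preempt) flag
        iface, grp, _pri, state, active, standby, vip = f
        groups[int(grp)] = {"iface": iface, "state": state, "active": active,
                            "standby": standby, "vip": vip}
    return groups

def check_hsrp_pairs(outputs):
    # System-level view: each group needs exactly one Active and one Standby
    # across all routers, all agreeing on the virtual IP. A missing standby,
    # two Actives (split brain) or an Init/Listen straggler is reported.
    states = defaultdict(lambda: defaultdict(list))   # group -> state -> routers
    vips = defaultdict(set)
    for router, text in outputs.items():
        for grp, info in parse_standby(text).items():
            states[grp][info["state"]].append(router)
            vips[grp].add(info["vip"])
    findings = {}
    for grp, by_state in states.items():
        if (len(by_state.get("Active", [])) != 1
                or len(by_state.get("Standby", [])) != 1 or len(vips[grp]) != 1):
            findings[grp] = {s: sorted(r) for s, r in by_state.items()}
    return findings
```

Each router on its own reports its group 20 as configured and running; only the cross-router check shows that the redundancy is not actually there.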
Automation & Security
Network security is a big problem in campus networks. Portable computers that have been infected are attached to the network every day. Even one misconfigured subnet could allow a virus into the campus network, creating a major slow-down and a lot of work for the network staff. Making sure that the network is properly configured to isolate, scan, and remediate infected systems is a big challenge, probably on par with that for compliance, as noted below.
Automated tools are required to check network device configurations daily. The best method for doing this verification is to verify that device configurations reflect the security policies designed into configuration templates. Any configuration change should result in a new copy of the configuration being archived and a check that the change complies with the network’s policies.
Automation & Compliance
Today’s compliance regulations affect much of the operation of a university network. There are retail operations for the bookstore, cafeterias, and other student functions. These must comply with the Payment Card Industry Data Security Standard (PCI) to protect credit card data from theft and fraud. Access to and modification of student grades, billing records, and financial aid information should be treated the same as a public corporation’s financial data, which is subject to Sarbanes-Oxley Act compliance regulations.
Student health records are certainly subject to the Health Insurance Portability and Accountability Act (HIPAA). Some universities perform sensitive research for federal organizations and this data must also be protected from unauthorized access and modification.
Making sure that a large university network is secure from unauthorized modification and that the defined policies are properly implemented is a big task. Manually checking hundreds of routers and switches is not feasible. Automated processes are required.
The normal method of implementing network configuration policies is to define the policy, then create templates for each class of device, and finally install the device-specific configurations in the network equipment (see diagram).
By checking the templates against the installed configurations, the installed network policies can be regularly validated. There are at least three places where this mechanism pays for itself. One is when new devices are installed in the network: the policy check makes sure that the installed configuration matches the approved policies. Another is detecting any unauthorized changes made to the network. Finally, one that isn’t often considered ahead of time is tracking which devices need to have their configurations updated when the policy changes.
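An added example, not the article's own tooling, of the template check just described: the device class, policy lines, running configurations and archive are all constructed samples. Each config is fingerprinted against its archived copy and compared with its class template, which covers the new-device and unauthorized-change cases; rerunning the same audit with a revised template lists the devices that a policy change leaves out of date.

```python
import hashlib
import re

# Constructed example policy, not a real campus policy: "required" lines must
# appear verbatim in the running config; "forbidden" regexes must match none.
TEMPLATES = {"access-switch": {
    "required": ["service password-encryption", "no ip http server",
                 "logging host 10.0.0.5", "ntp server 10.0.0.6"],
    "forbidden": [r"^snmp-server community \S+ RW"]}}
CLASSES = {n: "access-switch" for n in ("sw-lib-1", "sw-dorm-7", "sw-new-3")}

# Constructed running configs as the collector pulled them today.
GOOD = ("service password-encryption\nno ip http server\n"
        "logging host 10.0.0.5\nntp server 10.0.0.6\n")
CONFIGS = {
    "sw-lib-1": "hostname sw-lib-1\n" + GOOD,                  # compliant, untouched
    "sw-dorm-7": "hostname sw-dorm-7\n" + GOOD
                 + "snmp-server community public RW\n",         # unauthorized RW SNMP
    "sw-new-3": "hostname sw-new-3\nlogging host 10.0.0.5\n",  # new, half-configured
}
# Constructed archive: last saved copy per device (sw-new-3 has none yet).
ARCHIVE = {"sw-lib-1": CONFIGS["sw-lib-1"],
           "sw-dorm-7": "hostname sw-dorm-7\n" + GOOD}

def fingerprint(config):
    # Hash used to tell whether a config differs from its archived copy.
    return hashlib.sha256(config.encode()).hexdigest()

def check_compliance(config, template):
    # Required lines that are absent, plus lines a forbidden pattern matches.
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    missing = [r for r in template["required"] if r not in lines]
    forbidden = [ln for ln in lines
                 if any(re.search(p, ln) for p in template["forbidden"])]
    return {"missing": missing, "forbidden": forbidden}

def audit(configs, classes, templates, archive):
    # Per device: new / changed / unchanged versus the archive, plus compliance.
    # Rerun with a revised template to list devices needing a policy update.
    report = {}
    for name, config in configs.items():
        if name not in archive:
            status = "new"
        elif fingerprint(archive[name]) != fingerprint(config):
            status = "changed"   # a real tool would archive this new copy here
        else:
            status = "unchanged"
        report[name] = {"status": status,
                        **check_compliance(config, templates[classes[name]])}
    return report
```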
Audit: the big, complex networks used by higher education require a complete audit to know what’s on the network and how it is connected.
Analyze: collect configuration and operational data and analyze it from a system-level perspective to identify current and potential problems that should be corrected.
Automate: the repetitive process of auditing and collecting data and doing the analysis must be automated to the greatest degree possible. Provide mechanisms to allow the network staff to automate the tasks that consume large amounts of staff time.