
Cisco NAC Appliance (Clean Access)

California High School District Safeguards Network, Improves Service

Campbell Union High School District uses NAC appliances to simplify network management and security.

Challenge

The Campbell Union High School District (CUHSD) comprises seven schools serving 7500 students in grades 9-12, with a total faculty and staff of more than 650. A gigabit fiber network in a hub-and-spoke configuration links some 2500+ computers in the schools and district offices, with additional access provided by a fully saturated Wi-Fi network across all seven campuses.
Like many institutional networks, CUHSD's network had grown in a variable fashion that left it, five years ago, in a somewhat vulnerable state and subject to frequent virus infections. Users could bring laptops into the district and log on, and suddenly unsuspected viruses would start running across the network. One such incident took the district's IT staff three weeks to resolve completely.
The district has long been committed to enriching students' educational experiences and providing them with the learning resources and opportunities necessary to be competitive in college and beyond. To maintain that tradition, the district needed to restructure its network management, access control, and security. When district voters passed a $100 million bond measure, with explicit language enabling the CUHSD to upgrade its computers and other technology, the time was right.

Solution

The CUHSD had a five-year technology plan in place, but it was forced to act on a problem with its telephones sooner than anticipated.
"The plan was to phase in a new infrastructure over the course of a year," says district IT director Charlie Kanavel. "But our antiquated phone system was literally dying before our eyes. We had no choice but to undertake a 'rip-and-replace' of all our old equipment, starting with the phones, and we had to get it all done in one summer."
Terry Peluso, who shared the district's IT director role at the time, sought Cisco's help. Thanks to Terry's efforts and Cisco's willingness to tackle the district's problems immediately, the project was underway.
The district installed an all-voice over IP (VoIP) phone system with 700 Cisco® IP phones integrated with the Cisco Unity® voice and unified messaging platform. IP cameras and Cisco WebEx™ were installed to enable videoconferencing among the administration and staff. And a Wi-Fi network blanketed CUHSD's seven campuses and district offices, with controllers at more than 250 points, providing access for students' and employees' laptops, PDAs, cell phones, and other devices.
Meanwhile, the network infrastructure was revamped and upgraded with:

• 450 new Cisco Catalyst® switches and the CiscoWorks LAN Management Solution (LMS) for ease of configuration, administration, monitoring, and troubleshooting

• Firewall, intrusion prevention, VPN, and communications and content security services provided by a Cisco ASA 5500 Series Adaptive Security Appliance

• A Cisco Security Monitoring, Analysis, and Response System (MARS) that provides security monitoring for network devices and host applications from both Cisco and other vendors

Cisco Network Admission Control (NAC) was the unifying security measure for these vast IT improvements, serving not only overall network security but also the optimization of services for the district's students, teachers, and staff. Cisco NAC recognizes users, their devices, and their roles in the network at the point of authentication. It ascertains whether each device is equipped with the latest patches and virus protection. If it is not, the device is redirected to a separate VLAN, which acts as a quarantine area until the device can be made compliant with network policies. As a result, viruses and malware are eliminated before they can cause damage.
Cisco NAC allows the IT staff to manage user access and authorization remotely. Each student receives a username and password when he or she first matriculates at a district school. This unique login, integrated with the district network's Active Directory, stays with each student until graduation, as does a secure user folder. Network administrators authorize access to network resources (everything from assignments and study aids to applications, classroom discussion podcasts, and other content in a variety of media) according to each student's current schedule of classes.
Cisco NAC manages access rights for teachers, administrators, and other staff members in the same way. Once authenticated by their unique usernames and passwords, all users are authorized to use only the network resources that they need according to their unique profiles in the Active Directory.
"With Cisco NAC in place, I like to say that our users get to operate in their own 'silos'," says George Bobias, the CUHSD network administrator. "By that, I mean they're presented only with the content, applications, and other resources they need, rather than a blizzard of choices to sort through."

"Every day we have 7500 student users, plus up to a thousand visitors, all with their own devices. Hundreds of teachers leading hundreds of classes, each with its own curriculum and associated content and resources. That makes for a lot of 'stuff' on the network. Cisco NAC enables everyone to find and focus quickly on what they need and want."

- Charlie Kanavel, director of IT, Campbell Union High School District

Results

Kanavel, the CUHSD director of IT, agrees that a key benefit of Cisco NAC is the better user experience that it delivers to everyone on the network.
"I came here from the private sector," he says. "There, most users need and use pretty much the same applications and content. But this school district is bigger and more complex than most private companies.
"Every day we have 7500 student users, plus up to a thousand visitors, all with their own devices. Hundreds of teachers leading hundreds of classes, each with its own curriculum and associated content and resources. That makes for a lot of 'stuff' on the network. The NAC enables everyone to find and focus quickly on what they need and want."
Users can also access those resources from any device, anywhere. That's a crucial requirement, because more and more students, teachers, and staff use their personal laptops, and a majority of students have Internet access from home.
"We're just here to help," Kanavel says. "You can log on with any device you've got, as long as it's not going to compromise the network. Cisco NAC forces you to keep your virus software current and otherwise keep your device in 'good health.'"
Of course, everyone benefits from the rock-solid reliability of the network. Since Cisco NAC has been in place, there have been no virus or malware problems.
"That's as big for our users as it is for us," says the IT director. "No more having your use of the network interfered with. Students love it. Teachers love it. 'Now I can just do my job,' they say."
With a department of only six people, himself included, Kanavel has no trouble identifying the biggest business benefit of Cisco NAC: it reduces the burden on his limited IT resources. Instead of running around turning ports on and off or mopping up after viruses and intrusions, Kanavel, Bobias, and their staff technicians can focus on improving the network, expanding its capabilities, and helping users make the most of it.
"We have been thrilled with the results of this new system," says Dr. Rhonda Farber, superintendent of schools for the CUHSD. "The tremendous effort that Cisco and our staff put into this project has resulted in a safe, reliable, less costly, and considerably more efficient system for our district. And it has exponentially enhanced learning opportunities for our students and staff."

Next Steps

The focus now is on the future, and the secure access combined with availability and reliability provided by Cisco NAC is the foundation of that future. The district is currently building a new data center with redundant heating and cooling, 13 racks for its current array of 40 servers, and room to grow. On the services side, the district is migrating to a virtual infrastructure: thin clients at the user level, with all the "computing" done at the server level. Installation of a Citrix Systems virtual desktop solution is already under way.
"The virtual model means less network management for us," says Kanavel, "while it lets students access their educational services and resources, including their personal user folder, from any browser."
"Where and how kids learn is evolving," he continues. "For example, it's not unusual to see them watching podcasts of classroom discussions on their cell phones while they eat lunch. Our mission is to drive educational resources to all the points where learning happens. The power and versatility of the Cisco network makes that possible."