Trellix

Kansai University

Kansai University chooses McAfee's next-generation IPS,
strengthening security governance behind the scenes
while maintaining convenience amid the rapid increase in smart devices.

POINT
  • Improving convenience and strengthening security of on-campus systems
  • Responding to the latest threats with state-of-the-art security technology such as reputation linkage
  • Improving literacy by isolating terminals infected with malware and alerting the affected users

Mr. Nishiwaki, System Management Division, Academic Information Office, Kansai University
Mr. Kakimoto, Assistant Manager, System Management Section, Academic Information Office, Kansai University

Reconstruction of the on-campus wireless LAN environment due to the rapid increase in the use of smart devices

Established in 1886 as the first law school in the Kansai region, Kansai University has 13 faculties, 12 graduate schools, 3 professional graduate schools, and 1 special course on four campuses in Osaka Prefecture. It has grown to become the largest private university in western Japan with approximately 30,000 students. It is popularly known as "Kandai".

The university, which prioritizes free learning opportunities and research activities, has a policy of providing an environment in which students and faculty members can freely use IT, while achieving a high level of security and safely maintaining and managing the network environment on campus.

Therefore, in addition to installing an integrated firewall on layer 7 of the campus network, we have also installed area-specific firewalls for each school building to maintain a secure network environment through dual management.

Also, in the past, the wireless LAN was operated under the control of the on-campus network proxy, but with the rapid increase in the use of smart devices such as smartphones and tablet terminals, the operation mode was reviewed and a new on-campus wireless LAN environment was constructed, separate from the existing wired LAN.

However, by expanding wireless LAN to all campuses and promoting its use, the number of terminals connected to the campus system increased, and security risks increased, which became a major problem. If there is an increase in the number of connections from terminals that do not support antivirus, terminals that have not been updated with definition files, or highly vulnerable operating systems such as Android, there is concern about the spread of malware from wireless LAN networks to wired LANs. There was also concern about an increase in the use of applications that violate security policies, such as P2P.

Creating a system that protects security while respecting the autonomy of students and faculty

“Universities are propositioned to provide an open and free network environment, but on the other hand, it is not possible to force them to strengthen security uniformly like companies. Strengthening security governance at a level that does not require it has become a major issue.”

That's what Mr. Nishiwaki of Kansai University's Academic Information Secretariat System Management Division said. University systems are burdened with various issues, such as shared use of servers inside and outside the university, a mixture of different systems such as administrative systems and research systems, and widening the bandwidth of networks as the size of data such as research data increases. On the other hand, since an atmosphere of freedom and independence with few restrictions is required, it is difficult to implement a strict security policy comparable to that of a company, and the reality is that it is difficult to impose restrictions.

Therefore, Kansai University turned its attention to IPS (intrusion prevention systems). We determined that a gateway-type IPS, which does not require changing settings on the terminal side, is the best way to create a system that protects security behind the scenes while respecting the autonomy of students and faculty. In addition, Mr. Nishiwaki insisted on an appliance.
"Because the university's network is managed by a small number of staff in the system administration department, considering the 35,000 users, including students and faculty, it would be better to choose an appliance that requires less time and effort from installation to day-to-day operation. I thought it was wise." (Mr. Nishiwaki)

The ability to respond to the latest threats without delay determines the superiority of IPS

A project to build a new wireless LAN system started at the end of 2011. In parallel with this, the university compared the IPS proposals from each vendor and, after considering the overall balance, selected the IPS "McAfee Network Security Platform" provided by Macnica.

Mr. Kakimoto, Assistant Manager of the System Management Division, Academic Information Secretariat, Kansai University, explains the decision to select McAfee Network Security Platform as follows. “When choosing an IPS, even if you compare the logic, behavior, response, etc., it seems that there is not much difference between the latest technologies. McAfee has the latest reputation database that collects threat information from all over the world and one of the world's largest research institutes. Detection technology is also advanced, so we judged it to be the most reliable.” (Mr. Kakimoto)

In addition, since McAfee Network Security Platform is sized based on network communication volume rather than user licenses, the pricing system, which does not incur additional costs even if the number of users increases, was an important point for a university with many students.

On the other hand, Mr. Nishiwaki emphasizes that choosing McAfee Network Security Platform was effective in shortening the introduction period and reducing the burden of operation management. “In general, many IPS products are difficult to use without customization, but you need a specialized team with skills to customize them in detail. It is helpful to be able to operate almost exactly according to the security policy without any changes. This kind of recommended setting is a merit unique to McAfee, a major vendor that has a wealth of introduction results in Japan and gathers a lot of information.” (Mr. Nishiwaki)

Accurately detect unauthorized communications from terminals, without omission

We started building a wireless LAN in the summer of 2012, and at the same time introduced McAfee Network Security Platform. Operation began in September 2012. To match the configuration of the network line, two units, an active unit and a standby unit, are deployed redundantly, so even if one unit crashes, failover can be performed quickly and safely without interrupting communication, and unauthorized communication can be detected without omission.

According to Mr. Kakimoto, the use of McAfee Network Security Platform has made flexible operation possible: only unauthorized communications are stopped, and normal communications continue in accordance with security policies. In addition, since the hardware is specially designed for IPS, throughput will not drop even as the number of users and the volume of traffic increase.

An opportunity to call attention to the seriousness of the problem without hindering convenience

Mr. Nishiwaki expects McAfee Network Security Platform to be useful in terms of improving user literacy. The current firewalls can only stop communication at layer 7; users are merely puzzled by the disconnection, and it does not lead to a fundamental solution. This is where McAfee Network Security Platform's "Host Quarantine" feature is effective.

Host Quarantine blocks all communications from the source host for a certain period of time from the moment it detects illegal communications, and displays a pop-up on terminals infected with malware to alert users. If necessary, it guides the user to the quarantine remediation site (fix portal), semi-automating the application of the latest patches.
“It's effective not only if you're infected with malware, but also if you're using an application that violates security policies. Some students don't have any doubts about using P2P, so we needed a way to make them aware of it. By using Host Quarantine, it is possible to call attention without forcing it, and I think it will be a good opportunity to raise awareness of the seriousness of the problem and improve literacy.” (Mr. Nishiwaki)

In addition, Mr. Kakimoto talks about the future as follows. "Although no specific incidents have occurred yet, it will be important to accurately detect unauthorized communications from brought-in terminals and how McAfee Network Security Platform will be involved as a means to lead to a solution. Now it's time for the real thing." (Mr. Kakimoto)

In the future, Kansai University plans to expand the range of wireless LAN access points and to provide a communication service specializing in smart devices in order to deliver notices to all students. Smart devices are also expected to be widely used in classes and similar settings, and the university hopes that improving the on-campus infrastructure will lead to improvements in education itself.

Mr. Nishiwaki says that it is important to consider what kind of benefits wireless LAN can bring to education as the number of users using smart devices rapidly increases. "We trust Macnica, and we look forward to its continued full support."

User Profile

Kansai University
Location: 〒564-8680, 3-3-35 Yamate-cho, Suita-shi, Osaka (Senriyama Campus)
Introduction time: October 2012
URL: http://www.kansai-u.ac.jp/
History/Overview: Kansai University, whose predecessor was Kansai Law School, was founded in 1886 at Ganshuji Temple in Nishi Ward, Osaka, as the first law school in the Kansai region, led by incumbent judges and public prosecutors. With "realization of learning" as its school motto, it currently has 13 faculties, 12 graduate schools, 3 professional graduate schools, and 1 special course, and has developed into the largest private university in western Japan, with approximately 30,000 students. It develops ideal human resources through programs that integrate academic research and human education, and unique curriculum policies based on multifaceted measures that connect cutting-edge research and social contribution.

*Information at the time of interview.
