Proper cybersecurity can be a tough challenge for institutions of higher education. They have to juggle providing relatively open Internet access to students and guests while simultaneously protecting research, financial, and other sensitive data. Many colleges and universities do not have the visibility necessary to understand what is happening on the network, let alone identify threat activity.
That is precisely the challenge Central Michigan University (CMU) was struggling with. CMU is the fourth largest public university in Michigan, with nearly 64,000 total user accounts and a campus supporting modern technology and state-of-the-art facilities. The network consisted of 100-percent Cisco equipment, spanned 19 remote locations, and included 26 residence halls.
The campus network is divided into three logical zones:
- Academic/administrative
- Residence halls and campus apartments
- SmartZone, supporting the CMU research center
The Challenges
Each year, CMU saw a steady 125-percent increase in the number of mobile devices connected to its network, which resulted in a growing demand for wireless support on its already open network. In addition, the proliferation of file sharing applications led to high bandwidth consumption, and the university had received several pre-litigation notices due to students illegally sharing or downloading music files. The security and network teams needed a way to gain pervasive visibility of traffic entering and leaving the network as well as traffic between internal hosts, and they needed an automated way to research RIAA copyright notices.
The university’s IDS/IPS solution was only able to monitor activity in the academic/administrative zone and quickly succumbed to the high volume when traffic from the residence halls was added. They already had a custom-built NetFlow analysis system designed to monitor user traffic and throttle it to a manageable level, but students had figured out ways to circumvent the system. CMU needed not only to monitor network traffic but also to quickly separate genuine security concerns from the noise of day-to-day network usage, including detecting traffic spikes and anomalous behavior.
The Cisco Stealthwatch Solution
CMU deployed Cisco Stealthwatch, which gathers NetFlow data from multiple routers throughout the network to provide critical visibility into internal traffic. Stealthwatch delivers:
- Faster time to detect security incidents
- Visibility into CMU’s Internet gateway traffic and high speed internal network
- Intelligence to prioritize critical events
- Automated mitigation
- Network forensics
With Stealthwatch, the CMU network and security teams could easily view details of network traffic spikes, security events, and anomalies, providing the valuable intelligence needed to help make more informed decisions. This drastically reduced the time needed to detect and investigate an event.
In addition, Stealthwatch was configured to monitor user behavior for signs of excessive P2P file sharing. When a user who is violating the policy is detected, Stealthwatch automatically sends an email to network administrators and an SNMP trap to CMU’s network access control (NAC) solution. The user in question is then placed in an isolated VLAN and required to re-read and acknowledge the P2P file sharing policy before regaining broader network access.
This allowed CMU to educate and discipline users for network policy violations, while also highlighting repeat offenders, in which case a tech could be dispatched to look at the machine.
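As an added illustration of the detection-and-response workflow described above (example code, not Cisco's or CMU's), the following Python applies a simple NetFlow-style heuristic for excessive P2P activity to constructed flow records, then produces the notification, quarantine, and repeat-offender actions. The record format, thresholds, and addresses are assumptions.

```python
# Added example, not from the Cisco/CMU case study. Models a NetFlow-based
# P2P heuristic and the follow-up actions the article describes.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal host (assumed format)
    dst: str        # remote peer
    dport: int      # destination port
    bytes_out: int  # bytes sent by src


# Constructed sample flows: 10.20.0.5 talks to many peers on many high
# ports (swarm-like); 10.20.0.9 repeatedly talks to one HTTPS server.
SAMPLE_FLOWS = (
    [Flow("10.20.0.5", f"203.0.113.{i}", 6881 + i, 400_000) for i in range(20)]
    + [Flow("10.20.0.9", "198.51.100.10", 443, 50_000) for _ in range(20)]
)

# Heuristic thresholds (assumptions): many distinct peers, many distinct
# high ports, and a large upload volume together suggest P2P file sharing.
MIN_PEERS, MIN_HIGH_PORTS, MIN_UPLOAD_BYTES = 10, 10, 1_000_000


def p2p_suspects(flows):
    """Return internal hosts whose aggregate flow profile crosses all thresholds."""
    peers, ports, upload = defaultdict(set), defaultdict(set), defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        if f.dport >= 1024:
            ports[f.src].add(f.dport)
        upload[f.src] += f.bytes_out
    return sorted(
        h for h in peers
        if len(peers[h]) >= MIN_PEERS
        and len(ports[h]) >= MIN_HIGH_PORTS
        and upload[h] >= MIN_UPLOAD_BYTES
    )


def response_actions(host, prior_violations=0):
    """Email admins, signal the NAC to quarantine; escalate repeat offenders.
    Addresses and action names are placeholders."""
    actions = [
        ("email", "netadmins@example.edu", f"P2P policy violation: {host}"),
        ("snmp_trap", "nac.example.edu", {"host": host, "action": "quarantine_vlan"}),
    ]
    if prior_violations >= 1:
        actions.append(("ticket", "helpdesk@example.edu", f"Dispatch tech to inspect {host}"))
    return actions
```

Running `p2p_suspects(SAMPLE_FLOWS)` flags only `10.20.0.5`; the HTTPS-only host never exceeds the peer or port thresholds.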
Learn more
To learn more about how Central Michigan University improves security with Stealthwatch, watch the testimonial video or read the full case study.
Kevin Ransom is an SLED Security Account Manager at Cisco.
Ashley Harper is an SLED Security Account Manager at Cisco.
© 2017 Cisco. This article was sponsored by Cisco and not written or edited by the EDUCAUSE editorial staff.