Connecting Devices to a Computer Network - Why It's Not Simple Anymore
Computer networks, especially on college campuses, took root in the days before spam, viruses, phishing, and malware. Frankly, computers and printers were connected to networks without anyone knowing much of anything about the devices. Major problems were infrequent and the implications of these issues were not disastrous for most functions of the college. However, that simple world no longer exists, and as a result, change has been necessary in this arena. While our actions will not limit access for valid members of the Skidmore community, we now must take precautions for your safety and mine. We must ensure that the only devices connecting to the Skidmore network are those that are associated with a valid member of our community.
A recent legal change is one of the major factors forcing us to take action. CALEA, the Communications Assistance for Law Enforcement Act, was originally passed in 1994 to aid law enforcement in its effort to conduct criminal investigations requiring wiretapping of telephone networks. It was recently expanded to include any communications that use the Internet. The language is vague and in some instances appears to contradict itself. However, there are two provisions within the law that would allow an entity's network to become exempt from the CALEA change. If an organization owns the infrastructure connecting itself to the Internet, then it falls under CALEA. We do not - we lease a connection and bandwidth from an Internet Service Provider, so we pass the first exemption criterion. The second provision is a little vague. It states that if we are considered a private network, we meet the second criterion for exemption. The vagueness comes from the definition of private network. Our belief, and that of most peers, is that if we know who is using our network and when and where they are connected, then we are a private network. The monetary consequences of not being a private network would be huge. The necessary equipment upgrades and replacements could cost Skidmore over $1 million. This act has become one of the driving forces behind a team within IT that is examining our options and determining the best network authentication system and process.
In addition to being a private network in the eyes of CALEA, we also need to know more about the devices connected to the network. This is especially critical with the recent proliferation of harmful viruses, worms and malware spreading across the Internet. It can be a time-consuming effort to find an infected computer and remove the malicious software. If IT knows whom to contact when we learn of an infected device, it can reduce this effort significantly, which in turn reduces the amount of time the device can attempt to infect others on campus.
Taking into account the implications of CALEA, and the importance of everyone's information safety, we must further secure our wired network connections. While it is still early in our planning and implementation process, we have established several goals: to minimize the impact on users, to create a plan that accommodates every special circumstance we know of, and to accept that there may be some circumstances where the solution would be so complicated that we may have to accept the security risks. The preliminary plan includes utilizing a network appliance designed to register devices attached to the network. This registration includes the name of the device, the name of the person to contact if the device is having any problems, and the network address of the device.
At present, we are expecting to implement the chosen solution during the 2008-09 academic year, but will be vigilant in any decisions to make changes mid-semester. Due to the nature of the possible solutions, a phased approach is likely. We will not apply the solution for everyone all at once, but instead we will go building-by-building, or possibly even department-by-department. One of our guiding principles in this project is to keep the Skidmore Community informed as we move forward from our preliminary discussions and planning to the actual implementation of the best solution.
and Justin Sipher, Chief Technology Officer