SCCC Nets & Tele: NAC Project Requirements

Suffolk County Community College

Department of

Networking & Telecommunications

NETWORK ADMISSION CONTROL

Project Requirements

Networks & Telecommunications

Suffolk County Community College

533 College Road, Selden NY 11784

Network Admission Control (NAC) Project

Executive Summary:

1. Title of Request

Network Admission Control (NAC) Project

2. Brief Description of Proposal

This project will provide the systems (software and hardware) necessary to implement a College-wide authentication mechanism for access to the wireless network, academic computers and open-use computers. Authentication is a requirement for providing security and audit capability within the network. This request includes the cost proposal for the configuration, installation and five-year maintenance of the equipment needed to implement this project.

3. Anticipated Project Schedule (*)

July 1, 2009: Project Commencement

August 31, 2009: Delivery of Materials

October 1, 2009: Installation and Configuration Completion

November 1, 2009: Completion of Pilot Testing

December 31, 2009: Completion of Policy Implementation

January 18, 2010: Spring 2010 Semester Starts (Full Activation)

(*) These dates are based upon fixed dates of events or target dates based upon typical timelines from prior projects. The College reserves the right to change these dates.

4. Implementation Team Committee Members

Gary Ris, Associate Dean of Computer Information Systems

Richard Johnston, Director of Networks & Telecommunications

Steve Clark, Coordinator for Instructional Technology

Drew Rabinowitz, Associate Director of Desktop Computing Services

Paul Basileo, Ammerman Coordinator of Educational Technology Unit

Peter DiGregorio, Grant Coordinator of Educational Technology Unit

Ed Hassildine, East Campus Specialist of Educational Technology Unit

Kevin McCoy, Associate Dean of Library Technical Services

TABLE of CONTENTS

Master Contract Authority

Project Overview and Goals

Current Network

College WAN

Ammerman Campus

Grant Campus

East Campus

Wireless Network

Professional Services Requirements

Project Management

Pre-Installation Phase

Equipment Installation

Network Configuration

Pilot Network Test/Acceptance

Technical Training

Annual Maintenance

Post-Install Annual Meeting

Submission Requirements

Overview of Submission

Disclosure Request

Project Management and Personnel

Documentation and Schedule

Materials Revision/Versions

Professional Task Assignments

NYS OGS Contract Use Requirements

Schedule of Cost

NONDISCLOSURE STATEMENT


Master Contract Authority

This NAC Project procurement specification is issued pursuant to agreements by the New York State Office of General Services (NYS OGS) under the awards for Telecommunications Equipment: Cisco (Group 77503, Award 02070) with product contract PT59009 and services contract PS59010; and the award for Lease Purchasing Services (Group 79033, Award 3530). All proposed solutions must meet the Terms and Conditions stated within these contracts.

Project Overview and Goals

Suffolk County Community College is seeking a Network Admission Control (NAC) system for the college’s network. The NAC system’s principal function will be to authenticate legitimate faculty, student and guest users on the wireless network and on portions of the wired network. Users will connect to the network with college-owned or personal computing equipment, and the NAC will have to differentiate services and policies based upon configured information. The NAC system will have to collect, store and provide retrieval tools for the current and historic records containing information about usage by individuals, computers, locations and policies. A secondary function of the NAC system is to support the usage rights and security policies of the college for multiple user groups, based upon the identity of the individual connecting, the location within the college and the device being used, the destination services provided and current network performance levels.

The NAC system must be a distributed, redundant solution that will operate throughout the five college locations over the existing network architecture. Access to the management tools and report servers of the NAC must be available via local administrative stations and via secured VPN connections. The solution must support the entire network user population (including students, faculty, staff and guests) and network devices (including desktop systems, telephones, WLAN AP’s, security devices, HVAC, and laptops) with capability to scale to account for growth.

The college operates with classes and activities throughout the week and throughout the year. The solution must provide a highly reliable and redundant design that will operate 24x7x365, with minimal annual downtime for maintenance or failure, and have appropriate fallback parameters in the event of a device failure. A NAC controller device that fails on a campus must have its processing taken up by another device, even one located elsewhere in the College. Lastly, for multiple points of failure, there must be a clearly defined and tested default policy that will allow the College to continue to operate mission-critical applications without disturbance.

The solution must be able to generate basic reports, such as the current users/devices connected or the number of devices in a particular building or location. The solution must be able to log individual user access and individual device use throughout the college and provide detail and summary information over ad-hoc defined periods of time. The NAC solution must generate historical reports reflecting the usage of the system based upon location and membership in a group, and summary reports such as the average number of users or devices in use over a period of time (day, week, month, etc.). Hard disk storage sufficient to hold the database for the current information period is required. External DVD/CD writable storage is required for archiving or retrieving information from prior periods.

The NAC solution must be able to interface with a wireless network to mediate devices such as laptops (Windows, Mac, and Linux), PDA’s with browsers, smart phones with browsers and unattended devices with wireless network interfaces (projectors, cameras, a/v systems). The NAC solution must operate with a “clientless” interface when accessing non-college-owned equipment and have the capability of activating a “client-based software scan” for select users. The NAC Solution must co-exist with desktop management systems for college-owned equipment. The NAC solution must operate on the wired network and differentiate the services allocated for different groups, such as faculty, students, administrators and guests.

The NAC Solution must allow its user interfaces to be branded with the College’s logo and at the College’s discretion have the screens match the graphic layout of typical college web pages. The NAC Solution must present the College’s “Appropriate Network Usage Policy” with “user acceptance” at every logon and record this transaction in the user’s historic log.

The NAC Solution must have a dynamically activated capability to scan selected devices for conformance to software operations prior to being permitted access to network services. Examples of such operations are but not limited to: operating system versions, patch level installed, presence and version of anti-virus software and activation of user device firewalls.

The NAC Solution must use the college’s assigned user-id and password for accessing college services via LDAP communications. Authentication information is stored on multiple servers that must be queried for proper identification of the group that the user is assigned to.

Current Network

College WAN

Suffolk CC’s Wide Area Network is built upon campus links to the Internet and between the “core network” switches located on each campus. Each of the three multi-building campuses has an independent circuit to the Internet via fiber optic connections. Each circuit subscribes to a bandwidth that provides the campus with its Internet access needs and has the ability to burst to support traffic from the other campuses in the event of a circuit failure.

College-wide WAN communications are supported on the Selden (Ammerman) Campus with connections to SUNYNet and Suffolk County MIS via dedicated circuits or VPN services. Traffic throughout the College is routed to these circuits via the intra-college circuits (1000Mbps fiber optic circuits from Verizon [TLS]). These circuits are attached directly to the L3 Core Switches.

The Sayville Education Center and Riverhead Culinary Center are connected to the nearest campus via 100Mbps fiber optic circuits from Verizon (TLS). All of the intra-college WAN circuits support voice, video, and data for both academic and administrative needs.

Protecting the College’s network are Intrusion Protection Systems and Firewall Systems that are inserted between the core networks and the WAN routers. These devices analyze inbound and outbound traffic for compliance with College policies and protection from Internet attacks.

In the event of a failure of an intra-college link, a self-managed VPN circuit will be established to allow prioritized administrative and voice traffic to flow between the involved campuses.

The switch traffic within the college’s network is divided into seven broad categories: Internet bound, SUNYNet/County bound, ADM or Administrative, EDU or Educational, VoIP for the telephone network, WLAN or Wireless, and OTH for other services (HVAC, door access, power control). VLANs for specific networks are assigned IP address ranges corresponding to these categories and buildings. The core switches, routers and security devices are responsible for separation of the logical traffic. The inclusion of NAC equipment must maintain this separation down to the access port level (Layer 2 port control).

Ammerman Campus

The Ammerman Campus (Selden) network interconnects 17 buildings (academic and administrative) to the campus core switch via fiber optic connections operating at 1000Mbps. The building MDF traffic traverses fiber optic links that terminate in the Riverhead Building’s Computer Data Center (A/R105). The core network switch is a Cisco 6506E supporting the fiber optic switching between buildings. Another Cisco 6506E supports the local server connections for data, voice and support services.

The Sayville Center is a single building with ADM, EDU, WLAN and VoIP connectivity.

Grant Campus

The Grant Campus (Brentwood) is logically a star network but its construction separates the network into three physical star nodes located in the Sagtikos, Caumsett, and HSE Buildings. The core network equipment is located in the Sagtikos building and fiber optic trunks inter-connect the secondary buildings. There are 18 buildings on the campus with the major academic and administrative buildings directly connected to the core network and minor buildings connected through a major building. The HSE is considered five buildings due to the size of each of the wings.

An additional building, Workforce Development and Technology Building will open in the Fall 2009 and be connected through the Ashroken Communication Arts Building.

East Campus

The East Campus (Riverhead) has three main buildings and several additional support buildings. All academic and administrative network applications are supported. The Campus has seven buildings supported by the core network.

In addition to supporting the onsite buildings, the East Campus network is connected via 100Mbps TLS circuit to the Riverhead Downtown Culinary Center. This facility supports multiple programs in addition to the culinary program. The building has a retail space, presentation spaces, cooking labs plus classrooms and offices. The East Campus will have a large addition in the Fall of 2010 with the opening of the Library Resource Center. This building will be directly connected to the campus core network.

Wireless Network

The College’s wireless network is comprised of equipment from multiple vendors and is organized by campus. The Grant and Ammerman Campuses have a wireless network built from Symbol/Motorola products, with most Access Points supporting 802.11b and some 802.11b/g. The AP’s are forwarded back to multiple Symbol WLAN Switches (5000 and 5100). The East Campus has Cisco products (all 802.11b/g) in the same configuration. Wireless signal coverage on each campus is complete (overlapping differentiated channels with strong signal strength) for all academic buildings, public spaces (library and student centers) and select administrative locations. The network has over 280 access points and is supported by 12 WLAN switches. Each WLAN network is isolated from the administrative and academic network, and each campus WLAN has its own router connected to the WAN via a firewall interface. College-based services must pass through all network security devices prior to being allowed access to college servers.

Students and faculty are permitted to “register” devices for accessing the network via the college’s intranet portal. The portal requests the MAC Address of the device to be registered and enters it along with the requestor’s information. The WLAN switches perform MAC Address filtering to identify “registered” devices. The portal registration process is a custom interface that is part of the college’s portal. An active account on the portal provides recognition that the owner is a current student or faculty member. Registered devices can be laptops, PDA’s, smart phones, or other authorized equipment. Registered devices may access the Internet but do not have direct access to college servers, nor can they communicate with other devices within the college. This enforces the wireless network’s policy that it be used for “academic research and education”. The registration process requires that the requestor read and acknowledge the appropriate usage policies for wireless access.

The college owns laptops that are either permanently or temporarily assigned to administrators or faculty. The MAC Addresses for these devices are uniquely identified and have specific capabilities based on the intended usage on the wireless network.

Professional Services Requirements

Project Management

The vendor is required to supply a project manager for the project, who will be the “single point of contact” representing the vendor in all matters relating to project scheduling, technical matters and fulfillment of deliverables. The project manager will be responsible for periodic reporting of progress and completion of major milestones, participation in status meetings and maintaining the overall project schedule. The schedule for the project must not directly or indirectly cause any interference with normal operations of the College.

Pre-Installation Phase

The vendor’s managerial and technical staff are required to meet with the College’s managerial and technical staff at the commencement of the project. The agenda will be to review the project schedule, the technical details of the project, college policies and project goals, and any outstanding issues. Internal configurations of the college’s network will be presented and reviewed. The vendor will be responsible for documenting the information necessary for the proper configuration of the NAC equipment, with the policies approved by the college. The vendor must provide a design document that includes the target configurations, installation solutions, initially implemented policies, and test plan.

Equipment Installation

All equipment delivered under this project must be the latest hardware and/or software revision as released on the date of purchase. No used equipment or refurbished equipment is acceptable. Equipment purchased under this project can be “pre-positioned” off-site (vendor’s offices) to perform initial setup and testing. All configurations must be presented to and explained to SCCC technical staff for review and approval prior to implementation. The installed equipment will be “racked and stacked” at the appropriate sites within the college but will not be attached to the operational network until given permission by the college. Rack space, electrical feeds and network configurations for the equipment will be based upon specifications supplied by the vendor and presented to the college with appropriate lead times. All equipment must be installed as per manufacturer’s specifications and in compliance with all electrical codes having jurisdiction. The vendor will install the equipment during standard business hours according to the College’s calendar and the vendor must be prepared to perform the installation concurrently (e.g. perform the installation on all three campuses simultaneously with three teams). This is due to the limited schedule of days when the college’s network can be exposed to service outages due to power interruptions or moving of equipment to accommodate new devices.

Network Configuration

The vendor is required to perform an onsite review of the College’s facilities where the NAC hardware will be installed and identify any installation issues. The hardware and software configuration will be reviewed with the college’s networking staff prior to installation or initiating active processing on the equipment. The NAC equipment’s network configuration must adhere to the college’s network operations and security policies. The NAC Equipment will be installed and attached to the college’s network as per schedule, but must not interfere with normal operations of the college’s network during the installation and test periods. It is the vendor’s responsibility to ensure compliance with these stipulations prior to acceptance of the project by the college. The vendor is responsible for proposing solutions to any configuration issues discovered during any phase of the project. Mutually agreeable solutions will be implemented without additional cost to the College.

Pilot Network Test/Acceptance

A group of stations (a mix of desktop and laptop computers) will be identified by the college on each campus to be used for testing of the NAC equipment operation. Additional devices will be included to ensure proper identification of devices that are not to be under the jurisdiction of the NAC Equipment (telephones, HVAC systems, and power equipment). The number and location of the equipment is the responsibility of the college. The vendor is responsible for authoring a comprehensive test plan that will demonstrate the functions of the NAC equipment operating correctly on the college’s network while using college stations pre-configured to represent various groups. Tests will include demonstration of all policy groups that permit or deny access to the network. Additional tests will include demonstration of the ability to isolate a device’s admission to the network by restriction of the address and/or protocol. Additional tests will verify the operation of policy activation by time-of-day, day-of-week, event trigger activations and global commands. Initial activation of the NAC Solution must support a promiscuous mode to verify its operations on a college-wide basis without enforcement of policies.
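As an added illustration that is not part of this specification or of any vendor’s product, the following Python model shows the admission decisions the pilot test plan above would have to exercise: policy groups that permit or deny, time-of-day activation, the client-based posture scan and usage-policy acceptance described under Project Overview and Goals, devices outside NAC jurisdiction, and a promiscuous mode that records the would-be outcome without enforcing it. Group names, posture item names, hours, service labels and the sample timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Posture items named in the spec as scan examples; the identifiers are hypothetical.
REQUIRED_POSTURE = {"os_patched", "antivirus_current", "firewall_enabled"}
# Hypothetical policy table: services per group and permitted hours (start, end), 24h clock.
POLICY = {
    "faculty": {"services": {"internet", "college-servers"}, "hours": (0, 24)},
    "student": {"services": {"internet"}, "hours": (6, 23)},
    "guest": {"services": {"internet"}, "hours": (8, 22)},
}
EXEMPT_CATEGORIES = {"telephone", "hvac", "power"}  # outside NAC jurisdiction per the spec
AUDIT_LOG = []  # historic record, one entry per admission attempt

@dataclass
class Request:
    user: str
    group: str           # in the real system, the result of the LDAP group lookup
    mac: str
    category: str        # "laptop", "smartphone", "telephone", ...
    location: str
    college_owned: bool  # college-owned devices get the client-based scan; others are clientless
    posture: frozenset   # items the scan reported as satisfied; empty when no scan ran
    accepted_aup: bool   # user acknowledged the Appropriate Network Usage Policy at logon
    when: datetime

def at(hour, day="2009-11-02"):
    """Constructed timestamp helper used by the sample requests (a Monday)."""
    return datetime.fromisoformat(f"{day}T{hour:02d}:00:00")

def decide(req):
    """Evaluate the policy: returns (action, services, reason) without applying it."""
    if req.category in EXEMPT_CATEGORIES:
        return "bypass", set(), "device category outside NAC jurisdiction"
    if not req.accepted_aup:
        return "deny", set(), "usage policy not accepted"
    policy = POLICY.get(req.group)
    if policy is None:
        return "deny", set(), f"unknown group {req.group!r}"
    start, end = policy["hours"]
    if not start <= req.when.hour < end:
        return "deny", set(), "outside permitted hours for group"
    if req.college_owned:
        missing = REQUIRED_POSTURE - req.posture
        if missing:  # restrict to a remediation network instead of full access
            return "quarantine", {"remediation"}, "posture failed: " + ", ".join(sorted(missing))
    return "permit", set(policy["services"]), "policy matched"

def admit(req, enforce=True):
    """Apply the decision and record it. enforce=False is the promiscuous pilot mode:
    every device is admitted, but the outcome that would have applied is still logged."""
    action, services, reason = decide(req)
    applied = action if (enforce or action == "bypass") else "permit"
    record = {"time": req.when.isoformat(), "user": req.user, "mac": req.mac,
              "location": req.location, "group": req.group, "computed": action,
              "applied": applied, "services": sorted(services), "reason": reason,
              "enforced": enforce}
    AUDIT_LOG.append(record)
    return record
```

Each call to admit() appends a record to AUDIT_LOG, so the same data feeds the per-user, per-device and per-location history reports the specification asks for.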