Project Charter


Prepared by: Stephen A. Vieira

Date issued: January 27, 2010

Revised by: Manny Correia

Date Revised: March 15, 2010

Project Name: Network Access Control

Project Number: 200910 –Infrastructure-P1
Project Overview:

The CCRI Network Infrastructure is a complex collection of servers, storage, switches and routers that would be incredibly difficult to rebuild. Such a project would take days of recovery and many hours of resource allocation. As a result, the protection of that infrastructure and the security model applied to it should be significant and as bullet-proof as possible. That being said, the clients connecting to the CCRI Network Infrastructure should also be as up to date and as secure as possible. Network Access Control is a means of ensuring that all client devices are up to date.


Network Access Control (NAC) is a system that provides authentication, scanning, remediation and accountability for devices and users connected to a network. The process begins when a user either plugs into a data jack for the first time or connects to the CCRI wireless network. The first step is registration; during this step the user is asked for credentials. This is the authentication piece. During authentication the user's role is determined from the user database and the type of PC is determined by MAC address. These are important because they are factors in which client agent the device gets and which policy is applied to that device. The machine is then scanned for updates and AV. If the device passes the scan, the user is let onto the appropriate network and allowed to use the resources permitted on that network. All of this is recorded in the NAC system for accountability.
During registration there are a number of processes used to determine the varying users and devices that will be connecting to the network. Let's begin with authentication. Right now our NAC system authenticates to the LDAP directory in the Luminous system. This is OK for now, but I think it would be better to use AD for this implementation. AD has many more fields we can use, and our system has redundancy in case of failure. When a user enters their credentials in the appropriate window, the NAC system checks AD to see which role the user belongs to. Once the role is determined, the device is checked for its type (PC, Apple, Linux or mobile device), and then the security client agent is downloaded to the device. Different devices will have different agents, and some will not have one at all. Currently there is no agent for Linux or portable devices. PCs and Apples have either a dissolvable or a persistent agent. We should use the persistent agent everywhere possible because it has many more benefits: we can run a scan any time there is a virus outbreak, and we can send a message to any machine that has the persistent agent at any time for emergency notification.

NAC policy will be set by role/group. Currently there are four roles: Student, Faculty/Staff, Cart and Guest. Part of this project will be to determine whether the current roles are sufficient for the college's needs or whether we need to create new roles. Then we need to determine the policies assigned to these roles. These policies should check for updates that are recent but not too recent: if they are too recent, many users will be sent to the remediation network, which will mean a bigger support issue than we have the resources for. The NAC committee will develop the policies and the Security committee will approve them. The policies will include what to scan for and what resources the user networks will be allowed to use. These policies will be important in determining the support levels the college will give to users. The Guest user policy is another issue that will have to be refined, as there is a new Guest user administration in the new version of the software.


The scanning of each device/user is checked against a policy set in place for the role that user belongs to. These policies are configurable and can be as granular as the CCRI administration wants. The scan can be as simple as finding the anti-virus software installed or as in-depth as finding an individual registry key value. If the device passes this scan, the user gets onto the network with all the security settings assigned to the user's group/role in place. If the device fails, it is put into a Remediation network. In the Remediation network the only resources the user's device is allowed to access are what CCRI determines is enough for that user to self-remediate the device. All users in remediation will be steered to a website with links to AV software, Microsoft updates, etc. Once the user has self-remediated, the user can choose to rescan. Only once the device has passed a scan/rescan will that user be allowed onto a network.
NAC also provides a means of identifying which user is on which PC at a particular time, and of tracking when a PC/device connects to a particular port on a particular switch on the network. The system keeps a database with all this information. Many different reports can be generated on a regular basis to keep track of what is going on.
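
The registration, role lookup, scan, placement and accountability flow described above, as an added example that is not part of this charter or of Bradford's product: a small Python model of the admission decision. The OUI table, the per-role thresholds, the VLAN names and the switch/port values are assumed values chosen for illustration.

```python
from dataclasses import dataclass
# Constructed OUI-to-device-type table (assumption; not CCRI's real inventory).
OUI_DEVICE_TYPE = {"00:50:56": "pc", "f0:18:98": "apple", "b8:27:eb": "linux"}

# Per-role policy (roles from the charter; thresholds and VLAN names are assumed).
# "Recent but not too recent": the patch window is wide enough not to flood remediation.
ROLE_POLICY = {
    "student":       {"scan": True,  "require_av": True,  "max_patch_age_days": 30, "network": "vlan-student"},
    "faculty_staff": {"scan": True,  "require_av": True,  "max_patch_age_days": 30, "network": "vlan-staff"},
    "cart":          {"scan": True,  "require_av": True,  "max_patch_age_days": 60, "network": "vlan-cart"},
    "guest":         {"scan": False, "require_av": False, "max_patch_age_days": 0,  "network": "vlan-guest"},
}
REMEDIATION = "vlan-remediation"  # reaches only the self-remediation site (AV, Microsoft updates)

@dataclass
class Device:
    mac: str
    user: str            # from the credentials entered at registration
    role: str            # looked up in the directory (AD or the Luminous LDAP)
    av_installed: bool   # as reported by the agent scan
    patch_age_days: int  # days since the last OS update, as reported by the scan
    switch: str = "sw-01"
    port: int = 1

def device_type(mac: str) -> str:
    """Device type from the MAC address prefix (OUI), as the charter describes."""
    return OUI_DEVICE_TYPE.get(mac.lower()[:8], "unknown")

def agent_for(dtype: str):
    """PCs and Apples get the persistent agent; Linux and mobile devices have none yet."""
    return "persistent" if dtype in ("pc", "apple") else None

def scan(dev: Device, policy: dict) -> list:
    """Return the policy checks the device fails (an empty list means it passed)."""
    failures = []
    if policy["require_av"] and not dev.av_installed:
        failures.append("no-av")
    if dev.patch_age_days > policy["max_patch_age_days"]:
        failures.append("patches-stale")
    return failures

def admit(dev: Device, audit: list, when: str) -> dict:
    """Registration -> role lookup -> scan -> network placement, with an audit record."""
    policy = ROLE_POLICY[dev.role]
    failures = scan(dev, policy) if policy["scan"] else []
    network = REMEDIATION if failures else policy["network"]
    # Accountability: who was on which device, on which switch port, when, and the outcome.
    audit.append({"time": when, "user": dev.user, "mac": dev.mac, "switch": dev.switch,
                  "port": dev.port, "network": network, "failures": failures})
    return {"network": network, "agent": agent_for(device_type(dev.mac)), "failures": failures}
```

Calling admit a second time for the same device models the rescan after self-remediation; raising max_patch_age_days is the lever the charter describes for keeping the remediation network from filling up on day one.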
CCRI will be using the Bradford Campus Manager Network Access Control system. The Network Sentry 1200 (Network Control Server), the Network Sentry 8200 (Network Application Server) and the client together make up the NAC system from Bradford. When we first wanted to incorporate some of the wired network into our current NAC system we thought we could just add licenses. This project, for a full-blown wired and wireless NAC solution, will not run on the hardware we currently have. An upgrade to the existing system is needed to handle the load. The eventual project will look into the redundancy issue and the acquisition of a second set of the above equipment for the Lincoln campus to be fully redundant. Currently we are using about 3500 licenses with peak times of around 500 – 600 concurrent users. This is only our wireless network. This project will add approximately 2500 wired PCs. We also have to add any device connected to the network, so we are adding around 200 printers and 120 VOIP phones. When this implementation is done, any printer can be moved to any active jack and the network will know what it is and which network to put it in; the same will go for VOIP phones. This project will put us in a great place for future VOIP implementations.

As part of this project a new team must be created within IT. We will call it the NAC team. In the beginning the team should meet at least bi-monthly to go over what the project will entail, whom it will affect, what the support issues are going to be, policy creation, etc. The team should comprise members of the networking group and other key IT group members who support desktop machines. This team should start meeting in April 2010 to get a head start on the project.


Also, as an offshoot, there should be a security committee for the whole college. NAC plays a very important role in the college's security preparedness. The college community should know more about NAC and about security in general. I think the committee should start meeting right away to start preparing the departments for what is coming and to start teaching them about security. This committee will go far beyond the scope of this project, but it should exist for this project, so this is a good time to get it started.
Project Requirements:

The NAC project requires appropriate new hardware as well as upgrading the licensing of the Bradford Campus Manager software for all wired and wireless devices.

Policies need to be in place before Campus Manager can be configured to enforce them. Policy needs to be backed by the upper management of the college. This includes what software the college supports and what is to be scanned for.

A pilot group needs to be identified and configured, and a time frame needs to be set.

A phased roll-out plan needs to be set up so appropriate support can be given.

Wireless has already been using this system, but scanning has not been implemented. I think the wireless users will be scanned starting with the Fall 2010 semester.

Assigned Project Manager, Authority and Responsibility:

Manny Correia – Project Manager
Organization, Authority and Stakeholders:

Coordination Areas      Primary Duties
------------------      --------------
Network Group IT        Setting up the new Campus Manager system; configure network devices to be managed by CM; support the pilot; chair the NAC team; begin the Security Committee
User Support            Help Desk support
NAC Team                Policy statement establishment, documentation
Security Committee      Policy approval

Constraints:

Support issues

Scanning tolerance set too high will put too many users in remediation at first

Each switch port to be managed must be configured for CM to work; this is highly hands-on for Network staff to get working

Using AD will be determined by the students in AD project, if it gets done in time. We can use the Luminous LDAP for now and switch at a later date.

There is no client for portable devices or Linux.

NAC awareness campus wide

Security awareness campus wide

Assumptions:

Easy install

Easy support

Will solve all security problems



Summary resources, Budget and Milestone Schedule Estimates:

Milestone                                                   Assumed Target Date or Number of From Approval
---------                                                   ----------------------------------------------
Security Committee creation                                 April 2010
NAC Team creation                                           April 2010
Policy creation                                             May 2010
Bradford Campus Manager order assigned; equipment arrives   May 2010
Pilot group established                                     June 2010
Pilot testing completed                                     July 1, 2010
Phased rollout begins                                       August 2010


Initial Risk Assessment:

The major risk areas identified to date are given below along with a comment on a possible mitigation strategy (to be expanded in more detail during the detailed project planning).

Major Risk            Possible Mitigation
----------            -------------------
User adoption         Educate users before implementation
User testing failure  Provide support staff protection first; transition to labs and public areas later
VPN NAC               VPN will be the last area to be implemented; it has the largest issues with compatibility and support

Project Charter Approval and Acceptance:

The signatures below indicate the undersigned have read and agreed to the contents of this Project Charter and have thus given approval and acceptance for this project to be initiated.

Approval: Project Sponsor/Owner        Robert Shea          Date: ____________

Acceptance: Project Manager            Manny Correia        Date: ____________

Confidential