Microsoft Network Access Protection (NAP), a software-based network access control product, may be a natural fit
for Microsoft shops, given its integration with other Microsoft products and the fact that it comes as a feature of Windows Server 2008. But there are other reasons Ball State University went with NAP when looking for more network protection for its wired network.
In this third of a series on college campus NAC deployments, Alex Chalmers, lead enterprise systems and security architect at the university, describes some of the features of the NAP solution that make it work for the Muncie, Ind., campus. Cost is one. A Microsoft shop, Ball State saves about $75,000 per year in support and maintenance by using Microsoft NAP, and incurred only modest costs to set up five new servers.
A relative newcomer in the network access control market, Microsoft NAP is a descendant of the vendor's Quarantine Server from 2003. NAP received the top grade in Forrester Research Inc.'s 2008 analysis of the network access control market, getting kudos for its scalability, ability to leverage the vendor's Forefront security products and Active Directory for policy management, and interoperability with products from other vendors.
Replacing Cisco's Clean Access
Like all academic institutions, Ball State needed a way to enforce its security policies and check the health of the many unmanaged devices that connect to its network.
Though the university had successfully deployed Cisco Systems Inc.'s Clean Access tool for authenticating wireless connections, problems surfaced when Chalmers' team moved toward a wired deployment. The Ball State network, shared by some 2,100 faculty and staff and 18,000 students, is divided between the main campus and the residence halls and separated by a firewall. When school is in session, the network has about 20,000 nodes.
"Our network design is pretty large for a university of our size, and we decided that there were some problems getting software pushed out to end users in order to do computer validation checks and in making sure we had the appropriate components in the right locations," Chalmers recalled.
Drawn to Microsoft's use of enforcement standards in it new Network Access Protection offering -- in particular 802.1X -- Chalmers became a beta customer. "Doing 802.1X gave us a big win because it would allow us to do WPA ," Chalmers said, in turn allowing users to log in just once. (Wi-Fi Protected Access provides dynamic encryption keys for wireless sessions.)
The 802.1X protocol also made sense on the wired network, he said. "We're pretty much a fully switched network, so we can have multiple VLANs deployed and do quarantining very effectively without needing to have everybody truck back to a central router and bounce VLANs that way. We can do it all at a switchboard layer."
The model does present a challenge in the Ball State residence halls, where there are not enough ports to do 802.1X. His team is still working on a solution for the residence halls.
But the flexibility of the NAP platform provides a basis for a solution for the dorms, Chalmers said. That flexibility is also important given the school's hybrid Macintosh/PC environment (about 20% of the Ball State environment is Macintosh).
Unlike other network access control solutions, which provide security for Windows only or provide authentication for Macs only, "NAP gives us the option of doing security through third-party development and the addition of other authentication mechanisms that we could look at for our residence halls' networks," Chalmers said.
"There are definite options to NAP, rather than having one platform that says, 'You must do this.' That was very appealing to us," he said.
If you're a Microsoft shop, NAP really works well, Chalmers said. "If you're a Linux shop, or an Apple shop, you're going to have challenges, because it is really based on having Active Directory, having Windows servers and having that deployed. So, there may be better solutions for different architectures."
Another consideration is that 801.2X can be a difficult protocol, Chalmers said. And for organizations that do not have the networking in place to handle 802.1X, costs for deployment would be higher, he said.
Ball State's capital investment has been modest: Five new servers running Windows 2008 Enterprise Edition provide the authentication mechanism for NAP. Existing SQL servers handle the reporting. Any switches that needed replacing have been part of the normal hardware rollovers, he said.
And the progress report so far at Ball State? The university is in the initial deployment, still documenting the health of the network. At a university, keeping everybody working at full tilt is paramount, so new installments tend to go slowly. He said he hopes to go into enforcement mode by summer.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer