For network access control, this shop chose Microsoft NAP; here's why

By Linda Tucci, Senior News Writer
11 Feb 2009 | SearchCIO.com


Microsoft Network Access Protection (NAP), a software-based network access control product, may be a natural fit for Microsoft shops, given its integration with other Microsoft products and the fact that it comes as a feature of Windows Server 2008. But there are other reasons Ball State University went with NAP when looking for more network protection for its wired network.

In this third of a series on college campus NAC deployments, Alex Chalmers, lead enterprise systems and security architect at the university, describes some of the features of the NAP solution that make it work for the Muncie, Ind., campus. Cost is one. A Microsoft shop, Ball State saves about $75,000 per year in support and maintenance by using Microsoft NAP, and incurred only modest costs to set up five new servers.

A relative newcomer in the network access control market, Microsoft NAP is a descendant of the vendor's Quarantine Server from 2003. NAP received the top grade in Forrester Research Inc.'s 2008 analysis of the network access control market, getting kudos for its scalability, ability to leverage the vendor's Forefront security products and Active Directory for policy management, and interoperability with products from other vendors.

Replacing Cisco's Clean Access

Like all academic institutions, Ball State needed a way to enforce its security policies and check the health of the many unmanaged devices that connect to its network.

Though the university had successfully deployed Cisco Systems Inc.'s Clean Access tool for authenticating wireless connections, problems surfaced when Chalmers' team moved toward a wired deployment. The Ball State network, shared by some 2,100 faculty and staff and 18,000 students, is divided between the main campus and the residence halls and separated by a firewall. When school is in session, the network has about 20,000 nodes.

"Our network design is pretty large for a university of our size, and we decided that there were some problems getting software pushed out to end users in order to do computer validation checks and in making sure we had the appropriate components in the right locations," Chalmers recalled.

Drawn to Microsoft's use of enforcement standards in its new Network Access Protection offering -- in particular 802.1X -- Chalmers became a beta customer. "Doing 802.1X gave us a big win because it would allow us to do WPA," Chalmers said, in turn allowing users to log in just once. (Wi-Fi Protected Access provides dynamic encryption keys for wireless sessions.)

The 802.1X protocol also made sense on the wired network, he said. "We're pretty much a fully switched network, so we can have multiple VLANs deployed and do quarantining very effectively without needing to have everybody truck back to a central router and bounce VLANs that way. We can do it all at a switchboard layer."

The model does present a challenge in the Ball State residence halls, where there are not enough ports to do 802.1X. His team is still working on a solution for the residence halls.

But the flexibility of the NAP platform provides a basis for a solution for the dorms, Chalmers said. That flexibility is also important given the school's hybrid Macintosh/PC environment (about 20% of the Ball State environment is Macintosh).

Unlike other network access control solutions, which provide security for Windows only or provide authentication for Macs only, "NAP gives us the option of doing security through third-party development and the addition of other authentication mechanisms that we could look at for our residence halls' networks," Chalmers said.

"There are definite options to NAP, rather than having one platform that says, 'You must do this.' That was very appealing to us," he said.

If you're a Microsoft shop, NAP really works well, Chalmers said. "If you're a Linux shop, or an Apple shop, you're going to have challenges, because it is really based on having Active Directory, having Windows servers and having that deployed. So, there may be better solutions for different architectures."

Another consideration is that 802.1X can be a difficult protocol, Chalmers said. And for organizations that do not have the networking in place to handle 802.1X, costs for deployment would be higher, he said.

Ball State's capital investment has been modest: Five new servers running Windows 2008 Enterprise Edition provide the authentication mechanism for NAP. Existing SQL servers handle the reporting. Any switches that needed replacing have been part of the normal hardware rollovers, he said.

And the progress report so far at Ball State? The university is in the initial deployment, still documenting the health of the network. At a university, keeping everybody working at full tilt is paramount, so new installments tend to go slowly. He said he hopes to go into enforcement mode by summer.
