The trouble with talking about network access control (NAC) is that it's a complicated, evolving and controversial technology. Depending on who you listen to, it's a must-have: Gartner Inc. has been pushing NAC for three years; Forrester
Research Inc. says it's a "key component of good network security architecture." Just as likely, you'll hear it's a shape shifter, with no dominant standard, better left to hardy souls with big wallets.
To provide some clarity, we interviewed three users who have deployed network access control. Each has chosen a different approach. In this first profile in courage, the method is an NAC appliance, and the primary motive keeping out-of-security-compliance devices off a university network. Or, as the IT people at Central Michigan University (CMU) prefer to put it, keeping the network accessible for the majority by excluding the few.
It began with a worm (or two)
This moderately large university had a really localized pain point when it considered a network access control system in 2003 for its campus of more than 27,000 students. It didn't want to end up like Michigan State, where the Blaster and Nachi worms had taken down the network. Nor was it practical to keep up its own line of defense against this nasty worm, which relied on a phalanx of volunteers.
"We shut down Internet access for all the residence halls, gathered an army of students and sent them out to patch student systems one at a time, by hand. We have 26 residence halls and apartments," said Ryan Laus, network manager at CMU's main campus in Mount Pleasant, Mich.
To head off infection, networking, help desk and residence hall staff members burned more than 1,600 CDs with the latest Windows patches and the school's licensed antivirus package. In less than three days, roughly 6,000 users with unpatched systems and out-of-date antivirus programs showed up. Another 800 virus-related incidences came to light. IT shut down entire dorm rooms because it had no idea whose system was infected, fomenting some mass resentment.
The university wanted an automated process that could authenticate students' devices before they connected to the CMU network and kick them off if they became contaminated. An appliance-based, or "out-of-band," NAC solution from Bradford Networks answered the call -- and then some. The Concord, N.H.-based provider made its bones with its Campus Manager solution designed for university campuses, but for CMU the "huge plus" was that the appliance did not have to be put inline.
"We had an intrusion prevention system and I believe we also had [WAN optimization] Packeteer systems in line, so to add another inline appliance was scary," Laus said. "We didn't want to add one more link to the chain on our network." If the out-of-band system died, it would affect only the people who were registering their computers at the time. Users already in the university's production network would not be affected.
Campus Manager manages, secures and controls the approximately 17,000 devices accessing the CMU network when school is in session, enforcing the university's network authentication and registration policies. This includes quickly identifying, locating and tracking network clients, and isolating at-risk users and devices in a quarantine area. You can read Bradford's account of CMU's NAC appliance deployment among the case studies on the provider's website.
"It was an easy sell. A network that actually stays up and is secure? Oh yeah, here's a blank check," Laus recalled. The initial outlay was about $100,000; the university uses four appliances and supports 22,000 licenses.
NAC installation details and lessons learned
NAC implementations get a bad rap. They take longer than expected, cost more than anticipated. A 20-something network engineer in 2004, Laus was given the task of rolling out the Bradford NAC appliance to the residence halls, CMU's biggest "bandwidth hogs." Laus began in June, updating the switches in the residence halls one building at a time, and he was done by August.
"Once we added the switches to the system, we could use the system to push out configuration changes, as opposed to making those changes by hand. That made the job much easier," Laus said.
The implementation was not without problems. Some older switching equipment did not behave as expected with the system, "causing some confusion among users," Laus said. That was solved the following summer when the university upgraded with equipment that worked better with the NAC.
Communication was the most critical component of the rollout, Laus said. CMU aims to get the majority of machines registered before the start of school, and gave the students advance notice that registration would require some extra steps. The network team notified the help desk, which needed to be prepared for the inevitable calls from students when "self-help" measures failed. It also kept the security people in the loop, and treated the tech people who work outside of the centralized IT department in the academic and administrative buildings with kid gloves. Many are faculty members.
"Our users hate to have something shoved down their throats, especially faculty," Laus said.
Added functionality: Policing bandwidth
CMU's NAC system has evolved with the technology. Students must now download an agent that scans machines for security policy compliance, for example, while IT uses Campus Manager in the residence halls to enforce a bandwidth quota (5 GB total traffic or 2 GB upload traffic per week) as a way to monitor file sharing.
Clients that exceed the limit are moved to an isolated virtual LAN where they have access to systems on campus but not to the outside world. The system can be used to pass along warnings from the Recording Industry Association of America with a note from IT "to cut this crap out."
In one sense, the politics that often accompany NAC deployments -- top executives in a tizzy over being kicked off because they didn't download a patch in time -- are moot issues for CMU. If students want to be connected to the network, NAC compliance is the prerequisite. And indeed, on the administrative and faculty side of the campus, CMU has implemented a watered-down, agentless version of NAC, precisely because it is too complex to enforce.
"We have no real way to deal with guests and corporate speakers who come in. In order to do it, you would have to say that anybody who comes anywhere on campus and cannot register would call the help desk, and we don't have the resources to support something like that," Laus said.
If somebody on the faculty side fires up a server that does virtualization, a departmental tech will notify Laus and "I will take the port out of the system and make an exception."
The two-tiered system at CMU extends to keeping machines current. Students are forced to re-register every semester. Not so faculty and administration, Laus said. "That could be another 30-minute conversation, persuading people to do it and finding a way to do it in a way that does not interrupt the user." Now if a faculty machine falls out of compliance, it just gets kicked out of school.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer