This is the second of three network access control (NAC) case studies of organizations taking different approaches to NAC. The first case study involved appliance-based network access control from Bradford Networks; this installment features a user who deployed a hybrid in-line/out-of-band solution from Cisco Systems Inc.
One semester into using an upgraded NAC solution from Cisco, Leo Pereira, director of IT at the University of San Francisco (USF), is still drooling. "I don't usually say this," he prefaced, duly noting that Cisco does "irritating things with their products which still irk me." And duly noting he receives no money or special deals from the San Jose, Calif.-based networking powerhouse.
"But good grief, this stuff just works," said Pereira, a former director of IT Web and security architecture at Oracle Corp. He joined USF about a year ago. "We have deployed it and it has been sitting around, humming. Talk about ready for prime time."
Every semester, students arrive on campus with computers already infected. USF needed a tool to understand the state of its students' computers and help make systems more secure.
Eighteen months ago, USF deployed an in-line NAC solution from Cisco for its dorms. It worked so well that last summer Pereira's team expanded the network access control system. USF deployed an out-of-band system for its dorms -- the locus of its highest network traffic and potentially most infected computers and used the original in-line system on its wireless network.
"Realistically, you never want the NAC in line," Pereira said. "It means that everything that attempts to travel between the upstream Internet and all of your user computers has to go through this appliance. And it is a chokepoint, regardless of how fast they build it."
The dorm upgrade required "lots of work on the part of my engineers" to configure all the switches to be able to negotiate with the NAC system. But except for a few "minor hiccups," the migration was uneventful. "There were many people who were quite surprised it went as smoothly as it did. I wasn't, because of the product."
Pereira said the primary motive for deploying network access control was to create a safe network for students. The Jesuit university, which traces it start to 1855, takes the physical safety of its some 8,000 students seriously, deploying its own police patrol. Similarly, IT must protect the school's virtual environment. The university's "crown jewels" -- its server farms and production systems -- were guarded by firewalls.
"But our primary customers are our students. We wanted to make sure the network for the students' computers was being treated with the same degree of respect," Pereira said.
With the current NAC solution, the first time a new student tries to connect to the campus network, the NAC system determines if the machine has the network access control client. If it doesn't, the student is put into a virtual LAN (VLAN) by himself and basically told he's new and is not up to university security requirements. He's then sent to download the appropriate antivirus software. Once the software is running on the system, the NAC is informed the machine is clean and the student is popped into a new VLAN that gives him access to the rest of the campus network, as well as the Internet.
This process is critical, because viruses have proliferated at an alarming rate in the 18 months since the first NAC solution was implemented, Pereira said. "If you asked me today to take away the NAC, the desktop engineering team would revolt."
During the testing phase of the deployment, Pereira's engineers would load computers with certain tools to test what was happening. "We would say, 'OK, I am now on this IP address -- how big is this address space?' And it was a sum net of two, just me and the upstream gateway, the NAC systems. You can't talk to anybody else. If you try to attack, your packets will not reach anybody else. Once you are authenticated, you can see it flip; you can actually watch the network interface flip, as it comes down, because it is having its DHCP address taken away and being given a new DHCP address," he said.
Indeed, the veteran computer engineer can't quite get over how well it works. "The first thought is, it is not going to work," he said.
USF has six NAC appliances: two management appliances, where all the configuration happens; two in-band servers and two out-of-band servers. Next, he hopes to expand NAC again to cover the university's faculty and staff. What can he tell other CIOs interested in deploying a NAC solution?
NAC gives him "much greater control over the security" of the campus's individual devices. Pereira ran IT security at Oracle for about six years in the late 1990s. "Our borders were secure; we had firewalls and no one could come in that way." The only time the company had a virus outbreak was when someone physically took a computer off campus, got infected and brought it back.
"With the NAC, you can make that at most a zero possibility, because as soon as they come back, and you have NAC deployed on your switches, once they plug in, the NAC server will say, 'Hey, you have been gone awhile and are you clean?'" he said.
We have deployed it and it has been sitting around, humming.
Leo Pereira, director of IT, University of San Francisco
The tool functions as a compliance tool, as policies can be set, for example, to have antivirus software refreshed every five days. The administrator can build in some flexibility, giving people whose computers are not infected the option of a little extra time to do the download.
The grace period is important in a university environment, where people balk at being told what to do. In fact, the Big Brother aspect of NAC is the biggest hurdle CIOs will likely encounter, in his view. "This is something that takes a bit of getting used to," he said. The initial deployment of NAC was "intense," with students having to bring in badly infected computers to a help desk.
Eventually, users accept the NAC check-in as part of their login, he said. As for the "never underestimate the complexity of a NAC deployment" refrain from industry experts, Pereira blamed aggressive vendor marketing for the bad rap.
"They sell you the be-all and the end-all," he said. The granularity potential is so great he could configure NAC to limit access to the departmental printers to a handful of people, if he wanted.
"I could put together a plan that would take two and a half years to implement, and the end result is that everything is controlled within an inch of its life," he said. "But that question you have to ask is, do you truly want to do it? For most organizations that is not going to be necessary."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.