The networking team at London South Bank University (LSBU) made finding a Network Access Control (NAC) solution a priority after a student laptop brought in a virus that caused a serious network outage.
The massive virus outbreak was brought in by an unpatched laptop that became infected when someone took it home. Making matters worse, the outbreak occurred during university clearing when final student places are awarded.
“We had days of whole sections in the university down right at the start of clearing, which is a busy time of year for practically everybody in the university sector. It took us weeks to recover,” said Phillip Wright, network team leader at LSBU, which has about 23,500 students and 2,500 staff.
“We had absolutely no control over what was going on our network. A student with an infected laptop could walk into a computer lab or an office, plug in, hijack an IP address and away they could go. We were in a position where we needed some sort of network access control.”
Before a NAC solution, complete network redesign
LSBU underwent a complete refresh of its network equipment, redesigning everything from the core right through to the edge, and implemented a NAC solution as part of that process.
As part of the redesign, the university installed Extreme Networks’ BlackDiamond 10K switches in the core and Summit 200 switches at the edge. “We took out our cobbled-together Unix DHCP and DNS. We were running access control lists on our core routers, so they went; and we put in some firewalls. We put in redundancy with a second link out to JANET [the UK’s education and research network]. We now have two core routers and two data centres,” said Wright.
LSBU experimented with a couple of NAC solutions, but finally implemented Forescout CounterACT. CounterACT runs on the segments of the network that students can access with their laptops and continually performs host checking: “We can keep an eye on whose antivirus is out of date; we have policies for potential malicious hosts. The desktop support team is very happy because they can kill P2P applications running anywhere on the network.”
The NAC solution also earned its keep during the Conficker outbreak of 2010. “CounterACT ran a report which showed us a list of suspect machines. Our IT team could focus their efforts and quickly investigate these suspicious devices. We were able to contain and resolve that in a day as opposed to days of outage and weeks to recover from it,” said Wright.
What’s more, since the university upgraded the network, it has been able to reduce the network team from six people to three-and-a-half network engineers. A portion of this reduction can be attributed to the automation of security processes made possible by the NAC system, according to Wright.
So far, there have been very few drawbacks. “Forescout has a lot of capabilities and is very powerful. My manager gets a little bit twitchy about it because he can consider it too powerful. He worries that we will do the wrong configuration and kill half the network, for example,” he said.
Wright is now looking at the possibility of expanding the NAC solution campus-wide: “The sheer scale of it and the amount of exceptions may mean we could just decide it is something we can live without, but we are looking into it.”
--Tracey Caldwell is a professional freelance business technology writer.