Network security case study: College’s NAC virtual appliance makes grade

For more than 150 years, Wellington College in Berkshire has been educating young men, and more recently women, to a high standard. Recently, however, its information security team educated itself on how innovative virtual security appliance technology can scale to protect students on campus and around the globe. 

Like many schools, Wellington’s pupils have all the latest equipment, including laptops, smartphones, games consoles and tablets. This creates a challenge for Wellington’s Director of IT Services and Development Tony Whelton, who needs to support the whole range of devices on his network while guarding against malware.

“We are a boarding school and we like to have an open-door policy with regards to allowing pupils to bring in whatever devices they wish,” he said. “We want to make it easy and flexible for them.” Connectivity for these wireless devices is now supported through a new campus-wide wireless network using a cloud-based Wi-Fi system from Meraki.

However, two years ago, a pupil returned from a weekend visit home, where his laptop was infected with the Conficker worm. At the time, the school ran a network access control (NAC) system, but because it was slow and cumbersome to manage, it only carried out checks on users’ devices every two weeks.

The infected machine was last checked the previous week, and when the student returned to school Monday morning, it was immediately allowed back on to the network. Soon after, in Whelton’s words, it was “bombarding the LAN with Conficker.”

After dealing with Conficker, which by conservative estimates has infected more than 3.5 million computers worldwide, Whelton went looking for a NAC product that would be easier to use and would constantly monitor device traffic rather than just carry out a posture check at login time. He eventually discovered the CounterACT product from Forescout.

“I evaluated it along with another couple of products, but we were able to get the CounterACT product up and running so quickly that it was a clear winner,” Whelton said. “Some other NAC solutions are incredibly cumbersome and time-consuming to deploy. I have only a small team here, so I didn’t have the resources to spend weeks getting other products configured.”

Whelton also liked CounterACT’s GUI, which he said was intuitive enough to allow his team to create policies without training or outside support; some other products he tested used a command-line interface and required outside specialists to help build policies.

Using an NAC virtual applicance
Wellington initially installed a hardware appliance to monitor devices, but within a year, it became swamped by the sheer number of devices logging on to the network. The school has almost 1,000 students, and many of them have three or more devices they want to use.

In addition, out of term the school plays host to some large conferences, during which many delegates not only bring a swell of new devices on the network, but also expect to get a good wireless Internet connection.

He has therefore just recently upgraded to a NAC virtual appliance version of CounterACT, which runs on a VMWare-based server farm, providing the flexibility to grow to meet increased demand when needed. The number of clients coming on to the network is going to increase as well with the opening of the new college in China. “By moving to a virtual appliance, I can give it the processing power and resources it needs,” he said.

Agents and endpoints
The Forescout product works primarily without agents, and therefore is able to handle the full range of devices brought into Wellington’s environment, including the game consoles and a growing population of Android smartphones and Apple iPads.

However, for the school’s population of nearly 1,000 Windows laptops, Whelton has opted to place agents on them because agents offer more granular control. As agents for other devices come available, as promised in the Forescout roadmap, he will use them too.

Now that the CounterACT system is deployed, its main benefit is its speed of operation. If any device is found to be unsafe, the user is informed and can be helped with remediation; for instance, being allowed to access the websites of key security vendors to download updates,

“We get devices online much faster. The posture checking is more streamlined,” Whelton said. “New devices are sent off into a registration VLAN, where they meet a homepage to log on. That kicks off the agent that puts them on the right VLAN according to who they are -- staff, pupils or guests.”