If you think your users are a problem, just imagine trying to stop more than 900 curious and intelligent schoolchildren, most with their own laptop machines, from bringing your network to a grinding halt.
That is the challenge facing Mark Gosden, network manager at Sutton Valence School in Kent, whose job it is to provide an efficient network service for school staff and pupils.
Founded in 1576, Sutton Valence is a co-educational independent day and boarding school for children aged 3 to 18. The school is split over two sites a mile apart, linked by a 100 megabytes per second (MBps) fibre optic link. Around 1000 devices may be attached to the wide area network at any one time. Many of these will be laptops brought in by pupils or guest speakers, which need to be checked before being allowed on to the network.
Until recently, Gosden adopted what he admits was a "piecemeal approach" which relied on loading a small application on to everyone's machine to check that each had an up-to-date version of Sophos antivirus running.
This meant he had to buy enough Sophos AV licences not only for staff on the school network, but also for all the students' laptops, which was proving expensive. "The little piece of software was pretty crude," he said. "It just blocked drive access if Sophos was not present or up to date. That was just done on file, date and time – so it was easily circumvented, unfortunately."
Gosden decided that with the expense of the Sophos licences and the rather crude approach to device checking, he needed to adopt a more effective network access control method.
Having decided to go for an appliance, which would be easier to manage, he looked at two NAC products: one from Bradford Networks Inc., and the other from Forescout Technologies Inc.
Although Bradford Networks had a specialist NAC product for the education market, Gosden felt both companies would be able to deliver what he needed. "There was little to choose between the Forescout and Bradford devices, but to be brutal, Forescout's was cheaper. We didn't have a huge requirement -- we just wanted a device that would sit on the network and scan any machine that sat outside of our Active Directory domain and allow them network access as long as they had up-to-date antivirus software, and were not flooding the network with junk. Beyond that, everything else was a bonus," Gosden said.
In the summer of 2008, Gosden installed Forescout's CounterACT CT-1000 NAC appliance. "The support we had from Forescout was very good. They did the majority of the implementation and configuration. I have the admin console which I look at occasionally, but once you set the rules in the device, the device really looks after itself."
Since then, the system has needed very little management. Working against a list of known antivirus packages (not just Sophos as before), it checks any new device to make sure it has AV and that it is up to date.
"I only had to make a change when a couple of the kids were using AV software from F-Secure, which wasn't on the list of defined AV applications in the Forescout box. We just added those in, which Forescout showed me how to do. Once that was done, the users were allowed through," Gosden said.
The system either allows or blocks users, and does not attempt to carry out remediation work. "It works by mirroring all the network traffic through to itself from one of the ports on the switch. If it sees anything suspicious, it will block that person off completely with appropriate Web-based warnings," Gosden said.
He said he prefers the students to look after their own machines. "For the last couple of years we have been going through a programme of education rather than prevention with the kids. They are increasingly IT literate when they come to the school. So we are trying to put as much of the onus on them," he said.
"They are now quite capable of updating their own antivirus, for example, whereas three or four years ago, we would have had to do more of it for them."
That independence of spirit has a downside too, of course. For example, URL blocking is "an ongoing battle" as the kids find ways of bypassing the filtering system from Websense Inc., usually by the use of anonymous proxies. "Websense works pretty well, but the kids are adept at finding ways around it if they want. It takes 24 hours for Websense to update all the latest proxy sites. So it's a manual task for us to check the logs to see if a lot of kids are heading for a site that looks a bit odd. It's just something we live with at the moment."
However, the presence of the CounterACT appliance will at least ensure the network stays operational by analysing traffic flows and blocking anything that looks suspicious. "It analyses the packets as they pass through, and for example, if it sees traffic flooding from one device on the network to one of our servers, it would certainly stop that for us, and the user would lose his or her connection."
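As an added illustration (not code from the article, from Forescout or from the school), a small Python model of the allow-or-block policy described above: devices outside the domain must run an antivirus product on the known list with recent signatures, and any device seen flooding a server through the mirrored traffic is cut off. The AV list, the three-day freshness rule, the packet threshold, the addresses and the sample devices are assumptions constructed for the example; CounterACT's real rule syntax is not on the page.

```python
from collections import Counter
from datetime import date, timedelta

# Hypothetical model of the policy the article describes; CounterACT's real
# rule syntax is not on the page, so these names and thresholds are assumptions.
KNOWN_AV = {"Sophos", "F-Secure"}        # the defined-AV list, with F-Secure added
MAX_SIGNATURE_AGE = timedelta(days=3)    # assumed meaning of "up to date"
FLOOD_THRESHOLD = 500                    # assumed packets to one server per window

def posture_decision(device, today):
    """Allow or block only; no remediation, as in the article."""
    if device.get("ad_domain_member"):
        return "allow"                   # domain machines are not scanned
    if device.get("av_product") not in KNOWN_AV:
        return "block: AV missing or not on the known list"
    if today - device["av_signature_date"] > MAX_SIGNATURE_AGE:
        return "block: AV signatures out of date"
    return "allow"

def flood_offenders(mirrored_packets, servers):
    """Count mirrored (src, dst) packets per server and flag flooding sources."""
    counts = Counter(p for p in mirrored_packets if p[1] in servers)
    return {src for (src, _), n in counts.items() if n > FLOOD_THRESHOLD}

def access_decisions(devices, mirrored_packets, servers, today):
    flooding = flood_offenders(mirrored_packets, servers)
    decisions = {}
    for dev in devices:
        verdict = posture_decision(dev, today)
        if dev["ip"] in flooding:
            verdict = "block: flooding a server"   # traffic check overrides posture
        decisions[dev["ip"]] = verdict
    return decisions

# Constructed sample data: one domain PC, four pupil laptops, one file server.
TODAY = date(2008, 9, 1)
SERVERS = {"10.0.0.5"}
SAMPLE_DEVICES = [
    {"ip": "10.0.1.10", "ad_domain_member": True},
    {"ip": "10.0.1.11", "av_product": "Sophos", "av_signature_date": TODAY - timedelta(days=1)},
    {"ip": "10.0.1.12", "av_product": "F-Secure", "av_signature_date": TODAY - timedelta(days=10)},
    {"ip": "10.0.1.13", "av_product": "ClamWin", "av_signature_date": TODAY},
    {"ip": "10.0.1.14", "av_product": "Sophos", "av_signature_date": TODAY},
]
# 600 mirrored packets from .14 to the server (a flood), 20 from .11 (normal).
SAMPLE_PACKETS = [("10.0.1.14", "10.0.0.5")] * 600 + [("10.0.1.11", "10.0.0.5")] * 20
if __name__ == "__main__":
    for ip, verdict in access_decisions(SAMPLE_DEVICES, SAMPLE_PACKETS, SERVERS, TODAY).items():
        print(ip, verdict)
```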