College learns lessons in choosing the right NAC appliance

After deciding to open up the wireless network to students, Tim Hanks of Stroud College realized he would need to install a NAC appliance to make sure the network stayed secure. Find out what he chose and why he chose his particular NAC appliance.

Late last year, Tim Hanks, IT services manager at Stroud College in Gloucestershire, decided to open up the school's wireless network to students who wanted to use their own computers on campus.

The campus-wide network, consisting of 22 access points, had previously been reserved for staff and got limited usage, so it made sense to make it available to more users.

But that immediately raised the question of how to manage a bunch of guest computers, when there was no way of knowing what security, if any, they were running. The machines could contain all sorts of viruses, their antivirus software might be out of date, or completely absent, and their configurations would be completely out of the control of the college.

More on NAC appliances
Understand the differences in network access control solutions

What should happen to users and devices that fail NAC policies?

NAC and endpoint security: The hard questions
Hanks wanted to encourage students to make use of the new network access capabilities, but he needed to ensure that no infected devices would be able to use the Wi-Fi network to pass on malware to the rest of the college.

"Students are very challenging individuals who will come up with ways of doing things. We have always had to be quite careful," Hanks said. "But we wanted to open up our wireless network so that students could bring in their own kit. We don't have a huge IT department, so we wanted a low administrative overhead."

The college is housed in a modern building, with a site-wide wired network that serves staff and students, but the wireless network was used only by staff with computers that had been configured and protected by the college.

Hanks realised that if he was going to turn this protected environment into one that could support any type of client machine, he would need to build in some extra defences. "I knew that I'd need some kind of network access control (NAC) system, but at that time I had not identified any products that could do the job," he said.

He also knew that in order to justify any expense, any product would need to protect not only the wireless network but also the college's wired network as well. "We had to make sure the investment paid for itself so anything we chose had to cover the corporate wired network as well," he said.

But finding an appropriate NAC product proved difficult. "There are some fantastic solutions on the market," Hanks said, "but with each product, we would always find one reason why it wouldn't work for us."

For instance, some products required certificate servers, backup servers and an array of other controls to operate effectively. With limited budget and resources, Hanks felt such elaborate implementations would be impractical. "That was all very good in theory, but in a college that's just not going to happen."

He scoured the market, looking at contenders such as Hewlett-Packard Co., Cisco Systems Inc. and Bradford Networks Inc., which specialises in network security products for the educational market. "We looked at everything from traditional RADIUS servers upwards, including open source products such as Packet Fence," he said, but none of them seemed quite to fit the bill.

Then, while attending an educational group meeting, he was introduced to Forescout Technologies Inc. and decided to see a demonstration of the company's CounterACT NAC appliance.

He liked what he saw. "It fit into our infrastructure really well, which was a nice surprise, and it has some nice intrusion detection features," he said.

The key advantage for Hanks was that CounterACT continues to scan devices even after they have been admitted on to the network. By contrast, some other NAC products scan connected devices at logon, and then do no further checking once the device is connected.

With his small IT team, Hanks wanted to avoid installing software on users' computers or devices. "We don't want to be their IT support department," he said. "We don't want a high level of control over the students' own machines. We just want to be able to disable them if they do something they shouldn't."

The CounterACT appliance allows Hanks to apply different policies to the college-owned computers and as well as guest machines.

The PCs owned by the college are checked at logon to make sure their Kaspersky antivirus (AV) software is up to date, and they are properly configured. In addition, the system remediates any problems by automatically updating the AV.

"It means we have control of Linux, Mac and Windows machines, and they are all controlled from one monitor," Hanks said. "For our domain-connected computers, we can also send out browser pop-ups to drive home any messages to users. We can also double-check that WSUS (Windows Server Update Services) patches have been successfully applied."

For guest machines, instead of checking their configuration upon sign-on -- looking for features such as up-to-date AV software, or a working firewall -- the system monitors the behaviour of the device. At logon, the user and the (MAC) address of the computer are authenticated against the central Active Directory, and they are then allowed on to the network, provided no problems are found.

"This is where we use the IDS functionality of the Forescout device," Hanks said. "It looks for any malicious activity and this is registered through the main console and alerts us. We can then firewall it off and disable the machine."

The Stroud College experience illustrates how NAC products have developed in the space of just a few years. As Jeff Wilson, a principal analyst at Kent-based Infonetics Research Inc. explained in a recent white paper on the subject: "Network access control has changed a lot in the last six years, and many companies are missing out on what NAC can do for them because they're thinking of 2003 NAC instead of 2009 NAC. Today's NAC solutions gather more data, provide more information, and fit more use cases. Advances in the intelligence of NAC solutions have transformed NAC from a simple tool for preventing the spread of malware to a rich source of knowledge and a powerful security policy enforcement engine."

So far, around 20 students have signed up to use the network, and Hanks has been surprised by the range of devices. "We've had Windows laptops, of course, but also a few Macs, plus some iPhones and smartphones running the Android operating system," he said.

None of them have caused any problems so far, so he is pleased with the results. "The appliance was easy to install -- a lot easier than the documentation led us to believe -- and it integrated easily with our Active Directory," he said.

The device was configured initially in listening mode, allowing Hanks and his team to examine the traffic running on the network. "It was a scary moment turning it from listen-only to active, but it was not a problem," he said. "As we start to turn up some of the more draconian measures, we can do that without bringing the whole system to its knees.

"There are so many [configuration] options; you can spend a lot of time fine-tuning."

The only installation small hiccup came when the CounterACT product was trawling the network to find attached devices, and it mistook a Kyocera multifunction printer for a VoIP phone; the fault was quickly fixed.

Hanks next big challenge, he said, will be to support a new mobile learning programme using gaming consoles, which may need to connect to the network. But for the moment, he said, the network is ready for any strange device the students have to offer.

Read more on Network security management