Keeping an Eye on the Network
UNLIKE CORPORATIONS, HIGHER EDUCATION institutions face unique challenges with IT security. As students arrive each semester with their own computers, many times their security devices are off, their anti-virus software is gone or simply outdated, and odd configurations abound.
"The challenge has always been how to take student laptops and bring them to a certain minimum level of health," says Steve Hanna, distinguished engineer at Juniper Networks and co-chair of the Trusted Network Connect Work Group, part of the nonprofit industry standards organization Trusted Computing Group. "It's important to identify machines whose defenses aren't up to snuff and get them fixed so you can have a stable network." Not to mention, the open information-sharing environment of a university encourages all kinds of people outside the campus to access the network as well. The business driver for Network Access (or Admission) Control (NAC) focuses on protecting information resources on the network, which face growing security risks. It involves policies such as pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network. NAC in the education world primarily focuses on dealing with student-owned assets and access control issues on an open network. Hanna says NAC relieves the "first-week phenomenon" when students move in by automating the health check and remediation process. The NAC approach aims to keep student laptops healthy and maintained throughout the year. For that reason, Hanna believes it's easy to justify the purchase of an NAC tool in a campus environment.
"The burden placed on the IT staff in the first week of school-it's just impossible to meet successfully," Hanna says. "You can't take thousands of students through a manual process checking their machines ... but yet you also can't feasibly deal with the situation when the network becomes unstable or too dangerous to use because infected machines are coming back on campus."
Hanna says the growing trend in the last few years toward using NAC on college and university campuses is partly related to the availability of more commercial products. Going back 10 years, NAC campus pioneers created their own tools. Today IT folks can purchase off-the-shelf products from vendors with support, which makes the deployment much easier from an administrative standpoint.
One emerging trend in NAC for colleges, Hanna says, is integrating other security functions with NAC, which after all is a combination of technologies mixed together to increase the level of control. It's not just a product to purchase. Rather than maintaining isolated silos for intrusion detection, firewalls, and such, the trend is integrating the security component by moving to open standards. Increased maturity and broader endpoint integration are two other trends affecting the future of NAC in education, Hanna says.
Experts recommend that NAC deployment be used for the right reasons. Executives at Juniper Networks point out that institutional leaders must understand the problem and goals before deploying an access control solution. Is the goal to protect the network from malware, such as worms, viruses, Trojan horses, and spyware introduced by managed or unmanaged devices? To increase the flexibility of the network to safely allow access for a variety of user types? To restrict access to specific data and applications based on user roles? To gain visibility into network activity and correlate to specific users? All of these needs can require unique solutions and approaches to deploy NAC tools. Technology research and advisory firm Gartner defines three NAC common approaches as infrastructure-based, endpoint software-based, and network security appliance-based.
Infrastructure-based NAC focuses on upgrading the network or operating system infrastructure to garner integrated NAC functionality. Microsoft and Cisco are big players in this approach. Homogeneous campus environments-those that support just one network vendor-are a good fit for this solution.
Advantages: A single-vendor approach avoids the problems caused by incompatible systems and network switches. It's also a cost-effective way to reduce maintenance expenses and system upgrades.
Disadvantages: This solution requires users to upgrade their hardware and/or operating system, which can be a major expense, especially when legacy systems or those by other vendors must be replaced.
A PROGRAM REQUIRING ALL incoming freshmen to bring wireless notebooks to school, launched in fall 2004, spurred the interest in an NAC solution among the IT folks at Bridgewater State College. They wanted to ensure the integrity of the network at the campus, which has 10,000 students, without having to install administrative software, such as a VPN client.
After evaluating products, the Technology, Systems, and Networking group added Cisco Network Admission Control, a gateway that requires all wireless users to authenticate through a box-a Linux server that acts as an inline gateway connected to the Cisco switch network in two locations. If the user's credentials are correct, the box interrogates the laptop verify that it's running a copy of a current virus program, that Windows firewall is enabled, and that updates are enabled.
In the first three years of Bridgewater State's notebook initiative, the Technology, Systems, and Networking group tried several Remote Authentication Dial-In User Service (RADIUS) solutions. The recent addition of Identity Engines' Ignition Server provided a better RADIUS environment and an autoconfigure feature, says Patrick Cronin, associate vice president in the Technology, Systems, and Networking group. This makes configuration a snap, says Cronin. Students don't have to go to the support counter to get on the network anymore; instead, they use an easy wireless setup.
Cronin believes the NAC solution, which cost in the $75,000 to $100,000 range, is a good investment, because the Identity Engines piece provides the campus the protection it needs and wants.
"We've never had the wireless or administrative network go down due to viruses, because we have the appropriate protection," Cronin relates.
Bridgewater's wireless campus is authenticated using the 802.1x access protocol that was designed specifically to enhance the security of wireless local area networks. It is easily configured and managed to enforce the college's access policies. With the solution, the technology group reduced the time it took to bring new students onto its secure network by up to 75 percent in some cases. It also eliminated virtually all calls to the help desk related to wireless network access and network client configuration.
This NAC approach focuses on protecting the client through posture checks and malware containment before signing on the network. This typically involves installing an agent on the endpoint to accomplish this. A few players in this space are Symantec and Sophos.
Advantages: This method is the least intrusive when an unauthenticated user tries to access the network. It operates in the background to gather and provide updated client information to the policy server. Often it is easier to enforce policies as they evolve and new threats arise.
Disadvantages: This approach adds the additional cost and complexity of installing software and adding another management console, according to Gartner.
ANOTHER BENEFIT OF USING NAC solutions is the ability to control what kind of information is being moved across the network. The systems can be set to scan information packets for telltale signs of digital music or movie files, and can be "dialed down" to limit the flow of that kind of data. Since 2005 at Temple University in Philadelphia, a NAC solution dramatically changed the security landscape for its 34,000 students. Administrators did not get charged with a single peer-to-peer (P2P) copyright violation in the fall 2007 semester, when past semesters averaged several hundred. Just one "zero day outbreak" virus-which can be vicious, since antivirus protection doesn't exist yet for these types of threats-has happened in the past two years.
Temple officials began exploring an NAC solution in 2005 after unprotected personal computers in residence halls started getting virus outbreaks due to the advent of adware and spyware. Machines slowed to a crawl because of the infections, and students tried to fix them through a rebuild, neglecting to use the anti-virus software mandated by the university in 2004. In the process, these computers emerged as unsecure, unpatched systems.
"The biggest threats we have are people who shut down their anti-virus or don't upgrade," says Seth Shestack, assistant director of information security at Temple. "We have an automatic patching system for university-owned machines, but we can't do that for personal machines."
Shestack formed a project team that explored five different NAC solutions. The Symantec Sygate Enterprise Protection fit the university's environment the best, he says.
The NAC solution was rolled out on 5,600 computers on the residence hall network. Students downloaded the NAC solution as part of their registration process through the "Get Connected" security policy program. The server provides a quarantine-only address that directs students to just one place where they authenticate with a user ID and password. As part of registration, they download an executable that rolls up Symantec Anti-Virus 10 and Symantec Sygate Enterprise Protection 5.16. The system is then scanned. If everything is up to date, they register with an NAC address. Once students agree to the security policies, they will be allowed network access. If they fail, the solution will remediate whatever is missing. This streamlined process helps students safely and easily connect to the internet and the campus network.
"We adopted it, rolled it out, and were very successful with it, which is why we continue along the same path," Shestack states.
In fall 2007, the information security group added 2,500 additional workstations in campus computer labs. The next stage is migrating and updating to Symantec's latest product, Symantec Endpoint Protection 11.0, which offers new features and functionality. By the end of May 2008, all campus computers will have the new NAC upgrade.
The technology folks have experienced tremendous labor savings with the NAC solution by reducing virus outbreaks to one in two years. A major virus attack at Temple required a SWAT team staff of 30-two weeks, full time-to mitigate and erase the virus. And these crisis modes used to happen several times a year.
"This is a tremendous increase in efficiency, because people don't have to be taken off other tasks to do SWAT team missions, pulling viruses off computers," Shestack says. "We had our entire cost recouped in a year from our initial implementation, which includes reduction of time to investigate peer-to-peer complaints and time saved to mitigate virus outbreaks."
According to the October 2006 Gartner report "Network Access Control Decision Framework," appliance-based solutions are often the best choice for universities and other "loosely-managed, highly distributed, heterogeneous, budget-constrained environments." Guest machine access tends to drive the short-term need for NAC in these institutions, and these products can limit exposure with a low-level of investment. A few of the players in this space include ForeScout, Bradford Networks, StillSecure, Mirage Networks, Enterasys, and Lockdown Networks.
Advantages: Appliance-based NAC products offer ease of deployment and potential cost savings over infrastructure-based deployment.
Disadvantages: These solutions can be the least robust and don't off er as many features, according to industry experts.
THE IT FOLKS AT UNC DESCRIBE NAC AS a logical extension of many things they were already doing-not something they added to solve a certain problem. "We've been heading toward NAC and understood its implications long before it ever hit the market," says Mike Hawkins, UNC's associate director of networking. "It's really identity more than anything else-who are you, what are you doing nasty, and how can we keep you out of the network."
As a large campus with 28,000 students and 10,000 faculty and staff members, everything runs on the network-door locks, medical equipment, power devices, vending machines-not just users who log in to the network. As a result, the networking group selected Media Access Control (MAC)-based authentication versus 802.1x authentication because it's a richer way to get a handle on who is on the network.
One component that differentiates access control technologies is where that control takes place. Different vendors have different types and different places. UNC has NAC at the edge of the network on all switches that users are attached to.
"If you don't check at the edge in a big network like ours, you risk it getting out of control," Hawkins says. "It's actually a design philosophy we had before NAC. I think that's an important criterion if you're talking about a big network-and one of the big motivating factors we had for getting network access control."
The institution was one of the first beta testers of the hardware and software that make up Enterasys' NAC solution. The beta and pilot in production led to deployment of NAC Manager Software, which provides centralized administration of Trusted Access Gateways, all switches, all users, and all things pushed out to control traffic. UNC purchased 20 Enterasys NAC Trusted Access Gateway appliances that can talk to 400 to 500 switches on campus. The program was deployed in the late spring and early summer of 2007 across 4,000 switches, which took about three months. UNC's network access control solution cost around $120,000, which covered the Trusted Access Gateway appliances.
Once the hardware was installed, the challenge was touching every switch and configuring every port a user would be on, says Hawkins. Many of UNC's older generation switches are not scriptable, so that required manually setting them up rather than running a script.
The results to date have proven extremely successful. Networking folks in the university can pinpoint the exact location of users and their connection history in less than two minutes, which enables UNC to ensure compliance and accelerate the mean time to repair. They can script and isolate hundreds of users off the network in less than five minutes, which used to take half a day for the entire staff in the past. Hawkins believes UNC is way ahead of the curve in identifying threats on campus and handling them quickly.
"I can find devices on my network-at the very edge of my network," Hawkins says. "When I can find devices, I can control what these devices are doing. Our security folks love this. And by the way, I do sleep well at night!"
<em>Vicki Powers is a freelance writer based in Houston who often covers technology issues.</em>