Oct 08 2008

Who Are You?

Universities use NAC to pinpoint identities and strengthen security.

The University of North Carolina at Chapel Hill realized it was only a matter of time before it got hit with a very bad bug. The next attack wouldn't afford the luxury of response time. The school had to act.

“In the past, we dealt very effectively with large-scale virus outbreaks,” says Mike Hawkins, associate director of networking. However, the university hasn't coped with a major malware outbreak since the pre-Windows XP SP2 days. A lot has changed since then. “Going forward, we knew that we would have to respond almost instantly to contain attacks,” Hawkins says.

Pinpointing the source of infection slows the mitigation process. With legacy security solutions, users are either in or out of the network. Once someone logs in successfully, even with weak protection provided by user names and passwords, security can lose track of them, putting the entire network at risk.

While most universities have some sort of traffic inspection in place, they aren't thorough in monitoring users already inside the network. When an infection occurs, a number of questions need to be answered to find and contain it: Which user is responsible? What network privileges does that person have? Which device was compromised? Does that device have its own security up and running? Where on the campus, physically, is the machine located?

Traditional network security can't answer these questions precisely, because stopping an infection with such technology involves either a blunt blocking process or a long, slow, laborious search.

Network Access Control (NAC), an emerging security technology, aims to correct that problem. Colleges and universities that want to make their networks more secure from a growing number of external and even internal threats see the technology as a way to better manage security.

Simply defined, NAC trusts neither users nor end-points. It doesn't accept individual user identification alone, requiring both users and end-points to do more to prove they are who or what they say they are.

Beyond those basics, defining NAC becomes more complicated, with diverse manufacturers such as Cisco, Enterasys, Hewlett-Packard, Juniper and Microsoft deploying different architectural strategies, authentication methodologies, levels of policy granularity and client-side software requirements.

NAC solutions, depending on their sophistication, can enable IT to perform a range of tasks, from scanning notebooks as they enter the network to verifying users' credentials with authentication servers. NAC applies preadmission policies based on role and device status or post-admission policies based on such factors as a user's physical location or what time of day the network is accessed.

What About Devices That Don't Log In?

“What gets lost in all the talk about authentication is that many devices besides computers get hacked,” Hawkins says. “Printers are a favorite target of hackers because people don't keep up with the firmware. Printers don't authenticate anywhere, yet we need to be able to locate and react to those kinds of threats.”

Most large networks have more nodes that don't log in than nodes that do. If a printer starts to behave like a mail server at UNC Chapel Hill, its NAC will quarantine it.

According to Robert Whiteley, principal analyst and research director for Forrester Research, some NAC solutions take a shortcut when it comes to nonauthenticating devices. “Pre-admission NAC architectures often require IT to white-list devices like faxes and printers. That approach is not sufficient,” he says.

White-lists usually rely solely on spoofable MAC and IP addresses. Whiteley advocates NAC solutions with post-admission policy engines that look for aberrant behaviors.

“Behavior-based enforcement says that if a device is a printer, it shouldn't be making a thousand connections per second. A printer wouldn't act like that,” he says.

Soft Savings

Post University in Waterbury, Conn., soon discovered it could recover initial costs because NAC shields IT from labor-intensive chores. The fall 2008 semester will be the first time that the university's four-person IT staff won't have to manually verify each and every student notebook before granting access.

In the past, Post's IT staff would spend move-in days in residence halls. They had to manually check that patches were current, configure Windows to update automatically, install antivirus protection and make sure the subscription would last through the year.

To complicate matters, as students realized later in the semester that the antivirus protection slowed their computers, many were tempted to turn it off. Not only did this nullify the labor involved in installing the security, it also meant that IT had no way of knowing which student computers were at risk for infection.

Post University ran a NAC pilot program with summer school students and visitors. It worked flawlessly. “While we can't concretely pin down ROI, starting this fall we'll save at minimum those two days where the staff did nothing but verify student computers,” says Chris Medeiros, Post University's ICT infrastructure manager.

Medeiros and Michael Statmore, director of university IT, point to additional “soft savings.” When a device is not in compliance, for example, NAC directs students to a remediation page where they can solve many problems – such as turning antivirus security back on or extending a subscription – without calling the help desk. For more complicated problems, such as removing malware, students can at least determine what's wrong before calling for help, and in the meantime, the device is quarantined.

For a school with an IT staff of four that serves a user base of 1,200 students, faculty and staff, the choice is obvious: Use NAC tech­nology to automate cumbersome security processes or risk falling hopelessly behind in the fight against sophisticated hackers and new types of malware.

“What people don't realize before they deploy NAC is that it enforces good computing habits,” Medeiros says. You can't put a dollar amount on that, but for many universities it's the benefit that's worth the most.

Four Steps to a Successful NAC Deployment

  1. Build a business case based on securing both student/faculty and guest access.
  2. Identify and prioritize all the scenarios that warrant access control.
  3. Kick off a phased deployment with escalating enforcement actions.
  4. Avoid common implementation mistakes, such as choosing products that lack rich identity capabilities. SOURCE: Robert Whiteley, Forrester Research

In Need of Some Restraint

Dormitories (and students who live in them) present particularly tough security problems, especially with peer-to-peer transmissions. Network access controls can block such traffic from students' computers.

“When you're dealing with students in residence halls, one of the main challenges is expectations,” said Dr. William H. Doyle, vice president for IT Services at Bethel University in St. Paul, Minn.

“In a business setting, the equipment belongs to the employer, so employees expect a certain level of control. With students, on the other hand, they own the equipment. The residence hall is where they live, and it is difficult for them to accept any kind of monitoring or restraint.”

One of the most necessary restraints is on copyrighted material. Pending legislation could require universities to take steps to prevent the unlawful duplication of copyrighted music, movies and other media.

Bethel University's NAC solution blocks peer-to-peer traffic based on roles and settings. That lets the university stop students from pirating songs without blocking legitimate academic peer-to-peer applications. “We're able to stop pirating without hurting scholarship,” Doyle says.