Network Access Control Is No Longer a Luxury on Campus

Today's bring-your-own-device phenomenon is nothing new for most campus IT professionals.

But the ability to protect systems and networks in the face of more mobile devices on campuses has improved. Integrating Network Access Control to ensure personal devices meet a college's security policies is a popular fix, and NAC capabilities have evolved significantly over the past several years.

Many organizations use NAC as part of a layered approach to providing network access and security, which makes sense. Users must first meet NAC security policy requirements before gaining network ­access. ­Mobile device management then takes over to further control a device's access privileges.

Early NAC solutions (circa 2002–2004) focused solely on tying a specific device, identified by the ­Media Access Control address, to a user. Administrators could easily see a ­device's owner and where that device was connected on the network, typically with the switch and port information. It was a huge step forward, and remains a core component of modern NAC systems today.

Security and policy enforcement came next (2004–2006). New devices are required to download and run a piece of software as part of the device registration process. The software checks a device's security posture for items such as an up-to-date A/V scanner and definitions, OS version enforcement and critical patches.

If a device does not meet ­policy, the NAC ­solution places the device on a limited access network, often with only enough access to remediate the system to ­ensure it meets security policies.

Smart Adoption

NAC can provide greater security controls around access to systems that house sensitive information, and can control whether a specific device should be placed on a privileged network. The policy can be applied dynamically so that no matter where the device connects, NAC will ensure the client is placed on the proper network.

A more recent NAC feature enables provisions for guest access, a must in almost every environment. Most treat their guest networks as untrusted, meaning traffic flows through the same firewall rules as traffic originating from outside networks (such as the general Internet). Some go so far as to limit the services or ports guests can use — for example, perhaps just HTTP and HTTPS.

Many NAC solutions provide ­automated, self-service guest portals that make the process of connecting quite simple. Automated guest portals often allow basic Internet access after a simple user information form and/or acceptance of an acceptable-use policy is completed. Automation makes the process easy for users and eliminates calls to the help desk.

Many organizations have specific hardware and security measures for users who require access to systems with sensitive information, such as tablets or notebooks with full-disk encryption. Some leverage virtual desktop infrastructure as an alternative to the daunting task of securing and controlling each mobile device.

A VDI instance can be a locked-down desktop environment, with ­access to sensitive information. ­Users can log in with a personal device to access and manipulate data through the VDI, eliminating the need for many of the most stringent scans and security programs on the user's personal device because the data resides on the VDI server instead.

The benefits are clear, but there's a human element needed too. Successful NAC implementations provide common-sense instructions on how to connect a device, stating whether any modifications will be made to a user's system.They also should state whom to call for help when problems arise.

With NAC, campuses can continue to take BYOD in stride.