Some college campuses are using an appliance to safeguard their networks, reports Greg Masters.
Every fall, Central Michigan University (CMU) faces the daunting challenge of hooking up over 7,000 new computers to its network in a matter of a few days. The main objective is to allow its incoming students, professors and staff to connect to the network quickly. However, the network administrators also must make sure that the laptops, desktops, iPods and gaming systems attempting to plug into the university network meet security requirements before being granted full access. With all these devices logging on, the risk of contaminating the network with viruses, spyware and non-compliant software present on the local devices is ever present.
Ryan Laus, associate network manager at CMU, says his team looked at solutions on and off for several years. “It was not a very big issue until Blaster and Nachi were released [August 2003] and networks everywhere were scrambling to try and get a handle on network security. Prior to this event, the quarantining of systems on campus was a manual process.”
As his team observed the networks of larger universities being crippled by these viruses, they quickly assembled a team of students armed with over 1,600 CDs containing all the latest Windows patches, a site-licensed anti-virus application and spyware removal tools. That fall term they documented over 850 virus-infected systems. And, Laus says, these were just the really bad ones. “One associate network manager did nothing but enable and disable ports for over three months, and that didn't count all the time spent by the other network managers and security administrators,” he says.
The team knew that this had to change, and that change started with system registration followed by some form of system remediation. “We came across Bradford Networks' solution the following spring and it was just what we had been looking for,” says Laus.
Campus Manager requires each device to register before being allowed access to the network. This identity management function -- which includes owner information for each device, the ability to map the device and user to a physical location, and a log of the user's and the device's connection activity -- provides the information necessary for isolating unwanted activity and adhering to regulations and policies. The solution allowed Laus's team to very quickly associate a problem system with a specific user. What used to take them a few hours, they could now do in a matter of seconds.
“With the limited resources we have, it has allowed us to do a lot more with less. Because Campus Manager talks to all our residence hall switches, this gives us the ability to apply policies to users no matter where they connect.” For example, if he has to disable an infected machine and the user tries to move ports, Campus Manager will recognize this and take action on the client regardless of what port the user plugs into.
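The behaviour described above, policy following the registered device rather than the switch port, as an added toy model in Python. This is constructed for illustration and is not Bradford Networks' code; the VLAN names, the posture keys `antivirus` and `patched`, and the MAC addresses are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    """A registered endpoint: identity, owner, and its connection history."""
    mac: str
    owner: str
    quarantined: bool = False
    connections: List[Tuple[str, int]] = field(default_factory=list)  # (switch, port)


class CampusNac:
    """Toy identity-based NAC (constructed example, not a real product's logic)."""

    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}

    def register(self, mac: str, owner: str) -> Device:
        """Registration ties the MAC to an owner so problems map to a person."""
        dev = Device(mac.lower(), owner)
        self.devices[dev.mac] = dev
        return dev

    def quarantine(self, mac: str) -> None:
        self.devices[mac.lower()].quarantined = True

    def release(self, mac: str) -> None:
        self.devices[mac.lower()].quarantined = False

    def connect(self, mac: str, switch: str, port: int, posture: Dict[str, bool]) -> str:
        """Decide the VLAN at link-up: registration, then quarantine, then posture."""
        dev = self.devices.get(mac.lower())
        if dev is None:
            return "registration"      # unknown device: captive registration VLAN only
        dev.connections.append((switch, port))   # log every location the device used
        if dev.quarantined:
            return "quarantine"        # disabled by an admin; follows the MAC to any port
        missing = [k for k in ("antivirus", "patched") if not posture.get(k)]
        if missing:
            return "remediation"       # posture failed; remediation VLAN with patch sources
        return "production"

    def owner_of(self, mac: str) -> Optional[str]:
        dev = self.devices.get(mac.lower())
        return dev.owner if dev else None
```

Because the decision is keyed on the registered MAC, a quarantined device that is moved to another residence hall port still lands in the quarantine VLAN, and the connection log shows where it has been.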
Joe Roth, network administrator at Binghamton University, agrees that it was the major outbreak of worms and exploits that really brought network security and end-user compliance to the forefront. It was time to begin ensuring that the machines brought onto the network were clean and up to date before allowing them access, he says.
“The basic thought process was that if we could bring them into the start of the semester clean and prepared to deal with a virus or worm outbreak, then maybe it would minimize the impact. Another benefit of the process was that our users were also receiving a certain amount of education in the endpoint security department. Having a user know what anti-virus software and patches are is crucial, and us checking for the presence of these types of things on their PC lets them know that it is important. It helps them take the initiative to keep their PC clean and up to date.”
Roth says that the Bradford Networks solution simplifies the idea of NAC on campus by providing a single point of interface for any web-based device, along with support for all three major operating systems and all major anti-virus vendors. In addition, he says the system remains vendor agnostic, so his team has no concerns about future support for any network equipment that they may deploy.