University Business - March 2008 - (Page 56)

situation when the network becomes unstable or too dangerous to use because infected machines are coming back on campus.”

Hanna says the growing trend in the last few years toward using NAC on college and university campuses is partly related to the availability of more commercial products. Going back 10 years, NAC campus pioneers created their own tools. Today IT folks can purchase off-the-shelf products from vendors with support, which makes the deployment much easier from an administrative standpoint.

One emerging trend in NAC for colleges, Hanna says, is integrating other security functions with NAC, which after all is a combination of technologies mixed together to increase the level of control. It’s not just a product to purchase. Rather than maintaining isolated silos for intrusion detection, firewalls, and such, the trend is integrating the security component by moving to open standards. Increased maturity and broader endpoint integration are two other trends affecting the future of NAC in education, Hanna says.

NAC Decision-Making Tips

Vendor representatives were asked to offer advice on making an NAC purchase decision. Here’s what they said.

• Go for interoperability. The reality is, most higher education IT departments have limited funding. One significant factor in evaluating an NAC solution, say reps at ForeScout Technologies, is the amount of interoperability the system has with the existing infrastructure. A flexible NAC offering will allow the school to integrate the NAC functionality without any significant restructuring or infrastructure upgrades.

• Don’t expect immediate implementation. Reps of StillSecure caution network administrators and IT directors not to think they can just throw a switch and turn on NAC. This NAC vendor recommends a best-practices phased approach to implementing NAC, which starts with passive endpoint testing, then moves to endpoint remediation, evolves into manual quarantining of unhealthy endpoints, and then finally results in a full-blown roll-out of automated quarantining. This process will keep help desk calls and administrative headaches to a minimum.

• Consider the user experience. Another consideration for higher education institutions is getting students to accept having any barrier on their connectivity to the network, say Nortel Networks representatives. This requires a solution that is as transparent as possible to end users, while still offering a good level of security and enforcement.

Three Approaches to NAC

Experts recommend that NAC deployment be used for the right reasons. Executives at Juniper Networks point out that institutional leaders must understand the problem and goals before deploying an access control solution. Is the goal to protect the network from malware, such as worms, viruses, Trojan horses, and spyware introduced by managed or unmanaged devices? To increase the flexibility of the network to safely allow access for a variety of user

Infrastructure-Based NAC at Bridgewater State College (Mass.)

A PROGRAM REQUIRING ALL incoming freshmen to bring wireless notebooks to school, launched in fall 2004, spurred the interest in an NAC solution among the IT folks at Bridgewater State College. They wanted to ensure the integrity of the network at the campus, which has 10,000 students, without having to install administrative software, such as a VPN client.

After evaluating products, the Technology, Systems, and Networking group added Cisco Network Admission Control, a gateway that requires all wireless users to authenticate through a box—a Linux server that acts as an inline gateway connected to the Cisco switch network in two locations. If the user’s credentials are correct, the box interrogates the laptop to verify that it’s running a copy of a current virus program, that Windows firewall is enabled, and that updates are enabled.

In the first three years of Bridgewater State’s notebook initiative, the Technology, Systems, and Networking group tried several Remote Authentication Dial-In User Service (RADIUS) solutions. The recent addition of Identity Engines’ Ignition Server provided a better RADIUS environment and an autoconfigure feature, says Patrick Cronin, associate vice president in the Technology, Systems, and Networking group. This makes configuration a snap, says Cronin. Students don’t have to go to the support counter to get on the network anymore; instead, they use an easy wireless setup.

Cronin believes the NAC solution, which cost in the $75,000 to $100,000 range, is a good investment, because the Identity Engines piece provides the campus the protection it needs and wants.

“We’ve never had the wireless or administrative network go down due to viruses, because we have the appropriate protection,” Cronin relates.

Bridgewater’s wireless campus is authenticated using the 802.1x access protocol that was designed specifically to enhance the security of wireless local area networks. It is easily configured and managed to enforce the college’s access policies. With the solution, the technology group reduced the time it took to bring new students onto its secure network by up to 75 percent in some cases. It also eliminated virtually all calls to the help desk related to wireless network access and network client configuration.

Maintaining a clean network is as important to officials at Bridgewater State as maintaining a clean campus.