University Business - March 2008 - (Page 57)

Endpoint Software-Based NAC at Temple University (Pa.)

ANOTHER BENEFIT OF USING NAC solutions is the ability to control what kind of information is being moved across the network. The systems can be set to scan information packets for telltale signs of digital music or movie files, and can be “dialed down” to limit the flow of that kind of data.

Since 2005 at Temple University in Philadelphia, a NAC solution dramatically changed the security landscape for its 34,000 students. Administrators did not get charged with a single peer-to-peer (P2P) copyright violation in the fall 2007 semester, when past semesters averaged several hundred. Just one “zero day outbreak” virus—which can be vicious, since antivirus protection doesn’t exist yet for these types of threats—has happened in the past two years.

Temple officials began exploring an NAC solution in 2005 after unprotected personal computers in residence halls started getting virus outbreaks due to the advent of adware and spyware. Machines slowed to a crawl because of the infections, and students tried to fix them through a rebuild, neglecting to use the anti-virus software mandated by the university in 2004. In the process, these computers emerged as unsecure, unpatched systems.

“The biggest threats we have are people who shut down their anti-virus or don’t upgrade,” says Seth Shestack, assistant director of information security at Temple. “We have an automatic patching system for university-owned machines, but we can’t do that for personal machines.”

Shestack formed a project team that explored five different NAC solutions. The Symantec Sygate Enterprise Protection fit the university’s environment the best, he says.

The NAC solution was rolled out on 5,600 computers on the residence hall network. Students downloaded the NAC solution as part of their registration process through the “Get Connected” security policy program. The server provides a quarantine-only address that directs students to just one place where they authenticate with a user ID and password. As part of registration, they download an executable that rolls up Symantec Anti-Virus 10 and Symantec Sygate Enterprise Protection 5.16. The system is then scanned. If everything is up to date, they register with an NAC address. Once students agree to the security policies, they will be allowed network access. If they fail, the solution will remediate whatever is missing. This streamlined process helps students safely and easily connect to the internet and the campus network.

“We adopted it, rolled it out, and were very successful with it, which is why we continue along the same path,” Shestack states.

In fall 2007, the information security group added 2,500 additional workstations in campus computer labs. The next stage is migrating and updating to Symantec’s latest product, Sygate Enterprise Protection 11, which offers new features and functionality. By the end of May 2008, all campus computers will have the new NAC upgrade.

The technology folks have experienced tremendous labor savings with the NAC solution by reducing virus outbreaks to one in two years. A major virus attack at Temple required a SWAT team staff of 30—two weeks, full time—to mitigate and erase the virus. And these crisis modes used to happen several times a year.

“This is a tremendous increase in efficiency, because people don’t have to be taken off other tasks to do SWAT team missions, pulling viruses off computers,” Shestack says. “We had our entire cost recouped in a year from our initial implementation, which includes reduction of time to investigate peer-to-peer complaints and time saved to mitigate virus outbreaks.”

Photo caption: Computers such as those at Temple’s TECH (Teaching, Education, Collaboration and Help) Center are equipped with antivirus protection.

types? To restrict access to specific data and applications based on user roles? To gain visibility into network activity and correlate to specific users? All of these needs can require unique solutions and approaches to deploy NAC tools. Technology research and advisory firm Gartner defines three common NAC approaches as infrastructure-based, endpoint software-based, and network security appliance-based.

Infrastructure-Based NAC

Infrastructure-based NAC focuses on upgrading the network or operating system infrastructure to garner integrated NAC functionality. Microsoft and Cisco are big players in this approach. Homogeneous campus environments—those that support just one network vendor—are a good fit for this solution.

• Advantages: A single-vendor approach avoids the problems caused by incompatible systems and network switches. It’s also a cost-effective way to reduce maintenance expenses and system upgrades.

• Disadvantages: This solution requires users to upgrade their hardware and/or operating system, which can be a major expense, especially when legacy systems or those by other vendors must be replaced.

Endpoint Software-Based NAC

This NAC approach focuses on protecting the client through posture checks and malware containment before signing on to the network. This typically involves installing an agent on the endpoint. A few players in this space are Symantec Sygate Enterprise Protection and Sophos.

• Advantages: This method is the least intrusive when an unauthenticated user tries to access the network. It operates in the background to gather and provide updated client information to the policy server. Often it is easier to enforce policies as they evolve and new threats arise.
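
The posture-check flow described above (quarantine first, authenticate, scan, remediate, then admit once the security policy is accepted) can be sketched as a policy-server decision. This is an added example, not part of the original article or of any vendor's product; the field names, the seven-day signature threshold and the sample endpoint are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=7)  # hypothetical policy value

@dataclass(frozen=True)
class Posture:
    """Constructed report an endpoint agent might send to the policy server."""
    authenticated: bool
    agent_installed: bool
    av_running: bool
    signatures_dated: date
    os_patched: bool
    policy_accepted: bool

def evaluate(p, today):
    """Return (network, outstanding steps); fail closed to quarantine."""
    if not p.authenticated:
        return "quarantine", ["authenticate"]
    if not p.agent_installed:
        return "quarantine", ["install agent"]
    fixes = []
    if not p.av_running:
        fixes.append("enable antivirus")
    age = today - p.signatures_dated
    if age > MAX_SIGNATURE_AGE or age < timedelta(0):  # stale or future-dated
        fixes.append("update signatures")
    if not p.os_patched:
        fixes.append("apply patches")
    if not fixes and not p.policy_accepted:
        fixes.append("accept security policy")
    return ("quarantine" if fixes else "production"), fixes

def auto_remediate(p, fixes, today):
    """Fix only what an agent can fix; user actions stay outstanding."""
    if "enable antivirus" in fixes:
        p = replace(p, av_running=True)
    if "update signatures" in fixes:
        p = replace(p, signatures_dated=today)
    if "apply patches" in fixes:
        p = replace(p, os_patched=True)
    return p

def admit(p, today):
    """Evaluate, run one remediation pass if needed, then re-evaluate."""
    network, fixes = evaluate(p, today)
    if network == "quarantine":
        network, fixes = evaluate(auto_remediate(p, fixes, today), today)
    return network, fixes

if __name__ == "__main__":
    today = date(2008, 3, 1)  # constructed sample data
    rebuilt = Posture(True, True, False, date(2007, 9, 1), False, True)
    print(admit(rebuilt, today))
```

An endpoint that has not authenticated or has not accepted the policy stays on the quarantine network even after remediation, because those steps need the user and cannot be done by the agent.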