University Business - March 2008 - (Page 58)

Network Security

Appliance-Based NAC at The University of North Carolina at Chapel Hill

THE IT FOLKS AT UNC DESCRIBE NAC AS a logical extension of many things they were already doing—not something they added to solve a certain problem. “We’ve been heading toward NAC and understood its implications long before it ever hit the market,” says Mike Hawkins, UNC’s associate director of networking. “It’s really identity more than anything else—who are you, what are you doing nasty, and how can we keep you out of the network.”

As a large campus with 28,000 students and 10,000 faculty and staff members, everything runs on the network—door locks, medical equipment, power devices, vending machines—not just users who log in to the network. As a result, the networking group selected Media Access Control (MAC)-based authentication versus 802.1x authentication because it’s a richer way to get a handle on who is on the network.

One component that differentiates access control technologies is where that control takes place. Different vendors have different types and different places. UNC has NAC at the edge of the network on all switches that users are attached to.

“If you don’t check at the edge in a big network like ours, you risk it getting out of control,” Hawkins says. “It’s actually a design philosophy we had before NAC. I think that’s an important criterion if you’re talking about a big network—and one of the big motivating factors we had for getting network access control.”

The institution was one of the first beta testers of the hardware and software that make up Enterasys’ NAC solution. The beta and pilot in production led to deployment of NAC Manager Software, which provides centralized administration of Trusted Access Gateways, all switches, all users, and all things pushed out to control traffic. UNC purchased 20 Enterasys NAC Trusted Access Gateway appliances that can talk to 400 to 500 switches on campus. The program was deployed in the late spring and early summer of 2007 across 4,000 switches, which took about three months. UNC’s network access control solution cost around $120,000, which covered the Trusted Access Gateway appliances.

Once the hardware was installed, the challenge was touching every switch and configuring every port a user would be on, says Hawkins. Many of UNC’s older generation switches are not scriptable, so that required manually setting them up rather than running a script.

The results to date have proven extremely successful. Networking folks in the university can pinpoint the exact location of users and their connection history in less than two minutes, which enables UNC to ensure compliance and accelerate the mean time to repair. They can script and isolate hundreds of users off the network in less than five minutes, which used to take half a day for the entire staff in the past. Hawkins believes UNC is way ahead of the curve in identifying threats on campus and handling them quickly.

“I can find devices on my network—at the very edge of my network,” Hawkins says. “When I can find devices, I can control what these devices are doing. Our security folks love this. And by the way, I do sleep well at night!”

[Photo caption] Big savings: IT leaders at UNC estimate saving millions of dollars with NAC tools, since keeping a network of its size safe would normally require a much larger staff.

[Sidebar, continued from the previous page]
• Disadvantages: This approach adds the additional cost and complexity of installing software and adding another management console, according to Gartner.

[Sidebar] Appliance-Based NAC
According to the October 2006 Gartner report “Network Access Control Decision Framework,” appliance-based solutions are often the best choice for universities and other “loosely-managed, highly distributed, heterogeneous, budget-constrained environments.” Guest machine access tends to drive the short-term need for NAC in these institutions, and these products can limit exposure with a low level of investment. A few of the players in this space include ForeScout, Bradford Networks, StillSecure, Mirage Networks, Enterasys, and Lockdown Networks.
• Advantages: Appliance-based NAC products offer ease of deployment and potential cost savings over infrastructure-based deployment.
• Disadvantages: These solutions can be the least robust and don’t offer as many features, according to industry experts.

Resources
Bradford Networks, www.bradfordnetworks.com
Cisco, www.cisco.com
Enterasys, www.enterasys.com
ForeScout, www.forescout.com
Identity Engines, www.idengines.com
Juniper Networks, www.juniper.net
Lockdown Networks, www.lockdownnetworks.com
Microsoft, www.microsoft.com
Mirage Networks, www.miragenetworks.com
Nortel Networks, www.nortel.com
StillSecure, www.stillsecure.com
Sophos, www.sophos.com
Symantec, www.symantec.com
Trusted Computing Group, www.trustedcomputinggroup.org
Vernier Networks, www.verniernetworks.com

Vicki Powers is a freelance writer based in Houston who often covers technology issues.

Links to additional companies that offer network access control products can be found in the online version of this article.
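The MAC-based, edge-enforced NAC that UNC describes above comes down to two operations: find a device by its MAC address on an edge switch port, and take that port off the network. The following Python example is added here and is not code from UNC, Enterasys or University Business; the switch names, the MAC-table layout, the device registry and the timestamps are all constructed. It parses per-switch MAC tables, returns a device's connection history newest first, and builds an isolation list in which a port shared by registered and unregistered devices is flagged for review rather than shut, since cutting an uplink would also disconnect known devices.

```python
"""
Edge-NAC lookup helper: find which switch port a MAC address is on, show its
connection history, and build an isolation list for unregistered devices.

Added example; not code from UNC, Enterasys or University Business. The MAC
table format, switch names, registry and timestamps are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Sighting:
    """One MAC address observed on one switch port at one capture time."""
    mac: str
    switch: str
    port: str
    seen_at: datetime


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 001A.2B3C.4D5E and 00-1a-2b-3c-4d-5e compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(switch: str, text: str, captured_at: datetime) -> list[Sighting]:
    """Parse 'vlan mac type port' rows (a constructed layout modelled on a typical
    'show mac address-table' dump). Only DYNAMIC rows are learned end devices;
    STATIC/CPU rows belong to the switch itself and are skipped."""
    sightings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # header, blank or malformed row
        _vlan, mac, kind, port = parts
        if kind.upper() != "DYNAMIC":
            continue
        sightings.append(Sighting(normalize_mac(mac), switch, port, captured_at))
    return sightings


def locate(mac: str, sightings: list[Sighting]) -> list[tuple[str, str, datetime]]:
    """Connection history for one MAC, newest first: (switch, port, seen_at)."""
    target = normalize_mac(mac)
    hits = [s for s in sightings if s.mac == target]
    hits.sort(key=lambda s: (-s.seen_at.timestamp(), s.switch, s.port))
    return [(s.switch, s.port, s.seen_at) for s in hits]


def isolation_plan(sightings: list[Sighting], registry: dict[str, str]) -> dict[str, list]:
    """Decide which edge ports to shut off.
    A port whose learned MACs are all unregistered goes on the 'isolate' list.
    A port that mixes registered and unregistered MACs (an uplink, a hub or a
    shared drop) goes to 'review': shutting it would also cut known devices."""
    per_port: dict[tuple[str, str], set[str]] = {}
    for s in sightings:
        per_port.setdefault((s.switch, s.port), set()).add(s.mac)
    isolate, review = [], []
    for (switch, port), macs in sorted(per_port.items()):
        unknown = sorted(m for m in macs if m not in registry)
        if not unknown:
            continue
        bucket = isolate if len(unknown) == len(macs) else review
        bucket.append((switch, port, unknown))
    return {"isolate": isolate, "review": review}


# Constructed device registry: MAC -> owner/asset tag.
REGISTRY = {
    "00:1a:2b:3c:4d:5e": "library-kiosk-01",
    "00:1a:2b:3c:4d:5f": "door-controller-bldg7",
    "d4:be:d9:11:22:33": "jdoe-laptop",
}

# Constructed MAC tables from two edge switches, captured half an hour apart.
# 0050.56aa.bb01 is not in the registry; it appears alone on sw1 Gi1/0/9 and
# together with a registered laptop on sw2 Gi1/0/24 (an uplink).
SW1_TABLE = """\
Vlan    Mac Address       Type      Ports
10      001a.2b3c.4d5e    DYNAMIC   Gi1/0/3
10      d4be.d911.2233    DYNAMIC   Gi1/0/7
20      0050.56aa.bb01    DYNAMIC   Gi1/0/9
1       0000.0c9f.f001    STATIC    CPU
"""
SW2_TABLE = """\
Vlan    Mac Address       Type      Ports
10      d4be.d911.2233    DYNAMIC   Gi1/0/2
10      001a.2b3c.4d5f    DYNAMIC   Gi1/0/4
30      0050.56aa.bb01    DYNAMIC   Gi1/0/24
30      d4be.d911.2233    DYNAMIC   Gi1/0/24
"""


def build_sightings() -> list[Sighting]:
    """All sightings from the constructed captures above."""
    return (parse_mac_table("sw1", SW1_TABLE, datetime(2007, 6, 1, 9, 0))
            + parse_mac_table("sw2", SW2_TABLE, datetime(2007, 6, 1, 9, 30)))


if __name__ == "__main__":
    sightings = build_sightings()
    for switch, port, seen in locate("d4be.d911.2233", sightings):
        print(f"jdoe-laptop seen on {switch} {port} at {seen:%H:%M}")
    print(isolation_plan(sightings, REGISTRY))
```

Run as a script it prints the laptop's history (sw2 Gi1/0/2 and Gi1/0/24 at 09:30, then sw1 Gi1/0/7 at 09:00) and a plan that isolates sw1 Gi1/0/9 and sends sw2 Gi1/0/24 to review. A MAC address identifies the hardware that presented it rather than the person using it, so a registry like this is an inventory control; 802.1x ties the port decision to a credential instead. In both designs the enforcement point is the edge port, which is the property Hawkins is describing.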