May 12, 2008, 2:15 PM — When the University of North Carolina at Chapel Hill implemented network
access control campus-wide last spring, it was as much a natural progression
of the school's network
management strategy as it was a security
project.
"We view good management as equal to security and security as equal to
good management," said Mike Hawkins, associate director of networking for
UNC Chapel Hill, during his talk at the recent Network World IT Roadmap Conference
& Expo in Dallas.
To many, NAC implies solutions that interrogate end devices to ensure they
have proper security controls in place before they are allowed on the network.
At UNC, it's more about automating the implementation of acceptable-use policies
that the school has had in place for years. And while tales abound of NAC rollouts
that require wholesale network infrastructure upgrades, UNC has NAC working
on switches that are as many as 7 years old and come from multiple vendors.
Of course it helped that UNC was in on the ground floor with its NAC vendor,
enabling it to help shape what the product looked like. (Because of university
policy against endorsing vendors, UNC declined to name vendors for this story.)
Background
UNC Chapel Hill, the second-oldest public university in the United States, has
some 28,000 students, 3,100 faculty and 7,500 staff. Altogether, some 35,000
users of traditional computing devices connect to its network each day along
with about 50,000 other types of devices, ranging from soda machines to parking
gates and water meters.
For years the university has been applying acceptable-use policies to its switch
ports to dictate what each type of device can and cannot do when it connects
to the network. While that worked well enough, it was a manual, static process
to assign an acceptable-use policy each time a new device wanted to connect.
The university's NAC implementation brings a new level of automation to the
table, said Jim Gogan, director of networking at UNC Chapel Hill. "The
issue is how to provide the appropriate policies for whatever class of device
wants to connect," he says. If a utility group connects a steam meter,
the network should immediately recognize the device is a steam meter and apply
the appropriate policy. That saves the network group from having to get involved
every time some specialized device needs to connect.
"This is precise, granular edge control over what goes on in the network,"
Hawkins said. "I see very few NAC solutions that are actually doing this."
The term NAC typically conjures images of solutions that interrogate end devices
to ensure they have proper security controls in place before they are allowed
on the network. But UNC Chapel Hill is sensitive to being quite that intrusive
given its network lives to serve an environment meant to foster research and
teaching. So it takes a slightly different tack, using other security measures
to catch dangerous traffic and then using NAC to shut down the offending port
or IP address.
For example, the school uses intrusion-prevention appliances to block virus
infections from spreading. When it detects an infected machine, the appliance
will kick off a trouble ticket detailing which IP address the virus is coming
from. "I got three of those this morning between 10 and 11 a.m.,"
Hawkins said. "Within minutes, I applied a policy to each of those hardware
addresses and forced them off the network. No matter where they plug in, they
will not be allowed on."
Users of infected machines are then allowed access only to a Web page explaining
why they've been denied access and pointing them to remediation resources. That
redirect happens automatically, driven by the NAC implementation.
NAC evolution
UNC chose to go with its NAC vendor for a number of reasons, not least of which
is the fact that about 90% of switches on campus come from the vendor. But UNC
also liked the idea of policy enforcement taking place on the switch, near the
network edge. Likewise, all the work the school had put into developing its
acceptable-use policies would be immediately applicable. The team was also impressed
with how easy it was to deliver policies to its switches, with the ability to
update any number of switches with the press of a button -- an important capability
given that the university has more than 3,700 switches on campus.
