The Upper Canada District School Board decided it needed network access control to securely expand wireless access across the vast district, broaden the types of devices allowed access to its network and keep students out of sensitive servers.

When it started looking for NAC technology 18 months ago the options were limited, and CIO Jeremy Hobbs came across a story about Nevis Networks in a trade publication. He contacted the company and reached someone he had dealt with before at another vendor. They worked out an arrangement in which the district would be a test bed for the product.

The district also chose Nevis because it doesn't like to get locked into a single vendor, Hobbs says, which is why it decided against NAC schemes from the two industry heavyweights -- Cisco's Network Admission Control and Microsoft's Network Access Protection.

The school district sprawls over a large area of Ontario, including 35,000 students and 5000 staff. The schools use NAC to allow personal laptops onto the network as well as to expand wireless access, he says. At the same time, the Nevis gear helps keep unauthorised users out of the data centre, where human resources and student information are stored.

"We find the majority of threats come internally from kids who are aspiring to grow up to be hackers, or who are interested in tinkering," Hobb says.

Nevis gear was added to the district network without requiring reconfiguration of the network infrastructure. Hobbs put two Nevis 2026 devices between core switches and access switches serving the data centre at the district headquarters in Brockville, Ontario. They integrate with the district's Active Directory so users gain access when they log in from authorised machines. The experience is identical to what users experienced before the NAC equipment was installed, he says.

Users logging in with their own laptops are diverted by the Nevis appliance to a portal, and their devices are scanned for virus definitions, malware and spyware. The Nevis system does not require client software on devices seeking entry to the network.

Users attempting to connect via any of the Wi-Fi access points across the district also must authenticate via user name and password through the Nevis appliance. All of the district's 120 sites have at least one wireless access point, and Hobbs hopes within two years to have 100 percent wireless coverage in those buildings and to accommodate any wireless device. "We'd like to let the wireless network be wide open but let the network security layer take care of itself," he says.

Hobbs considers the gear pricey. "We probably peak out at 3500 concurrent users, and you're looking at US$60,000 for 1000 users. That's a fairly significant investment," he says. He also recognises that NAC is new and start-ups around today might not be here tomorrow. "If I wasn't experiencing a ton of pressure for these kinds of tools, I'm not sure I wouldn't just wait for a little while longer to let the industry evolve a little bit," he says.

In three years, as the technology matures and competition weeds out the weaker vendors, his thinking will likely change. "My guess is at that point we'll probably go with a fully formed product from a bigger player," he says.