Until Carroll College bought into NAC technology, it took six weeks of work by a dozen full-time IT staff and student volunteers to clean up student PCs, stemming infections they brought to the network.
The effort has gotten a lot simpler. Since putting Tipping Point gear in place in 2005, keeping the network clean has required just three people and three days at the start of the semester.
"This year we couldn't believe we got done in three days with no major network issues, no major looming security threats, no incidents after those three days - nothing," says John Arechavala, director of infrastructure services at the Wisconsin college. "We're pinching ourselves."
With 1,300 students living in dorms and another 1,700 commuting, Carroll had a big chore. The network let students bring whatever PCs they had at home and attach them to the network. "Consequently you expose yourself to all the evils of the world that happen to be installed on those computers," Arechavala says.
When he started looking at NAC gear three years ago, there weren't that many options. The college is primarily a Nortel shop for its wired infrastructure, and a combination of Cisco and Xirrus for wireless. Nortel wasn't ready with NAC then, but Arechavala had heard of the start-up Roving Planet that had success in other universities. Roving Planet was later bought by Tipping Point.
He says he knew the NAC software could control admission by machine and user as well as perform a basic scan without using client software on each machine. He took the opportunity of implementing NAC to streamline the definition of acceptable PCs that the college would allow on its network. "We don't own these devices, we don't know where they come from, we don't see them before they come in," he says.
First, the student computers had to have either Mac OS, Linux or Windows XP operating systems. Before NAC, he allowed several other flavours of Windows, but he learned that that required too much help-desk knowledge.
The only other requirement for the machines was that each PC have an acceptable antivirus client that was updated and running. If the machines could meet those requirements, they could gain access, he says.
With NAC in place to make sure these two criteria are met, as students plug in for the first time and attempt to access network resources, their traffic is intercepted and they are diverted to an untrusted VLAN where their machines are scanned.
They are diverted to a site where they can download antivirus software if their machines are found lacking, he says. Since the school provides enterprise-grade Norton antivirus from Symantec to students for free, many of them adopt that, he says. Those with unsupported operating systems receive a notice that they must switch to a supported operating system, he says.
Adopting NAC two years ago was daring for the college. It was a significant investment - about $56,000 - and the name Roving Planet wasn't well known. But because it could reference satisfied customers at other colleges, Carroll trustees approved the expenditure, Arechavala says. At the time, the alternative being considered was issuing standard-configuration computers to each student. "Obviously this was cheaper," he says.
The NAC software is deployed on five hardened Linux-based Dell servers attached to core switches, and they are managed by a Tipping Point Network Commander management platform. The NAC servers are attached to core switches, plugged into VLANs designated as trusted and untrusted. Each device can handle hundreds of users, he says.
The technology worked well from the outset, but getting students used to the idea took some work. "The biggest adjustment we had to make was with the students themselves, because they were running into something that was a completely foreign concept to them," he says.
He learned a lesson from that, and if he had it to do over Arechavala says he would set aside more time to bring them up to speed. "During that two weeks, maybe we could have been better communicating to them how it worked," he says. "It was no longer just plug and go for them. It was plug in and, oh, what's this question?"
In addition to their computers, students bring network gaming devices that the NAC software quarantines until the owners register their MAC addresses with the IT department. The devices are then white listed so they can use the network, he says.
So far, only student gear is subject to NAC; administrative and faculty machines are not. This is because through use of Altiris asset-management software he keeps these machines updated and protected, he says.
He relies on NAC and antivirus software to clean up student computers, and figures that will keep them clean for about a month. So NAC scans them when they arrive, then once they are compliant, lets them on the network for 30 days without a scan. So far, that has worked to keep out malware, Arechavala says.
Tipping Point is coming out with an appliance version of its NAC gear that the college plans to buy because it will use 802.1x capabilities of recently upgraded switches to enforce policies, he says. Rather than using the NAC servers to enforce VLAN assignments, the appliance will enlist the switches to do so.
That not only ingrains enforcement in the network, it also reduces the number of NAC devices he will need from five to one plus the management server, simplifying the maintenance required to keep the technology running.
In upgrading the gear, Arechavala says he did not consider switching NAC vendors. "I think it would cost me more to switch vendors than it would cost to upgrade," he says. "And we're not having an experience here that makes me want to re-evaluate necessarily."