The chance discovery of a consultant plugging in a laptop on its network led Missouri insurance company GEHA to install NAC as a means for segregating visitors from the corporate LAN. Since installing Nevis Networks' LANenforcer devices on its network this fall, the company has used it to control unauthorised visitors, but has held off using other features except for monitoring purposes, says Justin Gerharter, systems engineer for the firm.

Eventually, the company will use the gear to scan endpoints to make sure they comply with security posture and to monitor behaviour of devices after they are on the network to make sure they behave according to policy.

The company saw a need for NAC in July when it caught an unauthorised user logging in. "One day the guy sitting next to me happened to be going through DHCP scopes and saw an unfamiliar network name associated with an IP address," says Gerharter. "Sure enough, it was a consultant who had plugged a laptop in. That was the incident that drove home the need for [NAC]."

The consultant wasn't up to mischief, but the incident set off a wave of concern. "The question was raised, how many times has this happened?" Gerharter says.

The desire was to make sure that every machine that got on the network at the very least was authorised to be there, he says. "If they were on, we wanted to make sure we had control over where they could get to," Gerharter says.

The company sought advice on which NAC vendor to use from its resellers and came back with Cisco and Nevis as options. The company tested Nevis gear at a VAR's demonstration site. It tried but could not schedule a test of the Cisco gear, so Gerharter chose Nevis.

He liked that the Nevis device is in-line and plugs into access switches, becoming an enforcement point for the NAC policies. The company has about 25 Cisco access switches that feed into a Cisco core. The company required one LANenforcer 2024 at each site plus a LANsight management platform.

To put the device in place, he unplugged the connections between the access and core switches and plugged them into the LANenforcer instead. The device is set up with port pairs, one port taking the connection from the access switch, one taking the connection to the core switch. "You plug the edge switch into the top port and the core switch into the bottom port of the same port pair," he says.

Setting up NAC policies took very little training, he says. Guests have only one option, which is Internet access. That access for guests could be expanded if the need arose, he says. For company users and wired desktops, GEHA is running in monitoring mode only to gather logs of network behaviour. The plan is to implement access policies for them next year.

GEHA ran across one glitch that temporarily stalled out its Avaya IP phones, Gerharter says.
When Avaya phones boot, they boot first into the data VLAN to receive its IP options, then reboot into the VoIP VLAN, Gerharter says.

GEHA configured the Nevis box so it inadvertently restricted this process. The Nevis policy that was set identified the phones by MAC address and allowed access only to the VoIP VLAN. That effectively locked the phones off the network because they had no way to go through the first half of their booting process, he says.

"We were making the network more secure than we needed to, and for these phones it created a problem," he says. He says Nortel phones boot in a similar way; Cisco's don't.

In addition to restricting guests to the Internet, the Nevis gear provides logs that reveal more detail about network traffic than Gerharter could get before. "We discovered things we never thought about as far as what people are doing and where they're going. There's been many unplanned benefits," he says.

They had no idea their virus scan was using a certain service account to authenticate to the virus-scan server, and these authentications showed up in the log. It was never a security issue, but the IT staff looked at the log and eventually figured out what was going on. "It's allowed us to understand some of our applications and processes a little better," he says.

GEHA is using Nevis NAC endpoint scanning on one of its access switches that services the company network operations centre. That switch is used only by the company network services department and is essentially trailing the capability.

At some point, devices wired into the LAN may be scanned, but for now Gerharter says they are considered safe enough. Other virus scanning software and patch-updating software keep them in compliance, he says. "There's no reason for Nevis to be reporting on this when we have other tools reporting as well," he adds.

The Nevis device can restrict access to servers that must be kept secure under HIPAA regulations, he says, and while it hasn't done so yet, GEHA has plans to use that as well. It has no specific time table for implementing it. Meanwhile, the NAC gear is doing what it was purchased to do, he says. Last week a company employee brought her personal laptop in to work because she was having trouble getting it to connect remotely using Citrix's browser-based Web access, he says. She was unauthorised to plug it into the corporate network directly.

"She brought her laptop in and plugged it in," Gerharter says. "How would we know how often that's happening without a very watchful eye and constantly looking at this stuff?" The company's IT staff is too small to monitor this type of incident manually, he says.