Network Access Control That Users Won't Hate

Even as schools strive to keep their networks and school data secure, they also want students to have a carefree, Starbucks-style wireless experience. NAC can help.

This story appears in the July 2013 digital edition of Campus Technology.

Controlling access to a college network is like being the parent of a teenager. If you're too strict and enforce a ton of rules, your teenager will hate you and run off with the pizza-delivery guy. Too lenient, on the other hand, and she will wrap the family sedan around a tree at 2 a.m. Schools, like parents, need to find the sweet spot where everyone is both happy and safe.

Increasingly, schools are utilizing network access control systems to help them establish that sweet spot. NAC has been around for a decade, but it only became an IT buzzword with the proliferation of BYOD. Gartner anticipates a NAC market growth of approximately 63 percent in 2013 alone.

NAC is a security solution that authenticates users and determines what they can see and do on a university network. It's a vital control to protect sensitive information. But make no mistake, NAC won't do the parenting for you--it simply makes it easy for you to set the boundaries of what's permissible. And like parents, campus administrators often disagree about how strict to make the rules.

Control: Less Is More

"We still encounter IT technicians who think it's appropriate to have the same control as a bank or a hospital," says Kim Cary, chief information security officer at Pepperdine University (CA). "This just isn't so." In Cary's view, faculty and students are going to use whatever devices they want, so the question becomes: How much are you willing to support?

"With three times as many devices and three times the load of three years ago, it all comes down to pushing security back," explains Cary, who believes schools have to be flexible with new types of devices, such as tablets, smartphones, game consoles, and even multifunction copier-printers.

A more permissive approach like Cary's appears to be prevailing over Victorian attitudes of strict control. Many schools, focused on giving their students and faculty a better user experience, are looking for fewer--but smarter--security controls.

A case in point is the State University of New York's Fashion Institute of Technology (FIT). Before the school implemented Aruba ClearPass, it was "tortured" by its previous NAC solution, according to Gregg Chottiner, vice president for IT and CIO. "It would interrogate students" to confirm they had the required service packs (updates, fixes, and enhancements), he recalls. "It became a customer-service nightmare."

Now the institute registers each device just once, and doesn't check for A/V or service packs. "Nine times out of 10, the student is just trying to get to the internet," Chottiner explains, "so we created a policy that everybody registers but we don't interrogate them. Our current NAC wraps everybody to the internet."

For many schools, the goal is to give students a wireless experience akin to what they get at the local coffeehouse. "Our students don't need to put in a password after they're registered," says Chottiner of the new NAC system. "They just open up and they're on, like at Starbucks. The system knows the device, and knows where they are on campus."

It's a similar story at Pepperdine, where an information security team selected Bradford Networks as the school's NAC solution. "We know who is accessing the network and what kind of device they're using," notes Cary. "For users, it should be as easy to get on as when they're at Starbucks or McDonald's."

In the event that students don't have a seamless Starbucks-style experience, NAC can help IT resolve the problem fast. Prior to installing ForeScout's CounterACT, for example, New York Law School struggled to pinpoint network issues. "If a trouble ticket was issued, our desktop team had difficulty in quickly identifying the system, the location, and the potential security issue," recalls technical director Peter Trimarchi. The result was a heavy workload for the help desk, staff redundancy, and student complaints about access.

But NYLS didn't rely solely on ForeScout to resolve the problem. In fact, it coupled its NAC solution with a decidedly low-tech strategy: It launched an orientation program for students to teach them the ins and outs of technology use on campus. "Now that we've instituted the first-week technology orientation, we often don't hear from students after the first week of school," says Trimarchi, adding that NYLS has experienced a "huge drop" in the number of complaints about wireless issues.

The NAC Wish List

In shopping for a NAC solution, New York Law School specified the following features:

  • A system that's easy to administer and deploy
  • Multifactored, role-based device authentication and seamless integration with existing wired and wireless infrastructure
  • Network access and endpoint compliance capabilities integrated into one appliance
  • Full visibility and control of all devices on the network
  • Flexible enforcement, with the means to easily monitor, control, and inventory systems
  • The ability to thwart zero-day threats (attacks that take advantage of previously unknown vulnerabilities)

Role-Based Access

Giving students an easy on-ramp to the internet is nice, but it's certainly not the whole story. University networks are also the gateway to sensitive information that some users need to access--but most users don't. "We didn't want a guest scanning the president's computer," says Cary, "but we wanted guest registration to be smooth and easy, with appropriate but limited information."

FIT's Aruba ClearPass solution provides role-based authentication and application-based management. "We give [students] only the access they need," Chottiner explains. "We can say that Facebook won't be available during school hours. We can turn it off, then turn it on again. In other words, we can drill down to the actual application. We can also turn applications on and off based on role. Our students and faculty have different access, but the experience is as seamless as possible for both."

While role-based access is a key security component, it handles only one aspect of the threat faced by colleges and universities. IT systems must also be able to identify vulnerabilities and quarantine devices that are not secure. In addition to role-based device authentication, for example, NYLS established a virtual private network policy for its faculty and staff. "This allows us to know if a device has a secure connector installed, along with antivirus and Windows updates," says Trimarchi. "If it does not, access is immediately relegated to a separate mitigation VLAN [virtual local area network]."

Simply kicking a device off the network may eliminate a security risk, but it's unlikely to win IT any friends among its customers. "With our old system," recalls Cary, "we had a way to block people with infected devices, but we had no way to inform the violator immediately and tell them what to do. Now, after network access control, the system puts up a page to say that the computer is infected and tells users to 'click here' for tech central." In terms of customer satisfaction, he adds, "this is a huge thing."

It's a similar story at FIT, where the school's new NAC can differentiate between an Xbox and an iPhone, and can manage all devices. "They all have unique signatures," notes Chottiner. "If a mobile device is infected...we can segment the device and get it off the network, then have that person come in for triage and remediation."

NYLS uses an automated e-mail notification to alert students and faculty if their devices contain malware, along with the steps needed to fix the problem. "We'll soon be taking advantage of more advanced self-remediation and auto-remediation techniques," adds Trimarchi.
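
The policy flow described in this section (register once, role-based access with time-based application blocks, a mitigation VLAN for VPN devices that fail their checks, and quarantine with a notice that tells the user what to do) can be expressed as one decision function. This is an added example, not any vendor's or school's configuration; the VLAN numbers, role names, school hours, and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import time

# All VLAN numbers, role names and hours below are assumed values.
ROLE_VLAN = {"student": 110, "faculty": 120, "guest": 130}
REGISTRATION_VLAN, MITIGATION_VLAN, QUARANTINE_VLAN = 800, 900, 999
SCHOOL_HOURS = (time(8, 0), time(16, 0))
BLOCKED_IN_SCHOOL_HOURS = {"student": {"facebook"}}

@dataclass
class Device:
    mac: str
    role: str = "guest"
    registered: bool = False
    infected: bool = False
    via_vpn: bool = False
    posture_ok: bool = False  # connector + antivirus + OS updates all present

@dataclass
class Decision:
    vlan: int
    blocked_apps: frozenset = frozenset()
    notice: str = ""  # page or e-mail text shown to the user, if any

def decide(dev: Device, now: time) -> Decision:
    if not dev.registered:
        # One-time registration; no posture interrogation at this step.
        return Decision(REGISTRATION_VLAN, notice="Register this device once to get online.")
    if dev.infected:
        # Segment the device and tell the user what to do, not just block.
        return Decision(QUARANTINE_VLAN,
                        notice="This device appears infected. Contact the help desk.")
    if dev.via_vpn and not dev.posture_ok:
        return Decision(MITIGATION_VLAN,
                        notice="Install the secure connector, antivirus and OS updates.")
    # Unknown roles fall back to guest: least privilege by default.
    role = dev.role if dev.role in ROLE_VLAN else "guest"
    start, end = SCHOOL_HOURS
    blocked = BLOCKED_IN_SCHOOL_HOURS.get(role, set()) if start <= now < end else set()
    return Decision(ROLE_VLAN[role], frozenset(blocked))

if __name__ == "__main__":
    # Constructed sample devices (MAC addresses are made up).
    student = Device("02:00:00:00:00:01", role="student", registered=True)
    print(decide(student, time(10, 0)))   # role VLAN, Facebook blocked
    print(decide(student, time(19, 0)))   # role VLAN, nothing blocked
```
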
