Increasing ROI by Putting NAC to Use

Marquette University's security analyst found that the network access control tool already in place could deliver much more value with just a bit more effort.

The best approach to increasing return on investment is often to stick with the resources you already have and to get more value out of them. Marquette University is an example. The Milwaukee school had been using a particular network access control (NAC) system for many years, but it wasn't until Security Analyst Justin Webb joined the staff about two years ago that the university decided to put its NAC to work in multiple new ways. In addition to helping the institution keep tabs on copyright infringement, the NAC is occasionally helping to recover stolen or misplaced computers, and informing IT leadership about trends in student computing devices.

Marquette maintains a network specifically for student use, which follows, according to Webb, a "very flat structure." With 11,000 students and 14,000 client devices on that student network, the university needed to monitor it rigorously, he said, "to make sure nothing's happening over there that would be a threat to [network resources] that are critical to the university as a whole."

When Webb started, he was given "carte blanche" as the sole member of the cyber-security team to decide whether or not ForeScout Technology's CounterACT was sufficient to help him keep up with his job. He checked out alternatives such as PacketFence to replace CounterACT, but in the end, the amount of automation offered by ForeScout's product won him over. What he discovered was that while his predecessor followed a "set it and forget it" philosophy, the NAC had many additional features that could deliver many additional benefits to the university, cranking up that ROI.

How CounterACT Works
According to Webb, when CounterACT sees threats on the student network coming from specific infected devices, the program shifts those users to a separate virtual LAN and delivers a page with downloads of antivirus software and instructions for getting the computer cleaned up. Previously, the security person and the help desk would receive an automated email with details, but other than reviewing what had happened, the security office didn't play much of a role in the process.

While Webb relies on that auto-remediation, he also uses the data being collected passively by CounterACT for more active purposes--monitoring for rogue access points, tracking compliance, and watching for infections. As soon as a user hops on the network, the software obtains the MAC address and tries to decide what type of host device it is, what operating system is being run, and what browser is in use. Armed with that information, he can develop metrics to guide usage.

"If I had a thing against Android phones that were using a particular browser, I could set an alert so that [the system] would send me an email when somebody showed up on the network like that," Webb explained. Likewise, he added, "If we decided to make a policy about iPads, but there were only two of them on the network, then it's useless to do that. But if we found out there were 400 or 2,000 or some number that's significant, then maybe we'd need to develop those policies and make that a security priority."

And, in fact, he added, overall that's become the case. Mobile device usage has grown significantly on campus, as has the number of multi-device users. Students may have a desktop computer, a laptop, and a smartphone. "We see an increase in the number of devices, which makes it harder to track who's on the network," Webb said. "Previously it had been one connection per one person. Now it's three connections per person." That in turn taxes network bandwidth significantly.

P2P Practices
The increased load on the network makes identification of illegal file sharing through peer-to-peer sites more urgent, since the university would rather use that bandwidth for educational purposes. CounterACT can identify peer-to-peer (P2P) traffic, and the university could choose to block that type of traffic or redirect the user to a landing page that states, "We know you're using peer-to-peer software. You need to uninstall it, and the traffic needs to stop." Noted Webb, "We have a campus policy that we don't block peer-to-peer. We just throttle it using a packet shaper." At the same time, he keeps statistics on that type of traffic. If the network starts having performance issues, he and the network people can sort out whether the P2P activity is the reason for the problems.

The university also gets Digital Millennium Copyright Act take-down notices when an organization believes it has suffered a copyright infringement. The takedown notice includes an IP address, so Webb can look at the address translation in CounterACT to get the MAC address of the offending PC. University procedure is to send a warning to the accused student after the first offense to remove the offending files and cease the activity. The second time it happens, the student gets a second notice. If the student receives a third notice, Internet is turned off for the device with that MAC address.

But Webb doesn't want to make the decision to cut off Internet access to students lightly. "We're a university. Students have to learn. They need to use the Internet. The last thing I want to do--the absolutely last thing--is take away their Internet access." At the same time, he added, "We have to respond to crime that happens on our campus, because that's what it is. If we were to continue to let them do that, it would look like we were acting negligently. Sometimes the only way to prevent them is to kick them off the network."

In cases where the student denies doing what he or she is accused of, using CounterACT, Webb matches the MAC address to the PC and the PC to the person who owns it, which is, he noted, "a little more conclusive evidence."
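The take-down workflow described above, sketched as an added example (not code from the article, the university, or ForeScout). It assumes each notice also carries a time of alleged infringement and that the address-translation history can be exported as lease-style records; all addresses, times, and names are constructed. It shows why strikes are counted per MAC rather than per IP: the same IP maps to different devices over time, and one device appears under several IPs.

```python
from collections import Counter
from datetime import datetime

# Constructed address-translation history: (ip, mac, first_seen, last_seen)
LEASES = [
    ("10.20.4.17", "00:11:22:aa:bb:01", "2024-09-01T08:00", "2024-09-01T20:00"),
    ("10.20.4.17", "00:11:22:aa:bb:02", "2024-09-01T20:05", "2024-09-02T09:00"),
    ("10.20.7.90", "00:11:22:aa:bb:01", "2024-09-10T10:00", "2024-09-10T23:00"),
    ("10.20.9.33", "00:11:22:aa:bb:01", "2024-09-20T09:00", "2024-09-20T18:00"),
]
# Constructed notices: (ip, time of alleged infringement); the time is an assumption
NOTICES = [
    ("10.20.4.17", "2024-09-01T12:00"),
    ("10.20.4.17", "2024-09-01T22:00"),  # same IP, different device by then
    ("10.20.4.17", "2024-09-05T12:00"),  # no record covers this time
    ("10.20.7.90", "2024-09-10T15:00"),
    ("10.20.9.33", "2024-09-20T11:00"),
]
# Escalation steps as the article describes them
ACTIONS = {1: "first warning", 2: "second notice", 3: "disable Internet for MAC"}

def mac_at(ip, when):
    """Return the single MAC that held `ip` at `when`, else None."""
    t = datetime.fromisoformat(when)
    macs = {mac for lip, mac, start, end in LEASES
            if lip == ip
            and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)}
    return macs.pop() if len(macs) == 1 else None

def process(notices):
    """Resolve each notice to a MAC and pick the escalation step for that MAC."""
    strikes, results = Counter(), []
    for ip, when in sorted(notices, key=lambda n: n[1]):
        mac = mac_at(ip, when)
        if mac is None:
            # Never act on a notice that cannot be tied to exactly one device
            results.append((ip, when, None, "unresolved: manual review"))
            continue
        strikes[mac] += 1
        results.append((ip, when, mac, ACTIONS[min(strikes[mac], 3)]))
    return results

if __name__ == "__main__":
    for row in process(NOTICES):
        print(row)
```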

The Case of the Stolen Laptop
CounterACT metrics have also come in handy to help recover missing laptops. Dealing with stolen machines may not occur often, Webb noted, but "it does happen at any campus." Because CounterACT collects that MAC address, a unique identifier stored in the network interface card in every device, Webb can set up a policy in the software to alert him and others should the MAC number for that missing device show up on the network.

In fact, that's exactly what happened not long after Webb joined the university. A student reported that his computer had been stolen. Since he had the MAC address written down, Webb loaded it into the ForeScout system and set a policy: "If this MAC address shows up anywhere on the network, send an email, 'STOLEN COMPUTER' with multiple exclamation points." It showed up on the network two days later, Webb recalls. "I was like, I can't believe it actually worked!" But then the device disappeared from the network before it could be located.

That points out a challenge with wireless networking that didn't exist in the wired days. Previously, the student would have a network cable plugged into a network jack. When that person came onto the network, network administrators could tell where he or she was physically located. It doesn't work that way with wireless. The data pulled into CounterACT has to be triangulated with data pulled in through the wireless management software to identify which access point is being used by the device, which in turn, can help identify the user's location.

So Webb tweaked the policy to notify him as well as the main network person. The next time it showed up on the network, both of them received the message. Armed with the ForeScout details from Webb, the network administrator figured out where the person was located. The university sent a public safety officer to that building and found the individual who had that computer.

The case wasn't entirely satisfying, however. The person who had the computer wasn't the thief. Recalled Webb, "It turned out to be a student whose father had bought the computer online from a personal seller. So somebody stole it from a student here and sold it to the father of another student. The father thought he was getting a good deal."
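The watchlist-and-locate approach from this section, sketched as an added example (not code from the article or from ForeScout). It assumes NAC sightings and wireless-management association records are available as simple exports; every MAC, IP, access point name, building, and e-mail address is constructed. It normalizes MAC formats before matching and joins each hit to a recent wireless association, returning no location when the only association is stale.

```python
import re
from datetime import datetime, timedelta

def norm_mac(mac):
    """Canonical form: 12 lowercase hex digits, or None if malformed."""
    h = re.sub(r"[:.\-\s]", "", mac).lower()
    return h if re.fullmatch(r"[0-9a-f]{12}", h) else None

# Constructed watchlist entry, in the format the owner wrote it down
WATCHLIST = {norm_mac("00-1A-2B-3C-4D-5E")}
RECIPIENTS = ["security-analyst@example.edu", "network-admin@example.edu"]

# Constructed NAC sightings: (time, MAC as reported, IP)
SIGHTINGS = [
    ("2024-10-03T14:02", "001a.2b3c.4d5e", "10.30.1.44"),
    ("2024-10-03T14:05", "00:1a:2b:99:88:77", "10.30.1.45"),
    ("2024-10-05T19:30", "00:1A:2B:3C:4D:5E", "10.30.8.12"),
]
# Constructed wireless-management association log: (time, MAC, AP, building)
ASSOCIATIONS = [
    ("2024-10-03T13:20", "00:1a:2b:3c:4d:5e", "ap-lib-2f-07", "Library"),
    ("2024-10-05T19:27", "00:1a:2b:3c:4d:5e", "ap-hallb-3f-02", "Hall B"),
    ("2024-10-05T19:28", "00:1a:2b:99:88:77", "ap-halla-1f-01", "Hall A"),
]

def locate(mac, seen_at, window=timedelta(minutes=10)):
    """Latest association for this MAC at or before the sighting, within window."""
    t = datetime.fromisoformat(seen_at)
    best = None
    for when, amac, ap, building in ASSOCIATIONS:
        at = datetime.fromisoformat(when)
        if norm_mac(amac) == mac and t - window <= at <= t:
            if best is None or at > best[0]:
                best = (at, ap, building)
    return best[1:] if best else None

def stolen_alerts():
    """Build one alert per sighting of a watchlisted MAC, with AP location if known."""
    out = []
    for seen_at, raw_mac, ip in SIGHTINGS:
        mac = norm_mac(raw_mac)
        if mac in WATCHLIST:
            out.append({"subject": "STOLEN COMPUTER!!!", "to": RECIPIENTS,
                        "mac": mac, "ip": ip, "seen_at": seen_at,
                        "location": locate(mac, seen_at)})
    return out
```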

Staying Up on Group Trends
Metrics collected through CounterACT have also been useful to the university in understanding what devices are in use by students each fall as they come to campus. That information is used to determine where help desk and technical support needs to focus. "If there are 75 percent Macs for the students and only 25 percent PCs, then, hypothetically, you'd need to [move your] support more toward Macs," said Webb.

Currently, the university has 10 CounterACT appliances, which Webb monitors from a console on one of his four displays using CounterACT Enterprise Manager. (The company also offers its NAC software as a virtual appliance.) Eight residence halls have an appliance. "We have each one of those in a dorm," he noted. "Then we have two ForeScout boxes that split our wireless load."

He can shift his view within CounterACT to check out activities among specific groupings of users--wireless, wired, a specific dorm's students, a specific room in the dorm for wired users, or a specific access point for wireless users.

Webb uses CounterACT without relying on client agents. As he explained, that's the best route to go in his particular academic environment. "It's very hard for us to say to a student, 'Before you use our Internet, we need you to install this software.' People aren't too keen on that unless you say it's anti-virus [software]. There tends to be a 'Big Brother is watching' [mentality] in academic settings. We're not monitoring anybody. We only monitor if there's illicit activity going on. We want this to be a free open educational environment."

Marquette doesn't monitor the faculty and staff network with CounterACT, preferring Active Directory for setting up appropriate access for those users. But if it did, Webb said, the agent approach--which is pricier--would be a better fit. "There are university assets that we want to protect, so we would want to make sure their virus software is up to date and that they don't have viruses on their computers. So the agent would be way better to do all of those checks of the registry and things like that."

Tackling that implementation would open up complexities that Webb would prefer not to deal with. "You get into the question of, are we impinging on their academic freedom? Are we offering the impression that we're interested in what they're doing on the Internet more than just trying to protect ourselves from threats? It's easier to put that to the side and focus on what we really think is the high threat area, the open, wireless student network."

Conserving Energy (and Staff Positions)
As a one-person operation, Webb said he prefers to conserve his energy, and that's where CounterACT really shines. "I think it's silly to attempt to kill yourself trying to figure out everything that's going on. It's nice to know that my network is doing things automatically and that I'm not irritating the network people with constant requests for information. This is a passive approach. I'm not asking the network administrators to change anything on switches or modify routers or let my ForeScout boxes have control of the network. You can do all of this passively.

"The main thing for any institution is to know who's on your network and what they're doing. A lot of places can't really say yes to that, either because their network is so disparate or they don't have the correct monitoring, or if they're doing the monitoring, they don't have the staff to actually watch the monitoring. It's easy for me to say, if we had to do what ForeScout [software] does without ForeScout, this would be a two-person office."
