A medical center treats its network security woes
with Bradford Networks' Campus Manager.

Sure, plenty of students at Columbia University Medical Center can
give flu shots, but up until a recent network access control rollout, they were
dragging some sick and sorry devices onto the network.
"It was a real eye-opener to see the … lack of
anti-spyware, of anti-virus, of patching," said Dean De Beer, information
security manager at CUMC, a New York
medical center with a 2006 enrollment of 3,377 and a faculty of 2,172.
In fact, prior to the pilot NAC rollout in spring 2007, when students logged
onto the campus network, 53 percent of those enrolling in the summer program
lacked up-to-date anti-virus protection.
Fast-forward seven months to January 2008. De Beer is in the midst of
expanding deployment of the NAC setup campuswide. At the heart of the rollout
is Campus Manager,
an out-of-band device from Bradford
Networks that provides automated device registration, security policy
checks, and quarantining and automated remediation of devices that fail the
security health check.
Campuses form the classic NAC usage scenario—lots of people visiting,
bringing their potentially security-challenged devices onto a network—thus
making Campus Manager the typical pick for educational organizations. But
Bradford Networks also markets NAC Director,
a product that gives the same functionality but that is marketed at a different
audience and that midmarket organizations are more likely to purchase.
If all goes according to plan, CUMC is looking to put some 2,500 students on
the network with Campus Manager full-time, regardless of their movements around
the 20-acre campus, through all residences and all student dorms, whether they're
connecting through a wired access point or wirelessly.
Return on investment isn't going to be hard to find. NAC is already making a
lot of people happy on the IT side: De Beer said the help desk has seen a 66
percent drop in help desk calls and trouble tickets, mostly from a drastic
drop-off in calls related to viruses, anti-virus software, spam and the like.
"It's been interesting to see the amount of help desk calls drop,
[along with the] response time from quarantining an infected machine to the
process [of remediation]," De Beer said, such as the time that used to
pass between seeing a security alert, hunting down the problematic machine,
blocking the port and asking the help desk to remediate the machine.
"We removed half those steps," he said.
Students, for their part, are no longer complaining about a painful process
of device registration that, pre-NAC, could take up to 72 hours. To wit: When
trying to access the network with a device, students were sent to a Web page,
the MAC address was manually entered and the IP address was dynamically
returned.
"Students complained about this," De Beer said. "They want
access to coursework immediately. … [Campus Manager] removed four to five steps
[by providing automatic device registration], and the process went from being a
48-hour, on average, ordeal, to becoming an instantaneous process."
IT staff who used to have to slog through manual device registration can now
turn their attention to other, more productive tasks on campus, he said, not
only because of the automatic registration but also thanks to the
self-remediation for PCs that don't match security policies and the reduction
in help desk calls.
Here are some of the things that De Beer said were on his requirements list
for a NAC solution, as gleaned from departments including the notebook and hardware
team, the networking department and, of course, the help desk:
Nonpersistent agent. Campus Manager has both a persistent agent and a
dissolvable agent. The scan can be done in 20-60 seconds, usually, and either
allows users onto the network or quarantines the device and directs users to a
remediation site with instructions for how to fix their problems and get back
onto the network. De Beer said the nonpersistent agent was a requirement
because a lot of devices logging onto the network belong to students, and as
such, there's "a big push for as little interference as possible with
student device or traffic," he said.
Clean integration. CUMC has a highly diverse group when it comes to
back-end authentication systems or mechanisms: it deals with RADIUS, LDAP,
Active Directory, Kerberos and more, and the NAC solution had to work with all
of them.
Remote registration. The help desk wanted to see remote registration
of both devices and MAC addresses, without requiring a user to come to campus.
Minimal environmental impact. The network group needed something to
scale well and to give them access at both Layers 2 and 3 so that they could
provide action on user IDs, MAC addresses and user addresses. "We didn't
want to be intrusive; we just wanted to do it at the switching level," De
Beer said.
Out of band. If the NAC device fails for some reason, including power
failure, there should be no negative impact on the network.
As far as what he's going to do with the time that Campus Manager is saving
him, De Beer said he can now turn his attention more fully to his preferred
focus: malware analysis. He currently works on reverse-engineering, although it's
been hard to write a signature for the Storm worm, for example, at the network
level, given that it looks like peer-to-peer traffic and is thus difficult to
distinguish from other, legitimate traffic.
Campus Manager may help in that department as well, however, given that it's
easy to detect an infected device at the host level, De Beer said. Using Storm
as an example again, he said he could write a custom policy that looks for
registry keys associated with the malware. He would then be able to write a
note that would automatically inform users when they had been infected with
this latest and greatest virus and instruct them on remediation.
"It's a huge benefit for me," De Beer said. Before the NAC
rollout, it was difficult to be proactive, he said. Now, it's no sweat: "It's
a pleasure to finally be more proactive and look to new projects rather than
doing triage all the time."