It's challenging enough to keep systems secure within a corporate network – imagine having to secure a network in which you had little to no control over each endpoint. No security policies. No way to confirm what software was installed, how it was configured, what types of applications were downloaded, or even determine software patch levels.
That's the world of Adrian Raymond, network manager at Kelly College in Tavistock, Devon, UK. Adrian is responsible for keeping the network running safely for the independent coeducational boarding and day education school. In addition to its full academic curriculum, Kelly College offers an extensive range of extracurricular activities, as well as clubs and societies.
"As an independent boarding school, our needs are not unlike larger institutions," says Raymond. His small IT staff supports users and monitors the network from 8:30 AM through 5:00 PM, but the network users – especially the students – access that network 24/7. "While we want to encourage students to use our resources and become competent autonomous IT users, we also need to prevent damage to our systems from either our resident users or malicious outsiders," he says.
To make things even more challenging, IT students with exceptional grades actually are encouraged by the Information Communication Technology (ICT) teachers to "investigate" the school's network. "We have no sanctions to prevent students making attempts at hacking. This tends to keep us alert," he says.
Those network use policies would keep any security manager on his/her toes; yet, the college knew it still had to find a way to keep those network freedoms in place, while also ensuring that the integrity of the network was not placed in jeopardy and all students and administrators could use the school's IT resources safely. That meant bringing a manageable, flexible, yet adequate level of security to the network, both wireless and wired.
For some time, Kelly College provided F-Secure Internet Security software to all of its students for their own PCs. However, there was no way for IT to check to see if the software actually was installed, running properly, and up to date.
To get to the level of protection it needed, Kelly College considered various dedicated wireless "intrusion prevention" systems, as well as the possibility of network access control deployment. The wireless-only network security option was dismissed because it did not provide a complete solution, as all its wired connections still were unprotected. Also, the hardware-based NAC technologies that were evaluated would have required the school to replace or reconfigure all of its existing network switches – obviously at a substantial cost.
To find a viable fix to its situation, Kelly College turned to a local security solutions provider, Armana Systems, to help it find the best way to secure its systems. "Kelly College needed a NAC solution that could meet its security requirements immediately, scale for future demand, and be easy to install," explains Paul Godden, managing director at Armana Systems.
Kelly College ultimately installed the peer-to-peer-based Dynamic NAC technology from InfoExpress. Dynamic NAC, Raymond explains, could be deployed with no network changes, thus providing a deep level of inspection from an enterprise-class NAC device that is easy to use and manage.
Dynamic NAC provides all the security the college needs on both its wired and wireless segments. "The main benefit of Dynamic NAC is how it enforces policies, with software enforcers being managed by a central server without manual intervention," says Raymond. "For instance, a new user has to comply to be able to access the Domain, and this compliance helps to enforce the policy to other machines. In effect, we have enforcing clients attached to every hardware network device, with no way to avoid them being detected."
One of the capabilities that separate InfoExpress' Dynamic NAC from other more complicated NAC offerings is its reliance on an organization's existing distributed network. "Dynamic NAC turns qualified, secure PCs into NAC enforcers that can detect, quarantine, and remedy rogue endpoints and unhealthy PCs," says Armana Systems' Godden. "At Kelly College, Dynamic NAC checks that the college-supplied F-Secure Internet Security software is installed, operational, and up to date, and ensures that no rogue PCs can connect to the college network. Dynamic NAC also can be used to harvest the F-Secure and Dynamic NAC agents automatically at the end of the school year. That would provide a considerable cost savings."
With so many of its students encouraged to explore the network, and with no stated policies against hacking in place, Kelly College faced security challenges few others would want. And it needed security defenses that work consistently, with little management. "Dynamic NAC has helped us make certain that no outside visitors can access the network and that the right applications are running and up to date, all while academic curiosity on the network could occur without restraint," says Raymond.