Appliance provides network access protection on school campus

By Ron Condon, UK Bureau Chief
18 Dec 2008 | SearchSecurity.co.uk


If you think your users are a problem, just imagine trying to stop more than 900 curious and intelligent schoolchildren, most with their own laptop machines, from bringing your network to a grinding halt.

That is the challenge facing Mark Gosden, network manager at Sutton Valence School in Kent, whose job it is to provide an efficient network service for school staff and pupils.

Founded in 1576, Sutton Valence is a co-educational independent day and boarding school for children aged 3 to 18. The school is split over two sites a mile apart, linked by a 100 megabytes per second (MBps) fibre optic link. Around 1000 devices may be attached to the wide area network at any one time. Many of these will be laptops brought in by pupils or guest speakers, which need to be checked before being allowed on to the network.

Until recently, Gosden adopted what he admits was a "piecemeal approach", which relied on loading a small application on to everyone's machine to check that each had an up-to-date version of Sophos antivirus running.

This meant he had to buy enough Sophos AV licences not only for staff on the school network, but also for all the students' laptops, which was proving expensive. "The little piece of software was pretty crude," he said. "It just blocked drive access if Sophos was not present or up to date. That was just done on file, date and time – so it was easily circumvented, unfortunately."

Gosden decided that with the expense of the Sophos licences and the rather crude approach to device checking, he needed to adopt a more effective network access control method.

Having decided to go for an appliance, which would be easier to manage, he looked at two NAC products: one from Bradford Networks Inc., and the other from Forescout Technologies Inc.

Although Bradford Networks had a specialist NAC product for the education market, Gosden felt both companies would be able to deliver what he needed. "There was little to choose between the Forescout and Bradford devices, but to be brutal, Forescout's was cheaper. We didn't have a huge requirement -- we just wanted a device that would sit on the network and scan any machine that sat outside of our Active Directory domain and allow them network access as long as they had up-to-date antivirus software, and were not flooding the network with junk. Beyond that, everything else was a bonus," Gosden said.

In the summer of 2008, Gosden installed Forescout's CounterACT CT-1000 NAC appliance. "The support we had from Forescout was very good. They did the majority of the implementation and configuration. I have the admin console which I look at occasionally, but once you set the rules in the device, the device really looks after itself."

Since then, the system has needed very little management. Working against a list of known antivirus packages (not just Sophos as before), it checks any new device to make sure it has AV and that it is up to date.

"I only had to make a change when a couple of the kids were using AV software from F-Secure, which wasn't on the list of defined AV applications in the Forescout box. We just added those in, which Forescout showed me how to do. Once that was done, the users were allowed through," Gosden said.

The system either allows or blocks users, and does not attempt to carry out remediation work. "It works by mirroring all the network traffic through to itself from one of the ports on the switch. If it sees anything suspicious, it will block that person off completely with appropriate Web-based warnings," Gosden said.

He said he prefers the students to look after their own machines. "For the last couple of years we have been going through a programme of education rather than prevention with the kids. They are increasingly IT literate when they come to the school. So we are trying to put as much of the onus on them," he said.

"They are now quite capable of updating their own antivirus, for example, whereas three or four years ago, we would have had to do more of it for them."

That independence of spirit has a downside too, of course. For example, URL blocking is "an ongoing battle" as the kids find ways of bypassing the filtering system from Websense Inc., usually by the use of anonymous proxies. "Websense works pretty well, but the kids are adept at finding ways around it if they want. It takes 24 hours for Websense to update all the latest proxy sites. So it's a manual task for us to check the logs to see if a lot of kids are heading for a site that looks a bit odd. It's just something we live with at the moment."
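The manual log review Gosden describes, looking for a not-yet-categorised site that many pupils suddenly head for, can be approximated with a short script. This is an added example, not code from the school, Websense or the article; the five-field log layout, the category names and the threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines (assumed layout: timestamp user host category action).
SAMPLE_LOG = """\
2008-12-01T10:02:11 pupil07 www.bbc.co.uk news allowed
2008-12-01T10:02:40 pupil12 fastsurf.example uncategorised allowed
2008-12-01T10:03:05 pupil31 FastSurf.example uncategorised allowed
2008-12-01T10:03:09 pupil31 fastsurf.example uncategorised allowed
2008-12-01T10:04:17 pupil44 fastsurf.example uncategorised allowed
2008-12-01T10:05:52 pupil09 fastsurf.example uncategorised allowed
2008-12-01T10:06:00 pupil20 revision-notes.example uncategorised allowed
2008-12-01T10:06:03 pupil20 revision-notes.example uncategorised allowed
2008-12-01T10:06:30 pupil20 revision-notes.example uncategorised allowed
2008-12-01T10:07:15 pupil12 oldproxy.example proxy-avoidance blocked
truncated line
"""

def suspect_hosts(log_text, min_users=3, watch=("uncategorised",)):
    """Return [(host, distinct_users, first_seen)] for allowed requests to
    hosts in a watched category that at least min_users different users
    reached. Distinct users, not hit counts, drive the result, so one pupil
    reloading a page does not raise a flag."""
    seen = defaultdict(lambda: {"users": set(), "first": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated records
        ts, user, host, category, action = parts
        if action != "allowed" or category not in watch:
            continue  # already blocked or already categorised
        entry = seen[host.lower().rstrip(".")]  # normalise host spelling
        entry["users"].add(user)
        # ISO 8601 timestamps sort correctly as plain strings.
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
    hits = [(h, len(e["users"]), e["first"])
            for h, e in seen.items() if len(e["users"]) >= min_users]
    # Most widely used host first, then alphabetical for stable output.
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))

if __name__ == "__main__":
    for host, users, first in suspect_hosts(SAMPLE_LOG):
        print(f"{host}: {users} distinct users since {first}")
```

Hosts it reports are candidates for a manual look and, if confirmed, a local block until the filter vendor's category update arrives.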

However, the presence of the CounterACT appliance will at least ensure the network stays operational by analysing traffic flows and blocking anything that looks suspicious. "It analyses the packets as they pass through, and for example, if it sees traffic flooding from one device on the network to one of our servers, it would certainly stop that for us, and the user would lose his or her connection."
