Network access control (NAC) is unique when it comes to a campus environment. First and foremost, the network is
fairly open and must be accessed by thousands of students, staff and faculty members. On the flipside, that openness is just what keeps college campus networking pros awake at night, worrying whether something unwanted is being introduced to the network.
And Jeff Dorsz, telecommunications and network manager for California's South Orange County Community College District, said he's no stranger to fretting over what's happening on his network. But with many network access controls being agent based -- meaning that an agent would need to be installed on each endpoint that wants access to the network -- Dorsz said his options were relatively limited.
"Given the sensitivity and volume of the information assets we maintain," he said, "coupled with the sheer number of students and faculty that continually seek access to that information, we recognized the need to put new security provisions in place without the cost and headache of having to install and manage endpoint software or agents."
Dorsz said he looked into some agent-based and software solutions, but it was unrealistic to think that he could deploy it to all machines, especially since the district's network typically serves 38,000 students and 2,500 faculty and staff members.
"Having them download an agent to get access, they were going to balk at that," he said.
Dorsz was originally going to put in new internal firewalls -- "I'm an old traditional firewall kind of guy," he said – but further investigation led him to want something that not only authenticated but also performed checks before and after admission to the network.
"Initially, this project started off evaluating internal firewalls," he said, "but it quickly evolved to a network access control initiative with a requirement for both pre- and post-connect user monitoring and control."
"We didn't want just authentication and then give them access. We want to see user activity," Dorsz continued. "We want to enforce policy and contain malware."
Dorsz said he evaluated all of the key NAC vendors, but financial constraints and management concerns steered him toward Nevis Networks.
"One of my major concerns was manageability," he said. "A lot of the different NAC solutions were difficult to manage."
Also, he repeated, a lot of them were agent based.
Dorsz wanted pre-authentication controls, user activity monitoring, and identity-based policy enforcement, along with pre- and post-connect security policies that wouldn't take a toll on network performance and throughput.
"Because our policies are built around user and group definitions, such as segmenting academic and administrative traffic coming into the district data center, we felt it absolutely necessary to have our policy-enforcement system linked to user identities," he said.
In phase 1, users at the main district office on one of the district's two campuses would access the network through a Nevis LANenforcer, which can distinguish among student, faculty, administration and guest users to control which areas they can access. In phase 2, Dorsz said, South Orange County Community College will implement a data center protection initiative by installing LANenforcer appliances on additional LAN segments to protect key back-end services that store sensitive information.
Dorsz also said he now keeps a real-time eye on the network for incident reporting purposes and can continuously monitor user activity for better security.
"We evaluated options from traditional firewall providers and various flavors of NAC solutions," he said, "but cost factors, performance issues and scalability limitations eliminated these options."
And though the NAC market may still be shrouded in a level of uncertainty, Dorsz is confident that the Nevis solution he selected will help South Orange County Community College adapt as the market grows.
"We needed to authenticate users, and we needed to set up trust zones," he said. "I don't see those two concepts going away any time in the near future. There's always going to be the next best thing coming over the horizon, but pretty soon you have to jump into the water."