Volunteer labor is essential to the success of nonprofit organizations, but for IT managers and network security professionals, they also pose a security threat, especially when volunteers use their own laptops to access the network. One legal aid firm is addressing that threat through network access control (NAC).
"We have 12 locations, and at each location we sometimes have volunteer students who will come in," said Joseph Mays, director of IT at the Georgia Legal Services Program (GLSP). "I felt the need to be able to put a net out across our network so that when students came in and plugged in their laptops, they would not spread a virus that would completely shut down our network."
GLSP is a Cisco Systems shop, with Catalyst 3560s and 2950s spread across its 12 locations, so Mays looked at Cisco as a potential vendor for his NAC project. Unfortunately, he determined that using Cisco for NAC would require him to update IOS across his infrastructure, something he didn't have the resources to do because most of his remote locations have no on-site IT staff. As a nonprofit, GLSP was extremely price sensitive. The purchase price for NAC is one issue, but the cost of implementation is just as important.
"To go out there and upgrade all these switches would have cost us travel time and cost us a potential engineer to go out and do the upgrades," he said.
Mays looked at a handful of other NAC vendors before settling on CyberGatekeeper and Dynamic Network Access Control (DNAC) from InfoExpress.
"With the CyberGatekeeper products we were able to roll [NAC] out in one day," he said. "After rolling out the client to all the desktops and putting it into monitoring mode, it gave us a really good view of what was loaded onto desktops, what types of applications were there, and [it allowed us] to see whether or not our McAfee [desktop security] technology had been updating its desktop clients. We wouldn't have that kind of insight into our desktops without the tool."
Selecting an independent NAC vendor also protects GLSP from vendor lock-in. "Using the DNAC product, we can put any vendor's switch in any location and not worry about whether it is Cisco or HP or whatever," Mays said. "DNC will work with those products."
He uses NAC to control the kinds of applications employees and volunteers use on the network. For instance, AOL Instant Messenger (AIM) is banned from the network in favor of an internal IM solution. If a user opens up AIM or some peer-to-peer file-sharing application, the InfoExpress product quarantines the device and instructs the user to click on a remediation link. Clicking on the link shuts down the banned application.
InfoExpress has already helped Mays avert potentially serious security problems.
"We had an instance where a user was browsing out to a particular site and contracted a worm that tried to disable McAfee," he said. "DNAC disabled that worm and quarantined the user off the network for remediation. We have a script in place that pops up a window which says, 'Contact the help desk.' The user called in and we were able to go out and look at what was causing the issue. Since NAC quarantined the desktop off the network, we were able to take it into the lab and fix the problem."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor