Saturday | 6 September, 2008
Computerworld
NAC is about more than security at UNC
Network access control helps the University of North Carolina bring more automation to its network management in addition to improving security
Paul Desmond (Network World) 19/05/2008 11:14:35

When the University of North Carolina in the US implemented network access control (NAC) campus-wide last year, it was as much a natural progression of the school's network management strategy as it was a security project.

"We view good management as equal to security and security as equal to good management," said Mike Hawkins, associate director of networking for UNC, during his talk at the recent Network World IT Roadmap Conference & Expo in Dallas.

To many, NAC implies solutions that interrogate end devices to ensure they have proper security controls in place before they are allowed on the network. At UNC, it's more about automating the implementation of acceptable-use policies that the school has had in place for years. And while tales abound of NAC rollouts that require wholesale network infrastructure upgrades, UNC has NAC working on switches that are as many as 7 years old and come from multiple vendors. Of course it helped that UNC was in on the ground floor with its NAC vendor, enabling it to help shape what the product looked like. (Because of university policy against endorsing vendors, UNC declined to name vendors for this story.)

Background

UNC Chapel Hill, the second-oldest public university in the United States, has some 28,000 students, 3,100 faculty and 7,500 staff. Altogether, some 35,000 users of traditional computing devices connect to its network each day along with about 50,000 other types of devices, ranging from soda machines to parking gates and water meters.

For years the university has been applying acceptable-use policies to its switch ports to dictate what each type of device can and cannot do when it connects to the network. While that worked well enough, it was a manual, static process to assign an acceptable-use policy each time a new device wanted to connect.

The university's NAC implementation brings a new level of automation to the table, said Jim Gogan, director of networking at UNC Chapel Hill. "The issue is how to provide the appropriate policies for whatever class of device wants to connect," he said. If a utility group connects a steam meter, the network should immediately recognize the device as a steam meter and apply the appropriate policy. That saves the network group from having to get involved every time some specialized device needs to connect.

"This is precise, granular edge control over what goes on in the network," Hawkins said. "I see very few NAC solutions that are actually doing this."

UNC Chapel Hill is wary of the pre-admission posture checks that interrogate end devices before letting them on, because its network exists to serve an environment meant to foster research and teaching. So it takes a slightly different tack: other security measures catch dangerous traffic, and NAC is then used to shut down the offending port or IP address.

For example, the school uses intrusion-prevention appliances to block virus infections from spreading. When it detects an infected machine, the appliance will kick off a trouble ticket detailing which IP address the virus is coming from. "I got three of those this morning between 10 and 11 a.m.," Hawkins said. "Within minutes, I applied a policy to each of those hardware addresses and forced them off the network. No matter where they plug in, they will not be allowed on."

Users of infected machines are then allowed access only to a Web page explaining why they've been denied access and pointing them to remediation resources. That redirect happens automatically, driven by the NAC implementation.
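The two mechanisms described above, class-based policy assignment at connect time and alert-driven quarantine keyed on the hardware address, can be sketched in a few dozen lines. The following is an added illustration, not UNC's code or any vendor's product: the OUI table, policy names, DHCP lease table, IPS alert format and remediation URL are all constructed for the example. The point it shows is the one Hawkins makes: the deny policy is pinned to the MAC address resolved from the IPS-reported IP at alert time, so the device stays off the network whichever port (or new IP) it moves to.

```python
"""Added example (not UNC's or a vendor's code): a minimal NAC policy engine.

Two behaviours from the article are modelled:
  1. A device's acceptable-use policy is chosen from its device class,
     here derived from the MAC OUI (constructed table).
  2. An IPS alert naming a source IP is turned into a quarantine entry
     keyed on the hardware address behind that IP, so the device is denied
     on any port it later connects to.
All OUIs, policy names, leases and alert lines are constructed.
"""
import re
from typing import Dict, Optional, Set

# Hypothetical OUI -> device-class table. Real deployments add DHCP
# fingerprinting or 802.1X/MAB attributes; an OUI alone is trivially spoofed.
OUI_CLASSES: Dict[str, str] = {
    "00:1A:2B": "steam-meter",
    "00:0C:29": "workstation",
}
# Hypothetical acceptable-use policies per device class.
CLASS_POLICIES: Dict[str, str] = {
    "steam-meter": "acl-utility-telemetry-only",
    "workstation": "acl-campus-user",
}
UNKNOWN_POLICY = "acl-registration-only"       # unrecognised device class
QUARANTINE_POLICY = "acl-quarantine-redirect"  # remediation page only
REMEDIATION_URL = "https://remediation.example/why-denied"  # hypothetical

# Constructed DHCP lease table. The IPS reports an IP address, but the
# policy must follow the hardware address, so the IP is resolved at alert
# time, before the lease can change.
DHCP_LEASES: Dict[str, str] = {
    "10.20.30.40": "00:0C:29:AA:BB:01",
    "10.20.30.41": "00:0C:29:AA:BB:02",
    "10.99.1.7": "00:1A:2B:00:00:09",
}

# Constructed IPS alert line format; a real appliance's format will differ.
IPS_ALERT = re.compile(
    r"^(?P<ts>\S+T\S+) IPS worm-propagation src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def normalize_mac(mac: str) -> str:
    """Canonical form so lookups do not depend on case or separator."""
    return mac.upper().replace("-", ":")


class NacPolicyEngine:
    def __init__(self, leases: Dict[str, str]) -> None:
        self.leases = leases
        self.quarantined: Set[str] = set()

    def classify(self, mac: str) -> str:
        """Device class from the first three octets (OUI) of the MAC."""
        return OUI_CLASSES.get(normalize_mac(mac)[:8], "unknown")

    def quarantine_from_alert(self, line: str) -> Optional[str]:
        """Parse one IPS alert; quarantine the MAC behind its source IP.

        Returns the quarantined MAC, or None when the line is not an alert
        or the IP has no current lease (then no hardware address can be pinned
        and the alert needs manual follow-up)."""
        m = IPS_ALERT.match(line)
        if not m:
            return None
        mac = self.leases.get(m.group("src"))
        if mac is None:
            return None
        mac = normalize_mac(mac)
        self.quarantined.add(mac)
        return mac

    def release(self, mac: str) -> None:
        """Lift quarantine after remediation."""
        self.quarantined.discard(normalize_mac(mac))

    def admit(self, mac: str, port: str) -> Dict[str, str]:
        """Policy decision when a MAC appears on any switch port.

        Quarantine wins over the class policy: the device is forced onto the
        redirect ACL no matter where it plugs in."""
        mac = normalize_mac(mac)
        if mac in self.quarantined:
            return {"port": port, "policy": QUARANTINE_POLICY,
                    "redirect": REMEDIATION_URL}
        policy = CLASS_POLICIES.get(self.classify(mac), UNKNOWN_POLICY)
        return {"port": port, "policy": policy, "redirect": ""}


if __name__ == "__main__":
    engine = NacPolicyEngine(DHCP_LEASES)
    # Constructed alert, in the style of the morning's trouble tickets.
    alert = "2008-05-19T10:12:03Z IPS worm-propagation src=10.20.30.40 dst=10.20.31.5"
    print("quarantined:", engine.quarantine_from_alert(alert))
    print("same MAC on another port:", engine.admit("00:0c:29:aa:bb:01", "Gi2/0/3"))
    print("steam meter:", engine.admit("00:1A:2B:00:00:09", "Gi1/0/7"))
```

Two caveats a practitioner would want alongside this. First, a MAC-keyed deny is a containment control, not authentication: a determined user can change the hardware address, so it should be backed by 802.1X or at least port-level visibility of which user registered the device. Second, the IP-to-MAC resolution must happen against the lease or ARP state current at the time of the alert; resolving later, after the lease has rolled to another host, quarantines the wrong machine.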
