NAC evolution

UNC chose to go with its NAC vendor for a number of reasons, not least of which is the fact that about 90 per cent of switches on campus come from the vendor. But UNC also liked the idea of policy enforcement taking place on the switch, near the network edge. Likewise, all the work the school had put into developing its acceptable-use policies would be immediately applicable. The team was also impressed with how easy it was to deliver policies to its switches, with the ability to update any number of switches with the press of a button - an important capability given that the university has more than 3,700 switches on campus.

"This was one of the few [NAC products] we looked at that scaled to tens of thousands of switches and routers," Gogan said. The product enabled the school to automate the rollout of NAC software to all of its switches, which greatly diminished implementation time as compared with other solutions that require software on all client computers. "Because we don't own the desktops out there, that would've been a nightmare," he says. Two to three staffers working roughly four hours each per day rolled out the NAC software in about two months - all the while dealing with their day-to-day trouble tickets and other issues.

The NAC idea first came up three or four years ago, before any vendor had NAC products available, Hawkins said. "We were on the same wavelength [as our NAC vendor] in terms of blocking things at the edge of the network. So some of the original thinking was ours as well as theirs."

Being involved at the alpha stage also enabled UNC Chapel Hill to have a hand in shaping product features. One example is the scripting feature that complements the graphical user interface of the NAC management software. Essentially, the capability enables users to trigger scripts based on SNMP alerts. The scripting capability is what enables UNC to take automated actions, such as the one that redirects users with infected machines to remediation resources or to apply the appropriate policy when a steam meter connects, all without involving network personnel. Another script can detect copyright violations, such as when students download and distribute illegal recordings. The script then proceeds to remove offending machines from the network and directs users to a page that explains the copyright offense and provides instructions for how to get back on the network.

Another bonus is that UNC's NAC software works with multiple vendors' switches. While 90 per cent of UNC Chapel Hill's switches are from the same vendor, it has about a dozen dorms outfitted with switches from two other vendors. In each case, the university has a switch from its primary vendor at the entry point to the dorm acting as an uplink for the other switches inside.

"The point of NAC in that building is the entrance switch," Hawkins said. "We can authenticate each user on that switch and take action on them on the uplink port. We can either block them or extend to them the capabilities they need based on that one device." The only down side is that if a machine inside the dorm becomes infected with a virus, it may infect other users connected to the same local switch, "but it won't infect all 3,000 users in the resident domain."