Going forward

UNC Chapel Hill is far from finished with its NAC deployment. Rather, it continues to investigate ways to get more out of the system, such as by extending the automated blocking of offending devices and users to more constituencies and scanning for offending devices, especially repeat offenders. The school is also looking to streamline the process of connecting various types of devices to the network by creating policies for different device classes - everything from card readers to HVAC monitoring tools - then letting appropriate managers on campus decide whether a specific device belongs in that class. If it does, the manager can register the device's hardware address in the policy database and, no matter where the device connects on the network, it will be outfitted with the appropriate policy.

The school is also continually evaluating additional anomaly detection products that it may tie in to its NAC system and examining whether it can be extended to the school's wireless network.

Asked for advice for others who may be headed down the NAC road, Hawkins said adhering to standards greatly improves your flexibility, giving you the ability to add in new products. Such standards include 802.1X, RADIUS and RFC 3580, which deals with RADIUS-based virtual LAN assignment. UNC's NAC management software, for example, relies on RADIUS for much of its media access control address authentication. "There are solutions out there that use proprietary sorts of things. You need to be very careful about that," he said.

Gogan said to think about your goal. "If the ultimate goal is to keep infected machines off your network, that's pretty short-sighted for the capability of a tool like this."

The goal at UNC Chapel Hill was far broader, Hawkins added. "Our goal was to improve how we manage the devices on our network. We feel like we've taken a big step forward in that."

Desmond is president of PDEdit, an IT publishing company. Reach him at paul@pdedit.com.