Until Carroll College bought into NAC technology, it took six weeks of work by a dozen full-time IT staff and student volunteers to clean up student PCs and stem the infections those machines brought onto the network.
The effort has gotten a lot simpler. Since putting Tipping Point gear in place in 2005, keeping the network clean has required just three people and three days at the start of the semester.
"This year we couldn't believe we got done in three days with no major network issues, no major looming security threats, no incidents after those three days - nothing," says John Arechavala, director of infrastructure services at the school. "We're pinching ourselves."
With 1,300 students living in dorms and another 1,700 commuting, Carroll had a big chore. The network let students bring whatever PCs they had at home and attach them to the network. "Consequently you expose yourself to all the evils of the world that happen to be installed on those computers," Arechavala says.
When he started looking at NAC gear three years ago, there weren't that many options. The school is primarily a Nortel shop for its wired infrastructure, and a combination of Cisco and Xirrus for wireless. Nortel wasn't ready with NAC then, but Arechavala had heard of the start-up Roving Planet that had success in other universities. Roving Planet was later bought by Tipping Point.
He says he knew the NAC software could control admission by machine and user as well as perform a basic scan without using client software on each machine. He took the opportunity of implementing NAC to streamline the definition of acceptable PCs that the school would allow on its network. "We don't own these devices, we don't know where they come from, we don't see them before they come in," he says.
First, the student computers had to run Mac OS, Linux or Windows XP. Before NAC, he allowed several other flavors of Windows, but he found that supporting them required too much help-desk knowledge.
The only other requirement for the machines was that each PC have an acceptable antivirus client that was updated and running. If the machines could meet those requirements, they could gain access, he says.
With NAC in place to make sure these two criteria are met, as students plug in for the first time and attempt to access network resources, their traffic is intercepted and they are diverted to an untrusted VLAN where their machines are scanned.
They are diverted to a site where they can download antivirus software if their machines are found lacking, he says. Since the school provides enterprise-grade Norton antivirus from Symantec to students for free, many of them adopt that, he says. Those with unsupported operating systems receive a notice that they must switch to a supported operating system, he says.
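The admission flow described above (supported OS first, then an installed, current and running antivirus client; anything else stays on the untrusted VLAN and is sent to a remediation page) is small enough to model end to end. The following Python is an added example, not code from Carroll College, Tipping Point or Roving Planet; the posture field names, the decision labels and the sample scan results are all constructed for illustration. It goes slightly beyond the article in one respect: an attribute the scan cannot determine is treated as a failure, so the policy fails closed rather than admitting an unknown machine.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Operating systems the policy accepts (the college's three-OS rule).
SUPPORTED_OS = {"mac os", "macos", "linux", "windows xp"}


class Decision(Enum):
    ADMIT = "move to trusted VLAN"
    UNSUPPORTED_OS = "stay on untrusted VLAN; show unsupported-OS notice"
    REMEDIATE_AV = "stay on untrusted VLAN; redirect to antivirus download page"


@dataclass(frozen=True)
class Posture:
    """Result of the agentless scan of one endpoint (constructed field names;
    None means the scanner could not determine the attribute)."""
    host: str
    os_name: Optional[str]
    av_installed: Optional[bool]
    av_up_to_date: Optional[bool]
    av_running: Optional[bool]


def evaluate(p: Posture) -> tuple[Decision, list[str]]:
    """Apply the two admission criteria in order and explain the outcome.
    Any attribute the scan could not determine counts as a failure, so an
    unknown machine never reaches the trusted VLAN."""
    os_key = (p.os_name or "").strip().lower()
    if os_key not in SUPPORTED_OS:
        return Decision.UNSUPPORTED_OS, [f"OS {p.os_name!r} is not supported"]

    reasons: list[str] = []
    if not p.av_installed:
        reasons.append("no antivirus client detected")
    else:
        if not p.av_up_to_date:
            reasons.append("antivirus definitions are not current")
        if not p.av_running:
            reasons.append("antivirus client is not running")
    if reasons:
        return Decision.REMEDIATE_AV, reasons
    return Decision.ADMIT, ["supported OS; antivirus installed, current and running"]


def vlan_for(decision: Decision) -> str:
    """Only an ADMIT decision moves the port off the quarantine VLAN."""
    return "trusted" if decision is Decision.ADMIT else "untrusted"


# Constructed sample of first-connection scans, not real Carroll College data.
SAMPLE_SCANS = [
    Posture("dorm-pc-01", "Windows XP", True, True, True),
    Posture("dorm-pc-02", "Windows XP", True, False, True),
    Posture("dorm-pc-03", "Windows 98", True, True, True),
    Posture("dorm-mac-04", "Mac OS", False, None, None),
    Posture("dorm-lin-05", "Linux", True, True, False),
    Posture("dorm-pc-06", None, None, None, None),
]


def triage(scans: list[Posture]) -> dict[str, tuple[str, list[str]]]:
    """Map each host to the VLAN it lands on plus the reasons recorded for the help desk."""
    out: dict[str, tuple[str, list[str]]] = {}
    for p in scans:
        decision, reasons = evaluate(p)
        out[p.host] = (vlan_for(decision), reasons)
    return out


if __name__ == "__main__":
    for host, (vlan, reasons) in triage(SAMPLE_SCANS).items():
        print(f"{host:12} -> {vlan:9} {'; '.join(reasons)}")
```

Keeping every reason string rather than only the final decision is what makes the quarantine page useful: the student sees which of the two criteria failed, and the help desk can see at a glance why a machine is still on the untrusted VLAN.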
Adopting NAC two years ago was daring for the school. It was a significant investment for the college - about US$56,000 - and the name Roving Planet wasn't well known. But because it could reference satisfied customers at other schools, Carroll trustees approved the expenditure, Arechavala says. At the time, the alternative being considered was issuing standard-configuration computers to each student. "Obviously this was cheaper," he says.
The NAC software is deployed on five hardened Linux-based Dell servers attached to the core switches and plugged into VLANs designated as trusted and untrusted; the servers are managed by a Tipping Point Network Commander management platform. Each device can handle hundreds of users, he says.