The CCRI Network Infrastructure is a complex collection of servers, storage, switches and routers that would be incredibly difficult to rebuild. Such a project would take days of recovery and many hours of resource allocation. As a result, the protection of that infrastructure and the security model applied to it should be significant and as bullet-proof as possible. By the same token, the clients connecting to the CCRI Network Infrastructure should be as up to date and as secure as possible. Network Access Control is a means of ensuring that all client devices are up to date.
Network Access Control (NAC) is a system that provides authentication, scanning, remediation and accountability for devices and users connected to a network. The process begins when a user either plugs into a data jack for the first time or connects to the CCRI wireless network. The first step is registration; during this step the user is asked for credentials. This is the authentication piece, in which the user’s role is determined from the user database and the type of PC is determined by MAC address. These are important because they are factors in which client the device gets and which policy is applied to that device. The machine is then scanned for updates and anti-virus software. If the user passes the scan, the user is let onto the appropriate network and allowed to use the resources permitted on that network. All of this is recorded in the NAC system for accountability.
During registration a number of processes are used to determine the varying users and devices that will be connecting to the network. Let’s begin with authentication. Right now our NAC system authenticates to the LDAP directory in the Luminous system. This is OK for now, but I think it would be better to use AD for this implementation. AD has many more fields we can use, and our system has redundancy in case of failure. When a user enters their credentials in the appropriate window, the NAC system checks AD to see what role the user belongs to. Once the role is determined, the device is checked for its type (i.e. PC, Apple, Linux or mobile device) and the security client agent is downloaded to the device. Different devices have different agents, and some have none: currently there is no agent for Linux or portable devices. PCs and Apple machines have either a dissolvable or a persistent agent. We should use the persistent agent everywhere possible because it has many more benefits: we can run a scan any time there is a virus outbreak, and we can send an emergency notification message at any time to any machine that has the persistent agent installed.
NAC policy will be set by role/group. Currently there are four roles: Student, Faculty/Staff, Cart and Guest. Part of this project will be to determine whether the current roles are sufficient for the college’s needs or whether new roles need to be created. Then we need to determine the policies assigned to these roles. These policies should check for updates that are recent but not too recent: if they are too recent, many users will be sent to the remediation network, which will mean a bigger support issue than we have the resources to handle. The NAC committee will develop the policies and the Security committee will approve them. The policies will include what to scan for and which resources the user networks will be allowed to use. These policies will be important in determining the support levels the college will give to users. The Guest user policy is another issue that will have to be refined, as there is a new Guest user administration in the new version of the software.
Each device/user scan is checked against the policy set in place for the role that user belongs to. These policies are configurable and can be as granular as the CCRI administration wants. The scan can be as simple as confirming that anti-virus software is installed or as in-depth as checking an individual registry key value. If the user passes this scan, the user gets on the network with all the security settings assigned to the user’s group/role in place. If the user fails, the user is put into a Remediation network. In the Remediation network, the only resources the user’s device is allowed to access are those CCRI determines are enough for that user to self-remediate the device. All users in remediation will be steered to a website with links to AV software, Microsoft updates and so on. Once the user has self-remediated, the user can choose to rescan. Only once the user has passed a scan/rescan will that user be allowed onto a network.
NAC also provides a means of identifying which user is on which PC at a particular time, and of tracking when a PC/device connects to a particular port on a particular switch on the network. The system keeps a database with all of this information, and a wide variety of reports can be generated on a regular basis to keep track of what is going on.
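As an added illustration of the registration, scan, remediation and accountability flow described above (example code written for this document, not part of the Bradford Campus Manager product or CCRI's configuration), the following models a role-based policy check. The four role names come from the plan; the patch-age windows, network names and the sample user, MAC and switch-port values are assumed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Role policies: constructed sample values modelled on the four roles the plan names.
# max_patch_age_days is the "recent but not too recent" window: updates older than this
# fail the scan, but a patch released yesterday does not push everyone into remediation.
ROLE_POLICIES = {
    "Student":       {"require_av": True,  "max_patch_age_days": 30,   "network": "student-net"},
    "Faculty/Staff": {"require_av": True,  "max_patch_age_days": 30,   "network": "staff-net"},
    "Cart":          {"require_av": True,  "max_patch_age_days": 14,   "network": "cart-net"},
    "Guest":         {"require_av": False, "max_patch_age_days": None, "network": "guest-net"},
}
REMEDIATION_NETWORK = "remediation-net"  # only self-remediation resources reachable here
AUDIT_LOG = []  # accountability record: who, which device, which switch port, what outcome

@dataclass
class ScanResult:
    av_installed: bool
    last_update: Optional[date]  # None when the agent could not determine the patch level

@dataclass
class Decision:
    network: str
    failures: list = field(default_factory=list)

def evaluate(role: str, scan: ScanResult, today: date) -> Decision:
    """Check one scan against the policy for the user's role."""
    policy = ROLE_POLICIES[role]
    failures = []
    if policy["require_av"] and not scan.av_installed:
        failures.append("anti-virus software not found")
    max_age = policy["max_patch_age_days"]
    if max_age is not None and (
        scan.last_update is None or (today - scan.last_update).days > max_age
    ):
        failures.append(f"OS updates older than {max_age} days")
    # Any failure steers the device to the remediation network; otherwise the role network.
    return Decision(REMEDIATION_NETWORK if failures else policy["network"], failures)

def register(user: str, role: str, mac: str, switch: str, port: str,
             scan: ScanResult, today: date) -> Decision:
    """Registration or rescan: evaluate, then record the outcome for accountability."""
    decision = evaluate(role, scan, today)
    AUDIT_LOG.append({"user": user, "role": role, "mac": mac, "switch": switch,
                      "port": port, "date": today.isoformat(),
                      "network": decision.network, "failures": list(decision.failures)})
    return decision
```

A rescan after self-remediation is simply another `register` call with the new `ScanResult`, so the audit log keeps both the failed and the passing attempt.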
CCRI will be using the Bradford Campus Manager Network Access Control system. The Network Sentry 1200 (Network Control Server), the Network Sentry 8200 (Network Application Server) and the Client make up the NAC system from Bradford. When we first wanted to incorporate some of the wired network into our current NAC system we thought we could just add licenses. This project, for a full-blown wired and wireless NAC solution, will not run on the hardware we currently have; an upgrade to the existing system is needed to handle the load. The eventual project will look into the redundancy issue involved and the acquiring of a second set of the above equipment for the Lincoln campus to be fully redundant. Currently we are using about 3500 licenses, with peak times of around 500 – 600 concurrent users, and this is only our wireless network. This project will add approximately 2500 wired PCs. We also have to add any other device connected to the network, so we are adding around 200 printers and 120 VOIP phones. When this implementation is done, any printer can be moved to any active jack and the network will know what it is and which network to put it in; the same will go for VOIP phones. This project will put us in a great place for future VOIP implementations.
As part of this project a new team must be created within IT. We will call it the NAC team. In the beginning the team should meet at least bi-monthly to go over what the project will entail, who it will affect, what the support issues are going to be, policy creation and so on. The team should comprise the networking group and other key IT group members that support desktop machines. This team should start meeting in April 2010 to get a head start on the project.
Also, as an offshoot, there should be a security committee for the whole college. NAC plays a very important role in the college’s security preparedness. The college community should know more about NAC and security in general. I think the committee should start meeting right away to start preparing the departments for what is coming and to start teaching them about security. This committee will go far beyond the scope of this project, but it should exist for this project, so it is a good time to get it started.
The NAC project requires appropriate new hardware as well as upgrading the licensing of the Bradford Campus Manager software for all wired and wireless devices.
Policies need to be in place before Campus Manager can be configured to enforce them. Policy needs to be backed by the upper management of the college. This includes which software the college supports and what is to be scanned for.
A pilot group needs to be identified and configured, and a time frame needs to be set.
A phased roll-out plan needs to be set up so that appropriate support can be given.
Wireless has already been using this system, but the scanning has not been implemented. I think the wireless users will be scanned starting with the Fall 2010 semester.
Assigned Project Manager, Authority and Responsibility:
Manny Correia – Project Manager
Organization, Authority and Stakeholders:
Network Group IT
Setting up New Campus Manager System, configure Network devices to be managed by CM, Support Pilot, Chair NAC team, Begin Security Committee,