Cram Session: Network Access Control

University picks Impulse Point NAC over Cisco's for price

One Safe-Connect security box costs less and won’t block traffic

Despite an extensive investment in Cisco network infrastructure, when it came time to install network access control, the University of the Pacific shunned Cisco gear as too costly and opted instead for an appliance from Impulse Point.

"We would have had to put one of [Cisco's Clean Access] servers in each of our distribution closets, and we have eight of those," says Rob Henderson, director of cyber infrastructure at the university. "We're a very big Cisco shop so they were quite disappointed with us when we had to look elsewhere. We just ran the numbers, and they couldn't come close to the price of the Impulse Point equipment."

The single Impulse Point Safe-Connect box that the university bought cost about $45,000, roughly a quarter of what Cisco estimated for the price of its gear, Henderson says.

Cisco wasn't the only contender for Pacific's NAC business, Henderson says. The school also tested Blue Socket and HP NAC equipment that included Vernier technology, but both came up short for the same reasons the Cisco equipment did -- they had to be deployed in distribution closets, meaning the school needed eight boxes. That made them too costly and complex for his budget, Henderson says. Also, they had to be installed inline with network traffic, and if they failed, no traffic could get past them.

Safe-Connect, which supports up to 10,000 endpoints according to the vendor, attaches to a port on one of the university's core Cisco 6509 switches, where it taps into NetFlow data to discover new devices. As each device authenticates to the network, it receives a policy key and a Safe-Connect agent that enforces the policies.

So if policy says a particular device is restricted to a certain virtual LAN, the agent enforces it by restricting the devices to which it is allowed to connect. Because enforcement happens in the agent, the appliance is not deployed inline with traffic, so if the box fails, traffic can continue unimpeded.
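To make the out-of-band discovery step concrete, here is an added example (not Impulse Point's or the university's code) that parses a NetFlow v5 export datagram, as a Cisco core switch would emit it, and reports campus source addresses that are not yet in a NAC inventory. The campus prefix, the inventory and the flow records are constructed for the example.

```python
import ipaddress
import struct

# NetFlow v5 export layout: 24-byte header followed by 48-byte flow records.
# Safe-Connect reads this feed from a core-switch port instead of sitting inline.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed inventory and campus prefix (assumptions, not from the article).
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")
KNOWN_HOSTS = {"10.20.1.10", "10.20.1.11"}


def parse_v5(packet):
    """Yield (src, dst, proto) for each record in one NetFlow v5 datagram."""
    version, count, *_ = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    for i in range(count):
        f = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        yield (str(ipaddress.IPv4Address(f[0])), str(ipaddress.IPv4Address(f[1])), f[13])


def discover_new_devices(packet, known=KNOWN_HOSTS, campus=CAMPUS_NET):
    """Return campus source addresses seen in flows that are not yet registered.

    Only sources inside the campus prefix count as devices: remote peers of outbound
    flows and outside hosts sending inbound are not endpoints to onboard. The check is
    observational only, so a failure here never blocks traffic (fail-open by design).
    """
    return {src for src, _dst, _proto in parse_v5(packet)
            if src not in known and ipaddress.ip_address(src) in campus}


def build_sample_export(flows):
    """Construct a NetFlow v5 datagram from (src, dst, proto) tuples (test data only)."""
    header = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    b"\0" * 4, 1, 2, 10, 1500, 0, 0, 50000, 443, 0, 0x18, p, 0, 0, 0, 24, 0, 0)
        for s, d, p in flows)
    return header + records


if __name__ == "__main__":
    pkt = build_sample_export([("10.20.1.10", "203.0.113.5", 6),    # registered host
                               ("10.20.7.42", "203.0.113.5", 6),    # unregistered laptop
                               ("10.20.7.42", "10.20.1.11", 17),
                               ("198.51.100.9", "10.20.1.10", 6)])  # inbound from outside
    print(discover_new_devices(pkt))  # → {'10.20.7.42'}
```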

The University of the Pacific has 1,700 students on three campuses in Stockton, Sacramento and San Francisco, Calif., and there was no way to check for antivirus and operating-system patches on their computers, Henderson says.

In 2004 the university had begun using 802.1X capabilities in its Cisco 3560 access switches in conjunction with Microsoft 802.1X client software to authenticate faculty and staff machines. "But it didn't truly check compliance on the workstations for the students," he says. With a network of Cisco 802.1X gear in place, the school was a prime candidate for Cisco NAC.

With the new NAC installation, when users log on to the network their machines are diverted to a captive portal page that has been customized by the school. Users must agree to the acceptable-use policy for the network before they are allowed on. Their machines download the agent and are scanned for updated antivirus and Microsoft operating system software, he says.

The school plans to expand the checks to include whether a properly configured desktop firewall is installed on faculty and staff machines. In the future the device could also be used to check machines for a particular malware executable file, and to quarantine those machines if it is found.

"We would have to know about the exploit and the exact executable file," Henderson says. "It's not a zero-day type of defense. For that we're relying on our desktop firewalls."

Henderson would like to see more features in the captive portal, one of which could be used to send security alerts that could be useful in an emergency such as the shooting rampage at Virginia Tech University earlier this month.

The agent on machines could launch the browser on any network-attached computer and display the portal page, on which the school could post warnings, he says. "We're working with Impulse Point to improve that," he says.

The portal could also be used to advertise campus events, he says.

Education of users was important to the deployment because the university is considered an open environment and many users didn't want an agent on their computer, he says. "They're always worried about Big Brother watching them," he says.
