When you need NAC now
School district taps a start-up for appliances that support NAC
By Tim Greene, Network World, 01/29/2007
The Upper Canada District School Board decided it needed network access control to securely expand wireless access across the vast district, broaden the types of devices allowed access to its network and keep students out of sensitive
servers.
When it started looking for NAC technology 18 months ago, the options were limited, and CIO Jeremy Hobbs came across a story
about Nevis Networks in a trade publication. He contacted the company and reached someone he had dealt with before at another
vendor. They worked out an arrangement in which the district would be a test bed for the product.
The district also chose Nevis because it doesn't like to get locked into a single vendor, Hobbs says, which is why it decided
against NAC schemes from the two industry heavyweights -- Cisco's Network Admission Control and Microsoft's Network Access Protection.
The school district sprawls over an area of Ontario three times the size of the state of Connecticut and includes 35,000 students
and 5,000 staff. The schools use NAC to allow personal laptops onto the network as well as to expand wireless access, he says.
At the same time, the Nevis gear helps keep unauthorized users out of the data center, where human-resources and student information are stored.
"We find the majority of threats come internally from kids who are aspiring to grow up to be hackers or who are interested
in tinkering," Hobbs says.
Nevis gear was added to the district network without requiring reconfiguration of the network infrastructure. Hobbs put two
Nevis 2026 devices between core switches and access switches serving the data center at the district headquarters in Brockville,
Ontario. They integrate with the district's Active Directory so users gain access when they log in from authorized machines.
The experience is identical to what users experienced before the NAC equipment was installed, he says.
Users logging in with their own laptops are diverted by the Nevis appliance to a portal, and their devices are scanned for
virus definitions, malware and spyware. The Nevis system does not require client software on devices seeking entry to the
network.
Users attempting to connect via any of the Wi-Fi access points across the district also must authenticate via user name and
password through the Nevis appliance. All of the district's 120 sites have at least one wireless access point, and Hobbs hopes
within two years to have 100% wireless coverage in those buildings and to accommodate any wireless device. "We'd like to let
the wireless network be wide open but let the network security layer take care of itself," he says.
Hobbs says that while Nevis hardware cost $17,500 for each appliance -- the district bought two -- the initial outlay to get
NAC up and running came to about $70,000. "Adding in a few bits of network gear we needed, plus software and three years' maintenance,
each appliance came to $35,000," he says. He also recognizes that NAC is new and that start-ups around today might not be
here tomorrow. Nevertheless, he has a philosophical bias in favor of vendors that sell their technology as appliances, including
Fortinet, Infoblox and Caymas.
"The advantage to this approach for us has been better manageability, cost effectiveness and the advantage of better input
into product development," Hobbs says. For that reason, he steered clear of Microsoft's NAP. "We simply believe that purpose-built
appliances offer greater advantages," he says. "With Cisco NAC, we simply do not want to get that deeply in bed with one vendor
for switching, NAC, etc." He says he expects the NAC market to consolidate, and he may be forced to deal with larger vendors,
but not because of any shortcomings with Nevis gear.
Comments (1)
When you need NAC now
By Anonymous on January 30, 2007, 9:17 pm
Mr. Greene, Thank you for taking the time to discuss with me the Upper Canada District School Board's groundbreaking implementation of the Nevis Networks solution...