When virus outbreaks and network downtime threatened customer data, Curtis Simonson faced a conundrum: How could he allow the necessary network access for customer and employee PCs and laptops without also subjecting his environment to disruptions? Simonson, senior technologist at the University of New Hampshire InterOperability Laboratory in Durham, N.H., says because his team provides commercial testing services to some 125 clients, protecting test data, minimizing the impact of virus outbreaks and ensuring network uptime is critical.
The labs are affiliated with the university, but are “100 per cent funded” by the commercial test services it performs for data and telecom companies, among others. That’s why he says keeping customer data secure and reducing downtime while testing became critical to the lab’s business.
“Because we are a test lab, our work has to remain confidential. We can’t put our network at risk or let our results out, so malware and spyware represent a big problem,” Simonson says. “We needed a way to ensure systems on our network didn’t get viruses, but if they did we needed a way to reduce the spread. We also wanted to be able to keep people we don’t want on the network from gaining access.”
Finding the right technology
Simonson realized quickly that network access control (NAC) technology could meet his criteria. The technology scans devices attempting to access the network for viruses and to ensure their security and other settings comply with the network’s predefined security and patch policies. Yet Simonson was not sure what type of NAC tool he would put in place — an integrated system or a stand-alone appliance.
“The biggest thing for us with NAC was trying to figure out what was easiest to deploy because we didn’t have a lot of manpower to put behind this project,” says Simonson, who spoke at the recent Network World (U.S.) IT Roadmap event held in Boston. “Also we needed to strongly consider price. Being a non-profit entity we needed a low-cost solution.”
Simonson says he went back and forth between deploying a broad NAC technology, for example from the likes of Cisco and Microsoft, and researching stand-alone appliances that would serve as a watchdog of sorts for machines attempting to access the network. Among the motivations for a stand-alone appliance were ease of install and low cost. In addition, Simonson liked the appeal of a single point of management for distributed devices and a variety of supported authentication databases. Stand-alone appliances also did not require Simonson to upgrade his current infrastructure or deploy client software across multiple machines.
The lab network consists of about 50 switches, 400 PCs or PC-like test systems, 30 servers and 10 printers. With 150 employees in the lab, Simonson says he wanted to better secure the network from virus outbreaks without requiring employees and guests such as customers to perform additional authentication or any more steps than a standard log-on would require. “We wanted single sign-on and to have our users log on through the Windows domain, without requiring an additional Web sign-on process,” Simonson explains.
Yet Simonson also had reservations about stand-alone NAC appliances. “We weren’t sure the model would be able to leverage all the capabilities of our current infrastructure,” he says. Stand-alone appliances also had the potential for less flexibility than a broad integrated system, he says.
In the end, his requirements and research on available products led him to Vernier Networks and its beta program. The vendor provided the stand-alone option Simonson thought better suited the UNH InterOperability Lab and also made it possible for the organization to get access to the technology at a low cost.
“Vernier supported Windows domain and included traffic controls, which meant the appliances could make decisions based on traffic,” Simonson says. Vernier also promised to perform network policy enforcement, authentication, endpoint validation and intrusion detection/prevention functions. “We didn’t have to change a lot on our network and we avoided costs by providing testing feedback to them.”
Deploying the technology — twice
After deciding to deploy stand-alone appliances from Vernier Networks, Simonson says his team ran into issues with routing.
The first rollout of Vernier’s Control Server and EdgeWall 8800 appliance didn’t work as planned because the UNH InterOperability Lab had a one-armed router scenario. A one-armed router routes traffic through virtual LAN (VLAN) segments, and with the Vernier appliances in their original position the NAC tools could only see upstream traffic, when they needed to see downstream traffic to effectively protect the network, Simonson says. “We put it in the wrong spot on the network to start, between our Netscreen firewall and a core Nortel 5520 routing switch,” he says. “Our VLANs terminate in the Netscreen firewall and the appliances needed to monitor different traffic. We moved it eventually.”
Now Simonson has the Vernier EdgeWall 8800 between the core routing switch and another Nortel 5510 aggregation routing switch. Vernier sniffs the traffic and Windows domain authentication systems decide if the machines can be trusted. EdgeWall appliances sit at the network edge behind switches and wireless access points. The appliances report data back to Vernier’s Control Server, which stores policies and integrates with customers’ existing authentication servers.
Vernier’s EdgeWall will query devices attempting to access the network to ensure they have the proper policies, configuration, software and patches applied before logging on. If the device doesn’t comply or meet security requirements, it can be denied access until a patch can be applied, for example. The idea is to prevent infection proactively rather than respond to threats after they’ve hit.
At the UNH InterOperability Lab, the product is running in a relatively passive mode, tracking traffic and access attempts and alerting lab IT staff to anomalies. Simonson says he has yet to put Vernier’s technology to work blocking access to unauthorized devices or placing potentially infected machines on a VLAN to prevent a virus outbreak.
About 75 PCs are behind the Vernier appliances, and Simonson says this number will fluctuate when more guests attempt to access the facility’s network. “We are using NAC in a more protective than enforcement manner. If Vernier sees a problem, it doesn’t block the packet, but alerts us to the user sessions or traffic issues,” Simonson says. “If a virus does get on our network, we can isolate it and stop it from spreading.”
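The admission logic the article describes, as an added illustration that is not Vernier's code or the lab's configuration: an endpoint's Windows-domain authentication and patch/antivirus posture are checked against a policy, and the same findings produce either an alert (the lab's current passive mode) or a deny/quarantine decision (enforcement mode). The patch identifiers, VLAN numbers and endpoint records are constructed sample values.

```python
"""Added example (not Vernier's code): a NAC admission decision in monitor vs. enforce mode."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical policy values; a real deployment would load these from the control server.
REQUIRED_PATCHES = {"KB-SAMPLE-1", "KB-SAMPLE-2"}
MAX_AV_SIGNATURE_AGE_DAYS = 3
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999   # remediation VLAN used only in enforce mode

@dataclass
class Endpoint:
    host: str
    domain_authenticated: bool      # result of the Windows domain logon
    installed_patches: Set[str]
    av_running: bool
    av_signature_age_days: int

@dataclass
class Decision:
    host: str
    action: str                     # "allow", "alert", "deny" or "quarantine"
    vlan: Optional[int]
    findings: List[str] = field(default_factory=list)

def posture_findings(ep: Endpoint) -> List[str]:
    """Compare the endpoint's reported state with the patch and antivirus policy."""
    findings = []
    missing = REQUIRED_PATCHES - ep.installed_patches
    if missing:
        findings.append("missing patches: " + ", ".join(sorted(missing)))
    if not ep.av_running:
        findings.append("antivirus not running")
    elif ep.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append("antivirus signatures %d days old" % ep.av_signature_age_days)
    return findings

def admit(ep: Endpoint, mode: str) -> Decision:
    """mode is 'monitor' (alert only, traffic still flows) or 'enforce' (deny/quarantine)."""
    findings = posture_findings(ep)
    if not ep.domain_authenticated:
        findings.insert(0, "no Windows domain authentication")
    if not findings:
        return Decision(ep.host, "allow", PRODUCTION_VLAN)
    if mode == "monitor":
        # Passive mode: nothing is blocked; staff are alerted to the session.
        return Decision(ep.host, "alert", PRODUCTION_VLAN, findings)
    if not ep.domain_authenticated:
        return Decision(ep.host, "deny", None, findings)
    # Enforce mode: authenticated but non-compliant hosts go to the remediation VLAN.
    return Decision(ep.host, "quarantine", QUARANTINE_VLAN, findings)
```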