Making Students Safe, Sound with NAC

Case Study: Bradford Networks' Campus Manager network access control system makes the grade at SMU.

Like many academic institutions, Southern Methodist University in Dallas had dabbled in open-source software. After all, as at most schools, IT dollars and resources were stretched tight at SMU, so the price was right.

For years, SMU had been using the NetReg open-source network registration system to verify user identities on its student residence network. The functionality was basic—but, hey, it was free.

But three years ago, the Mydoom virus hit the campus just as students were returning to school in August, and network engineer George Finney knew it was time to put some money where his mouth was.

"The [student residence network] was hit fairly hard. Students were able to infect each other," said Finney.

Besides viruses, worms and spyware, students are particularly vulnerable to the attractions of illegal music downloads and bandwidth-hogging multiplayer online games, among other enticements. Though NetReg handled basic network registration well, it did not have advanced features to protect against these threats. Finney said he needed software that would enable robust identity management, endpoint compliance and usage-policy enforcement.

Finney's first move was to install an intrusion detection appliance—Juniper Networks IDP. That immediately blocked viruses, the most pressing security challenge facing the dorm network (which is separate from the university network). He also bought Packeteer's PacketShaper application management appliance. Finney said this enabled him to limit network bandwidth per user and per port, sharply reducing the amount of illegal file-sharing activity.

"We grouped all the illegitimate file-sharing programs, and we limited them to 10K bps. That still lets it go on, but its so painfully slow they are forced to do other things," said Finney.

In March 2005, SMU purchased all new network equipment for its 2,000-user student residence network, installing Cisco Systems and Hewlett-Packard switches, Nortel Networks routers, and Aruba Networks wireless access points. To Finney, that was a natural time to replace NetReg as well. In addition to advanced features, "we needed vendor support," he said.

The network upgrade had eaten up so much time, Finney said he had to move quickly when choosing a NAC (network access control) product and vendor.

"We spent so much time doing switch and router evaluations that we didnt have time to sit down and look at all the different vendors in this space," Finney said.

Finney said that he regularly cruised online communities for university IT people, and in one of those he heard about Campus Manager, a NAC network appliance from Bradford Networks, of Concord, N.H.

There were several things that Finney said he liked about Campus Manager. For one thing, Campus Manager works in tandem with hardware from a host of network vendors, including HP, Cisco and Nortel.

It also supports a variety of anti-spyware and anti-virus software, important in case some students were attached to packages other than McAfee, the university standard. The university's IT team could add it without taking the network down. Campus Manager works with a mix of operating systems, including Windows, Apple Computer's Mac OS X and Linux, another practical consideration.

Campus Manager is an out-of-band solution, which means that it can be integrated into an existing network. This is especially important in the perennially cash-strapped university environment, according to Jerry Skurla, vice president of marketing at Bradford.

"It can be added into a well-functioning, high-performance network without having to rip things out and switch the network design," said Skurla. "Most universities have multivendor networks. We work with a broad range of infrastructure equipment. Universities like that. They dont want to change the network; they just want to secure it."

Finney decided in May 2005 to buy Campus Manager, which included a management server and a separate server for scanning and registration. He asked for Bradford personnel to come on-site for a week to help with the installation, which took place once the students cleared out of the dorms for the summer.

Bradford was working with systems integrators, but Finney also felt strongly that he wanted representatives direct from the vendor since they would arguably have a deeper understanding of the system. He also had Bradford trainers come on-site to train the SMU help desk.

Finney explained that he decided to split the Campus Manager implementation into two parts: First would be the basic identity management piece in the summer of 2005, with the compliance scanning to come in the summer of 2006.

The first Campus Manager installation featured one significant glitch. Finney and his team had to figure out how to connect Campus Manager with the private student dorm network as well as the university's general public network.

"We didnt have enough interfaces in the standard Bradford server to accommodate all the different connections we needed to make," Finney said. A week or two of back and forth between the Bradford account executive and Finney was all it took to straighten out the snafu. "It wasnt a big deal," he said.

One of the biggest tasks was preparing the student documentation that would explain the NAC software and procedures. Students arriving in the fall would register their laptops, desktops and any other devices on Campus Manager, a process that went smoothly for most of the student population.

This summer, SMU took the next step and implemented once-per-semester scans for up-to-date anti-virus and anti-spyware definitions. By the time the athletes arrived—always the first to come on campus at the end of the summer—the number of entries in the Juniper IDP log was already reduced by 90 percent.

"We had fewer entries in the IDP log when 1,000 students came on campus than [we did] when there were 50 people on campus in the summer [whose computers werent] being scanned," said Finney.

And Finney was surprised that his team had all 2,000 students registered and successfully accessing the Internet in just two weeks, as opposed to the four to six weeks that it had taken in years past. As SMU has a sitewide license for McAfee, Finney said he had been concerned there would be problems uninstalling it with the few students who might insist on using Symantec's Norton AntiVirus or another product. He needn't have worried. "That wasn't a big issue, either," Finney said. "There were less than 10 users we had to help."

Finney said he feels much more secure now that SMU's residential network is protected by strong NAC, thanks to Campus Manager. He said he may expand the client endpoint scanning to once or twice per week at some point, but, for now, that doesn't seem necessary.

"Were talking about doing weekly scanning now, just to be extra safe. It has just been so easy," Finney said.

Lauren Gibbons Paul is a freelance writer in Waban, Mass. Contact her at

Case File: Southern Methodist University, Dallas

  • Organizational snapshot: A private liberal arts university with total enrollment of approximately 11,000; its on-campus students number 2,500
  • Business need: Stopping illegal software downloads, controlling gaming devices, locating stolen computers, identifying rogue servers and securing wireless access
  • Technology partner: SMU secured its student dorm networks with Bradford Networks' Bradford Campus Manager, a NAC solution that identifies users and verifies PC configuration compliance before granting network access
  • Solution: Bradford Campus Manager continuously enforces security policies and records historical data to document network access and activity and generate reports for security threat
