BYOD made secure with Network Access Control

The Hamilton Southeastern School District, located in Fishers, Indiana, has always striven to prepare its students for a successful post-secondary education and to excel within a quickly evolving modern workforce. With those goals in mind, the district focuses on instilling in each student what it calls "the five C's": critical thinking, creativity, collaboration, communication, and cultural competency. The district aims to integrate technology and to take a more project-based approach to education, so that the learning experience will match the experiences its students will face in college and the workplace.

However, with technology changing so quickly - just look at the rapid adoption of tablet computers in the past two years - there's little chance any school district can accurately predict what the prevailing technologies may be in the years ahead, let alone afford to acquire devices for each student. The answer for the Hamilton Southeastern School District was similar to that of most school districts around the nation, as well as businesses for that matter: let individuals bring their own devices (BYOD) to school.

BYOD required a new IT security paradigm

The BYOD trend, whether at a public school or a Fortune 500 enterprise, isn't without risks. Mobile malware is on the rise. And when organizations give up control over what endpoints are allowed to connect to the network, they lose a great deal of control over how those devices are managed and secured.

"While users bringing their own devices help make everyone happy and hopefully productive, and also help to preserve the district's budget, we needed a way that we could ensure that our students and faculty were not introducing malware from their personal devices onto our network," says Walter Morales, chief technology officer at Hamilton Southeastern School District. "We believed that network access control would provide the best defense."

Network Access Control (NAC) enables organizations to vet the security posture of devices before they can connect to the network and control access to network resources.

Serge Melki, president of Indianapolis, Indiana-based IT solution provider Melsernet, agreed. "Network Access Control is ideal when it comes to maintaining the level of security an organization needs for devices they own and manage, as well as devices users bring on their own," Melki says.

The only NAC technology that met both Melki's and Morales' strict criteria was Safe NAC, made possible by a joint effort by Alcatel-Lucent and InfoExpress. The security capabilities of Safe NAC protect the public school division's distributed network and help its more than 20 schools offer staff and students secure access to the instructional tools and resources they need. In addition, Safe NAC's unique visibility features give Melki's team a complete picture of who and what is connecting to the network.

In-Depth, Safe Network Access Control

Safe NAC is an integrated NAC solution, designed for multi-vendor networks equipped with a variety of managed and unmanaged endpoints. It provides guest access, host integrity checks, and role-based access control to help organizations ensure compliance.

Safe NAC reduces costs by automating operational processes and minimizing the need for IT operator intervention during authentication. It also simplifies troubleshooting and reduces help desk costs, which lowers operational overhead and proactively ensures the health of the network.

Safe NAC is composed of the InfoExpress CyberGatekeeper Policy Server, CyberGatekeeper Policy Management and Reporting Server, and CyberGatekeeper agents. It is integrated with Alcatel-Lucent products including the OmniSwitch platforms (AOS 6.3.4 and newer), the OmniVista Access Guardian and Quarantine Manager, the VitalQIP and OmniAccess wireless platforms.

With Safe NAC, CyberGatekeeper's tight integration with Alcatel-Lucent enables enterprises to make certain that endpoint devices are verified to be compliant and healthy when connecting to the network. Only those endpoint devices that are compliant with enterprise security policies are allowed access to the network. As long as an endpoint is connected to the network, CyberGatekeeper provides continuous security surveillance. Those endpoint devices that fail the host integrity check are redirected and placed into quarantine for quick remediation before being granted access.

"The deployment went very smoothly," says Morales. "The support and help from both InfoExpress and Melsernet were second-to-none. Whenever we had a question, InfoExpress made its support team and engineers readily available to us."

For the first phase of the deployment, the district tested Safe NAC on a number of desktops, where it began enforcing the requirement that updated anti-virus definitions be in place before a device is admitted to the network. "That went very well," explains Morales. "Within a few weeks, we deployed Safe NAC out to the rest of the network, as well as student devices."

Should a student's or faculty member's system try to connect in a noncompliant state, it is guided to a web page containing instructions on how to bring the system up to the expectations set by the district's security policy. Once that is done, network access is granted immediately.

Building on that success, in the upcoming months the district plans to extend its Safe NAC deployment to its remaining high schools. "Without Safe NAC, we probably wouldn't have been able to allow students to bring the devices of their choice onto the school's network. Fortunately, thanks to Safe NAC, that's not a situation we have to face," says Morales.