“Despite a NAC system being in place, it is not trusted. There was a high degree of manual intervention to authorise systems onto the network.”
IT profile
The school uses Microsoft-based systems. End users connect via Wi-Fi and wired infrastructure to reach the school systems, which are managed through several non-integrated tools. Systems are managed in house using a variety of open-source tools and element managers. Students have guest access, though this is heavily controlled to prevent harm to such a young user base.
Project Drivers
The end of life of a key NAC system was the catalyst for evaluating a replacement. The core NAC requirement was to deny network access to non-approved devices. The solution needed to be agentless and must not require 802.1X or MAC pre-authorisation on the switches. The school was also looking at how to control “unauthorised” network usage, where students might obtain staff credentials to bypass the student controls. The bursar also wanted to take the opportunity to reduce the overall IT budget.
Evaluation and Proof of Concept (PoC)
Rebasoft was chosen for a PoC based on technical features, cost, and ease of deployment. The organisation also wanted to deliver quick results to meet project timeframes. The areas for evaluation were:
- Deliver NAC functionality, including port blocking and VLAN steering
- Auto-discover all assets, including hardware, OS, installed applications and enabled features, to identify non-authorised systems with full visibility and reduce manual effort
- Check systems against the security policy:
  - Is anti-malware installed?
  - Is disk encryption enabled?
  - Are secure settings enabled to prevent users installing software or Autorun programs from running?
- Deliver vulnerability scanning (not previously covered in house), which during the PoC revealed a number of potential issues
- Investigate replacement of the SolarWinds and Kiwicat tools used for monitoring and configuration backup
Challenges
The organisation had SolarWinds for monitoring and Bradford Networks for NAC. There was a degree of overlap between the systems and little visibility of compliance with the security policy. The network infrastructure was being updated, as it had been configured with a high degree of segmentation that made management difficult.
The other issue was that, alongside the school-owned devices (PCs and other systems), there were thousands of pupil-owned devices: iPhones, tablets, watches, Kindles and more. These devices were constantly attempting to reach non-allowed services using “stolen” credentials.
Rebasoft Approach
Rebasoft overcame the challenges as follows:
- Quick results: Rebasoft was deployed on a Hyper-V platform
- Network data was collected from the existing HPE network switching infrastructure, including configuration backups
- Endpoint data was collected with WMI to allow security compliance reporting
- Port blocking and VLAN steering were demonstrated
- Systems monitoring (switches and servers) was established, with email alerting and suppression of duplicate alerts
- A vulnerability scan revealed high-severity Wi-Fi issues
Little involvement was needed from the IT operations team, other than providing credentials and network access (firewall rules). Rebasoft did not need to install software agents on PCs.
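As an added illustration of the agentless approach described above (not Rebasoft's code), the following PowerShell script collects the three security-policy checks from the evaluation criteria over WMI/CIM from a remote Windows endpoint. It assumes the target is reachable over WinRM or DCOM with an account that has local administrator rights; the registry values used for the "secure settings" check (NoDriveTypeAutoRun and DisableUserInstalls) are this example's interpretation of that requirement.

```powershell
# Added example: agentless compliance snapshot of one Windows endpoint via WMI/CIM.
# Assumes WinRM/DCOM reachability and a local-admin account on the target.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [PSCredential] $Credential
)

$cimArgs = @{ ComputerName = $ComputerName }
if ($Credential) { $cimArgs.Credential = $Credential }
$session = New-CimSession @cimArgs

# Read a DWORD under HKLM using the StdRegProv WMI class (no remote PowerShell needed).
function Get-RemoteDword([string]$SubKey, [string]$Name) {
    $r = Invoke-CimMethod -CimSession $session -Namespace root/default -ClassName StdRegProv `
        -MethodName GetDWORDValue -Arguments @{
            hDefKey     = [uint32]2147483650   # HKEY_LOCAL_MACHINE
            sSubKeyName = $SubKey
            sValueName  = $Name }
    if ($r.ReturnValue -eq 0) { $r.uValue } else { $null }   # $null means value not set
}

# 1. Anti-malware: SecurityCenter2 lists registered AV products (client OS editions only).
#    The 0x1000 bit of productState is set when real-time protection is on.
$av = Get-CimInstance -CimSession $session -Namespace root/SecurityCenter2 `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$avEnabled = @($av | Where-Object { ($_.productState -band 0x1000) -ne 0 })

# 2. Disk encryption: BitLocker status of the OS volume. ProtectionStatus 1 = protection on.
$vols  = Get-CimInstance -CimSession $session `
           -Namespace root/CIMV2/Security/MicrosoftVolumeEncryption -ClassName Win32_EncryptableVolume
$osVol = $vols | Where-Object { $_.DriveLetter -eq 'C:' }

# 3. Lock-down settings: Autorun disabled for every drive type (0xFF) and
#    per-user MSI installs prohibited (DisableUserInstalls = 1).
$autorun  = Get-RemoteDword 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$userInst = Get-RemoteDword 'SOFTWARE\Policies\Microsoft\Windows\Installer' 'DisableUserInstalls'

# One row per host; pipe several hosts into Export-Csv for a compliance report.
[pscustomobject]@{
    Computer            = $ComputerName
    AntiMalwareActive   = ($avEnabled.Count -gt 0)
    AntiMalware         = ($avEnabled.displayName -join ', ')
    OsDriveEncrypted    = ($osVol.ProtectionStatus -eq 1)
    AutorunDisabled     = ($autorun -eq 0xFF)
    UserInstallsBlocked = ($userInst -eq 1)
}
Remove-CimSession $session
```

Any host that returns a false value in the last four columns is a candidate for the port-blocking or VLAN-steering action described above.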
Rebasoft Benefits
Rebasoft delivered and exceeded the stated needs:
- Network visibility & device search capability, down to device details on each port
- Improved perimeter security & detection of rogue network devices and shadow IT
- Vulnerability testing to improve internal security & reduce or avoid annual internal pen-testing fees
- Real-time asset database, with monitoring available for selected systems
- Automation & configuration collection to improve systems management & aid resilience
- Additional reports on breaches of access rules, avoiding the need to spend on log/SIEM tools
- Cost savings through the retirement of existing monitoring tools, with corresponding savings on maintenance fees