The school uses Microsoft-based systems. End users connect over Wi-Fi and wired infrastructure to reach the school systems, which are managed through several non-integrated systems. Systems are managed in house using a variety of open-source tools and element managers. Students have guest access, though this is heavily controlled to prevent harm to such a young user base.
The end of life of a key NAC system was the catalyst for evaluating a replacement. The core NAC feature required was to deny access to non-approved devices. The replacement needed to be agentless and to require neither 802.1X nor MAC pre-authorisation on the switches. The school also wanted to control "unauthorised" network usage, meaning cases where students obtain a staff member's credentials to bypass the student controls. The bursar also wanted to take the opportunity to save money on the overall IT budget.
Evaluation and Proof of Concept (PoC)
Rebasoft was chosen for a PoC based on technical features, cost, and ease of deployment. The organisation also wanted to deliver quick results to meet the project timeframe. The areas for evaluation were:
- Deliver NAC functionality including port blocking and VLAN steering
- Auto-discover all assets, including hardware, OS, installed applications and enabled features, to identify non-authorised systems with full visibility and reduce manual effort
- Check systems against security policy:
  - Is anti-malware installed?
  - Is disk encryption enabled?
  - Are secure settings enabled to prevent users from installing software or running AutoRun programs?
- Deliver vulnerability scanning (not previously covered in house), which during the PoC revealed a number of potential issues
- Investigate replacement of the SolarWinds and Kiwi CatTools tools used for monitoring and configuration backup
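The three security-policy checks listed above (anti-malware, disk encryption, secure settings) can be expressed as a host-level compliance report on the school's Windows estate. The script below is an added example, not part of the case study and not Rebasoft's own method; it assumes a Windows host with Microsoft Defender, the BitLocker PowerShell module, and an elevated session, and it reads the standard `NoDriveTypeAutoRun` and `DisableMSI` policy values as the "secure settings" the list refers to.

```powershell
# Added example (not from the case study or Rebasoft): report the three
# policy checks for the local Windows host. Run from an elevated session;
# Get-BitLockerVolume and Get-MpComputerStatus need the corresponding modules.

function Test-AntiMalware {
    # Pass only if Defender reports antivirus and real-time protection enabled.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            Check  = 'Anti-malware installed'
            Pass   = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
            Detail = "AV=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$($mp.AntivirusSignatureAge)"
        }
    } catch {
        # No Defender status means we cannot prove anti-malware is present: fail closed.
        [pscustomobject]@{ Check = 'Anti-malware installed'; Pass = $false; Detail = "Defender status unavailable: $($_.Exception.Message)" }
    }
}

function Test-DiskEncryption {
    # Pass only if the system drive is fully encrypted and protection is switched on.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        [pscustomobject]@{
            Check  = 'Disk encryption enabled'
            Pass   = [bool](($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted'))
            Detail = "Volume=$($vol.MountPoint) Status=$($vol.VolumeStatus) Protection=$($vol.ProtectionStatus)"
        }
    } catch {
        [pscustomobject]@{ Check = 'Disk encryption enabled'; Pass = $false; Detail = "BitLocker status unavailable: $($_.Exception.Message)" }
    }
}

function Test-SecureSettings {
    # NoDriveTypeAutoRun = 0xFF (255) disables AutoRun on every drive type.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun  = (Get-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # DisableMSI = 2 blocks Windows Installer for all users ("always disabled").
    $installer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $disableMsi = (Get-ItemProperty -Path $installer -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI

    $autorunOff   = ($null -ne $autorun) -and (($autorun -band 0xFF) -eq 0xFF)
    $installerOff = ($null -ne $disableMsi) -and ($disableMsi -eq 2)
    [pscustomobject]@{
        Check  = 'Secure settings (no AutoRun, no user installs)'
        Pass   = [bool]($autorunOff -and $installerOff)
        Detail = "NoDriveTypeAutoRun=$autorun DisableMSI=$disableMsi"
    }
}

function Get-PolicyComplianceReport {
    # Returns one row per check; a host is compliant only if every row passes.
    @(Test-AntiMalware; Test-DiskEncryption; Test-SecureSettings)
}

$report = Get-PolicyComplianceReport
$report | Format-Table -AutoSize
# Non-zero exit lets a scheduler or NAC integration treat the host as non-compliant.
if ($report.Pass -contains $false) { exit 1 } else { exit 0 }
```

Each check fails closed: if the status cannot be read (module missing, not elevated), the host is reported as non-compliant rather than silently passing, which is the behaviour wanted when the result feeds a port-blocking or VLAN-steering decision.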
The organisation had SolarWinds for monitoring and Bradford Networks for NAC. There was a degree of overlap between the systems and little visibility of compliance with security policy. The network infrastructure was being updated, as it had been configured with a high degree of segmentation that made management difficult.
The other issue was that, alongside the school-owned devices (PCs and other systems), there were thousands of pupil-owned devices: iPhones, tablets, watches, Kindles and more. These devices were constantly accessing the network to reach non-allowed services using "stolen" credentials.