Queens College reveals its approach to network security.
GUEST COLUMN | by Morris Altman
With a faculty and staff of 5,000 and a student population of nearly 20,000, we at Queens College, a senior college of the City University of New York, needed a way to see and manage corporate assets and every personal and corporate device connecting to our network. In recent years our network became overloaded, not only with a large number of college-owned devices but also with the powerful surge of the bring your own device (BYOD) trend. We therefore decided to search for a network access control (NAC) solution that would help us better manage corporate assets and monitor our network with complete visibility and control.
Before our NAC deployment, we really didn’t have an effective way to accurately estimate the number of devices connecting to our networks, such as desktops and laptops. Having the ability to identify and classify these endpoints was a critical goal in improving our school’s network security. Even more importantly, we had a dire need to securely manage personal and mobile devices campus-wide that were accessing our computing resources.
In the early 2000s, our IT team turned to ForeScout CounterACT, a next-generation NAC solution, to help protect against the onslaught of advanced persistent threats (APTs) and propagating worms. At the time, these worms would infect hundreds of computers, often bringing our entire network to a crawl.
However, once we deployed this solution, we were able to identify and isolate infected machines, and their number dropped immediately from hundreds to only a handful. Users with infected machines were automatically notified about the problem and instructed to call our help desk, and we were then able to resolve the issues in less than a day with minimal impact on our students, faculty or staff.
Because we had such positive experiences throughout the initial implementation, we expanded our solution to provide visibility into all devices accessing our network, improve asset management and continuously monitor and mitigate threats and security exposures. On top of this, we’re realizing the benefits of flexible policy management and enforcement, improved network uptime, and help desk savings through the adoption of automated processes and strong security software interoperability.
Since the NAC implementation, we have achieved unmatched real-time visibility. Our networking team can see, for example, what versions of software and operating systems users are running on their devices. Specifically, we’ve even been able to identify that we have about 6,000 wireless and 5,000 wired endpoints at any given time. Having this visibility also offers us insights for enterprise asset management. For instance, I work closely with the asset management team lead to notify them of missing plug-ins for managing devices.
This solution has provided us with network control capabilities to block unauthorized and noncompliant users. We use the appliance to enforce policies, such as resolving take-down notices for copyrighted music and movies downloaded through peer-to-peer software. Such downloading is in direct violation of the Digital Millennium Copyright Act, so this policy helps us remain compliant.
We can also block unauthorized applications from running on the network and allow the IT teams to notify users when their machines are lacking up-to-date software. This indirectly assists with Family Educational Rights and Privacy Act (FERPA) compliance — by keeping all endpoints up-to-date, we reduce the risk of information disclosure.
The appliance's automated approach has also saved us IT time. With it, the help desk now knows about issues, often before the user does, and calls the user first to solve the issue quickly and conveniently.
Another major benefit we’ve realized since our NAC deployment is significantly improved network uptime. Prior to implementing the solution, we had security incident-related network outages that could last a day or more, two or three times per year. We now have almost 100 percent uptime.
More recently, we’ve leveraged ForeScout’s ControlFabric technology to integrate CounterACT with FireEye, which allows us to easily identify and quarantine advanced persistent threats (APTs). Being vigilant with updating signatures and reputation lists, or monitoring for network anomalies, is no longer good enough. With FireEye and ForeScout, we know the details, security posture and activity of all devices on our network, and we can automatically isolate violations, malware and affected systems before anything gets out of hand.
Overall, we’ve gained immense technical benefits that have led to our long-time customer standing and positive experience with the organization. It is one of the most customer-centric companies we have worked with, and its technology has vastly improved both our security posture and our ability to accommodate the college’s ever-changing mobile and BYOD-driven environment.
Morris Altman is the Director of Network Services and Internet Security Officer for Queens College in New York. Visit: http://www.qc.cuny.edu/