Deploying Identity-Based Access Control

Enterprise Networks & Servers, Jun 2004 by Welcher, Peter J

The policy issue arises with colleges because of hesitancy, either on cost or support. Both can be complex issues.

Regarding cost: it costs money to upgrade Windows, or to buy the Funk or Meetinghouse driver. I've got two kids in college, so I understand how sensitive parents are about cost. Colleges are very hesitant to dictate more cost for their students. Part of that goes with being an open environment. Part of it may also relate to staying competitive.

Operating system upgrades may not be feasible, since they may require the cost of a new PC. That's a show-stopper for many families. Concerning purchasing drivers for older Windows variants, one could argue that $40 per student is cheap compared to the support costs of worm containment. That's where policy becomes a problem. Some colleges feel they cannot afford to support the wide variety of desktops or the sheer number of PCs their students have. And installing drivers, or requiring installation of drivers, means you own any support problems the student subsequently encounters. So do you provide "legacy support"? Is a component of it lesser connectivity, as an incentive for students to opt for the buy-and-install-drivers solution?

One counter-argument is that students who get viruses do impose very real costs on the college. If they get a worm that generates traffic, it may adversely affect other users or even knock out the network.

Colleges often try to provide anti-viral software to their students, who then ignore it, don't install it, turn it off, etc. The necessary teeth might then be access control (NAC? Web-based?), or it might be a hefty fine if your PC gets infected and starts trashing the network. I personally think stringent standards up front ("You must have one of the following anti-viral products installed"), with a fee for non-compliance, may be where we all end up. But even there, how does one induce the unwilling to periodically update their virus signatures and refrain from turning the protection off? That's where NAC will be of intense interest to colleges.

This is also why 802.1x is arising in college environments right now. Student PCs are a very scary unknown, not under any anti-viral control. So it is highly desirable to identify student machines and isolate them (quarantine them?) in student VLANs, then run traffic from those VLANs through firewalls or IDSes. That at least addresses damage containment now.

Having a focal IDS allows identification and treatment of infected PCs. Down the road, NAC may provide more enforcement without major labor burden. At that point, maybe student PCs become trusted again, and the policy split becomes "NAC-approved" versus "guest and non-NAC-approved PCs."

To sum that up, what's messy with clients right now is figuring out what is technically feasible and what the policy ought to be. The interaction with the culture and expectations of the surrounding environment makes this particularly sensitive for colleges.

In a few years, most people will be running OS variants that support 802.1x. No doubt we'll all have some other hot issue then. In the meantime, we do have the challenge of transition and "legacy support." Either users have to have the OS upgraded, have to have supplicants installed, or there has to be some way to support legacy non-802.1x devices. The latter is another potential article. I've got two techniques that you may find useful, ones that work right now. Which to use depends on your policy and needs.
