Network Access Control Overview
What is Network Access Control?
A customer’s computer has always had to meet certain minimum requirements to connect to the UNC Campus Network, including having anti-virus software installed, running and up-to-date. It must also have specific operating system updates installed to prevent the computer from being compromised. In the past, this policy was enforced using a combination of a customer honor system and technology (Tipping Points) that identified and blocked “bad” internet traffic to prevent infections from spreading across the network. As our network evolves, we have to modify this approach to continue to protect all users.
In order to increase the speed of our network (10x), we had to remove the Tipping Points from most of campus, which could make us susceptible to security risks. As a result, we implemented a new security service called NAC in specific regions of campus.
Network Access Control (NAC) is a proactive, end-user networking solution for wired and Wi-Fi connections that allows us to identify potential problems on a computer before it accesses the web. The system can educate the customer about any potential vulnerability and then provide them a link or resource to resolve it on their own. This solution is highly customizable and will be set up in the best interest of all campus network users.
Malware (e.g. spyware, viruses, worms) exists that can automatically disable services like anti-virus software. Many times the customer has no idea this has happened. This service will help alert the customer that this problem has occurred and provide them with a solution.
If a computer is connected to a NAC-enabled region of our network via wired or Wi-Fi, then the NAC Assessment server will attempt to communicate with the device (e.g. computer). It checks the device to see if the NAC agent is installed. After a few minutes, if it does not find the NAC agent, it will then redirect any web-based (HTTP) traffic to a specific website. This site will walk the customer through the NAC agent installation steps. Finally, the customer will initiate another scan and if the server can communicate with the agent, then the customer can continue browsing the web with no problem.
Next, if the NAC agent identifies a security issue or problem, as explained in the next section, it will then provide the customer with information on how to resolve it. As long as their computer meets the requirements, they will never know that the NAC agent is running.
During the installation of this service or if a device is found to have a vulnerability, the only impact on the customer is that they cannot browse the web. If they use internet connected applications like Outlook, Thunderbird, Instant Messaging, etc., those programs will continue to function as normal.
Currently, this software is designed to work for computers running Microsoft Windows or Apple OS X. We are specifically exempting Linux-based computers, which is a small minority of campus, and will address those in the future.
ITS Security and the UNC Legal department have approved the use of NAC to scan devices connected to our network for the following conditions:
- Does the computer have anti-virus software installed, running and up-to-date?
- Does the computer have a firewall installed and enabled?
- Is the computer configured to automatically install system updates OR was the last time it was updated more than 30 days ago?
- Other specific security concerns, such as zero-day virus outbreaks. For example, we may know how to identify the presence of a specific virus before Symantec is able to detect it. To minimize the risk to the University, we will scan for these specific issues as requested by the ITS-Security and/or OIS Security groups.
All CCI machines are configured to meet all of these requirements by default. If a computer fails any of these conditions, meaning the answer is “No” to the questions above, nothing will happen to the customer’s computer. They will be able to browse with no problem, but they will be notified via a pop-up message with a link that will help resolve the issue.
If the issue is not resolved within a 2-week period, those computers may be removed from the network until they are in compliance. Currently, this is a manual process, but it will be automated in the future.
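The decision flow described above (bypass, agent check, posture checks, pop-up, 2-week window) can be sketched as follows. This is an added example, not code from the NAC product or from ITS; the field names and action labels are hypothetical, and it assumes the update check passes when automatic updates are enabled or the last update was within 30 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BYPASS_OS = {"linux"}                 # the page exempts Linux for now
UPDATE_MAX_AGE = timedelta(days=30)   # "more than 30 days ago"
GRACE = timedelta(weeks=2)            # "within a 2-week period"

@dataclass
class Device:                         # hypothetical posture report
    os: str
    whitelisted: bool = False         # e.g. scientific equipment
    agent_present: bool = False
    av_ok: bool = False               # installed, running and up-to-date
    firewall_on: bool = False
    auto_update: bool = False
    last_update: Optional[date] = None
    first_failed: Optional[date] = None  # when a failure was first reported

def failed_checks(d: Device, today: date) -> list:
    """Return the names of the posture checks the device fails."""
    fails = []
    if not d.av_ok:
        fails.append("antivirus")
    if not d.firewall_on:
        fails.append("firewall")
    recent = d.last_update is not None and today - d.last_update <= UPDATE_MAX_AGE
    if not (d.auto_update or recent):
        fails.append("updates")
    return fails

def decide(d: Device, today: date):
    """Return (action, failed_checks) for one connected device."""
    if d.whitelisted or d.os.lower() in BYPASS_OS:
        return "bypass", []
    if not d.agent_present:
        # Only web (HTTP) traffic is redirected; mail, IM etc. keep working.
        return "redirect_http_to_agent_install", []
    fails = failed_checks(d, today)
    if not fails:
        return "allow_silent", []
    if d.first_failed and today - d.first_failed > GRACE:
        return "flag_for_manual_removal", fails
    return "allow_with_popup", fails
```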
This service is designed to allow specific types of devices or operating systems to simply bypass the service. So if your operating system is not listed (e.g. Ubuntu), then you can simply ignore this service for now. Depending on your operating system, your Network Access Control setup may be slightly different. Please select your operating system below:
- Microsoft Windows
- Apple OS X (documentation coming soon — for now please refer to the Microsoft Windows information above)
- Linux – (NAC is currently disabled for the Linux OS. If you have a Linux-based OS that is receiving the NAC website, simply provide us with your MAC address and we can resolve the issue within 24 hours. This includes customers with dual-booted machines.)
We automatically “whitelist” devices that should be exempt from the NAC service, e.g. scientific equipment. To request an exemption, please Submit a Web Request and enter the details of the device.
How do I get support?
The process for installation should be very fast and user-friendly. If, however, you still need help, contact your departmental support team or use one of the following methods:
- Submit a Web Request
- Call 919-962-HELP
- Visit our walk-in area in 65 MacNider
- What will happen if I use Linux?
If you are running any operating system other than Windows or Apple operating systems, you should not be impacted. The NAC system should ignore the machine and therefore not block access to the network. If you are blocked from the network, you can contact either firstname.lastname@example.org or 962-HELP and ask to be whitelisted, which will allow you back on the network.
- What if I do not use the campus Symantec Anti-Virus?
The NAC System uses the operating system to confirm the presence of an anti-virus tool. If it recognizes the anti-virus tool, then it will report to the NAC System that it is running on the machine.
- Do I have to comply with these requirements?
Yes, ports on the School of Medicine network require that any device that connects to the SOM Network meet the minimum NAC requirements.
- Do I have to install this agent on my personal machine?
No, you only have to install the agent on the device if you plan on connecting it to the School of Medicine network. The NAC System has been put in place to enhance the level of security on the network, and therefore it does not matter if the device is personal or university property.