New York -- The "Bring Your Own Device" trend can cause a lot of disruption, but not at New York Law School, the downtown Manhattan college where students, faculty and visitors have always been allowed to use any mobile device they want on the wireless network. But that doesn't mean anything goes.
"It a BYOD world," says Peter Trimarchi, the technical director at New York Law School (NYLS), whose job includes making sure all those BYOD smartphones, tablets and laptops are truly authorized to use the campus wireless network and that they don't bring in computer viruses.
Trimarchi says he's learned over the years that it's much simpler to do all this without having to install agent software. And on the main campus, which houses a bright and modern building where students in libraries pore over thick legal volumes, BYOD security is enforced primarily through a ForeScout Technologies hardware appliance called CounterACT that can tackle network access control in an agentless fashion.
[GARTNER:Containerization is no BYOD panacea]
Housed in the law school's humming data center that you reach four stories deep via elevator, the small rack-mounted CounterACT appliance has been given a big job: Monitor the network and ensure each mobile device has been properly registered for authorization of the network according to user group. Visitors get a daily code that would get them on, but students at registration go through a machine Service Set Identifier (SSID) process and their authentication information is tied to Active Directory and CounterACT.
Today, about 3,700 devices that students bring with them (Apple devices predominate) gain access to the network this way through CounterACT, which also watches to see if they might be bringing in malware. "If there's a threat, we get an alert," says Trimarchi, adding that when there's a virus outbreak, most of the time students simply don't know at all what's happening.
Malware-infected devices are blocked and the user is informed why via e-mail. The school makes Symantec anti-malware technology available at the touch of a button to an infected device. Staff and faculty devices use a VPN for access as well. For some Windows-based machines that are owned by the school, a small 100KB software agent from CounterACT will be used to exert greater controls. Students aren't allowed to do some things on the NYLS network, such as use P2P file-sharing applications. This is a common restriction at universities because it might lead to copyright violations related to content, and P2P tends to do a lot of evasive jumping around, hogging bandwidth. CounterACT blocks P2P.
CounterACT is also set up at NYLS to share some detail via e-mail about device problems with the school's helpdesk so if a student calls to ask what's happening, the helpdesk will have information ready. CounterACT takes on other jobs, too, such as helping Windows Services Update Services provide patch updates to Windows machines.
Today, ForeScout's CounterACT is focused on being an enterprise network access control (NAC) system, and one question is how it might expand that role into cloud-based services. ForeScout says it's working on technologies such as a virtual appliance that would extend its NAC functionality into the cloud, with details about that likely to be revealed early next year.
Trimarchi says cloud-based services are of growing importance, and NYLS today in fact use Microsoft Office 365 for student e-mail. NYLS is also taking a look at whether to use mobile-device management (MDM) software for the relatively small number of smartphones and tablets that don't fall into the BYOD category, such as those issued to school executives.
MDM would address the need for tracking and "bricking" any lost devices that are corporate-owned. If New York Law School pursues an MDM path, ForeScout CounterACT will probably still be part of it all because plug-ins for CounterACT support several MDM software packages.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org
Read more about anti-malware in Network World's Anti-malware section.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.