News Release

Baylor College of Medicine Implements Network Remedy: Cisco Network Admission Control with Device Profiling

Cisco NAC Enhances Network Security and Visibility, Eliminates Labor-Intensive Maintenance for IT
Oct 30, 2007

HOUSTON, TX - October 30, 2007 - Cisco® announced today that Baylor College of Medicine, an internationally respected medical and research institution known for excellence in education, research and patient care, has strengthened its control of network security by deploying Cisco Network Admission Control (NAC). As one of the early adopters of NAC, Baylor College of Medicine has been able to increase the visibility of all the devices on its network, identify legitimate users on the network, and enforce requirements that minimize security vulnerabilities.

Serving a facility that sprawls across 700 acres and 16 buildings, the college's information technology department faced two challenges: identifying and monitoring an array of devices that sought access to the network and enforcing specific security policies so that only "clean and healthy" machines were granted access.

"With literally thousands of students, faculty, and affiliated staff from our teaching hospitals all accessing our network, we decided that making an early investment in NAC was the most secure, future-proof way to protect our IT infrastructure and the users who depend on it," said Eric Johnson, IT project manager at Baylor College of Medicine.

Deployment Flexibility

The Baylor College of Medicine team, in conjunction with Troubadour Ltd., a Cisco Global Security Partner of the Year, chose Cisco's NAC solution based in part on its deployment flexibility. Johnson and Troubadour chose two methodologies for deploying NAC, both of which could be managed through one management interface: Layer 3, out-of-band for the 30,000 ports on the wired portion of the network, and in-band for the wireless and virtual private network portions. Combining the capabilities of Cisco NAC with those of the Cisco NAC Profiler, the team rapidly identifies and locates any new devices accessing the ports.

Because of Cisco NAC's advanced roles-based access permissions and virtual LAN capabilities, Baylor College of Medicine also achieved a low-impact, measured rollout by turning on NAC capabilities floor by floor, building by building, independent of whether users worked in a specific location or preferred to move between floors.

Johnson said one of the largest hurdles for implementing a technology like NAC is minimizing the impact on users. Cisco NAC offers three modes of assessing a device's posture: silent, optional, and mandatory. Using the silent, or audit, mode, the team was able to gauge the impact of turning on a "full NAC with enforcement" system without disrupting user experience and productivity.

"This helps greatly with making sure the rollout was as painless as possible," Johnson said. "Knowing where the problems were in advance of turning on the system helps us better explain the scope of the project and engage each department administrator to help communicate the changes. It gives the administrators a stake in the success of the project."

Expanding NAC Services

A crucial element of the implementation at Baylor College of Medicine was the use of profiling services, offered by the Cisco NAC Profiler as an enhancement to the Cisco NAC solution. According to Jay Kirby, chief sales officer of Troubadour, the added visibility enhances the effectiveness of Cisco NAC.

"A very important part of testing and designing NAC in any network is making sure that the changes that it causes are compatible across the board," said Jay Kirby, chief sales officer of Troubadour. "Having an accurate roadmap of every port's configuration on the customer's network is one of the key predecessors to a successful NAC Appliance deployment. A contextual, real-time inventory of every device, including non-Windows, non-authenticating devices such as printers, IP phones and medical imaging devices, is a vital tool we need to manage our customers' network security deployment for initial discovery prior to a NAC installation."

With the Cisco NAC Profiler, Johnson was able to instantly find any IP or Media Access Control (MAC) address on the network from a switch or port location. "What once took us 20 minutes per device now takes about 20 seconds," he said. In addition, the Cisco NAC Profiler was able to continuously monitor the behavior of various devices to ensure that their MAC addresses had not been spoofed.

"As the market leader, Cisco is continuing to innovate with NAC beyond simply authentication and assessing the posture of a device," said Nick Chong, director of product management for the Cisco NAC Appliance. "We need to address the 'whole network' by augmenting authentication and posture assessment with services such as profiling for non-PC devices, simplified guest provisioning and access, and governance to capture all the corner and edge cases that must be solved for NAC to be effective."