In-Depth

Case in Point: Protecting the Network Edge

Japanese university finds easy way to control network access

• By Mathew Schwartz
• 08/13/2003

“We had already established e-mail IDs and passwords for students, so we wanted to be able to use the same IDs and passwords for network access to avoid making students learn new ones,” says Koichi Yamauchi, the university’s Director of the Office of Academic Affairs Department of IT Education.

The university examined various offerings, eventually settling on Top Layer Networks new ASIC-based access control security switches, dubbed Secure Controller, which protect wired and wireless networks.

“When we looked at what each vendor was offering, most of them required assigning unique user names and passwords, but they also required a lot of complicated work to manage each of these details and for importing and linking pre-existing user IDs. Top Layer Networks had the only products that let us use existing IDs and passwords under a unified user management scheme,” says Yamauchi.

The Secure Controller switches address “the unsecured access edge,” notes Mike Paquette, vice president of marketing and product management for Top Layer. While organizations secure their networks from the gateway on in, as well as dial-up lines, organizations don’t typically secure two other critical areas: the always-on Ethernet ports in the walls of classrooms or conference rooms, and wireless networks, say on campuses and in hospitals. In other words, organizations often don’t lock down the connections that are easiest to access, hence easiest for attackers to exploit.

Top Layer has two Secure Core Controllers, one for 2,000 people, the other for 4,000. Simply rolling out controllers can get expensive in large environments, however, so the company also has two Secure Edge Controllers; one for 150 people, one for 512. The Secure Core Controllers can handle up to a gigabit per second of throughput, says Paquette. The Edge Controllers sacrifice some of that speed for cost savings.

The products use Dynamic Host Configuration Protocol (DHCP) to automate the client computer’s TCP/IP configuration. In addition, the client doesn’t need any software to authenticate beyond a Web browser. To log in to the network, the user enters username and password information into a browser window, then gets access per his or her existing user rights, via the Authentication Server, a needed Web server that handles access requests. The server can tie access relevant information from a range of authentication directories—RADIUS, LDAP, NTLM, and Active Directory.

Network administrators can also give guests access through a “guest password of the day,” notes Paquette.

For Matsuyama, the combination of new access controllers and logging better secures the network and gives them a way to “centrally manage information about the when, the who, the where, and the how of access to our campus network,” says Yamauchi.