International School of Beijing Embraces Secure BYOD for its Students

This prestigious institution needed to find a way to ensure only authorized devices could gain access to its network and systems.

“Safe NAC addressed our needs, and had the advantage of integration with our Alcatel-Lucent OmniSwitch and with our Alcatel-Lucent WLAN controller. We were not disappointed. With Safe NAC, the policies are enforced as anticipated.”

- Russell Layton, ICT Director at International School of Beijing.

In the early 1970s – when relations were reestablished between China and the United States – a tiny foreign school was established in Beijing with the support of the United States Liaison Office in Beijing, a precursor to the U.S. Embassy in China. Today, this school is known as the International School of Beijing (ISB), and it’s recognized as a world leader in international education. Over its 30+-year history, ISB has expanded to include students from more than 50 countries. Building on a foundation of academic excellence, ISB works in partnership with parents to ignite passions for learning and to help all students to reach their full and unique potential.

As an independent, private English-language day school, ISB offers an international curriculum for foreign expatriate children in China from pre-kindergarten (age three) through Grade 12, in three divisions: elementary school, middle school, and high school. Understanding that fluency in technology is vital to 21st-century learning, the school takes a strategic approach to IT for its 300 staff members and 1900-plus students. Beginning in 2008, ISB undertook to convert the entire school to the use of laptop computers. The shift was of necessity gradual, as desktop computers and computer classrooms gave way to the use of shared laptops. The latest phase of this change, taking place over the past two years, was the allocation of individual laptops for every student in grades 2-12 and all staff.

Managing mobile device security
Worldwide, K-12 education has undergone a dramatic transformation in methodology and philosophy over the past three decades. Much of this change is tied to the continuous development of educational technology. Today at ISB, students commonly bring high-powered personal computers, tablets, smartphones, and media devices to school. Because these devices are not owned by the school, yet are capable of connecting to the network, they create a potential risk to internal ISB network resources. “This presented a variety of security threats to ISB technology systems, and it’s a threat we needed to manage,” explains Russell Layton, the school’s ICT Director.

In an effort to manage access to the network, ISB had relied on a Windows 2008 server-based Network Policy Server to prevent a local IP address from being assigned to new and unknown devices. The IT team also relied on its Active Directory group policy to restrict non-approved software from running on systems within its network domain. “This helped us reduce some risk, but it wasn’t the best solution and it didn’t resolve all of the risks we needed to mitigate,” Russell explains.

One of the school’s networking providers, Alcatel-Lucent, recommended that ISB investigate deploying Safe NAC from Alcatel-Lucent and InfoExpress. “We were intrigued when we heard about Safe NAC, as it would provide the management and security we needed,” Russell says.

Safe NAC hardens the existing network by allowing access only to authorized devices and by reporting and blocking rogue endpoints. Noncompliant endpoints are quarantined until remediation brings them back into compliance. Safe NAC supports multiple NAC enforcement methods for managing access to the network: the Safe NAC integration with Alcatel-Lucent’s OmniSwitch and OmniAccess, which provides ACL enforcement; the Dynamic NAC (DNAC) enforcement method, which requires zero changes to infrastructure or equipment; 802.1X NAC, which uses VLANs; and in-line NAC, which relies on a bridge to filter traffic. With this flexibility, users can be authenticated using 802.1X or Windows domains, with automated and interactive remediation and continuous validation of endpoint compliance. For easy management, all configuration changes and policy updates are managed centrally.

For ISB, Safe NAC enables comprehensive policy enforcement
The ISB IT team chose Safe NAC’s Alcatel-Lucent integration with OmniSwitch and OmniAccess to enforce its network policy. One of the primary ways Safe NAC helps to harden the ISB network is by restricting network access using ACLs on the OmniSwitch and OmniAccess controller. This eliminates the need for VLAN switching, which is typically disruptive for the end user and requires significant network changes. A small software agent audits the endpoint and vets access to the network based on ISB policy criteria. Unauthorized devices and unhealthy clients are quarantined. The unhealthy endpoints can quickly rejoin the network after automatic remediation brings them into compliance.

“The NAC deployment was a success,” says Russell. He says he appreciated that Safe NAC’s small agent and the Safe NAC CyberGatekeeper Server appliance do not require complex network changes. “Safe NAC addressed our needs, and had the advantage of integration with our Alcatel-Lucent OmniSwitch and with our Alcatel-Lucent OmniAccess WLAN controller,” he says. “We were not disappointed. With Safe NAC, the policies are enforced as anticipated and it is easy to maintain.”

Today, non-ISB-owned devices are isolated from the internal network, and ISB-owned devices that are not compliant with key policy attributes, such as up-to-date virus definitions, will be quarantined for signature updates. “Safe NAC has helped us to improve our network security. And the impact on the network is so minimal that most users don’t even know the system exists,” he says. “We currently run the Safe NAC agent to provide the same level of security on Mac OS X and Windows endpoints, but going forward, we plan to install the Safe NAC app to protect mobile devices. We hope to continue to expand the way we rely on Safe NAC to help secure our infrastructure.”

# # #

Firm Overview
Organization: International School of Beijing
Business: ISB is an English-medium independent international school serving the children of foreign expatriates living in Beijing, from pre-kindergarten (age three) through Grade 12, in elementary school, middle school, and high school.
Size: 1,900+ students; 300 faculty and staff

Business Problem
Students and parents wanted to bring their own devices and connect to the Internet. However, because the school does not manage these devices, they created considerable security risks to ISB’s networked resources. ISB needed a way to make certain that, while Internet access was granted, those devices could not access its internal network.

Safe NAC is a Network Access Control solution composed of InfoExpress’ CyberGatekeeper NAC solution, which integrates with Alcatel-Lucent’s OmniAccess wireless, OmniSwitch, OmniVista Access Guardian and Quarantine Manager, and Vital QIP platforms.