Network Access Control (NAC)

For the past two years, DHTS has worked with IT groups across Duke Health and the University. This effort is a change that closely follows many institutions in securing access to the network. Increased intrusion activity heightens the need to secure access to the internal network. This effort not only protects PHI, it also secures academic property, research data, and Duke business data.

NAC is part of a DHTS upgrade to all network closets that will limit access to the wired network for devices not registered with Duke Health.

Devices are defined as any electronic equipment that requires access to the Internet, so the change will go beyond computers.

A few examples are:

  • Printers
  • Freezer monitors
  • Network-connected lab equipment

For Duke managed and supported computers, the following security agents will be installed:

  • NAC agent
  • CrowdStrike
  • BigFix

For devices such as printers and lab equipment, local IT support works with DHTS Networking to create a network profile that allows the device to function on the Duke network.

The DHTS Network Team has created a complete site, https://nac.dhts.duke.edu/, that provides detailed information on NAC and how it will improve network security.

Frequently Asked Questions

What is NAC?

NAC (Network Access Control) is a network security system that ensures any wired or wireless device connected to the Duke Health Secured Network does not pose a security risk. After enforcement begins, if a device cannot be identified by the network or does not have a minimum level of protections on the device, the device will not be able to access the network. The device will need to have the minimum level of protections installed and registered.

With the current network threats faced by organizations, this system will help ensure that the risk of a breach is minimal and will strengthen the network security infrastructure. NAC can deny network access to non-compliant devices, quarantine them, or give them only restricted access, thus keeping insecure nodes from infecting the network.

How does it affect my daily activities?

Most Duke IT-managed devices connected to the network already have the necessary security software in place; therefore, enforcement of NAC will not interfere with day-to-day operations.

If personal laptops are brought in for use on the Duke Health Network, they can be used on the Guest network. If it is necessary for personal computers to connect to the primary Duke Health network to access internal shares or print to Duke Health printers, the device would need to have the minimum security software installed and registered through the NAC Portal as a “User-Managed” device. These step-by-step instructions will walk you through the process, or you can contact your local IT support or the DHTS Service Desk at 919-684-2243 if you need assistance.

Will I lose access to important devices?

If you are using a Duke IT-managed computer, you should not lose any access. Otherwise, if the device is registered with NAC and running the required security software, an IT profile request for the device has been submitted, or an exception has been approved, the device should not lose any access.

You can work with your local IT support or the DHTS Service Desk at 919-684-2243 to help evaluate any devices you would like assistance with.

How does it affect students?

Students will need to register their personal devices with NAC for Duke Health network access. The system requirements are listed below and there are step-by-step instructions on how to register a personal device for NAC.

For basic internet access, students can still connect to the wireless Guest network.

Does the Guest network allow access to our shared drive?

The Guest network will not allow access to Duke Health share drives. If you need to access internal share drives or printers, please consider registering for NAC and installing the necessary security software.

What are the tools you are installing on my computer?

Duke IT-managed devices

  • FortiNAC Persistent Agent
  • CrowdStrike Falcon
  • BigFix Client

Personal devices

  • FortiNAC Persistent Agent

An approved anti-virus application listed below:

Windows:

  • CrowdStrike (preferred)
  • Microsoft Defender
  • Avast
  • AVG

Mac and Linux:

  • CrowdStrike (preferred)
  • Avast
  • Bitdefender

Supported operating systems include Windows, Mac and Linux where the vendor is providing security patches. Please visit this FAQ page for specific information pertaining to supported Linux operating systems.

How do I get an exception?

Please consult your local IT support for assistance with determining whether a device needs a security exception submitted. Security exceptions can be placed for review with DHTS on this ServiceNow portal: NAC Duke Health Device Registration & Security Exception Request

Is OIT-supported the same as Duke/DHTS-supported?

The Office of Information Technology (OIT) at Duke University uses a different network monitoring system called Planisphere. Therefore, if you have an OIT-managed Duke device and intend to connect to Duke Health networks, you will need to ensure that the device meets the requirements of NAC with DHTS. If assistance is needed, contact the DHTS Service Desk at 919-684-2243.