Security Basics mailing list archives

Re: NAC Question


From: Micheal Cottingham <techie.micheal () gmail com>
Date: Tue, 28 Apr 2009 19:49:53 -0400

I agree that NAC is a good approach to this problem, and probably
something you want to look into implementing in the future, but what
about a slightly less expensive solution for the time being while you
whittle things down? I can see this being a two-pronged approach.
First, set up something similar to ICARUS
(http://uf.freeculture.org/wiki/ICARUS) and do a blackhole VLAN. If
you have the right equipment, you can do this for nothing on your
existing infrastructure. The second step would be to have social
enforcement instead of technical enforcement by having your laptop
users come to you every time they go offsite and come back: they go to
the helpdesk, get an AV scan, a spyware scan, etc., and run updates.
This way you can hopefully limit the amount of unwanted traffic on
your network and get cleaned up. While it does impose some problems on
the helpdesk, especially when the changes are first implemented, it
will help tremendously with getting cleaned up and hopefully teach
your users that the company laptop belongs to the company. ;)

As far as IPS instead of NAC, while I am an avid supporter of IPS,
IPSs can be as expensive as NAC, if not more so. I've seen lower-end
IPS models run about 20k and go up as high as 100k and more, not
counting support contracts.
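The two prongs above (a blackhole VLAN on the switches, plus a helpdesk check-in every time a laptop comes back from offsite) only work together if the technical side can see the outcome of the social side. The script below is an added example, not code from the poster or from ICARUS, of the decision a port-assignment hook would make when a MAC shows up on a switch port: it quarantines unknown MACs, and it quarantines company laptops that were off the LAN longer than an assumed threshold unless the helpdesk recorded a clearance after they left. The VLAN ids, the 12-hour "went offsite" threshold, the `Host` record layout and the inventory entries are all assumptions constructed for the example; the host inventory would normally come from your asset database and the clearance timestamp from the helpdesk ticketing system.

```python
"""Blackhole-VLAN assignment driven by helpdesk clearance records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Assumed VLAN ids; use whatever your switches are configured with.
PRODUCTION_VLAN = 10
BLACKHOLE_VLAN = 999                 # VLAN with no gateway/SVI: traffic goes nowhere
# Assumed threshold: a MAC absent from the LAN this long is treated as "went offsite".
OFFSITE_GAP = timedelta(hours=12)


@dataclass
class Host:
    mac: str
    company_owned: bool
    last_seen_on_lan: Optional[datetime]   # last switch sighting before this attach event
    last_clearance: Optional[datetime]     # last helpdesk AV/spyware/update check-in


def assign_vlan(host: Host, now: datetime) -> Tuple[int, str]:
    """Decide which VLAN a newly attached host gets, and why."""
    if not host.company_owned:
        return BLACKHOLE_VLAN, "not in inventory"
    if host.last_seen_on_lan is None:
        # First time on the wire: nothing to compare against, so require a check-in first.
        if host.last_clearance is None:
            return BLACKHOLE_VLAN, "new host, no helpdesk clearance"
        return PRODUCTION_VLAN, "new host, cleared by helpdesk"
    away = now - host.last_seen_on_lan
    if away <= OFFSITE_GAP:
        return PRODUCTION_VLAN, f"continuously on LAN (gap {away})"
    # The host was away long enough to count as offsite. The clearance must
    # postdate its departure, i.e. the helpdesk saw it after it came back.
    if host.last_clearance is not None and host.last_clearance > host.last_seen_on_lan:
        return PRODUCTION_VLAN, "returned from offsite, cleared by helpdesk"
    return BLACKHOLE_VLAN, "returned from offsite without helpdesk clearance"


def attach_event(inventory: Dict[str, Host], mac: str, now: datetime) -> Tuple[int, str]:
    """Handle a MAC seen on a port; MACs missing from inventory are treated as foreign."""
    host = inventory.get(mac.lower())
    if host is None:
        host = Host(mac.lower(), False, None, None)
    return assign_vlan(host, now)


# Constructed sample inventory and a fixed "now" so the run is deterministic.
NOW = datetime(2009, 4, 29, 9, 0)
INVENTORY: Dict[str, Host] = {h.mac: h for h in [
    # Laptop went home last night, clearance predates departure -> quarantine.
    Host("00:11:22:33:44:55", True, datetime(2009, 4, 28, 17, 30), datetime(2009, 4, 28, 8, 0)),
    # Same pattern, but the helpdesk checked it in this morning -> production.
    Host("00:11:22:33:44:66", True, datetime(2009, 4, 28, 17, 30), datetime(2009, 4, 29, 8, 45)),
    # Desktop that never left -> production, no clearance needed.
    Host("00:11:22:33:44:77", True, datetime(2009, 4, 29, 8, 55), None),
    # Brand-new laptop, never seen and never cleared -> quarantine.
    Host("00:11:22:33:44:88", True, None, None),
]}


if __name__ == "__main__":
    for mac in list(INVENTORY) + ["de:ad:be:ef:00:01"]:   # last one is not in inventory
        vlan, why = attach_event(INVENTORY, mac, NOW)
        print(f"{mac} -> VLAN {vlan:>3}  ({why})")
```

The reason string is worth logging alongside the VLAN decision, because the first weeks of such a scheme generate a lot of "why is my laptop in the blackhole?" tickets. Keep in mind that the identity here is a MAC address, which a user can set to whatever they like; this is a cleanup tool for the interim, as the poster says, not a substitute for the NAC you deploy later.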

