Educause Security Discussion mailing list archives

Re: Network Access Control


From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Fri, 24 Feb 2006 08:57:12 -0500

If you consider Cisco Clean Access (CCA) a NAC system, then yes we have
one but no, we have not had any privacy issues brought to us.  I believe
there were some grumblings but nothing formally brought to our
attention. 

As for a mitigation strategy, we have statements regarding the potential
for IT Group personnel to come across personal information in the course
of their duties.  If anyone said "you can see what we are doing" my
response would be that "technically, yes, we can but..."
From our CNUP:
"The IT Group will respect and strive to ensure users' privacy and
intellectual property while managing the computing and network
infrastructure and information application transactions and data. The IT
Group does not actively monitor network traffic or view content.
However, while researching computing and/or network issues, system
administrators or network administrators may need to use tools or
utilities that expose content or users' internet habits. Under these
circumstances, the IT Group will hold this information and knowledge in
strictest confidence."

http://www.keene.edu/policy/cnup.cfm


For percentages, I do not have specifics but at startup this past fall
(the first time with CCA) we had easily 75% because no one had AV, even
the ones that thought they did (e.g. expired trialware). As for ongoing
we have a handful flowing in and out of quarantine at any given time.
This is mostly due to students who have not followed our guidance (not
mandate) for turning on automatic Windows and AV updates which we spent
a lot of time and money communicating to them.  

Short answer for minimizing quarantine issues is to communicate early
and often and train the helpdesk to get callers to turn on automatic
everything so that they never have to call again.

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

--Seek first to understand, and then to be understood. 
      (Steven Covey)


-----Original Message-----
From: David Millar [mailto:millar () ISC UPENN EDU] 
Sent: Thursday, February 23, 2006 5:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Network Access Control

We're planning a Network Access Control project.

Has anyone encountered privacy (or any other) concerns about requiring the
installation of a software agent that reports on patch status, A/V status
and password strength, as a condition of network access?

Also, would anyone be willing to share statistics about the percentage of
machines that typically wind up in quarantine?

Thanks,
David Millar
University Information Security Officer
