Educause Security Discussion mailing list archives
Re: NAC devices - opinions sought
From: Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>
Date: Fri, 16 Feb 2007 18:32:40 -0500
Hi, David!

Keystone College purchased the Clean Access product (then called "Clean Machines") just as Cisco was absorbing Perfigo. There were not as many choices in this space back then as there are now, but I can't IMAGINE running our resnet without it. We used to spend WEEKS of tech-hours each fall trying to track and clean up all orders of malware in our resnet. Our students just didn't understand the importance of antivirus software or OS patches - and many of their machines were just dreadful to clean up.

With this product, the students can't get their machines on the network without meeting minimum maintenance requirements - so the burden is on them to "clean up their act" so to speak. That's quite a shift from the tech group running around trying to find and fix the student computers! We had also found ourselves fixing the same machines over and over again, because the students "unfix" 'em as soon as you leave. Students never cared what their machines were spewing out across our network, as long as their AIM client worked. Now, it won't work for sure until they're running clean.

As I said before, there are more choices now than when we went with this one - but we only considered ones that include client software to be installed on the student machines. One "agentless" product that we looked at depended on the student to create an administrative account on their machine in order to allow the server to peek in and verify maintenance status. That would be fine in a corporate setting where you control all of the machines, but it looked like a management intensive nightmare for a resnet situation!

The Clean Access product includes clients for Windows as well as Mac. There is no Linux client, but it can detect a Linux OS, so we have set ours up to provide one hour of restricted bandwidth per system boot in order to allow students to play with Linux (only one student has ever used it, and he was happy with this solution).
Another plus for the client is that it provides pretty good guidance to the student as to why their machine failed its maintenance checks and what to do about it.

Would you write back to the list after you choose a product? I would be interested to know which one you choose and what factors influenced you in that direction.

Thanks, and good luck!

- Charlie

________________________________
From: David Boyer [mailto:David () BVU EDU]
Sent: Friday, February 16, 2007 5:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NAC devices - opinions sought

Anyone familiar with Cisco's Network Admission Control (formerly Cisco Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network Access Control or similar software/appliances?

Like many schools, we have a 1:1 ratio of computers to students. We'd like to avoid letting vulnerable or malware-infected systems onto our network while simultaneously addressing the infection or vulnerability. Almost all of our systems are running Windows XP or Windows 2000.

I'd be interested in hearing about your experiences with these or similar solutions. Any open-source solutions that you know of?

Thanks in advance,
David Boyer
Buena Vista University