Re: NAC devices - opinions sought

[Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>]

Hi, David!  Keystone College purchased the Clean Access product (then
called "Clean Machines") just as Cisco was absorbing Perfigo.  There
were not as many choices in this space back then as there are now, but I
can't IMAGINE running our resnet without it.  We used to spend WEEKS of
tech-hours each fall trying to track and clean up all orders of malware
in our resnet.  Our students just didn't understand the importance of
antivirus software or OS patches - and many of their machines were just
dreadful to clean up.  With this product, the students can't get their
machines on the network without meeting minimum maintenance requirements
- so the burden is on them to "clean up their act" so to speak.  That's
quite a shift from the tech group running around trying to find and fix
the student computers!  We had also found ourselves fixing the same
machines over and over again, because the students "unfix" 'em as soon
as you leave.  Students never cared what their machines were spewing out
across our network, as long as their AIM client worked.  Now, it won't
work for sure until they're running clean.  

As I said before, there are more choices now than when we went with this
one - but we only considered ones that include client software to be
installed on the student machines.  One "agentless" product that we
looked at depended on the student to create an administrative account on
their machine in order to allow the server to peek in and verify
maintenance status.  That would be fine in a corporate setting where you
control all of the machines, but it looked like a management intensive
nightmare for a resnet situation!  The Clean Access product includes
clients for Windows as well as Mac.  There is no Linux client, but it
can detect a Linux OS, so we have set ours up to provide one hour of
restricted bandwidth per system boot in order to allow students to play
with Linux (only one student has ever used it, and he was happy with
this solution).  Another plus for the client is that it provides pretty
good guidance to the student as to why their machine failed its
maintenance checks and what to do about it.  

Would you write back to the list after you choose a product?  I would be
interested to know which one you choose and what factors influenced you
in that direction.  Thanks, and good luck!

- Charlie

 

________________________________

From: David Boyer [mailto:David () BVU EDU] 
Sent: Friday, February 16, 2007 5:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NAC devices - opinions sought

 

Anyone familiar with Ciscos Network Admission Control (formerly Cisco
Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network
Access Control or similar software/appliances?

 

Like many schools, we have a 1:1 ration of computers to students. We'd
like to avoid letting vulnerable or malware-infected systems onto our
network while simultaneously addressing the infection or vulnerability.
Almost all of our systems are running Windows XP or Windows 2000.

 

I'd be interested in hearing about your experiences with these or
similar solutions. Any open-source solutions that you know of?

 

Thanks in advance,

 

David Boyer

Buena Vista University