Educause Security Discussion mailing list archives

Re: NAC devices - opinions sought


From: John Kemp <kemp () NETWORK-SERVICES UOREGON EDU>
Date: Thu, 8 Mar 2007 16:18:07 -0800

Lots of odd choices to make.  We've been looking at this pretty hard.
Here are a couple of papers for background:

http://www.juniper.net/solutions/literature/white_papers/nac_deployment_opus_one.pdf
http://www.bradfordnetworks.com/products/reports/MarketScopeForNAC2007/bradford2160.pdf

Basic choices are things like:

        -- in-band or out-of-band (approximately)
        -- L2 or L3 controls, or both
        -- access control mechanism

The last one is the fun part: do you do VLAN reassignment of
the switch port, do you do ARP spoofing of the gateway, do you
do MAC address filtering or retagging, or do you do IP redirect?

My own preference is that you do switchport VLAN reassignment.
This assumes that you have a high-quality infrastructure, and
1-user-per-port.  CCA can do that.  BradfordNetworks can do it,
with more platforms than Cisco can.  And it looks like those two
open source projects can do it.

One big differentiator is remediation capability.  It all gets
very fuzzy when you start to look at that part of it, so my
recommendation is to choose your architecture first, then worry
about the assessment and remediation components.  Or to put it
another way, you are doing ACCESS CONTROL.  Make sure your
ACCESS CONTROL mechanism works the way you want it to.

--

John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/ mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A  B354 77DE E6DC A3CA 7130
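An added illustration, not from the poster, of the switchport VLAN reassignment approach described above and its 1-user-per-port assumption: a toy out-of-band NAC decision in Python. VLAN ids, port names, MACs and posture results are constructed; a real controller would read the MAC table from the switch and write the VLAN back.

```python
from dataclasses import dataclass, field

PRODUCTION_VLAN = 100   # constructed VLAN ids
REMEDIATION_VLAN = 999


@dataclass
class Port:
    name: str
    vlan: int = PRODUCTION_VLAN
    macs: set = field(default_factory=set)   # MACs learned on the port


def decide_vlan(port, compliant):
    """Return (vlan, reason) for one port.  Moving the access VLAN moves
    every host behind the port, so it is only safe with one MAC on it."""
    if not port.macs:
        return port.vlan, "no host learned, leave as is"
    if len(port.macs) > 1:
        # 1-user-per-port assumption violated (hub, unmanaged switch, VM
        # bridge): reassigning would admit or quarantine all hosts at once.
        return port.vlan, f"{len(port.macs)} MACs on port, manual review"
    (mac,) = port.macs
    if compliant.get(mac, False):
        return PRODUCTION_VLAN, f"{mac} compliant"
    # Unknown or failing posture goes to remediation, never production.
    return REMEDIATION_VLAN, f"{mac} not compliant, quarantine"


def enforce(ports, compliant):
    """Apply decide_vlan to every port; return the ports that changed."""
    changes = []
    for port in ports:
        vlan, reason = decide_vlan(port, compliant)
        if vlan != port.vlan:
            port.vlan = vlan
            changes.append((port.name, vlan, reason))
    return changes


# Constructed MAC-table snapshot and posture results (not real data).
PORTS = [Port("Gi1/0/1", macs={"00:11:22:33:44:01"}),
         Port("Gi1/0/2", macs={"00:11:22:33:44:02"}),
         Port("Gi1/0/3", macs={"00:11:22:33:44:03", "00:11:22:33:44:04"}),
         Port("Gi1/0/4")]
POSTURE = {"00:11:22:33:44:01": True, "00:11:22:33:44:02": False}

if __name__ == "__main__":
    for change in enforce(PORTS, POSTURE):
        print(change)
```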
