Re: Revisiting wireless NAC

[Patrick Gorsuch <patrick.gorsuch () GALLAUDET EDU>]

Take a look at IDPs that support IF-MAP (Juniper, Cisco, etc. are either 
in the game or planning to be there soon).  Leveraging an orchestration 
server (InfoBlox term/name; or infranet controller if you're talking 
Juniper) and an dot-x implementation, malicious/bad activity detected by 
the IDP can trigger the flow of actions you describe.  Ideally, IF-MAP 
is platform agnostic but with so few players, it's tough to tell just 
how well that's working out.

We're working toward a similar solution -- no posture check, watch for 
bad stuff at points of traffic consolidation, and take action 
accordingly -- using Juniper, InfoBlox, and GreatBay products.  The user 
community (and support desk) definitely does not miss the fat NAC client.

- Pat

Patrick N. Gorsuch
Manager, Networks and Information Security
Gallaudet University
202-651-5070
patrick.gorsuch () gallaudet edu

On 1/4/2013 2:43 PM, David Curry wrote:
> Hello,
>
> We're currently in the process of re-designing our wireless network to 
> split it into a guest side and a "secure" side, add a guest management 
> system, replace the captive portal sign-on with 802.1X authentication 
> on the secure side, etc. As part of this project, we're also taking a 
> look at our use of Network Access Control and thinking about what 
> we're really trying to accomplish. At the moment, we use a "permanent 
> agent" based NAC on PCs and Macs connecting to the wireless network, 
> but the only policy we enforce is that the computer must have 
> antivirus running with up-to-date signatures. If the connecting 
> computer doesn't pass that check, we put it into a remediation VLAN.
>
> Back when we first implemented NAC (this is the second product), 
> requiring antivirus software was a major factor in keeping malware out 
> of our network. But as we all know, it's not that simple anymore--just 
> having antivirus isn't enough to keep the malware out because malware 
> has changed, and an argument can perhaps even be made that now that 
> Windows and Mac OS X come with built-in firewalls and whatnot, the 
> requirement to have antivirus installed is obsolete. And then there's 
> the fact that the majority of devices on our wireless network now are 
> not PCs and Macs anyway, and our existing NAC doesn't do anything with 
> those. So, given all that plus some of the push-back we've received 
> from our user community about the NAC requirement in general and this 
> specific NAC in particular, we started thinking...
>
> Why don't we get rid of the NAC all together? And instead, we'll just 
> let any device connect to the network (provided the user 
> authenticates), and let it do whatever it wants, right up until the 
> point at which it misbehaves. Instead of running the NAC system, we'll 
> run some kind of intrusion detection system that's looking for 
> malicious traffic. If it sees some, it will block the traffic from 
> that device, and move the device into a "quarantine" or "remediation" 
> VLAN where the user can be informed (with a captive portal or 
> whatever) that his/her computer may be infected with malware and 
> provided with advice/tools on cleaning it up. This seemed easy enough, 
> but when we started looking for products, we couldn't find any. There 
> are plenty of IDS/IPS systems out there that can detect and block the 
> traffic; that part's easy. But we've been unable to find any products 
> that can also do the other part--sending users to some sort of 
> quarantine/remediation portal so that they know why their computer 
> isn't working on the network anymore. This last part is critical to 
> us, as we do not run a 24x7 help desk, and we don't want to just 
> silently drop users' traffic with no explanation when there's nobody 
> they can call to find out what's happening.
>
> So finally, my question: Has anybody implemented something like this? 
> If so, would you be willing to share how you did it?
>
> Thanks,
> --Dave
>
>
> --
>
> *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
>
> *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
>
> +1 212 229-5300 x4728 • david.curry () newschool edu 
> <mailto:david.curry () newschool edu>