Security Basics mailing list archives

NAC for ISPs


From: Kern <timetrap () gmail com>
Date: Wed, 8 Nov 2006 08:24:34 -0500

That is an interesting question, but I think you should not:

1. Increase complexity to satisfy the lowest common denominator
2. Increase overhead of the wireless network (and face possible vendor lock-in)
3. Force all of your clients into a particular OS (I am assuming
2000, XP, 2k3, or Vista)

I see NAC being used in a heterogeneous, closed environment
(enterprise and corporate environments), not in the "wild".

If I was the customer and you told me that I had to have updated AV
or I would be dropped off of the Internet, I would be pissed. Or worse
yet that I had to run a particular OS or Patch level, I would get out
of my service contract.

Now if you decided to use NAC transparently (one subnet or VLAN with
updated AV clients, and one subnet for unknowns) but still allow
everyone Internet access, then go for it. But you are a wireless ISP,
and more bandwidth is not readily available.

Leave the NAC out, and just add VLANs that do not allow inter-host
communication on your local side. Managing a bunch of VLANs would be
easier than NAC clients.


IMHO



On 11/7/06, Curt Shaffer <cshaffer () gmail com> wrote:
I have been kicking around the idea of more ways to protect an ISP client I
have. He is a smaller ISP that is all wireless. As of next week we are
introducing VLANs for select bridged segments and QoS end to end. My
question to the group is this. How feasible do you all think NAC would be
for extra protection? On one hand I see full benefits of quarantining people
that don't have up to date virus definitions, don't have certain updates or
are currently infected. But there is just something sitting in the back of
my mind that tells me customers won't like this even though it is in
everyone's best interest. I am open to everyone's point of view on this.
Please let me know your thoughts pros and cons!

Thanks!

Curt



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

 http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------





--
//jkern//timetrap//
