Educause Security Discussion mailing list archives

Re: Pre-Scan or Scan-After


From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Wed, 14 Sep 2005 07:21:07 -0400

We do both, sort of...
We have recently implemented the Impulse Point solution and after some
installation issues were resolved, have been pleased with its performance
and price.  Currently we have this in production on our main campus wireless
network and have it set to prevent access if policies are not met.  We scan
for Windows patches, anti-virus definitions, and status of anti-virus
software.  We have the ability to also scan for spyware and redirect
peer-to-peer file sharing attempts to music download retailers.

We will most likely take a different approach on our residential network
where we will scan wired and wireless connections.  Here we plan to offer
"warnings" to the user that access will be terminated in n hours if the
client is not patched, updated, etc.  We plan to offer access to select
on-campus services or addresses regardless of patch status so that we can't
be accused of impeding academic progress of our students.  We don't offer
the "walled garden" approach on campus because the students have broad
access to hundreds of lab or classroom computers that are patched.

As for pre or post scanning, our implementation is better described as
"live" scanning.  Clients are scanned in both states, before AND after
connection.  If, for instance, the anti-virus software is turned off after
the pre-connection scan, network access will be terminated in short order
until the software is turned back on.  While this isn't actually real-time,
it's pretty darn quick.


Chad McDonald, CISSP

Chief Information Security Officer

Georgia College & State University

Office    478.445.4473

Cell       478.454.8250



  _____

From: Tom Neiss [mailto:TNeiss () UAMAIL ALBANY EDU]
Sent: Tuesday, September 13, 2005 2:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pre-Scan or Scan-After



We are in the process of deciding on scanning for vulnerabilities after
connection (having gone through the necessary authorization and
authentication) to the network as opposed to pre-scanning for them.  We are
seeking best practices of those that have chosen this route.  In addition we
would like those that chose to pre-scan to share with us why you made that
decision.

We would appreciate your sharing with us....

If you have chosen to scan-after can you give me a URL to your process?
Can you share any insight into your arriving at that decision?
If you chose to pre-scan, what were your deciding factors?
thanks,
tn

Thomas R. Neiss
Director of Telecommunications
University at Albany
State University of New York
1400 Washington Avenue MSC 209
Albany, NY 12222
tneiss () uamail albany edu
(518) 437-3803
(518) 437-3810 (FAX)
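
The "live" scanning and warn-then-terminate behaviour described in the reply above, modelled as an added example that is not part of the original thread and is not Impulse Point's code. The state names, the 24-hour grace value and the 192.0.2.0/24 allowlist are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist of "select on-campus services" (TEST-NET-1, not a real campus range).
ON_CAMPUS_SERVICES = [ipaddress.ip_network("192.0.2.0/24")]

@dataclass
class Posture:
    """Result of one client scan: the three checks named in the reply."""
    patched: bool
    av_running: bool
    av_defs_current: bool

    def compliant(self) -> bool:
        return self.patched and self.av_running and self.av_defs_current

@dataclass
class Session:
    enforce: bool                       # True: block at once (main wireless); False: warn first (residential)
    grace_hours: float = 24.0           # the "n hours" in the reply; 24 is an assumed value
    first_fail: Optional[float] = None  # time of the first failed scan in the current run of failures

    def evaluate(self, posture: Posture, now_hours: float) -> str:
        """Called for the pre-connection scan and for every later re-scan."""
        if posture.compliant():
            self.first_fail = None      # a clean scan clears the countdown
            return "full"
        if self.enforce:
            return "blocked"
        if self.first_fail is None:
            self.first_fail = now_hours # start the countdown once; repeat failures do not reset it
        if now_hours - self.first_fail < self.grace_hours:
            return "warned"
        return "restricted"

def may_reach(state: str, dest: str) -> bool:
    """Per-destination decision for a client in the given state."""
    if state in ("full", "warned"):
        return True
    if state == "restricted":           # terminated, except the on-campus allowlist
        return any(ipaddress.ip_address(dest) in net for net in ON_CAMPUS_SERVICES)
    return False                        # "blocked": no access until policy is met
```

Because `evaluate` runs on every re-scan, a client that passes the pre-connection scan and then disables its anti-virus loses access at the next scan rather than at the next login.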

