Educause Security Discussion mailing list archives
Re: Network Access Control
From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Fri, 24 Feb 2006 08:57:12 -0500
If you consider Cisco Clean Access (CCA) a NAC system, then yes, we have one, but no, we have not had any privacy issues brought to us. I believe there were some grumblings but nothing formally brought to our attention. As for a mitigation strategy, we have statements regarding the potential for IT Group personnel to come across personal information in the course of their duties. If anyone said "you can see what we are doing" my response would be that "technically, yes, we can but..."
From our CNUP:
"The IT Group will respect and strive to ensure users' privacy and intellectual property while managing the computing and network infrastructure and information application transactions and data. The IT Group does not actively monitor network traffic or view content. However, while researching computing and/or network issues, system administrators or network administrators may need to use tools or utilities that expose content or users' internet habits. Under these circumstances, the IT Group will hold this information and knowledge in strictest confidence."
http://www.keene.edu/policy/cnup.cfm

For percentages, I do not have specifics, but at startup this past fall (the first time with CCA) we had easily 75% because no one had AV, even the ones that thought they did (e.g. expired trialware). As for ongoing, we have a handful flowing in and out of quarantine at any given time. This is mostly due to students who have not followed our guidance (not mandate) for turning on automatic Windows and AV updates, which we spent a lot of time and money communicating to them.

Short answer for minimizing quarantine issues is to communicate early and often and train the helpdesk to get callers to turn on automatic everything so that they never have to call again.

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
--Seek first to understand, and then to be understood. (Steven Covey)

-----Original Message-----
From: David Millar [mailto:millar () ISC UPENN EDU]
Sent: Thursday, February 23, 2006 5:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Network Access Control

We're planning a Network Access Control project. Has anyone encountered privacy (or any other) concerns about requiring the installation of a software agent that reports on patch status, A/V status and password strength, as a condition of network access?

Also, would anyone be willing to share statistics about the percentage of machines that typically wind up in quarantine?

Thanks,
David Millar
University Information Security Officer