Educause Security Discussion mailing list archives
Re: NAC devices - opinions sought
From: Conor McGrath <conormc () UCHICAGO EDU>
Date: Sat, 17 Feb 2007 11:57:49 -0600
On Sat, Feb 17, 2007 at 09:47:31AM -0600 Brian T Nichols said:
Hi David,

At LSU, we've been evaluating Microsoft Network Access Protection (NAP). For a very high level description, NAP is composed of a client side component, a server component, and an enforcement mechanism. When a client tries to associate with a network, the server component forces the client to run through a series of tests that we pre-determine (such as is the firewall enabled, are all patches installed, etc.). If the client fails these tests, the server signals the enforcement mechanism (either DHCP, 802.1x or IPSec) to quarantine the client. The quarantine network is an isolated area where the client can update itself so as to be compliant (for example, by downloading patches). After the client is updated, it will retry associating with the network, at which point the server will again check the client and, assuming it now passes, signal the enforcement mechanism to allow 'normal' access to the network.

The real benefit of NAP is that it provides persistent enforcement of our policies. Rather than being a manual process done at the beginning of the semester only, NAP ensures that a system is compliant each time it connects to the network.

LSU selected NAP because of easy integration, low cost, and flexible deployment options. We performed an initial pilot of 250+ machines with DHCP based enforcement, and have already tested 802.1x enforcement, which will be our long term solution. We have integrated NAP with existing Cisco hardware, Symantec Antivirus software, and Microsoft Systems Management Server.
How well does NAP handle OS X and Linux clients? We have a lot of each of those here so need to consider how they would integrate with any NAC solution we would choose. -Conor
________________________________
From: David Boyer [mailto:David () BVU EDU]
Sent: Friday, February 16, 2007 5:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NAC devices - opinions sought

Anyone familiar with Cisco's Network Admission Control (formerly Cisco Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network Access Control or similar software/appliances? Like many schools, we have a 1:1 ratio of computers to students. We'd like to avoid letting vulnerable or malware-infected systems onto our network while simultaneously addressing the infection or vulnerability. Almost all of our systems are running Windows XP or Windows 2000. I'd be interested in hearing about your experiences with these or similar solutions. Any open-source solutions that you know of?
--
Conor McGrath                                        Phone: (773)702-7611
Manager for Network Security                         Fax: (773)834-8444
Network Security Center, The University of Chicago   NetSec: (773)702-2378
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
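The connect / health-check / quarantine / remediate / retry loop that Brian describes above is worth seeing end to end, so here is an added simulation of it. This is illustration code written for this archive page, not Microsoft's NAP API and not LSU's deployment; the health checks (firewall state, missing patches, antivirus signature age), the class and function names, the policy threshold and the sample clients are all constructed assumptions. It models the three roles from the thread (client statement of health, policy server, enforcement point) and records which network each host lands on at every attempt, which is the audit trail an operator would want when a NAC rollout is being evaluated.

```python
"""Simulated NAP-style admission loop: client reports health, policy server
evaluates it, enforcement point grants access or quarantines, client
remediates from quarantine and retries. Constructed example, not NAP's API."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class StatementOfHealth:
    """What the client-side component reports about itself (constructed fields)."""
    host: str
    firewall_enabled: bool
    missing_patches: list[str]
    av_signature_age_days: int


@dataclass
class Policy:
    """Checks the policy server requires; threshold is an assumed value."""
    max_av_signature_age_days: int = 7


@dataclass
class Decision:
    compliant: bool
    failures: list[str] = field(default_factory=list)


def evaluate(soh: StatementOfHealth, policy: Policy) -> Decision:
    """Policy-server role: run every check and collect the failures so the
    client is told everything it must fix, not just the first problem."""
    failures: list[str] = []
    if not soh.firewall_enabled:
        failures.append("firewall disabled")
    if soh.missing_patches:
        failures.append("missing patches: " + ", ".join(soh.missing_patches))
    if soh.av_signature_age_days > policy.max_av_signature_age_days:
        failures.append(f"antivirus signatures {soh.av_signature_age_days} days old")
    return Decision(compliant=not failures, failures=failures)


class EnforcementPoint:
    """Stands in for the DHCP / 802.1x / IPsec enforcement mechanism: it only
    places hosts on a network, it never decides compliance itself."""

    def __init__(self) -> None:
        self.placement: dict[str, str] = {}

    def apply(self, host: str, decision: Decision) -> str:
        self.placement[host] = "production" if decision.compliant else "quarantine"
        return self.placement[host]


def remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """Simulated self-update from the quarantine network: patches applied,
    signatures refreshed, firewall re-enabled. Real remediation can fail,
    which is why admit() caps the number of attempts."""
    return StatementOfHealth(soh.host, True, [], 0)


def admit(soh: StatementOfHealth, policy: Policy, enforcement: EnforcementPoint,
          max_attempts: int = 2) -> list[tuple[int, str, list[str]]]:
    """Run the loop and return (attempt, network, failures) per attempt."""
    trail = []
    for attempt in range(1, max_attempts + 1):
        decision = evaluate(soh, policy)
        network = enforcement.apply(soh.host, decision)
        trail.append((attempt, network, list(decision.failures)))
        if decision.compliant:
            break
        soh = remediate(soh)  # client updates itself in quarantine, then retries
    return trail


# Constructed sample clients: one clean, one with several failing checks.
SAMPLE_CLIENTS = [
    StatementOfHealth("lab-pc-01", True, [], 2),
    StatementOfHealth("dorm-pc-17", False, ["MS07-009"], 30),
]


def run_samples() -> dict[str, list[tuple[int, str, list[str]]]]:
    enforcement = EnforcementPoint()
    policy = Policy()
    return {c.host: admit(c, policy, enforcement) for c in SAMPLE_CLIENTS}


if __name__ == "__main__":
    for host, trail in run_samples().items():
        for attempt, network, failures in trail:
            print(f"{host} attempt {attempt}: {network} {failures}")
```

The enforcement point deliberately knows nothing about the checks; keeping the decision in the policy server is what lets the same policy drive DHCP, 802.1x or IPsec enforcement, as the thread describes. The retry cap matters operationally: a host whose remediation keeps failing should stay visible in quarantine rather than loop forever.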