Re: NAC devices - opinions sought

[Conor McGrath <conormc () UCHICAGO EDU>]

On Sat, Feb 17, 2007 at 09:47:31AM -0600 Brian T Nichols said:
> Hi David,
>
> At LSU, we've been evaluating Microsoft Network Access Protection (NAP).
> For a very high level description, NAP is composed of a client side
> component, a server component, and an enforcement mechanism.  When a
> client tries to associate with a network, the server component forces
> the client to run through a series of tests that we pre-determine (such
> as is the firewall enabled, are all patches installed, etc.).  If the
> client fails these tests, the server signals the enforcement mechanism
> (either DHCP, 802.1x or IPSec) to quarantine the client.  The quarantine
> network is an isolated area where the client can update itself so as to
> be compliant (for example, by downloading patches).  After the client is
> updated, it will retry to associate with the network, at which point the
> server will again check the client and, assuming it now passes, signal
> the enforcement mechanism to allow 'normal' access to the network.  The
> real benefit of NAP is that it provides persistent enforcement of our
> policies.  Rather than being a manual process done at the beginning of
> the semester only, NAP ensures that a system is compliant each time it
> connects to the network.
>
> LSU selected NAP because of easy integration, low cost, and flexible
> deployment options.  We performed an initial pilot of 250+ machines with
> DHCP based enforcement, and have already tested 802.1x enforcement,
> which will be our long term solution.  We have integrated NAP with
> existing Cisco hardware, Symantec Antivirus software, and Microsoft
> Systems Management Server.

How well does NAP handle OS X and Linux clients?  We have a lot of each
of those here so need to consider how they would integrate with any NAC
solution we would choose.

-Conor

> ________________________________
>
> From: David Boyer [mailto:David () BVU EDU]
> Sent: Friday, February 16, 2007 5:50 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] NAC devices - opinions sought
>
> Anyone familiar with Ciscos Network Admission Control (formerly Cisco
> Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network
> Access Control or similar software/appliances?
>
> Like many schools, we have a 1:1 ration of computers to students. We'd
> like to avoid letting vulnerable or malware-infected systems onto our
> network while simultaneously addressing the infection or vulnerability.
> Almost all of our systems are running Windows XP or Windows 2000.
>
> I'd be interested in hearing about your experiences with these or
> similar solutions. Any open-source solutions that you know of?

--
Conor McGrath                                           Phone: (773)702-7611
Manager for Network Security                            Fax: (773)834-8444
Network Security Center, The University of Chicago      NetSec: (773)702-2378
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml