Educause Security Discussion mailing list archives

Re: NAC devices - opinions sought


From: David Gillett <gillettdavid () FHDA EDU>
Date: Thu, 8 Mar 2007 16:45:51 -0800

  We have to be able to work with a lot of private client machines
with minimal support impact, so an agentless (or easy "dissolving
agent") mode is important.  And a "log but don't enforce" mode is
nice, as is the ability to phase in implementation per building or
even per port.
  About 40% of our population are Macintoshes, and most of the
Windows machines aren't in AD.  And our switches aren't Cisco.
  That really only leaves a couple of contenders for each access
control choice.

David Gillett


-----Original Message-----
From: John Kemp [mailto:kemp () network-services uoregon edu]
Sent: Thursday, March 08, 2007 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NAC devices - opinions sought

Lots of odd choices to make.  We've been looking at this pretty hard.
Here are a couple of papers for background:

http://www.juniper.net/solutions/literature/white_papers/nac_deployment_opus_one.pdf
http://www.bradfordnetworks.com/products/reports/MarketScopeForNAC2007/bradford2160.pdf

Basic choices are things like:

      -- in-band or out-of-band (approximately)
      -- L2 or L3 controls, or both
      -- access control mechanism

The last one is the fun part: do you do VLAN reassignment of
the switch port, do you do ARP spoofing of the gateway, do
you do MAC address filtering or retagging, or do you do IP redirect?

My own preference is that you do switchport VLAN reassignment.
This assumes that you have a high-quality infrastructure, and
1-user-per-port.  CCA can do that.  BradfordNetworks can do
it, with more platforms than Cisco can.  And it looks like
those two open source projects can do it.

One big differentiator is remediation capability.  It all
gets very fuzzy when you start to look at that part of it, so
my recommendation is to choose your architecture first, then
worry about the assessment and remediation components.  Or to
put it another way, you are doing ACCESS CONTROL.  Make sure
your ACCESS CONTROL mechanism works the way you want it to.

--

John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/ mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A  B354 77DE E6DC A3CA 7130
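As an added example (not code from either poster, and not any vendor's product): a toy decision engine for the switchport VLAN-reassignment model John describes, with the "log but don't enforce" and per-building phase-in modes David asks for, and a check for the 1-user-per-port assumption that VLAN reassignment depends on. The VLAN ids, building names, port names and MAC addresses are all constructed.

```python
"""Toy NAC port-decision engine for the switchport VLAN-reassignment model.
Inputs are constructed: a posture result per endpoint and the set of MAC
addresses the switch has learned on each port."""
from dataclasses import dataclass

QUARANTINE_VLAN = 999   # assumed remediation/quarantine VLAN id
PRODUCTION_VLAN = 10    # assumed normal access VLAN id


@dataclass
class Endpoint:
    mac: str
    building: str
    port: str          # switch/port the endpoint was seen on
    posture_ok: bool   # result of the assessment step, whatever produced it


def decide(ep, port_macs, enforce_buildings, enforce=True):
    """Return (action, vlan, reason) for one endpoint.

    action is 'assign' (move the port), 'log' (record what we would do) or
    'skip'.  Reassigning a port's VLAN moves every host behind that port, so
    it is only safe when exactly one host is learned there; a port with more
    MACs (hub, unmanaged switch, VM bridge) is never enforced, only flagged."""
    target = PRODUCTION_VLAN if ep.posture_ok else QUARANTINE_VLAN
    others = [m for m in port_macs.get(ep.port, []) if m != ep.mac]
    if others:
        return ("skip", None,
                f"{ep.port} has {len(others) + 1} hosts; not 1-user-per-port")
    if not enforce or ep.building not in enforce_buildings:
        return ("log", target, "log-only: outside enforcement scope")
    return ("assign", target, "posture ok" if ep.posture_ok else "posture failed")


def run(endpoints, port_macs, enforce_buildings, enforce=True):
    """Evaluate every endpoint; returns {mac: (action, vlan)} for review."""
    return {ep.mac: decide(ep, port_macs, enforce_buildings, enforce)[:2]
            for ep in endpoints}


# Constructed sample: one clean port, one port with two hosts behind it,
# and one port in a building not yet in the enforcement phase.
SAMPLE_PORT_MACS = {
    "sw1/1": ["aa:bb:cc:00:00:01"],
    "sw1/2": ["aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"],
    "sw2/1": ["aa:bb:cc:00:00:04"],
}
SAMPLE_ENDPOINTS = [
    Endpoint("aa:bb:cc:00:00:01", "library", "sw1/1", posture_ok=False),
    Endpoint("aa:bb:cc:00:00:02", "library", "sw1/2", posture_ok=False),
    Endpoint("aa:bb:cc:00:00:04", "science", "sw2/1", posture_ok=True),
]
```

Running `run(SAMPLE_ENDPOINTS, SAMPLE_PORT_MACS, {"library"})` quarantines the first port, refuses to touch the shared port, and only logs the decision for the building that is not yet enforced.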
