Educause Security Discussion mailing list archives
Re: NAC devices - opinions sought
From: David Gillett <gillettdavid () FHDA EDU>
Date: Thu, 8 Mar 2007 16:45:51 -0800
We have to be able to work with a lot of private client machines with minimal support impact, so an agentless (or easy "dissolving agent") mode is important. And a "log but don't enforce" mode is nice, as is the ability to phase in implementation per building or even per port.

About 40% of our population are Macintoshes, and most of the Windows machines aren't in AD. And our switches aren't Cisco. That really only leaves a couple of contenders for each access control choice.

David Gillett
-----Original Message-----
From: John Kemp [mailto:kemp () network-services uoregon edu]
Sent: Thursday, March 08, 2007 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NAC devices - opinions sought

Lots of odd choices to make. We've been looking at this pretty hard. Here are a couple of papers for background:

http://www.juniper.net/solutions/literature/white_papers/nac_deployment_opus_one.pdf
http://www.bradfordnetworks.com/products/reports/MarketScopeForNAC2007/bradford2160.pdf

Basic choices are things like:
-- in-band or out-of-band (approximately)
-- L2 or L3 controls, or both
-- access control mechanism

The last one is the fun part: do you do VLAN reassignment of the switch port, do you do ARP spoofing of the gateway, do you do MAC address filtering or retagging, or do you do IP redirect?

My own preference is that you do switchport VLAN reassignment. This assumes that you have a high-quality infrastructure, and 1-user-per-port. CCA can do that. BradfordNetworks can do it, with more platforms than Cisco can. And it looks like those two open source projects can do it.

One big differentiator is remediation capability. It all gets very fuzzy when you start to look at that part of it, so my recommendation is to choose your architecture first, then worry about the assessment and remediation components. Or to put it another way, you are doing ACCESS CONTROL. Make sure your ACCESS CONTROL mechanism works the way you want it to.

--
John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/
mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A B354 77DE E6DC A3CA 7130
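The two design points raised in this exchange, switchport VLAN reassignment that only works under a 1-user-per-port assumption and a per-building "log but don't enforce" phase-in, can be modelled as a small policy decision. The following is an added illustration written for this archive page, not code from any of the products named in the thread; the VLAN numbers, building names and MAC addresses are constructed for the example.

```python
"""Toy NAC policy decision for switchport VLAN reassignment (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PRODUCTION_VLAN = 100   # assumed VLAN numbers chosen for the example
QUARANTINE_VLAN = 999


@dataclass
class PortState:
    switch: str
    port: int
    building: str
    macs_seen: Set[str] = field(default_factory=set)  # MACs observed on this port


@dataclass
class Decision:
    action: str            # "keep", "reassign", "log-only" or "skip"
    vlan: Optional[int]    # VLAN the port should end up on, None if untouched
    reason: str


def decide(port: PortState, mac: str, posture_ok: bool,
           enforce_by_building: Dict[str, bool]) -> Decision:
    """Decide what to do with one switch port after a posture check of `mac`."""
    port.macs_seen.add(mac.lower())
    # VLAN reassignment moves the whole port. If more than one MAC sits behind it
    # (hub, phone + PC), quarantining one host would also cut off the others, so
    # the 1-user-per-port assumption does not hold and we refuse to act.
    if len(port.macs_seen) > 1:
        return Decision("skip", None,
                        f"{len(port.macs_seen)} MACs on port; not 1-user-per-port")
    if posture_ok:
        return Decision("keep", PRODUCTION_VLAN, "posture check passed")
    # Per-building phase-in: a building not yet switched to enforce mode only
    # records what would have happened, which is the "log but don't enforce" mode.
    if not enforce_by_building.get(port.building, False):
        return Decision("log-only", PRODUCTION_VLAN,
                        "would quarantine; building is in log-only mode")
    return Decision("reassign", QUARANTINE_VLAN, "posture check failed")


if __name__ == "__main__":
    modes = {"library": True, "dorm-a": False}          # constructed phase-in map
    p = PortState("sw1", 3, "library")
    print(decide(p, "AA:BB:CC:00:00:01", False, modes))
```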