Educause Security Discussion mailing list archives

Re: Revisiting wireless NAC


From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Fri, 4 Jan 2013 15:55:00 -0700

Before being in higher ed, I was in the fed sector.....heavy duty R&D stuff.  We had wireless networks for both 
internal and "guest" use.  We didn't use a NAC at all on the guest wireless.  The belief system was that the risk 
wasn't really anything to do with the network - the risk is in the data......where it's stored, how it's 
stored/accessed, etc.  If a vendor brought in an infected system and connected to the wireless, the guest network was 
deemed a "use at your own risk" resource.  That being said - we did log everything that went on/through that network, 
but that was about it.....never really had any issues.....but then again, there was really nothing on that network that 
needed to be protected at the edge.  And if there *were* any resources of value that could be reached from the wireless 
edge - those systems were hardened and scanned for vulnerabilities on a VERY regular basis....

Just another $.02.....

M

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Curry
Sent: Friday, January 04, 2013 12:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Revisiting wireless NAC

Hello,

We're currently in the process of re-designing our wireless network to split it into a guest side and a "secure" side, 
add a guest management system, replace the captive portal sign-on with 802.1X authentication on the secure side, etc. 
As part of this project, we're also taking a look at our use of Network Access Control and thinking about what we're 
really trying to accomplish. At the moment, we use a "permanent agent" based NAC on PCs and Macs connecting to the 
wireless network, but the only policy we enforce is that the computer must have antivirus running with up-to-date 
signatures. If the connecting computer doesn't pass that check, we put it into a remediation VLAN.

Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in 
keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't 
enough to keep the malware out because malware has changed, and an argument can perhaps even be made that now that 
Windows and Mac OS X come with built-in firewalls and whatnot, the requirement to have antivirus installed is obsolete. 
And then there's the fact that the majority of devices on our wireless network now are not PCs and Macs anyway, and our 
existing NAC doesn't do anything with those. So, given all that plus some of the push-back we've received from our user 
community about the NAC requirement in general and this specific NAC in particular, we started thinking...

Why don't we get rid of the NAC all together? And instead, we'll just let any device connect to the network (provided 
the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves. Instead of 
running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it 
sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN 
where the user can be informed (with a captive portal or whatever) that his/her computer may be infected with malware 
and provided with advice/tools on cleaning it up. This seemed easy enough, but when we started looking for products, we 
couldn't find any. There are plenty of IDS/IPS systems out there that can detect and block the traffic; that part's 
easy. But we've been unable to find any products that can also do the other part--sending users to some sort of 
quarantine/remediation portal so that they know why their computer isn't working on the network anymore. This last part 
is critical to us, as we do not run a 24x7 help desk, and we don't want to just silently drop users' traffic with no 
explanation when there's nobody they can call to find out what's happening.

So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did 
it?

Thanks,
--Dave



--

DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011

+1 212 229-5300 x4728 * david.curry () newschool edu
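The detect, quarantine and explain loop Dave asks about above, as an added example that is not part of the thread or of any product mentioned in it: IDS alerts are parsed, a per-device policy decides when a device is moved to a remediation VLAN, and the captive portal on that VLAN gets a message telling the user why their connection stopped working. The alert lines, the VLAN number, the portal URL and the help-desk address are constructed placeholders, and the enforcement point (RADIUS CoA, a switch or controller API) is a hypothetical in-memory stub so the script runs offline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample IDS alert lines in a simplified, made-up format (not any
# vendor's real log layout). sev=1 is the most severe, as with Snort priorities.
SAMPLE_ALERTS = [
    '2013-01-04T12:44:01 alert sid=1001 sev=1 src=10.20.5.17 msg="Known C2 beacon"',
    '2013-01-04T12:44:03 alert sid=2002 sev=2 src=10.20.5.42 msg="Possible port scan"',
    '2013-01-04T12:44:05 alert sid=2002 sev=2 src=10.20.5.42 msg="Possible port scan"',
    '2013-01-04T12:44:09 alert sid=2002 sev=2 src=10.20.5.42 msg="Possible port scan"',
    '2013-01-04T12:44:11 alert sid=3003 sev=3 src=10.20.5.99 msg="Informational"',
]

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) alert sid=(?P<sid>\d+) sev=(?P<sev>\d+) '
    r'src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) msg="(?P<msg>[^"]*)"$'
)

QUARANTINE_VLAN = 999                            # hypothetical remediation VLAN id
PORTAL_URL = "https://remediation.example.edu/"  # placeholder portal address
HELP_DESK = "helpdesk@example.edu"               # placeholder contact


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["sev"] = int(d["sev"])
    return d


class NetworkStub:
    """Stand-in for the enforcement point (RADIUS CoA, switch/controller API).
    It only records the actions it would take, so the example runs offline."""

    def __init__(self):
        self.actions = []

    def move_to_vlan(self, ip, vlan):
        self.actions.append(("vlan", ip, vlan))


@dataclass
class QuarantineController:
    network: NetworkStub
    immediate_sev: int = 1      # one alert at this severity or worse quarantines at once
    repeat_threshold: int = 3   # mid-severity alerts needed before acting
    ignore_sev: int = 3         # alerts at this severity or weaker never count
    counts: dict = field(default_factory=lambda: defaultdict(int))
    quarantined: dict = field(default_factory=dict)   # ip -> list of reasons

    def process(self, line):
        """Feed one alert line; return the ip if it was just quarantined, else None."""
        a = parse_alert(line)
        if a is None or a["src"] in self.quarantined:
            return None
        if a["sev"] >= self.ignore_sev:
            return None
        if a["sev"] <= self.immediate_sev:
            return self._quarantine(a["src"], [a["msg"]])
        self.counts[a["src"]] += 1
        if self.counts[a["src"]] >= self.repeat_threshold:
            return self._quarantine(a["src"], [f"{a['msg']} (x{self.counts[a['src']]})"])
        return None

    def _quarantine(self, ip, reasons):
        self.network.move_to_vlan(ip, QUARANTINE_VLAN)
        self.quarantined[ip] = reasons
        return ip

    def portal_message(self, ip):
        """Text the captive portal on the remediation VLAN shows this device, so the
        user learns why the network stopped working instead of seeing a silent drop."""
        reasons = self.quarantined.get(ip)
        if reasons is None:
            return None
        return (
            f"Your device ({ip}) was moved to the remediation network because it "
            f"generated suspicious traffic: {'; '.join(reasons)}. "
            f"Scan and clean the device, then revisit {PORTAL_URL} to request release. "
            f"Questions: {HELP_DESK}."
        )

    def release(self, ip, normal_vlan):
        """Return a cleaned device to its normal VLAN and reset its counters."""
        if ip not in self.quarantined:
            return False
        del self.quarantined[ip]
        self.counts.pop(ip, None)
        self.network.move_to_vlan(ip, normal_vlan)
        return True


def run(lines, network=None):
    """Process a batch of alert lines; return the controller for inspection."""
    ctl = QuarantineController(network or NetworkStub())
    for line in lines:
        ctl.process(line)
    return ctl


if __name__ == "__main__":
    ctl = run(SAMPLE_ALERTS)
    for ip in ctl.quarantined:
        print(ctl.portal_message(ip))
```

The two-tier policy is the part worth tuning for a campus network: a single high-severity signature moves a device immediately, while noisy mid-severity signatures must repeat before anything happens, and informational alerts never trigger a move, which keeps false positives from sending students to the portal. In a real deployment the stub's `move_to_vlan` would issue the VLAN change through whatever the wireless controller supports, and the portal message would be served by the captive portal already planned for the guest side.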

--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.