Educause Security Discussion mailing list archives

Re: Revisiting wireless NAC


From: John Kaftan <jkaftan () UTICA EDU>
Date: Sat, 5 Jan 2013 13:31:55 -0500

David:

This could be done with the system we have but it would be a long haul for
you to get there.  It would pretty much mean a single vendor for Wireless,
NAC, and SIEM and possibly IPS.  We are there except for the SIEM.  I
looked at trying to squeeze in a SIEM with our last network upgrade but I
really don't have the resources to manage such a device once installed.
We'd need a dedicated security guy and we don't have that.

The SIEM is not a trivial charge plus adding head count made me steer
clear.

With our vendor (Enterasys) the IPS would send events to the SIEM and the SIEM
would tell the NAC to put the person in quarantine.  The NAC would redirect
users to a portal that told them that they were quarantined and why and how
to fix it.

They also have an IPS which I am sure they would prefer that you use but I
think you could pull it off with any IPS that has syslog although
integration would be a challenge.

I have been thinking about the same thing.  For us registration takes 10+
min the first time because they have to register, get scanned, load the
agent, get scanned again and then go through our network use agreement
etc.  It is very heavy on the front end, i.e. guilty until proven
innocent.  I'd rather let them on and then just spank them if they are
doing something bad.

The other thing we are missing is that we are not catching other
questionable behavior such as folks trying to hack our network.  With this
system we could quarantine someone if they did a Netscan or hit the admin
account on our DCs or anything that we don't like.  It would be amazingly
powerful and secure and cool.  We have a cyber-security program and I know
the students are playing around on our network with the ethical hacker
skills they are picking up.  I would love to be able to shut them down
immediately when they try that stuff.  It would show them that we really
mean business and are serious about security as an institution.
On Fri, Jan 4, 2013 at 2:43 PM, David Curry <david.curry () newschool edu> wrote:

Hello,

We're currently in the process of re-designing our wireless network to
split it into a guest side and a "secure" side, add a guest management
system, replace the captive portal sign-on with 802.1X authentication on
the secure side, etc. As part of this project, we're also taking a look at
our use of Network Access Control and thinking about what we're really
trying to accomplish. At the moment, we use a "permanent agent" based NAC
on PCs and Macs connecting to the wireless network, but the only policy we
enforce is that the computer must have antivirus running with up-to-date
signatures. If the connecting computer doesn't pass that check, we put it
into a remediation VLAN.

Back when we first implemented NAC (this is the second product), requiring
antivirus software was a major factor in keeping malware out of our
network. But as we all know, it's not that simple anymore--just having
antivirus isn't enough to keep the malware out because malware has changed,
and an argument can perhaps even be made that now that Windows and Mac OS X
come with built-in firewalls and whatnot, the requirement to have antivirus
installed is obsolete. And then there's the fact that the majority of
devices on our wireless network now are not PCs and Macs anyway, and our
existing NAC doesn't do anything with those. So, given all that plus some
of the push-back we've received from our user community about the NAC
requirement in general and this specific NAC in particular, we started
thinking...

Why don't we get rid of the NAC altogether? And instead, we'll just let
any device connect to the network (provided the user authenticates), and
let it do whatever it wants, right up until the point at which it
misbehaves. Instead of running the NAC system, we'll run some kind
of intrusion detection system that's looking for malicious traffic. If it
sees some, it will block the traffic from that device, and move the device
into a "quarantine" or "remediation" VLAN where the user can be informed
(with a captive portal or whatever) that his/her computer may be infected
with malware and provided with advice/tools on cleaning it up. This seemed
easy enough, but when we started looking for products, we couldn't find
any. There are plenty of IDS/IPS systems out there that can detect and
block the traffic; that part's easy. But we've been unable to find any
products that can also do the other part--sending users to some sort of
quarantine/remediation portal so that they know why their computer isn't
working on the network anymore. This last part is critical to us, as we do
not run a 24x7 help desk, and we don't want to just silently drop users'
traffic with no explanation when there's nobody they can call to find out
what's happening.

So finally, my question: Has anybody implemented something like this? If
so, would you be willing to share how you did it?

Thanks,
--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu
-- 
John Kaftan
IT Infrastructure Manager
Utica College
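As an added illustration of the IPS -> SIEM -> NAC glue discussed in this thread (not code from either poster, Enterasys, or any product), here is the decision logic that sits between a syslog-capable IPS and the quarantine step: parse the forwarded alerts, apply a small policy (certain classifications quarantine on the first hit, anything else only after repeated alerts from one source), and produce the reason text the remediation portal would show. The alert lines, signature ids and addresses are constructed for the example in a simplified Snort-like fast-alert format; actually telling the NAC to move the device is left to whatever API the NAC exposes.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of IPS alerts as they might arrive over syslog.
# Signature ids, hosts and messages are made up for this example.
SAMPLE_SYSLOG = """\
Jan  5 13:31:55 ips1 snort[4242]: [1:1000001:1] EXAMPLE portscan from host [Classification: network-scan] [Priority: 2] {TCP} 10.9.8.7:50123 -> 10.0.0.5:445
Jan  5 13:31:56 ips1 snort[4242]: [1:1000002:1] EXAMPLE repeated admin logon failures [Classification: attempted-admin] [Priority: 1] {TCP} 10.9.8.8:50200 -> 10.0.0.10:88
Jan  5 13:31:57 ips1 snort[4242]: [1:1000003:1] EXAMPLE suspicious user agent [Classification: policy-violation] [Priority: 3] {TCP} 10.9.8.9:50300 -> 192.0.2.10:80
Jan  5 13:31:58 ips1 snort[4242]: [1:1000003:1] EXAMPLE suspicious user agent [Classification: policy-violation] [Priority: 3] {TCP} 10.9.8.9:50301 -> 192.0.2.10:80
Jan  5 13:31:59 ips1 snort[4242]: [1:1000003:1] EXAMPLE suspicious user agent [Classification: policy-violation] [Priority: 3] {TCP} 10.9.8.9:50302 -> 192.0.2.10:80
Jan  5 13:32:00 ips1 snort[4242]: [1:1000003:1] EXAMPLE suspicious user agent [Classification: policy-violation] [Priority: 3] {TCP} 10.9.8.11:50400 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

# Policy: these classifications quarantine on the first alert; any other
# classification quarantines only once a source reaches REPEAT_THRESHOLD.
IMMEDIATE = {"network-scan", "attempted-admin"}
REPEAT_THRESHOLD = 3

@dataclass
class Quarantine:
    src_ip: str
    reason: str   # text the remediation portal shows the user
    sid: str      # signature that triggered the decision

def parse_alerts(text):
    """Extract the fields we need from each syslog line; skip non-alert lines."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ALERT_RE.search(line))]

def decide(alerts):
    """Return {source_ip: Quarantine} for sources that meet the policy."""
    decisions, counts = {}, Counter()
    for a in alerts:
        src = a["src"]
        counts[src] += 1
        if src in decisions:          # already quarantined, nothing more to do
            continue
        if a["cls"] in IMMEDIATE:
            decisions[src] = Quarantine(
                src, f"Your device triggered '{a['msg']}' ({a['cls']}).", a["sid"])
        elif counts[src] >= REPEAT_THRESHOLD:
            decisions[src] = Quarantine(
                src, f"Your device repeatedly triggered '{a['msg']}' "
                     f"({counts[src]} alerts).", a["sid"])
    return decisions
```

Running `decide(parse_alerts(SAMPLE_SYSLOG))` quarantines the scanner and the admin-logon source immediately, the third source only on its third alert, and leaves the single policy-violation source alone.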
