Educause Security Discussion mailing list archives
Re: Revisiting wireless NAC
From: John Kaftan <jkaftan () UTICA EDU>
Date: Sat, 5 Jan 2013 13:31:55 -0500
David: This could be done with the system we have but it would be a long haul for you to get there. It would pretty much mean a single vendor for Wireless, NAC, and SIEM and possibly IPS. We are there accept for the SIEM. I looked at trying to squeeze in a SEIM with our last network upgrade but I really don't have the resources to manage such a device once installed. We'd need a dedicated security guy and we don't have that. The SEIM is not a trivial charge plus adding head count made me steer clear. With our vendor (Enterasys) the IPS would send events to SEIM and the SEIM would tell the NAC to put the person in quarantine. The NAC would redirect users to a portal that told them that they were quarantined and why and how to fix it. They also have an IPS which I am sure they would prefer that you use but I think you could pull it off with any IPS that has syslog although integration would be a challenge. I have been thinking about the same thing. For us registration takes 10 + min the first time because they have to register, get scanned, load the agent, get scanned again and then go through our network use agreement etc. It is very heavy on the front end, i.e. guilty until proven innocent. I'd rather let them on and then just spank them if they are doing something bad. The other thing we are missing is that we are not catching other questionable behavior such as folks trying to hack our network. With this system we could quarantine someone if they did a Netscan or hit the admin account on our DCs or anything that we don't like. It would be amazingly powerful and secure and cool. We have a cyber-securty program and I know the students are playing around on our network with the ethical hacker skills they are picking up. I would love to be able to shut them down immediately when they try that stuff. It would show them that we really mean business and are serious security as an institution. On Fri, Jan 4, 2013 at 2:43 PM, David Curry <david.curry () newschool edu>wrote:
Hello, We're currently in the process of re-designing our wireless network to split it into a guest side and a "secure" side, add a guest management system, replace the captive portal sign-on with 802.1X authentication on the secure side, etc. As part of this project, we're also taking a look at our use of Network Access Control and thinking about what we're really trying to accomplish. At the moment, we use a "permanent agent" based NAC on PCs and Macs connecting to the wireless network, but the only policy we enforce is that the computer must have antivirus running with up-to-date signatures. If the connecting computer doesn't pass that check, we put it into a remediation VLAN. Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out because malware has changed, and an argument can perhaps even be made that now that Windows and Mac OS X come with built-in firewalls and whatnot, the requirement to have antivirus installed is obsolete. And then there's the fact that the majority of devices on our wireless network now are not PCs and Macs anyway, and our existing NAC doesn't do anything with those. So, given all that plus some of the push-back we've received from our user community about the NAC requirement in general and this specific NAC in particular, we started thinking... Why don't we get rid of the NAC all together? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves. Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed (with a captive portal or whatever) that his/her computer may be infected with malware and provided with advice/tools on cleaning it up. This seemed easy enough, but when we started looking for products, we couldn't find any. There are plenty of IDS/IPS systems out there that can detect and block the traffic; that part's easy. But we've been unable to find any products that can also do the other part--sending users to some sort of quarantine/remediation portal so that they know why their computer isn't working on the network anymore. This last part is critical to us, as we do not run a 24x7 help desk, and we don't want to just silently drop users' traffic with no explanation when there's nobody they can call to find out what's happening. So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it? Thanks, --Dave -- *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011 +1 212 229-5300 x4728 • david.curry () newschool edu
-- John Kaftan IT Infrastructure Manager Utica College
Current thread:
- Revisiting wireless NAC David Curry (Jan 04)
- Re: Revisiting wireless NAC Justin Azoff (Jan 04)
- Re: Revisiting wireless NAC Patrick Gorsuch (Jan 04)
- Re: Revisiting wireless NAC Hahues, Sven (Jan 04)
- Re: Revisiting wireless NAC Mark Monroe (Jan 04)
- Re: Revisiting wireless NAC SCHALIP, MICHAEL (Jan 04)
- Re: Revisiting wireless NAC Martin Golizio (Jan 05)
- Re: Revisiting wireless NAC John Kaftan (Jan 05)
- Re: Revisiting wireless NAC Jeff Kell (Jan 06)