Educause Security Discussion mailing list archives

Re: SECURITY Digest - 4 Jan 2013 to 5 Jan 2013 (#2013-4)


From: Jeff Uebele <jeff.uebele () DAL CA>
Date: Mon, 7 Jan 2013 14:48:15 -0400

Martin,

Being as you are touting the merits and suitability of your product, could
you respond specifically to David Curry's critical requirement to "send
users to some sort of quarantine/remediation portal" (paraphrased from the
paragraph below)?

Thanks, I look forward to your response.


*There are plenty of IDS/IPS systems out there that can detect and block the
*traffic; that part's easy. But we've been unable to find any products that
*can also do the other part--sending users to some sort of
*quarantine/remediation portal so that they know why their computer isn't
*working on the network anymore. This last part is critical to us, as we do
*not run a 24x7 help desk, and we don't want to just silently drop users'
*traffic with no explanation when there's nobody they can call to find out
*what's happening.
*
*So finally, my question: Has anybody implemented something like this? If
*so, would you be willing to share how you did it?




*Date:    Sat, 5 Jan 2013 17:52:15 +0000
*From:    Martin Golizio <mgolizio () PALOALTONETWORKS COM>
*Subject: Re: Revisiting wireless NAC
*
*Dave,
*
*Have you looked into Palo Alto Networks? Palo Alto Networks' award winning
*firewall (Gartner Report
*<http://www.paloaltonetworks.com/cam/gartner/index.php>) integrates with
*many NAC solutions via our very robust API, which includes direct
*integration with Aruba's Amigopod and Enterasys' Mobile IAM to provide the
*protection you are seeking.
*
*Here are a few links to learn more:
*http://media.paloaltonetworks.com/documents/aruba.pdf and
*http://media.paloaltonetworks.com/documents/enterasys.pdf
*
*Palo Alto Networks - Malware Solution -
*Wildfire<http://www.paloaltonetworks.com/solutions/WildFire.html>
*
*And I also found this which might help: http://50.57.171.168/wp-content/media/2011-Gartner-Magic-Quadrant-NAC.pdf
*
*I hope this helps.
*
*
*Best regards,
*
*Martin Golizio   |   Regional Sales Manager
*Office: 609.858.5531 | Mobile: 609.638.1326
*www.paloaltonetworks.com
*
*From: The EDUCAUSE Security Constituent Group Listserv
*[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Curry
*Sent: Friday, January 04, 2013 2:44 PM
*To: SECURITY () LISTSERV EDUCAUSE EDU
*Subject: [SECURITY] Revisiting wireless NAC
*
*Hello,
*
*We're currently in the process of re-designing our wireless network to
*split it into a guest side and a "secure" side, add a guest management
*system, replace the captive portal sign-on with 802.1X authentication on
*the secure side, etc. As part of this project, we're also taking a look at
*our use of Network Access Control and thinking about what we're really
*trying to accomplish. At the moment, we use a "permanent agent" based NAC
*on PCs and Macs connecting to the wireless network, but the only policy we
*enforce is that the computer must have antivirus running with up-to-date
*signatures. If the connecting computer doesn't pass that check, we put it
*into a remediation VLAN.
*
*Back when we first implemented NAC (this is the second product), requiring
*antivirus software was a major factor in keeping malware out of our
*network. But as we all know, it's not that simple anymore--just having
*antivirus isn't enough to keep the malware out because malware has changed,
*and an argument can perhaps even be made that now that Windows and Mac OS X
*come with built-in firewalls and whatnot, the requirement to have antivirus
*installed is obsolete. And then there's the fact that the majority of
*devices on our wireless network now are not PCs and Macs anyway, and our
*existing NAC doesn't do anything with those. So, given all that plus some
*of the push-back we've received from our user community about the NAC
*requirement in general and this specific NAC in particular, we started
*thinking...
*
*Why don't we get rid of the NAC all together? And instead, we'll just let
*any device connect to the network (provided the user authenticates), and
*let it do whatever it wants, right up until the point at which it
*misbehaves. Instead of running the NAC system, we'll run some kind of
*intrusion detection system that's looking for malicious traffic. If it sees
*some, it will block the traffic from that device, and move the device into
*a "quarantine" or "remediation" VLAN where the user can be informed (with a
*captive portal or whatever) that his/her computer may be infected with
*malware and provided with advice/tools on cleaning it up. This seemed easy
*enough, but when we started looking for products, we couldn't find any.
*There are plenty of IDS/IPS systems out there that can detect and block the
*traffic; that part's easy. But we've been unable to find any products that
*can also do the other part--sending users to some sort of
*quarantine/remediation portal so that they know why their computer isn't
*working on the network anymore. This last part is critical to us, as we do
*not run a 24x7 help desk, and we don't want to just silently drop users'
*traffic with no explanation when there's nobody they can call to find out
*what's happening.
*
*So finally, my question: Has anybody implemented something like this? If
*so, would you be willing to share how you did it?
*
*Thanks,
*--Dave
*
*
*
*--
*
*DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY
*
*THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011
*
*+1 212 229-5300 x4728 *
*david.curry () newschool edu<mailto:david.curry () newschool edu>
*
*------------------------------
*
*End of SECURITY Digest - 4 Jan 2013 to 5 Jan 2013 (#2013-4)
************************************************************
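The alert-to-quarantine workflow Dave describes (an IDS sees malicious traffic, the device is moved to a remediation VLAN, and a captive portal tells the user why), written out as an added example that is not from anyone in this thread and not any vendor's product. It assumes Snort/Suricata-style "fast" alert lines, a hypothetical `enforce(ip, vlan)` hook standing in for whatever actually moves a client (a RADIUS Change-of-Authorization, a controller API), and constructed client ranges, VLAN id and alert lines.

```python
import ipaddress
import re

CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed wireless client range
REMEDIATION_VLAN = 999                                 # constructed quarantine VLAN id

# Snort/Suricata "fast" alert: [**] [gid:sid:rev] msg [**] ... [Priority: N] {proto} src:port -> dst:port
ALERT_RE = re.compile(r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
                      r"\[Priority:\s*(?P<prio>\d+)\].*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->")

def parse_alert(line):
    m = ALERT_RE.search(line)
    return None if m is None else {"sid": m["sid"], "msg": m["msg"],
                                   "priority": int(m["prio"]), "src": m["src"]}

class QuarantineEngine:
    """Glue between the IDS and the remediation VLAN, plus the captive-portal explanation."""
    def __init__(self, enforce, threshold=3):
        self.enforce = enforce       # hypothetical hook enforce(ip, vlan), e.g. a RADIUS CoA
        self.threshold = threshold   # lower-priority alerts needed before acting
        self.hits = {}               # client ip -> alert descriptions seen so far
        self.quarantined = {}        # client ip -> reasons it was moved

    def process(self, line):
        a = parse_alert(line)
        if a is None or a["src"] in self.quarantined or not any(
                ipaddress.ip_address(a["src"]) in net for net in CLIENT_NETS):
            return False             # unparsable, already handled, or not one of our clients
        hits = self.hits.setdefault(a["src"], [])
        hits.append(f"{a['msg']} (sid {a['sid']})")
        # A priority-1 alert quarantines at once; lesser alerts need repeated evidence.
        if a["priority"] == 1 or len(hits) >= self.threshold:
            self.quarantined[a["src"]] = list(hits)
            self.enforce(a["src"], REMEDIATION_VLAN)
            return True
        return False

    def portal_message(self, ip):
        # Text the captive portal shows so the user knows why the network stopped working.
        reasons = self.quarantined.get(ip)
        if not reasons:
            return None
        return ("Your device was moved to the remediation network because it sent traffic "
                "matching known malware activity:\n" + "".join(f"  - {r}\n" for r in reasons)
                + "Run a full, up-to-date antivirus scan, then reconnect to be re-checked.")

SAMPLE_ALERTS = [  # constructed lines (invented sids, documentation addresses), not real IDS output
    "01/04-14:44:01.000000 [**] [1:9000002:1] EXAMPLE suspicious DNS query [**] [Classification: Misc] [Priority: 3] {UDP} 10.20.5.7:53012 -> 203.0.113.53:53",
    "01/04-14:44:02.000000 [**] [1:9000001:1] EXAMPLE trojan beacon [**] [Classification: Trojan] [Priority: 1] {TCP} 10.20.5.7:51234 -> 203.0.113.9:443",
]
```

Feeding `SAMPLE_ALERTS` through `process()` leaves the host alone after the priority-3 alert and quarantines it on the priority-1 one; `portal_message()` then lists both alerts as the reasons, which is the part Dave could not find a product for.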