Revisiting wireless NAC

[David Curry <david.curry () NEWSCHOOL EDU>]

Hello,

We're currently in the process of re-designing our wireless network to
split it into a guest side and a "secure" side, add a guest management
system, replace the captive portal sign-on with 802.1X authentication on
the secure side, etc. As part of this project, we're also taking a look at
our use of Network Access Control and thinking about what we're really
trying to accomplish. At the moment, we use a "permanent agent" based NAC
on PCs and Macs connecting to the wireless network, but the only policy we
enforce is that the computer must have antivirus running with up-to-date
signatures. If the connecting computer doesn't pass that check, we put it
into a remediation VLAN.

Back when we first implemented NAC (this is the second product), requiring
antivirus software was a major factor in keeping malware out of our
network. But as we all know, it's not that simple anymore--just having
antivirus isn't enough to keep the malware out because malware has changed,
and an argument can perhaps even be made that now that Windows and Mac OS X
come with built-in firewalls and whatnot, the requirement to have antivirus
installed is obsolete. And then there's the fact that the majority of
devices on our wireless network now are not PCs and Macs anyway, and our
existing NAC doesn't do anything with those. So, given all that plus some
of the push-back we've received from our user community about the NAC
requirement in general and this specific NAC in particular, we started
thinking...

Why don't we get rid of the NAC all together? And instead, we'll just let
any device connect to the network (provided the user authenticates), and
let it do whatever it wants, right up until the point at which it
misbehaves. Instead of running the NAC system, we'll run some kind
of intrusion detection system that's looking for malicious traffic. If it
sees some, it will block the traffic from that device, and move the device
into a "quarantine" or "remediation" VLAN where the user can be informed
(with a captive portal or whatever) that his/her computer may be infected
with malware and provided with advice/tools on cleaning it up. This seemed
easy enough, but when we started looking for products, we couldn't find
any. There are plenty of IDS/IPS systems out there that can detect and
block the traffic; that part's easy. But we've been unable to find any
products that can also do the other part--sending users to some sort of
quarantine/remediation portal so that they know why their computer isn't
working on the network anymore. This last part is critical to us, as we do
not run a 24x7 help desk, and we don't want to just silently drop users'
traffic with no explanation when there's nobody they can call to find out
what's happening.

So finally, my question: Has anybody implemented something like this? If
so, would you be willing to share how you did it?

Thanks,
--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu