Full Disclosure mailing list archives

RE: Good Network Access Control solution using


From: Ryan Sumida <rsumida () csulb edu>
Date: Thu, 16 Sep 2004 15:46:33 -0700

Thank you for the write-up, it is very informative.  I forgot to mention 
in my post that our campus does not support the Dorm users at all.  For 
the most part their network is wide open.  They bring in their own 
computers and install/uninstall any OS/software that they want.  I skimmed 
through your paper and noticed all the solutions require client software. 
Is there a product that uses a network-based scan (e.g. Nessus) or NIDS to 
validate network access?

Thanks,

Ryan


"Buelna, Derek" <derek.buelna () office xerox com> wrote on 09/16/2004 
02:20:50 PM:

I wrote a paper on enforcing policy at the perimeter that you might find 
useful. 
http://www.giac.org/practical/GSEC/Derek_Buelna_GSEC.pdf

Cheers,

-Derek

From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-
admin () lists netsys com] On Behalf Of Ryan Sumida
Sent: Thursday, September 16, 2004 12:43 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Good Network Access Control solution using 
dot1x?


Hello Security Folk, 

Looking for a network solution to mitigate the virus/worm problems in 
our university dorm network.  Has any one company moved ahead of the 
pack in the port based NAC market?  I'm not sure if this is the best way
to go but in theory it would solve some of our problems.  At the moment 
our IPS is blocking over 90,000 attacks/hour from the dorm area alone! 

A solution similar to Perfigo's CleanMachine product is what I have in 
mind but with 802.1x support.  When end-users would like to get on the 
network they start in a temporary restricted VLAN.  The system will then
be scanned (Nessus scan, etc.) for vulnerabilities defined by the 
security policy.  If compliant then the MAC is granted network access 
and the port is then changed to a non-restricted VLAN.  If non-
compliant the MAC is put on a quarantine list and the port is then set to 
a "jailed" VLAN. 

Anyone know of a good product that can do this or something similar? 


Regards, 

Ryan
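The workflow described in the post (new host lands in a restricted VLAN, gets scanned, then is moved to a production VLAN if compliant or to a jailed VLAN and a quarantine list if not) as a toy policy engine. This is an added example, not code from the thread or from any product named in it. The VLAN numbers, the policy thresholds, and the scan findings (including the check IDs and names) are constructed sample data standing in for a real scanner report; nothing here talks to Nessus, a switch, or a RADIUS server.

```python
"""Toy NAC policy engine (added example, not from the original thread).

Implements the decision step of the workflow in the post: every host starts
in a restricted VLAN, the scan result is evaluated against the policy, and
the host is moved to production or jailed.  All VLAN numbers, plugin IDs and
findings below are assumptions / constructed sample data.
"""
from dataclasses import dataclass
import re

RESTRICTED_VLAN = 10   # assumed: where every port starts, scanner access only
PRODUCTION_VLAN = 20   # assumed: full network access
JAILED_VLAN = 30       # assumed: quarantine, remediation resources only

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    plugin_id: int      # scanner check identifier (constructed values below)
    severity: str       # one of the SEVERITY keys
    port: int           # 0 for host-level findings
    name: str


@dataclass
class Policy:
    max_severity: str = "medium"               # highest severity still tolerated
    banned_plugins: frozenset = frozenset()    # checks that always fail compliance
    banned_ports: frozenset = frozenset()      # listening services that always fail


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', ... to 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def violations(findings, policy):
    """Return the findings that make a host non-compliant under the policy."""
    limit = SEVERITY[policy.max_severity]
    return [f for f in findings
            if SEVERITY[f.severity] > limit
            or f.plugin_id in policy.banned_plugins
            or f.port in policy.banned_ports]


class Nac:
    def __init__(self, policy):
        self.policy = policy
        self.vlan_by_mac = {}    # current VLAN assignment keyed by MAC
        self.quarantine = set()  # the "quarantine list" from the post

    def connect(self, mac):
        """A host shows up on a port: it starts in the restricted VLAN."""
        mac = normalize_mac(mac)
        self.vlan_by_mac[mac] = RESTRICTED_VLAN
        return RESTRICTED_VLAN

    def scan_result(self, mac, findings):
        """Apply a scan result: promote the host or jail it and quarantine the MAC."""
        mac = normalize_mac(mac)
        bad = violations(findings, self.policy)
        if bad:
            self.quarantine.add(mac)
            self.vlan_by_mac[mac] = JAILED_VLAN
        else:
            self.quarantine.discard(mac)   # a re-scan that passes clears the entry
            self.vlan_by_mac[mac] = PRODUCTION_VLAN
        return self.vlan_by_mac[mac], bad


# Constructed sample findings for two dorm machines (plugin IDs are made up).
CLEAN_HOST = [Finding(90001, "info", 0, "OS fingerprint"),
              Finding(90002, "low", 135, "RPC endpoint mapper reachable")]
WORMY_HOST = [Finding(90010, "critical", 135, "Unpatched RPC DCOM overflow"),
              Finding(90011, "medium", 445, "SMB shares accessible")]
DORM_POLICY = Policy(max_severity="medium",
                     banned_plugins=frozenset({90010}),   # assumed: worm vector
                     banned_ports=frozenset({445}))       # assumed: no SMB serving


def demo():
    """Run both hosts through the workflow; returns VLAN map and quarantine list."""
    nac = Nac(DORM_POLICY)
    for mac, findings in (("00-11-22-33-44-55", CLEAN_HOST),
                          ("0066.7788.99aa", WORMY_HOST)):
        nac.connect(mac)
        nac.scan_result(mac, findings)
    return dict(nac.vlan_by_mac), sorted(nac.quarantine)


if __name__ == "__main__":
    print(demo())
```

Two things worth keeping in mind when building on this: the quarantine list is keyed on the MAC address, which a dorm user can change in seconds, so the real product needs the port (or 802.1x session) as the enforcement handle and the MAC only as a lookup key; and a host scanned clean today can be compromised tonight, so the policy engine should be re-run on a schedule or on an IDS/IPS trigger rather than only at first connect.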
