PaulDotCom mailing list archives

Re: is NAC dead?


From: Kerry <kerry.milestone () gmail com>
Date: Fri, 3 Sep 2010 16:35:34 +0100

I'm building one at the moment, likely soon to be based on Packetfence
(www.packetfence.org).

Currently, I have 802.1x machine authentication working through RADIUS
and LDAP with EAP-TLS.  Then when a user signs in, it re-auths and
puts them on the correct team VLAN.

Mostly, I want it all to be done at L2; I can do MAC and .1x on the same port.

Packetfence allows you to use external triggers, such as Snort and
Nessus.  I already have compliance policy scans with Nessus, which
work with Oracle as well as Windows desktops.  I can trigger a
machine to be put onto a remediation LAN with this.

NAC isn't dead, but I do believe that you have to know what it is you
want, and most vendors that I've been to see etc. promise a drop-in
solution so long as your network is what they want it to be.

As for agents, I like the idea of agentless, where you are inspecting
the traffic on the network (a la Snort-ish types) and actually logging
into the box to check (a la Nessus-ish scans).  Agents are a pain... and
you are limited to what a vendor can provide you with.

I'm not a huge fan of a blackbox controlling my network.

NAC isn't as hard as you think if you can properly understand what
you want to be doing.  I think having separates is better than a
single box doing everything, where you can log to the nth degree to see
what the network and machines are doing.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
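The VLAN decisions the post describes (machine auth via EAP-TLS, user re-auth onto a team VLAN, a Snort or Nessus trigger moving the host to remediation) modelled as an added example; this is not PacketFence's or FreeRADIUS's code, and the VLAN numbers, group names and trigger ids are constructed. The reply attributes are the RFC 3580 tunnel attributes a RADIUS server returns to the switch for dynamic VLAN assignment.

```python
# Added example: policy engine returning RFC 3580 VLAN attributes for a port.
from dataclasses import dataclass, field
from typing import Optional

REMEDIATION_VLAN = "666"                     # constructed remediation VLAN
MACHINE_VLAN = "10"                          # constructed: machine-only auth
TEAM_VLANS = {"eng": "20", "finance": "30"}  # constructed LDAP group -> VLAN

@dataclass
class Endpoint:
    mac: str
    machine_authed: bool = False            # EAP-TLS machine cert accepted
    user_group: Optional[str] = None        # LDAP group from the user re-auth
    violations: set = field(default_factory=set)  # open Snort/Nessus triggers

def vlan_for(ep: Endpoint) -> Optional[str]:
    """Open violation wins, then the user's team VLAN, then the machine VLAN;
    None means no known-good authentication, i.e. Access-Reject."""
    if ep.violations:
        return REMEDIATION_VLAN
    if ep.user_group in TEAM_VLANS:
        return TEAM_VLANS[ep.user_group]
    if ep.machine_authed:
        return MACHINE_VLAN
    return None

def radius_reply(ep: Endpoint) -> Optional[dict]:
    """Access-Accept attributes for dynamic VLAN assignment (RFC 3580):
    Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6),
    Tunnel-Private-Group-Id=<vlan>.  None stands for Access-Reject."""
    vlan = vlan_for(ep)
    if vlan is None:
        return None
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-Id": vlan}

def apply_trigger(ep: Endpoint, trigger_id: str, opened: bool) -> bool:
    """Record or clear an external trigger (a Snort alert, a failed Nessus
    compliance check).  Returns True when the resulting VLAN changed, i.e.
    when the switch port must be re-authorised (re-auth or CoA)."""
    before = vlan_for(ep)
    if opened:
        ep.violations.add(trigger_id)
    else:
        ep.violations.discard(trigger_id)
    return vlan_for(ep) != before
```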

