PaulDotCom mailing list archives
Re: is NAC dead?
From: Kerry <kerry.milestone () gmail com>
Date: Fri, 3 Sep 2010 16:35:34 +0100
I'm building one together at the moment, likely soon to be based on Packetfence (www.packetfence.org). Currently, I have 802.1X machine authentication working through RADIUS and LDAP with EAP-TLS. Then, when a user signs in, it re-auths and puts them on the correct team VLAN. Mostly, I want it all to be done at L2; I can do MAC and .1X on the same port.

Packetfence allows you to use external triggers, such as Snort and Nessus. Already I have compliance policy scans with Nessus, which works with Oracle as well as Windows desktops. I can trigger a machine to be put onto a remediation LAN with this.

NAC isn't dead, but I do believe that you have to know what it is you want, and most vendors that I've been to see, etc., promise a drop-in solution so long as your network is what they want it to be.

As for agents, I like the idea of agentless, where you are inspecting the traffic on the network (à la Snort-ish types) and actually logging into the box to check (à la Nessus-ish scans). Agents are a pain... and you are limited to what a vendor can provide you with. I'm not a huge fan of a blackbox controlling my network.

NAC isn't as hard as you think, if you can properly understand what you want to be doing. I think having separates is better than a single box doing everything, where you can log to the nth degree to see what the network and machines are doing.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
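The dynamic VLAN assignment Kerry describes (the RADIUS server returning the team VLAN on the user re-auth, or a remediation VLAN after a Nessus trigger) rides on three RFC 2868 tunnel attributes in the Access-Accept: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-Id=<vlan>. The Python below is an added example, not code from the post or from Packetfence or any RADIUS server. It encodes an Access-Accept carrying those attributes, computes and verifies the Response Authenticator that a switch checks before trusting the VLAN, and decodes the VLAN the switch would apply. The shared secret, the VLAN numbers and the `decide_vlan` policy are assumptions for illustration only.

```python
"""Encode/decode RADIUS Access-Accept packets carrying the RFC 2868 tunnel
attributes a switch uses for dynamic VLAN assignment after 802.1X / MAC auth.
Added example: the secret, VLAN numbers and policy are made up."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type value meaning "IEEE 802"

# Hypothetical VLAN plan standing in for the team / remediation VLANs in the post.
TEAM_VLANS = {"dev": 20, "finance": 30}
MACHINE_ONLY_VLAN = 10
REMEDIATION_VLAN = 99


def decide_vlan(machine_ok, user_group=None, compliant=True):
    """Policy stand-in: remediation wins, then the team VLAN, then machine-only.
    Returns None when neither the machine nor a known user authenticated."""
    if not machine_ok and user_group not in TEAM_VLANS:
        return None
    if not compliant:
        return REMEDIATION_VLAN
    if user_group in TEAM_VLANS:
        return TEAM_VLANS[user_group]
    return MACHINE_ONLY_VLAN


def _tagged_int(attr, value, tag=0):
    # Type, Length (always 6), Tag, 3-byte big-endian integer
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def _tagged_str(attr, text, tag=0):
    data = text.encode()
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_attributes(vlan_id, tag=0):
    """The three attributes a NAS needs to move the port into vlan_id."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802, tag)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def build_response(code, identifier, request_auth, attributes, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


def verify_response(packet, request_auth, secret):
    """What the switch does before trusting the VLAN: recompute the authenticator
    with its copy of the shared secret and the Request Authenticator it sent."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _split_tag(atype, value):
    # Integer tunnel attributes always carry a tag byte; the string one only
    # when its first byte is <= 0x1F (RFC 2868 section 3.6).
    if not value or (atype == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F):
        return 0, value
    return value[0], value[1:]


def assigned_vlan(packet):
    """VLAN id string the switch would apply, or None if the Accept lacks a
    consistent VLAN / IEEE-802 group (the port then stays in its default VLAN)."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = _split_tag(atype, value)
            groups.setdefault(tag, {})[atype] = payload
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


if __name__ == "__main__":
    secret = b"example-shared-secret"   # assumption; per-NAS secret in practice
    req_auth = bytes(range(16))         # normally taken from the Access-Request
    vlan = decide_vlan(machine_ok=True, user_group="dev", compliant=False)
    pkt = build_response(ACCESS_ACCEPT, 7, req_auth, vlan_attributes(vlan), secret)
    print(verify_response(pkt, req_auth, secret), assigned_vlan(pkt))
```

The authenticator check is the only thing standing between a forged Access-Accept on the management path and a port landing in the wrong VLAN, and it is an MD5 keyed only by the NAS shared secret, so that secret deserves the same care as the LDAP bind credentials; the EAP-TLS exchange protects the supplicant's identity, not this server-to-switch hop.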
Current thread:
- is NAC dead? Albert R. Campa (Sep 03)
- Re: is NAC dead? Jack Daniel (Sep 03)
- Re: is NAC dead? Albert R. Campa (Sep 03)
- Re: is NAC dead? Dan McGinn-Combs (Sep 03)
- Re: is NAC dead? Aa'ed Alqarta (Sep 03)
- <Possible follow-ups>
- Re: is NAC dead? Kerry (Sep 03)
- Re: is NAC dead? Jack Daniel (Sep 03)