Educause Security Discussion
mailing list archives
Re: NAC devices - opinions sought
From: David Boyer <David () BVU EDU>
Date: Fri, 16 Feb 2007 18:11:41 -0600
The computers used by our students are all university-issued. They all
have our antivirus software which is centrally managed and updated, and
we're using Microsoft WUS with a domain policy to ensure patch
installation. Even with that and a gateway malware scanner, things still
manage to get under the radar.
I like the idea of disallowing network access until a system is
healthy. As you pointed out, students have an amazing ability to
tolerate malware on their system. It might make things slow for them or
potenially compromise their privacy, but it doesn't become a priority
until it causes MSN or some other app not to work. Shutting off network
access informs them of the problem in a way that is difficult to ignore,
plus it adds an element of inconvenience that might encourage safer
Charlie Prothero <Charlie.Prothero () KEYSTONE EDU> 5:32 PM 2/16/2007
Hi, David! Keystone College purchased the Clean Access product (then
called *Clean Machines*) just as Cisco was absorbing Perfigo. There
were not as many choices in this space back then as there are now, but I
can*t IMAGINE running our resnet without it. We used to spend WEEKS of
tech-hours each fall trying to track and clean up all orders of malware
in our resnet. Our students just didn*t understand the importance of
antivirus software or OS patches * and many of their machines were just
dreadful to clean up. With this product, the students can*t get their
machines on the network without meeting minimum maintenance requirements
* so the burden is on them to *clean up their act* so to speak. That*s
quite a shift from the tech group running around trying to find and fix
the student computers! We had also found ourselves fixing the same
machines over and over again, because the students *unfix* *em as soon
as you leave. Students never cared what their machines were spewing out
across our network, as long as their AIM client worked. Now, it won*t
work for sure until they*re running clean.
As I said before, there are more choices now than when we went with
this one * but we only considered ones that include client software to
be installed on the student machines. One *agentless* product that we
looked at depended on the student to create an administrative account on
their machine in order to allow the server to peek in and verify
maintenance status. That would be fine in a corporate setting where you
control all of the machines, but it looked like a management intensive
nightmare for a resnet situation! The Clean Access product includes
clients for Windows as well as Mac. There is no Linux client, but it
can detect a Linux OS, so we have set ours up to provide one hour of
restricted bandwidth per system boot in order to allow students to play
with Linux (only one student has ever used it, and he was happy with
this solution). Another plus for the client is that it provides pretty
good guidance to the student as to why their machine failed its
maintenance checks and what to do about it.
Would you write back to the list after you choose a product? I would
be interested to know which one you choose and what factors influenced
you in that direction. Thanks, and good luck!
From:David Boyer [mailto:David () BVU EDU]
Sent: Friday, February 16, 2007 5:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NAC devices - opinions sought
Anyone familiar with Ciscos Network Admission Control (formerly Cisco
Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network
Access Control or similar software/appliances?
Like many schools, we have a 1:1 ration of computers to students. We'd
like to avoid letting vulnerable or malware-infected systems onto our
network while simultaneously addressing the infection or vulnerability.
Almost all of our systems are running Windows XP or Windows 2000.
I'd be interested in hearing about your experiences with these or
similar solutions. Any open-source solutions that you know of?
Thanks in advance,