Educause Security Discussion
mailing list archives
Re: NAC devices - opinions sought
From: Conor McGrath <conormc () UCHICAGO EDU>
Date: Sat, 17 Feb 2007 11:57:49 -0600
On Sat, Feb 17, 2007 at 09:47:31AM -0600 Brian T Nichols said:
At LSU, we've been evaluating Microsoft Network Access Protection (NAP).
For a very high level description, NAP is composed of a client side
component, a server component, and an enforcement mechanism. When a
client tries to associate with a network, the server component forces
the client to run through a series of tests that we pre-determine (such
as is the firewall enabled, are all patches installed, etc.). If the
client fails these tests, the server signals the enforcement mechanism
(either DHCP, 802.1x or IPSec) to quarantine the client. The quarantine
network is an isolated area where the client can update itself so as to
be compliant (for example, by downloading patches). After the client is
updated, it will retry to associate with the network, at which point the
server will again check the client and, assuming it now passes, signal
the enforcement mechanism to allow 'normal' access to the network. The
real benefit of NAP is that it provides persistent enforcement of our
policies. Rather than being a manual process done at the beginning of
the semester only, NAP ensures that a system is compliant each time it
connects to the network.
LSU selected NAP because of easy integration, low cost, and flexible
deployment options. We performed an initial pilot of 250+ machines with
DHCP based enforcement, and have already tested 802.1x enforcement,
which will be our long term solution. We have integrated NAP with
existing Cisco hardware, Symantec Antivirus software, and Microsoft
Systems Management Server.
How well does NAP handle OS X and Linux clients? We have a lot of each
of those here so need to consider how they would integrate with any NAC
solution we would choose.
From: David Boyer [mailto:David () BVU EDU]
Sent: Friday, February 16, 2007 5:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NAC devices - opinions sought
Anyone familiar with Ciscos Network Admission Control (formerly Cisco
Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network
Access Control or similar software/appliances?
Like many schools, we have a 1:1 ration of computers to students. We'd
like to avoid letting vulnerable or malware-infected systems onto our
network while simultaneously addressing the infection or vulnerability.
Almost all of our systems are running Windows XP or Windows 2000.
I'd be interested in hearing about your experiences with these or
similar solutions. Any open-source solutions that you know of?
Conor McGrath Phone: (773)702-7611
Manager for Network Security Fax: (773)834-8444
Network Security Center, The University of Chicago NetSec: (773)702-2378