Educause Security Discussion mailing list archives

Re: NAC devices - opinions sought
From: Brian T Nichols <bnicho1 () LSU EDU>
Date: Sat, 17 Feb 2007 13:16:45 -0600


We have not done extensive testing on these clients.  However, in the
near future, we will be rolling out NAP, moving from DHCP to 802.1x.
Our plan is to rely on 3rd party software to handle Mac and Linux



Brian Nichols, CISSP, CISM, CISA, CIA
Chief IT Security & Policy Officer
Louisiana State University

-----Original Message-----
From: Conor McGrath [mailto:conormc () UCHICAGO EDU] 
Sent: Saturday, February 17, 2007 11:58 AM
Subject: Re: [SECURITY] NAC devices - opinions sought

On Sat, Feb 17, 2007 at 09:47:31AM -0600 Brian T Nichols said:
Hi David,

At LSU, we've been evaluating Microsoft Network Access Protection
For a very high level description, NAP is composed of a client side
component, a server component, and an enforcement mechanism.  When a
client tries to associate with a network, the server component forces
the client to run through a series of tests that we pre-determine (such
as is the firewall enabled, are all patches installed, etc.).  If the
client fails these tests, the server signals the enforcement mechanism
(either DHCP, 802.1x or IPSec) to quarantine the client.  The
network is an isolated area where the client can update itself so as to
be compliant (for example, by downloading patches).  After the client is
updated, it will retry to associate with the network, at which point the
server will again check the client and, assuming it now passes, signal
the enforcement mechanism to allow 'normal' access to the network.  The
real benefit of NAP is that it provides persistent enforcement of our
policies.  Rather than being a manual process done at the beginning of
the semester only, NAP ensures that a system is compliant each time it
connects to the network.

LSU selected NAP because of easy integration, low cost, and flexible
deployment options.  We performed an initial pilot of 250+ machines
DHCP based enforcement, and have already tested 802.1x enforcement,
which will be our long term solution.  We have integrated NAP with
existing Cisco hardware, Symantec Antivirus software, and Microsoft
Systems Management Server.

How well does NAP handle OS X and Linux clients?  We have a lot of each
of those here so need to consider how they would integrate with any NAC
solution we would choose.



From: David Boyer [mailto:David () BVU EDU] 
Sent: Friday, February 16, 2007 5:50 PM
Subject: [SECURITY] NAC devices - opinions sought

Anyone familiar with Cisco's Network Admission Control (formerly Cisco
Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network
Access Control or similar software/appliances?

Like many schools, we have a 1:1 ratio of computers to students. We'd
like to avoid letting vulnerable or malware-infected systems onto our
network while simultaneously addressing the infection or
Almost all of our systems are running Windows XP or Windows 2000.

I'd be interested in hearing about your experiences with these or
similar solutions. Any open-source solutions that you know of?

Conor McGrath                                           Phone:
Manager for Network Security                            Fax:
Network Security Center, The University of Chicago      NetSec:
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
