mailing list archives
Re: is NAC dead?
From: Kerry <kerry.milestone () gmail com>
Date: Fri, 3 Sep 2010 16:35:34 +0100
I'm building together one at the moment based likely soon to be based
on Packetfence (www.packetfence.org).
Currently, have 802.1x machine authentication working through Radius
and LDAP with eap-tls. Then when a user signs in, it re-auths and
puts them on the correct team vlan.
Mostly, I want it all to be done at L2, I can do MAC and .1x on the same port.
Packetfence allows you to use external triggers, such as Snort and
Nessus. Already i have compliance policy scans with nessus which
works with Oracle as well as windows desktops. I can trigger a
machine to be put onto a remediation lan with this.
NAC isn't dead, but I do believe that you have to know what it is you
want, and most vendors that I've been to see etc promise a drop in
solution so long as your network is what they want it to be.
as for agents, I like the idea of agentless where you are inspecting
the traffic on the network (ala snortish types) and actually logging
into the box to check (ala nessusish scans). Agents are a pain... and
you are limited to what a vendor can provide you with.
I'm not a huge fan of a blackbox controlling my network.
NAC isn't as hard as you think, if you can properly understand what
you want to be doing. I think having separates is better than a
single box doing everything where you can log to the nth degree to see
what the network and machines are doing.
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com
- is NAC dead? Albert R. Campa (Sep 03)
- <Possible follow-ups>
- Re: is NAC dead? Kerry (Sep 03)