RE: Good Network Access Control solution using dot1x?

["Buelna, Derek" <derek.buelna () office xerox com>]

I wrote a paper on enforcing policy at the perimeter that you might find useful. 
http://www.giac.org/practical/GSEC/Derek_Buelna_GSEC.pdf <http://www.giac.org/practical/GSEC/Derek_Buelna_GSEC.pdf> 
 
Cheers,
 
-Derek

  _____  

From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Ryan 
Sumida
Sent: Thursday, September 16, 2004 12:43 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Good Network Access Control solution using dot1x?



Hello Security Folk, 

Looking for a network solution to mitigate the virus/worm problems in our university dorm network.  Has any one company 
moved ahead of the pack in the port based NAC market?  I'm not sure if this is the best way to go but in theory it 
would solve some of our problems.  At the moment our IPS is blocking over 90,000 attacks/hour from the dorm area alone! 

A solution similar to Perfigo's CleanMachine product is what I have in mind but with 802.1x support.  When end-users 
would like to get on the network they start in a temporary restricted VLAN.  The system will then be scanned (Nessus 
scan , etc.)  for vulnerabilities defined by the security policy.  If compliant then the mac is granted network access 
and the port is then changing to a non-restricted VLAN.   If non-compliant the mac is put on quarantine list and the 
port is then set to "jailed" VLAN.   

Anyone know of a good product that can do this or something similar?   


Regards, 

Ryan