Educause Security Discussion mailing list archives

Re: NAC devices - opinions sought


From: Cal Frye <cjf () CALFRYE COM>
Date: Fri, 16 Feb 2007 22:02:28 -0500

David Boyer wrote:
Anyone familiar with Cisco's Network Admission Control (formerly Cisco
Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network
Access Control or similar software/appliances?

Hi, David,
We installed Perfigo in 2004, after a disastrous back-to-school
experience the previous August. What's more useful in daily practice
than quarantining infected computers is that NAC provides a report to
the user which both indicates the vulnerabilities found and can provide
a link to the patches or programs to be installed to solve them. As much as
you can get the users to remediate their own systems, you're time and
money ahead.

We have a rather different approach than others reported. We have not
used the client agent too much. In our experience, the network scan
manages most of what we need to worry about on a user's system. Besides,
the Cisco NAC Macintosh client does not actually scan the Mac as the
Windows client does; the Mac client only authenticates to the network
(at present). If we can't scan your system 'cause the firewall is on,
that's a good thing. We are just now considering changing this stance,
in response to what you are seeing, the subsequent infection of
previously-clean systems.

Plus, we do have a small but busy and vocal Linux community, so letting
them pass is important. Further, this year we have three students to my
knowledge that have Linux desktop systems but are not themselves Linux
gurus; the systems were set up by parents or friends and as long as
email, web, and Open Office are there, they're happy. Beats our former
assumption that if you ran Linux, you knew what you were doing with it...

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College

   www.calfrye.com,  www.pitalabs.com

"Every thing secret degenerates, even the administration of justice;
nothing is safe that does not show it can bear discussion and
publicity." - Lord Acton
