Educause Security Discussion mailing list archives

Re: NAC devices - opinions sought


From: Brian T Nichols <bnicho1 () LSU EDU>
Date: Sat, 17 Feb 2007 09:47:31 -0600

Hi David,

At LSU, we've been evaluating Microsoft Network Access Protection (NAP).
For a very high level description, NAP is composed of a client side
component, a server component, and an enforcement mechanism.  When a
client tries to associate with a network, the server component forces
the client to run through a series of tests that we pre-determine (such
as is the firewall enabled, are all patches installed, etc.).  If the
client fails these tests, the server signals the enforcement mechanism
(either DHCP, 802.1x or IPSec) to quarantine the client.  The quarantine
network is an isolated area where the client can update itself so as to
be compliant (for example, by downloading patches).  After the client is
updated, it will retry to associate with the network, at which point the
server will again check the client and, assuming it now passes, signal
the enforcement mechanism to allow 'normal' access to the network.  The
real benefit of NAP is that it provides persistent enforcement of our
policies.  Rather than being a manual process done at the beginning of
the semester only, NAP ensures that a system is compliant each time it
connects to the network.

LSU selected NAP because of easy integration, low cost, and flexible
deployment options.  We performed an initial pilot of 250+ machines with
DHCP based enforcement, and have already tested 802.1x enforcement,
which will be our long term solution.  We have integrated NAP with
existing Cisco hardware, Symantec Antivirus software, and Microsoft
Systems Management Server.

Sincerely,

-Brian

Brian Nichols, CISSP, CISM, CISA, CIA
Chief IT Security & Policy Officer
Louisiana State University
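
The admission cycle Brian describes (client health checks, server verdict, enforcement via DHCP or 802.1x, quarantine, remediation, re-check) as an added worked model. This is a constructed illustration, not Microsoft's NAP code and not anything LSU posted; the policy values, VLAN numbers, subnets and function names are all assumptions chosen for the example.

```python
"""Toy model of a NAP-style admission flow (constructed example, not NAP itself).

The client submits a statement of health (SoH), the policy server evaluates it
against the required checks, and an enforcement point (DHCP or 802.1x) places
the host on the quarantine or the normal network. Quarantine remediation is
simulated, and the client then reconnects and is re-evaluated.
All policy values, VLAN numbers and subnets below are assumptions.
"""

# Policy the server enforces (assumed values): the firewall must be on,
# no critical patches may be missing, and AV signatures may be at most 3 days old.
POLICY = {
    "firewall_enabled": True,
    "patches_missing": 0,
    "av_sig_age_days": 3,
}


def evaluate_soh(soh: dict) -> list[str]:
    """Return the list of failed checks; an empty list means compliant.

    A check the client did not report at all is treated as failed, so a host
    without a health agent cannot pass by sending nothing."""
    failed = []
    if soh.get("firewall_enabled") is not True:
        failed.append("firewall_enabled")
    if soh.get("patches_missing", 999) > POLICY["patches_missing"]:
        failed.append("patches_missing")
    if soh.get("av_sig_age_days", 999) > POLICY["av_sig_age_days"]:
        failed.append("av_sig_age_days")
    return failed


def enforcement_decision(failed: list[str], method: str) -> dict:
    """Translate the server verdict into what the enforcement point hands out."""
    compliant = not failed
    network = "normal" if compliant else "quarantine"
    if method == "dhcp":
        # DHCP enforcement: a non-compliant host gets a restricted lease on the
        # quarantine subnet with no default route (assumed addressing).
        lease = ({"subnet": "10.0.0.0/16", "default_route": True} if compliant
                 else {"subnet": "10.255.0.0/24", "default_route": False})
        return {"compliant": compliant, "network": network, "lease": lease}
    if method == "8021x":
        # 802.1x enforcement: the switch assigns a VLAN from the RADIUS reply
        # (assumed VLAN ids: 100 = normal, 999 = quarantine).
        return {"compliant": compliant, "network": network,
                "vlan": 100 if compliant else 999}
    raise ValueError(f"unknown enforcement method: {method}")


def remediate(soh: dict, failed: list[str]) -> dict:
    """Simulate the remediation servers in quarantine fixing what failed."""
    fixed = dict(soh)
    if "firewall_enabled" in failed:
        fixed["firewall_enabled"] = True
    if "patches_missing" in failed:
        fixed["patches_missing"] = 0
    if "av_sig_age_days" in failed:
        fixed["av_sig_age_days"] = 0
    return fixed


def admission_loop(soh: dict, method: str, max_attempts: int = 3) -> list[dict]:
    """Run connect -> evaluate -> enforce -> remediate -> reconnect.

    Returns one decision record per attempt so each round is visible. The
    loop stops at the first compliant verdict or after max_attempts rounds,
    leaving a host that cannot remediate in quarantine rather than looping."""
    history = []
    for attempt in range(1, max_attempts + 1):
        failed = evaluate_soh(soh)
        decision = enforcement_decision(failed, method)
        decision.update({"attempt": attempt, "failed_checks": failed})
        history.append(decision)
        if decision["compliant"]:
            break
        soh = remediate(soh, failed)
    return history


# Constructed sample client: firewall off and two critical patches missing.
SAMPLE_SOH = {"firewall_enabled": False, "patches_missing": 2, "av_sig_age_days": 1}

if __name__ == "__main__":
    for step in admission_loop(SAMPLE_SOH, "8021x"):
        print(step)
```

The point the model makes is the one Brian raises as NAP's real benefit: the check is re-run on every connection rather than once per semester, and a host whose remediation does not succeed stays on the quarantine VLAN or restricted DHCP lease instead of being admitted by default.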

________________________________

From: David Boyer [mailto:David () BVU EDU] 
Sent: Friday, February 16, 2007 5:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NAC devices - opinions sought

Anyone familiar with Cisco's Network Admission Control (formerly Cisco
Clean Access, formerly Perfigo), Juniper Infranet, Symantec Network
Access Control or similar software/appliances?

Like many schools, we have a 1:1 ratio of computers to students. We'd
like to avoid letting vulnerable or malware-infected systems onto our
network while simultaneously addressing the infection or vulnerability.
Almost all of our systems are running Windows XP or Windows 2000.

I'd be interested in hearing about your experiences with these or
similar solutions. Any open-source solutions that you know of?

Thanks in advance,

David Boyer
Buena Vista University

