Educause Security Discussion mailing list archives

Re: NAC devices - opinions sought


From: John <jgarner () SFASU EDU>
Date: Tue, 20 Feb 2007 15:56:49 -0600

I am reviewing the Mirage solution:

www.miragenetworks.com

It's to be a commercial appliance similar to the PacketFence solution.

Pros: out of band, appliance based, updates ARP cache of router to redirect
traffic of quarantined PC instead of swapping VLANs for the switch port –
quarantine by MAC address so when student moves to another port, the
student’s PC is still quarantined.

Cons – I don’t have one yet, costs $$, it’s a startup company

Is anybody on the list using the Mirage?

Thanks,
John Garner

________________________________________
From: David Gillett [mailto:gillettdavid () FHDA EDU] 
Sent: Tuesday, February 20, 2007 3:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NAC devices - opinions sought

  At RSA this year (week before last) I attended several NAC presentations.
The big three currently seem to be Cisco (our infrastructure is mostly not
Cisco), Microsoft (our current population is about 40% Macintosh, and not all
of the Windows are XP/Vista and AD), and an effort by the IETF toward an open
standard that client agents and policy enforcement servers can use to talk to
one another.  This latter effort is likely to improve the availability of
open-source offerings....
 
  My shopping list includes:
- cross-platform support (Macs aren't going away in any timeframe I can plan
  for)
- "agentless" (new term is "dissolving agent") since we cannot require
  installation on clients we don't manage
- 802.1x supported but not required (we're just starting to get equipment that
  supports it, and building the IDM back-end support)
- more generally, works with our current and near-future infrastructure (i.e.
  not just Cisco)
- has a "don't act, but show me what you would have done" eval mode
 
  A year ago, I'm not sure any vendor could meet all of those criteria --
now, there are probably at least 6, and perhaps as many as a dozen, and they
don't all meet them in the same way.
 
David Gillett
 

________________________________________
From: David Boyer [mailto:David () BVU EDU] 
Sent: Friday, February 16, 2007 2:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NAC devices - opinions sought

Anyone familiar with Cisco's Network Admission Control (formerly Cisco Clean
Access, formerly Perfigo), Juniper Infranet, Symantec Network Access
Control or similar software/appliances?
 
Like many schools, we have a 1:1 ratio of computers to students. We'd like
to avoid letting vulnerable or malware-infected systems onto our network
while simultaneously addressing the infection or vulnerability. Almost all
of our systems are running Windows XP or Windows 2000.
 
I'd be interested in hearing about your experiences with these or similar
solutions. Any open-source solutions that you know of?
 
Thanks in advance,
 
David Boyer
Buena Vista University
