NAC

Phil Mayers p.mayers at imperial.ac.uk
Thu Jul 12 17:46:08 CEST 2007


On Thu, 2007-07-12 at 12:46 +0100, Arran Cudbard-Bell wrote:
> >> It's another topic that I'm overall sceptical of NAC, IMO a network should 
> >> only reactively shut a client down *after* it did something wrong, not 
> >> proactively sniff around the local environment and lock it away at once. But 
> >> NAC is here to stay I guess. :-(
> >>     
> >
> > "Presumed innocent" is a nice idea, but IMHO there are environments that
> > it simply doesn't work in. Financial institutes are one I can think of, and
> > I could make convincing arguments based on my own experience that many
> > academic networks (and CERTAINLY student residence networks) would
> > benefit greatly from a default-deny.
> >   
> Right, but machines on a residential network are generally going to be 
> personal machines; I for one would protest greatly if I were forced to 

You could protest all you wanted; *if* we had implemented that policy
then it would have been signed off by the student union, senior tutors
and college IT security advisory group, and it would have been in the
wording on the bit of paper you sign when you join the university.

We've done this with lots of other policies (e.g. 5Gb/24 hours bandwidth
limit - exceed it once and you're off for 48 hours, 2nd time and it's 2
weeks and 3 times, you're off for the rest of the academic year) and it
works fine.

> install an AV solution just to use the network in my halls of residence. 
> It's fine dictating what is installed on University owned machines, but 
> users personal equipment is their *own*, and they should be able to 
> manage it how they see fit.

I have no intention of forcing people to install software to get onto
the network.

But when they get kicked off into a BANNED VRF, after the first offense
we require that they prove their machine is clean before they get back
on. At the moment, that means they physically carry it to the helpdesk.
Were the option available, running some kind of software agent that we
supply seems like a clear win.

People focus rather too much on the "initial access" bit of NAC, and
seem to ignore the remediation benefits.

> If you feel like experimenting a little, you can always stick a snort 
> probe at a key point in your infrastructure.

We have extensive IDS and IPS systems sitting between our residence
network.

> Then make decisions as to whether the user should be segregated  from 
> the main network, based on the information gathered about what their

The residences systems ARE segregated from the main network, always and
forever - they live in a VRF and hit a firewall before coming into the
main production zone.
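
As an added worked example (not code from the original message, and not part of FreeRADIUS), here is the escalating bandwidth-quota policy from the reply above expressed as code: more than 5 GB in any rolling 24-hour window is an offence, the first offence removes the client for 48 hours, the second for 2 weeks, the third for the rest of the academic year. The record layout (username, session stop time, bytes), the user names, the 5 GB = 5 GiB reading and the academic-year end date are assumptions made for the example; the accounting records are constructed, not real data.

```python
"""Escalating bandwidth-quota enforcement over RADIUS-style accounting records.

Added example, not code from the original post or from FreeRADIUS.
Policy modelled (from the post): >5 GB in any 24 hours is an offence;
1st offence -> off for 48 hours, 2nd -> 2 weeks, 3rd -> rest of the year.
Assumptions: records are (user, Acct-Stop time, Acct-Input-Octets +
Acct-Output-Octets); "5Gb" is read as 5 GiB; the academic year ends 30 June.
"""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GB = 1024 ** 3
QUOTA_BYTES = 5 * GB                      # policy limit per rolling 24-hour window
WINDOW = timedelta(hours=24)
ACADEMIC_YEAR_END = datetime(2008, 6, 30)  # assumed end of the academic year
BAN_SCHEDULE = [timedelta(hours=48), timedelta(weeks=2)]  # 1st and 2nd offence

# Constructed sample accounting records: (username, stop time, bytes).
SAMPLE_RECORDS: List[Tuple[str, datetime, int]] = [
    ("alice", datetime(2007, 10, 1, 9, 0), 3 * GB),
    ("alice", datetime(2007, 10, 1, 20, 0), int(2.5 * GB)),   # 5.5 GB in 11 hours
    ("alice", datetime(2007, 10, 4, 10, 0), 1 * GB),
    ("alice", datetime(2007, 10, 5, 8, 0), 6 * GB),           # 7 GB in 22 hours
    ("alice", datetime(2007, 10, 25, 12, 0), int(5.5 * GB)),  # single large session
    ("bob", datetime(2007, 10, 1, 9, 0), 4 * GB),
    ("bob", datetime(2007, 10, 2, 10, 0), 4 * GB),            # 25 hours apart: no offence
]


def ban_length(offence_number: int, now: datetime) -> timedelta:
    """Penalty for the n-th offence (1-based); the 3rd and later run to year end."""
    if offence_number >= 3:
        return max(ACADEMIC_YEAR_END - now, timedelta(0))
    return BAN_SCHEDULE[offence_number - 1]


def evaluate(records: List[Tuple[str, datetime, int]],
             user: str) -> List[Tuple[datetime, datetime]]:
    """Replay one user's sessions in stop-time order.

    Returns a list of (offence_time, banned_until). Usage is summed over a
    sliding 24-hour window; after an offence the window is cleared so the same
    traffic is not counted towards a second offence, and sessions that end
    while a ban is in force are skipped (on the real network they cannot occur,
    because the port has been moved into the BANNED VRF).
    """
    sessions = sorted((t, b) for u, t, b in records if u == user)
    offences: List[Tuple[datetime, datetime]] = []
    window: List[Tuple[datetime, int]] = []
    banned_until: Optional[datetime] = None

    for stop_time, nbytes in sessions:
        if banned_until is not None and stop_time < banned_until:
            continue
        window = [(t, b) for t, b in window if stop_time - t < WINDOW]
        window.append((stop_time, nbytes))
        if sum(b for _, b in window) > QUOTA_BYTES:
            n = len(offences) + 1
            banned_until = stop_time + ban_length(n, stop_time)
            offences.append((stop_time, banned_until))
            window = []
    return offences


if __name__ == "__main__":
    for name in ("alice", "bob"):
        for when, until in evaluate(SAMPLE_RECORDS, name):
            print(f"{name}: offence at {when:%Y-%m-%d %H:%M}, off until {until:%Y-%m-%d %H:%M}")
```

With the constructed records, alice accrues three offences (48 hours, two weeks, then out until the end of the academic year) while bob, whose two 4 GB sessions end 25 hours apart, never trips the rolling window. On a live deployment the same logic would run against the accounting table FreeRADIUS writes, with the ban enforced by whatever moves the port into the BANNED VRF.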

More information about the Freeradius-Users mailing list