NAC

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Jul 12 13:46:30 CEST 2007


>> It's another topic that I'm overall sceptical of NAC, IMO a network should 
>> only reactively shut a client down *after* it did something wrong, not 
>> proactively sniff around the local environment and lock it away at once. But 
>> NAC is here to stay I guess. :-(
>>     
>
> "Presumed innocent" is a nice idea, but IMHO there are environments that
> simply don't work in. Financial institutes are one I can think of, and
> I could make convincing arguments based on my own experience that many
> academic networks (and CERTAINLY student residence networks) would
> benefit greatly from a default-deny.
>   
Right, but machines on a residential network are generally going to be 
personal machines, I for one would protest greatly if I was forced to 
install an AV solution just to use the network in my halls of residence. 
It's fine dictating what is installed on University owned machines, but 
users personal equipment is their *own*, and they should be able to 
manage it how they see fit.

If you feel like experimenting a little, you can always stick a snort 
probe at a key point in your infrastructure.
Then make decisions as to whether the user should be segregated from 
the main network, based on the information gathered about what their 
machine is actually doing. Also means there's no extra burden on the 
users... and anything that makes the user's life simpler generally means 
less hassle for the people supporting that user.
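As an added illustration of the reactive approach described in the reply above (not code from the original post or from the FreeRADIUS project), the script below parses constructed Snort "fast"-format alert lines, aggregates them per source host, and applies a simple threshold policy to decide which hosts should be moved to a quarantine segment; the signature IDs, hosts and thresholds are all assumed sample values.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort's "fast" output format (assumed layout);
# SIDs use the local-rule range and the hosts are documentation addresses.
SAMPLE_ALERTS = """\
07/12-13:46:30.123456  [**] [1:1000001:1] LOCAL SCAN inbound SSH sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.0.5:51234 -> 10.20.1.7:22
07/12-13:46:31.223456  [**] [1:1000001:1] LOCAL SCAN inbound SSH sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.0.5:51235 -> 10.20.1.8:22
07/12-13:46:32.323456  [**] [1:1000002:1] LOCAL SCAN SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.0.5:51236 -> 10.20.1.9:445
07/12-13:47:01.000000  [**] [1:1000003:1] LOCAL MALWARE known C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.0.9:40001 -> 198.51.100.10:443
07/12-13:47:05.000000  [**] [1:1000004:1] LOCAL POLICY P2P tracker contact [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {UDP} 10.20.0.12:6881 -> 203.0.113.4:6881
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src[:port] -> dst[:port]".
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]+)\])? \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^ :]+)(?::(?P<sport>\d+))? -> (?P<dst>[^ :]+)(?::(?P<dport>\d+))?$"
)

def parse_fast_alerts(text):
    """Yield one dict per parseable alert line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alert = m.groupdict()
            alert["pri"] = int(alert["pri"])
            yield alert

def quarantine_decisions(text, p2_distinct_threshold=2):
    """Reactive policy: a source is segregated only after observed behaviour warrants it.
    Any priority-1 alert, or at least `p2_distinct_threshold` distinct priority-2
    signatures, leads to quarantine; everything else stays on the main network."""
    by_src = defaultdict(list)
    for alert in parse_fast_alerts(text):
        by_src[alert["src"]].append(alert)
    decisions = {}
    for src, alerts in by_src.items():
        p1 = [a for a in alerts if a["pri"] == 1]
        p2_sids = {a["sid"] for a in alerts if a["pri"] == 2}
        if p1:
            decisions[src] = ("quarantine", "priority-1 alert: " + p1[0]["msg"])
        elif len(p2_sids) >= p2_distinct_threshold:
            decisions[src] = ("quarantine", f"{len(p2_sids)} distinct priority-2 signatures")
        else:
            decisions[src] = ("allow", "below threshold")
    return decisions

if __name__ == "__main__":
    for src, (action, reason) in sorted(quarantine_decisions(SAMPLE_ALERTS).items()):
        print(f"{src:<12} {action:<10} {reason}")
```

The decision dictionary is what a NAS-side action (for example a VLAN change pushed through RADIUS) would consume; the script deliberately stops at the decision so the enforcement mechanism stays the operator's choice.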



More information about the Freeradius-Users mailing list