[26993] in resnet

Re: Do we still need Network Access Control?

daemon@ATHENA.MIT.EDU (Doughty, Marc)
Fri Nov 4 14:31:27 2011

Date:         Fri, 4 Nov 2011 14:28:27 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Doughty, Marc" <marc_doughty@BROWN.EDU>
To: RESNET-L@listserv.nd.edu

Greetings,
    This is a bigger question than I can answer all at once, but there is a
'healthy balance'. A lot of organizations switched to an 'all ports blocked
between subnets by default' model after Sasser/Blaster, and they've never
reverted even though the threat profile is completely different now.

Here's my 'happy medium' suggestion:

1. A 'secure services' server subnet where all servers meet certain
security criteria (all services require authentication, regular security
testing, local software firewalls enabled, automated patching). Anyone on
campus should be able to access this subnet on any port. This allows
services to be easily brought online and guarantees that internal blockage
won't cause any head-scratchers.

2. Subnets -cannot- talk to each other; they can only reach the 'secure
services subnet'. This limits 'cross-infection' to a single subnet. Someone
comes in with a Sasser-like infection? It's not getting very far. Clients
obviously should have baseline security measures like AV software and local
firewalls enabled.

3. An 'insecure services' server subnet where everything is blocked by
default, only specific 'pinholes' from client subnets to these servers are
opened. This would be where you host those pesky folks who 'need to run a
server' but don't want to comply with baseline security measures, or
vendor-maintained products that you're not able to fully trust.

If you build out like this, the need for NAC drops, since the damage caused
by a worm would be quite limited in scope (to unpatched or firewall-less
machines on a single subnet).

- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way
vessel."
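The three-tier layout above, modelled as a small policy evaluator (an added example, not code from the post or from any campus): constructed placeholder prefixes stand in for the client, 'secure services' and 'insecure services' subnets, and a `blast_radius` helper shows what an infected client could still reach.

```python
import ipaddress

# Constructed address plan for the three-tier design described in the post.
# The prefixes are placeholders, not any campus's real allocation.
CLIENT_SUBNETS = [ipaddress.ip_network("10.10.0.0/24"),    # one residence hall
                  ipaddress.ip_network("10.20.0.0/24")]    # another hall
SECURE_SERVICES = ipaddress.ip_network("10.100.0.0/24")    # tier 1: any port, any client
INSECURE_SERVICES = ipaddress.ip_network("10.200.0.0/24")  # tier 3: default deny + pinholes

# Tier-3 pinholes, one per (client subnet, server host, port) opened on request.
PINHOLES = {
    (ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_address("10.200.0.7"), 8443),
}

def zone_of(ip):
    """Classify an address into the post's zones; unknown space is 'unknown'."""
    if any(ip in net for net in CLIENT_SUBNETS):
        return "client"
    if ip in SECURE_SERVICES:
        return "secure"
    if ip in INSECURE_SERVICES:
        return "insecure"
    return "unknown"

def client_subnet_of(ip):
    return next((net for net in CLIENT_SUBNETS if ip in net), None)

def is_allowed(src, dst, dport):
    """Decide whether the inter-subnet firewall passes a new flow.

    Rules, in order: traffic inside one subnet never crosses the firewall
    (so a worm still spreads within its own subnet, as the post concedes);
    clients reach the secure-services subnet on any port; clients reach the
    insecure-services subnet only through an explicit pinhole; everything
    else, including client-to-client across subnets, is denied. Flows not
    initiated by a client are denied (assumption: a stateful firewall, so
    replies to client-initiated flows need no rule of their own).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in CLIENT_SUBNETS + [SECURE_SERVICES, INSECURE_SERVICES]:
        if src_ip in net and dst_ip in net:
            return True
    if zone_of(src_ip) != "client":
        return False
    if dst_ip in SECURE_SERVICES:
        return True
    if dst_ip in INSECURE_SERVICES:
        return (client_subnet_of(src_ip), dst_ip, dport) in PINHOLES
    return False

def blast_radius(infected, probes):
    """(host, port) pairs an infected host could reach; probes is a list of (host, port)."""
    return sorted((h, p) for h, p in probes if is_allowed(infected, h, p))
```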


On Fri, Nov 4, 2011 at 1:24 PM, Richter, Ryan <rrichter@csuchico.edu> wrote:

> Hi folks,
>
> In the wake of 2003 with Blaster and other worms spreading through
> unpatched systems like wildfire we made the decision to purchase a Network
> Access Control product (Cisco's Clean Access). In the following years, with
> OS patch and antivirus enforcement, malware was definitely less of a
> problem. CCA did its job.
>
> But these days, with operating systems automatically downloading and
> installing patches by default, Windows firewall on by default, do you think
> a Network Access Control solution is still necessary? The cost and support
> of these solutions is not trivial.
>
> Malware continues to be a relatively small issue in our residence halls,
> but I'm no longer sure it's because of our NAC policies, or because of
> better operating systems.
>
> Has anyone ditched their NAC solution and tested these waters?
>
> If you don't have NAC in your residence halls, what's it like? Is malware
> a big problem?
>
> Thanks and happy Friday,
>
> -Ryan
>
> Ryan Richter
> IT Support Services
> California State University, Chico

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
