[26994] in resnet
Re: Do we still need Network Access Control?
daemon@ATHENA.MIT.EDU (Christopher Hickernell)
Fri Nov 4 15:35:27 2011
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_CAF03826CDC19848A698E99DC608B54702D22A47vEXMB1clarionlo_"
MIME-Version: 1.0
Message-ID: <CAF03826CDC19848A698E99DC608B54702D22A47@vEXMB1.clarion.local>
Date: Fri, 4 Nov 2011 19:31:58 +0000
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Christopher Hickernell <chickernell@clarion.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <755A73D3547BAE429728E2EC2AEDC605E39A36FBA3@EXMAIL.csuchico.edu>
--_000_CAF03826CDC19848A698E99DC608B54702D22A47vEXMB1clarionlo_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
We purchased Cisco NAC (Clean Access) a couple years ago planning to implem=
ent its full posture assessment features. But after some brainstorming and=
pilot programs we decided that enforcing Anti-Virus and patching would pro=
duce more work for support staff with minimal return on security. Malware =
is still a problem on ResNet-it produces most of our service calls. But tr=
aditional anti-virus programs are not effective at detecting and removing m=
alware. There could be a benefit to using NAC to enforce real-time malware=
products be installed on user's computers. In most cases it is easily rem=
oved using Malwarebytes or Adaware type products.
So we decided to implement Cisco NAC to leverage the authentication and con=
trol features. By requiring users to periodically log onto the network giv=
es me greater visibility into the types of active devices. It also gives m=
e a single point of control. I am able to block network access for specifi=
c users/devices regardless of where they try to connect. The user is prese=
nt a webpage with instructions of what they need to do to have their networ=
k access restored-may have been because of copyright infringement or connec=
ting a wireless router in their room.
For us NAC still has good value as authentication and control, but not for =
posture assessment.
Christopher Hickernell, CCNA, MCSE
Network Support Specialist, ResNet Manager
Clarion University of Pennsylvania
Center for Computing Services
G-13 Still Hall, Clarion, PA 16214
chickernell@clarion.edu | 814.393.2218
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Richter, =
Ryan
Sent: Friday, November 04, 2011 1:25 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Do we still need Network Access Control?
Hi folks,
In the wake of 2003 with Blaster and other worms spreading through unpatche=
d systems like wildfire we made the decision to purchase a Network Access C=
ontrol product (Cisco's Clean Access). In the following years, with OS patc=
h and antivirus enforcement, malware was definitely less of a problem. CCA =
did its job.
But these days, with operating systems automatically downloading and instal=
ling patches by default, Windows firewall on by default, do you think a Net=
work Access Control solution is still necessary? The cost and support of th=
ese solutions is not trivial.
Malware continues to be a relatively small issue in our residence halls, bu=
t I'm no longer sure it's because of our NAC policies, or because of better=
operating systems.
Has anyone ditched their NAC solution and tested these waters?
If you don't have NAC in your residence halls, what's it like? Is malware a=
big problem?
Thanks and happy Friday,
-Ryan
Ryan Richter
IT Support Services
California State University, Chico
___________________________________________________ You are subscribed to t=
he ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.=
EDU/archives/resnet-l.html ________________________________________________=
___
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
--_000_CAF03826CDC19848A698E99DC608B54702D22A47vEXMB1clarionlo_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"Section1">
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">We purchased Cisco NAC=
(Clean Access) a couple years ago planning to implement its full posture a=
ssessment features. But after some brainstorming and pilot programs w=
e decided that enforcing Anti-Virus and patching
would produce more work for support staff with minimal return on security.=
Malware is still a problem on ResNet—it produces most of our s=
ervice calls. But traditional anti-virus programs are not effective a=
t detecting and removing malware. There could be
a benefit to using NAC to enforce real-time malware products be installed =
on user’s computers. In most cases it is easily removed using M=
alwarebytes or Adaware type products.
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p> </o:p></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">So we decided to imple=
ment Cisco NAC to leverage the authentication and control features. B=
y requiring users to periodically log onto the network gives me greater vis=
ibility into the types of active devices.
It also gives me a single point of control. I am able to block netwo=
rk access for specific users/devices regardless of where they try to connec=
t. The user is present a webpage with instructions of what they need =
to do to have their network access restored—may
have been because of copyright infringement or connecting a wireless route=
r in their room.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p> </o:p></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">For us NAC still has g=
ood value as authentication and control, but not for posture assessment.<o:=
p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p> </o:p></spa=
n></p>
<p class=3D"MsoNormal"><b><span style=3D"color:#1F497D">Christopher</span><=
/b><span style=3D"color:#1F497D"> Hickernell, CCNA, MCSE<o:p></o:p></span><=
/p>
<p class=3D"MsoNormal"><i><span style=3D"color:#1F497D">Network Support Spe=
cialist, ResNet Manager<o:p></o:p></span></i></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">Clarion University of =
Pennsylvania<i><o:p></o:p></i></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">Center for Computing S=
ervices<i><o:p></o:p></i></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">G-13 Still Hall, Clari=
on, PA 16214<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">chickernell@clarion.ed=
u | 814.393.2218<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p> </o:p></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p> </o:p></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p> </o:p></spa=
n></p>
<div>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:"=
;Tahoma","sans-serif"">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:"Tahoma","sans-serif""> Resnet F=
orum [mailto:RESNET-L@LISTSERV.ND.EDU]
<b>On Behalf Of </b>Richter, Ryan<br>
<b>Sent:</b> Friday, November 04, 2011 1:25 PM<br>
<b>To:</b> RESNET-L@LISTSERV.ND.EDU<br>
<b>Subject:</b> Do we still need Network Access Control?<o:p></o:p></span><=
/p>
</div>
</div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Hi folks,<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">In the wake of 2003 with Blaster and other worms spr=
eading through unpatched systems like wildfire we made the decision to purc=
hase a Network Access Control product (Cisco’s Clean Access). In the =
following years, with OS patch and antivirus
enforcement, malware was definitely less of a problem. CCA did its job.<o:=
p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">But these days, with operating systems automatically=
downloading and installing patches by default, Windows firewall on by defa=
ult, do you think a Network Access Control solution is still necessary? The=
cost and support of these solutions
is not trivial.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Malware continues to be a relatively small issue in =
our residence halls, but I’m no longer sure it’s because of our=
NAC policies, or because of better operating systems.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Has anyone ditched their NAC solution and tested the=
se waters?<o:p></o:p></p>
<p class=3D"MsoNormal">If you don’t have NAC in your residence halls,=
what’s it like? Is malware a big problem?<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Thanks and happy Friday,<o:p></o:p></p>
<p class=3D"MsoNormal">-Ryan<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal"><span style=3D"color:gray">Ryan Richter<o:p></o:p></=
span></p>
<p class=3D"MsoNormal"><span style=3D"color:gray">IT Support Services<o:p><=
/o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:gray">California State Universi=
ty, Chico<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:12.0pt;font-family:"Ti=
mes New Roman","serif"">____________________________________=
_______________ You are subscribed to the ResNet-L mailing list.
<o:p></o:p></span></p>
<p>To subscribe, unsubscribe or search the archives, go to http://LISTSERV.=
ND.EDU/archives/resnet-l.html _____________________________________________=
______
<o:p></o:p></p>
</div>
</body>
</html>
___________________________________________________
You are subscribed to the ResNet-L mailing list.
<p>
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
--_000_CAF03826CDC19848A698E99DC608B54702D22A47vEXMB1clarionlo_--
