[27002] in resnet


Re: Do we still need Network Access Control?

daemon@ATHENA.MIT.EDU (Kathleen Brown)
Mon Nov 7 15:14:13 2011

Message-ID:  <1971DADBD6BB534298F22483F7D960F605B9730D@exchange01.anselm.edu>
Date:         Mon, 7 Nov 2011 15:12:03 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Kathleen Brown <kbrown@ANSELM.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  A<E026853FAE2E5E47BE78B287F89DAF9E048EBC@SUEX10-mbx-03.ad.syr.edu>

I agree that access control and compliance checking are two separate
topics.  We have access control (Bradford Campus Manager >> Network
Sentry) and it does a very fine job of "no more UFO's" on the network.
Everything that plugs in or uses the airspace here, whether provisioned
user or guest, needs to identify itself and this feature alone is huge.
From that we can refine what we check at the door.  The product is now
quite versatile but we just have it doing a few things such as disable
network bridging, etc.  It checks for the presence and update status of
any of 30 or so AV or endpoint protection clients, and offers Microsoft
Security Essentials if say a Guest user has nothing.  We have a
different security scan for each of Fac/Staff, students, and Guests.
Campus users need to register just once per semester, and Registration
is separate from Authentication.

Whoever mentioned AV being ineffective we agree, we went to Symantec
Endpoint Protection earlier this year.  Lots of good vendors out there.

Kathy

Kathleen Brown, Network Support Specialist

CompTIA Network+ Certified

Network Services - Office of Information Technology

Saint Anselm College

100 St. Anselm Drive

Manchester, NH 03102

(603) 641-7128

kbrown@anselm.edu

Please consider the environment before printing this email.

________________________________

From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of
Randall C Grimshaw
Sent: Friday, November 04, 2011 4:43 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: Do we still need Network Access Control?

Fry Day Indeed.

I think we need to discuss Access Control and Compliance Checking
separately.

With Access Control you have the ability to identify and quarantine
machines on your network. Where this is accomplished is a difficult
architectural question, but it needs to be a tool in your quiver - not
just for malware, but also abuse / illegal activity.

Compliance checking is becoming less of an issue in my opinion... in
part because the 'bad guys' are financially motivated to keep the
network up. And in part because users are migrating to mobile computing
appliances. When IDS systems identify a compromised system, you are back
to the Access Control issue.

Randall Grimshaw rgrimsha@syr.edu

________________________________

From: Resnet Forum [RESNET-L@LISTSERV.ND.EDU] on behalf of Richter, Ryan
[rrichter@csuchico.edu]
Sent: Friday, November 04, 2011 1:24 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Do we still need Network Access Control?

Hi folks,

In the wake of 2003 with Blaster and other worms spreading through
unpatched systems like wildfire...

Has anyone ditched their NAC solution and tested these waters?

If you don't have NAC in your residence halls, what's it like? Is
malware a big problem?

Thanks and happy Friday,

-Ryan

Ryan Richter

IT Support Services

California State University, Chico

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives, go to
http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________


