CLEANACCESS Archives

May 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Bruce Hodge <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 15 May 2009 08:32:42 +1000
Content-Type: text/plain
Parts/Attachments: text/plain (79 lines)

Gentle administrators,

I have been following the P2P argument with interest as it has recently become an issue (again) here at my University. At the moment, P2P is hammering our Proxies to death and we are receiving a few copyright breach notices. In this country it is a $5M fine for the institution (for each instance) and our glorious leaders panic about things like this. ;-)

We (The University of Newcastle Australia) use Clean Access as a NAC device for compartmentalisation rather than a pre-connection scanner. We are a relatively new installation and have so far baulked at hard parts of Clean Access because of some of the issues stated by Bruce A. Locke below. We are still struggling with the shortcomings of the lack of single sign-on and sign-off, especially in our common student lab devices. Most of our devices connect via MAC filters and this suits us for the moment as we are still in the process of upgrading our switching infrastructure. We use the CA login process for our student residences but we don't do posture checking there (yet). ;-)

We have started addressing the P2P issue on several fronts. As all our port 80 traffic must travel through our proxy caches, we are going to re-direct requests to trackers (about 30 to start with) to a "naughty naughty child" local page. We realise that there are over 900 trackers but our aim is to minimise the traffic rather than kill it completely. We are going to bandwidth limit P2P traffic on a layer 7 device on the edge and block the trackers at the border firewall. We are also looking at a nice feature in Sophos antivirus software called "application control" where the central AV server can set Sophos to block particular programs, and one of the classifications is File sharing. (PS we have written into our conditions of use document that P2P software is not allowed on campus.)

I suppose my point in this is that there is more than one way to skin this polymorphous cat..... (P2P)

I personally think that you should be able to dictate what gets placed on your network, but state it very clearly and loudly at the outset and make the users sign a Conditions of use Document so they can't argue the fact later..... chaos is never fun for the poor clowns left to clean up after the fact ....

ta

Bruce A. Locke wrote:
> ----- "Michael Stanclift" <[log in to unmask]> wrote:
>
> | Then what is the point of having NAC in the first place? We limit
> | their access based on antivirus and update status... why not just let
> | anyone on the network in any configuration?
>
> Some of us (or at least I am) are wondering if NAC isn't completely pointless these days.
>
> NAC was worth its weight in gold in forcing XP users to upgrade to XP SP2, which brought major security upgrades to the XP platform and helped us flush out a couple of widespread viruses.  Now that XP is dying and Vista/Windows 7 are more secure than XP out of the box, that is one less reason.
>
> The effectiveness of Cisco NAC to be helpful in encouraging the use of antivirus is limited.  You either have to mandate that all users use a particular antivirus package or play the game of rapid disruptive Clean Access agent updates, managing custom rules or exempting particular users.
>
> I personally believe that mandating a particular antivirus package upon our user owned systems is wrong.  In particular many of the antivirus bundles that can be purchased by universities are absolute CRAP.  I'm tired of hearing of cases where the help desk had to go grab some magic uninstall tool from Symantec to get the CCA agent to function again.  I will not run Symantec, McAfee or Sophos on my personal and work systems as they are all intrusive annoying software packages with noticeable performance problems.  If I was a student and was forced by NAC to install Symantec on my system the response from me would involve four letter words.
>
> So that leaves Windows Updates.  How much time has been spent on trying to figure out why Windows and CCA disagree on what patches are installed?  When it comes down to it, how much of that time spent was for nothing more than giving the Help Desk and NAC admin the warm and fuzzy feeling that the report is no longer in red text?  Did it really cut down on the number of viruses on your network?  Can you even get accurate data on that?
>
> What do we gain from NAC that isn't gained from user education efforts, DMCA enforcement and basic security monitoring of a network?  Cisco NAC is a miserable educational tool unless you prefer your education to involve pissing off users with incomprehensible behaviors from the agent and having them seethe at you and your help desk.
>
> Cisco NAC as it stands is just a way to punish Windows users for using Windows.  Is Windows worth punishing for anymore in the age of Vista and beyond?  Are Mac users subjected to this?  No.  So 1 in 4 users on our campus is magically immune to all this.  Is Mac OS X inherently more secure than Vista/W7?  Nope.
>
> We currently do nothing but Windows checks for the first couple months of a semester and turn the checks off as finals approach.  I "audit" antivirus packages in case I want to generate some statistics.  Other than that the real value we get out of NAC is user tracking and basic bandwidth limiting.  And I'm not so sure I even want to force the use of the CCA agent anymore.  Perhaps using it as an optional education tool would be better?  But who would choose to use such a thing?
>
> We've had NAC for many years now but in my eyes its usefulness is fading.  Managing our NAC install is probably 1/5th of my job.  Does the benefit justify the upkeep cost?  I don't know anymore.

-- 
Bruce Hodge
Communications Specialist Data
University Of Newcastle
Callaghan NSW 2308
[log in to unmask]
Ph +61 2492 15563 
Mb 0408610293
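The tracker redirect described in the post keys on a hand-picked hostname list. As an added example (not from the post or from the list), the Python below shows how a defender can instead recognise tracker announce/scrape requests by their request shape in the proxy's own access log, so the list can be grown from what the proxy already sees; the Squid-style log lines, hosts and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Squid native-format access.log lines (not real traffic); fields are
# timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy, type.
SAMPLE_LOG = """\
1242340362.123    45 10.1.2.3 TCP_MISS/200 512 GET http://tracker.example.org/announce?info_hash=%AB%CD%EF&peer_id=-UT1850-abcdefghijkl&port=6881&left=734003200 - DIRECT/203.0.113.10 text/plain
1242340363.456    12 10.1.2.4 TCP_HIT/200 2048 GET http://www.example.edu/index.html - NONE/- text/html
1242340364.789    30 10.1.2.5 TCP_MISS/200 300 GET http://open.example.net:6969/scrape?info_hash=%12%34 - DIRECT/198.51.100.5 text/plain
1242340365.001    20 10.1.2.6 TCP_HIT/200 4096 GET http://www.example.edu/news/announce - NONE/- text/html
"""

# Tracker endpoints end in /announce or /scrape (sometimes with .php) and carry the
# BitTorrent info_hash parameter; a web page that merely happens to be named
# "announce" has no info_hash and must not be flagged.
TRACKER_PATH = re.compile(r"/(announce|scrape)(\.php)?$")

def is_tracker_request(url):
    """True when a URL has the shape of a BitTorrent tracker announce/scrape."""
    parts = urlsplit(url)
    if not TRACKER_PATH.search(parts.path):
        return False
    return "info_hash" in parse_qs(parts.query)

def parse_line(line):
    """Pull the client IP and URL out of one Squid native-format log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "url": fields[6]}

def find_tracker_clients(log_text):
    """Map each client IP to the tracker hosts it contacted through the proxy."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_tracker_request(rec["url"]):
            host = urlsplit(rec["url"]).hostname
            hits.setdefault(rec["client"], []).append(host)
    return hits

if __name__ == "__main__":
    for client, hosts in find_tracker_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hosts))
```

The hosts collected this way are candidates for the redirect list; review them before adding, since the check is on request shape, not on a known-bad list.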
