CLEANACCESS Archives

September 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Cal Frye <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Wed, 9 Sep 2009 10:32:21 -0400

Presumably you can identify the university secured machines, whether by
user account or by subnet. Apply a different role to these machines that
accounts for WSUS, etc.

Back when we first implemented Perfigo, a faculty laptop was the first
infected system seen on our campus, so we were interested in applying
NAC to all ports, not just in ResNet. As we implement our new NAC
solution, we intend to extend NAC coverage to all user ports, including
VPN connections. I believe the nature of the threat has changed
sufficiently that unless your staff machines are really severely locked
down, you need that visibility into every system on your network.
--Cal Frye, Oberlin College.

Kim Casserly wrote:
> Do other universities enable NAC on wired ports that
> connect university-secured machines? For instance, what are your
> policies on lab computers, faculty/staff computers, etc.?
>  
> We haven't enabled NAC on the academic side yet (only in the dorms), and
> we're worried that the NAC compliance rules we have for students may not
> work well with university managed computers. For instance, we have our
> university computers pointed at an internal WSUS server, but we don't
> want students using our WSUS server because when they graduate from the
> university (or leave the dorms), we don't think they will change their
> settings back to Windows Update instead of our WSUS.
>  
> A problem this would cause would be if a student were to log into a
> university machine that has purposely received a different set of
> updates (for instance, perhaps a computer lab has temporarily withheld a
> patch until they can properly test to make sure it doesn't interfere
> with specific apps), the machine would be required to have the "student
> requirements." The private enterprise probably doesn't run into these
> issues as much as larger universities, where all the different academic
> departments run disparate computer policies.
>  
> We are already aware of Profiler to identify non-compliant devices and
> things of that nature. I guess the main point of this post is to find
> out what your policy is for university computers, and whether there is
> anything on the NAC Appliance road-map to take Active Directory machine
> accounts into consideration (for instance, if the AD user account
> has "student" group membership and the computer object exists in the
> "COSC computer lab" security group, then use Policy A, else just use
> Policy B).
>  
>  Thanks in advance.
> 


-- 
Celebrating the 150th anniversary of the publication of the Origin of
Species.
-- Cal Frye, Network Administrator, Oberlin College
   Mudd Library, x.56930 -- CIT will NEVER ask you for your password!

   www.calfrye.com,  www.pitalabs.com

"I am endlessly fascinated that playing football is considered a
training ground for leadership, but raising children isn't." -- Dee Dee
Myers.