CLEANACCESS Archives

November 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Eric Weakland <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 15 Nov 2005 17:05:30 -0500

Thanks to everyone who participates in this list.  It is an invaluable 
resource.

I'm trying to reason with some of our constituents about the potential 
benefits of enforcing some minimum requirements with CCA.  Of course they 
don't think it should apply to them. I would appreciate some of your input 
on these topics that they have posed to me.  I have my own responses, but 
am keen to hear if any of you have dealt with the same questions and how 
you responded - citations of sources greatly valued.  Feel free to email 
me directly and/or post to the list. I would suggest the list because I 
think we have all had to deal with users who say "sure, but I don't need 
that - I'm a POWER user!"  Cisco folks please feel free to point me to 
relevant documents on Cisco's website - I've been looking there and have 
found some documents, but not much.


Many thanks,

Eric Weakland, CISSP
Director, Network Security
Office of Information Technology 
American University
[log in to unmask]
202.885.2241



Problems with Additional "Background" Applications
--------------------------------------------------

Applications that run in background can interfere with other user
applications in many ways.  We mention only a few possibilities:
siphoning off system resources, generating conflicts with other
applications, or simply by containing bugs that cause system problems.
We recognize that the computing office will make decisions to minimize
such impacts, but we remain concerned.


Privacy Concerns
----------------

A software client that validates network access raises serious privacy
concerns, since it necessarily records users' IP addresses and makes
possible a trace of their network activity. We understand that the
computing office has no intention of enabling such functionality.
Nevertheless, such a
trace could be performed without much difficulty.  We therefore wish
to learn what procedures will be implemented to prevent any such abuses.


Security Trade-Offs
-------------------

The proposed client software is supposed to ensure that required
security practices are implemented.  Even if the security requirements
are appropriately selected, it appears that the client software itself
may pose a small security risk to the user's machine.  Users would be
required to permit a certain amount of network traffic to pass across
whatever security firewalls and protections they had installed on
their own machines, which appears to weaken such security regimes.


Forcing Incompatible Updates
----------------------------

We move finally to our greatest concern: forced updates. We are
naturally sympathetic to the idea that almost all users should have
installed antivirus software and have updated to current virus
definitions.  However, system updates and patches raise the possibility
of serious incompatibilities.  Updates, service packs, and patches
sometimes produce incompatibilities that programmers need time to
resolve.  For example, each of the Windows XP service packs was
incompatible with some applications.  Requiring a system update in
order to be validated for network access raises the possibility that a
user may have to go for a time without access to a vital software
application on their machine. Such problems could lead to a slowdown
in vital research practices.
