CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Simon Bell <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 6 Sep 2005 16:50:20 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (51 lines)
Correct, disabling this feature will "break" NAT devices. This was true in versions 3.3 and 3.4 (routers not working). However, when L3 was enabled it opened the door for NAT routers. The reason it didn't work before is not that the router didn't get an IP, but that you couldn't validate the router. In previous versions, the default gateway had to be a CAS before you could log in. I'm assuming that this "new udp packet" is the new method the agent uses to check for the CAS behind L3 hops. Here at GSU we are very happy to see this feature. While setting the CAS discovery to 127.0.0.1 works, it doesn't take much on the end user side to re-enable it (simply delete the reg key). While this doesn't prevent bridged APs, we don't consider this quite the security hole now, since a user would still be required to log in before getting onto our network.

Simon

>>> [log in to unmask] 9/6/2005 4:16 PM >>>
So, are you saying that users can not "hide" behind a NAT router if L3 is disabled? It seems to me that they would be able to hide because all the Clean Access server will see is the MAC and IP of the "WAN" interface of the router and will pass all traffic from that MAC. Wouldn't that be true either way?

Jeff

-----Original Message-----
From: Simon Bell [mailto:[log in to unmask]] 
Sent: Tuesday, September 06, 2005 3:46 PM
To: [log in to unmask] 
Subject: Re: [PERFIGO] Agent 3.5.6

Yes, it must be enabled. Upgrading by default disables it. "L3 capability will be disabled by default after upgrade or new install of 3.5(5), and enabling the feature will require an update and reboot of the Clean Access Server." Having L3 enabled by default opens a tremendous security hole with users of routers. Due to the nature of NAT, only 1 user has to validate behind the router, thus any other devices are allowed out. This problem is compounded when users bring wireless NAT routers up.

Simon


>>> [log in to unmask] 9/6/2005 1:41 PM >>>
We are also having trouble with Agent 3.5.6 and the use of routers. When the user behind a wired or wireless router updates to v3.5.5, the "login" remains greyed out, and they are unable to do the automatic upgrade to v3.5.6 and cannot log in afterwards. They were fine under version 3.5.4!

This may be because the new default stance for v3.5.5 servers is that support for multi-hop L3 is off by default. Does anyone know if this must be specifically enabled to allow the use of wireless or wired routers on a managed network?

-Bill
Network Security Administrator
Housing Technology
Colorado State University
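As an added illustration that is not part of this thread, one defender-side check for the NAT-hiding case Jeff and Simon describe: the CAS only ever sees the router's WAN MAC and IP, but the IP TTL of the forwarded packets still betrays the extra router hop and the mix of operating systems behind it. This is example code, not Perfigo/Cisco's; the sample records, MAC and IP values are constructed, and it assumes the CAS sits at a known hop distance from its clients (0 when the CAS is the client's default gateway, as in the L2 deployment; the TTL heuristic is not meaningful once L3 multi-hop is in use).

```python
from collections import defaultdict

# Assumption: the usual OS initial TTLs (64 Linux/macOS, 128 Windows, 255 some gear).
INITIAL_TTLS = (64, 128, 255)


def nearest_initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed value."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base
    raise ValueError("TTL out of range: %r" % ttl)


def hops_from(ttl):
    """Router hops the packet has crossed, inferred from its TTL."""
    return nearest_initial_ttl(ttl) - ttl


def analyze(records, expected_hops=0):
    """records: (src_mac, src_ip, ttl) tuples as seen at the CAS.
    Returns {mac: {"ip", "ttls", "reasons"}} for MACs whose traffic looks
    like several hosts or an unexpected router sit behind them."""
    ttls_by_mac = defaultdict(set)
    ip_by_mac = {}
    for mac, ip, ttl in records:
        ttls_by_mac[mac].add(ttl)
        ip_by_mac[mac] = ip
    findings = {}
    for mac, ttls in ttls_by_mac.items():
        reasons = []
        if len(ttls) > 1:
            reasons.append("multiple TTL values from one MAC (several OS stacks?)")
        if any(hops_from(t) > expected_hops for t in ttls):
            reasons.append("TTL decremented beyond expected hop count (NAT router in path?)")
        if reasons:
            findings[mac] = {"ip": ip_by_mac[mac], "ttls": sorted(ttls), "reasons": reasons}
    return findings


# Constructed sample: a plain Windows host, and a validated "host" whose MAC is
# really a NAT router's WAN port hiding a Windows box (TTL 127) and a Linux box (TTL 63).
SAMPLE_RECORDS = [
    ("00:11:22:aa:bb:01", "10.1.1.10", 128),
    ("00:11:22:aa:bb:01", "10.1.1.10", 128),
    ("00:11:22:aa:bb:02", "10.1.1.11", 127),
    ("00:11:22:aa:bb:02", "10.1.1.11", 63),
    ("00:11:22:aa:bb:02", "10.1.1.11", 127),
]

if __name__ == "__main__":
    for mac, info in analyze(SAMPLE_RECORDS).items():
        print(mac, info)
```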
