CLEANACCESS Archives

May 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"Bruce A. Locke" <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Thu, 14 May 2009 13:33:49 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (34 lines)
----- "Michael Stanclift" <[log in to unmask]> wrote:

| Then what is the point of having NAC in the first place? We limit
| their access based on antivirus and update status... why not just let
| anyone on the network in any configuration?

Some of us (or at least I am) are wondering if NAC isn't completely pointless these days.

NAC was worth its weight in gold in forcing XP users to upgrade to XP SP2, which brought major security upgrades to the XP platform and helped us flush out a couple of widespread viruses.  Now that XP is dying and Vista/Windows 7 are more secure than XP out of the box, that is one less reason.

The effectiveness of Cisco NAC to be helpful in encouraging the use of antivirus is limited.  You either have to mandate that all users use a particular antivirus package or play the game of rapid disruptive Clean Access agent updates, managing custom rules or exempting particular users.

I personally believe that mandating a particular antivirus package upon our user-owned systems is wrong.  In particular, many of the antivirus bundles that can be purchased by universities are absolute CRAP.  I'm tired of hearing of cases where the help desk had to go grab some magic uninstall tool from Symantec to get the CCA agent to function again.  I will not run Symantec, McAfee or Sophos on my personal and work systems, as they are all intrusive, annoying software packages with noticeable performance problems.  If I were a student and were forced by NAC to install Symantec on my system, the response from me would involve four-letter words.

So that leaves Windows Updates.  How much time has been spent on trying to figure out why Windows and CCA disagree on what patches are installed?  When it comes down to it, how much of that time was spent for nothing more than giving the Help Desk and NAC admin the warm and fuzzy feeling that the report is no longer in red text?  Did it really cut down on the number of viruses on your network?  Can you even get accurate data on that?

What do we gain from NAC that isn't gained from user education efforts, DMCA enforcement and basic security monitoring of a network?  Cisco NAC is a miserable educational tool unless you prefer your education to involve pissing off users with incomprehensible behaviors from the agent and having them seethe at you and your help desk.

Cisco NAC as it stands is just a way to punish Windows users for using Windows.  Is Windows worth punishing for anymore in the age of Vista and beyond?  Are Mac users subjected to this?  No.  So 1 in 4 users on our campus is magically immune to all this.  Is Mac OS X inherently more secure than Vista/W7?  Nope.

We currently do nothing but Windows checks for the first couple of months of a semester and turn the checks off as finals approach.  I "audit" antivirus packages in case I want to generate some statistics.  Other than that, the real value we get out of NAC is user tracking and basic bandwidth limiting.  And I'm not so sure I even want to force the use of the CCA agent anymore.  Perhaps using it as an optional education tool would be better?  But who would choose to use such a thing?

We've had NAC for many years now but in my eyes its usefulness is fading.  Managing our NAC install is probably 1/5th of my job.  Does the benefit justify the upkeep cost?  I don't know anymore.


-- 
Bruce A. Locke
[log in to unmask]
HAB 50 - (845) 257-3809

Network Administrator
Computer Services
State University of New York at New Paltz 
