
Hello,

We're currently in the process of re-designing our wireless network to split it into a guest side and a "secure" side, add a guest management system, replace the captive portal sign-on with 802.1X authentication on the secure side, etc. As part of this project, we're also taking a look at our use of Network Access Control and thinking about what we're really trying to accomplish. At the moment, we use a "permanent agent" based NAC on PCs and Macs connecting to the wireless network, but the only policy we enforce is that the computer must have antivirus running with up-to-date signatures. If the connecting computer doesn't pass that check, we put it into a remediation VLAN.

Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out because malware has changed, and an argument can perhaps even be made that now that Windows and Mac OS X come with built-in firewalls and whatnot, the requirement to have antivirus installed is obsolete. And then there's the fact that the majority of devices on our wireless network now are not PCs and Macs anyway, and our existing NAC doesn't do anything with those. So, given all that plus some of the push-back we've received from our user community about the NAC requirement in general and this specific NAC in particular, we started thinking...

Why don't we get rid of the NAC altogether? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves. Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed (with a captive portal or whatever) that his/her computer may be infected with malware and provided with advice/tools on cleaning it up. This seemed easy enough, but when we started looking for products, we couldn't find any. There are plenty of IDS/IPS systems out there that can detect and block the traffic; that part's easy. But we've been unable to find any products that can also do the other part--sending users to some sort of quarantine/remediation portal so that they know why their computer isn't working on the network anymore. This last part is critical to us, as we do not run a 24x7 help desk, and we don't want to just silently drop users' traffic with no explanation when there's nobody they can call to find out what's happening.

So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it?

Thanks,
--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu

Comments

On Fri, Jan 04, 2013 at 02:43:30PM -0500, David Curry wrote:
> looking for products, we couldn't find any. There are plenty of IDS/IPS systems
> out there that can detect and block the traffic; that part's easy. But we've
> been unable to find any products that can also do the other part--sending users
> to some sort of quarantine/remediation portal so that they know why their
> computer isn't working on the network anymore. This last part is critical to
> us, as we do not run a 24x7 help desk, and we don't want to just silently drop
> users' traffic with no explanation when there's nobody they can call to find
> out what's happening.
>
> So finally, my question: Has anybody implemented something like this? If so,
> would you be willing to share how you did it?
>
> Thanks,
> --Dave

If you are moving to 802.1x you can dynamically assign vlans based on the user. Like so: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_e... Substitute Cisco with another vendor, I'm sure they all do it.

Then all you need is a tiny script that takes IDS events and flags the associated user records in LDAP.

We never bothered with a remediation network on wireless, we just block their mac address and send them an email. It works well enough for us.

--
-- Justin Azoff
-- Network Security & Performance Analyst
Take a look at IDPs that support IF-MAP (Juniper, Cisco, etc. are either in the game or planning to be there soon). Leveraging an orchestration server (InfoBlox term/name; or Infranet Controller if you're talking Juniper) and a dot-x implementation, malicious/bad activity detected by the IDP can trigger the flow of actions you describe. Ideally, IF-MAP is platform agnostic but with so few players, it's tough to tell just how well that's working out.

We're working toward a similar solution -- no posture check, watch for bad stuff at points of traffic consolidation, and take action accordingly -- using Juniper, InfoBlox, and GreatBay products.  The user community (and support desk) definitely does not miss the fat NAC client.

- Pat

Patrick N. Gorsuch
Manager, Networks and Information Security
Gallaudet University
202-651-5070
patrick.gorsuch@gallaudet.edu

On 1/4/2013 2:43 PM, David Curry wrote:

Mr. Curry,

I do not know if there is a solution like this sold by a particular vendor, but we are kind of doing what you are looking for in regards to peer to peer enforcement on our housing network, but it probably wouldn't be too hard to extrapolate this a little further:

In our housing network we run an application called Integrity by RedLambda which is basically a fancy packet sniffer with a lot of p2p signatures. If this device sees peer to peer traffic, it sends an SNMP trap over to our NAC which causes the device to be moved into a quarantine VLAN. There we hijack the DNS and redirect them to a page where the users have to log in with their username and password (LDAP lookup) and they are shown what was found to be wrong with their device's network traffic. They can read what they did here, and finally are able to put themselves back on the network using a three-strike system. (Every strike increases a timeout that the users have to wait, though there are some opt-out methods for legitimate uses of p2p.)

Depending on your NAC you may be able to steer your users to a remediation portal that is configurable for what you are looking for. Our NAC at least lets us do so for AV/Updates. Extending this a little further should not be a problem.

Ultimately, I think what you are looking at doing is being able to have your devices have some sort of multi-tiered access on the wireless (at least that's how we would like it):

* Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network)
* Devices that cannot be fully validated, or are mobile devices should have some access to internal data, but not full access like a computer that is authenticated using a certificate and uses network traffic protection
* Untrusted devices such as the laptop Joe student brings to your campus to just surf the web, or chew up your Internet bandwidth by watching Netflix on your wireless

Hope that helps!

Sven
Message from markm196@netscape.net

What is the best way people have found to do this without letting ipads or tablets or personal laptops getting on that wireless network?

> Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network)

Mark Monroe
UMSL

On 1/4/2013 2:41 PM, Hahues, Sven wrote:

Before being in higher ed, I was in the fed sector... heavy duty R&D stuff. We had wireless networks for both internal and "guest" use. We didn't use a NAC at all on the guest wireless. The belief system was that the risk wasn't really anything to do with the network – the risk is in the data... where it's stored, how it's stored/accessed, etc. If a vendor brought in an infected system and connected to the wireless, the guest network was deemed a "use at your own risk" resource. That being said – we did log everything that went on/through that network, but that was about it... never really had any issues... but then again, there was really nothing on that network that needed to be protected at the edge. And if there *were* any resources of value that could be reached from the wireless edge – those systems were hardened and scanned for vulnerabilities on a VERY regular basis.

Just another $.02...

M


Dave,

Have you looked into Palo Alto Networks? Palo Alto Networks' award winning firewall (Gartner Report) integrates with many NAC solutions via our very robust API, which includes direct integration with Aruba's Amigopod and Enterasys' Mobile IAM to provide the protection you are seeking.

Here are a few links to learn more: http://media.paloaltonetworks.com/documents/aruba.pdf and http://media.paloaltonetworks.com/documents/enterasys.pdf

Palo Alto Networks - Malware Solution - Wildfire

And I also found this which might help: http://50.57.171.168/wp-content/media/2011-Gartner-Magic-Quadrant-NAC.pdf

I hope this helps.

Best regards,

Martin Golizio | Regional Sales Manager
Office: 609.858.5531 | Mobile: 609.638.1326
www.paloaltonetworks.com


David:

This could be done with the system we have but it would be a long haul for you to get there. It would pretty much mean a single vendor for Wireless, NAC, and SIEM and possibly IPS. We are there except for the SIEM. I looked at trying to squeeze in a SIEM with our last network upgrade but I really don't have the resources to manage such a device once installed. We'd need a dedicated security guy and we don't have that.

The SIEM is not a trivial charge plus adding head count made me steer clear.

With our vendor (Enterasys) the IPS would send events to the SIEM and the SIEM would tell the NAC to put the person in quarantine. The NAC would redirect users to a portal that told them that they were quarantined and why and how to fix it.

They also have an IPS which I am sure they would prefer that you use but I think you could pull it off with any IPS that has syslog although integration would be a challenge.

I have been thinking about the same thing. For us registration takes 10+ min the first time because they have to register, get scanned, load the agent, get scanned again and then go through our network use agreement etc. It is very heavy on the front end, i.e. guilty until proven innocent. I'd rather let them on and then just spank them if they are doing something bad.

The other thing we are missing is that we are not catching other questionable behavior such as folks trying to hack our network. With this system we could quarantine someone if they did a Netscan or hit the admin account on our DCs or anything that we don't like. It would be amazingly powerful and secure and cool. We have a cyber-security program and I know the students are playing around on our network with the ethical hacker skills they are picking up. I would love to be able to shut them down immediately when they try that stuff. It would show them that we really mean business and are serious about security as an institution.



 
Touching on a few points in this thread... responses inline

On 1/4/2013 2:43 PM, David Curry wrote:
> Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out

We also started with a "heavy handed, gatekeeper" NAC deployment. The gatekeeper aspect is what results in the most negative user reaction, and it just gets worse when you periodically re-evaluate and force remediation/quarantine on policy violations. Over the years we have downplayed the remediation aspect, but we do insist on the initial registration and agent. This firmly associates the user with the host/device in question, and the agent registers all of the network interfaces (wired/wireless/etc).

> Why don't we get rid of the NAC altogether? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves.

Yes, and the "misbehavior" is typically identified only by IP address (by your IDS/IPS/firewall/SIEM/etc). Now you need to associate that back to the user. If you now quarantine the device, you have to ensure that you quarantine the WHOLE device (wired and wireless connections).

> Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed

This is essentially what we are doing, although there is not that much "automated" quarantine action directly from the findings. We evaluate the IDS/IPS/etc information and have a manual process to perform the quarantine action, and it also has a side database to track the reasons (and device/user history). It could be scripted to a greater degree of automation for "highly reliable" indications of compromise, but we're not there yet. The Helpdesks (campus and student/resnet) have Senior Techs that have access to clear the quarantine status after they are addressed.

We would like some sort of "self-service, 3-strike" self-remediation available, but again, we're not there yet. If I had more programming staff and hours available I'd love to address that, but we're a skeleton crew with more than enough irons on the fire already.

> So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it?

It's based on Bradford, and works across our wired (Cisco, Procurve, Brocade) and wireless (Aruba) networks, and we cover both Resnet and campus. We have been running with "remediation" disabled for the last few years, but employ their "quarantine" (dead-end) for the cases such as above. We also tweaked the quarantine vlan to allow continued access to our web site, helpdesk, email, so as not to completely cut off the victim user.

The "quarantine" however trumps everything else... you can quarantine an unregistered MAC address... regardless of where they connect. It's not dependent upon registration or having an installed agent to handle the magic.

On 1/4/2013 4:04 PM, Mark Monroe wrote:
> What is the best way people have found to do this without letting ipads or tablets or personal laptops getting on that wireless network?

We allow pretty flexible BYOD at this point, and tweaked the NAC registration to support the wider variety of devices. Most anything that has a browser can be registered quickly, and we don't push any agents to wireless devices. We just authenticate and register the device to the user.

> Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network)

We do role-based security that is assigned by device (initially inherited from the user, but devices can be individually changed). Phones/PDAs/etc get their own default role... but currently we don't really have any restrictions different from default campus network access. The role-based security translates to a vlan on the wired network, or a role at the Aruba controller.

On 1/5/2013 1:31 PM, John Kaftan wrote:
> I have been thinking about the same thing. For us registration takes 10+ min the first time because they have to register, get scanned, load the agent, get scanned again and then go through our network use agreement etc. It is very heavy on the front end, i.e. guilty until proven innocent. I'd rather let them on and then just spank them if they are doing something bad.

There is the initial "pain" here as well, but we have minimized much of it (the somewhat kludgy captive registration portal) by pushing new devices into our "setup" wireless SSID. This leverages XpressConnect to configure the device for our wireless (wpa2/enterprise), and as a bonus will install the NAC agent if it isn't already present. This essentially bypasses the registration portal, the agent pops up for authentication credentials, does a scan, and registers the device.

> The other thing we are missing is that we are not catching other questionable behavior such as folks trying to hack our network. With this system we could quarantine someone if they did a Netscan or hit the admin account on our DCs or anything that we don't like. It would be amazingly powerful and secure and cool.

As noted above, the "quarantine" trumps everything. If we can get a MAC address, we can quarantine it. Our NAC tracks MAC/IP/switchport connections for even unregistered (rogue) devices so this is fairly easy to do.

Jeff
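The pipeline that Justin (IDS event flags the user, 802.1X hands out the VLAN), Sven (quarantine VLAN, portal login, three strikes with a growing timeout) and Jeff (attribute the IP to a user and quarantine every interface that user registered) describe, as an added Python example that is not code from anyone in this thread. The alert lines, device registry, VLAN ids, strike timeouts and priority threshold are constructed for the example; the only real identifiers are the RFC 3580 RADIUS tunnel attributes. In a deployment the alerts would arrive over syslog and the registry would come from the NAC or RADIUS accounting.

```python
import re

# Constructed Snort/Suricata "fast"-style alert lines; the SIDs and messages
# are invented for this example and are not real rule IDs.
IDS_ALERTS = [
    "01/04-14:50:01.000000  [**] [1:1000001:1] CONSTRUCTED SCAN inbound sweep "
    "[**] [Priority: 2] {TCP} 10.20.30.40:51234 -> 10.0.0.5:3306",
    "01/04-14:50:02.000000  [**] [1:1000002:1] CONSTRUCTED TROJAN beacon "
    "[**] [Priority: 1] {TCP} 10.20.30.41:49152 -> 203.0.113.7:80",
    "01/04-14:50:03.000000  [**] [1:1000003:1] CONSTRUCTED INFO mDNS chatter "
    "[**] [Priority: 3] {UDP} 10.20.30.42:5353 -> 224.0.0.251:5353",
]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Constructed NAC registration data: a user may own several interfaces (Jeff's
# point: quarantine the whole device), LEASES is the current IP -> MAC view
# that DHCP or RADIUS accounting would provide.
DEVICES = {
    "alice": ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"],  # wifi + wired NIC
    "bob":   ["aa:bb:cc:00:00:03"],
    "carol": ["aa:bb:cc:00:00:04"],
}
LEASES = {"10.20.30.40": "aa:bb:cc:00:00:01",
          "10.20.30.41": "aa:bb:cc:00:00:03",
          "10.20.30.42": "aa:bb:cc:00:00:04"}

NORMAL_VLAN, QUARANTINE_VLAN = "100", "999"   # placeholder VLAN ids
MAX_PRIORITY = 2            # assumption: only priority 1-2 alerts earn a strike
# Sven's "every strike increases the timeout"; these numbers are assumed.
STRIKE_TIMEOUTS = [15 * 60, 60 * 60, 24 * 60 * 60]   # seconds
DEMO_NOW = 1357321800       # constructed epoch timestamp for the demo


class QuarantineEngine:
    def __init__(self, devices, leases):
        self.devices = devices
        self.mac_owner = {m: u for u, macs in devices.items() for m in macs}
        self.leases = leases
        self.strikes = {}       # user -> strikes so far
        self.quarantined = {}   # mac -> (reason, epoch second release is allowed)

    def process_alert(self, line, now):
        """Return (user, macs) quarantined because of this alert, else None."""
        m = ALERT_RE.search(line)
        if not m or int(m["prio"]) > MAX_PRIORITY:
            return None
        user = self.mac_owner.get(self.leases.get(m["src"]))
        if user is None:
            return None  # unregistered source: nothing to attribute, log only
        strike = self.strikes.get(user, 0) + 1
        self.strikes[user] = strike
        wait = STRIKE_TIMEOUTS[min(strike, len(STRIKE_TIMEOUTS)) - 1]
        macs = list(self.devices[user])
        for mac in macs:    # every registered interface, not only the one seen
            self.quarantined[mac] = (m["msg"], now + wait)
        return user, macs

    def radius_reply(self, mac):
        """RFC 3580 tunnel attributes for this MAC's next 802.1X authentication;
        the switch or wireless controller puts the port/client in that VLAN."""
        vlan = QUARANTINE_VLAN if mac in self.quarantined else NORMAL_VLAN
        return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": vlan}

    def portal_status(self, mac, now):
        """What the remediation portal shows once the user has logged in."""
        if mac not in self.quarantined:
            return None
        reason, not_before = self.quarantined[mac]
        user = self.mac_owner[mac]
        return {"user": user, "reason": reason, "strike": self.strikes[user],
                "can_release": now >= not_before,
                "wait_seconds": max(0, not_before - now)}

    def self_release(self, mac, now):
        """User-driven release from the portal, allowed only after the timeout."""
        status = self.portal_status(mac, now)
        if status is None or not status["can_release"]:
            return False
        for each in self.devices[status["user"]]:
            self.quarantined.pop(each, None)
        return True


def run_demo(now=DEMO_NOW):
    """Feed the constructed alerts through a fresh engine."""
    eng = QuarantineEngine(DEVICES, LEASES)
    return eng, [eng.process_alert(line, now) for line in IDS_ALERTS]


if __name__ == "__main__":
    engine, hits = run_demo()
    print(hits)
    print(engine.radius_reply("aa:bb:cc:00:00:02"))
```

The priority-3 line is ignored, alice's wired NIC is quarantined along with the wireless one that was actually seen, and a second strike replaces the 15-minute wait with a one-hour wait before the portal lets her release herself.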
Hello,

We're currently in the process of re-designing our wireless network to split it into a guest side and a "secure" side, add a guest management system, replace the captive portal sign-on with 802.1X authentication on the secure side, etc. As part of this project, we're also taking a look at our use of Network Access Control and thinking about what we're really trying to accomplish. At the moment, we use a "permanent agent" based NAC on PCs and Macs connecting to the wireless network, but the only policy we enforce is that the computer must have antivirus running with up-to-date signatures. If the connecting computer doesn't pass that check, we put it into a remediation VLAN.

Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out because malware has changed, and an argument can perhaps even be made that now that Windows and Mac OS X come with built-in firewalls and whatnot, the requirement to have antivirus installed is obsolete. And then there's the fact that the majority of devices on our wireless network now are not PCs and Macs anyway, and our existing NAC doesn't do anything with those. So, given all that plus some of the push-back we've received from our user community about the NAC requirement in general and this specific NAC in particular, we started thinking...

Why don't we get rid of the NAC all together? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves. Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed (with a captive portal or whatever) that his/her computer may be infected with malware and provided with advice/tools on cleaning it up. This seemed easy enough, but when we started looking for products, we couldn't find any. There are plenty of IDS/IPS systems out there that can detect and block the traffic; that part's easy. But we've been unable to find any products that can also do the other part--sending users to some sort of quarantine/remediation portal so that they know why their computer isn't working on the network anymore. This last part is critical to us, as we do not run a 24x7 help desk, and we don't want to just silently drop users' traffic with no explanation when there's nobody they can call to find out what's happening.

So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it?

Thanks,
--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu

On Fri, Jan 04, 2013 at 02:43:30PM -0500, David Curry wrote: > looking for products, we couldn't find any. There are plenty of IDS/IPS systems > out there that can detect and block the traffic; that part's easy. But we've > been unable to find any products that can also do the other part--sending users > to some sort of quarantine/remediation portal so that they know why their > computer isn't working on the network anymore. This last part is critical to > us, as we do not run a 24x7 help desk, and we don't want to just silently drop > users' traffic with no explanation when there's nobody they can call to find > out what's happening. > > So finally, my question: Has anybody implemented something like this? If so, > would you be willing to share how you did it? > > Thanks, > --Dave If you are moving to 802.1x you can dynamically assign vlans based on the user. like so: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_e... substitute cisco with another vendor, I'm sure they all do it. Then all you need is a tiny script that takes IDS events and flags the associated user records in LDAP. We never bothered with a remediation network on wireless, we just block their mac address and send them an email. It works well enough for us. -- -- Justin Azoff -- Network Security & Performance Analyst
Take a look at IDPs that support IF-MAP (Juniper, Cisco, etc. are either in the game or planning to be there soon).  Leveraging an orchestration server (InfoBlox term/name; or infranet controller if you're talking Juniper) and an dot-x implementation, malicious/bad activity detected by the IDP can trigger the flow of actions you describe.  Ideally, IF-MAP is platform agnostic but with so few players, it's tough to tell just how well that's working out. 

We're working toward a similar solution -- no posture check, watch for bad stuff at points of traffic consolidation, and take action accordingly -- using Juniper, InfoBlox, and GreatBay products.  The user community (and support desk) definitely does not miss the fat NAC client.

- Pat

Patrick N. Gorsuch Manager, Networks and Information Security Gallaudet University 202-651-5070 patrick.gorsuch@gallaudet.edu On 1/4/2013 2:43 PM, David Curry wrote:
Hello,

We're currently in the process of re-designing our wireless network to split it into a guest side and a "secure" side, add a guest management system, replace the captive portal sign-on with 802.1X authentication on the secure side, etc. As part of this project, we're also taking a look at our use of Network Access Control and thinking about what we're really trying to accomplish. At the moment, we use a "permanent agent" based NAC on PCs and Macs connecting to the wireless network, but the only policy we enforce is that the computer must have antivirus running with up-to-date signatures. If the connecting computer doesn't pass that check, we put it into a remediation VLAN.

Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out because malware has changed, and an argument can perhaps even be made that now that Windows and Mac OS X come with built-in firewalls and whatnot, the requirement to have antivirus installed is obsolete. And then there's the fact that the majority of devices on our wireless network now are not PCs and Macs anyway, and our existing NAC doesn't do anything with those. So, given all that plus some of the push-back we've received from our user community about the NAC requirement in general and this specific NAC in particular, we started thinking...

Why don't we get rid of the NAC all together? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves. Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed (with a captive portal or whatever) that his/her computer may be infected with malware and provided with advice/tools on cleaning it up. This seemed easy enough, but when we started looking for products, we couldn't find any. There are plenty of IDS/IPS systems out there that can detect and block the traffic; that part's easy. But we've been unable to find any products that can also do the other part--sending users to some sort of quarantine/remediation portal so that they know why their computer isn't working on the network anymore. This last part is critical to us, as we do not run a 24x7 help desk, and we don't want to just silently drop users' traffic with no explanation when there's nobody they can call to find out what's happening.

So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it?

Thanks,
--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu


Mr. Curry, I do not know if there is a solution like this sold by a particular vendor, but we are kind of doing what you are looking for in regards to peer to peer enforcement on our housing network, but it probably wouldn't be too hard to extrapolate this a little further: In our housing network we run an application called Integrity by RedLambda which is basically a fancy packetsniffer with a lot of p2p signatures. If this device sees peer 2 peer traffic, it sends an SNMP trap over to our NAC which causes the device to be moved into a quarantine vlan. There we hijack the DNS and redirect them to a page where the users have to log in with their username and password (ldap lookup) and they are shown what their device was found to be wrong with their network traffic. They can read what they did here, and finally are able to put themselves back on the network using a three strike system. (Every strike increases a timeout that the users have to wait though there are some opt-out methods for legitimate uses of p2p) Depending on your NAC you may be able to steer your users to a remediation portal that is configurable for what you are looking for. Our NAC at least lets us do so for AV/Updates. Extending this a little further should not be a problem. Ultimately, I think what you are looking at doing is being able to have your devices have some sort of multi-tiered access on the wireless (at least that's how we would like it): * Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network) * Devices that cannot be fully validated, or are mobile devices should have some access to internal data, but not full access like a computer that is authenticated using a certificate and uses network traffic protection * Untrusted devices such as the laptop Joe student brings to your campus to just surf the web, or chew up your Internet bandwidth by watching Netflix on your wireless Hope that helps! Sven
Message from markm196@netscape.net

What is the best way people have found to do this without letting iPads or tablets or personal laptops get on that wireless network?

> Institution-owned devices such as laptops or PCs are able to get on the same as your wired clients (e.g. Internal Network)

Mark Monroe
UMSL

Before being in higher ed, I was in the fed sector.....heavy duty R&D stuff.  We had wireless networks for both internal and "guest" use.  We didn't use a NAC at all on the guest wireless.  The belief system was that the risk wasn't really anything to do with the network; the risk is in the data......where it's stored, how it's stored/accessed, etc.  If a vendor brought in an infected system and connected to the wireless, the guest network was deemed a "use at your own risk" resource.  That being said, we did log everything that went on/through that network, but that was about it.....never really had any issues.....but then again, there was really nothing on that network that needed to be protected at the edge.  And if there *were* any resources of value that could be reached from the wireless edge, those systems were hardened and scanned for vulnerabilities on a VERY regular basis....

Just another $.02.....

M

Dave,

Have you looked into Palo Alto Networks? Palo Alto Networks' award winning firewall (Gartner Report) integrates with many NAC solutions via our very robust API, which includes direct integration with Aruba's Amigopod and Enterasys' Mobile IAM to provide the protection you are seeking.

Here are a few links to learn more: http://media.paloaltonetworks.com/documents/aruba.pdf and http://media.paloaltonetworks.com/documents/enterasys.pdf

Palo Alto Networks - Malware Solution - Wildfire

And I also found this which might help: http://50.57.171.168/wp-content/media/2011-Gartner-Magic-Quadrant-NAC.pdf

I hope this helps.

Best regards,

Martin Golizio   |   Regional Sales Manager
Office: 609.858.5531 | Mobile: 609.638.1326
www.paloaltonetworks.com


David:

This could be done with the system we have but it would be a long haul for you to get there.  It would pretty much mean a single vendor for Wireless, NAC, and SIEM and possibly IPS.  We are there except for the SIEM.  I looked at trying to squeeze in a SIEM with our last network upgrade but I really don't have the resources to manage such a device once installed.  We'd need a dedicated security guy and we don't have that.

The SIEM is not a trivial charge, plus adding head count made me steer clear.

With our vendor (Enterasys) the IPS would send events to the SIEM and the SIEM would tell the NAC to put the person in quarantine.  The NAC would redirect users to a portal that told them that they were quarantined and why and how to fix it.

They also have an IPS which I am sure they would prefer that you use, but I think you could pull it off with any IPS that has syslog, although integration would be a challenge.

I have been thinking about the same thing.  For us registration takes 10+ min the first time because they have to register, get scanned, load the agent, get scanned again and then go through our network use agreement etc.  It is very heavy on the front end, i.e. guilty until proven innocent.  I'd rather let them on and then just spank them if they are doing something bad.

The other thing we are missing is that we are not catching other questionable behavior such as folks trying to hack our network.  With this system we could quarantine someone if they did a Netscan or hit the admin account on our DCs or anything that we don't like.  It would be amazingly powerful and secure and cool.  We have a cyber-security program and I know the students are playing around on our network with the ethical hacker skills they are picking up.  I would love to be able to shut them down immediately when they try that stuff.  It would show them that we really mean business and are serious about security as an institution.

Touching on a few points in this thread... responses inline

On 1/4/2013 2:43 PM, David Curry wrote:
> Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out

We also started with a "heavy handed, gatekeeper" NAC deployment.  The gatekeeper aspect is what results in the most negative user reaction, and it just gets worse when you periodically re-evaluate and force remediation/quarantine on policy violations.  Over the years we have downplayed the remediation aspect, but we do insist on the initial registration and agent.  This firmly associates the user with the host/device in question, and the agent registers all of the network interfaces (wired/wireless/etc). 

> Why don't we get rid of the NAC all together? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves.

Yes, and the "misbehavior" is typically identified only by IP address (by your IDS/IPS/firewall/SIEM/etc).  Now you need to associate that back to the user.  If you now quarantine the device, you have to ensure that you quarantine the WHOLE device (wired and wireless connections).

> Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed

This is essentially what we are doing, although there is not that much "automated" quarantine action directly from the findings.  We evaluate the IDS/IPS/etc information and have a manual process to perform the quarantine action, and it also has a side database to track the reasons (and device/user history).  It could be scripted to a greater degree of automation for "highly reliable" indications of compromise, but we're not there yet.  The Helpdesks (campus and student/resnet) have Senior Techs that have access to clear the quarantine status after they are addressed.

We would like some sort of "self-service, 3-strike" self-remediation available, but again, we're not there yet.  If I had more programming staff and hours available I'd love to address that, but we're a skeleton crew with more than enough irons on the fire already.

> So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it?

It's based on Bradford, and works across our wired (Cisco, Procurve, Brocade) and wireless (Aruba) networks, and we cover both Resnet and campus.  We have been running with "remediation" disabled for the last few years, but employ their "quarantine" (dead-end) for cases such as above.  We also tweaked the quarantine VLAN to allow continued access to our web site, helpdesk, and email, so as not to completely cut off the victim user.

The "quarantine" however trumps everything else... you can quarantine an unregistered MAC address... regardless of where they connect.  It's not dependent upon registration or having an installed agent to handle the magic. 

On 1/4/2013 4:04 PM, Mark Monroe wrote:
> What is the best way people have found to do this without letting ipads or tablets or personal laptops getting on that wireless network?

We allow pretty flexible BYOD at this point, and tweaked the NAC registration to support the wider variety of devices.  Most anything that has a browser can be registered quickly, and we don't push any agents to wireless devices.  We just authenticate and register the device to the user. 

> Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network)

We do role-based security that is assigned by device (initially inherited from the user, but devices can be individually changed).  Phones/PDAs/etc get their own default role... but currently we don't really have any restrictions different from default campus network access.  The role-based security translates to a vlan on the wired network, or a role at the Aruba controller.

On 1/5/2013 1:31 PM, John Kaftan wrote:
> I have been thinking about the same thing.  For us registration takes 10 + min the first time because they have to register, get scanned, load the agent, get scanned again and then go through our network use agreement etc.  It is very heavy on the front end, i.e. guilty until proven innocent.  I'd rather let them on and then just spank them if they are doing something bad.

There is the initial "pain" here as well, but we have minimized much of it (the somewhat kludgy captive registration portal) by pushing new devices into our "setup" wireless SSID.  This leverages XpressConnect to configure the device for our wireless (wpa2/enterprise), and as a bonus will install the NAC agent if it isn't already present.  This essentially bypasses the registration portal, the agent pops up for authentication credentials, does a scan, and registers the device.

> The other thing we are missing is that we are not catching other questionable behavior such as folks trying to hack our network.  With this system we could quarantine someone if they did a Netscan or hit the admin account on our DCs or anything that we don't like.  It would be amazingly powerful and secure and cool.

As noted above, the "quarantine" trumps everything.  If we can get a MAC address, we can quarantine it.  Our NAC tracks MAC/IP/switchport connections for even unregistered (rogue) devices so this is fairly easy to do.

Jeff
On Fri, Jan 04, 2013 at 02:43:30PM -0500, David Curry wrote:
> looking for products, we couldn't find any. There are plenty of IDS/IPS systems
> out there that can detect and block the traffic; that part's easy. But we've
> been unable to find any products that can also do the other part--sending users
> to some sort of quarantine/remediation portal so that they know why their
> computer isn't working on the network anymore. This last part is critical to
> us, as we do not run a 24x7 help desk, and we don't want to just silently drop
> users' traffic with no explanation when there's nobody they can call to find
> out what's happening.
>
> So finally, my question: Has anybody implemented something like this? If so,
> would you be willing to share how you did it?
>
> Thanks,
> --Dave

If you are moving to 802.1x you can dynamically assign VLANs based on the user, like so:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_e...

Substitute Cisco with another vendor; I'm sure they all do it. Then all you need is a tiny script that takes IDS events and flags the associated user records in LDAP.

We never bothered with a remediation network on wireless, we just block their MAC address and send them an email. It works well enough for us.

--
-- Justin Azoff
-- Network Security & Performance Analyst
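Putting Sven's three-strike quarantine with escalating timeouts and Justin's "tiny script that takes IDS events" together, here is an added example (not code from any poster's system or product) of the event-to-quarantine decision logic the thread describes: an IDS alert keyed by IP is mapped back to a registered device and user, every interface of that device is quarantined together (Jeff's point), and the engine produces the reason text a remediation portal would show. The device table, lease table, alert lines and signature IDs are all constructed.

```python
"""Added example, not code from any poster's system: an event-driven
quarantine decision engine of the kind the thread sketches.  IDS alerts
arrive keyed by source IP, are mapped back to a registered device (all of
its interfaces) and its user, and a three-strike policy with escalating
timeouts decides the action and the text the remediation portal shows.
All tables, names, signature IDs and alert lines are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the NAC's registration table.  A device can own
# several MACs (wired + wireless); a quarantine must cover all of them.
DEVICES = {
    "dev-1001": {"user": "jstudent", "macs": ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"]},
    "dev-1002": {"user": "ksmith", "macs": ["aa:bb:cc:00:00:03"]},
}
# Constructed stand-in for the current DHCP lease / association table.
IP_TO_MAC = {"10.20.30.40": "aa:bb:cc:00:00:01", "10.20.30.41": "aa:bb:cc:00:00:03"}

# Wait the user must serve before self-releasing, per strike (minutes).
# Beyond the last entry the device stays quarantined until staff clear it.
STRIKE_TIMEOUTS = [0, 60, 24 * 60]

# Snort "fast" alert layout: [**] [gid:sid:rev] message [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


@dataclass
class Decision:
    action: str                 # "ignore", "unknown_host", "quarantine", "escalate"
    device: Optional[str]
    user: Optional[str]
    macs: List[str]             # every MAC the quarantine must be applied to
    strike: int
    timeout_min: Optional[int]  # None when only staff can release the device
    reason: str                 # what the remediation portal shows the user


@dataclass
class QuarantineEngine:
    strikes: Dict[str, int] = field(default_factory=dict)

    @staticmethod
    def parse_alert(line: str) -> Optional[dict]:
        """Pull signature message, protocol and endpoints out of a fast-alert line."""
        m = ALERT_RE.search(line)
        return m.groupdict() if m else None

    @staticmethod
    def lookup_device(ip: str) -> Optional[str]:
        """Map a source IP to the registered device id via the lease table."""
        mac = IP_TO_MAC.get(ip)
        for dev_id, info in DEVICES.items():
            if mac in info["macs"]:
                return dev_id
        return None

    def handle(self, line: str) -> Decision:
        alert = self.parse_alert(line)
        if alert is None:
            return Decision("ignore", None, None, [], 0, None, "unparseable alert line")
        dev_id = self.lookup_device(alert["src"])
        if dev_id is None:
            # No registration record: nothing to quarantine by MAC, so flag it
            # for manual follow-up rather than silently dropping traffic.
            return Decision("unknown_host", None, None, [], 0, None,
                            f"{alert['msg']} from unregistered host {alert['src']}")
        self.strikes[dev_id] = self.strikes.get(dev_id, 0) + 1
        strike = self.strikes[dev_id]
        info = DEVICES[dev_id]
        reason = (f"Strike {strike}: {alert['msg']} ({alert['proto']} "
                  f"{alert['src']} -> {alert['dst']}). Your device has been moved "
                  "to the quarantine network.")
        if strike > len(STRIKE_TIMEOUTS):
            return Decision("escalate", dev_id, info["user"], list(info["macs"]),
                            strike, None, reason + " Contact the help desk to be released.")
        timeout = STRIKE_TIMEOUTS[strike - 1]
        return Decision("quarantine", dev_id, info["user"], list(info["macs"]),
                        strike, timeout,
                        reason + f" You may release it yourself after {timeout} minutes.")


# Constructed alert lines in the shape an IDS would log them.
SAMPLE_ALERTS = [
    "01/04-14:43:30.123456  [**] [1:9000001:1] P2P BitTorrent DHT ping request [**] "
    "[Priority: 3] {UDP} 10.20.30.40:51413 -> 203.0.113.9:6881",
    "01/04-14:44:02.000001  [**] [1:9000001:1] P2P BitTorrent DHT ping request [**] "
    "[Priority: 3] {UDP} 10.20.30.40:51413 -> 203.0.113.10:6881",
    "01/04-14:45:10.500000  [**] [1:9000002:1] SCAN portscan attempt [**] "
    "[Priority: 2] {TCP} 10.20.30.99:4444 -> 10.20.1.5:445",
]


def run(lines: List[str]) -> List[Decision]:
    """Feed a batch of alert lines through one engine and return its decisions."""
    engine = QuarantineEngine()
    return [engine.handle(line) for line in lines]


if __name__ == "__main__":
    for d in run(SAMPLE_ALERTS):
        print(d.action, d.device, d.user, d.macs, d.timeout_min, "|", d.reason)
```

In a real deployment the two tables would come from the NAC or DHCP server and the decision would be pushed as a VLAN change or MAC block; the strike counter also needs to persist and decay, which is left out here.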
Take a look at IDPs that support IF-MAP (Juniper, Cisco, etc. are either in the game or planning to be there soon).  Leveraging an orchestration server (InfoBlox term/name; or infranet controller if you're talking Juniper) and a dot-x implementation, malicious/bad activity detected by the IDP can trigger the flow of actions you describe.  Ideally, IF-MAP is platform agnostic, but with so few players it's tough to tell just how well that's working out.

We're working toward a similar solution -- no posture check, watch for bad stuff at points of traffic consolidation, and take action accordingly -- using Juniper, InfoBlox, and GreatBay products.  The user community (and support desk) definitely does not miss the fat NAC client.

- Pat

Patrick N. Gorsuch
Manager, Networks and Information Security
Gallaudet University
202-651-5070
patrick.gorsuch@gallaudet.edu
Mr. Curry, I do not know if there is a solution like this sold by a particular vendor, but we are kind of doing what you are looking for in regards to peer to peer enforcement on our housing network, but it probably wouldn't be too hard to extrapolate this a little further: In our housing network we run an application called Integrity by RedLambda which is basically a fancy packetsniffer with a lot of p2p signatures. If this device sees peer 2 peer traffic, it sends an SNMP trap over to our NAC which causes the device to be moved into a quarantine vlan. There we hijack the DNS and redirect them to a page where the users have to log in with their username and password (ldap lookup) and they are shown what their device was found to be wrong with their network traffic. They can read what they did here, and finally are able to put themselves back on the network using a three strike system. (Every strike increases a timeout that the users have to wait though there are some opt-out methods for legitimate uses of p2p) Depending on your NAC you may be able to steer your users to a remediation portal that is configurable for what you are looking for. Our NAC at least lets us do so for AV/Updates. Extending this a little further should not be a problem. Ultimately, I think what you are looking at doing is being able to have your devices have some sort of multi-tiered access on the wireless (at least that's how we would like it): * Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network) * Devices that cannot be fully validated, or are mobile devices should have some access to internal data, but not full access like a computer that is authenticated using a certificate and uses network traffic protection * Untrusted devices such as the laptop Joe student brings to your campus to just surf the web, or chew up your Internet bandwidth by watching Netflix on your wireless Hope that helps! Sven
Message from markm196@netscape.net

What is the best way people have found to do this without letting ipads or tablets or personal laptops getting on that wireless network? Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network) Mark Monroe UMSL On 1/4/2013 2:41 PM, Hahues, Sven wrote: > Mr. Curry, > > I do not know if there is a solution like this sold by a particular vendor, but we are kind of doing what you are looking for in regards to peer to peer enforcement on our housing network, but it probably wouldn't be too hard to extrapolate this a little further: > > In our housing network we run an application called Integrity by RedLambda which is basically a fancy packetsniffer with a lot of p2p signatures. If this device sees peer 2 peer traffic, it sends an SNMP trap over to our NAC which causes the device to be moved into a quarantine vlan. There we hijack the DNS and redirect them to a page where the users have to log in with their username and password (ldap lookup) and they are shown what their device was found to be wrong with their network traffic. They can read what they did here, and finally are able to put themselves back on the network using a three strike system. (Every strike increases a timeout that the users have to wait though there are some opt-out methods for legitimate uses of p2p) > > Depending on your NAC you may be able to steer your users to a remediation portal that is configurable for what you are looking for. Our NAC at least lets us do so for AV/Updates. Extending this a little further should not be a problem. > > Ultimately, I think what you are looking at doing is being able to have your devices have some sort of multi-tiered access on the wireless (at least that's how we would like it): > > * Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. 
Internal Network) > * Devices that cannot be fully validated, or are mobile devices should have some access to internal data, but not full access like a computer that is authenticated using a certificate and uses network traffic protection > * Untrusted devices such as the laptop Joe student brings to your campus to just surf the web, or chew up your Internet bandwidth by watching Netflix on your wireless > > Hope that helps! > > Sven > >

Before being in higher ed, I was in the fed sector…..heavy duty R&D stuff.  We had wireless networks for both internal and “guest” use.  We didn’t use a NAC at all on the guest wireless.  The belief system was that the risk wasn’t really anything to do with the network – the risk is in the data……where it’s stored, how it’s stored/accessed, etc.  If a vendor brought in an infected system and connected to the wireless, the guest network was deemed a “use at your own risk” resource.  That being said – we did log everything that when on/through that network, but that was about it…..never really had any issues…..but then again, there was really nothing on that network that needed to be protected at the edge.  And if there *were* any resources of value that could be reached from the wireless edge – those systems were hardened and scanned for vulnerabilities on a VERY regular basis….

 

Just another $.02…..

 

M

 

Dave,

 

Have you looked into Palo Alto Networks? Palo Alto Networks’ award winning firewall (Gartner Report) integrates with many NAC solutions via our very robust API, which includes direct integration with Aruba’s Amigopod and Enterasys’ Mobile IAM to provide the protection you are seeking.

 

Here are a few links to learn more: http://media.paloaltonetworks.com/documents/aruba.pdf and http://media.paloaltonetworks.com/documents/enterasys.pdf

 

Palo Alto Networks - Malware Solution - Wildfire

 

And I also found this which might help  http://50.57.171.168/wp-content/media/2011-Gartner-Magic-Quadrant-NAC.pdf

 

I hope this helps.

 

 

Best regards,

 

Martin Golizio   |   Regional Sales Manager

Office: 609.858.5531 | Mobile: 609.638.1326

www.paloaltonetworks.com

 

 

David:
 
This could be done with the system we have but it would be a long haul for you to get there.  It would pretty much mean a single vendor for Wireless, NAC, and SIEM and possibly IPS.  We are there accept for the SIEM.  I looked at trying to squeeze in a SEIM with our last network upgrade but I really don't have the resources to manage such a device once installed.  We'd need a dedicated security guy and we don't have that.
 
The SEIM is not a trivial charge plus adding head count made me steer clear. 
 
With our vendor (Enterasys) the IPS would send events to SEIM and the SEIM would tell the NAC to put the person in quarantine.  The NAC would redirect users to a portal that told them that they were quarantined and why and how to fix it.
 
They also have an IPS which I am sure they would prefer that you use but I think you could pull it off with any IPS that has syslog although integration would be a challenge.
 
I have been thinking about the same thing.  For us registration takes 10 + min the first time because they have to register, get scanned, load the agent, get scanned again and then go through our network use agreement etc.  It is very heavy on the front end, i.e. guilty until proven innocent.  I'd rather let them on and then just spank them if they are doing something bad. 
 
The other thing we are missing is that we are not catching other questionable behavior such as folks trying to hack our network.  With this system we could quarantine someone if they did a Netscan or hit the admin account on our DCs or anything that we don't like.  It would be amazingly powerful and secure and cool.  We have a cyber-securty program and I know the students are playing around on our network with the ethical hacker skills they are picking up.  I would love to be able to shut them down immediately when they try that stuff.  It would show them that we really mean business and are serious security as an institution.
 


 
Touching on a few points in this thread... responses inline

On 1/4/2013 2:43 PM, David Curry wrote:
Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out

We also started with a "heavy handed, gatekeeper" NAC deployment.  The gatekeeper aspect is what results in the most negative user reaction, and it just gets worse when you periodically re-evaluate and force remediation/quarantine on policy violations.  Over the years we have downplayed the remediation aspect, but we do insist on the initial registration and agent.  This firmly associates the user with the host/device in question, and the agent registers all of the network interfaces (wired/wireless/etc). 

Why don't we get rid of the NAC all together? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves.

Yes, and the "misbehavior" is typically identified only by IP address (by your IDS/IPS/firewall/SIEM/etc).  Now you need to associate that back to the user.  If you now quarantine the device, you have to insure that you quarantine the WHOLE device (wired and wireless connections). 

Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed


Dave,

Have you looked into Palo Alto Networks? Palo Alto Networks’ award-winning firewall (Gartner Report) integrates with many NAC solutions via our very robust API, which includes direct integration with Aruba’s Amigopod and Enterasys’ Mobile IAM to provide the protection you are seeking.

Here are a few links to learn more: http://media.paloaltonetworks.com/documents/aruba.pdf and http://media.paloaltonetworks.com/documents/enterasys.pdf

Palo Alto Networks - Malware Solution - Wildfire

And I also found this which might help: http://50.57.171.168/wp-content/media/2011-Gartner-Magic-Quadrant-NAC.pdf

I hope this helps.

Best regards,

Martin Golizio | Regional Sales Manager
Office: 609.858.5531 | Mobile: 609.638.1326
www.paloaltonetworks.com


David:

This could be done with the system we have but it would be a long haul for you to get there.  It would pretty much mean a single vendor for Wireless, NAC, and SIEM and possibly IPS.  We are there except for the SIEM.  I looked at trying to squeeze in a SIEM with our last network upgrade but I really don't have the resources to manage such a device once installed.  We'd need a dedicated security guy and we don't have that.

The SIEM is not a trivial charge plus adding head count made me steer clear.

With our vendor (Enterasys) the IPS would send events to the SIEM and the SIEM would tell the NAC to put the person in quarantine.  The NAC would redirect users to a portal that told them that they were quarantined and why and how to fix it.

They also have an IPS which I am sure they would prefer that you use but I think you could pull it off with any IPS that has syslog although integration would be a challenge.

I have been thinking about the same thing.  For us registration takes 10+ min the first time because they have to register, get scanned, load the agent, get scanned again and then go through our network use agreement etc.  It is very heavy on the front end, i.e. guilty until proven innocent.  I'd rather let them on and then just spank them if they are doing something bad.

The other thing we are missing is that we are not catching other questionable behavior such as folks trying to hack our network.  With this system we could quarantine someone if they did a Netscan or hit the admin account on our DCs or anything that we don't like.  It would be amazingly powerful and secure and cool.  We have a cyber-security program and I know the students are playing around on our network with the ethical hacker skills they are picking up.  I would love to be able to shut them down immediately when they try that stuff.  It would show them that we really mean business and are serious about security as an institution.
 


 
Touching on a few points in this thread... responses inline

On 1/4/2013 2:43 PM, David Curry wrote:
> Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out

We also started with a "heavy handed, gatekeeper" NAC deployment.  The gatekeeper aspect is what results in the most negative user reaction, and it just gets worse when you periodically re-evaluate and force remediation/quarantine on policy violations.  Over the years we have downplayed the remediation aspect, but we do insist on the initial registration and agent.  This firmly associates the user with the host/device in question, and the agent registers all of the network interfaces (wired/wireless/etc).

> Why don't we get rid of the NAC all together? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves.

Yes, and the "misbehavior" is typically identified only by IP address (by your IDS/IPS/firewall/SIEM/etc).  Now you need to associate that back to the user.  If you now quarantine the device, you have to ensure that you quarantine the WHOLE device (wired and wireless connections).

> Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed

This is essentially what we are doing, although there is not that much "automated" quarantine action directly from the findings.  We evaluate the IDS/IPS/etc information and have a manual process to perform the quarantine action, and it also has a side database to track the reasons (and device/user history).  It could be scripted to a greater degree of automation for "highly reliable" indications of compromise, but we're not there yet.  The Helpdesks (campus and student/resnet) have Senior Techs that have access to clear the quarantine status after they are addressed.

We would like some sort of "self-service, 3-strike" self-remediation available, but again, we're not there yet.  If I had more programming staff and hours available I'd love to address that, but we're a skeleton crew with more than enough irons on the fire already.

> So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it?

It's based on Bradford, and works across our wired (Cisco, Procurve, Brocade) and wireless (Aruba) networks, and we cover both Resnet and campus.  We have been running with "remediation" disabled for the last few years, but employ their "quarantine" (dead-end) for the cases such as above.  We also tweaked the quarantine vlan to allow continued access to our web site, helpdesk, email, so as not to completely cut off the victim user.

The "quarantine" however trumps everything else... you can quarantine an unregistered MAC address... regardless of where they connect.  It's not dependent upon registration or having an installed agent to handle the magic.

On 1/4/2013 4:04 PM, Mark Monroe wrote:
> What is the best way people have found to do this without letting ipads or tablets or personal laptops getting on that wireless network?

We allow pretty flexible BYOD at this point, and tweaked the NAC registration to support the wider variety of devices.  Most anything that has a browser can be registered quickly, and we don't push any agents to wireless devices.  We just authenticate and register the device to the user.

> Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network)

We do role-based security that is assigned by device (initially inherited from the user, but devices can be individually changed).  Phones/PDAs/etc get their own default role... but currently we don't really have any restrictions different from default campus network access.  The role-based security translates to a vlan on the wired network, or a role at the Aruba controller.

On 1/5/2013 1:31 PM, John Kaftan wrote:
> I have been thinking about the same thing.  For us registration takes 10+ min the first time because they have to register, get scanned, load the agent, get scanned again and then go through our network use agreement etc.  It is very heavy on the front end, i.e. guilty until proven innocent.  I'd rather let them on and then just spank them if they are doing something bad.

There is the initial "pain" here as well, but we have minimized much of it (the somewhat kludgy captive registration portal) by pushing new devices into our "setup" wireless SSID.  This leverages XpressConnect to configure the device for our wireless (wpa2/enterprise), and as a bonus will install the NAC agent if it isn't already present.  This essentially bypasses the registration portal, the agent pops up for authentication credentials, does a scan, and registers the device.

> The other thing we are missing is that we are not catching other questionable behavior such as folks trying to hack our network.  With this system we could quarantine someone if they did a Netscan or hit the admin account on our DCs or anything that we don't like.  It would be amazingly powerful and secure and cool.

As noted above, the "quarantine" trumps everything.  If we can get a MAC address, we can quarantine it.  Our NAC tracks MAC/IP/switchport connections for even unregistered (rogue) devices so this is fairly easy to do.

Jeff

Hello,

We're currently in the process of re-designing our wireless network to split it into a guest side and a "secure" side, add a guest management system, replace the captive portal sign-on with 802.1X authentication on the secure side, etc. As part of this project, we're also taking a look at our use of Network Access Control and thinking about what we're really trying to accomplish. At the moment, we use a "permanent agent" based NAC on PCs and Macs connecting to the wireless network, but the only policy we enforce is that the computer must have antivirus running with up-to-date signatures. If the connecting computer doesn't pass that check, we put it into a remediation VLAN.

Back when we first implemented NAC (this is the second product), requiring antivirus software was a major factor in keeping malware out of our network. But as we all know, it's not that simple anymore--just having antivirus isn't enough to keep the malware out because malware has changed, and an argument can perhaps even be made that now that Windows and Mac OS X come with built-in firewalls and whatnot, the requirement to have antivirus installed is obsolete. And then there's the fact that the majority of devices on our wireless network now are not PCs and Macs anyway, and our existing NAC doesn't do anything with those. So, given all that plus some of the push-back we've received from our user community about the NAC requirement in general and this specific NAC in particular, we started thinking...

Why don't we get rid of the NAC all together? And instead, we'll just let any device connect to the network (provided the user authenticates), and let it do whatever it wants, right up until the point at which it misbehaves. Instead of running the NAC system, we'll run some kind of intrusion detection system that's looking for malicious traffic. If it sees some, it will block the traffic from that device, and move the device into a "quarantine" or "remediation" VLAN where the user can be informed (with a captive portal or whatever) that his/her computer may be infected with malware and provided with advice/tools on cleaning it up. This seemed easy enough, but when we started looking for products, we couldn't find any. There are plenty of IDS/IPS systems out there that can detect and block the traffic; that part's easy. But we've been unable to find any products that can also do the other part--sending users to some sort of quarantine/remediation portal so that they know why their computer isn't working on the network anymore. This last part is critical to us, as we do not run a 24x7 help desk, and we don't want to just silently drop users' traffic with no explanation when there's nobody they can call to find out what's happening.

So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it?

Thanks,
--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu

On Fri, Jan 04, 2013 at 02:43:30PM -0500, David Curry wrote:
> looking for products, we couldn't find any. There are plenty of IDS/IPS systems
> out there that can detect and block the traffic; that part's easy. But we've
> been unable to find any products that can also do the other part--sending users
> to some sort of quarantine/remediation portal so that they know why their
> computer isn't working on the network anymore. This last part is critical to
> us, as we do not run a 24x7 help desk, and we don't want to just silently drop
> users' traffic with no explanation when there's nobody they can call to find
> out what's happening.
>
> So finally, my question: Has anybody implemented something like this? If so,
> would you be willing to share how you did it?
>
> Thanks,
> --Dave

If you are moving to 802.1x you can dynamically assign vlans based on the user, like so:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_e...

Substitute cisco with another vendor, I'm sure they all do it.  Then all you need is a tiny script that takes IDS events and flags the associated user records in LDAP.

We never bothered with a remediation network on wireless, we just block their mac address and send them an email.  It works well enough for us.

--
-- Justin Azoff
-- Network Security & Performance Analyst

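Justin's sketch (dynamic VLAN from 802.1X, plus a small script that turns IDS events into a flag on the user's LDAP record), together with Jeff's point earlier in the thread that an alert names only an IP and that the quarantine has to cover every interface of the device, as an added example in Python. This is not code from the thread or from any product named in it: the fast.log lines, MAC addresses, usernames and VLAN ids are constructed, a dict stands in for LDAP, the attribute names `quarantined` and `quarantineReason` are assumptions, and only the three RFC 3580 tunnel attributes in the reply are the real ones a switch or wireless controller expects for VLAN assignment.

```python
import re
from dataclasses import dataclass

# One Suricata/Snort "fast" alert per line; ports are optional so ICMP alerts parse too.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

QUARANTINE_VLAN = "666"   # assumption: id of the dead-end/remediation VLAN
PRODUCTION_VLAN = "100"   # assumption: id of the normal campus VLAN
ACT_ON_PRIORITY = 1       # fast.log priority 1 is the most severe; ignore noisier alerts


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str          # username the NAC registration tied the device to
    macs: frozenset     # every interface the registration/agent recorded


# Constructed sample data standing in for the NAC registration database ...
DEVICES = [
    Device("lt-0421", "jdoe", frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"})),
    Device("lt-0777", "asmith", frozenset({"00:11:22:33:55:01"})),
]
MAC_TO_DEVICE = {mac: dev for dev in DEVICES for mac in dev.macs}

# ... and for the current IP -> MAC view (DHCP leases or 802.1X accounting).
SESSIONS = {
    "10.20.30.40": "00:11:22:33:44:02",   # jdoe's laptop, wireless interface
    "10.20.30.41": "00:11:22:33:55:01",   # asmith's laptop
}

# Constructed alert lines; rule names and sids (local range) are made up.
SAMPLE_ALERTS = [
    "01/05/2013-09:12:44.000123  [**] [1:1000001:1] LOCAL SCAN Outbound SMB sweep [**] "
    "[Classification: Attempted Information Leak] [Priority: 1] {TCP} 10.20.30.40:51234 -> 10.1.1.5:445",
    "01/05/2013-09:13:02.000456  [**] [1:1000002:1] LOCAL INFO Unusual DNS query [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 10.20.30.41:40000 -> 10.1.1.53:53",
    "01/05/2013-09:14:10.000789  [**] [1:1000003:1] LOCAL SCAN ICMP sweep [**] "
    "[Classification: Attempted Information Leak] [Priority: 1] {ICMP} 10.20.30.99 -> 10.1.1.6",
]


def parse_alert(line):
    """Return the alert's fields, or None if the line is not a fast.log alert."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def process_alerts(lines, sessions, mac_to_device, directory):
    """Flag the owner of each device that sourced a severe alert.

    `directory` is a dict standing in for the LDAP user records (attribute names
    are assumptions).  Returns the actions taken plus ALL MACs of the quarantined
    devices, so the wired and the wireless interface end up in the same VLAN.
    """
    actions, quarantined_macs = [], set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > ACT_ON_PRIORITY:
            continue
        dev = mac_to_device.get(sessions.get(alert["src"]))
        if dev is None:
            # An IP with no registered device behind it: queue for a human, don't guess.
            actions.append(("review", alert["src"], alert["msg"]))
            continue
        rec = directory.setdefault(dev.owner, {})
        rec["quarantined"] = True
        rec.setdefault("quarantineReason", []).append(
            f"{alert['ts']} {alert['src']} sid {alert['sid']}: {alert['msg']}")
        quarantined_macs |= dev.macs
        actions.append(("quarantine", dev.owner, dev.device_id))
    return actions, quarantined_macs


def radius_reply(user, mac, directory, quarantined_macs):
    """RFC 3580 tunnel attributes for the next 802.1X or MAC-auth request.
    A flagged user OR a quarantined MAC is enough, so the device cannot escape by
    re-authenticating on its other interface or with someone else's credentials."""
    flagged = directory.get(user, {}).get("quarantined", False) or mac in quarantined_macs
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": QUARANTINE_VLAN if flagged else PRODUCTION_VLAN,
    }


def run_example():
    """Drive the sample data end to end; returns what a test can check."""
    directory = {"jdoe": {}, "asmith": {}}
    actions, macs = process_alerts(SAMPLE_ALERTS, SESSIONS, MAC_TO_DEVICE, directory)
    replies = {
        "jdoe-wired": radius_reply("jdoe", "00:11:22:33:44:01", directory, macs),
        "asmith": radius_reply("asmith", "00:11:22:33:55:01", directory, macs),
    }
    return directory, actions, macs, replies


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

Two choices in it are the ones that matter in practice: it acts only on alerts at the priority you trust enough to automate and hands everything else to a human (the rest of the alert stream stays the manual process Jeff describes), and it keys the quarantine on every MAC registered to the device rather than on the one IP the sensor saw, so a laptop that moves from wireless to a wired jack re-authenticates straight into the quarantine VLAN. In production the dict becomes an LDAP modify and the reply function becomes the RADIUS server's authorization policy (FreeRADIUS's ldap module can map a directory attribute into reply attributes, for instance); the `quarantineReason` list is what the remediation portal would show the user, which is the part of the design that no product offered out of the box.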
Take a look at IDPs that support IF-MAP (Juniper, Cisco, etc. are either in the game or planning to be there soon).  Leveraging an orchestration server (InfoBlox term/name; or infranet controller if you're talking Juniper) and a dot-x implementation, malicious/bad activity detected by the IDP can trigger the flow of actions you describe.  Ideally, IF-MAP is platform agnostic but with so few players, it's tough to tell just how well that's working out.

We're working toward a similar solution -- no posture check, watch for bad stuff at points of traffic consolidation, and take action accordingly -- using Juniper, InfoBlox, and GreatBay products.  The user community (and support desk) definitely does not miss the fat NAC client.

- Pat

Patrick N. Gorsuch
Manager, Networks and Information Security
Gallaudet University
202-651-5070
patrick.gorsuch@gallaudet.edu

On 1/4/2013 2:43 PM, David Curry wrote:
> [...]
> So finally, my question: Has anybody implemented something like this? If so, would you be willing to share how you did it?



Mr. Curry,

I do not know if there is a solution like this sold by a particular vendor, but we are kind of doing what you are looking for in regards to peer-to-peer enforcement on our housing network, but it probably wouldn't be too hard to extrapolate this a little further:

In our housing network we run an application called Integrity by RedLambda which is basically a fancy packet sniffer with a lot of p2p signatures. If this device sees peer-to-peer traffic, it sends an SNMP trap over to our NAC which causes the device to be moved into a quarantine vlan. There we hijack the DNS and redirect them to a page where the users have to log in with their username and password (ldap lookup) and they are shown what was found to be wrong with their device's network traffic. They can read what they did here, and finally are able to put themselves back on the network using a three-strike system. (Every strike increases a timeout that the users have to wait, though there are some opt-out methods for legitimate uses of p2p.)

Depending on your NAC you may be able to steer your users to a remediation portal that is configurable for what you are looking for. Our NAC at least lets us do so for AV/Updates. Extending this a little further should not be a problem.

Ultimately, I think what you are looking at doing is being able to have your devices have some sort of multi-tiered access on the wireless (at least that's how we would like it):

* Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network)
* Devices that cannot be fully validated, or are mobile devices should have some access to internal data, but not full access like a computer that is authenticated using a certificate and uses network traffic protection
* Untrusted devices such as the laptop Joe student brings to your campus to just surf the web, or chew up your Internet bandwidth by watching Netflix on your wireless

Hope that helps!

Sven
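Sven's three-strike self-remediation (escalating wait, opt-out for legitimate p2p, DNS hijacked to a login page that explains the violation), plus the helpdesk override and the quarantine VLAN that still reaches the web site, helpdesk and mail that Jeff describes earlier in the thread, as an added example in Python. It is not code from the thread, from RedLambda's Integrity or from any NAC product: the wait times, portal address, allowed hostnames, MAC addresses and timestamps are all assumptions, and time is plain Unix seconds so the walk-through is reproducible.

```python
from dataclasses import dataclass, field

# Seconds a user must wait before releasing their own device, by strike number.
# The values are assumptions; the thread only says the timeout grows per strike.
STRIKE_TIMEOUTS = {1: 15 * 60, 2: 60 * 60, 3: 24 * 60 * 60}
MAX_SELF_RELEASE_STRIKES = 3    # from the 4th strike on, only the helpdesk can clear
PORTAL_IP = "10.99.0.10"        # assumption: portal address inside the quarantine VLAN
# Names that still resolve normally from quarantine (web site, helpdesk, mail) so the
# victim is not cut off completely; hostnames and addresses are constructed.
ALLOWED_IN_QUARANTINE = {"www.example.edu": "192.0.2.10",
                         "helpdesk.example.edu": "192.0.2.11", "mail.example.edu": "192.0.2.12"}


@dataclass
class DeviceRecord:
    mac: str
    owner: str
    exempt: bool = False          # approved legitimate p2p use: never quarantined
    quarantined: bool = False
    strikes: list = field(default_factory=list)   # (time, reason), kept as history


class QuarantineLedger:
    def __init__(self):
        self.devices = {}

    def register(self, mac, owner, exempt=False):
        self.devices[mac] = DeviceRecord(mac, owner, exempt)

    def record_violation(self, mac, reason, now):
        """Entry point for the sniffer's report (the SNMP trap to the NAC); True if quarantined."""
        rec = self.devices[mac]
        if rec.exempt:
            return False
        rec.strikes.append((now, reason))
        rec.quarantined = True
        return True

    def _release_time(self, rec):
        n = len(rec.strikes)
        if n == 0 or n > MAX_SELF_RELEASE_STRIKES:
            return None          # nothing to release, or helpdesk-only
        return rec.strikes[-1][0] + STRIKE_TIMEOUTS[n]

    def portal_view(self, mac, now):
        """What the remediation portal shows after the user has logged in."""
        rec = self.devices[mac]
        if not rec.quarantined:
            return {"quarantined": False}
        release_at = self._release_time(rec)
        return {"quarantined": True, "strike": len(rec.strikes), "reason": rec.strikes[-1][1],
                "self_release_allowed": release_at is not None,
                "wait_seconds": None if release_at is None else max(0, release_at - now)}

    def self_release(self, mac, now):
        """The user's 'put me back on the network' button."""
        rec = self.devices[mac]
        release_at = self._release_time(rec)
        if not rec.quarantined or release_at is None or now < release_at:
            return False
        rec.quarantined = False
        return True

    def helpdesk_clear(self, mac, tech, now):
        """Senior-tech override; the strike history stays, the clear is appended to it."""
        rec = self.devices[mac]
        rec.quarantined = False
        rec.strikes.append((now, f"cleared by {tech}"))

    def resolve(self, mac, qname, real_answer):
        """DNS answer for a client: quarantined devices get the portal for everything
        except the allowed hosts; everyone else gets the real answer."""
        rec = self.devices.get(mac)
        if rec is None or not rec.quarantined:
            return real_answer
        return ALLOWED_IN_QUARANTINE.get(qname, PORTAL_IP)


def run_example():
    """Walk one constructed device through four strikes; returns the observations."""
    DAY = 24 * 60 * 60
    ledger = QuarantineLedger()
    mac, exempt_mac, t0 = "00:11:22:33:44:55", "00:11:22:33:44:66", 1_357_300_000
    ledger.register(mac, "jdoe")
    ledger.register(exempt_mac, "lab", exempt=True)
    out = {}
    ledger.record_violation(mac, "BitTorrent handshake seen", t0)
    out["first_view"] = ledger.portal_view(mac, t0)
    out["dns_quarantined"] = ledger.resolve(mac, "www.example.com", "203.0.113.5")
    out["dns_helpdesk"] = ledger.resolve(mac, "helpdesk.example.edu", "192.0.2.11")
    out["too_early"] = ledger.self_release(mac, t0 + 5 * 60)
    out["on_time"] = ledger.self_release(mac, t0 + 15 * 60)
    out["dns_released"] = ledger.resolve(mac, "www.example.com", "203.0.113.5")
    for n, t in ((2, t0 + DAY), (3, t0 + 2 * DAY), (4, t0 + 4 * DAY)):
        ledger.record_violation(mac, f"strike {n}", t)
        out[f"view_{n}"] = ledger.portal_view(mac, t)
        ledger.self_release(mac, t + STRIKE_TIMEOUTS.get(n, 0))
    out["held_for_helpdesk"] = ledger.devices[mac].quarantined
    ledger.helpdesk_clear(mac, "senior-tech", t0 + 5 * DAY)
    out["after_helpdesk"] = ledger.devices[mac].quarantined
    out["exempt_quarantined"] = ledger.record_violation(exempt_mac, "BitTorrent", t0)
    return out
```

A release clears only the quarantine flag, never the strike history, which is what makes the waits escalate and gives the helpdesk the device/user history Jeff keeps in his side database; an exempt device is still reported by the sniffer but is never moved. In a real deployment `record_violation` would be driven by the trap or syslog from the sensor, `resolve` would be the view served by the quarantine VLAN's resolver, and `portal_view` would only be rendered after the LDAP login Sven mentions, so the explanation is shown to the device's owner and not to whoever happens to be sitting at it.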
Message from markm196@netscape.net

What is the best way people have found to do this without letting ipads or tablets or personal laptops getting on that wireless network?

> * Institution owned devices such as laptops or PCs are able to get on the same as your wired clients (eg. Internal Network)

Mark Monroe
UMSL

On 1/4/2013 2:41 PM, Hahues, Sven wrote:
> [...]

Before being in higher ed, I was in the fed sector... heavy duty R&D stuff.  We had wireless networks for both internal and “guest” use.  We didn’t use a NAC at all on the guest wireless.  The belief system was that the risk wasn’t really anything to do with the network – the risk is in the data... where it’s stored, how it’s stored/accessed, etc.  If a vendor brought in an infected system and connected to the wireless, the guest network was deemed a “use at your own risk” resource.  That being said – we did log everything that went on/through that network, but that was about it... never really had any issues... but then again, there was really nothing on that network that needed to be protected at the edge.  And if there *were* any resources of value that could be reached from the wireless edge – those systems were hardened and scanned for vulnerabilities on a VERY regular basis...

Just another $.02...

M

 
