[unisog] Network Access Control

Christopher Chow c-chow at md.northwestern.edu
Fri Feb 24 01:23:33 GMT 2006

Paul --

Although I sympathize with your concerns about liability, I believe that 
your analogy to the Sony Rootkit fiasco is unwarranted.

Sony got in trouble primarily because (1) installation was silent, secret 
and without consent and (2) the software was poorly written.

#1 in a network access control project would not be of concern because 
you are giving full disclosure and presumably would have the backing of 
university administration in addition to the IT division. Of course #2 
could pose a problem and I understand how a required network access 
solution would make it even stickier if compromises resulted from a 
vulnerability in the agent.

However, the key idea is to not be alarmist either. Corporate IT 
environments use packages like Tivoli, et al. to push software all the 
time. And to inspect machines for compliance in much more draconian 
fashion than what we are discussing in this thread. Of course, academia 
is much more liberal and I'll grant you that --- but what really needs 
to be weighed here is:

does the freedom to run an unpatched/unAV'd machine supersede network 
access privileges? I would imagine not -- most universities have CISSPs 
in place with IT staff to specifically turn off ports to offending 
machines that spew packets. So it's a given that part of the duty is to 
protect the network resources so that users can access things when they 
need them.

And I find the privacy argument rather absurd. It's rather like the 
argument against "Windows Genuine Advantage" in the sense that you are 
saying we don't want Big Brother looking over our shoulder. Why? What do 
you have to hide? It's not even that you're looking for illegal content 
(like Microsoft is) but you are simply checking compliance on security 
precautions. If you have something so important to hide, why would you 
connect it to a semipublic network! Would you even put it on a network? 
Do you get my gist? You might even use a non-resident network access 
control that loads the first time a user connects for a session, scans 
the machine and unloads (say an ActiveX control or JS that grabs the MAC 
address) -- akin to the type of access control that wireless 
companies use to make sure that you're paying for wireless when you're 
working at an airport hotspot, etc.

I'll admit that I don't know the technical details of whether such an 
alternative would fit the needs of the original poster. But please don't 
bring Sony into this because the situations would be worlds apart. Sony 
had its own financial interests in mind -- the user agent here would be 
to protect the right of *all* users to access network resources.

Just because the higher ed arena embodies more liberal

PaulFM wrote:
> I have always disliked this sort of thing as you have now REQUIRED people to 
> install YOUR software on their computer - This makes you responsible for 
> anything that software does (Keep in mind that requiring can nullify any 
> disclaimer - and since software almost always has disclaimers that the 
> providers [software writers] are not responsible for any damage, YOU become 
> responsible and cannot disclaim your way out of it as YOU required the 
> software be installed).
> Just remember all the trouble SONY got in with the Copyright protection 
> ROOTKIT on their CD's.
> Also - what OSes will you be shutting out (nothing runs on everything)?