[unisog] Network Access Control
dwpayne at ist.uwaterloo.ca
Fri Feb 24 15:20:05 GMT 2006
On 23/02/2006 4:58 PM, David Millar wrote:
> We're planning a Network Access Control project.
> Has anyone encountered privacy (or any other) concerns about requiring the
> installation of a software agent that reports on patch status, A/V status
> and password strength, as a condition of network access?
> Also, would anyone be willing to share statistics about the percentage of
> machines that typically wind up in quarantine?
We're about to deploy a home-grown solution. It checks for the presence
of AV, whether automated updates are enabled, and a couple of other
things, for Windows systems only. Other OSes are ignored. But it's
strictly by choice. Users that decline to run the executable are given
restricted access, HTTP/HTTPS only. Users that run it and pass get
"full" access. This is implemented on our home-grown authentication
system, which is a FreeBSD-based Web front-end, using our Active
Directory environments (we have 2) as the back-end authentication
database. The authentication system has been in place since day 1 of our
So far in our pilot (about 20% of the campus for about a week) we have
something like 65% of users agreeing to run the check (out of about
1,200 different users in 3,600 different sessions). Of those that agreed
to run the check, about 25% failed. 40% of the initial failures passed a
subsequent check, presumably after fixing up their systems. We expect to
see significant improvements once it's been in place for a while, both
in the number of users that agree to do the check, and in the number
that pass. It's not perfect, but so far it seems quite successful. Since
it's locally written, we can enhance it over time as we see the need.
For instance, we might add a requirement that the user run a personal
Manager, Network Development, IST
University of Waterloo
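As an added illustration of the kind of check the reply above describes (an agent that reports whether antivirus is present and whether automatic updates are enabled, with the gateway deciding between restricted and "full" access), here is a small PowerShell posture check. It is example code written for this page, not the University of Waterloo tool or anything from the unisog thread. It assumes a Windows client from Vista onward (the `root/SecurityCenter2` WMI namespace), PowerShell 5.1 or later, and that it runs as the logged-on user; the `productState` decoding it uses is a widely used but undocumented convention.

```powershell
# Added example, not the home-grown Waterloo agent from the post.
# Reports: is an AV product registered with Security Center and current,
# and is Automatic Updates enabled? Exit code 0 = pass, 1 = fail, so a
# launcher or Web front-end can map the result to an access tier.

function Get-AntivirusPosture {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    if (-not $products) {
        return [pscustomobject]@{ Present = $false; Enabled = $false; UpToDate = $false; Name = $null }
    }
    # productState is a packed integer. Common (undocumented) decoding of its hex form:
    # hex digits 3-4 == '10' -> product enabled; digits 5-6 == '00' -> signatures up to date.
    $best = $null
    foreach ($p in $products) {
        $hex = ('{0:x6}' -f [int]$p.productState)
        $state = [pscustomobject]@{
            Present  = $true
            Enabled  = ($hex.Substring(2, 2) -eq '10')
            UpToDate = ($hex.Substring(4, 2) -eq '00')
            Name     = $p.displayName
        }
        # Prefer any registered product that is both enabled and current.
        if ($null -eq $best -or ($state.Enabled -and $state.UpToDate)) { $best = $state }
    }
    return $best
}

function Get-AutoUpdatePosture {
    # A Group Policy setting overrides the per-machine default location.
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $default = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    $noAuto    = (Get-ItemProperty -Path $policy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $auOptions = (Get-ItemProperty -Path $policy -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    if ($null -eq $auOptions) {
        $auOptions = (Get-ItemProperty -Path $default -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    }
    # AUOptions: 1 = never check; 2/3/4 = notify / download / scheduled install; 5 = local admin chooses.
    # A missing AUOptions value is treated as "not explicitly disabled".
    $service = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $serviceOk = ($null -ne $service -and $service.StartType -ne 'Disabled')

    [pscustomobject]@{
        PolicyDisabled  = ($noAuto -eq 1)
        AUOptions       = $auOptions
        ServiceDisabled = (-not $serviceOk)
        Enabled         = (($noAuto -ne 1) -and $serviceOk -and ($auOptions -ne 1))
    }
}

function Test-NetworkAccessPosture {
    $av = Get-AntivirusPosture
    $au = Get-AutoUpdatePosture
    $failures = @()
    if (-not $av.Present) {
        $failures += 'no antivirus product registered with Security Center'
    } elseif (-not $av.Enabled) {
        $failures += "antivirus '$($av.Name)' is installed but not enabled"
    } elseif (-not $av.UpToDate) {
        $failures += "antivirus '$($av.Name)' signatures are out of date"
    }
    if (-not $au.Enabled) {
        $failures += 'automatic updates are disabled (policy, AUOptions=1, or wuauserv disabled)'
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Pass      = ($failures.Count -eq 0)
        Antivirus = $av
        Updates   = $au
        Failures  = $failures
    }
}

$result = Test-NetworkAccessPosture
$result | ConvertTo-Json -Depth 3
if ($result.Pass) { exit 0 } else { exit 1 }
```

Two design points worth keeping in mind. First, everything this script reports is self-asserted by a machine the user controls, so the gateway should treat it as advisory: the post's opt-in design, where declining only leaves a user on the restricted HTTP/HTTPS tier and passing widens access, is the right way to consume such a signal. Second, the remediation loop in the post (40% of initial failures passed a later check) is why the script lists every failing item rather than stopping at the first one: the user can fix all of them in one pass.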