[unisog] Network Access Control

Doug Payne dwpayne at ist.uwaterloo.ca
Fri Feb 24 15:20:05 GMT 2006

On 23/02/2006 4:58 PM, David Millar wrote:
> We're planning a Network Access Control project.
> Has anyone encountered privacy (or any other) concerns about requiring the 
> installation of a software agent that reports on patch status, A/V status 
> and password strength, as a condition of network access.
> Also, would anyone be willing to share statistics about the percentage of 
> machines that typically wind up in quarantine?

We're about to deploy a home-grown solution. It checks for the presence 
of AV, whether automated updates are enabled, and a couple of other 
things, for Windows systems only. Other OSes are ignored. But it's 
strictly by choice. Users that decline to run the executable are given 
restricted access, HTTP/HTTPS only. Users that run it and pass get 
"full" access. This is implemented on our home-grown authentication 
system, which is a FreeBSD-based Web front-end, using our Active 
Directory environments (we have 2) as the back-end authentication 
database. The authentication system has been in place since day 1 of our 
wireless deployment.

So far in our pilot (about 20% of the campus for about a week) we have 
something like 65% of users agreeing to run the check (out of about 
1,200 different users in 3,600 different sessions). Of those that agreed 
to run the check, about 25% failed. 40% of the initial failures passed a 
subsequent check, presumably after fixing up their systems. We expect to 
see significant improvements once it's been in place for a while, both 
in the number of users that agree to do the check, and in the number 
that pass. It's not perfect, but so far it seems quite successful. Since 
it's locally written, we can enhance it over time as we see the need. 
For instance, we might add a requirement that the user run a personal 

Doug Payne
Manager, Network Development, IST
University of Waterloo
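As an added illustration (not code from this post, and not the University of Waterloo's agent), here is a minimal Windows-side version of the check Doug describes: it asks Security Center whether an AV product is registered and active, asks the Windows Update agent whether automatic updates are on, and maps the result to the two-tier access decision. The root\SecurityCenter2 namespace, the Microsoft.Update.AutoUpdate COM object and the productState decoding are assumptions about a modern Windows client, not anything the post names.

```powershell
# Added example of a client posture check in the spirit of the home-grown
# agent above. Assumes a modern Windows client where Security Center exposes
# root\SecurityCenter2 and the Windows Update agent COM object is available.

function Test-AntivirusActive {
    # Security Center lists every registered AV product; no rows means no AV.
    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' `
        -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    if (-not $products) { return $false }
    foreach ($p in $products) {
        # productState is not formally documented; the widely used decoding
        # treats bit 0x1000 as "real-time protection enabled" (assumption).
        if (($p.productState -band 0x1000) -ne 0) { return $true }
    }
    return $false
}

function Test-AutomaticUpdatesEnabled {
    # NotificationLevel 1 = disabled; 2..4 = some form of automatic updating.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    return ($au.ServiceEnabled -and $au.Settings.NotificationLevel -ge 2)
}

function Get-AccessTier {
    param([bool]$AvActive, [bool]$AutoUpdates)
    # Mirrors the two-tier policy in the post: pass -> full access,
    # fail (or decline to run the check) -> HTTP/HTTPS only.
    if ($AvActive -and $AutoUpdates) { return 'full' }
    return 'restricted'
}

$av   = Test-AntivirusActive
$au   = Test-AutomaticUpdatesEnabled
$tier = Get-AccessTier -AvActive $av -AutoUpdates $au
# A real agent would report this to the authentication front-end; here the
# result is printed and reflected in the exit code (0 = pass, 1 = fail).
Write-Output ("AV active: {0}; automatic updates: {1}; tier: {2}" -f $av, $au, $tier)
if ($tier -eq 'full') { exit 0 } else { exit 1 }
```

The script must run elevated enough to query Security Center; on a machine without Security Center the AV test simply reports false, which is the conservative outcome for a gate like this.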
