[unisog] Network Access Control
Paul_Asadoorian at brown.edu
Fri Feb 24 17:36:38 GMT 2006
I would imagine that this is different, or even configurable, on network
access control systems, but is the agent persistent? (i.e. Does it stay
installed on the users computer once they are compliant?)
Paul Asadoorian, GCIA, GCIH
IT Securty Blog
On 2/24/06 12:07 PM, "PaulFM" <paulfm at me.umn.edu> wrote:
> The issue is that the program installed by Sony - created a new security hole
> in windows itself (number 2 on your list).
> My point is, do you want to be responsible if your program creates a security
> hole on a machine you don't manage? Keep in mind on corporate networks, the
> machines are corporate machines and the sysadmins manage those machines (so
> they are responsible for them anyway).
> Christopher Chow wrote:
>> Although I sympathize with your concerns about liability, I believe that
>> your analogy to the Sony Rootkit fiasco is unwarranted.
>> Sony got in trouble primarily because (1)installation was silent, secret
>> and without consent and (2)the software was poorly written
>> #1 in a network access control project would not be of concern because
>> you are giving full disclusure and presumably would have the backing of
>> university administration in addition to the IT division. Of course #2
>> could pose a problem and I understand how a required network access
>> solution would make it even stickier if compromises resulted from a
>> vulnerability in the agent.
>> However, the key idea is to not be alarmist either. Corporate IT
>> environments use packages like Tivoli, et al. to push software all the
>> time. And to inspect machines for compliance in much more draconian
>> fashion than what we are discussing in this thread. Of course, academia
>> is much more liberal and i'll grant you that --- but what really needs
>> to be weighed here is:
>> does the freedom to run an unpatched/unAV'd machine supercede network
>> access privileges? I would imagine not -- most universities have CISSP's
>> in place with IT staff to specifically turn off ports to offending
>> machines that spew packets. So it's a given that part of the duty is to
>> protect the network resources so that users can access things when they
>> need them.
>> And i find the privacy argument rather absurd. It's rather like the
>> argument against "Windows Genuine Advantage" in the sense that you are
>> saying we don't want Big Brother looking over our shoulder. why? What do
>> you have to hide? It's not even that you're looking for illegal content
>> (like Microsoft is) but you are simply checking compliance on security
>> precautions. If you have something so important to hide, why would you
>> connect it to a semipublic network! Would you even put it on a network?
>> Do you get my gist? You might even use a non-resident network access
>> control that loads the first time a user connects for a session, scans
>> the machine and unloads (say an activeX control or JS that grabs the mac
>> address) -- akin to the the type of access control that wireless
>> companies use to make sure that you're paying for wireless when you're
>> working at an airport hotspot, etc
>> I'll admit that I don't know the technical details of whether such an
>> alternative would fit the needs of the original poster. But please don't
>> bring Sony into this because the situations would be worlds apart. Sony
>> had its own financial interests in mind -- the user agent here would be
>> to protect the right of *all* users to access network resources.
>> Just because the higher ed arena embodies more liberal
>> PaulFM wrote:
>>> I have always disliked this sort of thing as you have now REQUIRED
>>> people to install YOUR software on their computer - This makes you
>>> responsible for anything that software does (Keep in mind that
>>> requiring can nullify any disclaimer - and since software almost
>>> always has disclaimers that the providers [software writers] are not
>>> responsible for any damage, YOU become responsible and cannot disclaim
>>> your way out of it as YOU required the software be installed).
>>> Just remember all the trouble SONY got in with the Copyright
>>> protection ROOTKIT on their CD's.
>>> Also - what OSes will you be shutting out (nothing runs on everything)?
>> unisog mailing list
>> unisog at lists.sans.org
More information about the unisog