[unisog] Network Access Control

Isac Balder piis8 at yahoo.com
Fri Feb 24 19:58:00 GMT 2006



--- Paul Asadoorian <Paul_Asadoorian at brown.edu> wrote:

> I would imagine that this is different, or even
> configurable, on network

On a decent system yes.


> On 2/24/06 12:07 PM, "PaulFM" <paulfm at me.umn.edu> wrote:
> 
> > My point is, do you want to be responsible if your program creates a security
> > hole on a machine you don't manage?  Keep in mind on corporate networks, the
> > machines are corporate machines and the sysadmins manage those machines (so
> > they are responsible for them anyway).

A good access control application will not require an
agent.  You can simply never guarantee an agent on
every device.  Can you say "blackbox" network
appliance that is critical to your network but needs
an IP?

Now what is done with those agentless devices is
another story.  Do nothing, throttle bandwidth to
sippy-cup 10mb access, redirection to "guest" dmz /
vlan, full denial, limited access to known servers,
etc., etc.

A NAC agent is simply like a Vulnerability scanner
domain password.  It allows you to get more detail but
is not a requirement.

And of course have legal check the liability waiver 
you will use for those personal devices that consent
to full contact and use to agent.



I.B.

"Say hello to all the apples on the ground"
