[unisog] Printers, printers, printers

Nagel, Lonnie lnagel at SFCCMO.EDU
Wed Dec 12 13:31:38 GMT 2007


We installed a NAC appliance last summer. This box guarantees that no
one plugs into the network with anything that is not:

	a.) included in a MAC address list of exceptions (solves the
	    printer problem) or

	b.) authenticated, as all others must pass thru several checks
	    (AV, Updates, etc) and then have an AD logon to access the
	    network.
 
This has worked really well for us and I feel reasonably certain that I
know of every device attached to the network.

* Lonnie Nagel * Network Manager * State Fair Community College *
Sungard Higher Education Managed Services * 3201 W 16th Street *
* Sedalia, MO  65301 * 660-596-7314 * lnagel at sfccmo.edu *
www.sungardhe.com *
 
 
 
-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Tuesday, December 11, 2007 4:12 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Printers, printers, printers

On Tue, 11 Dec 2007 16:46:11 EST, "Gaddis, Jeremy L." said:
> On 12/11/07, Martin Manjak <MManjak at uamail.albany.edu> wrote:
> > I'm curious as to what other schools are doing with respect to managing
> > printers. Some of the issues and challenges include:
> >
> > I'm very interested in what types of controls people may have in place
> > to address any of the above?
> 
> We put printers on their own subnets, with ACLs in place that prevent
> "printer traffic" except from authorized print servers.  The same set
> of ACLs prevents access to the management interface except from
> authorized managers.

How do you enforce that for printers that people/depts buy for themselves,
or do you have total control over the network, so they can't connect
*anything* without your OK?


