[unisog] Printers, printers, printers

Anthony Maszeroski maszeroskia3 at scranton.edu
Wed Dec 12 20:45:21 GMT 2007


Did you implement the Cisco NAC profiler? :

http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806b7d4e.html

I'm really eager to hear about any Higher Ed experience with it.

Nagel, Lonnie wrote:
> Sure,
> We installed the Cisco NAC (Network Access Control) appliance, which
> consists of a NAC Server box and a NAC Management box.  Keep in mind that
> the entire solution is software based but does require its own server
> boxes.  (At least 2).
> 
> The basic premise is that you move all open/unused ports into a VLAN
> that was set up specifically for this purpose and use the appliance as
> the subnet gateway.  
> 
> Once a user plugs a device into one of these ports he is immediately
> redirected to the NAC server appliance which will initially require the
> user to download and install the NAC client.  After that is done the
> user's platform is subjected to the configured access requirements of
> the server.  These might include things like making sure that the user
> has a qualified AV program installed, making sure that that AV program
> has current updates, making sure that the user has up to date Microsoft
> Updates.  You can set up as many or as few requirements as you wish, all
> the way up to implementing a Nessus scan to verify that the platform is
> virus/worm free to begin with. 
> 
> All of this functionality is enforced by the server box and configured
> by the management box. You can get as granular as you wish.  We started
> out slow and are only requiring current AV and AV updates for now.
> 
> The server box also integrates with your AD (and/or RADIUS) server so
> that once the user platform has passed all the requirements, he is then
> required to authenticate onto the network.
> 
> There are also MAC filters that you can set up on the server so that
> none of this is required for specific devices (i.e. network printers,
> access points, etc.). The server interface also shows a current listing
> of all logged in users, users that are having trouble logging in, and
> users that are in different roles such as quarantine, which allows
> limited access in order to let the user do a self-remediation by getting
> the proper upgrades/updates from various sites (Norton, McAfee,
> Microsoft, etc.).
> 
> The entire process works pretty slick although the learning curve is a
> little steep.  (especially on the initial install - you might want to
> look at having a VAR assist)
> 
> This product (as are many Cisco products) was purchased by Cisco and
> enhanced from there.  I believe its original name was Perfigo.
> 
> There are other NAC packages available - notably I would have really
> liked to look harder at a product called Bradford Campus Manager which
> does not require the client download. We are a Cisco shop however and
> the entire package was purchased along with a major network upgrade so
> the pricing was favorable.  (although still expensive - I think you
> might want to prepare yourself for the 25 - 50K range if you want to get
> into a setup like this).
> 
> Hope this answers many of your questions - get back to me if you need
> more.
> 
> * Lonnie Nagel * Network Manager * State Fair Community College *
> Sungard Higher Education Managed Services * 3201 W 16th Street *
> * Sedalia, MO  65301 * 660-596-7314 * lnagel at sfccmo.edu *
> www.sungardhe.com *
>  
> CONFIDENTIALITY: This e-mail (including any attachments) may contain
> confidential, proprietary and privileged information, and unauthorized
> disclosure or use is prohibited. If you received this e-mail in error,
> please notify the sender and delete this e-mail from your system.
>  
>  
> 
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Rick Hayter
> Sent: Wednesday, December 12, 2007 1:06 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Printers, printers, printers
> 
> Nagel, Lonnie wrote:
>> We installed a NAC appliance last summer. [...] 
> 
> Care to share a little more information about your NAC?
> 

-- 
- Anthony Maszeroski, CCNA
-----------------------------------
Information Security Manager
The University of Scranton
email : maszeroskia3 at scranton.edu
phone : 570-941-4226
-----------------------------------

