The Snort appliance you are thinking of is from Sourcefire (http://www.sourcefire.com/)

However, what I think most of us would be looking for (at least what I would be looking for) is a way for the agent to be polled/check in to verify the status of the system. So instead of having to completely kick off a user after, say, 7 days to have them go back through posture assessment and be disrupted during the process, the CAM could poll the agent and have it check the system again, and only if the system was dirty would it drop it back into the Unauth Role.

Having there be some sort of IDS/IPS that could talk back to the CAM about an infected machine is an interesting idea. You would have to be VERY careful about false positives kicking people off. Depending on the checks you are executing, though, it might work wonders (detecting P2P apps...)

--Jeremy

On Wed, Mar 4, 2009 at 11:08, Daniel Sichel <[email protected]> wrote:
>> What about "post-traffic police" and/or "post-re-checking" without
>> kicking user and machine out by clearing "Certified Device List"?
>
> I hate to be a pig about this, but how about Snort? (Sorry, but pig
> jokes are mandatory when discussing Snort.) It is purpose built for that
> function and has a lively support community, and is maintained by people
> who stay pretty in touch with the latest hacks. It is VERY widely used
> and I am pretty sure some commercial products use it. I even seem to
> recall a salesman telling me about a Snort appliance although I am sorry
> to say I can't recall the name of the product.
>
> Dan Sichel
> Ponderosa Telephone
>
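
As an added illustration (not code from this thread, from Cisco, or from any NAC product), the following Python model shows the re-check policy discussed above: the manager polls each endpoint agent on a schedule instead of expiring certification outright, demotes a device to the Unauth role only when the agent actually reports findings, and treats IDS alerts as a trigger for an immediate re-check only after a confirmation threshold, so that a single false-positive signature does not knock a user off the network. The class and role names, the `agent_check` callback, and the findings are all hypothetical and constructed for the example.

```python
"""Model of NAC posture re-checking by agent polling (added example, hypothetical names).

Instead of clearing the certified device list on a timer, the manager polls the
agent and only demotes a device when the agent reports something wrong. IDS alerts
do not demote directly; they force an agent re-check once a threshold is reached.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CERTIFIED_ROLE = "certified"   # normal access after a passed posture assessment
UNAUTH_ROLE = "unauth"         # quarantine role: user must re-run assessment


@dataclass
class Device:
    mac: str
    role: str = CERTIFIED_ROLE
    consecutive_alerts: int = 0      # IDS alerts seen since the last clean check
    last_checked: int = 0            # epoch seconds of the last agent poll
    log: List[str] = field(default_factory=list)


@dataclass
class RecheckPolicy:
    interval_s: int = 24 * 3600      # how often a certified device is re-polled
    alert_threshold: int = 3         # IDS alerts needed before acting on them


class PostureManager:
    """Stands in for the CAM side of the loop; agent_check(mac) -> list of findings."""

    def __init__(self, policy: RecheckPolicy, agent_check: Callable[[str], List[str]]):
        self.policy = policy
        self.agent_check = agent_check   # hypothetical hook into the endpoint agent
        self.devices: Dict[str, Device] = {}

    def register(self, mac: str, now: int) -> None:
        """A device that just passed posture assessment enters the certified role."""
        self.devices[mac] = Device(mac=mac, last_checked=now)

    def recheck(self, mac: str, now: int, reason: str) -> bool:
        """Poll the agent once; demote only if it reports findings. True if demoted."""
        dev = self.devices[mac]
        findings = self.agent_check(mac)
        dev.last_checked = now
        dev.consecutive_alerts = 0   # a fresh verdict supersedes prior alerts
        if findings:
            dev.role = UNAUTH_ROLE
            dev.log.append(f"{now}: demoted ({reason}): {', '.join(findings)}")
            return True
        dev.log.append(f"{now}: clean ({reason})")
        return False

    def tick(self, now: int) -> List[str]:
        """Scheduled pass: re-poll certified devices whose interval has elapsed."""
        demoted = []
        for mac, dev in self.devices.items():
            if dev.role != CERTIFIED_ROLE:
                continue
            if now - dev.last_checked >= self.policy.interval_s:
                if self.recheck(mac, now, "scheduled"):
                    demoted.append(mac)
        return demoted

    def ids_alert(self, mac: str, signature: str, now: int) -> bool:
        """IDS reported traffic from mac. Below the threshold nothing happens;
        at the threshold the agent is asked to confirm. True if the device was demoted."""
        dev = self.devices[mac]
        if dev.role != CERTIFIED_ROLE:
            return False
        dev.consecutive_alerts += 1
        dev.log.append(f"{now}: ids alert {signature} "
                       f"({dev.consecutive_alerts}/{self.policy.alert_threshold})")
        if dev.consecutive_alerts < self.policy.alert_threshold:
            return False
        return self.recheck(mac, now, f"ids:{signature}")


if __name__ == "__main__":
    # Constructed sample: one clean endpoint, one with a P2P client running.
    findings = {"aa:aa": [], "bb:bb": ["p2p-client-running"]}
    pm = PostureManager(RecheckPolicy(interval_s=60, alert_threshold=2),
                        lambda mac: findings[mac])
    pm.register("aa:aa", now=0)
    pm.register("bb:bb", now=0)
    print("demoted on schedule:", pm.tick(60))
    pm.ids_alert("aa:aa", "sid:1000", now=70)
    pm.ids_alert("aa:aa", "sid:1000", now=71)
    for dev in pm.devices.values():
        print(dev.mac, dev.role, dev.log)
```

The point of routing IDS alerts through `recheck` rather than demoting on the alert itself is that the agent's view of the host is the authoritative evidence; the IDS only decides when it is worth asking sooner than the schedule would.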
