On Sep 9, 2009, at 10:14 AM, Kim Casserly wrote:
Do other universities enable NAC on wired ports that connect
university-secured machines? For instance, what are your policies on
lab computers, faculty/staff computers, etc.
We haven't enabled NAC on the academic side yet (only in the dorms),
and we're worried that the NAC compliance rules we have for students
may not work well with university-managed computers. For instance,
we have our university computers pointed at an internal WSUS server,
but we don't want students using our WSUS server because when they
graduate from the university (or leave the dorms), we don't think
they will change their settings back to Windows Update instead of
our WSUS.
A problem this would cause would be if a student were to log into a
university machine that has purposely received a different set of
updates (for instance, perhaps a computer lab has temporarily
withheld a patch until they can properly test to make sure it
doesn't interfere with specific apps), the machine would be required
to have the "student requirements." The private enterprise probably
doesn't run into these issues as much as larger universities, where
all the different academic departments run disparate computer
policies.
We are already aware of Profiler to identify non-compliant devices
and things of that nature. I guess the main point of this post is to
find out what your policy is for university computers, and whether
there is anything on the NAC Appliance road-map to take Active
Directory machine accounts into consideration (for instance, if AD
user account has "student" group memberships and the computer object
exists with "COSC computer lab" security group, then use Policy A,
else just use Policy B).
Thanks in advance.
Kim,
If your university computers are already members of the domain and
receive updates from WSUS, what benefit do you hope to get from NAC?
The only thing that springs to mind is the AV and AS rules, which
could work, but there are probably better ways to do that.
We are using NAC on almost all parts of our network. Our university
owned personal-use machines are not part of a domain and we do not
currently have a centrally managed patch system. Staff and faculty
are placed into different NAC roles from students based on LDAP
(Novell LDAP) attributes, but the role requirements are almost
identical. Lab machines, special purpose computers, printers, and
other network devices are exempted from NAC or placed in specific
roles by MAC address. Machines that are exempted from CCA must have
compensating controls, e.g. lab machines are updated regularly by
staff, require network login, and are locked down with Deep Freeze.
For university-owned computers, we are beginning to move towards an AD
environment with managed computers that will leverage LANDesk for
patching, requirement verification, and application deployment. As we
migrate computers, we will either exempt them from NAC or they will be
placed in a specific role where the primary requirement is "must have
LANDesk installed."
Hope that helps,
Michael Grinnell
Senior Information Security Engineer
The American University