On 4/26/2012 4:13 PM, Mark Duling wrote:
> I think many have found enforcing remediation of NAC to be problematic
> with an increasingly protected and sophisticated user base.  Whether
> or not to do posture assessment and enforce remediation seems to me to
> be the main determinant of how much one needs to spend, rather than
> the vendor of the solution chosen.

We are at somewhat of a crossroads, and about to embark on an experiment...

We were an early Perfigo customer, following the fallout from
Slammer/Blaster/Nachi/etc.  We carried over to the Cisco takeover, and
stuck with Cisco until the release of Windows Vista, which was not
supported by our CCA version (and not maintenance-upgradeable either, it
was a large re-licensing/repurchase path, and the "new" version did not
support all of our "old" switches, so there was a 6-figure "update"
projected).

We then went with Bradford.  After an initial learning curve /
implementation smoothing, it took the place of CCA rather well, and
relaxed the Cisco end-to-end dependence that CCA required.  It did a
spectacular job of network tracking and management (it's hard to tie a
time, MAC, IP, hostname, switchport, and userID together in one place,
and searchable to boot).  The "posture assessment" worked well for OS /
AV, but in today's world, that is hardly sufficient given the plethora
of exploit kits targeting Flash, Java, Acrobat, Shockwave, etc.

The "remediation" is the clunky part, and if you enforce it brute-force
captive-portal style, you are due for some serious feedback if not
outright outrage.  The current versions of the software allow for
"delayed" forced remediation, so you get an obvious indication that you
are out of compliance (icon in system tray bleeps at you like the
Windows Update one does) for a configurable number of days before
remediation is enforced.

But just "getting out of remediation" is somewhat unintuitive.  You
have to remediate yourself, more or less, but the icon remains "at-risk"
until you navigate to the portal page and initiate a re-scan (users
typically expect that to reflect their status in "real-time" and get
confused when it doesn't change after they patch).

We ditched forced remediation over a year ago, but still very much use
the tracking, and even do role-based port security based on registration
to separate various user groups, printers, special devices, and so forth
on their own VLANs.

For security incidents, e.g., IPS/IDS detected infections, you still
have the "quarantine" mechanism available to you.  Quarantine overrides
everything and keeps infected machines in their own captive portal,
regardless of where they connect; and if the device is registered, it
carries over to every network interface on the box (e.g., wired,
wireless laptop).

Our current "experiment" is looking at IBM's Tivoli Endpoint Manager
(a.k.a. BigFix) to handle the remediation cases for university-owned
equipment.  With the BigFix agent in place on the machine, you can have
it do the remediation steps automatically (you just push the needed
"fixlets" to the device yourself).

We hope this will provide the "missing link" in the whole policy /
posturing / endpoint compliance picture while incorporating the common
third-party applications as well.

We'll see how it goes :)  If anybody else has "been there, done that, got
the T-Shirt" I'd be interested in any stories you can share, good, bad,
or otherwise.

Jeff

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.