We got a Wii for Christmas. It has been going pretty much non-stop since the 24th when the kids opened it. Today Mack and I were playing Wii Sports bowling. I wound up and started to “throw” the ball, when I clipped the end of the couch with the Wiimote. It slipped out of my hand, swung up on the lanyard, and pegged me right in the cheekbone below my right eye. I am now sporting my first WiiShiner. I expected to get it in boxing, not bowling.
I had just read an article about czechnology on somebody else’s blog today, when we experienced a wonderful improvised and somewhat hackish solution in our own environment. I have been working with Lyle from Longview systems on setting up a pilot of a network access control infrastructure that locks computers out of the network at the switch until they meet the virus scanner, malware scanner and Windows patch currency policy.
The system we are looking at is of course designed for a Windows Server / Active Directory environment, so getting it working in a Novell environment is not straightforward. With Windows desktops and servers, the NAC does pass-through authentication: when you boot up, you are on the untrusted network, you authenticate to AD via pass-through on the NAC server, the NAC agent runs and verifies you meet policy, then flips you onto the trusted network, at which point you run your login script and go to work. With NetWare / Open Enterprise Server, you can’t defer the login script, and if you allow enough traffic from the untrusted network to the trusted network to get users authenticated, they can also access data on the server, because authentication and data access via Novell Core Protocol (NCP) use the same ports. Allowing data access while the workstation is still on the untrusted network defeats the purpose of the NAC.
When Lyle and I were discussing the conundrum, Lyle mentioned that you can change the security configuration on the NAC server between the time the user logs in and the time the NAC agent starts checking the workstation for policy compliance. That led to the idea that we could allow the user access to eDirectory from the untrusted network before they log in, so that the login works and the login script runs. Then, once the user has logged in and all the drive mapping has been done, the NAC agent starts up and the NAC server revokes access to eDirectory and NCP, effectively blocking the user from using the mapped drives. After remediation, the workstation flips onto the trusted network and grabs a new IP address. The Novell client stays connected, and all those drive mappings suddenly work again. A nice clean but hackish solution!
We’re getting going (rather late in the year) with a pilot of a network access control system. Essentially, the system prevents network access to devices that don’t meet policy regarding virus scanners, malware detectors, and patches. When a computer boots up, the access control system dumps it onto an untrusted network. From there, the computer can only see sufficient resources to get itself patched and up to standards according to our security policy. Then, when the access control system is satisfied with the state of the computer, it flips it onto the trusted network, and the system gets a new address and starts working normally.
This kind of system requires some pervasive changes to our network infrastructure, and integrates to our machines at the login level, so we’re doing the pilot to make sure that it will do all the things we need from it before we commit to a rather large expense. The intent of it is to reduce the impact and slow the spread of an outbreak of viruses or malware caused by inadvertently unpatched software or out-of-date virus scanners or malware detectors.
Last week we had training at work on “Service Excellence” which focussed on providing exemplary customer service, to both internal and external clients. While the content was interesting and of some value to all in attendance, that isn’t the topic of this post.
The topic of this post is something else that happened to me for the first time ever. In the group of 20 or so randomly selected employees, I was the most senior employee (in terms of service in the company, not age) by some five years (15 total in the company) over the next longest serving employee. That was very weird, especially since I sat in the middle of a group of 20-somethings who averaged about 1.5 years with the company. We have a lot of really long-term employees in the 20, 25 and even 30 years range, so it’s unusual for me at 15 to be the most senior in any given group of staff.
I feel pretty good about my 15 years here. I’ve learned a lot, worked with some really smart people and good clients, made decent money, and gotten to do some interesting work. I also have a good group at the moment, with some hard working and dedicated guys. So far so good.