Network Access Control Pilot
We’re getting going (rather late in the year) with a pilot of a network access control system. Essentially, the system denies network access to devices that don’t meet our policy on virus scanners, malware detectors, and patches. When a computer boots, the access control system places it on an untrusted network, from which it can reach only the resources it needs to get patched and brought up to the standard our security policy requires. Once the access control system is satisfied with the state of the computer, it moves it onto the trusted network; the machine gets a new address and starts working normally.
This kind of system requires some pervasive changes to our network infrastructure and integrates with our machines at the login level, so we’re running the pilot to make sure it will do everything we need before we commit to a rather large expense. The intent is to reduce the impact and slow the spread of a virus or malware outbreak caused by inadvertently unpatched software or out-of-date virus scanners or malware detectors.
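To make the quarantine/remediate/admit flow above concrete, here is an added example of the posture decision such a system makes. It is illustrative code written for this post, not the pilot’s configuration or anything from Cisco NAC. The policy thresholds, the `Posture` fields, the patch identifiers, the VLAN names and the remediation hostnames are all hypothetical; the sample laptop is constructed. One detail worth noting is the version comparison: scanner versions must be compared numerically, because comparing them as strings ranks 4.9 above 4.10 and would admit an out-of-date scanner.

```python
"""Posture check and network placement, modelled on the NAC flow described
in the post. Added example; not the pilot's own code or a vendor API.
Policy values, field names, VLAN names and hostnames are hypothetical.
"""
from dataclasses import dataclass, replace
from datetime import date


def parse_version(s):
    """'4.10.0' -> (4, 10, 0). Compare tuples, not strings: as strings
    '4.9.2' > '4.10.0', which would wrongly pass an old scanner."""
    return tuple(int(part) for part in s.split("."))


# Hypothetical policy: minimum scanner version, maximum signature age,
# patches every host must carry, and whether the malware detector must run.
POLICY = {
    "min_av_version": parse_version("4.10.0"),
    "max_sig_age_days": 7,
    "required_patches": frozenset({"PATCH-A", "PATCH-B"}),
    "malware_detector_required": True,
}

# Hypothetical hosts reachable from the untrusted (quarantine) network:
# just enough to fetch patches and signature updates, nothing else.
QUARANTINE_REACHABLE = ("patch.example.internal", "avupdate.example.internal")


@dataclass(frozen=True)
class Posture:
    """What the agent reports about a host at login (hypothetical fields)."""
    hostname: str
    av_version: str
    sig_date: date
    patches: frozenset
    malware_detector_running: bool


def evaluate(p, policy, today):
    """Return the list of policy failures; an empty list means compliant."""
    failures = []
    if parse_version(p.av_version) < policy["min_av_version"]:
        failures.append("av_version_below_" + ".".join(map(str, policy["min_av_version"])))
    age_days = (today - p.sig_date).days
    if age_days > policy["max_sig_age_days"]:
        failures.append("signatures_%d_days_old" % age_days)
    missing = policy["required_patches"] - p.patches
    if missing:
        failures.append("missing_patches:" + ",".join(sorted(missing)))
    if policy["malware_detector_required"] and not p.malware_detector_running:
        failures.append("malware_detector_not_running")
    return failures


def place(p, policy, today):
    """Decide where the host lands: quarantine with a short reachable list
    and the reasons, or the trusted network with full access."""
    failures = evaluate(p, policy, today)
    if failures:
        return {"vlan": "quarantine", "reachable": list(QUARANTINE_REACHABLE), "reasons": failures}
    return {"vlan": "trusted", "reachable": ["any"], "reasons": []}


def remediate(p, policy, today):
    """Simulate the host fixing itself using only the quarantine-reachable
    servers: update the scanner and signatures, install the missing patches,
    start the detector. Returns the new posture for re-evaluation."""
    return replace(
        p,
        av_version=".".join(map(str, policy["min_av_version"])),
        sig_date=today,
        patches=p.patches | policy["required_patches"],
        malware_detector_running=True,
    )


# Constructed sample: a laptop that has been off the network for a month.
TODAY = date(2006, 6, 1)
STALE_LAPTOP = Posture("lab-laptop-07", "4.9.2", date(2006, 5, 1),
                       frozenset({"PATCH-A"}), False)


def demo():
    """Run the full cycle: initial placement, remediation, re-check."""
    first = place(STALE_LAPTOP, POLICY, TODAY)
    second = place(remediate(STALE_LAPTOP, POLICY, TODAY), POLICY, TODAY)
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("at login:", before)
    print("after remediation:", after)
```

The second `place()` call is the re-evaluation that, in the pilot as described, triggers the move to the trusted network and the new address; here it is modelled as a pure function so the decision can be checked against a known posture before and after remediation.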
Are you using Cisco’s MARS system?
We are working with Cisco NAC.
Scott,
How did your pilot work out?
The pilot worked out fairly well as far as we took it, with several pilot users using it for a couple of weeks without problems, authenticating to our Novell environment, getting remediation applied while being locked out, and then getting access granted.
We have decided in the meantime to make some lower-level architectural changes to our networks for other reasons, and so we are putting the NAC deployment on hold until later this summer.