NAC

[NewOrder]

Has anyone looked at Network Access Control ? I ask this because a number of schools appear to be investing in devices/laptops for kids to take home and I'm wondering what is the most simplest way to allow them on to a school network. I want to make sure its simple secure and low maintenance.

What worries me is the rubbish etc that they will have on their devices and this needs to be stopped.

I remember a number of years a go a LEA gave out laptops to teachers over the summer. They all came back in and September was virus month.

I saw this quote

You Can't Control People.

Control What's On Your Network.

[GrumbleDook]

Yep, we are putting in a Cisco solution this year, and segmenting the WLAN into a hidden, ultra-controlled section for staff and curriculum laptops that need to be part of the domain, and having a public hotspot style section with only port 443 access to one set of servers running Sun's Secure Global Desktop as a web front end for our TS system. I know of a few other schools looking at similar.

[kmount]

Wish I had the cash to even look at the Sun Global Desktop letalone the rest!

[NewOrder]

2 things

1. Anything less complicated? Remeber a lot of heads will have seen situations where they hit a hotspot and connect to the Internet

and

2 They will expect that within the school and how will you give them access to materials on the network?

[stratisphere]

Here's our setup:

We have a Sonicwall SSLVPN box (which is responsible for remote access for out on the internet). (SSL VPN Secure Remote Access - Everywhere Access For Every Size Organization - SonicWALL, Inc.)

We also have 2 wireless networks. Like GrumbleDook's setup, one is hidden, secured etc etc for mostly tech access (dont have the resources in school to let staff use it yet).
Another one, again, like GrumbleDook's, is public. This is it's own little network setup up to use a little (but more than good enough!) desktop PC running linux routing only SSL (port 443). This then goes direct into another interface on our SSLVPN.

So basically if kids want to use wireless, they can but to only access their work via the remote access site.

We are experimenting with setting up a hotspot type system where the first time you connect, you have to authenticate via web browser. It then logs how long your using it etc etc. From that, we can then direct them to the correct proxy server (Wouldnt want to let them have unfiltered internet access now )

[torledo]

Yep, we are putting in a Cisco solution this year, and segmenting the WLAN into a hidden, ultra-controlled section for staff and curriculum laptops that need to be part of the domain, and having a public hotspot style section with only port 443 access to one set of servers running Sun's Secure Global Desktop as a web front end for our TS system. I know of a few other schools looking at similar.

GD - could you expand a liitle on the cisco solution you'll be using, will it be the CSA product and/or CCA (cisco clean access) ?

We've had a look at CSA in the past, at the time we were a bit unsure as the technology was quite new - at the time cisco also had the CTA (Cisco Trust Agent) and CCA appliances that we believed were also part of overall NAC solution in additon to selected AntiVirus products, 802.1x capable catalyst switches and Cisco ACS as the radius server.

It's difficult to know which bits you actually need for a NAC solution.

[spc-rocket]

Have a look at the Microsoft's offering of NAP (Network Access Protection) as well which does require at least one windows 2008 server but this can be installed on your existing 2003 inftrastrure so its not a big deal. Windows XP SP3 will come with a NAP client so that should make it easier to control the policies.

All these solutions relies on the 802.1x support on your infrastruture devices such as switches, routers and acccess points as well as WLAN controllers.

If you are just worried about kids plugging their own laptops then the simple 802.1x authentication is enough but if you are looking to find out and screen for dirty/healthy clients then you need NAC or NAP. These technology takes the 802.1x concept one step further by screening the clients for various other criteria such as the correct SP level, latest virus definitions and other conditions such as client being a member of domain and or in appropriate groups.

We are using the our main wireless system (for staff) using the 802.1x with MS IAS (Radius) server and hidden SSIDs. For 6th form students we offer free wifi on thier own laptops and this is again controlled using 802.1x (WPA/TKIP) and are re-directed to the web filtering/proxy server so the net access is controlled. In order to access their My Docs we use the easylink (webdav) and open 443 from the wireless VLAN to the corp network. This works very well and its secure as well.

HTH,

Ash.

[NewOrder]

Hi folks thanks for the replies. I'm now looking at a few NAC/Nap devices. I'll report back

[john]

May also be worth noting that Sophos V8 which is around the corner soon has some stuff like this in it as well as Drive restrictions and things I believe

[Geoff]

I use packetfence.

packetfence / home

[skowal]

If I may suggest...

For endpoint security (e.g. making sure that laptop/endpoint virus defs are up to date), Novell ZESM is a decent product. A real pain in the *** to install, but once running it's very stable.

[dave.81]

I am looking into this at the moment and want to get to grips with packetfence but have no time at moment maybe over the summer break.

Problem i have with OS stuff is i'm lazy and just want to install one package to do the lot, one day i'll get my head around it as i know there is a whole host of fun things out there in OS.