Thanks. I’ll take a look.

-- nme

P.S. Susan, I will get my nominations in order!

From: Brian Desmond [mailto:[EMAIL PROTECTED]]

NAC != .1x. The 3560 will certainly do the port based auth, and I believe the 2950 will as well. I have the configs around. It’s pretty well explained in the config guide, though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger

Thanks all for the thoughts. I think that the thing I will need to communicate to these folks is simply the tradeoffs and the risks. They run many apps that force full admin rights on the workstations and have concluded that this is an acceptable risk. We’ll see what they say. In the end, I feel okay about it if they are fully cognizant of the risks and then accept them. Maybe I’ll put something in about double the hourly rate for cleanup ;-)

-- nme

P.S. Brian, could you elaborate on the inexpensive NAC products? I see that IAS will be a RADIUS provider to 802.1x switches. Is there a feature set within the IOS that can handle this (Catalyst 29xx and 35xx) or is it a separate device?

From: Brian Desmond [mailto:[EMAIL PROTECTED]]

They’re keeping me a little busy down at the fun factory, so I’m up pretty late. Actually I just flew back in yesterday from a client so I was handling backlog.

How is .1x cost prohibitive? Have you looked at the NAC products most major VPN providers have to handle your fears about viruses and such? Also realize you don’t need to open a lot of the ports representative of that sort of stuff. Lock it down by job role.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger

Thanks, Brian. Don’t you sleep? It’s late in

802.1x is the direction they are heading. Right now, it is cost-prohibitive. So the question is less “can I control this access” than “should I?” Is that over-reacting?

Again with the VPN. My thoughts were to push it with an MSI, so I see how to control its distribution. The question is should I limit it to just the domain computers? How big is the risk? If the risk from home computers is virus and malware, how do I justify preventing folks from running it on their home Macs?

Thanks.

-- nme

From: Brian Desmond [mailto:[EMAIL PROTECTED]]

My suggestion is that you implement 802.1x port auth to implement port based authentication. You can use this to implement guest vlans with the policy routing you describe.

Isn’t the Cisco VPN an MSI? Use Group Policy or SMS if you have it. You can do some NAC stuff with Cisco VPN as well as the personal firewall built into it.

I don’t see how you plan to prohibit OS X at least – put it on the guest vlan if you must, but, realize that the marketing, pr, etc people may live in a Mac world.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger

Hi:

I am facing some IT policy questions and wanted to get some perspectives. In each of these areas, I am trying to determine how restrictive I need to be. The client has four sites connected over high-speed links. I have good backing from management but will undoubtedly get resistance on some of these. The client is small, under 200 employees with most in one office. Some small field offices are not managed (i.e., have workgroup networks, often with a small server, but no AD). There are no SOX requirements and the data are not sensitive (e.g., no credit cards). Almost entirely Windows XP; all DCs run W2k3. Any thoughts on these topics welcome.

Connecting to the wired network. They do not run any IDS or machine-based authentication. Given that, written policy carries some weight. I want to require all non-domain machines to connect only to a “public” VLAN that goes only to the Internet. I would apply this even to staff “personal” computers, those of contractors (including me), and machines from those field offices that are not on the domain.

VPN. They run a Cisco VPN. I want to distribute the client only to domain-based machines. Others want the client for their home computers, etc.

Other Operating Systems. I don’t want to allow other OS’s on the network, unless we manage them. But what is the threat posed by a Linux or OS X box on the network?

As always, many thanks.

-- nme
