You can do it. Just be sure to test it thoroughly, and be ready to become best friends with Wireshark and tcpdump. :) Also, I would hope that your organization already has an acceptable use policy governing what is and isn't allowed (giving you the authority to block the undesirable stuff).

You are absolutely right to fear that this could make your phone ring off the hook, but if you manage it well I think you'll find fewer complaints than you might think. It's hard for folks to complain if they've been given adequate warning that "X, Y and Z are not allowed on this network."

We are big users of NAC and Policy, and we have done exactly what you describe in numerous places. We always test things first (on our IT staff where applicable), let it run for weeks/months just to shake out any issues, then roll it out to the users one floor or building at a time (usually with a week between deployments to give time for feedback). Depending on the nature of the change, we might also send out notification to the users in advance.

Depending on your environment, be prepared to offer alternative solutions when you break people's workflow. This may not really apply in a residence hall, but if you plan to do this in places where folks are employed, be prepared to discover some not-best-practices solutions. For example, our policy here states that a normal desktop/laptop should not be used as a server (file share, website, etc.). For a long time it was just a policy we couldn't enforce, but NAC gives us the enforcement tools. As we start blocking these things, it flushes out all the folks who have been doing those things (most of them with the best of intentions). Instead of simply telling those people "you can't do that", we have offered them a better alternative (we provide enterprise-level file sharing and web hosting platforms, which they can use; they just have to ask for it).

Recently we've begun using a hybrid approach of NAC/Policy and a firewall: we use NAC and Policy to contain devices to the appropriate VLAN and to block traffic within the subnet. The (routing) firewall governs what gets in or out of the subnet. We've found that firewall rules are a bit more flexible than NAC rules.

The other thing that helps is a segmented approach to the network. We group similar devices together on the same subnet/VLAN: end user machines on one segment, printers on another, servers on another (actually we have lots of server segments, based on server type and tier). This makes for a more manageable ruleset on the firewalls.

Aaron Taye
Senior Network Engineer
NCI Computer Services
Contractor, TerpSys

From: John Kaftan [mailto:[email protected]]
Sent: Friday, February 08, 2013 7:35 AM
To: Enterasys Customer Mailing List
Subject: [enterasys] Policy Dreamer

We are just starting to dream about policy. We are using it as part of NAC in our residence halls but have not really played around with it beyond that. When I do packet captures I see the usual junk flying around our network, i.e. various broadcasts from MS or what have you. I see no reason why clients need to talk to each other at all. The only thing our users need is to be able to ARP so they can find the gateway, DHCP, DNS, and access to whatever services we are providing for them centrally, e.g. printing, files, directory, internet, etc. Has anyone taken the lockdown approach where you only allow the protocols that are needed rather than blocking the ones that you don't like? My guess is that this approach is too restrictive and that the phone rings too much, but "I have a dream...."

--
John Kaftan
IT Infrastructure Manager
Utica College
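The "test it thoroughly first" advice above can be turned into a dry run: encode the allowlist John describes (ARP, DHCP, DNS, central services, internet via the gateway, nothing client-to-client) and replay flows distilled from a capture against it to see what would be denied before the policy is enforced. This is an added example, not code from either poster or from any NAC product; all addresses, ports and sample flows are constructed.

```python
import ipaddress
from collections import Counter

# Constructed example: one residence-hall segment and the central services the
# thread lists (gateway, DHCP, DNS, printing, files). All addresses are assumed.
SUBNET = ipaddress.ip_network("10.20.0.0/24")
GATEWAY = ipaddress.ip_address("10.20.0.1")
CENTRAL_SERVICES = {            # (dst, proto, dport) -> service name
    ("10.10.1.5", "udp", 53): "dns",
    ("10.10.1.5", "tcp", 53): "dns",
    ("10.10.2.9", "tcp", 445): "files",
    ("10.10.2.10", "tcp", 631): "printing",
}

def classify(flow):
    """Verdict for one (src, dst, proto, dport) flow under the default-deny policy."""
    src, dst, proto, dport = flow
    if proto == "arp":
        return "allow", "arp"                    # clients must be able to find the gateway
    if proto == "udp" and dport in (67, 68):
        return "allow", "dhcp"
    key = (dst, proto, dport)
    if key in CENTRAL_SERVICES:
        return "allow", CENTRAL_SERVICES[key]
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == SUBNET.broadcast_address or dst_ip.is_multicast:
        return "deny", "broadcast/multicast"    # the usual NetBIOS/SSDP junk
    if dst_ip in SUBNET and dst_ip != GATEWAY:
        return "deny", "client-to-client"       # peers on the same segment
    if dst_ip.is_global:
        return "allow", "internet"              # leaves via the gateway
    return "deny", "not-allowlisted"            # internal, but not a central service

def dry_run(flows):
    """Count verdicts so the policy can be reviewed before it is enforced."""
    return Counter(f"{verdict}:{reason}" for verdict, reason in map(classify, flows))

# Constructed flows of the kind a capture on the segment would show.
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.20.0.1", "arp", None),
    ("10.20.0.15", "255.255.255.255", "udp", 67),
    ("10.20.0.15", "10.10.1.5", "udp", 53),
    ("10.20.0.15", "10.20.0.255", "udp", 137),      # NetBIOS name broadcast
    ("10.20.0.15", "239.255.255.250", "udp", 1900),  # SSDP
    ("10.20.0.15", "10.20.0.22", "tcp", 445),       # one client serving files to another
    ("10.20.0.15", "10.10.2.10", "tcp", 631),
    ("10.20.0.15", "93.184.216.34", "tcp", 443),
    ("10.20.0.15", "10.10.9.9", "tcp", 22),         # internal host nobody allowlisted
]

if __name__ == "__main__":
    for key, count in sorted(dry_run(SAMPLE_FLOWS).items()):
        print(f"{count:3d}  {key}")
```

Every "deny" bucket is a conversation to have before rollout: the client-to-client and not-allowlisted hits are exactly the folks Aaron describes who need an alternative rather than a silent block.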
