Quick answer: yes.
Loooooooooong answer:
Yes; however, it would be PacketFence and not Nessus that would be making the
decision to rescan and when. You can set the necessary settings in the admin
GUI.
However, there is one more piece to this puzzle that I think would be beneficial
to look into. That piece is PF's SNORT integration. I, of course, do not know
if you are familiar with Snort, but it is the gold standard for IDS systems. It
can watch the traffic of your clients and trigger events that PF can act on to
isolate misbehaving clients.
Thus telling you, in real time no less, if you have a client that is harming
your network.
Nessus scans can take a bit depending on how many rules you are using; however,
you can run the scan in the background and give the client preliminary access
to the network for the duration of the scan, if you want.
Once you have the trifecta of PacketFence, NPA (via either Nessus or OpenVAS),
and SNORT, you have a NAC system that rivals any other system in the world. No
kidding! I have had vendors from large companies look at my system and freak
out when they find out it is all open source and free.
Even my vendor who has deployed lots of Cisco ISE said that he wishes ISE had
some of the functions of PF.
This summer I am rolling out SNORT integration with our PF deployment; I am
going to be using a Linux distro called Security Onion. SO is a ready-made IDS
on an installable live CD that comes with tons of features pre-installed and
configured.
I could go on and on about this stuff ... yeah, I'm kinda a nerd like that, but
you get the point.
The short answer with PF is always: "Yes." You can extend PF to do ANYTHING,
but if what you are trying to do seems extraordinarily hard, you may want to
step back and ask if what you are doing is really a function of NAC or
something else.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
From: Josh Bitto [mailto:[email protected]]
Sent: Monday, April 29, 2013 5:57 PM
To: [email protected]
Subject: Re: [PacketFence-users] Options for Packetfence
I was wondering if you knew off hand. Say I was using Nessus... I tried OpenVAS
and it is really hard to get going (not much documentation on troubleshooting).
OK, scenario: We are a private school and an online school. Mostly kids access
our websites from home to do their work, but we have a private school on campus
as well. Kids and employees alike do bring their own laptop to school to work.
Now essentially scanning would be great for a first time thing, but suppose
they go home and do some bad stuff and then come back the next day with a
vulnerable machine. Do you know if Nessus has the ability to see said machine
and say "hey, there it is... let's see how you are... nope, don't like what you
have" and then redirect to a notification to the user?
I'm sure there is a way to do this... I just need a quick answer of yes, or no,
it doesn't do something like that.
From: Sallee, Stephen (Jake) [mailto:[email protected]]
Sent: Monday, April 29, 2013 11:57 AM
To: [email protected]
Subject: Re: [PacketFence-users] Options for Packetfence
Your first question about a landing page is essentially the captive portal
already available in packetfence. It is completely customizable.
Your next question is also already addressed. You will want to use Nessus or
OpenVAS. Both are excellent tools with Nessus being the gold standard in its
field. That field being vulnerability assessment.
Here is where some people will muddy the waters.
The NAC people will call what you are looking for, Network Posture Assessment,
or NAP if you are in the MS world. Why they felt the need to re-arrange the
letters I will never know. However, for true NPA you need a client on the host
that reports back to the mother ship what it finds.
That is great in an environment where you control the endpoint (i.e., you own
the client HW, etc.); however, in a BYOD environment a client on the host is
replete with issues.
It is implicitly true in any system that the mother ship MUST trust the client.
Clients can be spoofed, fooled, made to lie, and impersonated all without the
NAC system's knowledge.
I do not trust any info I get from a system that I do not own; why would I
want to put my security in the hands of someone who is capable and willing to
lie to me?
This is where vulnerability assessment is preferable to NPA. VA scanners tell
me exactly what my clients are vulnerable to and can give info on how to patch
/ fix the problems. The client CANNOT lie since the scan is external to them.
OpenVAS and Nessus both integrate well with PF and (through PF) can present
the user with remediation pages giving them info on how to fix the issue(s) and
give them the option to rescan.
Best part? OpenVAS = free (as in beer). Also, if you are a non-profit or
educational entity Nessus will give you a single professional license for free.
Hope that helps.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
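As an added example (not code from this thread, from PacketFence or from Nessus), the following Python script shows the NAC-side logic the two replies above describe: read the result of an external Nessus v2 scan, isolate the host and show remediation text when something reaches the policy threshold, otherwise release it (and, on a later rescan, re-run the same decision). The embedded report, host address and plugin IDs are constructed placeholders.

```python
# Added example (not PacketFence's or Nessus' own code): parse a Nessus v2
# report and make the NAC-side decision the thread describes. The report,
# host address and plugin IDs below are constructed placeholders.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<NessusClientData_v2>
  <Report name="byod-scan">
    <ReportHost name="192.0.2.10">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100001" pluginName="OS fingerprint (constructed)"/>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="100002" pluginName="SMB missing patch (constructed)">
        <solution>Install the vendor security update and reboot.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="1"
                  pluginID="100003" pluginName="Stale AV signatures (constructed)">
        <solution>Update antivirus definitions.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

def findings(report_xml, min_severity=2):
    """Return (host, plugin_id, name, severity, solution) for every ReportItem
    whose Nessus severity (0 info .. 4 critical) is at least min_severity."""
    root = ET.fromstring(report_xml)
    out = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue          # informational or below the policy line
            sol = item.findtext("solution", default="No remediation provided.")
            out.append((host.get("name"), item.get("pluginID"),
                        item.get("pluginName"), sev, sol.strip()))
    return out

def posture_decision(report_xml, min_severity=2):
    """Map a scan to a NAC action: 'release' when nothing reaches the policy
    threshold, otherwise 'isolate' plus the remediation lines a portal shows."""
    found = findings(report_xml, min_severity)
    if not found:
        return "release", []
    return "isolate", [f"{name}: {sol}" for _, _, name, _, sol in found]

if __name__ == "__main__":
    print(posture_decision(SAMPLE_REPORT))
```

Lowering min_severity tightens the policy (the stale-AV finding then also isolates the host); raising it to 4 releases this sample host.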
From: Josh Bitto [mailto:[email protected]]
Sent: Saturday, April 27, 2013 4:12 PM
To: [email protected]
Subject: [PacketFence-users] Options for Packetfence
Hello,
I'm diving into PacketFence to see if this will be a viable solution for our
organization. I had a couple of questions that maybe someone could answer that
I can't seem to find or may have overlooked. I understand the basic concept of
unregistered devices going into a certain VLAN and quarantined going in another
and so forth.
What I'm looking for is maybe a user friendly help page for users when they are
confronted for the first time with trying to get onto the network. Maybe a
webpage or notification about getting access to the network and the steps in
order to do that.
The other question I had is: is there a way to have PacketFence evaluate
the device to match it up to a standard that can be set and inform the user
that this device either meets the policies set by IT admins or let them
know that they need either AV or updates, etc.?
To kind of dumb it down: I want a user to be able to come on site, try to
connect to a guest VLAN, have PacketFence screen the device for a set standard
of security, and let the user know "hey, you need to do updates" or "hey, you
have some problems with your machine meeting our standards" to "hey, you have
met all requirements, follow these steps to obtain internet access."
I'm trying to get away from having to create a lot of headache for the IT
department to be the middle man with users that only come on site maybe a
handful of times throughout the year, which for a private school is the case.
We have a BYOD for our regular students, but BYOD is becoming more of a
trend that we have to adapt to.
/end rant...
Joshua Bitto
Information Technologist
KCC
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users