Velocity Reviews - Computer Hardware Reviews

Cisco Security Agent / Network Admission Control

 
 
Eric Sorenson, 05-10-2004:
In mopping up after Sasser and a Gaobot variant that exploited the LSASS
vulnerability, I've started looking around for ways to prevent unpatched
Windows machines from doing anything useful on the network. Cisco has this
"Self-Defending Network" thing that seems intended to address this problem;
specifically the "Network Admission Control" looks like a great idea --
from what I can tell sifting through the marketspeak it looks like they
give you a way to query a 'trust agent' installed on end-stations, and
adjust VLAN membership for an end-station's uplink port based on the results
of that query. But it's clearly got a couple of problems:

1. It doesn't, as far as I can tell, actually exist yet.
2. Aside from that, there doesn't seem to be a way to address
the problem of "rogue" machines (which, in our case, were really the
main vector that spread the infection) which do not have the security
agent installed on them; a random laptop brought in, or a self-installed
Windows XP box that doesn't run the agent.
3. I don't have Cisco switches at my edge, and even if I did, many offices
share an edge port via unmanaged hub, between a Linux or Solaris machine
which I don't want to have to care about, and one or more Windows boxes,
which I do.

Has anybody seen this software, or know how it addresses these issues?

Has anybody addressed this problem, through means other than those
Cisco sells?

--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
 
Richard Deal, 05-10-2004:

"Eric Sorenson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In mopping up after Sasser and a Gaobot variant that exploited the LSASS
> vulnerability, I've started looking around for ways to prevent unpatched
> Windows machines from doing anything useful on the network. Cisco has this
> "Self-Defending Network" thing that seems intended to address this problem;
> specifically the "Network Admission Control" looks like a great idea --
> from what I can tell sifting though the marketspeak it looks like they
> give you a way to query a 'trust agent' installed on end-stations, and
> adjust VLAN membership for an end-station's uplink port based on the results
> of that query. But it's clearly got a couple of problems:
>
> 1. It doesn't, as far as i can tell, actually exist yet.
> 2. Aside from that, there doesn't seem to be a way to address
> the problem of "rogue" machines (which, in our case, were really the
> main vector that spread the infection) which do not have the security
> agent installed on them; a random laptop brought in, or a self-installed
> Windows XP box that doesn't run the agent.
> 3. I don't have Cisco switches at my edge, and even if I did, many offices
> share an edge port via unmanaged hub, between a Linux or Solaris machine
> which I don't want to have to care about, and one or more Windows boxes,
> which I do.
>
> Has anybody seen this software, or know how it addresses these issues?
>
> Has anybody addressed this problem, through means other than those
> Cisco sells?
>
> --
> Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
>


Eric,

There is some work with honeypots on this. Please visit this URL:
http://www.honeyd.org/worms.php

Cheers!

Richard


 
Eric Sorenson, 05-11-2004:
Richard Deal <rdeal2 @ cfl.rr.com> wrote:

> There is some work with honeypots on this. Please visit this URL:
> http://www.honeyd.org/worms.php


Thanks for the link, that's interesting work. But it doesn't really seem
relevant to the idea of enforcing corporate patchlevel policy on an
enterprise LAN.

--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
 
Steve McKee, 05-11-2004:
Hi there,
Admission Control is coming but for now check out Zone Alarm's initiative
(look for various vendor switch support and 802.1x):
See:
Zone Labs Integrity can enforce policy by integrating with a broad array of
network access devices from vendors such as Check Point, Cisco, Nortel,
Enterasys, Aventail and Foundry. Integrity integrates with more than 200
other network access devices from more than two dozen leading vendors
supporting the industry standard 802.1x Extensible Authentication Protocol
(EAP). EAP integration protects enterprise PCs, regardless of how they
access the enterprise network, from spreading infections or allowing
intrusions because they lack required security, or because client
enforcement has been disabled.

Key Network-Access Protection features:

Total Client Lockdown
Administrative "lock down" on all Integrity clients, post-deployment,
provides security that cannot be altered or disabled, even by end users with
local administrative privileges on the endpoint.

Cooperative Enforcement™ technology integrates with leading VPNs,
802.1x/EAP-compliant network access devices and antivirus solutions to
further harden and enforce network security. It allows administrators to
audit, inventory and enforce critical network access criteria on employee
PCs, including:

a. Patches and service packs installed
b. Antivirus running and updated
c. Applications present or absent

Antivirus Integration
Offers a broader menu of anti-virus enforcement options. Integrity
synchronizes with leading anti-virus products to ensure that policy
enforcement rules are always up-to-date. From a reference PC it can
automatically gather signature file updates for Symantec, McAfee, Trend
Micro, Computer Associates or Sophos anti-virus products and immediately
deploy new policies requiring end users to install the updates. This unique
Integrity benefit virtually eliminates administrative time to manually
gather and update policy data.


LAN/WAN Integration
Over 200 enterprise switches, wireless access points, and other
network access devices that support the 802.1x/EAP authentication standard.

For companies that have not yet upgraded to 802.1x-compliant
equipment, Integrity also provides LAN policy enforcement without requiring
gateway integration.


"Eric Sorenson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Richard Deal <rdeal2 @ cfl.rr.com> wrote:
>
> > There is some work with honeypots on this. Please visit this URL:
> > http://www.honeyd.org/worms.php
>
> Thanks for the link, that's interesting work. But it doesn't really seem
> relevant to the idea of enforcing corporate patchlevel policy on an
> enterprise LAN.
>
> --
> Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
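Eric's opening post describes NAC as querying a trust agent on the end-station and moving its uplink port between VLANs on the result, and Steve's post lists the criteria such agents check (patches and service packs, antivirus state, applications present or absent). The following is an added example, not code from Cisco, Zone Labs or anyone in the thread: a small posture policy engine in Python that applies those criteria, treats a station with no agent as non-compliant (Eric's point 2), and shows why a hub shared by several stations drags the whole port into quarantine (his point 3). VLAN numbers, the patch name and the application name are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
# Constructed VLAN ids: compliant stations reach the production network,
# everything else lands in a quarantine VLAN that only reaches patch servers.
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 666

@dataclass
class Policy:
    required_patches: set           # "patches and service packs installed"
    max_av_signature_age_days: int  # "antivirus running and updated"
    forbidden_apps: set = field(default_factory=set)  # "applications absent"

@dataclass
class Posture:  # what the trust agent on an end-station reports about itself
    patches: set
    av_running: bool
    av_signature_age_days: int
    apps: set

def evaluate(posture: Posture | None, policy: Policy) -> list[str]:
    """Return the policy violations for one station (empty list = compliant).
    A station that never answered the agent query (None) is the rogue-machine
    case: with no agent it can never be shown compliant, so it fails closed."""
    if posture is None:
        return ["no agent response"]
    problems = []
    missing = policy.required_patches - posture.patches
    if missing:
        problems.append("missing patches: " + ", ".join(sorted(missing)))
    if not posture.av_running:
        problems.append("antivirus not running")
    elif posture.av_signature_age_days > policy.max_av_signature_age_days:
        problems.append("antivirus signatures out of date")
    present = policy.forbidden_apps & posture.apps
    if present:
        problems.append("forbidden applications: " + ", ".join(sorted(present)))
    return problems

def port_vlan(stations: list, policy: Policy) -> int:
    """Pick the VLAN for one switch port.  Assignment is per port, so when an
    unmanaged hub puts several stations behind it, one non-compliant or
    agentless station (say a Solaris box) drags the whole port into quarantine."""
    if not stations or any(evaluate(s, policy) for s in stations):
        return QUARANTINE_VLAN
    return PRODUCTION_VLAN

# Constructed sample policy; "PATCH-LSASS" is a placeholder for the LSASS fix.
POLICY = Policy(required_patches={"PATCH-LSASS"}, max_av_signature_age_days=7,
                forbidden_apps={"p2p-client"})
```

Running port_vlan over a port with one compliant Windows box and one agentless host returns the quarantine VLAN, which is exactly the shared-hub problem Eric raises.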






 