Cisco Security Agent / Network Admission Control

Discussion in 'Cisco' started by Eric Sorenson, May 10, 2004.

  1. In mopping up after Sasser and a Gaobot variant that exploited the LSASS
    vulnerability, I've started looking around for ways to prevent unpatched
    Windows machines from doing anything useful on the network. Cisco has this
    "Self-Defending Network" thing that seems intended to address this problem;
    specifically the "Network Admission Control" looks like a great idea --
    from what I can tell sifting through the marketspeak it looks like they
    give you a way to query a 'trust agent' installed on end-stations, and
    adjust VLAN membership for an end-station's uplink port based on the results
    of that query. But it's clearly got a couple of problems:

    1. It doesn't, as far as I can tell, actually exist yet.
    2. Aside from that, there doesn't seem to be a way to address
    the problem of "rogue" machines (which, in our case, were really the
    main vector that spread the infection) which do not have the security
    agent installed on them; a random laptop brought in, or a self-installed
    Windows XP box that doesn't run the agent.
    3. I don't have Cisco switches at my edge, and even if I did, many offices
    share an edge port via unmanaged hub, between a Linux or Solaris machine
    which I don't want to have to care about, and one or more Windows boxes,
    which I do.

    Has anybody seen this software, or know how it addresses these issues?

    Has anybody addressed this problem, through means other than those
    Cisco sells?

    --
    Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
    Eric Sorenson, May 10, 2004
    #1
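    The decision the post describes (query a posture agent per end-station,
    then move the uplink port to a VLAN based on the answer) is easy to sketch
    as a small policy engine, and doing so makes the post's three objections
    concrete. The following is an added example written for this thread; it is
    not Cisco NAC or Zone Labs code. VLAN numbers, the patch identifier and the
    MAC addresses are constructed placeholders. It treats a host that cannot
    answer the query (the "rogue machine" case) as non-compliant by default,
    and it shows why a hub shared by several hosts forces one verdict onto
    every host behind the port.

```python
"""Toy NAC policy engine (added example, not Cisco NAC or Zone Labs code).

A switch port can carry one VLAN assignment, so the engine first evaluates
each end-station behind the port, then collapses those verdicts into one
port verdict. All sample data below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

PRODUCTION_VLAN = 10   # placeholder id: normal LAN access
QUARANTINE_VLAN = 99   # placeholder id: reach patch/AV servers only
EXEMPT_VLAN = 20       # placeholder id: non-Windows hosts the admin does not police

# Constructed policy: every Windows end-station must report these patches.
# "patch-lsass" is a placeholder, not a real patch identifier.
REQUIRED_PATCHES = {"patch-lsass"}


@dataclass
class PostureReport:
    """What the posture agent on the end-station answered."""
    installed_patches: set
    av_running: bool
    av_signatures_current: bool


@dataclass
class Endpoint:
    mac: str
    os_family: str                      # "windows", "linux", "solaris", ...
    posture: Optional[PostureReport]    # None = no agent answered the query


def evaluate_endpoint(ep: Endpoint) -> tuple[int, str]:
    """Return (vlan, reason) for one end-station."""
    if ep.os_family != "windows":
        return EXEMPT_VLAN, "non-Windows host, not policed"
    if ep.posture is None:
        # No agent means no evidence of patch level. Default-deny: a visitor
        # laptop or self-installed XP box lands in quarantine, not production.
        return QUARANTINE_VLAN, "no posture agent responded"
    missing = REQUIRED_PATCHES - ep.posture.installed_patches
    if missing:
        return QUARANTINE_VLAN, f"missing patches: {sorted(missing)}"
    if not (ep.posture.av_running and ep.posture.av_signatures_current):
        return QUARANTINE_VLAN, "antivirus not running or signatures stale"
    return PRODUCTION_VLAN, "compliant"


def evaluate_port(endpoints: list[Endpoint]) -> tuple[int, list[str]]:
    """Collapse per-host verdicts into the single VLAN the port can carry.

    With an unmanaged hub on the port, the most restrictive verdict wins:
    one unpatched Windows box drags a compliant Linux box into quarantine.
    """
    if not endpoints:
        return QUARANTINE_VLAN, ["no hosts seen on port"]
    verdicts = [evaluate_endpoint(ep) for ep in endpoints]
    reasons = [f"{ep.mac}: {why}" for ep, (_, why) in zip(endpoints, verdicts)]
    if any(vlan == QUARANTINE_VLAN for vlan, _ in verdicts):
        return QUARANTINE_VLAN, reasons
    if all(vlan == EXEMPT_VLAN for vlan, _ in verdicts):
        return EXEMPT_VLAN, reasons
    return PRODUCTION_VLAN, reasons


# Constructed sample: an office port behind a hub, and a single-host port.
HUB_PORT = [
    Endpoint("00:00:00:00:00:01", "linux", None),
    Endpoint("00:00:00:00:00:02", "windows",
             PostureReport({"patch-lsass"}, True, True)),
    Endpoint("00:00:00:00:00:03", "windows", None),   # visitor laptop, no agent
]
LAPTOP_PORT = [
    Endpoint("00:00:00:00:00:04", "windows",
             PostureReport({"patch-lsass"}, True, True)),
]

if __name__ == "__main__":
    for name, hosts in (("hub-port", HUB_PORT), ("laptop-port", LAPTOP_PORT)):
        vlan, reasons = evaluate_port(hosts)
        print(f"{name} -> VLAN {vlan}")
        for line in reasons:
            print("   ", line)
```

    Running it puts the hub port into the quarantine VLAN because of the
    agentless laptop, even though the Linux box and the patched Windows box on
    the same hub are fine; the single-host port goes to production. That is the
    trade-off behind objection 3: enforcement granularity is the port, not the
    host, unless every host has its own managed port.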

  2. Richard Deal (Guest)

    "Eric Sorenson" <> wrote in message
    news:...
    > In mopping up after Sasser and a Gaobot variant that exploited the LSASS
    > vulnerability, I've started looking around for ways to prevent unpatched
    > Windows machines from doing anything useful on the network. Cisco has this
    > "Self-Defending Network" thing that seems intended to address this problem;
    > specifically the "Network Admission Control" looks like a great idea --
    > from what I can tell sifting through the marketspeak it looks like they
    > give you a way to query a 'trust agent' installed on end-stations, and
    > adjust VLAN membership for an end-station's uplink port based on the results
    > of that query. But it's clearly got a couple of problems:
    >
    > 1. It doesn't, as far as I can tell, actually exist yet.
    > 2. Aside from that, there doesn't seem to be a way to address
    > the problem of "rogue" machines (which, in our case, were really the
    > main vector that spread the infection) which do not have the security
    > agent installed on them; a random laptop brought in, or a self-installed
    > Windows XP box that doesn't run the agent.
    > 3. I don't have Cisco switches at my edge, and even if I did, many offices
    > share an edge port via unmanaged hub, between a Linux or Solaris machine
    > which I don't want to have to care about, and one or more Windows boxes,
    > which I do.
    >
    > Has anybody seen this software, or know how it addresses these issues?
    >
    > Has anybody addressed this problem, through means other than those
    > Cisco sells?
    >
    > --
    > Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
    >


    Eric,

    There is some work with honeypots on this. Please visit this URL:
    http://www.honeyd.org/worms.php

    Cheers!

    Richard
    Richard Deal, May 10, 2004
    #2

  3. Eric Sorenson

    Richard Deal <rdeal2 @ cfl.rr.com> wrote:

    > There is some work with honeypots on this. Please visit this URL:
    > http://www.honeyd.org/worms.php


    Thanks for the link, that's interesting work. But it doesn't really seem
    relevant to the idea of enforcing corporate patchlevel policy on an
    enterprise LAN.

    --
    Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
    Eric Sorenson, May 11, 2004
    #3
  4. Steve McKee (Guest)

    Hi there,
    Admission Control is coming, but for now check out Zone Alarm's initiative
    (look for various vendor switch support and 802.1x):
    See:
    Zone Labs Integrity can enforce policy by integrating with a broad array of
    network access devices from vendors such as Check Point, Cisco, Nortel,
    Enterasys, Aventail and Foundry. Integrity integrates with more than 200
    other network access devices from more than two dozen leading vendors
    supporting the industry standard 802.1x Extensible Authentication Protocol
    (EAP). EAP integration protects enterprise PCs, regardless of how they
    access the enterprise network, from spreading infections or allowing
    intrusions because they lack required security, or because client
    enforcement has been disabled.

    Key Network-Access Protection features:

    Total Client Lockdown
    Administrative "lock down" on all Integrity clients, post-deployment,
    provides security that cannot be altered or disabled, even by end users with
    local administrative privileges on the endpoint.

    Cooperative Enforcement technology integrates with leading VPNs,
    802.1x/EAP-compliant network access devices and antivirus solutions to
    further harden and enforce network security. It allows administrators to
    audit, inventory and enforce critical network access criteria on employee
    PCs, including:

    a. Patches and service packs installed
    b. Antivirus running and updated
    c. Applications present or absent

    Antivirus Integration
    Offers a broader menu of anti-virus enforcement options. Integrity
    synchronizes with leading anti-virus products to ensure that policy
    enforcement rules are always up-to-date. From a reference PC it can
    automatically gather signature file updates for Symantec, McAfee, Trend
    Micro, Computer Associates or Sophos anti-virus products and immediately
    deploy new policies requiring end users to install the updates. This unique
    Integrity benefit virtually eliminates administrative time to manually
    gather and update policy data.


    LAN/WAN Integration
    Over 200 enterprise switches, wireless access points, and other
    network access devices that support the 802.1x/EAP authentication standard.

    For companies that have not yet upgraded to 802.1x-compliant
    equipment, Integrity also provides LAN policy enforcement without requiring
    gateway integration.


    "Eric Sorenson" <> wrote in message
    news:...
    > Richard Deal <rdeal2 @ cfl.rr.com> wrote:
    >
    > > There is some work with honeypots on this. Please visit this URL:
    > > http://www.honeyd.org/worms.php
    >
    > Thanks for the link, that's interesting work. But it doesn't really seem
    > relevant to the idea of enforcing corporate patchlevel policy on an
    > enterprise LAN.
    >
    > --
    > Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
    Steve McKee, May 11, 2004
    #4