Right. We're aware that Cisco isn't the only player in this field. In
fact, I think they're pretty late to the party. Michael, I'd love to
get you started. More off line.
As Sherry pointed out, we do want to move in this direction. But, as
anyone who knows me can attest, our progress will be careful,
methodical, and fairly slow.
The idea isn't to block everything by default and only let in stuff that
conforms to some security standard. Rather, what we want to be able to
do is block stuff that we know is a problem *before* it causes trouble.
So, a Palm device probably wouldn't have any trouble connecting (for
now). But a Windows box that hasn't been patched recently should be
required to apply those patches before it can connect to the rest of our
network. At least, that's the direction we'd like to move.
Craig
Michael Sinatra wrote:
> Sherry M. Rogers wrote:
>
>> Greg,
>>
>> It isn't as far-fetched as it sounds, but certainly we will be moving
>> ahead in small, careful steps. This is the direction the industry is
>> moving. Take a look at the following URL describing Cisco's plans - this
>> is functionality which will be part of all their network access devices.
>> The endpoint devices can be rerouted to a quarantine VLAN for
>> remediation.
>> Though currently only functional for the Windows platform, they have
>> ambitious plans for the future.
>>
>> http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
>>
>
>
> I'd be very careful with this. I have been in some discussions with
> cisco on this topic, and while they have ambitious plans, it's not at
> all clear that they will be able to deliver on what we--and many of the
> other universities I have talked to--really need: an *extensible*
> quarantine system.
>
> More importantly, a cisco proprietary solution won't work across campus,
> where multiple vendor gear interoperates. It's not just an OS issue--it
> also involves network gear, and the worst thing is that cisco's *own*
> product lines are inconsistent in their feature sets! (I can discuss
> this at further length offline, if you really want to get me started.) :)
>
> The good news is that there are standards-based approaches to this
> problem, and the technology seems to be moving in a direction that will
> make such a system Sherry describes feasible in the next few years.
> However, it does mean that we will all have to do things a bit
> differently than we currently do, and some people will have to do a lot
> of work to get the system implemented. But I do think it's possible,
> and based on conversations I am having with other campuses, there is a
> lot of interest in doing it. And Greg, I am sure that the system would
> have to have safeguards for certain types of devices and to prevent
> false-positives.
>
> michael
>
> ------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> For information about Micronet, including subscribing to
> or unsubscribing from its mailing list and finding out
> about upcoming meetings, please visit the Micronet Web site:
> <http://micronet.berkeley.edu/>.
>
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Fri Jul 9 12:11:26 2004
This archive was generated by hypermail 2.1.8 : Fri Jul 09 2004 - 12:11:27 PDT