IT pros get in here

Discussion in 'OT Technology' started by lightsareout, Feb 18, 2009.

  1. lightsareout

    lightsareout New Member

    Joined:
    Aug 19, 2006
    Messages:
    5,913
    Likes Received:
    0
    Location:
    Murfreesboro, TN
    Working on a project for school. What is the most common method to scrub a computer before it's allowed on the network? A NAC that denies access until it's scrubbed?
     
  2. CodeX

    CodeX Guest

    soapy water?
     
  3. AeroSquid

    AeroSquid New Member

    Joined:
    Aug 17, 2005
    Messages:
    9,627
    Likes Received:
    0
    Location:
    KC
    don't let it join the domain
     
  4. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Mostly I don't think many people do that. You never assign a new PC a real 'external IP' so most people let fly on the internal network and install their patches and anti-virus, etc. from there. I could see having a sandbox network on double NAT or in a DMZ on NAT but... I'm not familiar with what you're talking about being done. Maybe tools like Tivoli do that.

    I'm not very helpful but I'm trying.
     
  5. lightsareout

    lightsareout New Member

    Joined:
    Aug 19, 2006
    Messages:
    5,913
    Likes Received:
    0
    Location:
    Murfreesboro, TN
    that does help

    what we're doing is working with a hospital and making sure that when people take their laptops home they didn't get any viruses or spyware on them that can infect the hospital network when they get back to work.
     
  6. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    I would think you would put those on a different subnet by MAC, scan them remotely if you could, and give them lower level access on the domain. But I'm pretty much talking out my ass here.

    I can tell you one thing... you would have to rigorously separate any network they connect to from the medical equipment and system LAN.
     
  7. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Really the worst thing that can happen is the virus starts deleting files on the file shares, assuming they have access. Ironically, that's usually not what a virus does though.

    The best approach is AV software deployed on the laptops, and no rights to install anything on them.
     
  8. 7960

    7960 New Member

    Joined:
    Oct 17, 2004
    Messages:
    60,415
    Likes Received:
    0
    Location:
    New England
    http://www.cisco.com/en/US/products/ps6128/

    When deployed, Cisco NAC Appliance provides the following benefits:
    • Recognizes users, their devices, and their roles in the network. This first step occurs at the point of authentication, before malicious code can cause damage.
    • Evaluates whether machines are compliant with security policies. Security policies can include specific antivirus or antispyware software, OS updates, or patches. Cisco NAC Appliance supports policies that vary by user type, device type, or operating system.
    • Enforces security policies by blocking, isolating, and repairing noncompliant machines.
    Noncompliant machines are redirected into a quarantine area, where remediation occurs at the discretion of the administrator.
     
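    The three NAC steps 7960 quotes above (recognize the user and device, evaluate compliance, enforce by quarantining), modelled as a small policy evaluator. This is an added example, not Cisco's or any poster's code; the roles, thresholds and remediation hosts are constructed, and the quarantine decision deliberately carries the update servers it must still allow, since a quarantine that blocks them leaves the laptop unable to remediate.

```python
# Added example: toy model of a NAC admission decision.
# Roles, thresholds and host names below are constructed, not from the thread.
from dataclasses import dataclass, field

# Constructed remediation destinations; the quarantine ACL must permit these
# or a non-compliant laptop can never update its way out of quarantine.
REMEDIATION_HOSTS = {"wsus.example.internal", "av-updates.example.internal"}

# Per-role limits: (max AV signature age in days, max missing critical patches)
ROLE_POLICY = {"clinician": (3, 0), "contractor": (1, 0)}


@dataclass
class Posture:
    user: str
    device_id: str            # MAC or asset tag, constructed
    corporate_asset: bool     # hospital-owned laptop?
    av_installed: bool
    av_signature_age_days: int
    missing_critical_patches: int


@dataclass
class Decision:
    vlan: str
    reasons: list = field(default_factory=list)
    allowed_hosts: set = field(default_factory=set)


def evaluate(p: Posture, role: str) -> Decision:
    # Step 1: recognise the device. Unmanaged hardware goes to the dirty VLAN
    # with no access to internal hosts at all.
    if not p.corporate_asset:
        return Decision("dirty", ["not a managed hospital asset"])
    max_age, max_missing = ROLE_POLICY[role]
    reasons = []
    # Step 2: evaluate compliance against the role's policy.
    if not p.av_installed:
        reasons.append("antivirus not installed")
    elif p.av_signature_age_days > max_age:
        reasons.append(f"AV signatures {p.av_signature_age_days}d old (max {max_age})")
    if p.missing_critical_patches > max_missing:
        reasons.append(f"{p.missing_critical_patches} critical patches missing")
    # Step 3: enforce. Quarantine still reaches the remediation hosts.
    if reasons:
        return Decision("quarantine", reasons, set(REMEDIATION_HOSTS))
    return Decision(f"{role}-access", [])


def quarantine_acl_ok(allowed: set) -> bool:
    # Sanity check for the quarantine ACL: every remediation host reachable.
    return REMEDIATION_HOSTS <= allowed
```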
  9. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    It's like a Gulag for computers! How cute.
     
  10. CodeX

    CodeX Guest

    I hate that fucking garbage...

    My school used that, so I had to install some piece of shit AV program that screwed up my home networking for some goddamn reason. Every time I would get on the network at school I would have to go through a half hour process to fix windows networking once I got back home before it would be able to share files over my wireless network. Eventually I just stopped bothering with it entirely.

    Do not force people to use stupid shitty programs to use your network; it defeats the entire purpose of it. Unless you think that is the way technology should be heading, I don't. I get very pissed off when I lose any bit of control over what is on my system.
     
  11. Chris

    Chris New Member

    Joined:
    Oct 27, 2003
    Messages:
    14,711
    Likes Received:
    0
    Location:
    Texas on my mind
    lol @ Cisco Clean Access hate
     
  12. trouphaz

    trouphaz New Member

    Joined:
    Sep 22, 2003
    Messages:
    2,666
    Likes Received:
    0

    you're talking about a different circumstance. in your case, you had your own personal PC that you were connecting to your school's network and had to follow their rules. in the thread starter's case, the laptops belong to the hospital. they have every right to enforce whatever sort of rules they want.
     
  13. CodeX

    CodeX Guest

    Felt like I was being raped at an airport terminal every time I tried to get on the school's network :rofl:

    Oh yeah, if it's not their own computer then I guess I don't have a problem.
     
  14. 7960

    7960 New Member

    Joined:
    Oct 17, 2004
    Messages:
    60,415
    Likes Received:
    0
    Location:
    New England
    your problems were
    a) you wanted to get out of the restricted area, and
    b) whoever configured it at your school didn't think your AV was good enough
    you probably aren't going to get them to change their mind about your AV but it's worth a shot. in this guy's case he doesn't (shouldn't) want anyone else's computer on his network so only the work laptops should connect. everything else should get shunted to the quarantined/dirty area where there's no access to computers or shared files. that's a HUGE bullseye for JCAHO during an audit.

    that "fucking garbage" required your computer to be compliant. if you don't like what you were required to do then hate on the school administration that decided what was required, or on the IT admins who implemented it. the solution is only bad if the people behind it made bad decisions.
     
  15. critter783

    critter783 OT Supporter

    Joined:
    Jul 15, 2005
    Messages:
    1,785
    Likes Received:
    0
    Clean Access is pretty expensive. Windows Server 2008 comes with Network Access Protection, which can do some of the stuff that Clean Access can do.
     
  16. r00tman

    r00tman Archiver of LOLs

    Joined:
    Sep 23, 2002
    Messages:
    1,989
    Likes Received:
    0
    Location:
    Toronto, ON █♣█
    rubbing alcohol.
     
  17. Limp_Brisket

    Limp_Brisket New Member

    Joined:
    Jan 2, 2006
    Messages:
    48,422
    Likes Received:
    0
    Location:
    Utah
    clean access does suck ass. several times i've seen it deny connection to my professors during class for no reason so they can't access their documents.

    the actual agent that's on your computer itself is retarded software.

    the last time i was at school with my eeepc the cisco clean access agent said i couldn't connect to the network because my av had to be updated, so it gave me temporary access to download the updates. the problem is it only gives you very specific access and it wasn't enough because my av update would fail every time because it didn't have access to something it needed online (even though that particular anti-virus software IS supported). so i couldn't update my anti-virus and i couldn't connect to the internet without updating my anti-virus so i was basically in deadlock until i went home and updated it on my own connection.

    it's really shitty stuff, even the professors here don't like it.
     
  18. Limp_Brisket

    Limp_Brisket New Member

    Joined:
    Jan 2, 2006
    Messages:
    48,422
    Likes Received:
    0
    Location:
    Utah
    oh, and not to mention i was running wireshark one time for a homework assignment at home but had the cisco clean access agent in the system tray (since it usually starts on boot) and noticed that that thing spams broadcast packets nonstop even if you're not on the cisco clean access network.
     
  19. lightsareout

    lightsareout New Member

    Joined:
    Aug 19, 2006
    Messages:
    5,913
    Likes Received:
    0
    Location:
    Murfreesboro, TN
    We've been looking at Symantec NAC but that needs an enforcer appliance which we don't have the budget for.
     
  20. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    I guess it has to, so that if you connect to the CAN without rebooting, it still hooks you up to the whatchathingy.
     
  21. IAMwhitey

    IAMwhitey New Member

    Joined:
    Nov 8, 2001
    Messages:
    1,010
    Likes Received:
    0
    Location:
    Pittsburgh, PA
    Being on the admin side of Clean Access... It is the shit! My company used to provide Internet/Network Access for a local college of approximately 1200 users. These kids would come to campus from home full of viruses, instantly every box would be infected and bring the network to a halt. Clean Access stopped this entirely as soon as it was implemented. Yeah it sucks for the end users, but all it really is enforcing is best practices.

    To the OP... I would enforce Windows Update on all laptops via Group Policy and deploy a good AV on all laptops.
     