Living With NAC In An EDU World - Part Two


Howard Marks, Network Computing Blogger

September 26, 2008


My last blog entry on our NAC experience at Purchase College resulted in the expected emails and phone calls from NAC vendors convinced that we would be ready to junk StillSecure's SafeAccess and adopt their products just because I used the line "while it's not going as well as we hoped, it is going better than we feared." Well, folks, while we do have a few bones to pick with StillSecure, which I'm not getting into today, most of our headaches are more about how NAC is harder in the EDU space than the real, read corporate, world.

In the corporate world all your computers are members of your Active Directory domain, run your corporate standard anti-virus and anti-spyware applications and access your patch management server for OS and other updates. While a company with 500-1000 employees, like the college, might not have a comprehensive patch management system, they'll have Microsoft's free WSUS and an anti-virus management server running Norton System Center, ePolicy Orchestrator or the like from their anti-virus vendor.

We in the EDU world have thousands of computers that aren't members of our domains, have any of a hundred different anti-virus and anti-spyware solutions, if they have one at all, and can be running Windows, Mac OS (9 or 10) and/or some obscure Linux distribution. So where support for Symantec, McAfee, Trend and CA will cover 99% of the corporate users, here at a state school with an arts concentration, support for Avast and AVG is equally important.

One vendor that called this week started his spiel bragging about how their agentless system would eliminate the pain our students had installing the SafeAccess agent. When I asked how his system remotely read the Windows registry to see if the latest virus definitions were installed when I didn't have administrator privileges on the system, he had to get me an engineer, who admitted an agent was required for unmanaged PCs like those in the EDU space.

When it comes to quarantining unhealthy systems, corporate network managers can stick the occasional consultant or other guest in an access-the-internet-only subnet, protecting their servers and workers from their system. While you'd like them to remediate, truth is if they don't, they don't.

Our students would be perfectly happy if we gave them internet access in quarantine. If they can get to YouTube and "share" music via Gnutella, they don't care if they can access the registration system from their dorm rooms, except of course during registration. If we didn't block internet access, most students wouldn't remediate.

We have two big problems with our current solution. The first I classify as "Who'd a thunk it": when we tested the system over the summer, we made sure it could support Windows 2000, XP and Vista and Mac OS X. As students started arriving, we found more OS 9 systems than we expected and discovered that HP is pre-installing the 64-bit version of Vista on consumer laptops. Since 64-bit Vista still has a somewhat narrower set of drivers than the 32-bit and should benefit machines with more than 4GB of memory, we didn't test it, and discovered that SafeAccess doesn't fully support the 64-bit version.

The second problem is remediation. Many of our students aren't up for installing service packs, anti-virus updates, etc. Throw in the old antivirus software that sees service packs as viruses and the helpdesk is swamped. Once again the corporate folks, with fewer variables, have an easier row to hoe here.

The story's not over yet…


About the Author(s)

Howard Marks

Network Computing Blogger

Howard Marks is founder and chief scientist at Deepstorage LLC, a storage consultancy and independent test lab based in Santa Fe, N.M. and concentrating on storage and data center networking. In more than 25 years of consulting, Marks has designed and implemented storage systems, networks, management systems and Internet strategies at organizations including American Express, J.P. Morgan, Borden Foods, U.S. Tobacco, BBDO Worldwide, Foxwoods Resort Casino and the State University of New York at Purchase. The testing at DeepStorage Labs is informed by that real world experience.

He has been a frequent contributor to Network Computing and InformationWeek since 1999 and a speaker at industry conferences including Comnet, PC Expo, Interop and Microsoft's TechEd since 1990. He is the author of Networking Windows and co-author of Windows NT Unleashed (Sams).

He is co-host, with Ray Lucchesi, of the monthly Greybeards on Storage podcast, where the voices of experience discuss the latest issues in the storage world with industry leaders. You can find the podcast at: http://www.deepstorage.net/NEW/GBoS
