
What are your thoughts on the UAE concept? (Most Read threads copied from the old J-Net)

ac_
Occasional Contributor

inightingale


Posts: 15

Registered on:
Dec 19, 2005

What are your thoughts on the UAE concept?

Posted: Jan 21, 2006  10:18 AM 136 views

I'm interested to know people's thoughts on the Unified Access Control concept. The concept being that LAN users will have to be authenticated and their PC's security audited before gaining resource access.

Do you think it will be popular?
Do you think it will become standard to have all LAN users go through authentication/auditing before gaining resources?
What industries will be the first to take up the technology? Which will not consider it for some time?

What could be done to improve the technology? What is it missing?

Discuss...






dsmart

Posts: 18

Registered on:
Mar 23, 2006




RE: What are your thoughts on the UAE concept?

Posted: Apr 4, 2006  6:25 PM 139 views

In reply to: What are your thoughts on the UAE concept? "I'm interested to know people's thoughts on the Unified Access Control..."
posted by inightingale on Jan 21, 2006  10:18 AM

I have many very small sites (300) that are too small to run their own AAA.  Using Dot1X without a local RADIUS could be a problem.  I like the idea of protecting the data center with the IC and firewall rules.  We are putting in two ISG2000s between our data center and our MPLS WAN that could serve as a good pinch point.  Seems like it would reduce all the switch management.

By the way, would love to see a combination 5GT&Router with inbuilt CSU and Frame Relay support.  Add an optional WXC accelerator module and we'd have the perfect small site security box.

-=Dan=-
Dan Smart
Enterprise Security
Vulcan Materials Company






gmiliefsky

Posts: 2

Registered on:
Apr 21, 2006




RE: What are your thoughts on the UAE concept?

Posted: Apr 22, 2006  3:59 PM 136 views

In reply to: What are your thoughts on the UAE concept? "I'm interested to know people's thoughts on the Unified Access Control..."
posted by inightingale on Jan 21, 2006  10:18 AM

The only way this concept will really work is if there is a solution for allowing 'guests' who do not have a client (thin as it may be) installed.  We've cooked up a solution and have a published patent on the subject matter.  We will be showing a CLIENTLESS/AGENTLESS solution integrated with Juniper SSG at the J-Partner Summit next week, so stay tuned...

Best regards,
Gary

Gary S. Miliefsky, CISSP
Founder & CTO
NetClarity
http://www.netclarity.net






dsmart

Posts: 18

Registered on:
Mar 23, 2006




RE: RE: What are your thoughts on the UAE concept?

Posted: Apr 24, 2006  7:48 AM 134 views

In reply to: RE: What are your thoughts on the UAE... "The only way this concept will really work is if there is a solution for..."
posted by gmiliefsky on Apr 22, 2006  3:59 PM

Humm...  Interesting...

My key issue is to NOT create a self-inflicted denial of service event if the endpoint enforcement fails for some reason.  Yes, we may need to block access to SOX audited systems, but normal point of sale activities MUST continue.

Look forward to hearing more on your solution.

-=Dan=-






tabdallah

Posts: 9

Registered on:
Feb 14, 2006




RE: What are your thoughts on the UAE concept?

Posted: Jul 3, 2006  7:45 AM 108 views

In reply to: What are your thoughts on the UAE concept? "I'm interested to know people's thoughts on the Unified Access Control..."
posted by inightingale on Jan 21, 2006  10:18 AM

I believe the IC is a good solution, especially if you have switches, routers, etc. from different vendors, but let me ask: what is the IC going to do with attacks across the layer-2 switches? Imagine two PCs connected to a layer-2 switch, both in the same subnet. The firewall will not give him access if his PC is infected; however, he will be able to infect those PCs directly connecting to his layer-2 switch without giving the firewall a chance to even see such traffic, which is not the case with layer-2 NAC from other vendors.






dwessels

Posts: 3

Registered on:
Jan 23, 2006




RE: RE: What are your thoughts on the UAE concept?

Posted: Jul 10, 2006  3:56 PM 105 views

In reply to: RE: What are your thoughts on the UAE concept? "I believe the IC is a good solution especially if you have switches,..."
posted by tabdallah on Jul 3, 2006  7:45 AM


We solve this deployment problem by providing the ability to set firewall policy on the endpoint.  We have a small firewall built into our Infranet Agent called Host Enforcer.  HE allows you to set a policy that will not allow other users on the same L2 network to talk to you.  That solves the problem of controlling access between local machines.


Denzil