
Network Access Control

  • 12-07-2010 3:00pm
    #1
    Registered Users, Registered Users 2 Posts: 499 ✭✭


    Our wonderful service providers at work (Northgate Managed Services) are about to introduce a restriction on access to our network services. This will be 'Symantec Network Access Control', it'll be for Windows as well as Macintosh clients. They're being very tight-lipped about the whole thing at the moment and when asked for info on it, they'll just fob you off with "The roll-out is still in the planning phase". Though the schools where they've already installed this only got about 3 days' notice. I've done a quick 'Google' on this and it seems that in order for it to be installed on a Mac client or server, it requires the inbuilt Macintosh firewall to be disabled!!! Anyone on here got any experience with this or further info? Deffo don't like the idea of disabling the firewall, plus only installed our shiny new (well previously owned) Mac server last month, and I don't want these Windows heads coming in and feckin' it all up on us.


Comments

  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭was.deevey


    The NAC appliance should be preventing unauthorized internal access and will render the built-in firewall redundant anyhow (if it's set up correctly!).

    I'm guessing if it's a company you have already got a hefty firewall preventing incoming external access from the interwebs so no need to worry about that side of things.

    What's your role in it, will you be managing any of the devices? ... if so you should be receiving training PRIOR to any install of this kind and that should be aired to the hierarchy.


  • Registered Users, Registered Users 2 Posts: 499 ✭✭MACHEAD


    Thanks for the reply, Northgate are a private company who are contracted to provide all IT services to secondary schools and some primary schools up here in the 'North'. They have some history with Apple, in that under a previous incarnation they were stripped of their status as a reseller and AASP. Since then they seem to have something of an anti-Apple attitude. Anyway some of us thankfully held on to our Macs (their policy was to replace all Macs with PCs) as the PC platform proved to be virtually useless for subjects such as Art & Design. Being a Windows-based system it's not the most secure so we found a way in to access the internet via their servers (with the Macs). Now they are implementing this to restrict access. I understand the need for security, but to put it simply I don't trust theirs. Although our platform is immune to the vast majority of malware out there, to purposely disable the Macintosh firewall and put trust in their Windows-based security doesn't exactly give me much confidence. They're rolling this out to some schools now, though only on Windows-based machines initially, I suppose we'll just have to wait and see what way it plays out. So far the chatter on the technician's forum is not positive, it's causing all kinds of havoc. And when the teachers come back at the end of August (across nearly 5,000 schools) and find their machines 'quarantined' and can only be unlocked via a service call to Northgate, all hell's gonna break loose.
    'Welcome to Windows' - now that was a sh1t3 idea!


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭was.deevey


    MACHEAD wrote: »
    Being a Windows-based system it's not the most secure so we found a way in to access the internet via their servers (with the Macs).

    In fairness if you can get in with one OS, I'd imagine it would just take a little getting creative to get in with the other.

    MACHEAD wrote: »
    Although our platform is immune to the vast majority of malware out there, to purposely disable the Macintosh firewall and put trust in their Windows-based security doesn't exactly give me much confidence.

    Unless you purposely have a need to start restricting INTERNAL access and ports, your Mac firewall is doing jack at the moment anyhow.... you're already firewalled behind your internet connection (or should be)

    MACHEAD wrote: »
    Now they are implementing this to restrict access. I understand the need for security, but to put it simply I don't trust theirs.

    You don't need to trust NAC as a replacement for your Mac firewall, your network firewall already does this, all the Mac firewall is doing right now is giving you peace of mind, it's a placebo

    ...NAC, it's there to make breaches in policy accountable.

    The biggest breach in security is Northgate's own IT staff, who will no doubt have access to all the passwords to 5000 schools' IT systems :rolleyes:

    IMHO an IT security policy contract of this kind should be split between contractors as a failsafe.

    Maybe I've got the wrong end of the stick, but I think you are being overly protective of your Macs


  • Registered Users, Registered Users 2 Posts: 499 ✭✭MACHEAD


    was.deevey wrote: »
    Maybe I've got the wrong end of the stick, but I think you are being overly protective of your Macs

    Perhaps I may be yes, but I feel it's with good cause. Anyway we'll watch and see how it goes with other schools. There's no target date for the Mac roll out as yet. But if all else fails I see us having to access the interweb independently (and unfortunately at our own cost). I can increase the RAID capacity on our Mac server if necessary and run the Mac network on its own for the departments that use Macs.


  • Registered Users, Registered Users 2 Posts: 1,213 ✭✭✭was.deevey


    MACHEAD wrote: »
    Perhaps I may be yes, but I feel it's with good cause. Anyway we'll watch and see how it goes with other schools. There's no target date for the Mac roll out as yet. But if all else fails I see us having to access the interweb independently (and unfortunately at our own cost). I can increase the RAID capacity on our Mac server if necessary and run the Mac network on its own for the departments that use Macs.

    I'll be honest and say it sounds like you are more concerned about losing internet access privileges than protecting or monitoring the dataflow on the network (which is what NAC is designed to do) ..

    In any case it should be no biggie in terms of cost to plug in another switch directly into your internet router to allow the Mac network direct Interweb access; you can pick up a gigabit model for around 100 euro these days. However if NAC is being put in place, it's most likely written policies are also being put in place, NAC is simply there to enforce them and having a separate network may be in breach of policy (as it's unmonitored).

