Key Terms
- Network Access Procedure: The
process of authentication and validation of your computer required
for university network access.
- Authentication: The
process of verifying your access to the network by confirming
your username and password and associating it with your computer.
- Validation: The process
of confirming that certain security measures are in place on your
computer.
Q: What is Clean Access?
A: Clean Access is a solution provided by Cisco, Inc. that performs
network validation. The software performs the following functions:
- Requires authentication to the network.
- Validates whether the system connecting to
the network meets the minimum security standards.
- Quarantines the system until it meets the
minimum security standards.
- Provides access to the remediation sites.
- Once the system is validated as "clean," allows
access to the network.
Q: What Networks Require Validation?
A: We are deploying the validation solution to the student residential
network in the fall semester 2005.
Q: Why Are We Introducing this Solution Now?
A: Each semester, student machines that potentially contain harmful
viruses and malware are introduced to the campus. On move-in
weekend in particular, worms and viruses attempt to spread to unpatched,
vulnerable machines. USP IT determined that the best way to prevent this
from happening is to ensure that antivirus software and critical operating
system updates and patches are current and maintained.
Q: How Does Validation Work?
A: Similar to the "Computer Registration" form, this solution
will redirect any Internet browser request to a web page that instructs
the user to download and install the validation client known as
the "Cisco Clean Access Agent". Once launched, the client downloads
the validation rules and processes them. If the workstation
fails the test, it is allowed Internet access only to the remediation
sites for a period of about 1 hour. Once the problems are corrected, full
network access is provided.
Q: What is the Clean Access Agent?
A: Clean Access Agent is the client application that can check certain
security settings on any Microsoft Windows PC to make sure that
the system is up-to-date with required security patches and report
this status to the Clean Access Server. No information about
the user or the content of user files is sent to the server. Each
user must use Clean Access Agent for his/her Microsoft Windows PC
in order to authenticate and use the university network.
Q: What Validation Checks are Being Performed?
A: For Fall semesters, we are configuring Cisco Clean Access to
validate the following:
- Automatic Updates is enabled and set to either
Download and prompt or Automatic install
- Check for a current release of Symantec, McAfee
or Trend-Micro Antivirus software and current virus definitions.
- Check for current Windows Critical Updates
for Windows XP and 2000.
Q: How Long Do the Validation Checks Take?
A: In our pilots to date, the checks take between 30 and 60 seconds.
Q: What is the Process for Changing the Minimum Security Requirements?
A: As new critical Microsoft updates become available, the security
requirements will be updated to reflect the new patches. Typically,
we will not immediately set the validation check for the new patches,
but allow some time (typically a week) for people to update
their systems in due course. If a vulnerability is reported or the
threat of a virus storm or worm attack emerges, we will update the
validation check immediately in reaction to the threat.
Please note that we may cancel all network connections for a particular
subnet in response to an attack. Again, we will send email
and will only resort to these actions in very urgent conditions.
Q: How Often Will I Be Revalidated?
A: We plan to configure the validation timer for every 7 days. Initial
plans are for early Monday mornings.
Q: What Remediation is Available?
A: Authentication Failure. If a user's system fails
authentication, the user is instructed to provide the correct university
email username and password. If the user has forgotten his/her
password, he/she is instructed to contact USP IT.
Antivirus Failure.
USP provides McAfee Antivirus Corporate edition free to students.
It is required that all PCs connected to the campus network be running
antivirus software. Other allowed antivirus clients include McAfee,
AVG and Trend Micro Antivirus; however, limited support is provided.
If the user's system fails the check for current Antivirus software,
the user is provided a download for Symantec Antivirus.
Microsoft Windows Patch Failure.
If the user's system fails the check for current critical Operating
System patches, the user is instructed to click on the URL for the
Microsoft Windows update site and follow the instructions.
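The validation checks and remediation paths described in the answers above, sketched as a posture decision. This is an added example, not Cisco Clean Access code or USP's configuration; the `Posture` fields, the role names and the 7-day definition-age threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Policy values taken from the FAQ text.
ALLOWED_AU = {"download_and_prompt", "automatic_install"}
ALLOWED_AV = {"symantec", "mcafee", "trend micro"}   # vendors named in the check list
QUARANTINE_WINDOW = timedelta(hours=1)   # remediation-only access, "about 1 hour"
REVALIDATE_EVERY = timedelta(days=7)     # planned validation timer
# Assumption, not from the FAQ: maximum age for definitions to count as current.
MAX_DEFINITION_AGE = timedelta(days=7)

@dataclass
class Posture:
    """Hypothetical agent report; every field name here is illustrative."""
    authenticated: bool
    auto_updates: str                      # e.g. "disabled", "automatic_install"
    av_vendor: Optional[str]
    av_definitions: Optional[datetime]     # release date of installed definitions
    missing_critical_patches: List[str] = field(default_factory=list)

def evaluate(p: Posture, now: datetime) -> dict:
    """Map a posture report to a network role, failed checks and role expiry."""
    if not p.authenticated:
        # Authentication precedes validation; no posture rules are evaluated.
        return {"role": "unauthenticated", "failed": ["authentication"], "expires": None}
    failed = []
    if p.auto_updates not in ALLOWED_AU:
        failed.append("automatic_updates")
    vendor_ok = (p.av_vendor or "").strip().lower() in ALLOWED_AV
    defs_ok = (p.av_definitions is not None
               and now - p.av_definitions <= MAX_DEFINITION_AGE)
    if not (vendor_ok and defs_ok):
        failed.append("antivirus")
    if p.missing_critical_patches:
        failed.append("windows_patches")
    if failed:
        # Quarantine: only the remediation sites are reachable until expiry.
        return {"role": "quarantine", "failed": failed,
                "expires": now + QUARANTINE_WINDOW}
    return {"role": "full_access", "failed": [], "expires": now + REVALIDATE_EVERY}

if __name__ == "__main__":
    now = datetime(2005, 9, 5, 6, 0)       # constructed sample data
    stale = Posture(True, "disabled", "McAfee", now - timedelta(days=30),
                    ["PLACEHOLDER-PATCH-ID"])
    print(evaluate(stale, now))
```

A host that fails any check gets the quarantine role with a one-hour expiry, while a clean host gets full access until the 7-day revalidation timer fires.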
Q: What Happens If an "Infected" System Behaves Badly on the Network?
A: The validation solution cannot prevent all infections. Also,
we have experienced denial of service attacks originating from within
the university network. For those subnets controlled by Clean
Access Servers, the process will be to disconnect the offending
system using the Clean Access Manager management console. Unless
the system is demonstrating a vulnerability for which there is no
patch, there should be no need to block the physical switch port,
as the user will not be able to reconnect until the problem is corrected.