CMU (Central Michigan) uses such a product:
http://www.bradfordnetworks.com/network_sentry

When registering on the CMU network, the Bradford agent runs checks for
latest service packs, specific Windows updates that are of concern, up to
date antivirus definitions, and so on. To exit network quarantine, the
device must pass all tests.  

Shaun Leininger 
Information Technology Professional
Department of Anthropology
517-884-0388

From: Steve Bogdanski [mailto:[log in to unmask]] 
Sent: Tuesday, February 19, 2013 9:59 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] UPnP Router Vulnerability

 

It seems that the only technical solution that could be implemented by
campus would be some sort of policy server (like NPS in Windows Server) that
would check the connecting system against certain requirements as part of
the SSL VPN connection.  However that would be rather expensive I'd assume
and not something worth the cost at this time. 

 

-Steve Bogdanski



>>> "Isaac, Jeremy" <[log in to unmask]> 2/19/2013 9:49 AM >>>
Most of these are very good points.  The only problem is trying to get users
that have work to do from home accepting the extra restrictions imposed on
them.  Right now, an SSL VPN works well for those that need it and it
doesn't add any headache on either end.  Perhaps we could go a different
route (I think I saw a hardware solution out there that replaces the home
user's router), but this is where we are.  I probably should have worded the
original post a little differently, anyway.  I'm really just trying to get
this information out there, since I haven't seen a blurb about this on
MSUNAG.  I'm open to what other people are doing to either inform users of
this problem or other mitigating steps.

-----Original Message-----
From: Dennis Boone [mailto:[log in to unmask]] 
Sent: Monday, February 18, 2013 5:17 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] UPnP Router Vulnerability

> While an SSL VPN connection initiated by a PC does not make the campus
> network visible to other machines in the case where the machine isn't
> otherwise compromised, it's only a matter of time before some user's
> machine is infected and allows some unknown third party to see into a
> network they wouldn't otherwise have access to.

You weren't trusting those machines staff and students have at home,
were you?

You weren't trusting those home routers to be secure in the first place,
were you?

You weren't trusting stuff more because it was on the campus network,
were you?

You weren't assuming there are no consumer-grade routers on the campus
network, were you?

You weren't trusting machines in the VPN address space more than
anything else coming from off campus, were you?

If your trust model is sane, another home router vulnerability will
make roughly zero difference to you.  If your trust model isn't sane,
fixing a home router vulnerability will make roughly zero difference to
you.

De