Information Technology Services
Clean Access
Network Admissions Control FAQ
What is Network Admission Control?
Why Are We Introducing this Solution Now?
What Networks Require Certification?
How Does the Certification Process Work?
How often do I need to Re-Certify my computer?
What is Clean Access Agent?
What Validation Checks are Being Performed?
How Does Certification Work for Macintosh Users?
How Does Certification Work for Linux Users?
Xboxes, PlayStations, Wiis, etc.?
What is Temporary Access?
What Remediation is Available?
What is a Virus?
What is Spyware?
What is Network Admission Control?
Network Admission Control (Cisco Clean Access) is a network
connection and compliance management solution that ensures that computers
connecting to the SUNYIT network are protected against malicious threats such as
viruses, worms, and Trojans, as well as known software vulnerabilities that have
been exploited. All systems using SUNYIT’s Residence Hall Networks or Wireless
Networks must authenticate through this system.
The system:
• Requires authentication to the network.
• Validates whether the system connecting to the network meets the minimum security standards.
• Quarantines the system until it meets the minimum security standards.
• Provides access to the remediation sites.
• Once the system is validated as “clean,” allows access to the network.
Why Are We Introducing this Solution Now?
Many computers have been infected by some type of virus. We
did not have a solution that could effectively quarantine systems until proven
“clean”; thus, many unprotected systems became infected as soon as they were
physically plugged into the network. The best way to prevent this from happening
is to ensure that anti-virus software and critical OS updates/patches are current
and maintained. This will also benefit users who did connect systems that were
current with both OS patches and anti-virus software, since they suffered delays
in Internet and other network access due to the excessive traffic caused by the
infected machines.
What Networks Require Certification?
We are deploying the validation solution to the Residential
and Wireless networks in the Fall of 2007.
How Does the Certification Process Work?
Any Internet browser request will be redirected to a web page
that instructs the user to download and install the validation client known as the
“Cisco Clean Access Agent”. Once launched, the client downloads the validation
rules and processes them. If the workstation fails the test, it is allowed
Internet access only to the remediation sites for a period of about 2 hours.
Once corrected, full network access is provided.
How often do I need to Re-Certify my computer?
The certification timer is configured to expire every 7 days.
All clients will be logged out of the network every Monday morning at 4:00
AM.
What is the Clean Access Agent?
Clean Access Agent is the client application that can check certain security settings
on any Microsoft Windows PC to make sure that the system is up-to-date with
required security patches and report this status to the Clean Access Server. No
information about the user or the content of user files is sent to the server.
Each user must use Clean Access Agent for his/her Microsoft Windows PC in order
to authenticate and use the SUNYIT Residential and wireless networks.
What Validation Checks are Being Performed?
Clean Access is configured to validate the following:
• Run Nessus scans for known vulnerabilities.
• Check for current release of approved anti-virus software and current virus definitions.
• Check for current release of approved anti-spyware software and current anti-spyware definitions.
• Check for current Windows OS Patches.
How Does Certification Work for Macintosh Users?
Macintosh users must install the Clean Access Agent. The only
validation check for Macintosh systems is the Nessus scan. Macintosh users must
install the client and validate using it.
How Does Certification Work for Linux Users?
Linux users must authenticate by logging in via a web page.
The only validation check for Linux systems is the Nessus scan. There is no
Linux client.
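The admission flow described in the sections above, sketched as an added Python example (not SUNYIT's or Cisco's code). The check names, role names and function names are this example's own, and treating the 7-day certification timer and the Monday 4:00 AM logout as one weekly event is an assumption:

```python
from datetime import datetime, timedelta

# Validation checks per platform, as listed in this FAQ.
# The key names are hypothetical labels chosen for this example.
REQUIRED_CHECKS = {
    "windows": ("nessus_clean", "antivirus_current",
                "antispyware_current", "os_patches_current"),
    "macintosh": ("nessus_clean",),   # agent installed, Nessus scan only
    "linux": ("nessus_clean",),       # web login, Nessus scan only
}
TEMPORARY_ACCESS = timedelta(hours=2)  # "about 2 hours" in the FAQ


def next_weekly_logout(now):
    """Return the next Monday 04:00 strictly after `now`."""
    monday = now - timedelta(days=now.weekday())  # Monday of this week
    candidate = monday.replace(hour=4, minute=0, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=7)
    return candidate


def admit(platform, authenticated, posture, now):
    """Decide the role for one connection attempt.

    posture maps check name -> bool; a missing check counts as failed.
    """
    if not authenticated:
        return {"role": "unauthenticated", "failed": [], "until": None}
    failed = [c for c in REQUIRED_CHECKS[platform] if not posture.get(c, False)]
    if failed:
        # Quarantined: remediation sites only, for a limited window.
        return {"role": "temporary", "failed": failed,
                "until": now + TEMPORARY_ACCESS}
    # Certified: full access until the weekly forced logout.
    return {"role": "full", "failed": [], "until": next_weekly_logout(now)}


if __name__ == "__main__":
    now = datetime(2007, 9, 5, 14, 30)  # constructed sample: a Wednesday
    # Constructed posture: everything current except anti-virus.
    no_av = {"nessus_clean": True, "antispyware_current": True,
             "os_patches_current": True}
    for platform in ("windows", "macintosh", "linux"):
        print(platform, admit(platform, True, no_av, now))
```

Because Macintosh and Linux systems are validated only by the Nessus scan, the same posture that holds a Windows PC in temporary access is granted the full role on those platforms.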
Xboxes, PlayStations, Wiis, etc.?
These devices must be registered with the HelpDesk in order to
connect to SUNYIT's network. Students should submit an RT ticket with the MAC
address of the gaming unit.
Devices such as PS2s and Xboxes need to be set up properly before they will
work on SUNYIT’s Residential Network. All devices should be set to use DHCP
to get their network address. If you have questions about your device's
settings, refer to your manual or call the manufacturer's help desk.
Note: SUNYIT’s HelpDesk offers no support for these
devices other than a live network connection.
What is Temporary Access?
The Cisco Clean Access Agent will allow you "Temporary Access" if it detects that
your PC does not meet the minimum security standards. The Agent will give you a
link to a webpage that will describe why you did not meet the requirements, and
will contain instructions on what needs to be done. Until the security
requirements are met, your PC will NOT have full access to the Internet.
You will not be able to browse any websites, except those listed below in the
"Exceptions" category.
Exceptions:
- Websites and Online services you will have access to in Temporary Role.
- Permitted Validation Sites.
What Remediation is Available?
Authentication - If a user’s system fails
authentication, the user is instructed to provide the correct SitNet network
username and password. If the user has forgotten his/her password, he/she is
instructed to call the help desk at 792-7440 for assistance.
Anti-Virus - If the user’s system fails the check for current anti-virus
software, the user is provided a link to download Symantec Anti-Virus software
from our site. SUNYIT provides Antivirus software to students, faculty and
staff.
NOTE: Norton AntiVirus 2007 is currently not accepted by Clean
Access.
Anti-Spyware - If the user’s system fails the check for current anti-spyware software, the user is provided a link to download Windows Defender or Spybot.
Microsoft Windows Security Patches - If the user’s system fails the check
for current critical OS patches, the user is instructed to click on the URL for
the Microsoft Windows update site and follow the instructions.
What is a Virus?
A computer virus is a small software program that spreads from one computer to another computer and
that interferes with computer operation. A computer virus may corrupt or delete
data on a computer, use an e-mail program to spread the virus to other
computers, or even delete everything on the hard disk.
Computer viruses are most easily spread by attachments in e-mail messages or by instant messaging messages. Therefore, you must never open an e-mail attachment unless you know who sent the message or unless you are expecting the e-mail attachment. Computer viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Computer viruses also spread by using downloads on the Internet. Computer viruses can be hidden in pirated software or in other files or programs that you may download.
What is Spyware?
Spyware is a
general term used to describe software that performs certain behaviors such as
advertising, collecting personal information, or changing the configuration of
your computer, generally without appropriately obtaining your consent first.
Spyware is often associated with software that displays advertisements
(called adware) or software that tracks personal or sensitive information.
That does not mean all software that provides ads or tracks your online
activities is bad. For example, you might sign up for a free music service, but
you "pay" for the service by agreeing to receive targeted ads. If you understand
the terms and agree to them, you may have decided that it is a fair tradeoff.
You might also agree to let the company track your online activities to
determine which ads to show you.
Other kinds of spyware make changes to your
computer that can be annoying and can cause your computer to slow down or crash.
These programs can change your Web browser's home page or search page, or
add additional components to your browser you don't need or want. These programs
also make it very difficult for you to change your settings back to the way you
originally had them.
The key in all cases is whether or not you (or someone
who uses your computer) understand what the software will do and have agreed to
install the software on your computer.
There are a number of ways spyware or
other unwanted software can get on your computer. A common trick is to covertly
install the software during the installation of other software you want, such as
a music or video file sharing program.
Whenever you install something on
your computer, make sure you carefully read all disclosures, including the
license agreement and privacy statement. Sometimes the inclusion of unwanted
software in a given software installation is documented, but it might appear at
the end of a license agreement or privacy statement.