Subject: Re: OT: authenticating users, was Re: SE Linux vs SE NetBSD !!
To: Travis H. <solinym@gmail.com>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 09/04/2006 22:38:24
On Jan 23, 12:02pm, "Travis H." wrote:
} On 9/2/06, John Nemeth <jnemeth@victoria.tc.ca> wrote:
} >      This is where things like Cisco's NAC (Network Admission Control)
} > come into play.  Basically, it prevents machines from connecting to
} > the network if they aren't running the latest patches, anti-virus, etc.
} > (whatever you put into your policy).  It can either block the machine
} > completely or quarantine it in a subnet where it can only get updates.
} > There may be other products that do similar things, but I'm not aware
} > of any.
} 
} I think you could write this up in a script using nmap and authpf.

     How would nmap query a system to find out the date of the
anti-virus signature file?

} > Of
} > course, there is the issue of authenticating users and making sure they
} > don't try to fake the credentials of a different user.  I think some of
} > the other options are better for that.
} 
} Yeah, well nowadays there are so many PCs relative to the number of
} users, and it's reasonable to assume one user per workstation.

     Even so, how do you find out who that user is?

} I think Kerberos is designed with this assumption.  Certainly

     I don't think so.  However, NFS is designed to talk to multi-user
systems.  Basic NFS assumes that the system is secure and will
authenticate its users.  This is a bad assumption in a client/server
environment.

} network security devices like firewalls are.  A person with
} physical access can probably get any other user's privileges
} anyway.

     Perhaps.

}-- End of excerpt from "Travis H."
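The point about basic NFS trusting the client to authenticate its own users can be seen directly in the wire format. The following is an added example, not code from this thread or from any NFS implementation: a small Python decoder for the AUTH_SYS (AUTH_UNIX) credential that an RPC call carries, laid out as in RFC 5531 section 8.2. The sample credential bytes are constructed here for illustration; the helper names (parse_opaque_auth, describe_trust) are this example's own. The decoded structure contains a uid, gid and group list and nothing else, which is why a server that accepts this flavor can only take the client's word for who the user is.

```python
import struct

# RPC authentication flavors (RFC 5531 section 8). AUTH_SYS is the
# traditional "AUTH_UNIX" flavor used by basic NFS.
AUTH_NONE = 0
AUTH_SYS = 1


def _u32(buf, off):
    """Decode one XDR unsigned int (4 bytes, big-endian) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated XDR unsigned int at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _string(buf, off):
    """Decode an XDR string: length, bytes, zero padding to a 4-byte boundary."""
    n, off = _u32(buf, off)
    padded = (n + 3) & ~3
    if off + padded > len(buf):
        raise ValueError("truncated XDR string at offset %d" % off)
    return buf[off:off + n].decode("ascii", errors="replace"), off + padded


def parse_authsys_parms(body):
    """Decode struct authsys_parms: stamp, machinename, uid, gid, gids<16>."""
    stamp, off = _u32(body, 0)
    machinename, off = _string(body, off)
    uid, off = _u32(body, off)
    gid, off = _u32(body, off)
    ngids, off = _u32(body, off)
    if ngids > 16:
        raise ValueError("authsys gids<16> has %d entries" % ngids)
    gids = []
    for _ in range(ngids):
        g, off = _u32(body, off)
        gids.append(g)
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


def parse_opaque_auth(buf):
    """Decode the opaque_auth {flavor, body<400>} field of an RPC call header.

    Returns (flavor, parsed_body); parsed_body is None for flavors this
    example does not decode.
    """
    flavor, off = _u32(buf, 0)
    n, off = _u32(buf, off)
    if n > 400 or off + n > len(buf):
        raise ValueError("opaque_auth body length %d is invalid" % n)
    body = buf[off:off + n]
    parsed = parse_authsys_parms(body) if flavor == AUTH_SYS else None
    return flavor, parsed


def describe_trust(flavor, parsed):
    """One-line audit description of what the server can actually verify."""
    if flavor == AUTH_SYS:
        return ("AUTH_SYS: uid=%d gid=%d from host %r are asserted by the client; "
                "the server has no way to check them"
                % (parsed["uid"], parsed["gid"], parsed["machinename"]))
    if flavor == AUTH_NONE:
        return "AUTH_NONE: no identity claimed at all"
    return "flavor %d: not decoded by this example" % flavor


# Constructed sample credential (not captured traffic): AUTH_SYS, stamp=1,
# machinename="client", uid=0, gid=0, gids=[0]. The body is 32 bytes long.
SAMPLE_CRED = (
    struct.pack(">I", AUTH_SYS)
    + struct.pack(">I", 32)                          # body length
    + struct.pack(">I", 1)                           # stamp
    + struct.pack(">I", 6) + b"client" + b"\0\0"     # machinename, padded to 8
    + struct.pack(">I", 0)                           # uid
    + struct.pack(">I", 0)                           # gid
    + struct.pack(">I", 1) + struct.pack(">I", 0)    # gids<16>: one entry
)

if __name__ == "__main__":
    flavor, parsed = parse_opaque_auth(SAMPLE_CRED)
    print(parsed)
    print(describe_trust(flavor, parsed))
```

Running the block prints the decoded fields and the trust description. An auditor checking an NFS deployment would use the same reasoning in reverse: any export that accepts AUTH_SYS is relying on every client host that can reach it being as trustworthy as the server itself, which is the assumption the message above calls bad for a client/server environment.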