UC Santa CruzResidential Networking
HomeResidential Networking - Practice Safe ComputingResidential Networking - Virus InformationStaff

Residential Networking
Phone: (831) 459-4638
Email: resnet@ucsc.edu

--------------

Legal Entertainment Sites
Register A Network Device
Computing Support
Cisco Clean Access Info
Network Policies
Info for New Students
Configuration Information
Wireless Information
Virus Repair Instructions
How to Disable File Sharing
Be Smart on the Net
Survey Results

--------------

Other UCSC Links
» General Info
» ITS Home
» Academics
» Administration
» Admissions
» News & Events
» Research

--------------

Sitemap | Feedback | Print

Terms and Conditions of Use

Maintained by resnet@ucsc.edu
Last Reviewed on Sep 6, 2006

© 2009 UC Santa Cruz

 

CCA Home > Clean Access Agent FAQ

Clean Access Agent FAQ

Key Terms

  • Network Access Procedure: The process of authentication and validation of your computer required for university network access.
  • Authentication: The process of verifying your access to the network by confirming your username and password and associating it with your computer.
  • Validation: The process of confirming that certain security measures are in place on your computer.
Q: What is Clean Access?
Q: What Networks Require Validation?
Q: Why Are We Introducing this Solution Now?
Q: How Does Validation Work?
Q: Where do the Cisco Clean Access Servers Fit in the Network?
Q: What is the Clean Access Agent?
Q: What Validation Checks are Being Performed?
Q: How Long Do the Validation Checks Take?
Q: What is the Process for Changing the Minimum Security Requirements?
Q: How Often Will I Be Revalidated?
Q: How Does Validation Work for Macintosh Users?
Q: How Does Validation Work for Linux Users?
Q: What is a Nessus Scan?
Q: What About Xboxes, PlayStations, etc.?
Q: What Remediation is Available?
Q: What Happens If an “Infected” System Behaves Badly on the Network?

Q: What is Clean Access?

A: Clean access is a solution provided by Cisco, Inc. that performs network validation. The software performs the following functions:

  • Require authentication to the network
  • Validate whether the system connecting to the network meets the minimum security standards.
  • Quarantines the system until it meets the minimum security standards.
  • Provides access to the remediation sites.
  • Once the system is validated as “clean,” allows access to the network.

Top of page

Q: What Networks Require Validation?

A: All ResNet users except those living at the University Inn, University Town Center and Family Student Housing.

Top of page

Q: Why Are We Introducing this Solution Now?

A: Each quarter student machines are introduced to the campus that potentially contain harmful viruses and malware. On move-in weekend in particular, worms and viruses attempt to spread to unpatched/vulnerable machines. ResNet determined that the best way to prevent this from happening is to insure that virus software and Operating System critical update/patches are current and maintained.

Top of page

Q: How Does Validation Work?

A: Similar to the "Computer Registration" form, this solution will redirect any Internet browser request to a web page that instructs the user to download and install the validation client known as the “Cisco Clean Access Agent”. Once launched, the client downloads the validation rules and processes them. If the workstation fails the test, it is allowed Internet access only to the remediation sites for a period of about 10 minutes.  Once corrected, full network access is provided.

Top of page

Q: Where do the Cisco Clean Access Servers Fit in the Network?

A: There is a management server, known as “Clean Access Manager” which provides the administration of the Cisco Clean Access-protected network. The enforcement servers are known as “Clean Access Servers.” We are configuring a Clean Access Server for every 2000 network ports. The Clean Access Servers receive the validation instructions from the Clean Access Manager and download these to each client installed on workstations which connect to the network.

We have configured the Clean Access Servers as routers in the university network. Access to the network is controlled via access control lists on the router. Thus, unauthenticated access is limited to very few network addresses; once authenticated and validated, Cisco Clean Access modifies the access controls to allow full access to the network.

Top of page

Q: What is the Clean Access Agent?

A: Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access Server. No information about the user or the content of user files is sent to the server. Each user must use Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use the university network.

Top of page

Q: What Validation Checks are Being Performed?

A: For Fall quarter we are configuring Cisco Clean Access to validate the following:

  • Automatic Updates is enabled and set to Automatic install
  • Check for one of the major antivirus products, and make sure it has recent updates.
  • Check for current Windows Critical Updates for Windows XP, 2000, ME, and 98 machines.

Top of page

Q: How Long Do the Validation Checks Take?

A: Generally between 15 and 30 seconds.

Top of page

Q: What is the Process for Changing the Minimum Security Requirements?

A: As new critical Microsoft updates become available, the security requirements will be updated to reflect the new patches. Typically, we will not immediately set the validation check for the new patches, but allow some time (typically a week)  for people to update their systems in due course. If a vulnerability is reported or the threat of a virus storm or worm attack emerges, we will update the validation check immediately in reaction to the threat. We will send email to all ResNet users to communicate the update.

Please note that we may cancel all network connections for a particular subnet in response to an attack. Again, we will send email and will only resort to these actions in very urgent conditions.

Top of page

Q: How Often Will I Be Revalidated?

A: We plan to configure the validation timer for every 7 days. Initial plans are for early Monday mornings.

Top of page

Q: How Does Validation Work for Macintosh Users?

A: Currently Macintosh users must authenticate by logging in via a web page. The only validation check for Macintosh systems is the Nessus scan.  At this point there is no client which is downloaded to Macintosh systems. The network connection timer is set for Macintosh systems; however, there is no icon that can be right-clicked to logout and subsequently login again.

Top of page

Q: How Does Validation Work for Linux Users?

A: Linux users must authenticate by logging in via a web page. The only validation check for Linux systems is the Nessus scan. There is no client which is downloaded to Linux systems. The network connection timer is set for Linux systems; however, there is no icon that can be right-clicked to logout and subsequently login again.

Top of page

Q: What is a Nessus Scan?

A: Nessus plug-ins are very much like virus signatures in a common virus scanner application. Each plug-in is written to test for a specific vulnerability. These can be written to actually exploit the vulnerability or just test for known vulnerable software versions.

Plug-ins can be written in most any language but usually are written in the Nessus Attack Scripting Language (NASL). NASL is Nessus' own language, specifically designed for vulnerability test writing.

Each plug-in is written to test for a specific known vulnerability and/or industry best practices. NASL plug-ins typically test by sending very specific code to the target and comparing the results against stored vulnerable values.

Nessus can scan some of the well known worm backdoors. For example, W32.Dabber propagates by exploiting a vulnerability in the FTP server component of W32.Sasser.Worm and its variants. It installs a backdoor on infected hosts and tries to listen on port 9898. If the attempt fails, W32Dabber.A tries to listen on ports 9899 through 9999 in sequence until it finds an open port. Nessus will look for the open port if the machine is infected.

Top of page

Q: What About Xboxes, PlayStations, etc.?

A: Please visit the registration page to activate your game console. Enter your name and password and MAC Address of the console. Within two days, your console will be placed in the Gaming Role. The Gaming Role provides network access to console related services ONLY (i.e. if your register your PC for this role you won't have web, email or IM services).

Top of page

Q: What Remediation is Available?

A: Authentication Failure. If a user’s systems fails authentication, the user is instructed to provide the correct university Email username and password.  If the user has forgotten his/her password, he/she is instructed to call the ITS HelpDesk at x9-4357 or visit them in Kerr Hall Room 60 to get their password reset.

AntiVirus Failure. UCSC provides McAfee VirusScan® Enterprise free to students. It is required that all PCs connected to ResNet be running AntiVirus software. Other antivirus software is allowed, however, support is limited to only McAfee. If the user’s system fails the check for current AntiVirus software, the user is provided a download for McAfee VirusScan® Enterprise.

Microsoft Windows Patch Failure. If the user’s system fails the check for current critical Operating System patches, the user is instructed to click on the URL for the Microsoft Windows update site and follow the instructions.

Top of page

Q: What Happens If an “Infected” System Behaves Badly on the Network?

A: The validation solution can not prevent all infections. Also, we have experienced denial of service attacks originating from within the university network. For those subnets controlled by Clean Access Servers, the process will be to disconnect the offending system using the Clean Access Manager management console. Unless the system is demonstrating a vulnerability for which there is no patch, there should be no need to block the physical switch port, as the user will not be able to reconnect until the problem is corrected.

Top of page