
[SAGE] windows patching, "network admission control"



[ I originally posted this to comp.dcom.sys.cisco, reposting here
  to get feedback from a wider audience ]


In mopping up after Sasser and a Gaobot variant that exploited the LSASS
vulnerability, I've started looking around for ways to prevent unpatched
Windows machines from doing anything useful on the network. Cisco has this
"Self-Defending Network" thing that seems intended to address this problem;
specifically the "Network Admission Control" looks like a great idea --
from what I can tell sifting through the marketspeak it looks like they
give you a way to query a 'trust agent' installed on end-stations, and
adjust VLAN membership for an end-station's uplink port based on the results
of that query.  But it's clearly got a couple of problems:

1. It doesn't, as far as I can tell, actually exist yet.
2. Aside from that, there doesn't seem to be a way to address
   the problem of "rogue" machines (which, in our case, were really the
   main vector that spread the infection) which do not have the security
   agent installed on them; a random laptop brought in, or a self-installed
   Windows XP box that doesn't run the agent.
3. I don't have Cisco switches at my edge, and even if I did, many offices
   share an edge port via unmanaged hub, between a Linux or Solaris machine
   which I don't want to have to care about, and one or more Windows boxes,
   which I do.

Has anybody seen this software, or know how it addresses these issues?

Has anybody addressed this problem, through means other than those
Cisco sells?


-- 

    Eric Sorenson - EXPLOSIVE Networking - http://explosive.net