I manage a team of network admins at a university that uses the same software as CMU. The software does have agents available for Mac and Linux too.
Stupid question, what if your machine is a Mac or Linux box? This "Client Security Agent" seems to be a Windows-only beast. Whatever it is, it would be a cold day in hell before I let a university that I'm paying money to dictate that I have to have their software on my machine to use the Internet access that my tuition and fees are paying for!
Here's the problem. The IT staff has a number of conflicting expectations for the network. There are N-1 other students at the university also paying tuition, and they also expect the network to work. School administration expects it to work, with priority given to academic purposes. While it isn't ideal to require that students trust our software to run on their computer, it allows the school's IT staff to ensure computers comply with policy (current AV, anti-spyware, etc.), and that computers that are causing network problems can be quickly identified and the problem mitigated. (And believe me, a comprehensive network access system greatly speeds problem resolution, both for the network and the student.) Keeping bad computers off the network lets the network keep working for everyone else that didn't mess up their computer with malicious software. It'd be nice to somehow exempt students that know what they're doing from this intrusive, annoying process. But like many things, a few bad apples ruin it for everyone.
The software allows policies to be set for AV existence and version, anti-spyware, and OS version and updates. It also allows custom scans to be written to check for files and registry keys. No other info gets sent to the administrators other than if you have failed or passed such a scan. No one is spying on you, or cares that much about what's on your computer. They just want the network to work.
There are agentless NAC solutions available, but they are more annoying for the user and less correct for the administrators. Having no NAC really isn't a feasible option anymore for schools of any decent size, as they need to comply with CALEA and respond to RIAA, REN-ISAC, and other internal/external complaints. If you don't trust your school, and are that concerned about running untrusted code from a vendor picked by your school, then don't. Don't use the network, and have fun with your protest. The administrators aren't forcing this upon the students because they're unsympathetic to their concerns. But rather, because they need to serve all students well.