Date: Fri, 9 Dec 2005 22:29:51 -0600
Excellent news considering how many of our student users are using this little trick to avoid the checks.
---
Jason Richardson
Enterprise Systems Support
Northern Illinois University
>>> [log in to unmask] 12/09/05 2:08 PM >>>
Atif/Rajesh-
That's great news... Saw that the release is up, will the release notes be
posted today as well?
--
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883
On 12/9/05 2:43 PM, "Atif Azim (atif)" <[log in to unmask]> wrote:
> Just an FYI.
>
> In the new CCA release (ver 3.6) there is a feature that has been added to
> combat this particular problem.
> This release will be available shortly.
>
> From the new release notes:
>
> ---------------->>>
>
> New Feature: OS Detection
>
> By default, the system uses the User-Agent string from the HTTP header to
> determine the client OS. Release 3.6.0 provides additional detection options
> to include using the platform information from JavaScript, or OS
> fingerprinting from the TCP/IP handshake to determine the client OS. This
> feature is intended to prevent users from changing identification of their
> client operating systems through manipulation of HTTP information.
> This affects the following web console pages:
>
> • There is a new update entry for "Current Version of OS Detection Fingerprint"
> under Device Management > Clean Access > Clean Access Agent > Updates.
>
> • There is a new OS Detection link and page under Device Management > CCA
> Servers > Manage [CAS_IP] > Authentication > OS Detection "
>
> ----------------->>>
>
> Regards,
> Atif
>
>
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of King, Michael
> Sent: Thursday, December 08, 2005 8:00 AM
> To: [log in to unmask]
> Subject: Re: New problem
>
> True,
>
> But what if your device doesn't have Java installed? What if the workaround
> is to disable/remove Java now?
>
> They might be better off using the Host Fingerprinting from NMAP
>
>>
>>
>>
>> From: Perfigo SecureSmart and CleanMachines Discussion List
>> [mailto:[log in to unmask]] On Behalf Of Mike Binns
>> Sent: Thursday, December 08, 2005 10:34 AM
>> To: [log in to unmask]
>> Subject: Re: New problem
>>
>>
>>
>> Students on our campus figured this out immediately during our pilot on
>> campus. It's the User Agent they change, and it's really easy. I plan to combat
>> it by looking for "Linux" machines and verifying they really are using some
>> other method. There are only one or two people actually running Linux on
>> campus. If I find people doing this I will probably clear them from the auth
>> list and if they do it again, I'll just refer them to the network director for
>> a nice chat :).
>>
>>
>>
>> What CCA should have is a way to verify the system OS using Java, which is
>> much harder to forge. Basically any computer that shows to be not Windows
>> should have to run an applet that could verify the OS is truly not Windows.
>>
>>
>>
>>
>> -Mike Binns
>> Internet Manager
>> Gordon College
>> [log in to unmask]
>>
>>
>>
>>
>>
>>
>> From: Perfigo SecureSmart and CleanMachines Discussion List
>> [mailto:[log in to unmask]] On Behalf Of Joyce, Todd N
>> Sent: Thursday, December 08, 2005 10:28 AM
>> To: [log in to unmask]
>> Subject: New problem
>>
>>
>>
>>
>>
>> I had a student this morning tell me they had fairly easily found a
>> workaround to Clean Access. They modified the Information / Authentication
>> string that Internet Explorer sends to indicate that the computer was a
>> Linux machine and therefore since Clean Access thinks their machine is a
>> Linux machine and there are no requirements in place on the network for
>> Linux boxes, they were able to access the network without installing Clean
>> Access.
>>
>>
>>
>>
>>
>> Todd Joyce
>> Network Services
>> Radford University - The Smart Choice
>> [log in to unmask]
>> (540) 831-7777
>>
>>
>>
>> I would rather be a lonely genius than a popular idiot.
>>
>>
>
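
Added example (not part of the original thread and not Cisco's implementation): a sketch of the cross-check the release notes describe, comparing the OS claimed in the User-Agent with JavaScript platform information and a simplified TCP/IP signal (observed TTL only). All function names, TTL defaults and sample sessions are assumptions constructed for illustration; it also covers the case raised above where no script-side value is available.

```python
# Added example: cross-checks the OS claimed in User-Agent against other signals.
# All names and sample sessions are constructed; this is not CCA's code.

def os_from_user_agent(ua):
    """OS family the client claims in its HTTP User-Agent header."""
    ua = ua.lower()
    if "windows" in ua:
        return "windows"
    if any(tok in ua for tok in ("linux", "x11", "mac", "bsd")):
        return "other"
    return "unknown"

def os_from_platform(platform):
    """OS family from JavaScript navigator.platform, e.g. 'Win32' or 'Linux i686'."""
    if not platform:
        return "unknown"          # script disabled or value not collected
    return "windows" if platform.lower().startswith("win") else "other"

def os_from_ttl(observed_ttl):
    """Round the observed IP TTL up to a common initial value (assumed defaults:
    64 for Linux/BSD/Mac OS X, 128 for Windows). Real fingerprinting uses more fields."""
    if observed_ttl is None or not 0 < observed_ttl <= 128:
        return "unknown"
    return "other" if observed_ttl <= 64 else "windows"

def check_client(user_agent, platform="", ttl=None):
    """Return (verdict, conflicting_signals) for one login attempt."""
    claimed = os_from_user_agent(user_agent)
    evidence = {"js_platform": os_from_platform(platform), "tcp_ttl": os_from_ttl(ttl)}
    known = {k: v for k, v in evidence.items() if v != "unknown"}
    if claimed == "unknown" or not known:
        return "unverified", []
    conflicts = sorted(k for k, v in known.items() if v != claimed)
    return ("mismatch" if conflicts else "consistent"), conflicts

SPOOFED_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Linux i686)"       # constructed
WINDOWS_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"   # constructed
LINUX_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US) Gecko/20051111 Firefox/1.5"

if __name__ == "__main__":
    for ua, plat, ttl in [(WINDOWS_UA, "Win32", 127), (SPOOFED_UA, "Win32", 127),
                          (SPOOFED_UA, "", 126), (LINUX_UA, "Linux i686", 63)]:
        print(check_client(ua, plat, ttl), ua)
```

A "mismatch" verdict is a reason to apply the Windows requirements or review the session, not proof on its own.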