Thanks Luis

The problem we are trying to solve is as follows. If a user brings in laptop infected with a virus, we would like to restrict the spread of that virus to the local LAN segment. If we put an IPS at the perimeter/gateway of this LAN, can we prevent the spread of the virus to the global network? And can IPS identify the source (laptop) of the virus?

Regards

Hilary

Hilary,

This can be addressed by Cisco's BYOD (Bring Your Own Device) solution, so in this case ISE or NAC will be the way to go.

Regards,

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

http://www.cisco.com/web/partners/tools/pdihd.html

Hi Hilary,

To add on ISE, the Cisco ISE supports posture assessment of clients. Posture assessment allows inspecting security “health” of the PC and MAC clients. This includes checking for installation, running state, and last update for security software, such as anti-virus, anti-malware, personal firewall. It also ensures the operating systems are patched appropriately.

In addition, ISE posture policies can check for additional custom attributes, like files, processes, registry settings, and applications. Taken together, these features provide ISE with the ability to determine the security “health” of a client that is trying to access your network. ISE uses posture policies to determine the access rights and remediation options that should be provided to clients.