Doing your NAC homework

Make it a matter of policy.


If schools had technology that could stop students from coming to class unless their homework was complete, would they turn students away at the door if they hadn't finished their assignments? Or give them a warning but let them come to class? And would the policy become stricter based on the type of homework?

It's an interesting analogy to automating security policy enforcement on enterprise networks.

Historically, enterprise security policies have been distributed via books or e-mail and users are expected to comply, but compliance is hard to enforce. With network access control (NAC), it's possible to automate enforcement. But as with the school scenario, we need to think through what enforcement means in practice.

Surprisingly, with all the hype around NAC, this topic has received little attention, yet it may be one of the most significant determinants of a deployment's success.

The goal of NAC is not to keep devices off the network; it's to make sure the network isn't compromised by problem devices or unauthorised access.

Consider this policy: All computers must have anti-virus software profiles updated within 72 hours, scan for viruses weekly, have a firewall running and install operating-system patches within 96 hours.

Some NAC solutions allow this policy to be enforced automatically, but here's the interesting part: If the CEO's virus signatures were out of date, would enforcement be quarantine and remediation? Should a mailserver be treated like a laptop? The answer is almost always no.

It boils down to the fact that NAC is not a one-size-fits-all approach to policy enforcement. A well-built policy is a lot like good journalism: it must address who, what, when, where and why, or the results may not align with enterprise objectives.

From a NAC perspective, who maps to identity-based decisions for users and devices such as:

  • If not known/authenticated, what do I do?
  • Is the user/device mission critical?
  • Is the user likely to be exposed to threats?

What addresses factors related to the nature of the problem:

  • Is there an immediate threat to the device or network?
  • Does the violation demand immediate remediation, or is 'soon' good enough?
  • Is this a guest?

When includes such parameters as:

  • When must I resolve this, now or in the future?
  • Are there times of day to make certain tests or skip certain tests?
  • Does my action vary based on time of day?

Where has a huge impact on policy:

  • Conference room, lobby or other public area; test lab; repair centre; remote office; data centre.

For example, devices in a data centre or test lab probably should be held to different standards than PCs used for e-mail or browsing.

Last comes why. In NAC, there must be a motive to take an action. Why is going to be highly dependent on enterprise objectives, but a few examples include:

  • Increasing access for guests/vendors/contractors without compromising security.
  • Documenting enforcement of compliance mandates (such as Sarbanes-Oxley and the US HIPAA rules).
  • Reducing endpoint remediation/help-desk costs because of exploits.
  • Eliminating recurrent security problems caused by guests.

Pulling these ideas together, consider some sample policies:

  • IF location is DataCentre, THEN scan for SANS-20 every day. IF device fails, THEN notify admin.
  • IF user is executive, THEN allow on network and perform a background audit. IF fails, THEN notify admin.
  • IF in field office, THEN quick-scan before allowing on network. IF passed, THEN allow on network, ELSE quarantine and remediate.
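To show how the baseline posture policy (signatures within 72 hours, weekly scan, firewall running, patches within 96 hours) and the who/what/when/where rules above combine into one decision, here is a toy policy engine. It is an added example, not code from the article or from Lockdown Networks; the thresholds are the article's, while the role and location names, the split between "immediate" and "deferred" violations, the office-hours rule and the sample fleet are assumptions made for illustration.

```python
"""Toy NAC policy engine for the who / what / when / where rules sketched above.

Added example, not code from the article or from Lockdown Networks. The
posture thresholds (signatures within 72 h, weekly scan, firewall on, OS
patches within 96 h) are the article's; the role and location names, the
severity split, the office-hours rule and the sample fleet are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

H = timedelta(hours=1)
NOW = datetime(2024, 3, 4, 20, 0)   # assumed evaluation time: a Monday at 20:00


@dataclass
class Endpoint:
    name: str
    role: str                   # assumed: "executive", "staff", "guest", "server"
    location: str               # assumed: "datacentre", "field_office", "lobby", "hq"
    signatures_age: timedelta   # time since the last AV signature update
    last_scan_age: timedelta    # time since the last full AV scan
    firewall_on: bool
    patch_lag: timedelta        # age of the oldest uninstalled OS patch
    authenticated: bool = True


def posture_violations(ep: Endpoint) -> list[str]:
    """WHAT: which clauses of the baseline policy does the device fail?"""
    v = []
    if ep.signatures_age > 72 * H:
        v.append("av-signatures-stale")
    if ep.last_scan_age > 7 * 24 * H:
        v.append("av-scan-overdue")
    if not ep.firewall_on:
        v.append("firewall-off")
    if ep.patch_lag > 96 * H:
        v.append("os-patches-missing")
    return v


def severity(violations: list[str]) -> str:
    """Immediate threat to the network, or is 'soon' good enough? (assumed split)"""
    immediate = {"firewall-off", "os-patches-missing"}
    return "immediate" if immediate.intersection(violations) else "deferred"


def next_office_hours(now: datetime) -> datetime:
    """WHEN: the next 09:00 at which the help desk can remediate (assumed hours)."""
    if 8 <= now.hour < 18:
        return now + 24 * H
    nine = now.replace(hour=9, minute=0, second=0, microsecond=0)
    return nine if nine > now else nine + 24 * H


def decide(ep: Endpoint, now: datetime = NOW) -> dict:
    """Combine WHO, WHAT, WHEN and WHERE into one enforcement decision."""
    if not ep.authenticated:                       # WHO: unknown device
        return {"action": "quarantine", "notify": True, "reason": "not authenticated"}
    violations = posture_violations(ep)
    if not violations:
        return {"action": "allow", "notify": False, "reason": "compliant"}
    reason = ",".join(violations)
    if ep.location == "datacentre":                # WHERE: never auto-quarantine a server
        return {"action": "allow", "notify": True, "reason": "datacentre: " + reason}
    if ep.role == "executive":                     # WHO: allow, audit in background, notify
        return {"action": "allow+audit", "notify": True, "reason": reason}
    if ep.role == "guest":                         # WHO/WHERE: guests get a restricted VLAN
        return {"action": "guest-vlan", "notify": False, "reason": reason}
    if severity(violations) == "immediate":        # WHAT: real exposure, quarantine now
        return {"action": "quarantine", "notify": True, "reason": reason}
    return {"action": "allow", "notify": True, "reason": reason,
            "remediate_by": next_office_hours(now)}   # WHEN: fix soon, not now


def sample_fleet() -> list[Endpoint]:
    """Constructed sample devices, one per rule above (not real hosts)."""
    ok = dict(signatures_age=1 * H, last_scan_age=24 * H, firewall_on=True, patch_lag=0 * H)
    return [
        Endpoint("ceo-laptop", "executive", "hq", **{**ok, "signatures_age": 100 * H}),
        Endpoint("mail-01", "server", "datacentre", **{**ok, "patch_lag": 200 * H}),
        Endpoint("field-pc-7", "staff", "field_office", **{**ok, "firewall_on": False}),
        Endpoint("field-pc-8", "staff", "field_office", **{**ok, "last_scan_age": 240 * H}),
        Endpoint("lobby-guest", "guest", "lobby", **{**ok, "patch_lag": 500 * H}),
        Endpoint("unknown-mac", "staff", "hq", **ok, authenticated=False),
        Endpoint("hq-pc-1", "staff", "hq", **ok),
    ]


def evaluate(fleet: list[Endpoint], now: datetime = NOW) -> dict:
    """Map each device name to its enforcement decision."""
    return {ep.name: decide(ep, now) for ep in fleet}


if __name__ == "__main__":
    for name, d in evaluate(sample_fleet()).items():
        print(f"{name:12} {d['action']:12} notify={d['notify']!s:5} {d['reason']}")
```

The order of the checks is the policy: identity and location are consulted before severity, which is why the same stale signatures produce an audit for the executive, an admin page for the mailserver and a next-morning deadline for a field-office desktop, while only a firewall-off or unpatched staff machine is quarantined on the spot.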

In the light of all this, the school homework policy should be: IF student IN classroom AND homework done, THEN smile, ELSE log and deliver stern notification.

Dan Clark is vice president of marketing for Lockdown Networks.
