Shmoocon: Network Policy enforcement


Steve Manzuik, Toby Madhat, and Chris Farrow presented a Birds of a Feather session titled "Network Policy Enforcement / Network Quarantine: Latest Security Gimmick or Good Idea."

NAC controls access to the network until the computer is brought into compliance. A lot of users go around the country plugging into any port available. What happens when they get back home? While they may get a cycle of penicillin, their computer gets attached to the network, spreading anything the computer may have picked up.

You can have a lot of problems with NAC if you apply it foolishly. A company with 5-6 thousand users had NAC implemented. On a Friday they configured NAC to require the WMF patch. When Monday came, they had 3 thousand computers that couldn't access the network. (Does NAC have remediation? With a system with remediation, I don't see how this is a bad thing, as long as management was on board that this was a critical requirement and they had also been made to understand what would happen.)

There are three types of network enforcement. The client could isolate itself using a personal firewall. The switch could isolate bad clients. Or an appliance could be added in-line to the network to provide enforcement.

One of the key problems with Network Policy Enforcement is handling heterogeneous environments: can you deal with Mac and Linux? Second, how do you interrogate the clients? Is it only a network vulnerability scan like Nessus, or is there a client agent? If you don't trust the computer, how can you trust the answer it gives to the agent? Someone could go to a lot of trouble to fool the agent, or they could just write their own agent to give answers to the device, assuming the protocols are that insecure.

In their experience it takes a huge amount of manpower and money. Some things just don't scale well, and Network Policy Enforcement may never work on large 10k+ implementations.


This page contains a single entry by Roger published on January 13, 2006 11:39 PM.
