Over the weekend I was talking to someone who has a mandatory requirement at work to have their computer inspected by the helpdesk every 60 days. If the computer is not inspected the computer is not allowed onto the network.
I’ve heard of such requirements for remote users. Remote users who don’t connect to the company using a VPN are tough to check up on. Requiring a periodic check-in could be a good idea for those users. However, physically checking computers that are manageable devices on your internal company network seems like a waste of time to me. If this story is accurate, I’d like to introduce them to NAC.
I know what you’re saying. First they are using a form of NAC if they can keep unapproved people off the network, and force them to go to the helpdesk to reauthorize themselves every 90 days. Second, some people think of NAC like they think of PKI. It just hasn’t taken off yet and some people think it is one of the more useless “useful technologies.”
NAC is actually useful for quite a bit more than keeping people off the network. If you manually check computers every 60 days, a computer that has broken patching mechanisms or is infected will not be detected for an average of 30 days. NAC would be able to detect this as the computer is connected to the network and on an ongoing recheck schedule. Even if you don’t want to send the user to a remediation page you could alert the helpdesk. Better to be fixing known problems immediately than inconveniencing everyone else every 60 days.
If you do have a NAC project, I’d suggest checking out Forescout. I have been happy with our selection. When we looked at other vendors it wasn’t even close in my opinion. Don’t feel like you have to buy NAC from your network switch vendor or your desktop antivirus vendor.
Archive for the ‘NAC’ Category.
Some People Really Need to Look Into NAC
NAC and Patching
When I was looking at different NAC solutions, I remember one vendor being aghast at my plans for NAC, “NAC isn’t patch management” he sputtered. While I agree that no one is looking to supplant their SMS/patchlink whatever with NAC, making sure every computer meets a baseline requirement is an important goal.
We continued looking at vendors and eventually went with Forescout’s Counteract. As I’ve been implementing it, one of the things that struck me was that Microsoft SMS 2003 is even worse that I thought. We used Forescout to run a check for June 2008 Microsoft patches. What I found was 5% of the systems didn’t have those patches because their SMS was hosed.
Using NAC to gather vulnerability information has a lot of advantages. Unlike vulnerability scans, in many cases I was not restricted by personal firewalls. The Forescout uses a connector so it can run scans on the local machine with admin credentials. A vulnerability scan runs once per week and not every system may be online. With Forescout I have a more accurate view of the patching in the enterprise because the scan can be set to run as the client comes online.
Forescout NAC has given me insight to the network that I didn’t have before. Unfortunately its putting in a 100 watt bulb after you’ve been using 40 watts. With the sudden brightness, you see the cobwebs and dirt that you hadn’t noticed before.
The next steps are to fix the SMS on the 5% systems that are broken. Plans are being drawn up to upgrade to SCCM which uses WSUS for updates. I’m hoping that version will be more robust.
Forescout Announces Buyout Program for Orphaned Lockdown Customers
Last week Forescout announced a program to credit Lockdown customers for their orphaned NAC equipment when they make a Forescout CounterACT purchase.
Lockdown is a NAC vendor that announced it was ceasing operations. Forescout is an up and comer in the NAC market. Personally, I think they are the best NAC choice, and when I get some time, I’ll have an entry about why I think that.
I think this is a great way for Forescout to get their name out there. At the same time though the death of Lockdown does make me even more wary about using a smaller player. Its a classic trade off. Going with the established name means they probably wont go out of business. At the same time, their feature set may not be as good and they wont have good support or response to enhancement requests. With Forescout, there is a risk they will go out of business or be bought by “XYZ Company you hate”. But they will tend to be more responsive and thus have better features.
Different companies have different opinions on the best approach to take. Even if you go with an established “name” company, they may drop your product line when they purchase a smaller named company that has a better product. Its a risk that needs to be considered.
