NAC and Patching

When I was looking at different NAC solutions, I remember one vendor being aghast at my plans for NAC, “NAC isn’t patch management” he sputtered. While I agree that no one is looking to supplant their SMS/patchlink whatever with NAC, making sure every computer meets a baseline requirement is an important goal.
We continued looking at vendors and eventually went with Forescout’s Counteract. As I’ve been implementing it, one of the things that struck me was that Microsoft SMS 2003 is even worse that I thought. We used Forescout to run a check for June 2008 Microsoft patches. What I found was 5% of the systems didn’t have those patches because their SMS was hosed.
Using NAC to gather vulnerability information has a lot of advantages. Unlike vulnerability scans, in many cases I was not restricted by personal firewalls. The Forescout uses a connector so it can run scans on the local machine with admin credentials. A vulnerability scan runs once per week and not every system may be online. With Forescout I have a more accurate view of the patching in the enterprise because the scan can be set to run as the client comes online.
Forescout NAC has given me insight to the network that I didn’t have before. Unfortunately its putting in a 100 watt bulb after you’ve been using 40 watts. With the sudden brightness, you see the cobwebs and dirt that you hadn’t noticed before.
The next steps are to fix the SMS on the 5% systems that are broken. Plans are being drawn up to upgrade to SCCM which uses WSUS for updates. I’m hoping that version will be more robust.