Some People Really Need to Look Into NAC

Over the weekend I was talking to someone who has a mandatory requirement at work to have their computer inspected by the helpdesk every 60 days. If the computer is not inspected, it is not allowed onto the network.
I’ve heard of such requirements for remote users. Remote users who don’t connect to the company using a VPN are tough to check up on, so requiring a periodic check-in could be a good idea for them. However, physically checking computers that are manageable devices on your internal company network seems like a waste of time to me. If this story is accurate, I’d like to introduce them to NAC.
I know what you’re saying. First, they are already using a form of NAC if they can keep unapproved people off the network and force them to go to the helpdesk to reauthorize themselves every 90 days. Second, some people think of NAC the way they think of PKI: it just hasn’t taken off yet, and some people consider it one of the more useless “useful technologies.”
NAC is actually useful for quite a bit more than keeping people off the network. If you manually check computers every 60 days, a computer with a broken patching mechanism or an infection will go undetected for an average of 30 days. NAC would detect this as soon as the computer connects to the network, and again on an ongoing recheck schedule. Even if you don’t want to send the user to a remediation page, you could alert the helpdesk. Better to be fixing known problems immediately than inconveniencing everyone else every 60 days.
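To make the connect-time and recheck idea concrete, here is a small posture-check evaluator I wrote for this post. It is an added example, not Forescout’s logic or any vendor’s code: the thresholds (14-day patch age, 3-day signature age), the device records and the schedule dates are all constructed values. It sorts a device into allow, self-service remediation, or a helpdesk alert, and compares how long a fault stays undetected under a 60-day manual sweep versus a daily NAC recheck.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds: assumed values for this example, not from any product.
MAX_PATCH_AGE = timedelta(days=14)
MAX_AV_SIGNATURE_AGE = timedelta(days=3)


@dataclass
class DevicePosture:
    """What an endpoint agent (or an agentless scan) reports at connect time."""
    hostname: str
    last_successful_patch: datetime
    patch_service_running: bool
    av_signature_date: datetime
    av_detected_threats: int


def evaluate_posture(p: DevicePosture, now: datetime):
    """Return (verdict, reasons). verdict is one of:
    'allow'      - policy met, admit to the production network
    'remediate'  - stale but user-fixable, send to the remediation page
    'alert'      - broken patch mechanism or active infection: open a helpdesk
                   ticket, because this is not something the user fixes alone
    """
    reasons = []
    needs_helpdesk = False
    if not p.patch_service_running:
        reasons.append("patch service not running")
        needs_helpdesk = True
    if now - p.last_successful_patch > MAX_PATCH_AGE:
        reasons.append(f"last patch {(now - p.last_successful_patch).days}d ago")
    if now - p.av_signature_date > MAX_AV_SIGNATURE_AGE:
        reasons.append(f"AV signatures {(now - p.av_signature_date).days}d old")
    if p.av_detected_threats > 0:
        reasons.append(f"{p.av_detected_threats} unresolved AV detection(s)")
        needs_helpdesk = True
    if needs_helpdesk:
        return "alert", reasons
    if reasons:
        return "remediate", reasons
    return "allow", reasons


def triage(devices, now):
    """Verdict per hostname, as a NAC policy engine would produce on each connect."""
    return {d.hostname: evaluate_posture(d, now)[0] for d in devices}


def detection_delay(fault_onset: datetime, schedule_start: datetime, interval: timedelta):
    """Time from a fault appearing until the first scheduled check strictly after it."""
    periods = (fault_onset - schedule_start) // interval + 1  # timedelta // timedelta -> int
    next_check = schedule_start + periods * interval
    return next_check - fault_onset


def sweep_comparison(onset, start, manual_days=60, nac_days=1):
    """Days a fault goes unnoticed under a manual sweep vs. a NAC recheck schedule."""
    return {
        "manual_sweep_days": detection_delay(onset, start, timedelta(days=manual_days)).days,
        "nac_recheck_days": detection_delay(onset, start, timedelta(days=nac_days)).days,
    }


# Constructed sample data: a fixed "now" so the example is deterministic.
NOW = datetime(2024, 3, 1, 9, 0)
SAMPLE_DEVICES = [
    DevicePosture("lt-001", NOW - timedelta(days=2), True, NOW - timedelta(days=1), 0),   # healthy
    DevicePosture("lt-002", NOW - timedelta(days=40), False, NOW - timedelta(days=1), 0), # patch agent dead
    DevicePosture("lt-003", NOW - timedelta(days=5), True, NOW - timedelta(days=10), 0),  # stale AV sigs
    DevicePosture("lt-004", NOW - timedelta(days=1), True, NOW, 2),                       # active detections
]
SCHEDULE_START = NOW - timedelta(days=20)   # when the last sweep / recheck cycle began
FAULT_ONSET = NOW - timedelta(days=17)      # patch agent broke 3 days into the cycle

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        verdict, why = evaluate_posture(d, NOW)
        print(f"{d.hostname}: {verdict} {why}")
    print(sweep_comparison(FAULT_ONSET, SCHEDULE_START))
```

In this run lt-002 and lt-004 go straight to the helpdesk, lt-003 gets the remediation page, and the fault that appeared three days into the cycle waits 57 days for the next manual sweep but one day for the NAC recheck. Real deployments wire the “alert” verdict into a ticketing or SIEM integration rather than a print call, but the policy shape is the same.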
If you do have a NAC project, I’d suggest checking out Forescout. I have been happy with our selection; when we looked at other vendors it wasn’t even close, in my opinion. Don’t feel like you have to buy NAC from your network switch vendor or your desktop antivirus vendor.