Simple NAC/NAP

  • Question

  • Why can't someone develop a simple NAC or NAP solution for the majority of us?  Most of us do not operate high-security environments such as a military network, a government network or a financial network.  These environments demand full-blown, feature-laden, pre/post scanning and policy-driven access control. They face real and significant risks and threats every minute. They also have deep pockets to pay for such solutions.  Even so, they will never be in a secured state.

    As for the rest of us, we will never attain a "secured state" either, but we should be prudent and follow sound principles to achieve reasonable security. Given shallow pockets, a simple NAC solution would provide reasonable security by providing a simple means to control access. Though imperfect, DHCP combined with 802.1x could permit a "device" access if it is a member of an AD domain or the MAC address is on a whitelist; otherwise the device is denied access.  Yes, this is imperfect, but if your systems are already well managed and you just want to prevent normal rogue access, what more is needed?  If you already manage a device, why do you need to scan it or run policies against it? Seems to me if you already manage it, you should trust the device. Seems to me that "trust" determines whether a "device" is rogue or not.

    Do most networks really require more than simple NAC?  Why don't we have such a solution?  I know this is an imperfect solution, but it's a simple programming problem to solve, and it would surely solve the problem for most of us.

     

    Rob John

    Friday, August 24, 2007 3:09 AM
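The admission rule Rob sketches above (allow if 802.1x shows the device is an AD domain member, otherwise allow if its MAC is on a whitelist, otherwise deny), written out as an added example. This is not code from the thread, from NAP, or from any vendor product; the whitelist file format, the `host/` machine-account identity convention, the `decide`/`normalize_mac`/`load_whitelist` names and the sample MAC addresses are all assumptions for illustration. It also covers the two places such a rule usually goes wrong in practice: whitelists written in mixed MAC formats that never match the switch's format, and a successful 802.1x login that proves a *user* rather than a managed *device*.

```python
"""Toy 'simple NAC' admission decision (hypothetical example, not NAP code).

Rule, in order:
  1. 802.1x succeeded and the EAP identity is a machine account of our
     AD domain ("host/<name>.<domain>")       -> allow, reason "domain-member"
  2. the device's MAC is on the whitelist      -> allow, reason "mac-whitelist"
  3. anything else (incl. malformed MACs)      -> deny
"""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample whitelist: the same printer MACs written the three ways
# people actually type them (colon, dash, Cisco dotted), plus comments.
WHITELIST_TEXT = """
# lobby printers (constructed sample data)
00:1B:44:11:3A:B7   # colon form, upper case
00-1b-44-11-3a-b8   # dash form
001b.4411.3ab9      # Cisco dotted form
"""

DOMAIN = "corp.example"   # assumed AD DNS domain


def normalize_mac(mac: str) -> str:
    """Canonicalize any common MAC spelling to 12 lower-case hex digits.

    A whitelist is only as good as its string matching: '00:1B:...' must
    match what the switch/RADIUS server reports as '001b.4411.3ab7'.
    Raises ValueError for anything that is not exactly 12 hex digits.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def load_whitelist(text: str) -> Set[str]:
    """Parse one MAC per line; '#' starts a comment; blank lines are ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalize_mac(line))
    return entries


@dataclass
class Request:
    """What the access switch / DHCP server knows about the connecting port."""
    mac: str
    dot1x_identity: Optional[str] = None  # EAP identity, None if no supplicant
    dot1x_success: bool = False           # did the RADIUS server accept it?


def decide(req: Request, whitelist: Set[str], domain: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a connecting device."""
    # 1. Managed device: an AD computer account authenticated over 802.1x.
    #    A user identity (alice@corp.example) on an unmanaged laptop does NOT
    #    count: Rob's rule trusts devices we manage, not people who can log in.
    if req.dot1x_success and req.dot1x_identity:
        ident = req.dot1x_identity.lower()
        if ident.startswith("host/") and ident.endswith("." + domain.lower()):
            return ("allow", "domain-member")

    # 2. Known unmanaged device (printer, badge reader) by MAC whitelist.
    try:
        mac = normalize_mac(req.mac)
    except ValueError:
        return ("deny", "malformed-mac")
    if mac in whitelist:
        return ("allow", "mac-whitelist")

    # 3. Everything else: no DHCP lease / port stays in the quarantine VLAN.
    return ("deny", "unknown-device")


if __name__ == "__main__":
    wl = load_whitelist(WHITELIST_TEXT)
    for r in (
        Request("001b.4411.3ab7"),                                  # printer, dotted form
        Request("aa:aa:aa:aa:aa:01", "host/ws12.corp.example", True),  # domain PC
        Request("aa:aa:aa:aa:aa:02", "alice@corp.example", True),     # user on BYOD
        Request("aa:aa:aa:aa:aa:03", "host/ws12.evil.example", True), # wrong domain
        Request("de:ad:be:ef:00:01"),                                # stranger
        Request("zz:zz"),                                            # garbage
    ):
        print(r.mac, r.dot1x_identity, decide(r, wl, DOMAIN))
```

Two caveats a practitioner would keep in mind with this rule. The MAC branch is trivially spoofed (anyone can copy the lobby printer's address), so in a real deployment the "mac-whitelist" verdict would usually land the port on a restricted VLAN rather than the same network as domain members. And the "domain-member" branch is only as strong as the 802.1x method behind it: a machine certificate (EAP-TLS) or machine-account PEAP authentication proves the device is managed; a user credential does not, which is why the example deliberately refuses to treat `alice@corp.example` as a managed device.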

Answers

  • Hi Rob,

     

    I just wanted to be clear on your second question about a zero-day worm. I'm not aware of any technology that can provide complete protection from such a worm, including NAP.

     

    NAP helps you keep systems up to date and assists in restricting access to vulnerable systems. It isn't designed as a solution to zero-day worms.

     

    -Greg

    Tuesday, August 28, 2007 5:17 PM

All replies

  • BTW...how does NAC or NAP stop a zero day worm emanating from a trusted system?

     

    Rob John

     

    Friday, August 24, 2007 3:15 AM
  • Hi, Rob,

     

    Thanks for your comments.

     

    NAP is not really intended to be a comprehensive security solution by itself. However, it does help to encourage better security practices, which can have a significant impact. I think this is what you are saying in part of your comments.

     

    One of the advantages of NAP is that the level and type of health enforcement you deploy is very flexible and up to the administrator. For example, if part of your network is at higher risk, perhaps due to laptops that are exposed to unmanaged environments frequently, you can enforce more strict policies here. If there is no need for complex policies, then NAP can be pretty simple to implement.

     

    The policies you enforce and applications that you use with NAP will determine your ability to mitigate worms and other malicious software that has either gained access, or is trying to gain access.

     

    -Greg

     

    Friday, August 24, 2007 4:43 PM