Chapter 4. Understanding the Need for LAN-Based NAC/NAP

– Ty Webb

A flute without a hole is not a flute. A donut without a hole is a Danish.

NAC and NAP are some of the hottest buzzwords out there today. While most companies have at least heard of them, those that are actually implementing the solutions are doing so for a reason. Unless they are different from the IT and security departments I talk to, they aren't implementing these solutions because they are just sitting around looking for things to do. Following are a few reasons why companies look at these solutions:

• The need to adhere to compliance regulations

• Failing a security audit

• Being directly affected by a security breach or loss of data

• Proactively realizing the need to increase security

Most of these reasons are fairly straightforward. Somebody within the organization, or hired by the organization, says that NAC-type solutions will help. As a result, the NAC project gets started.

These reasons can hold true as reasons to implement many different types of security projects, not just to NAC-type solutions. So, why do companies actually turn to NAC to solve their needs, and what exactly is NAC protecting against? You may be surprised that a number of companies that I've spoken to don't really know exactly what they are protecting against. That is one of the main purposes of this chapter.

NAC, NAP, and Mobile NAC can play a key role in an enterprise's security strategy. These solutions can also help companies mitigate risks and be a great fit to address their security concerns. This chapter outlines the specific risks, vulnerabilities, and exploits that can be addressed by the various types of NAC/NAP solutions. I'll show actual hacking steps and exploits and exactly how they are stopped with these solutions. This will give you the necessary knowledge to realize your own vulnerabilities and how they can be addressed.

Another key reason for this chapter is that it can act as ammunition. Sometimes, different people in an organization need to be convinced that there is a problem and that it needs to be addressed. Showing these types of people the actual exploits from this chapter can act as that ammunition to move the NAC/NAP project forward. In fact, the purpose of many of my presentations at security shows, in front of prospects, in written articles, or in educational hacking videos is for that very point. Make the risks real by showing the actual exploits and show how they can be fixed with security solutions.

Also, the hacks are pretty cool!