5.1. What's the Primary Need?

The primary need for Mobile NAC is easy to understand. LAN-based NAC isn't designed to address mobile devices while they are mobile, that is, while they are off the corporate LAN, so something else needs to perform that function. That something else is Mobile NAC.

There's an interesting true story about something that happened to me last week. Often, I get asked to speak at various security events. Some of these events are big, with hundreds of people attending the presentation, and sometimes these events are quite small. Last week, I was asked to speak at a chapter of a security organization. There were about 30 people present. This was the kind of event where security people from different companies get together once a month, share ideas, listen to people present, and pick up credits for their Certified Information Systems Security Professional (CISSP) certification. I looked forward to the event, because a smaller group like this can lead to some great interaction.

The focus of my presentation was the threats to mobility from an ethical hacking perspective. In the presentation, I talked about how mobile devices are more prone to attack, and more vulnerable, than stationary desktop systems (as I'll also discuss in detail in this chapter). I then followed up by describing the various technologies that can be used to help address these threats.

In particular, I used specific examples of how companies can misunderstand the security functionality of products and how this misunderstanding can lead to gaps in security coverage. Specifically, I mentioned the blindspot that mobile devices can fall into when they are mobile, and how LAN-based NAC solutions aren't designed to protect these devices as they are mobile. I mentioned a few LAN-based NAC solutions by name and noted how they could do a fine job of helping to protect the LAN. I did point out, however, that they would not remediate deficiencies in mobile devices as they are mobile. For example, I stated that a laptop missing a critical Microsoft patch wouldn't receive that patch until that laptop either physically came onto the LAN, or VPN'd into the corporate network. This would leave that laptop vulnerable to exploitation while it was mobile, which is a huge vulnerability for many organizations, and I stressed this fact.

After the presentation, I stuck around for a while to talk to local members of the chapter. I like talking to other security people because it's a great way to learn. During this time, a representative from the organization came up to me and my colleague and said that a person in the audience had issues with portions of my presentation. I was admittedly shocked when I was approached, and replied that I certainly did want to be corrected if I had misspoken or stated anything that was false. This was the first time I had ever been approached in this manner, and I was taking it quite seriously. A few moments later, the representative came back to me with the reason why this person was so upset.

The representative said this particular person was a salesperson for one of the LAN-based NAC companies I had mentioned in the presentation. (I'm still not certain why this salesperson didn't approach me directly.) This salesperson was very upset with the fact that I stated their LAN-based NAC solution would not remediate mobile devices as they are mobile. As the local chapter representative told me this, a chapter member who sat through the presentation reaffirmed that this particular LAN-based NAC solution doesn't provide that functionality. I also restated that their solution actually doesn't provide this functionality, and that the salesperson had no reason to be upset. I wasn't bashing her company; in fact, I commented that her company had a fine LAN-based NAC solution. I was just saying that the solution wasn't designed for mobile devices as they are mobile, and many companies seeking a NAC solution don't recognize this fact.

That was actually one of the main points of my presentation — knowing what threats the security solutions actually address. The chapter representative (who is also a salesperson, by the way) then stated that I should not have said this in my presentation. I immediately mentioned that what I stated was factual, not said with malicious intent, and that pointing out this difference between LAN-based NAC and Mobile NAC was a key element of my presentation. The representative stated again that this fact should not have been mentioned. I politely replied that I was relieved I didn't say anything false or incorrect, and afterward, my colleague and I got a good laugh at this ridiculous confrontation.

So, there are a number of things that can be learned from this story:

  • There are key differences between LAN-based NAC and Mobile NAC, and these differences will often be blurred.

  • Understanding these differences is key to providing an appropriate security solution to meet your needs.

  • Get the objective facts on how a prospective NAC solution works. Don't rely on what you're being told by a salesperson, or hearing via the grapevine. (You'll get this info in later chapters of this book.)

  • Evidently, it's bad form to point out differences in various security solutions to other security engineers if salespeople are present.
