9.3. Help! My Machine Is Infected!

When endpoint security scans reveal that machines are out of compliance with security policies, you can deal with the issue in several ways:

  • Device remediation: Includes any process that's designed to correct the issue on the machine before allowing that machine full network access

  • Device quarantine: Describes processes that restrict access to the network — either wholly or partially — for either the duration of the session or until the machine corrects the issue

NOTE

Most NAC solutions offer some form of remediation, as well as some form of quarantine.

9.3.1. Remediate

Remediation comes in two flavors:

  • Automatic remediation: A NAC system's ability to repair or correct issues identified on an endpoint machine without end-user intervention

    Common types of automatic remediation include

    • Enabling a personal firewall

    • Updating an antivirus application

    • Applying operating system or application patches to an endpoint system

    When a NAC system uses these schemes, the system automatically fixes a machine when it's out of compliance, instead of burdening the end user with instructions about how to solve system issues.

  • Manual remediation: Puts the task of correcting machine deficiencies in the hands of the end user.

    Although a successful NAC implementation should remove the end user from as much interaction as possible, you sometimes can't avoid it. In these cases, NAC vendors generally provide tools that make the task easy for end users. For example, many NAC products let you customize the messages that end users see when they're out of compliance, replacing or supplementing the system-generated text with wording that your particular user population will understand.

Regardless of the remediation type that your NAC solution uses, the typical process asks the user to wait until the NAC system remediates his or her machine before granting network access. In some cases, the user can access the network in quarantine (as discussed in the section "To quarantine or not to quarantine, that is the question," later in this chapter) until either automatic or manual remediation repairs the machine.

After a machine is successfully remediated, it's removed from quarantine, and the user gains full access to the network, according to his or her role restrictions. Keep this remediation time in mind when designing your NAC implementation. You probably don't want to force users to wait for 20 minutes while their antivirus applications perform full system scans of their entire file systems.

Issues that resolve quickly, such as enabling a personal firewall, belong in the short-wait category. Other issues call for another strategy; for example, if you require an antivirus full-system scan, you might start the scan but not wait for its results before allowing the user onto the network.

Figure 9-3 shows a sample manual remediation instructions screen from a leading vendor's implementation.

Figure 9.3. Sample remediation instructions that a user might see

9.3.2. Make mine an automatic

Employ automatic remediation whenever possible because an end user can find the task of repairing or altering a machine complex and challenging. We've seen hundreds of end users who can't even identify the antivirus icon in their Windows System Tray, let alone get through the task of updating virus signatures or enabling real-time protection. Automatic remediation has limits, however: many NAC solutions can fix an existing antivirus application, but they can't deliver and install a new AV application if one doesn't already exist on the endpoint machine, so someone must do that installation manually.

NOTE

In general, your end users need only to get their jobs done, not know how to interface with complex NAC technologies. You have to ensure that a user's machine is patched and up to date. Fall back on manual remediation only when necessary — such as when a user's machine is an unmanaged, non-compliant device or when automatic remediation provided by your NAC vendor doesn't cover the issue in question.

9.3.3. To quarantine or not to quarantine, that is the question

This Shakespearian dilemma is one of the biggest questions facing IT professionals who want to roll out NAC in their networks, and it could be the single biggest decision you make when planning your implementation.

NOTE

Security is essential, but not at the expense of user productivity. Implementing the wrong policy can leave your CEO locked out of the network, and you might find yourself locked out of the building.

Luckily, the NAC vendors provide you with options.

If repeated attempts at remediation fail, you need to decide how the inability to remediate the system should affect the user's access to the network. In the most extreme cases, organizations lock these users out of the network altogether, keeping them from spreading infections but at the same time potentially keeping them from their normal jobs. Here are your policy options:

  • Place the device in a temporary quarantine. You might restrict access while the machine updates itself via a patch management server, for example. After the machine fully patches itself (hopefully after a very brief delay), NAC reevaluates the access control policy and grants the user full access.

  • Provide access, but in a more restricted fashion. For example, an employee who accesses network resources from his or her corporate-owned laptop might have full access to e-mail, the intranet, and some sensitive financial data. That same employee coming in by using his or her Windows Mobile smartphone, however, might have access only to e-mail and the intranet, not the financial records.

  • Implement network security policies based on machine state. For example, a contractor's machine might be in violation of your policies because it doesn't run an antivirus program. Because you don't own and manage this machine, you might not be able to add software to it. Instead, you might map this contractor to an access control policy that pushes all his or her traffic through an intrusion prevention system (IPS) device or a network-based antivirus scanning engine, which other traffic doesn't have to go through. This flexible type of policy allows workers to be productive without your network losing security.

These examples outline typical quarantine scenarios for different users in your network:

  • Compliant employee: Shown in Figure 9-4, the user, who's a member of the Finance group, has passed all the host check policies. In this case, the user gets access to the Internet, as well as to all corporate resources, including the Finance servers.

  • Non-compliant guest: Shown in Figure 9-5, the user is a guest on the network and has failed all host checks. This guest can access the Internet but can't access any corporate resources.

  • Compliant contractor: Shown in Figure 9-6, the user is a contract employee who uses a machine that has passed all the host check requirements. This user can access the Internet, as well as some corporate resources, but not the Finance resources.

  • Non-compliant contractor: Attempts to access the network, but his or her machine has failed the host checks. In Figure 9-7, the contractor has access only to the Internet and can't access protected corporate resources.

    Figure 9.4. Scenario one

    Figure 9.5. Scenario two

    Figure 9.6. Scenario three

    Figure 9.7. Scenario four
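The following script is an added example, not code from this book or from any NAC vendor's product. It shows one way to express the decisions discussed above in a small policy engine: host checks are marked as blocking (the user waits for remediation) or non-blocking (started but not awaited, like a full AV scan), the engine counts remediation attempts, and it maps the four scenarios (compliant Finance employee, non-compliant guest, compliant contractor, non-compliant contractor) plus the "route an unmanaged contractor through an IPS" option to an access decision. The check names, role names, resource names and the three-attempt limit are assumptions made for the example.

```python
# Added example: a toy NAC access-policy engine. Illustrative only; check names,
# roles, resource names and MAX_REMEDIATION_ATTEMPTS are assumptions, not any
# vendor's policy model.
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    FULL = "full"              # everything the role is entitled to
    RESTRICTED = "restricted"  # Internet only; the user is told how to fix the machine
    QUARANTINE = "quarantine"  # remediation network only; re-evaluated after the fix
    INSPECTED = "inspected"    # role resources, but all traffic forced through an IPS


@dataclass(frozen=True)
class HostCheck:
    name: str
    blocking: bool             # must pass (or be fixed) before access is granted
    auto_fix: bool             # the NAC agent can fix it without the end user
    inspectable: bool = False  # a failure can be compensated by network-side scanning


# Constructed check set. The full AV scan is non-blocking: it is started but not
# awaited, so users are not parked in quarantine for a 20-minute scan.
CHECKS = (
    HostCheck("firewall_enabled", blocking=True, auto_fix=True),
    HostCheck("av_installed", blocking=True, auto_fix=False, inspectable=True),
    HostCheck("av_signatures_current", blocking=True, auto_fix=True, inspectable=True),
    HostCheck("os_patched", blocking=True, auto_fix=True),
    HostCheck("av_full_scan_clean", blocking=False, auto_fix=True),
)

# Resources each role may reach when its machine is compliant (assumed).
ROLE_RESOURCES = {
    "finance": {"internet", "email", "intranet", "finance"},
    "employee": {"internet", "email", "intranet"},
    "contractor": {"internet", "email", "intranet"},
    "guest": {"internet"},
}
MAX_REMEDIATION_ATTEMPTS = 3  # assumed limit on automatic remediation retries


@dataclass
class Posture:
    role: str
    managed: bool              # corporate-owned, so the agent may install and patch
    results: dict              # check name -> True if the check passed
    remediation_attempts: int = 0


@dataclass
class AccessResult:
    decision: Decision
    resources: set
    auto_remediate: list = field(default_factory=list)    # agent fixes these
    manual_remediate: list = field(default_factory=list)  # user is told to fix these


def evaluate(p: Posture) -> AccessResult:
    """Map (role, managed?, host-check results, retry count) to an access decision."""
    entitled = set(ROLE_RESOURCES.get(p.role, ROLE_RESOURCES["guest"]))  # unknown role = guest
    failed = [c for c in CHECKS if not p.results.get(c.name, False)]
    blocking = [c for c in failed if c.blocking]
    background = [c.name for c in failed if not c.blocking]

    if not blocking:
        # Compliant, or only non-blocking checks failed: grant access now and let
        # background remediation (for example, the full scan) run afterwards.
        return AccessResult(Decision.FULL, entitled, auto_remediate=background)

    fixable = p.managed and all(c.auto_fix for c in blocking)
    if fixable and p.remediation_attempts < MAX_REMEDIATION_ATTEMPTS:
        # Temporary quarantine: only the remediation/patch server is reachable,
        # and the policy is re-evaluated once the agent reports success.
        return AccessResult(Decision.QUARANTINE, {"remediation_server"},
                            auto_remediate=[c.name for c in blocking] + background)

    if not p.managed and p.role == "contractor" and all(c.inspectable for c in blocking):
        # We cannot push software to a contractor's machine, so compensate by
        # routing its traffic through an IPS / network AV engine instead of blocking.
        return AccessResult(Decision.INSPECTED, entitled,
                            manual_remediate=[c.name for c in blocking])

    # Repeated remediation failed, or the device is one we cannot fix:
    # Internet only, plus instructions for the user.
    return AccessResult(Decision.RESTRICTED, {"internet"},
                        manual_remediate=[c.name for c in blocking])


if __name__ == "__main__":
    passed = {c.name: True for c in CHECKS}
    scenarios = {
        "compliant finance employee": Posture("finance", True, passed),
        "non-compliant guest": Posture("guest", False, {}),
        "compliant contractor": Posture("contractor", False, passed),
        "contractor without AV": Posture("contractor", False, {**passed, "av_installed": False}),
        "employee, firewall off": Posture("employee", True, {**passed, "firewall_enabled": False}),
    }
    for label, posture in scenarios.items():
        r = evaluate(posture)
        print(f"{label:28} -> {r.decision.value:10} {sorted(r.resources)} auto={r.auto_remediate} manual={r.manual_remediate}")
```

The order of the branches is the policy: a device you manage gets a bounded number of automatic fixes in quarantine, an unmanaged contractor machine with only AV-related failures is allowed through under inspection, and everything else falls back to Internet-only access with manual instructions, which is the outcome Figures 9-5 and 9-7 show for the non-compliant guest and contractor.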