14.3. Extending NAC on the Endpoint

NAC solutions are quickly driving towards a more complete integration across the entire network. The preceding sections focus on extending NAC into the traditional network and security infrastructure. But extending NAC to the endpoint also has some merits because all NAC solutions provide some form of endpoint integrity inspection by scanning endpoint devices to ensure that the appropriate antivirus, personal firewall, anti-malware, and other standard endpoint security suites are installed and running. Although most enterprises can meet all of their endpoint integrity needs by using this kind of inspection, you might have more specialized needs.

Client-side open standards and APIs allow the NAC vendor's endpoint integrity agent to scan the endpoint for software and posture attributes that your vendor's NAC solution might not check natively. For example, although your NAC vendor might provide a native ability to scan for and remediate missing operating-system patches, your team might have already spent considerable time and money on your own chosen patch remediation solution. By using APIs (including the Trusted Computing Group's Trusted Network Connect and Microsoft's NAP SHA/SHV APIs), you can work with your patch vendor, or on your own, to create scans that are fully integrated into the NAC endpoint-integrity inspection engine.

By extending NAC on the endpoint, you create a native solution that combines most of what you need and provides you with the ability to extend that solution further to address your specific needs.

NOTE

Don't craft a security policy that's constrained to the limitations of available vendor solutions; instead, begin with a set of policies that meet the needs of your organization, and then choose the solution that best meets those needs.

14.3.1. Disk encryption integration

In a business environment that has increasingly mobile users accessing data from an ever-expanding range of devices, disk encryption becomes a great tool to help prevent data theft from lost or stolen machines.

Tens of thousands of laptops are lost or stolen each year in places such as airports, coffee shops, taxis, and other public areas. Those same laptops often contain a wealth of important information — many high-profile cases have involved the loss of machines that contained credit card numbers, Social Security numbers, and other sensitive data. If the organizations involved had protected these machines by using encrypted disks, they could have greatly reduced the concerns over that data loss or theft.

As these solutions become more popular, NAC vendors will probably provide native checks to ensure that a machine has disk encryption software installed and that the software is actively encrypting the disk.

In the meantime, the extensibility of NAC allows it to provide custom checks on the endpoint that ensure every applicable laptop complies with your disk encryption policies.


14.3.2. Data leakage prevention integration

The jury is still out on data leakage prevention (DLP) solutions. Vendors have come a long way in recent years in terms of their ability to effectively fingerprint and identify sensitive corporate data without requiring each customer to maintain a team of people to keep the solution up to date and effective. Most of these solutions incorporate a network-based component, as well as an endpoint-based client component. By using NAC, you can ensure that your DLP solution is actively protecting each endpoint on the network, minimizing the risk of data leakage or data theft.

These types of solutions sometimes overlap with other solutions discussed in this chapter — including solutions such as disk encryption (which we talk about in the preceding section) and peripheral protection (as discussed in the following section). NAC can help you achieve your data loss and theft prevention goals, regardless of the approach that your organization takes.

Figure 14-5 illustrates some of the many ways that users can leak data from an organization, which should help explain why these types of solutions matter and how they can help to minimize the potential for data leakage. Most DLP solutions also include a network component that scans and fingerprints data while that data traverses the network, further expanding the scope and protection of the system.

Figure 14.5. How users can leak data.

14.3.3. Peripheral protection suite integration

USB drives provide very convenient ways to store and move data in a portable format. As a result, an enormous number of users rely on them not only for their personal data storage, but also for storing sensitive corporate data — a practice that most enterprises see as quite risky. This problem doesn't stop at USB drives, however.

Think about how many devices and media in a typical power user's arsenal have the capacity to remove data from the device:

  • Many mobile phones, PDAs, and smartphones have storage media on which you can place data.

  • Music players (iPods and other MP3 players, for example) have also become high-capacity mobile storage devices.

  • Digital cameras are another great example.

Beyond these types of devices, you can also find a variety of media cheaply available. CDs and DVDs are inexpensive and popular, and most computers sold today have the ability to write data to CDs or DVDs. Printers are another source of potential data leakage from an organization.


The huge explosion of portable devices and media represents an increased potential for data to leak, or for someone to remove or steal that data, from your organization. As a result, you might already use some sort of endpoint software that provides you the ability to control usage of these types of devices and media. NAC vendors will likely respond to this market need by providing native integration if and when these peripheral protection suites become more popular.

In the meantime, you might consider extending your NAC implementation on the computers connecting to your network to provide greater value to your organization and ensure that you minimize your data leakage concerns.

14.3.4. Virtual sandbox desktop virtualization integration

The explosion of new types of devices into corporate networks has resulted in what some are calling the consumerization of IT, meaning that end users are demanding more choices than ever before in the type of devices that they use to complete their work. Control over managing these devices has gradually shifted away from the IT department and towards the end users. Although many organizations have retained their control over managed machines, others have ceded some level of control over the purchase decision and the management of productivity devices to end users.

In these types of environments, an emerging kind of endpoint software is gaining in popularity. These software packages use virtualization technologies to create secure sandboxes on devices of the user's choice, and those sandboxes contain all corporate data and applications.

For example, a user purchases his or her own Microsoft Windows laptop, then installs a broad range of personal applications, in addition to those applications required for his or her job. By using these application or desktop virtualization technologies, the IT department can install on this machine a separate, virtualized machine that stores all work-related data and applications, and in which the user must perform all his or her work-related tasks. Virtualization software makes the virtual machine itself completely separate from the user's personal partition, typically encrypts or otherwise secures the virtual machine, and includes mechanisms that prevent data leakage or movement from one partition on the system to the other.

Organizations that deploy these types of solutions need to ensure that the user is really working from within the encrypted sandbox environment for the duration of his or her session, which you can do by extending your NAC deployment to perform the necessary scanning.

NOTE

Don't confuse these computer-based desktop virtualization solutions with hosted virtual desktop environments, which have also become popular in recent years. In virtual desktop environment solutions, the data and applications remain in the datacenter, and the end user connects to the desktop via a connection such as Remote Desktop Protocol (RDP).

14.3.5. Patch management and remediation integration

NAC was first used to determine whether machines on the corporate network were running the appropriate endpoint security products and whether those machines had been patched with the latest critical operating system and application patches.

Most NAC vendors include these capabilities natively within their solutions, allowing you to scan machines on the network for the presence (or absence) of any type of patch. NAC provides appropriate remediation if the endpoint does not have the necessary patches. But some NAC solutions don't provide this capability. Also, your company may have invested in its own patch management and remediation system, so you may want to use that system in conjunction with your NAC deployment. In these cases, extending NAC allows you to integrate fully with your existing patch management and remediation system and preserve the investment that your organization has already made in that technology.

For example, NAC allows a non-compliant machine on the network to reach the remediation server, most likely by placing the machine in quarantine. The patch management client contacts the server for the appropriate patches, which are then automatically installed on the endpoint machine. After the machine is in compliance, the NAC solution reverses the quarantine decision, and the end user gains the full level of access that he or she would have had from the beginning if the machine had initially passed all the endpoint integrity scans.
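The quarantine-and-remediate flow just described, modelled as an added example (this is not code from the book or from any NAC or patch vendor). The endpoint, the required patch identifiers and the remediation server hostname are all constructed placeholders; a real deployment would take the installed-patch inventory from the vendor's agent and the access decision would be enforced by the network, not by a Python object.

```python
# Added example, not from the book: a minimal model of the NAC quarantine /
# remediation lifecycle. All names and patch identifiers below are constructed.
from dataclasses import dataclass, field

REMEDIATION_SERVER = "patch.example.internal"          # assumed hostname
REQUIRED_PATCHES = {"PATCH-PLACEHOLDER-001",           # constructed placeholder ids,
                    "PATCH-PLACEHOLDER-002"}           # not real patch numbers


@dataclass
class Endpoint:
    name: str
    installed_patches: set = field(default_factory=set)
    access: str = "none"                 # none | quarantine | full
    allowed_hosts: set = field(default_factory=set)


def missing_patches(ep: Endpoint) -> set:
    """Patches the policy requires that the endpoint does not report."""
    return REQUIRED_PATCHES - ep.installed_patches


def assess(ep: Endpoint) -> list:
    """Endpoint integrity scan: full access if compliant, otherwise quarantine
    with reachability limited to the remediation server. Returns what is missing."""
    missing = missing_patches(ep)
    if missing:
        ep.access = "quarantine"
        ep.allowed_hosts = {REMEDIATION_SERVER}
    else:
        ep.access = "full"
        ep.allowed_hosts = {"*"}
    return sorted(missing)


def remediate(ep: Endpoint, catalogue: set) -> list:
    """Simulates the patch client pulling missing patches from the remediation
    server. Works only while that server is reachable at the current access level."""
    if not ({REMEDIATION_SERVER, "*"} & ep.allowed_hosts):
        raise PermissionError("remediation server not reachable from current access level")
    installed = []
    for patch in sorted(missing_patches(ep)):
        if patch in catalogue:           # server may not carry every patch yet
            ep.installed_patches.add(patch)
            installed.append(patch)
    return installed


def onboard(ep: Endpoint, catalogue: set) -> list:
    """Scan, quarantine if needed, remediate, rescan. Returns the access history
    so the caller can see whether the quarantine was lifted."""
    history = []
    if assess(ep):                       # non-compliant: quarantined
        history.append(ep.access)
        remediate(ep, catalogue)
        assess(ep)                       # rescan decides whether quarantine is lifted
    history.append(ep.access)
    return history


if __name__ == "__main__":
    laptop = Endpoint("laptop-01", {"PATCH-PLACEHOLDER-001"})   # constructed endpoint
    print(onboard(laptop, set(REQUIRED_PATCHES)), laptop.allowed_hosts)
```

The second `assess` call is the important step: access is restored only because a fresh scan passes, not because the client claims it installed something. An endpoint whose missing patch the server does not yet carry stays in quarantine after remediation.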

14.3.6. Backup software integration

Because NAC is extensible on the endpoint, you can even use NAC to scan for applications that might not seem like traditional endpoint-security applications. Backup clients, for example, aren't security applications, but you might have a policy that stipulates your organization's managed endpoints must have these applications installed and running.

By extending your NAC deployment on the endpoint, you have the ability to scan for these applications, ensuring that the backup software is backing up important corporate data appropriately.

If the client side of your backup software deployment has a tight integration with the server side, you might even set policies on the backup client, ensuring that it's appropriately configured to back up key corporate application data or other important items, such as a user's locally saved e-mail inbox.


14.3.7. Custom application integration

You can use many NAC solutions to scan for almost anything on an endpoint device.

As with software such as backup clients (discussed in the preceding section), which doesn't necessarily relate to endpoint security, you might consider other applications necessary on machines attached to your network.

  • For example, you might have mobile devices, such as Windows Mobile smartphones, that must have remote-wipe or device-reset software installed before you allow them to connect to the network and access corporate data. By using NAC, you can scan for this type of software, ensuring that you can remotely delete the device memory if the user loses that device.

  • Or maybe you develop some of your own internal endpoint security, data protection, or productivity applications, and you want to ensure that every endpoint has installed these applications and has an up-to-date version running.

By using NAC, you can accomplish your goals beyond simple endpoint security. NAC gives you a fairly easy way to scan for just about any kind of software that you might need installed on an endpoint device. Although some of the ideas mentioned in this section may not fall into the realm of traditional security, you can use them to get more from your NAC investment.

By placing NAC on the endpoint, as well as across the network and security infrastructure, you gain many advantages that more narrowly scoped technologies can't provide.
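The custom endpoint checks this section and the preceding ones describe (disk encryption actively running, the DLP agent present, the backup client configured to cover the local mail store, the work sandbox in use, and an in-house application at a minimum version) can be expressed as a small pluggable posture policy. The following is an added example, not code from the book or from any NAC vendor; the endpoint inventory dictionary, the service and application names, and the policy thresholds are all constructed. In a real deployment a vendor agent (or a TNC or NAP SHA plug-in) would collect the inventory and report the verdict to the policy server.

```python
# Added example, not from the book: a pluggable endpoint posture-check engine.
# The inventory format and every name in it are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class CheckResult:
    name: str
    passed: bool
    detail: str


Check = Callable[[dict], CheckResult]


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def disk_encryption_active(inv: dict) -> CheckResult:
    """Installed is not enough; the volume must be actively encrypted (section 14.3.1)."""
    enc = inv.get("disk_encryption", {})
    ok = bool(enc.get("installed")) and enc.get("status") == "encrypting"
    return CheckResult("disk_encryption", ok, f"status={enc.get('status', 'absent')}")


def dlp_agent_running(inv: dict) -> CheckResult:
    """The DLP endpoint component must be running, not merely installed (14.3.2)."""
    ok = "dlp_agent" in inv.get("running_services", set())
    return CheckResult("dlp_agent", ok, "running" if ok else "not running")


def backup_client_configured(inv: dict) -> CheckResult:
    """Backup agent running and its backup set covering the local mail store (14.3.6)."""
    running = "backup_agent" in inv.get("running_services", set())
    covers_mail = "local_mail_store" in inv.get("backup", {}).get("backup_set", [])
    return CheckResult("backup", running and covers_mail,
                       f"running={running}, covers_mail={covers_mail}")


def sandbox_session_active(inv: dict) -> CheckResult:
    """User must be working inside the corporate virtual sandbox (14.3.4)."""
    ok = inv.get("work_sandbox", {}).get("state") == "running"
    return CheckResult("work_sandbox", ok, "running" if ok else "not running")


def required_app(name: str, minimum: str) -> Check:
    """Factory for 'custom application present at or above version X' checks (14.3.7)."""
    def check(inv: dict) -> CheckResult:
        installed = inv.get("installed_apps", {}).get(name)
        ok = installed is not None and _version_tuple(installed) >= _version_tuple(minimum)
        return CheckResult(f"app:{name}", ok, f"installed={installed}, minimum={minimum}")
    return check


# Constructed policy: the order here is the order failures are reported in.
POLICY: List[Check] = [
    disk_encryption_active,
    dlp_agent_running,
    backup_client_configured,
    sandbox_session_active,
    required_app("corp-dataguard", "2.4.0"),      # hypothetical in-house agent
]


def evaluate(inv: dict, policy: List[Check] = POLICY) -> Tuple[str, List[str]]:
    """Run every check; any failure means quarantine. Returns (verdict, failed names)."""
    results = [check(inv) for check in policy]
    failed = [r.name for r in results if not r.passed]
    return ("compliant" if not failed else "quarantine"), failed


# Constructed inventories, as a vendor agent might report them.
SAMPLE_ENDPOINT: Dict = {
    "disk_encryption": {"installed": True, "status": "encrypting"},
    "running_services": {"dlp_agent", "backup_agent"},
    "backup": {"backup_set": ["documents"]},           # mail store not covered
    "work_sandbox": {"state": "running"},
    "installed_apps": {"corp-dataguard": "2.3.1"},     # below required 2.4.0
}
COMPLIANT_ENDPOINT: Dict = {
    "disk_encryption": {"installed": True, "status": "encrypting"},
    "running_services": {"dlp_agent", "backup_agent"},
    "backup": {"backup_set": ["documents", "local_mail_store"]},
    "work_sandbox": {"state": "running"},
    "installed_apps": {"corp-dataguard": "2.4.0"},
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ENDPOINT))
    print(evaluate(COMPLIANT_ENDPOINT))
```

Each check returns a `detail` string alongside the verdict so that the remediation message shown to the user (or logged for the help desk) says which attribute failed rather than just "non-compliant". Keeping the checks as plain functions means a new requirement, such as remote-wipe software on a mobile device, is one more entry in `POLICY` rather than a change to the engine.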
