3.4. Not So Fast...

Remediation, shown in Figure 3-4, is an optional step in the NAC process.

Some users might never go through remediation if their machines stay in compliance with policies at all times. For example, your desktop deployment group might have a very firm handle on software distributions and can manage to keep all the employee machines on the network patched and up to date. When a user comes onto the network with such a machine, NAC can bypass the entire remediation step, moving right on to enforcement, which you can read about in the following section.

Figure 3-4. The remediation stage.

Optional for any single session, remediation is still one of the most important parts of the NAC lifecycle. In this step, your NAC system gets any compliance issues on the machine corrected so that the user can receive full access to every resource he or she is authorized to use. Properly chosen and deployed remediation makes the difference between a safe, well-managed network and one where machines sit out of compliance and your helpdesk is flooded with calls from frustrated users.

NOTE

You ultimately want to get all your users onto the corporate network with full access to everything that their roles imply they should be able to access. Nobody wants to be the person keeping the CEO from her e-mail simply because her antivirus program is out of date. If users can't get their work done, they either try to circumvent access control restrictions (though hopefully your NAC system can prohibit this action) or call the helpdesk. You don't want either of these scenarios to happen in your organization, but you likely don't have to worry about them if you have a well-designed NAC implementation.

NOTE

Wherever possible, use automatic remediation as the first line of defense for machines that are out of compliance. With this function, your NAC system corrects the issues it finds on the endpoint by itself. For example, if it finds that the antivirus program is out of date, it can start the update mechanism with no end-user interaction; if it finds patches missing, it can direct the machine to retrieve them from the patch server.

Avoid end-user interaction wherever you can, and keep manual remediation, which every NAC system offers, as the backup. Most systems can present users with custom instructions (how to update their antivirus program, for example), but that extra step causes delays and generates helpdesk calls. The authors have seen many deployments in which end users can't even identify which piece of software is their corporate antivirus program, let alone open it, update it, and enable real-time protection! A good guideline for any security policy, NAC or otherwise, is that the less the end user has to do, the better.
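The flow the two notes describe (skip remediation for a compliant endpoint, try automatic fixes first, fall back to manual instructions, then decide on access) as an added Python example. This is illustration code written for this page, not the book's or any NAC product's logic; the posture fields, the three checks, the fixer functions and the constructed patch identifier are all assumptions standing in for what a real agent reports and does.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Posture:
    """Endpoint state as a posture agent might report it (assumed fields)."""
    av_installed: bool
    av_signature_age_days: int
    missing_patches: List[str] = field(default_factory=list)
    firewall_enabled: bool = True


@dataclass
class Check:
    name: str
    passes: Callable[[Posture], bool]
    auto_fix: Optional[Callable[[Posture], bool]]  # True if the fixer could act
    manual_steps: str                               # shown only when auto-fix fails


# --- checks and their automatic fixers (hypothetical policy) -----------------
def av_ok(p: Posture) -> bool:
    return p.av_installed and p.av_signature_age_days <= 7


def update_av(p: Posture) -> bool:
    # Assumption: the agent can trigger the AV updater but cannot silently
    # install a missing product, so that case must go to manual remediation.
    if not p.av_installed:
        return False
    p.av_signature_age_days = 0
    return True


def patches_ok(p: Posture) -> bool:
    return not p.missing_patches


def pull_patches(p: Posture) -> bool:
    p.missing_patches.clear()   # models a successful pull from the patch server
    return True


def firewall_ok(p: Posture) -> bool:
    return p.firewall_enabled


def enable_firewall(p: Posture) -> bool:
    p.firewall_enabled = True
    return True


CHECKS = [
    Check("antivirus", av_ok, update_av,
          "Open the corporate antivirus console, click Update, and turn on real-time protection."),
    Check("patches", patches_ok, pull_patches,
          "Run the operating system updater and install all pending updates."),
    Check("firewall", firewall_ok, enable_firewall,
          "Turn the host firewall on in the system security settings."),
]


@dataclass
class Decision:
    access: str             # "full" or "restricted" (quarantine/remediation network)
    auto_rounds: int        # remediation rounds that ran; 0 means the step was skipped
    auto_fixed: List[str]   # checks corrected without user interaction
    manual: Dict[str, str]  # check name -> instructions the user still has to follow


def failing(p: Posture, checks: List[Check]) -> List[Check]:
    return [c for c in checks if not c.passes(p)]


def admit(p: Posture, checks: List[Check] = CHECKS, max_rounds: int = 2) -> Decision:
    """Assess, auto-remediate (bounded), then decide enforcement. Mutates p."""
    fixed: List[str] = []
    rounds = 0
    remaining = failing(p, checks)
    # A compliant machine never enters the loop: straight on to enforcement.
    while remaining and rounds < max_rounds:
        rounds += 1
        for c in remaining:
            if c.auto_fix and c.auto_fix(p):
                fixed.append(c.name)
        # Re-run the checks instead of trusting the fixer's return value.
        remaining = failing(p, checks)
    manual = {c.name: c.manual_steps for c in remaining}
    return Decision("full" if not remaining else "restricted", rounds, fixed, manual)


if __name__ == "__main__":
    # Constructed sample endpoints.
    print(admit(Posture(av_installed=True, av_signature_age_days=1)))
    print(admit(Posture(True, 30, missing_patches=["KB0000001"])))
    print(admit(Posture(av_installed=False, av_signature_age_days=99, firewall_enabled=False)))
```

Two design points carry over to real deployments: the loop re-assesses posture after every round rather than believing a fixer that reports success, and the round count is bounded so a fix that keeps failing (the missing antivirus here) ends in restricted access with instructions rather than an endless remediation cycle.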
