3.6. We're Watching You

After you allow users and machines onto the network, you need to ensure that they remain in compliance with the policies that they passed in order to get on the network.

Implementing a security solution such as network access control is pointless if you check for policy compliance only at the very beginning of the session. That's like the highway patrol checking for speeders at the on-ramp and then assuming that everyone stays under the speed limit for the rest of the freeway.


The final phase — monitoring — comes into play when you want to make sure that everyone stays compliant.

When NAC monitors your network, it continually watches users and endpoints for changes in their compliance status, as shown in Figure 3-6.

  • If a user switches off his or her personal firewall or antivirus application, your NAC system should be able to detect that change and react accordingly, for example by moving the endpoint to a remediation network until the setting is restored.

  • Perhaps your operating-system vendor has just released a critical patch for a serious vulnerability. After IT pushes the patch to all managed systems, your NAC system should let you roll out a policy that checks for that patch, so that you can confirm that every endpoint has actually installed it.

    Figure 3.6. Monitoring your NAC solution.

You can choose from two primary types of monitoring:

  • Time-based: Scans the system at an administrator-defined interval and makes adjustments when it finds changes

  • Event-driven: Actively watches the system and reacts immediately to any changes

In general, you want monitoring that reacts to a change as quickly as possible, which is what event-driven monitoring does. But you may not always be able to deploy it, most often because of endpoint performance: an agent that watches for every change can consume more resources on the endpoint than a periodic scan does, which matters on older or less powerful systems. Make this determination on a case-by-case basis, and keep in mind that with time-based monitoring the worst-case time to notice a change is the full scan interval.


Through one mechanism or another, watch the important policies that you roll out so that you can ensure that your end users and machines stay in compliance throughout their sessions.

When the monitoring component of your NAC system detects a change in status, that information should feed directly back into a change in access control or remediation for the endpoint. At that point the NAC lifecycle essentially starts over and runs through its first four steps again, so the process happens not only at the beginning of the session but continually throughout every user's and machine's time on the network.
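The two monitoring styles above and the feedback into access control can be made concrete with a small simulation. The following is an added example written for this chapter, not code from the book or from any NAC product: it models an endpoint's posture over one session, re-evaluates a set of policies either on a fixed interval or on each reported change, and turns a change in compliance status into an access decision. The policy names, the posture fields, the "full" and "remediation" decisions, the patch identifiers and the timeline are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


# Constructed posture record: what the endpoint agent reports about itself.
@dataclass(frozen=True)
class Posture:
    firewall_on: bool
    antivirus_on: bool
    patches: frozenset  # identifiers of installed patches (assumed format)


Policy = Callable[[Posture], bool]

# Assumed baseline policies checked at admission and during the session.
BASE_POLICIES: Dict[str, Policy] = {
    "firewall_enabled": lambda p: p.firewall_on,
    "antivirus_enabled": lambda p: p.antivirus_on,
}


def require_patch(patch_id: str) -> Policy:
    """Policy rolled out after IT pushes a critical patch: endpoint must report it installed."""
    return lambda p: patch_id in p.patches


def failed_policies(posture: Posture, policies: Dict[str, Policy]) -> List[str]:
    """Names of the policies the endpoint currently fails (empty means compliant)."""
    return [name for name, check in policies.items() if not check(posture)]


def decide_access(failed: List[str]) -> str:
    """Enforcement step: compliant endpoints keep full access, anything else is remediated."""
    return "full" if not failed else "remediation"


class Monitor:
    """Tracks each endpoint's access decision and reports only real changes in status."""

    def __init__(self, policies: Dict[str, Policy]):
        self.policies = dict(policies)
        self.decisions: Dict[str, str] = {}  # endpoint -> current access decision
        self.events: List[Tuple[str, str, List[str]]] = []  # audit trail of changes

    def add_policy(self, name: str, policy: Policy) -> None:
        self.policies[name] = policy

    def reevaluate(self, endpoint: str, posture: Posture) -> Optional[str]:
        """Shared core of both modes. Returns the new decision only when it changes;
        that change is what feeds back into access control or remediation."""
        failed = failed_policies(posture, self.policies)
        decision = decide_access(failed)
        if self.decisions.get(endpoint) != decision:
            self.decisions[endpoint] = decision
            self.events.append((endpoint, decision, failed))
            return decision
        return None


Timeline = List[Tuple[int, Posture]]  # (seconds since login, posture from then on)


def posture_at(timeline: Timeline, t: int) -> Posture:
    """Posture in effect at time t: the latest change that happened at or before t."""
    current = timeline[0][1]
    for when, posture in timeline:
        if when <= t:
            current = posture
    return current


def run_time_based(monitor: Monitor, endpoint: str, timeline: Timeline,
                   interval: int) -> List[Tuple[int, str]]:
    """Time-based monitoring: scan at t = 0, interval, 2*interval, ...
    A change is noticed only at the next scan after it happens."""
    detections = []
    t = 0
    while t <= timeline[-1][0] + interval:
        decision = monitor.reevaluate(endpoint, posture_at(timeline, t))
        if decision:
            detections.append((t, decision))
        t += interval
    return detections


def run_event_driven(monitor: Monitor, endpoint: str,
                     timeline: Timeline) -> List[Tuple[int, str]]:
    """Event-driven monitoring: the agent reports each change the moment it happens."""
    detections = []
    for t, posture in timeline:
        decision = monitor.reevaluate(endpoint, posture)
        if decision:
            detections.append((t, decision))
    return detections


def demo_timeline() -> Timeline:
    """Constructed session: compliant at login, firewall switched off at 130 s,
    switched back on at 400 s."""
    ok = Posture(firewall_on=True, antivirus_on=True, patches=frozenset({"KB-1"}))
    fw_off = Posture(firewall_on=False, antivirus_on=True, patches=frozenset({"KB-1"}))
    return [(0, ok), (130, fw_off), (400, ok)]


if __name__ == "__main__":
    tl = demo_timeline()
    print("time-based (300 s):", run_time_based(Monitor(BASE_POLICIES), "laptop-1", tl, 300))
    print("event-driven:      ", run_event_driven(Monitor(BASE_POLICIES), "laptop-1", tl))
```

With a 300-second scan interval the time-based run quarantines the laptop at t = 300 and restores it at t = 600, while the event-driven run reacts at t = 130 and t = 400, which is the latency trade-off the text describes. Adding a `require_patch` policy to a running `Monitor` shows the second bullet above: an endpoint that was compliant a moment ago drops to remediation on its next evaluation until it reports the patch installed.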
