11.2. Evaluation Before Enforcement

When you expand your NAC deployment and begin requiring user authentication and endpoint inspection over a huge number of end users, you don't want the NAC system to block the CEO from accessing her e-mail simply because her machine isn't adequately patched or her antivirus software is out of date.

After you finish the proof of concept and pilot test, both of which involve only a limited number of end users, you need to push the proposed NAC policies to the rest of the organization so that you can truly assess the impact of NAC across the production environment. If you don't know what's going to happen when you flip the switch, do a broad test run. Many organizations simply don't have a firm grasp of the overall state of the machines on their networks. In many cases, multiple groups are responsible for desktop management, each with their own organizational policies and management tools. In other cases, a large number of partners, contractors, and customers run unmanaged devices on the network.

NOTE

People really become nervous when they don't have the appropriate strategy in place to keep their machines updated. Follow the processes outlined in this chapter, and throughout the entire book, and you will have nothing to worry about when rolling out NAC!

Even if you're confident about how well the rollout will work, best practices dictate a slow introduction of NAC into your corporate network.


Luckily, NAC vendors have responded to the need to verify in advance how users and the network will respond to NAC policies by offering an evaluation mode that lets you transition to NAC more smoothly. First, run your NAC deployment in an evaluation-only mode prior to the initial rollout so that you can see what kind of situation you really have with respect to desktop management. During this phase, answer these questions:

  • Are the organization's managed devices patched and up to date?

  • When machines are out of date, do the appropriate manual and/or automated remediation mechanisms fix any issues?

  • Have you chosen the appropriate managed machine policies for endpoint integrity to serve the entire range of machines on the network?

  • How many unmanaged machines run on your network?

  • Can these unmanaged machines pass the acceptable endpoint integrity policies that you intend to put into place?

  • What policy will you enforce for unmanaged machines that aren't in compliance?

  • Do manual and/or automated remediation mechanisms work for these unmanaged devices?

  • Will any machines out there (such as mobile devices) not work properly with the NAC solution that you're evaluating?

  • How does the chosen solution allow network access for devices that have no user involvement, such as a printer, networked HVAC system, or video-conferencing system?

NOTE

Take a deep look at the reporting and logging capabilities available within your NAC solution. Knowing these capabilities can help you determine whether the native capabilities of the NAC solution are sufficient to meet your needs or you need additional functionality through a third-party tool.

NAC solutions vary in the number of pre-defined reports they provide to meet requirements such as compliance, management reporting, and technical challenges. In general, however, NAC solutions tend to fall into one of two categories:

  • Include a full, integrated reporting engine.

  • Have no native reporting capabilities but can offload to a third-party reporting engine that provides this functionality.

Evaluate-only mode

Evaluating before enforcing means that you install the NAC solution in some or all areas of the network and have the agreed-upon policies running, but NAC doesn't take actions on end user sessions if the devices do not meet the policy requirements.

For example, if you're scanning to find out whether endpoint machines have the appropriate operating system patches, antivirus applications, and personal firewalls, create those policies in the system but take no action if they fail. Later, when you actually begin enforcing these policies, you might decide to start taking actions, ranging from automatically remediating the endpoint software to using quarantine or network restriction mechanisms that alter resource access on the network.

You can run evaluate-only mode for any amount of time, depending on what the organization needs and the amount of work that you have to do in order to get the various components NAC-ready for fully enforced deployment. Your company might already have fully managed machines that are patched and running the appropriate software. In that kind of situation, evaluation mode lasts a very short amount of time. In other cases, a wide range of different types of devices might be on the network, and each device has a different security posture. If that's the case, you might want to spend more time either correcting machine issues or working to deploy a more consistent strategy for desktop management.


Whatever kind of NAC solution you have, be sure to get the appropriate level of visibility. When you evaluate policies, use the provided reporting tools rather than sorting through thousands of log entries to determine how many of your machines are failing the planned NAC policies. These reporting tools, whether part of the NAC solution or provided through a third-party reporting tool, give you an at-a-glance view of overall network health, as well as an easy way to identify out-of-compliance machines.
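As an added illustration (not from the book or any particular NAC product), the following Python model shows the evaluate-only versus enforce distinction from the "Evaluate-only mode" section and the at-a-glance compliance summary described above. The posture records, policy names, and the actions (remediate, quarantine) are constructed assumptions; a real NAC system would get posture from its agents or scanners.

```python
from collections import Counter

# Constructed sample posture records, as a NAC agent or scanner might report them.
# None means the check could not run (e.g. an agentless printer) and counts as a failure.
ENDPOINTS = [
    {"host": "ceo-laptop", "managed": True,  "os_patched": False, "av_current": False, "fw_on": True},
    {"host": "fin-desk01", "managed": True,  "os_patched": True,  "av_current": True,  "fw_on": True},
    {"host": "vendor-nb",  "managed": False, "os_patched": True,  "av_current": False, "fw_on": False},
    {"host": "printer-3f", "managed": False, "os_patched": None,  "av_current": None,  "fw_on": None},
]

# Endpoint-integrity policies: name -> predicate over a posture record (assumed names).
POLICIES = {
    "os_patched": lambda ep: ep["os_patched"] is True,
    "av_current": lambda ep: ep["av_current"] is True,
    "fw_on":      lambda ep: ep["fw_on"] is True,
}

def evaluate(ep, policies=POLICIES):
    """Return the names of the policies this endpoint fails."""
    return [name for name, check in policies.items() if not check(ep)]

def decide(ep, mode):
    """Map posture to an access decision. In evaluate-only mode failures are
    recorded but the session is still allowed; in enforce mode they trigger action."""
    failures = evaluate(ep)
    if not failures or mode == "evaluate":
        action = "allow"
    elif ep["managed"]:
        action = "remediate"   # managed host: hand off to automated remediation
    else:
        action = "quarantine"  # unmanaged host: restricted network access
    return {"host": ep["host"], "failures": failures, "action": action, "mode": mode}

def compliance_report(endpoints, mode="evaluate"):
    """At-a-glance summary: failures per policy split by managed/unmanaged, plus action counts."""
    decisions = [decide(ep, mode) for ep in endpoints]
    per_policy = {"managed": Counter(), "unmanaged": Counter()}
    for ep, d in zip(endpoints, decisions):
        per_policy["managed" if ep["managed"] else "unmanaged"].update(d["failures"])
    return {
        "total": len(endpoints),
        "noncompliant": sum(1 for d in decisions if d["failures"]),
        "per_policy": {k: dict(v) for k, v in per_policy.items()},
        "actions": dict(Counter(d["action"] for d in decisions)),
        "decisions": decisions,
    }

if __name__ == "__main__":
    for mode in ("evaluate", "enforce"):
        r = compliance_report(ENDPOINTS, mode)
        print(f"{mode}: {r['noncompliant']} of {r['total']} noncompliant; actions {r['actions']}")
```

Running the same policy set in both modes makes the point of the section concrete: the noncompliant count is identical, but only enforce mode would have remediated the managed laptop or quarantined the unmanaged devices.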
