nac -a bandaid for your network v07.21.11.txt
This is just a blog storming session about why I feel NAC is over-rated.. It may be the best marketing invention in a while to give vendors the opportunity to sell you a security solution, but it clearly isn't the best use of technical minds to come up with an effective way of securely managing diverse networks.
NAC - Posture Assessment
If you are responsible for keeping the corporate workstations up to date, then you are just proving to yourself that your method is ineffective if you perform posture assessment and fail the workstation. Why not concentrate on a way to deliver updates and patches to a workstation while it is not directly connected to your corporate network?
- Windows Update can be pointed at an update server name (e.g. windowsupdate.corporate.com) that resolves and is reachable both internally and externally.
- SMS and GPO updates can't easily be applied unless you have a VPN connection back to the corporate network.. seems like a good place for MS to work on ISA Server.
Quarantine Network
What is going to provide network services such as DHCP and DNS for your quarantine environment? Are these your Active Directory DNS servers?
How isolated is it going to be if you have managed workstations that need to get updates when the users run as non-local admins?
It seems it would be more appropriate to properly engineer the network and Windows services than create *another* network of update servers to do what the initial update servers should have done to begin with.
I understand that computers that aren't part of corporate policy are one of the primary reasons to quarantine. But..
Trying to stop malware by not letting the infected computers connect?
If you look at creating a network model that doesn't allow any communication to protected resources, you'll probably run across Microsoft's Server and Domain Isolation. This is a great start based on IPSEC but leaves little room for analyzing data passing across the network.
Detecting when a computer comes on the network?
- Doesn't work with SNMP link notifications from the switch when the device sits behind an IP phone, hub, or another switch
- Doesn't work with 802.1x if the port can be authorized by another device (corp workstation, print server, IP phone)
- How do you handle virtualization environments where the guests can be NAT'ed?
- What about physical connectivity wired in a particular fashion:
(802.1x switch) -> (4 port hub w/ NAT) -> (Corp Workstation) + (Rogue Workstation)
Other Ideas:
Lock down all physical ports where there is really nothing to attack.. DoS is always a possibility, but when is it ever not? If you only provided DHCP, DNS, and RDP or ICA with thin clients you would have a very tight ACL that could be applied to a client VLAN.
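As an added example of the tight client-VLAN ACL described above (not from the original post), here is a Cisco IOS style extended ACL that permits only DHCP, DNS, RDP and ICA. The addresses, VLAN number and server ranges are constructed assumptions, not values from the post.

```cisco
! Constructed example: thin-client VLAN 10 = 10.10.0.0/24,
! AD/DNS servers 10.10.1.10-11, RDP farm 10.10.2.0/24, Citrix farm 10.10.3.0/24
ip access-list extended CLIENT-VLAN-IN
 remark DHCP discover/request: client sends from 0.0.0.0:68 to broadcast:67
 permit udp any eq bootpc any eq bootps
 remark DNS (UDP and TCP) only to the two AD DNS servers
 permit udp 10.10.0.0 0.0.0.255 host 10.10.1.10 eq domain
 permit udp 10.10.0.0 0.0.0.255 host 10.10.1.11 eq domain
 permit tcp 10.10.0.0 0.0.0.255 host 10.10.1.10 eq domain
 permit tcp 10.10.0.0 0.0.0.255 host 10.10.1.11 eq domain
 remark RDP to the terminal server farm only
 permit tcp 10.10.0.0 0.0.0.255 10.10.2.0 0.0.0.255 eq 3389
 remark ICA (1494) and ICA session reliability (2598) to the Citrix farm only
 permit tcp 10.10.0.0 0.0.0.255 10.10.3.0 0.0.0.255 eq 1494
 permit tcp 10.10.0.0 0.0.0.255 10.10.3.0 0.0.0.255 eq 2598
 remark everything else from the client VLAN is dropped and logged
 deny   ip any any log
!
interface Vlan10
 description Thin-client VLAN, ACL applied inbound from the clients
 ip helper-address 10.10.1.10
 ip access-group CLIENT-VLAN-IN in
```

The final `deny ... log` line is what lets you see a rogue or infected host trying anything beyond the four allowed services; on a busy VLAN rate-limit ACL logging or the switch CPU will suffer.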
Only allow guests wireless access.. it is much easier to control who can and cannot connect to secure WPA2-enabled SSIDs.. Guests get the open SSIDs.. then you focus on traffic shaping and ACLs to allow only certain ports. Deep inspection on those few open ports would be great; a few vendors will look inside SSL..
I'll elaborate more on the details of each of these thoughts in future posts..