Re: NAC Question

[Stephen Mullins <steve.mullins.work () gmail com>]

Sounds like you're fighting a losing battle with a company that
doesn't care about security.  If they won't fund your security program
or provide managerial support then that is a clear message that
security does not matter to them.

On Sat, Apr 18, 2009 at 11:46 AM,  <avghacker () gmail com> wrote:
> Both assessments are very good.  I have been working on trying to make sure / force all users to update their anti 
> virus clients.  The biggest problem is that there are around 800 users and 5 of us in the IT dept.  I'm not sure how 
> common / uncommon this ratio is in the corperate world.  Because of this anything we implment has to be carefully 
> planned bc we can only handle so many ticket requests at one time.
>
>
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Stephen Mullins <steve.mullins.work () gmail com>
>
> Date: Sat, 18 Apr 2009 11:36:18
> To: <Noah.Lance () apcc com>
> Cc: <avghacker () gmail com>; <security-basics () securityfocus com>
> Subject: Re: NAC Question
>
>
> I agree with this guy.  You can't protect what you don't control.  A
> network where all of the users have local admin is a network that
> cannot be realistically defended.
>
> On Tue, Mar 24, 2009 at 5:25 PM,  <Noah.Lance () apcc com> wrote:
> > This would be a user policy issue. A NAC is always a good idea, but if you
> > don't have the money or power to implement it you'd be better off a policy
> > based solution.
> >
> > Information Assurance user level training could fix a good portion of this
> > problem. User training is key to these situations I watch large companies
> > leave this out and then have 100's of experienced IT personnel running
> > around with their web found solutions, which is great and all. However, if
> > the company just put some emphasis on user training/awareness, usage
> > policies, through an Information Management program they would never be a
> > this point.
> >
> > Currently if you are looking at warding off malware then you are best off
> > implementing a computer based local policy. If they are windows boxes
> > (assuming so, since nix boxes would be a big worry) use GPO/computer
> > Security templates. Harden the box via these policies and enforce the
> > firewalls are turned on, use the IEAK to configure it have the pop up
> > blocker turned on, utilize the connection levels IE already provide.....
> > your getting the point I'm sure. Sure local admins could change this but
> > few people, heh, few IT personnel know hot to work through such a
> > configuration.
> >
> > Another more "enterprise" level solution would be to utilize SMS and
> > Symantec MMC to hunt out any "aged" configurations, once they send an
> > alert have the IS guys or even Service Desk disable the computer accounts
> > via Active Directory. You could actually even do this via logon script,
> > and have it cached for local runs.
> >
> > If you really want the full NAC, there's a few universities I've read
> > about implementing a combo type system. If any user plugs their computer
> > into the network, the computer submits to a scan and if they are not up to
> > date per AV/VA then they are only allowed to go to the common minimal
> > sites to get the updates. Nothing else.
> >
> > Realistically, for a production environment you are best off with getting
> > a strong Vulnerability Assurance/Management program in place first.
> > Establish written policies and then aid with user awareness and education.
> >
> >
> >
> >
> >
> > avghacker () gmail com
> > Sent by: listbounce () securityfocus com
> > 03/24/2009 11:49 AM
> > Please respond to
> > avghacker () gmail com
> >
> >
> > To
> > security-basics () securityfocus com
> > cc
> >
> > Subject
> > Re: NAC Question
> >
> >
> >
> >
> >
> >
> > Well we have the downadup worm floating around our network and are slowly
> > trying to deal with it.  Our environment has a lot of users who are local
> > admins so they basically are allowed to download anything here and at
> > home.  I wanted a way to keep them off the network unless they have
> > patches and an AV solution.  Many users only pull out their laptops every
> > couple of weeks so obviously the update server isn't reaching them.
> >
> > Side note: already have and ids in place
> > ------Original Message------
> > From: exzactly
> > To: avghacker () gmail com
> > To: security-basics () securityfocus com
> > Subject: Re: NAC Question
> > Sent: Mar 24, 2009 12:34 PM
> >
> > Are you sure NAC is the way to go for your issue? An IPS may be a better
> > option to keep the spread of Malware down. NAC can be expensive, messy to
> > implement and time consuming, it has it's place but I don't know if your
> > requirements would warrant it. Can you add a little more information to
> > your
> > issue?
> >
> > --------------------------------------------------
> > From: <avghacker () gmail com>
> > Sent: Friday, March 20, 2009 4:39 AM
> > To: <security-basics () securityfocus com>
> > Subject: NAC Question
> >
> > > Hey all was wondering if anyone had any experience with deploying or
> > > maintaining a NAC?  I'm looking for recommendations, advice, gotchas,
> > > etc...
> > >
> > > Having some serious malware issues in a place that doesn't have patch
> > > management and I'm looking to turn to a NAC to help bring the network
> > > under control.....advice?
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: InfoSec Institute
> > >
> > > Learn all of the latest penetration testing techniques in InfoSec
> > > Institute's Ethical Hacking class.
> > > Totally hands-on course with evening Capture The Flag (CTF) exercises,
> > > Certified Ethical Hacker and Certified Penetration Tester exams, taught
> > by
> > > an expert with years of real pen testing experience.
> > >
> > > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > > ------------------------------------------------------------------------
> >
> >
> > Sent from my Verizon Wireless BlackBerry
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: InfoSec Institute
> >
> > Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
> > Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
> > Penetration Tester exams, taught by an expert with years of real pen testing experience.
> >
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized 
certs available, online computer forensics training available.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------