Security Basics mailing list archives
Re: NAC Question
From: Noah.Lance () APCc com
Date: Tue, 24 Mar 2009 16:25:16 -0500
This would be a user policy issue. A NAC is always a good idea, but if you don't have the money or power to implement it you'd be better off with a policy-based solution. Information Assurance user-level training could fix a good portion of this problem. User training is key to these situations. I watch large companies leave this out and then have 100's of experienced IT personnel running around with their web-found solutions, which is great and all. However, if the company just put some emphasis on user training/awareness and usage policies through an Information Management program, they would never be at this point.

Currently, if you are looking at warding off malware then you are best off implementing a computer-based local policy. If they are Windows boxes (assuming so, since nix boxes would be a big worry) use GPO/computer Security templates. Harden the box via these policies and enforce that the firewalls are turned on, use the IEAK to configure it to have the pop-up blocker turned on, utilize the connection levels IE already provides..... you're getting the point, I'm sure. Sure, local admins could change this, but few people, heh, few IT personnel know how to work through such a configuration.

Another more "enterprise" level solution would be to utilize SMS and Symantec MMC to hunt out any "aged" configurations; once they send an alert, have the IS guys or even Service Desk disable the computer accounts via Active Directory. You could actually even do this via logon script, and have it cached for local runs.

If you really want the full NAC, there are a few universities I've read about implementing a combo-type system. If any user plugs their computer into the network, the computer submits to a scan and if they are not up to date per AV/VA then they are only allowed to go to the common minimal sites to get the updates. Nothing else.

Realistically, for a production environment you are best off with getting a strong Vulnerability Assurance/Management program in place first. Establish written policies and then aid with user awareness and education.

avghacker () gmail com
Sent by: listbounce () securityfocus com
03/24/2009 11:49 AM
Please respond to avghacker () gmail com
To: security-basics () securityfocus com
cc:
Subject: Re: NAC Question

Well, we have the downadup worm floating around our network and are slowly trying to deal with it. Our environment has a lot of users who are local admins, so they basically are allowed to download anything here and at home. I wanted a way to keep them off the network unless they have patches and an AV solution. Many users only pull out their laptops every couple of weeks, so obviously the update server isn't reaching them.

Side note: already have an IDS in place.

------Original Message------
From: exzactly
To: avghacker () gmail com
To: security-basics () securityfocus com
Subject: Re: NAC Question
Sent: Mar 24, 2009 12:34 PM

Are you sure NAC is the way to go for your issue? An IPS may be a better option to keep the spread of malware down. NAC can be expensive, messy to implement and time consuming; it has its place, but I don't know if your requirements would warrant it. Can you add a little more information to your issue?

--------------------------------------------------
From: <avghacker () gmail com>
Sent: Friday, March 20, 2009 4:39 AM
To: <security-basics () securityfocus com>
Subject: NAC Question
Hey all, was wondering if anyone had any experience with deploying or maintaining a NAC? I'm looking for recommendations, advice, gotchas, etc... Having some serious malware issues in a place that doesn't have patch management and I'm looking to turn to a NAC to help bring the network under control.....advice?

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
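An added example, not part of any message in this thread: a sketch of the admission decision described in the reply at the top, where a machine that plugs in is checked and, if it is not up to date on AV or patches, is limited to the update sites. The `Posture` agent report, the age thresholds and the host names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed thresholds and host names; none of these come from the thread.
MAX_AV_SIGNATURE_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=35)
REMEDIATION_ALLOWLIST = ("wsus.example.internal", "av-updates.example.internal")

@dataclass
class Posture:
    """What a hypothetical endpoint agent reports when the host connects."""
    hostname: str
    av_signature_date: Optional[date]   # None: no AV product found
    last_patch_date: Optional[date]     # None: patch state unknown
    firewall_enabled: bool

@dataclass
class Decision:
    segment: str            # "production" or "remediation"
    allowed_hosts: tuple    # empty tuple: no destination restriction
    reasons: list

def admit(posture: Optional[Posture], today: date) -> Decision:
    """Fail closed: anything missing or stale lands in the remediation segment."""
    if posture is None:
        return Decision("remediation", REMEDIATION_ALLOWLIST, ["no posture report"])
    reasons = []
    if posture.av_signature_date is None:
        reasons.append("no antivirus detected")
    elif today - posture.av_signature_date > MAX_AV_SIGNATURE_AGE:
        reasons.append(f"AV signatures {(today - posture.av_signature_date).days} days old")
    if posture.last_patch_date is None:
        reasons.append("patch state unknown")
    elif today - posture.last_patch_date > MAX_PATCH_AGE:
        reasons.append(f"last patched {(today - posture.last_patch_date).days} days ago")
    if not posture.firewall_enabled:
        reasons.append("host firewall disabled")
    if reasons:
        return Decision("remediation", REMEDIATION_ALLOWLIST, reasons)
    return Decision("production", (), [])

# Constructed samples: a laptop off the network for weeks, and a current desktop.
TODAY = date(2009, 3, 24)
laptop = Posture("LT-0042", date(2009, 3, 2), date(2009, 1, 13), True)
desktop = Posture("DT-0007", date(2009, 3, 23), date(2009, 3, 11), True)
```

The laptop that only comes out every few weeks is the case that matters here: it is sent to the remediation segment with both reasons listed, so the help desk can see what has to be updated before it is let back on.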
Current thread:
- NAC Question avghacker (Mar 24)
- Re: NAC Question exzactly (Mar 24)
- <Possible follow-ups>
- Re: NAC Question avghacker (Mar 24)
- Re: NAC Question Jason (Mar 25)
- Re: NAC Question badz (Mar 25)
- Re: NAC Question Noah . Lance (Mar 25)
- Re: NAC Question ushacker20002001 (Mar 25)
- Re: Re: NAC Question chmod1777 (Mar 25)