But is the NAC paradigm, and all of the benefits and challenges it brings to your network, appropriate for you and yours? Here are some signs that indicate you should spend some time considering whether tougher network access controls are necessary in your organization:
- You've recently noticed an uptick in malware spreading internally. Don't confuse this with malware that ends up on one or two of your systems. Despite all the perimeter protection in the world, statistically speaking, you're going to get nailed at some point. It's not a matter of if; it's a matter of when. But if you notice that such malware isn't just on one or two systems, but suddenly begins to spread itself around your internal machines with ease, that's something that a network access control product could prevent.
- You support a significant population of mobile users. If many employees in your company work offsite for a good portion of their work week and typically and regularly connect to your network, their connection is essentially an unprotected orifice. All of the malware their laptops accumulate while those employees are on the road can penetrate your network in its soft, white underbelly and wreak havoc. If you manage a group of people using dial-up or VPN connections, and you haven't implemented any sort of vetting procedures when they dial up (in particular, the true road warriors that are hardly ever in the office and hardly ever dial in), then tougher network access controls might be appropriate for you.
- Business conditions have dictated that you will have more mobile users entering your network than before.
Computers over which you have no control pose the biggest and most significant threat to your infrastructure. Situations might include:
- The computers in a company you've acquired.
- Employees with laptops hosted at your corporate campus for a temporary session.
- Working without a Windows domain or any sort of advanced, certificate-based wireless security, which thus permits anyone to join your wireless network.
If you have time to budget and plan in advance of your new environment, NAC could do a lot to prevent the transmission and spread of nastygrams among the newcomers to your network.
- You have a heterogeneous environment, with lots of Windows machines and a bevy of Macs, Unix or Linux computers and so on. Some management capabilities, like Group Policy, central IPsec configuration and automatic certificate requests, that you only get in a Windows Server-based domain won't work on your cross-platform machines. In that case, you have to have another source of protection, such as: bulletproof perimeter detection; trust in a secure desktop-based anti-malware product; or implement NAC to be sure that the members of your network are "siloed" when they should be. Or else you can rest on your laurels and place confidence in the technical and architectural superiority of your platforms.
About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics, including networking, security and Windows administration. He can be reached at firstname.lastname@example.org.
This was first published in April 2007