BIGFIX
Top 10 Best Practices for Network Access Control

IT organizations considering implementing a Network Access Control (NAC) project should think carefully about the objectives of the project, and the different requirements for managed and unmanaged endpoints. In our experience—and leading market analysts concur—organizations can realize significant savings in time, complexity, cost, and end-user impact of a NAC if they deploy agent-based technologies to automate device assessment against configuration baselines and remediation, and to enforce configuration baselines when the device is off-network.

The main thing we have discovered is that successful NACs focus on managing endpoint security baselines every bit as much as deciding which endpoints to admit or exclude from a network. The visibility and active baseline management that go along with this approach also enable IT departments to set higher standards for network admission. If you can’t see into endpoints or prescribe and maintain “security dress codes,” it’s all too easy to take a lowest common denominator approach to admitting endpoints.
WHITE PAPER
This concept of active pre-mediation of endpoints is ambitious, but following some basic best practice principles can smooth the way and help assure long-term success in implementing combined network access and endpoint management solutions.
1. Know What You Don’t Know

Many customers are shocked to discover how little they know about assets on their networks when they implement a NAC solution and first turn it on. Therefore, one of the key missions of the early stages of a NAC solution is to quickly and thoroughly identify and inventory all known and unknown assets and distinguish between well-behaved and ill-behaved endpoints. By performing triage early and accurately, IT organizations can productively focus on remediating or quarantining rogue elements and spend less time wondering if an otherwise benign endpoint has deficiencies that may require attention.
2. Have a Single “System of Truth”

To know what you don’t know, it’s important to have a single, authoritative source of knowledge on endpoint security configurations. Since device configurations and status are subject to constant change, knowledge should be as real-time as possible. Scanning a network once a week, or even once a day, is insufficient to know what’s really going on or to intercept fast-moving threats.
3. Quarantine is a Last Resort

Every minute an otherwise “good” device spends in quarantine is a minute that sacrifices productivity, irritates end users and requires automated or human intervention to remediate the device. It is far better to have a proactive program that seeks to keep managed devices in compliance with NAC policies and out of quarantine. As with many things in life, an ounce of prevention is worth a pound of cure.
4. Automate Assessment and Remediation

Manual assessment and remediation processes are expensive, slow and subject to human error. Furthermore, attempting to avoid support costs by relying on end users to manage their own machines distracts them from what they were really hired to do—accounting, sales, management, research, etc.—and increases the risk of error and neglect. By contrast, automated approaches to assessment and remediation are faster, require less human intervention and also make the NAC process less intrusive on end user work styles and productivity.
5. Be Transparent to End Users

The less an end user notices that their machine is under NAC management, the better. Intrusive NACs that interrupt logging-on processes, stop machines to install patches and updates, or generally make themselves known to users in inconvenient ways do more than make IT departments unpopular. They tempt users to circumvent management controls and undermine all the good work you have done in protecting the enterprise network.
6. Manage Endpoints Anytime, Anywhere

Just because a mobile device logs off an enterprise network and goes roaming does not mean it is beyond the reach of NAC-oriented security configuration remediation. Persistent agent-based management technologies can maintain policies in force on roaming devices, and technologies exist for mobile systems to “phone home” via the Internet to report status and pick up the latest patch and configuration policy content.
7. Implement Global, Comprehensive Solutions

It’s the devices that you don’t know about that will hurt you the most. Avoid, or at least be skeptical about, approaches that have blind spots in terms of platform coverage (for example, Windows-but-not-Unix), the issues they address, or even the timeliness of information they collect about endpoints.
8. Change in Manageable Increments

Taking an “early and often” approach to change management on end user devices has a number of advantages. It helps maintain policy currency. It makes NAC management less obtrusive to end users. And it reduces the risk that big, complex, all-at-once changes will have unpredictable effects on system availability and performance.
9. Leverage Redundant Systems

“What if it fails?” is a question that should be frequently asked in the design phase of every NAC project. Either building in redundancy or taking advantage of existing surplus resources to enable failover or quick service restoration is a classic way of improving the reliability of NAC solutions. Remember also that breakdowns and service outages not only inconvenience end users, they create opportunities for the bad guys to do things that would normally prove difficult.
10. No NAC Stands Alone

It’s a given that a NAC solution will not be an organization’s only security defense. But as IT security and operations management continue to converge, the best designed and implemented NACs make it hard to tell where security management ends and operations management begins. Integrating and consolidating NAC tools and processes with other management practices reduces costs, improves security efficacy and increases overall quality of service.

In the final analysis, the specifics of a given NAC technology are no guarantee that the solution will be successful. As always, it’s the thoughts, actions and practices that surround a technology that make the difference between success and failure.
BigFix: Breakthrough Technology, Revolutionary Economics

Founded in 1997, BigFix®, Inc. is a leading provider of high-performance enterprise systems and security management solutions that revolutionizes the way IT organizations manage and secure their computing infrastructures. Based on a unique architecture that distributes management intelligence directly to the computing devices themselves, BigFix is radically faster, scalable, more accurate and adaptive than legacy management software. From Systems Lifecycle Management, Security & Vulnerability Management to Endpoint Protection, BigFix solutions automate the most labor-intensive IT tasks across the most complex global networks, saving organizations significant amounts of time, labor, and expense. BigFix provides real-time visibility and control for millions of globally distributed computing devices. The BigFix customer list counts many of the world’s largest and most prestigious organizations in every industry including financial services, retail, education, manufacturing, and public sector agencies. More information can be found at www.bigfix.com

©2009 BigFix, Inc. BigFix and the BigFix Logo are registered trademarks of BigFix, Inc. Other trademarks, registered trademarks, and service marks are property of their respective owners. 20090701