Alan Shimel, Chief Strategy Officer for StillSecure, makes the argument that "without the pre-connect posture or health check, you don't have NAC." I'll go out on a limb and say host assessment plays a small part.
When a host connects to the network, does it really matter what state the host is in if that same host is not acting maliciously? No, it doesn't. Let's break this down. Network Access Control, NAC, is about making a decision on the kind of access assigned to a host or user (or a combination of both) when they connect to the network. The access decision could be a binary one: on-network or off-network. Or the access decision could be more complex, such as Sales is assigned to this VLAN with these access rules, Engineering is assigned to that VLAN and access rules, while guests can only access the Internet. Host assessment could play a role in any of those decisions, but even a host that passes muster can still do malicious things. Jordan Wiens, one of our contributing editors, who beat the RSA Interactive Testing Challenge and Black Hat's Capture the Flag challenges, could root you with just telnet. :)
I have heard many reasons why host assessment is important: making sure managed hosts are properly configured, ensuring that authorized applications are installed and/or running, ensuring unauthorized applications are not installed and/or not running, ensuring anti-malware is up to date, ensuring the firewall is running, etc. All good things to check for, I suppose, but a host is not necessarily a threat even if the computer is woefully out of date, with an idle P2P application running, a directory full of exploits and penetration test tools, no AV, and the firewall disabled. If the host never behaves maliciously (never tries to transfer files over P2P, never scans the network, never tries to crack a server), then it doesn't pose a security risk.
Now, you might point out that the second host I describe is a threat because of all the malware and its condition, but unless the user (or some rogue program) starts kicking off malicious activity, it's actually not a threat. Besides, a user could store a bunch of exploit tools on an encrypted drive, and no host assessment is going to detect them unless you decide file and folder encryption is a "hacker tool."
Twisting a much-abused adage, "exploits don't root servers, people do." Network access control is about access control, meaning you limit the resources computers and users can reach, limiting the potential for attack. Then you have to make sure that your application servers are properly hardened because, as I have already pointed out, the current crop of NAC products simply aren't up to the job of managing access at layer 7. Don't give up other security initiatives.
Managed or unmanaged?
Finally, the value of host assessment depends largely on whether a host is owned and managed by the organization or not. One reason vendors offer for using host assessment is to ensure that your managed computers are configured the way you think they are. Talking to system engineers who have come through the lab, they repeatedly talk about how they visit many organizations (they never, ever name names) that have a desktop management strategy that is never 100% implemented and, worse, the companies often can't determine the status of the hosts they manage. Lots of reasons are offered, like users disabling host agents, hosts being disconnected for long periods, no real strategy for host management, etc. The problem is real.