NAC As A Training Tool

Gord Boyce, president of ForeScout Technologies has an interesting article about using NAC to change behavior up on Enterprise Networks & Servers asking Are Your Users Smarter Than a Fifth Grader? I find the idea intriguing because using NAC to lock down a network is onerous.

Mike Fratto

March 18, 2008


Gord Boyce, president of ForeScout Technologies, has an interesting article about using network access control to change behavior up on Enterprise Networks & Servers, asking Are Your Users Smarter Than A Fifth Grader? I find the idea intriguing because using NAC to lock down a network is onerous. Let's say you can solve 95% of the problem simply. These would be well-meaning but misguided users who are trying to circumvent security measures to get work done because going to IT is too difficult, too time-consuming, or whatever the excuse may be. Dealing with the remaining percentage points gets more difficult for each point gained, because you end up dealing with smarter users, or with attackers intent on bypassing your security.

When I tell vendors how I might go about bypassing their security features, I invariably hear statements like "we are not trying to solve that problem," or "we are trying to solve 90% of the access control problem," or "there are no 100% secure systems, you have to use layers." I have rejected those arguments for two reasons. First, solving the easy problems isn't hard and doesn't necessarily improve your security position. Internal users trying to bypass IT systems doesn't mean they are malicious -- it may mean your IT systems don't match business needs. Second, well-meaning insiders aren't really the threat to worry about. The threat to worry about is the malicious attacker who is already inside your building and attempting to attach to your network directly. Assume the attacker is savvy, and you can see that you have a whole different problem on your hands.

Using NAC As A Training Tool
This is the heart of Boyce's article. When was the last time you even read your employee handbook or any user policies you were supposed to read? Have you read it recently? Heard it discussed around the water cooler? Probably not. IT and HR can publish codes of conduct, hold training classes, and put up posters, but employees will often not pay attention. They're too busy doing their jobs.

When I talked with an administrator at a large university about NAC and what they were looking for, they wanted a couple of things. First, they wanted something they could automate so as not to add workload to their help desk. That was critical. They wanted a soft-touch approach where students (this was a student-oriented NAC project) would be given varying levels of warning and options before being cut off for infractions. And they wanted to send a clear message to a largely nontechnical audience about unacceptable behavior and conditions. In other words, they wanted to train the student body about network usage without holding training classes or making students read long documents.

NAC can be a perfect tool in this situation. By using orientation classes where network usage is discussed, along with NAC that assesses host conditions and offers solutions, the school's IT department is able to soft-touch students from an unacceptable state to an acceptable one in stages without burdening the help desk. They expect to solve 95% of problems with students' computers via NAC, leaving the remaining 5% to be handled through other means.

Colleges have a rather unique problem of a large, unmanaged user base, but we can translate some of their experiences and needs to the enterprise, where a different set of conditions is in force.

  • Determining a priori who needs access to which services is a time-consuming and error-prone task. NAC products from vendors like ConSentry Networks, Nevis Networks, and Vernier Software and Technology that can track network usage based on destination servers, ports, and even protocol usage are well suited to determining who is doing what. You can also use packet and flow analysis at critical points in your network without deploying NAC. Once you have a picture of how users are using network resources, you can begin to figure out what resources they should be accessing.

  • You can monitor network usage and if a user is attempting to access some resource they shouldn't, then you could inform them of the violation and provide a means to request an access exception. You would need to have a process to handle those exceptions quickly, but you will be able to balance both access control and the business needs. I bet if one person needs access to resources, others that are similar will need it as well.

  • You can use soft touch on hosts that are out of compliance to inform users that an update is necessary and potentially a reboot will occur. So they need to either save their work now, or leave the computer on overnight. If after a few days of prompts (depending on how critical the configuration change is), they don't acknowledge the required update, then perhaps you force the update regardless. The soft touch balances the need to update systems with the potential for disrupting computing services.

  • You can monitor network activity and discover rogue hosts, personal computers, access points, and other systems that IT may not be aware of. Some of these services may be necessary for the business and cutting them off may not be a viable option. But it adds up to knowing what is out on the network and bringing previously unknown devices under the view of IT.
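The first three bullets describe one workflow: build a picture of who reaches what from flow data, tell a user about a violation instead of silently blocking it, and escalate an out-of-compliance host in stages. The Python below is an added example of that workflow; it is not code from the post or from any of the vendors named. The flow records, the entitlement table, the hostnames, the help-desk URL and the three-day grace period are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (user, destination host, destination port, protocol).
# These are not real observations; the hostnames are placeholders.
FLOWS = [
    ("alice", "hr-db.corp.example", 1433, "tcp"),
    ("alice", "hr-db.corp.example", 1433, "tcp"),
    ("alice", "fileserver.corp.example", 445, "tcp"),
    ("bob", "fileserver.corp.example", 445, "tcp"),
    ("bob", "hr-db.corp.example", 1433, "tcp"),
    ("carol", "mail.corp.example", 443, "tcp"),
    ("carol", "hr-db.corp.example", 1433, "tcp"),
]

# Constructed entitlements: the (host, port) pairs each user's role is allowed to reach.
ENTITLEMENTS = {
    "alice": {("hr-db.corp.example", 1433)},
    "bob": {("fileserver.corp.example", 445)},
    "carol": {("mail.corp.example", 443)},
}

# Assumed help-desk URL and grace period; both are placeholders, not from the post.
EXCEPTION_URL = "https://helpdesk.example/access-request"
GRACE_DAYS = 3


def usage_matrix(flows):
    """Bullet 1: aggregate flow records into user -> {(host, port): hit count}."""
    matrix = defaultdict(lambda: defaultdict(int))
    for user, host, port, _proto in flows:
        matrix[user][(host, port)] += 1
    return {user: dict(hits) for user, hits in matrix.items()}


def find_violations(flows, entitlements):
    """Bullet 2: each (user, host, port) seen outside the user's entitlements, reported once."""
    seen = set()
    violations = []
    for user, host, port, _proto in flows:
        key = (user, host, port)
        allowed = entitlements.get(user, set())
        if (host, port) not in allowed and key not in seen:
            seen.add(key)
            violations.append(key)
    return violations


def soft_touch_notice(user, host, port):
    """Bullet 2: the message shown to the user instead of a silent block."""
    return (f"{user}: access to {host}:{port} is not covered by your current role. "
            f"If you need it for your work, request an exception at {EXCEPTION_URL}.")


def resources_needing_review(violations):
    """Group violations by resource: a resource hit by several users is a candidate
    for a role-wide entitlement rather than a string of one-off exceptions."""
    by_resource = defaultdict(list)
    for user, host, port in violations:
        by_resource[(host, port)].append(user)
    return {res: sorted(users) for res, users in by_resource.items() if len(users) > 1}


def compliance_action(days_prompted, acknowledged, critical=False):
    """Bullet 3: staged response for a host that is out of compliance.
    days_prompted is how many days the user has already been prompted;
    a critical update gets no grace period beyond the first prompt."""
    if acknowledged:
        return "schedule_update"
    grace = 0 if critical else GRACE_DAYS
    if days_prompted == 0:
        return "notify"
    if days_prompted < grace:
        return "remind"
    return "enforce"


if __name__ == "__main__":
    for who, hits in usage_matrix(FLOWS).items():
        print(who, hits)
    found = find_violations(FLOWS, ENTITLEMENTS)
    for user, host, port in found:
        print(soft_touch_notice(user, host, port))
    print("review:", resources_needing_review(found))
    for day in range(5):
        print(day, compliance_action(day, acknowledged=False))
```

The `resources_needing_review` step is the "if one person needs it, others like them will too" point: two users hitting the same unentitled resource is a signal to fix the role definition rather than to process two exception tickets. The escalation function keeps state out of the policy decision on purpose; in a real deployment the day counter and acknowledgement flag would come from the NAC product's host record.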

Not all NAC systems really offer the features to support soft-touch NAC. The decisions are often binary in nature and, depending on the product, you may have to do some custom development, like creating a landing page that offers links to updates and patches, to provide the soft touch.

About the Author(s)

Mike Fratto

Former Network Computing Editor
