Gord Boyce, president of ForeScout Technologies, has an interesting article about using network access control to change behavior up on Enterprise Networks & Servers, asking Are Your Users Smarter Than A Fifth Grader? I find the idea intriguing because using NAC to lock down a network is onerous.
Let's say you can solve 95% of the problem simply. These would be well-meaning but misguided users who are trying to circumvent security measures to get work down because going to IT is too difficult, time consuming, or whatever the excuse may be. Dealing with remaining percentage points gets more difficult for each point gained because you end up dealing with smarter users or attackers intent of by-passing your security.
When I tell vendors how I might go about bypassing their security features, I invariably hear statements like "we are not trying to solve that problem" or "we are trying to solve 90% of the access control problem," or "there is no 100% secure systems, you have to use layers." I have rejected those arguments for two reasons. First, solving the easy problems isn't hard and really doesn't necessarily improve your security position. Internal users trying to by-pass IT systems doesn't mean they are malicious -- it may mean your IT systems don't match business needs. Secondly, well-meaning insiders isn't really the threat to worry about. The threat to worry about is the malicious attacker who already is inside your building and attempting to attach to your network directly. Assume the attacker is savvy and you can see that you have a whole different problem on your hands.
Using NAC As A Training Tool
This is the heart of Boyce's article. When was the last time you even read your employee handbook or any user policies you were supposed to read? Have you read it recently? Heard it discussed around the water cooler? Probably not. IT and HR can publish codes of conduct, hold training classes, and put up posters, but employees will often not pay attention. They're too busy doing their jobs.
While talking with an administrator at a large university about NAC and what they were looking for, they wanted a couple of things. First, they wanted something they could automate so as not to add workload to their help desk. That was critical. They wanted a soft-touch approach where students (this was a student-oriented NAC project) would be given varying levels of warning and options before being cut off for infractions. And they wanted to send a clear message to a largely nontechnical audience about unacceptable behavior and conditions. In other words, they want to train the student body about network usage without having training classes or making students read long documents.
NAC can be a perfect tool in this situation. By using orientation classes where network usage is discussed along with NAC that assesses hosts conditions and offers solutions, the school's IT department is able to soft-touch students from an unacceptable state to an acceptable one in stages without burdening the help desk. They expect to solve 95% of problems with students' computers via NAC, leaving the remaining 5% to be handled through other means.
