NAC For Patch Or Patch For NAC

Sophos issued a press release announcing that Microsoft's recent update contained fixes for a critical vulnerability in the TCP/IP stack. Sophos then went on to recommend NAC to "reduce the risk of unauthorized, guest, noncompliant, or infected systems compromising the network, ensuring that only correctly secured computers gain network access." Not a surprising recommendation from Sophos, considering it sells a NAC product. But deploying a NAC product to keep abreast of patches addresses a symptom and not the problem. Don't do it.

Let's take a look at managed computers -- these are the computers the company owns. In the case of universities, managed computers don't include students' or faculty members' personal computers. You have an entirely different set of problems on your hands. I have heard time and time again from vendors and others about how NAC products can ensure that computers are current and automatically do something like kick off a patch process or quarantine a host. These same people will relate stories about how their customers found that their patch management product wasn't keeping track of host patches very well and the customers needed something to watch the watchers, so to speak. Bah.

First, companies should have a patch management plan in place and they have to ensure that it works by executing the plan. Whether your patch management includes using a dedicated patch management product or deploying via Windows System Update Service or you run around with a floppy and do installs manually, you need to have a plan and you need to track progress. That is just good computer management. If you don't have a patch management plan, NAC won't help, because once it starts to quarantine hosts and sending alerts, your help desk is going to get real busy real fast.

Besides, even if you can get around to patching hosts that are flagged by your NAC, you are still have the fundamental problem of poor computer management to content, which extends far beyond access control. For what it's worth, if you are one of those companies that for whatever reason have a patch management product that isn't keeping an accurate inventory of your computers patch status, it's time to shop for a new patch management product.

Just because a host is un-patched does not, ipso facto, mean that A) it is infected or B) that it will be infected in the future. Obviously, an unpatched computer is vulnerable to attack, and, of course, you want to patch systems to thwart any future problems, but those are wholly separate issues to NAC. Fix the fundamental problem and your NAC deployment will be more effective for it.Secondly, if you're concerned about guest's computers -- computers that you have no administrative control over -- guess what? You probably can't dictate that they apply patches anyway, because doing so may violate their company's policies. A lot of companies delayed updating Windows XP to Service Pack 2 because the changes to the IP stack and the Window firewall broke things like third-party VPN clients and what-not. You can tell a guest that they can't connect to the network. You can tell a guest that they can't engage in certain kinds of activity. You can't dictate configuration.

Nah, don't deploy NAC to fix your patch problem. Fix your patch problem, then decide if you need a NAC. They address separate, but related, problems.