Security Basics mailing list archives
Re: NAC Question
From: badz <smanaois3 () gmail com>
Date: Wed, 25 Mar 2009 07:28:27 +0800
Hi,

Try to leverage the capabilities of the Network Access Protection technology (a _free_ core Windows component).

How does NAP work? - [from the NAP FAQ]

"When a client attempts to access the network or communicate on the network, it must present its system health state or proof of health compliance. If a client cannot prove it is compliant with system health requirements (for example, that it has the latest operating system and antivirus updates installed), its access to the network or communication on the network can be limited to a restricted network containing server resources so that health compliance issues can be remedied. After the updates are installed, the client requests access to the network or attempts the communication again. If compliant, the client is granted unlimited access to the network or the communication is allowed."

To illustrate further, if your user logs in with a machine with a non-updated virus signature, and is missing a few critical patches, it will be validated by a Network Policy Server; since it does not meet certain criteria in your policy, you can define corrective measures (like applying OS patches, updating virus signatures, turning on the host firewall, etc.) for it to be able to connect to your LAN and access your resources.

For more comprehensive info regarding this technology, please refer to the NAP TechNet page: http://technet.microsoft.com/en-us/network/bb545879.aspx

HTH.

Best Regards,
Salvador Manaois III
mcitp(x3) mcts(x5) mcse mcsa ciwa c|eh
Bytes & Badz: http://badzmanaois.blogspot.com

On Wed, Mar 25, 2009 at 12:49 AM, <avghacker () gmail com> wrote:
Well, we have the Downadup worm floating around our network and are slowly trying to deal with it. Our environment has a lot of users who are local admins, so they basically are allowed to download anything here and at home. I wanted a way to keep them off the network unless they have patches and an AV solution. Many users only pull out their laptops every couple of weeks, so obviously the update server isn't reaching them.

Side note: already have an IDS in place

------Original Message------
From: exzactly
To: avghacker () gmail com
To: security-basics () securityfocus com
Subject: Re: NAC Question
Sent: Mar 24, 2009 12:34 PM

Are you sure NAC is the way to go for your issue? An IPS may be a better option to keep the spread of malware down. NAC can be expensive, messy to implement and time consuming; it has its place, but I don't know if your requirements would warrant it. Can you add a little more information to your issue?

--------------------------------------------------
From: <avghacker () gmail com>
Sent: Friday, March 20, 2009 4:39 AM
To: <security-basics () securityfocus com>
Subject: NAC Question

Hey all, was wondering if anyone had any experience with deploying or maintaining a NAC? I'm looking for recommendations, advice, gotchas, etc... Having some serious malware issues in a place that doesn't have patch management and I'm looking to turn to a NAC to help bring the network under control.....advice?

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------

Sent from my Verizon Wireless BlackBerry
--
...badz... http://badzmanaois.blogspot.com
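
The health check and remediation cycle described in the NAP FAQ excerpt in the reply above, as an added example that is not part of the thread and is not Microsoft's NAP code: a simplified Python model of "report health, get restricted, remediate, ask again". The policy thresholds, patch IDs, host name and all function names are assumptions made up for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical policy values; a real deployment defines these on the policy server.
MAX_SIGNATURE_AGE = timedelta(days=7)
REQUIRED_PATCHES = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}  # constructed placeholder IDs

@dataclass
class HealthStatement:
    """What the client reports about itself when it asks for access."""
    host: str
    av_signature_date: date
    firewall_enabled: bool
    installed_patches: set = field(default_factory=set)

def evaluate(soh, today):
    """Return (access, remediations): 'full' if compliant, else 'restricted'."""
    remediations = []
    if today - soh.av_signature_date > MAX_SIGNATURE_AGE:
        remediations.append("update_av_signatures")
    if not soh.firewall_enabled:
        remediations.append("enable_host_firewall")
    for patch in sorted(REQUIRED_PATCHES - soh.installed_patches):
        remediations.append("install_patch:" + patch)
    return ("restricted" if remediations else "full"), remediations

def remediate(soh, remediations, today):
    """Model the fixes a client applies while on the restricted network."""
    for action in remediations:
        if action == "update_av_signatures":
            soh.av_signature_date = today
        elif action == "enable_host_firewall":
            soh.firewall_enabled = True
        elif action.startswith("install_patch:"):
            soh.installed_patches.add(action.split(":", 1)[1])

def connect(soh, today):
    """Full cycle: evaluate, remediate if restricted, then request access again."""
    history = []
    access, todo = evaluate(soh, today)
    history.append((access, todo))
    if access == "restricted":
        remediate(soh, todo, today)
        history.append(evaluate(soh, today))
    return history

if __name__ == "__main__":
    # Constructed sample: a laptop that has been off the network for three weeks.
    today = date(2009, 3, 25)
    laptop = HealthStatement("laptop-01", today - timedelta(days=21), False, {"KB-EXAMPLE-1"})
    for step in connect(laptop, today):
        print(step)
```

The constructed laptop is restricted on the first request with three remediation actions, then granted full access on the second request once they are applied.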
Current thread:
- NAC Question avghacker (Mar 24)
- Re: NAC Question exzactly (Mar 24)
- <Possible follow-ups>
- Re: NAC Question avghacker (Mar 24)
- Re: NAC Question Jason (Mar 25)
- Re: NAC Question badz (Mar 25)
- Re: NAC Question Noah . Lance (Mar 25)
- Re: NAC Question ushacker20002001 (Mar 25)
- Re: Re: NAC Question chmod1777 (Mar 25)