
This is one of my favorite parts of NAC solutions. As you’re probably getting tired of hearing already, the goal is to get people productive and have them be secure, not just locking people out. Because of this, it is important for NAC solutions to be able to fix the problems.

You will find that many NAC/NAP vendors skirt around the issues when it comes to the remediation portion of the solution. That is because many NAC/NAP solutions simply do not offer a component that will fix the discrepancies. Some do offer integration with leading patching solutions and other third-party systems, though some simply won’t do anything to the device.

In my opinion, giving the end user a link to a web site where the user can fix the deficiency is ridiculous, although some solutions will do this. This takes the responsibility and control out of the hands of IT and places it on the end user. While this may sound good to some IT departments, it’s really irresponsible. The end users’ job is to do their job, not to learn how to install patches.

Remediation Actions

Remediation actions can take place via the NAC solution itself, or they can come from separate third-party remediation services, such as Tivoli, System Management Server (SMS), and so on. Here are some common means to remediate security deficiencies within NAC solutions:

Push down operating system patches
Push down Microsoft Office patches
Push down Internet Explorer and other browser patches
Push down updates to third-party applications
Push down antivirus definition updates
Push down antispyware updates
Push down configuration changes
Restart disabled security applications
Kill unwanted applications that are running

NOTE For mobile devices, it is imperative that these remediation actions take place while the device is mobile and vulnerable. These actions should not be dependent upon the device returning to the corporate LAN or accessing the LAN via remote access technology.

Pushing down the operating system, MS Office, and browser patches is pretty straightforward. I don’t recall a single enterprise with which I’ve worked that doesn’t have something in place to be able to perform these functions. It’s common to see SMS, WSUS, LANDesk, Tivoli, and so on, performing these functions. That notwithstanding, don’t assume that all patching technologies work with all NAC/NAP solutions.

Updating antivirus software and antispyware is also relatively straightforward. If definitions are out of date, update them to provide the device with the most current protection. Also, keep in mind that just because a device has the latest definitions, this doesn’t mean that it isn’t infected. That will be covered in detail in Chapter 4.

The configuration changes may surprise some people. Just as a device can be noncompliant and vulnerable if it is missing Microsoft operating system updates, it can be vulnerable because of insecure configurations. I used the example of firewalls. You can have the absolute best firewall in the world, but if it isn’t configured properly, it could let anyone into a network. The weakness is in the configuration, not the technology. Some configuration weaknesses include allowing null sessions and storing LM hashes for passwords. Neither of these is fixed by any hotfix, but they can be fixed by knowing they exist and being able to push down the appropriate fix.

Restarting disabled security applications is a very necessary capability of any NAC/NAP solution. I don’t know of any entity with which I’ve ever worked that didn’t have antivirus software installed. It is the de facto security application. It may not be the best or work all that well, but even amateur computer users understand the importance of antivirus applications. The problem is that just because it’s installed that doesn’t mean it’s running or up to date. You learned earlier about updating these applications, but why is it important to ensure that these and other security applications are running? Well, there are at least three reasons:

End users will shut down security applications to deliberately do things that security applications would either report on or prohibit.
End users are sometimes told to disable their security applications.
Malware will disable security applications.

I know of a bunch of first-hand stories where end users will disable security applications. Some reasons are valid, and some occur because the user is attempting to do something unauthorized. A system administrator may need to shut down a personal firewall to do some network testing. On the other hand, a sales guy may disable his antivirus software because it deletes a particular tool that the antivirus solution deems malicious.

Users are inundated with requests for them to alter the security posture of their systems. When these applications become disabled, it is important that the remediation component of the NAC/NAP solution be able to fix the problem by restarting the application. Figures 2-18 and 2-19 show real-life examples of users being asked to disable their corporate security programs.
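The two configuration weaknesses named above (null sessions and stored LM hashes) and the "restart disabled security applications" action can both be handled by a remediation script pushed to the endpoint. The following PowerShell is an added example, not code from the book or from any NAC vendor; it uses the documented LSA registry values for those two settings, and the service name WinDefend is an assumed placeholder for whatever security agent an organization actually runs.

```powershell
# Added example (not from the book): endpoint remediation for two configuration
# weaknesses discussed in the text (null sessions, LM hash storage) plus restarting
# a stopped security service. The service name is an assumption; adjust it.
# Run elevated. Use -WhatIf to report drift without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SecurityService = 'WinDefend'   # assumption: placeholder agent name
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Desired state. RestrictAnonymous = 1 blocks null-session enumeration;
# NoLMHash = 1 stops the weak LM hash from being stored at the next password change.
$policy = @(
    @{ Name = 'RestrictAnonymous'; Expected = 1; Why = 'null sessions allowed' },
    @{ Name = 'NoLMHash';          Expected = 1; Why = 'LM hashes stored' }
)

$findings = @()
foreach ($p in $policy) {
    # A missing value reads as $null, which also fails the comparison below.
    $current = (Get-ItemProperty -Path $lsa -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($current -ne $p.Expected) {
        $findings += "$($p.Name)=$current ($($p.Why))"
        if ($PSCmdlet.ShouldProcess("$lsa\$($p.Name)", "set to $($p.Expected)")) {
            Set-ItemProperty -Path $lsa -Name $p.Name -Value $p.Expected -Type DWord
        }
    }
}

# Restart the security application if a user or malware stopped it.
$svc = Get-Service -Name $SecurityService -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "$SecurityService not installed"
} elseif ($svc.Status -ne 'Running') {
    $findings += "$SecurityService was $($svc.Status)"
    if ($PSCmdlet.ShouldProcess($SecurityService, 'start service')) {
        Set-Service -Name $SecurityService -StartupType Automatic
        Start-Service -Name $SecurityService
    }
}

# One-line result the NAC or patching console can record for the device.
if ($findings.Count -eq 0) { 'Compliant: no remediation needed' }
else { 'Remediated/flagged: ' + ($findings -join '; ') }
```

The NoLMHash change only affects hashes written after the next password change, so a compliance check that also wants existing LM hashes gone must force a password reset.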

Chapter 2 The Technical Components of NAC Solutions

Figure 2-18 Comcast asking users to disable security programs