In the past, when walking through the cubicle farms of corporations you would see primarily these types of devices. The CPU would be under the work area and a big honkin’ monitor would be on top of the work area. This is still the case at some companies, although laptop sales have surpassed desktop sales, as more and more organizations are simply giving their employees laptop computers. That notwithstanding, desktop computers certainly do exist.
The thing about desktop computers is that, generally speaking, they don’t move a whole lot. Does this mean they don’t cause a threat and shouldn’t be considered when looking at NAC solutions? No, I wouldn’t say so. You’ll see throughout this book and in your own research that the biggest threats do come from the laptops, but they aren’t the only threat.
Can a sedentary desktop actually cause problems for the LAN? Absolutely, as you’ll see in Chapter 4. Desktops can become infected and have their security posture become noncompliant just as any other device can. The main reasons for this are that they do have access to the Internet and to files from other computers and systems, and they can have USB drives and other media connected to them. The simple act of surfing the Internet or plugging in a USB hard drive can put the desktop in a state where an enterprise would not want it to have full access to resources on the LAN.
It’s also important to keep in mind the role of Post-Admission NAC when it comes to LAN-based desktop computer systems. These systems may only attempt to get an IP address on the LAN once a week, or even once a month, when the machine happens to get rebooted. Once on, they may stay on the LAN for extended periods of time and never try to gain access again. Certainly, over the course of a week or month, their security posture can change.
Laptops Used on and off the LAN
These types of systems pose one of the absolute largest threats to organizations. This is because they:

- Are put in the most vulnerable situations
- Have data on the actual devices themselves
- Access LAN-based resources while mobile
- Physically connect back onto the LAN on a routine basis
I am a perfect example of this type of user. Over the past week, I have worked from home, worked from a client location in Pittsburgh, connected to the Internet via EvDO while at an airport, connected via a Wi-Fi hotspot at a different airport, and VPN’d back to the corporate network every day. Plus, from time to time I will physically go to my company’s corporate headquarters and connect via the wireless LAN or Ethernet.
So, how will LAN-based NAC help me and other users like me? For starters, when I try to VPN into the corporate network, the LAN-based solution can assess me and see if my security posture is up to snuff enough to allow me unrestricted access to the LAN. Most corporations would cite checking for updated antivirus software as a good example of a check that would be performed.
In addition to checking during VPN, the LAN-based NAC solution can assess me when I return to the corporate headquarters. If my security posture is deficient at that time, then the organization can prohibit me from physically accessing the corporate LAN.
At first glance, it would appear as though the LAN-based solution would do a good job of protecting the LAN from me. At each entry point, whether VPN, wireless LAN, or Ethernet, it’s checking to make sure that my security posture meets the minimum requirements. If it doesn’t, it will restrict me and hopefully remediate the problem that is causing the deficiency. Here’s where this solution falls short.
A good portion of the time I worked this week, I was connected to a network, such as the Internet, without any connection back to my corporate LAN. At times, I was downloading software, surfing the Internet, checking private e-mail, and so on. During that time, my security posture could have easily become deficient and I could have been hacked directly or infected with malware. Either of these events could have placed a keylogger or other backdoor program onto my laptop. It also could have installed a worm that would attempt to propagate on any LAN to which I attach, including the corporate LAN. These attacks that occur in the Mobile Blindspot are easily missed by LAN-based NAC systems upon my return to the LAN via VPN or physically.
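To make the two behaviours discussed above concrete, the Post-Admission NAC point from the desktop passage (a device admitted once and never re-checked) and the entry-point checks described for laptops (VPN, wireless LAN, Ethernet), here is a small policy-engine model. It is an added illustration, not code from this book or from any NAC product; the policy thresholds, posture attributes, entry-point names and endpoints are all constructed. An admission-only engine decides once; a post-admission engine re-evaluates every endpoint on an interval and moves it to quarantine when its reported posture drifts out of compliance. The returning-laptop case shows that the admission decision is made only on the attributes the endpoint reports at that moment, which is exactly why events in the Mobile Blindspot are invisible to it.

```python
"""Toy LAN-based NAC policy engine (added example; constructed policy and data).

Models admission checks at each entry point plus optional post-admission
re-assessment, so the admission-only and post-admission outcomes can be compared.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed policy: what a compliant endpoint must report.
AV_DEFINITIONS_MAX_AGE_DAYS = 7
MIN_OS_PATCH_LEVEL = 10


@dataclass
class Posture:
    """Attributes an endpoint agent reports when it is assessed."""
    av_definitions_age_days: int
    firewall_enabled: bool
    os_patch_level: int


@dataclass
class Endpoint:
    name: str
    posture: Posture
    access: str = "none"            # none | full | quarantine
    last_assessed_day: int = -1
    events: List[str] = field(default_factory=list)


def evaluate_posture(p: Posture) -> List[str]:
    """Return the policy violations for a reported posture; empty means compliant."""
    violations = []
    if p.av_definitions_age_days > AV_DEFINITIONS_MAX_AGE_DAYS:
        violations.append("stale antivirus definitions")
    if not p.firewall_enabled:
        violations.append("host firewall disabled")
    if p.os_patch_level < MIN_OS_PATCH_LEVEL:
        violations.append("missing OS patches")
    return violations


class NacEngine:
    """reassess_interval_days=None models admission-only NAC; an integer models
    post-admission NAC that re-checks every admitted endpoint on that interval."""
    ENTRY_POINTS = {"ethernet", "wlan", "vpn"}   # constructed names

    def __init__(self, reassess_interval_days: Optional[int] = None):
        self.reassess_interval_days = reassess_interval_days

    def _decide(self, ep: Endpoint, day: int, reason: str) -> str:
        # The decision sees nothing but the attributes reported right now.
        violations = evaluate_posture(ep.posture)
        ep.access = "quarantine" if violations else "full"
        ep.last_assessed_day = day
        ep.events.append(f"day {day}: {reason} -> {ep.access}; violations={violations}")
        return ep.access

    def admit(self, ep: Endpoint, entry_point: str, day: int) -> str:
        """Admission-time check, applied identically at every entry point."""
        if entry_point not in self.ENTRY_POINTS:
            raise ValueError(f"unknown entry point {entry_point!r}")
        return self._decide(ep, day, f"admission via {entry_point}")

    def tick(self, ep: Endpoint, day: int) -> str:
        """Called once per day for every endpoint; only post-admission NAC can
        change a decision here."""
        if ep.access == "none" or self.reassess_interval_days is None:
            return ep.access
        if day - ep.last_assessed_day >= self.reassess_interval_days:
            return self._decide(ep, day, "post-admission re-check")
        return ep.access


def simulate_desktop(reassess_interval_days: Optional[int],
                     days: int = 30) -> Tuple[str, Optional[int]]:
    """A desktop admitted once over Ethernet whose AV definitions are never
    updated afterwards. Returns (final access, day first quarantined or None)."""
    engine = NacEngine(reassess_interval_days)
    desktop = Endpoint("desktop-01", Posture(0, True, 12))   # compliant at admission
    engine.admit(desktop, "ethernet", day=0)
    quarantined_on = None
    for day in range(1, days + 1):
        desktop.posture.av_definitions_age_days += 1        # definitions age daily
        if engine.tick(desktop, day) == "quarantine" and quarantined_on is None:
            quarantined_on = day
    return desktop.access, quarantined_on


def simulate_returning_laptop(av_definitions_age_days: int, entry_point: str) -> str:
    """A laptop reconnecting after time off the LAN. Only the reported posture
    drives the decision; anything that happened while it was away is not in it."""
    engine = NacEngine(reassess_interval_days=1)
    laptop = Endpoint("laptop-07", Posture(av_definitions_age_days, True, 12))
    return engine.admit(laptop, entry_point, day=0)


if __name__ == "__main__":
    print("admission-only desktop:", simulate_desktop(None))
    print("post-admission desktop:", simulate_desktop(7))
    print("laptop, current AV, via VPN:", simulate_returning_laptop(0, "vpn"))
    print("laptop, stale AV, via WLAN:", simulate_returning_laptop(30, "wlan"))
```

Running it shows the admission-only desktop still holding full access at day 30 with three-week-old definitions, while the post-admission engine quarantines it at its second re-check; the laptop with current definitions is admitted over VPN regardless of what it picked up while away.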
Chapter 3 ■ What Are You Trying to Protect?

The big point here is that the LAN cannot truly be protected against these types of laptops by LAN-based NAC alone. That is why Mobile NAC exists, and Mobile NAC will be discussed later in this chapter and throughout this book.
NOTE: The concept of the Mobile Blindspot is extremely critical to understand. The Mobile Blindspot is the period during which the mobile device is out of the sight and control of the LAN-based systems.
The big point to grasp when it comes to devices that are mobile is that they can become compromised while mobile and the LAN-based systems will never find out about it. Again, exactly how systems are compromised will be discussed in Chapters 4 and 5.