OK, so it's been a while since the last blog, so I've decided to jump back and forth between different areas based on what's happening around me. For this week's blog I'd like to run through a quick discussion of NAC and compliance checking.
I know a lot of people who struggle in this arena and are usually left with an uneasy feeling when a consultant installs NAC on the customer's network and turns the driver's seat over to them. There is plenty of documentation out there discussing the various technologies, and by no means am I trying to just regurgitate that material. I'm trying to present it in a different way that might be beneficial for use.
First off, I'm assuming you have installed the Cisco NAC Appliance, are up and running, and feel comfortable maneuvering around the device. There are really three major components to check on a user's host (by a check, I mean something you would like to look for on the host). As of this date, in the 4.5 software code, there are three available checks:
- The registry check is pretty straightforward: is a registry key present or not present, or does a registry key string match?
- The file check lets us see whether a file is present or not present on the client, or check the file's date or version.
- The service check is straightforward too: it just looks to see whether a service is running, as does the process check.
So, think about all the various checks you would like to perform on the client and how you can use these checks in NAC to accomplish your goals. The following is an example of what a registry check looks like in NAC 4.5.

The image depicts a check based on the registry that looks for a registry key value. In fact, this is a Cisco-provided check that I just picked out of the air. How can you tell? Look at the name of the check, notice it begins with the word pc_. These are called “preconfigured checks”. Your NAM gets these from Cisco.com every night when it does its update (if you’ve configured NAC to poll Cisco every night).
Think about something else here. Since all we are checking for is the registry setting, how easy is it for a user to bypass this check? Yup, it's as easy as creating your own registry key with that value. Once you do that, you'll be able to gain network access and off you go.
Think about this from a high-level view. If your goal with NAC is to enforce policy for your infrastructure better than you currently do, AND IF you have other controls in place to help secure the environment, you will benefit from this technology. The other controls I am referring to are things like: do your users have access to the registry to create these keys on the fly to circumvent NAC? Or do you have software such as Cisco Security Agent on your network to enforce your host policies so that software (such as VMware) cannot be installed?
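To make the point about the registry-only check concrete, here is an added example (not from the original post, and not Cisco NAC rule syntax) that models the registry, file and service checks and evaluates them against two host snapshots. The product name, registry key, file path, service name and versions are all constructed for illustration.

```python
# Model of the registry, file and service checks described above.
# Every key, path, service name and version below is constructed sample data.

def version_tuple(v):
    """'8.10.0.0' -> (8, 10, 0, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

def run_check(check, host):
    """Return True if the host snapshot satisfies one check."""
    kind, op = check["type"], check.get("op")
    if kind == "registry":
        value = host["registry"].get(check["key"])       # None if key is absent
        if op == "exists":
            return value is not None
        if op == "not_exists":
            return value is None
        return value == check["value"]                   # op == "equals"
    if kind == "file":
        version = host["files"].get(check["path"])       # None if file is absent
        if op == "exists":
            return version is not None
        # op == "version_at_least": a missing file always fails
        return (version is not None
                and version_tuple(version) >= version_tuple(check["value"]))
    if kind == "service":
        return check["service"] in host["running_services"]
    raise ValueError(f"unknown check type: {kind}")

def failed_checks(checks, host):
    """IDs of the checks the host does not satisfy (empty list = compliant)."""
    return [c["id"] for c in checks if not run_check(c, host)]

AV_KEY = r"HKLM\SOFTWARE\ExampleAV\ProductVersion"      # hypothetical key
AV_EXE = r"C:\Program Files\ExampleAV\avscan.exe"       # hypothetical path

REGISTRY_ONLY = [{"id": "av_reg", "type": "registry", "key": AV_KEY,
                  "op": "equals", "value": "8.5"}]
LAYERED = REGISTRY_ONLY + [
    {"id": "av_file", "type": "file", "path": AV_EXE,
     "op": "version_at_least", "value": "8.5.0.0"},
    {"id": "av_service", "type": "service", "service": "ExampleAVSvc"},
]

# Host with the product installed, and a host where only the key exists.
INSTALLED_HOST = {"registry": {AV_KEY: "8.5"}, "files": {AV_EXE: "8.5.0.781"},
                  "running_services": {"ExampleAVSvc"}}
KEY_ONLY_HOST = {"registry": {AV_KEY: "8.5"}, "files": {},
                 "running_services": set()}

if __name__ == "__main__":
    for name, host in (("installed", INSTALLED_HOST), ("key only", KEY_ONLY_HOST)):
        print(name, "| registry only:", failed_checks(REGISTRY_ONLY, host),
              "| layered:", failed_checks(LAYERED, host))
```

The registry-only list cannot tell the two hosts apart, while the layered list reports the missing file and service on the key-only host.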
Author: Jim Thomas

