Home page logo
/

basics logo Security Basics mailing list archives

Re: NAC Question
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Sat, 18 Apr 2009 15:20:22 -0400

Sounds like you're fighting a losing battle with a company that
doesn't care about security.  If they won't fund your security program
or provide managerial support then that is a clear message that
security does not matter to them.

On Sat, Apr 18, 2009 at 11:46 AM,  <avghacker () gmail com> wrote:
Both assessments are very good.  I have been working on trying to make sure / force all users to update their anti 
virus clients.  The biggest problem is that there are around 800 users and 5 of us in the IT dept.  I'm not sure how 
common / uncommon this ratio is in the corperate world.  Because of this anything we implment has to be carefully 
planned bc we can only handle so many ticket requests at one time.



Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Stephen Mullins <steve.mullins.work () gmail com>

Date: Sat, 18 Apr 2009 11:36:18
To: <Noah.Lance () apcc com>
Cc: <avghacker () gmail com>; <security-basics () securityfocus com>
Subject: Re: NAC Question


I agree with this guy.  You can't protect what you don't control.  A
network where all of the users have local admin is a network that
cannot be realistically defended.

On Tue, Mar 24, 2009 at 5:25 PM,  <Noah.Lance () apcc com> wrote:
This would be a user policy issue. A NAC is always a good idea, but if you
don't have the money or power to implement it you'd be better off a policy
based solution.

Information Assurance user level training could fix a good portion of this
problem. User training is key to these situations I watch large companies
leave this out and then have 100's of experienced IT personnel running
around with their web found solutions, which is great and all. However, if
the company just put some emphasis on user training/awareness, usage
policies, through an Information Management program they would never be a
this point.

Currently if you are looking at warding off malware then you are best off
implementing a computer based local policy. If they are windows boxes
(assuming so, since nix boxes would be a big worry) use GPO/computer
Security templates. Harden the box via these policies and enforce the
firewalls are turned on, use the IEAK to configure it have the pop up
blocker turned on, utilize the connection levels IE already provide.....
your getting the point I'm sure. Sure local admins could change this but
few people, heh, few IT personnel know hot to work through such a
configuration.

Another more "enterprise" level solution would be to utilize SMS and
Symantec MMC to hunt out any "aged" configurations, once they send an
alert have the IS guys or even Service Desk disable the computer accounts
via Active Directory. You could actually even do this via logon script,
and have it cached for local runs.

If you really want the full NAC, there's a few universities I've read
about implementing a combo type system. If any user plugs their computer
into the network, the computer submits to a scan and if they are not up to
date per AV/VA then they are only allowed to go to the common minimal
sites to get the updates. Nothing else.

Realistically, for a production environment you are best off with getting
a strong Vulnerability Assurance/Management program in place first.
Establish written policies and then aid with user awareness and education.





avghacker () gmail com
Sent by: listbounce () securityfocus com
03/24/2009 11:49 AM
Please respond to
avghacker () gmail com


To
security-basics () securityfocus com
cc

Subject
Re: NAC Question






Well we have the downadup worm floating around our network and are slowly
trying to deal with it.  Our environment has a lot of users who are local
admins so they basically are allowed to download anything here and at
home.  I wanted a way to keep them off the network unless they have
patches and an AV solution.  Many users only pull out their laptops every
couple of weeks so obviously the update server isn't reaching them.

Side note: already have and ids in place
------Original Message------
From: exzactly
To: avghacker () gmail com
To: security-basics () securityfocus com
Subject: Re: NAC Question
Sent: Mar 24, 2009 12:34 PM

Are you sure NAC is the way to go for your issue? An IPS may be a better
option to keep the spread of Malware down. NAC can be expensive, messy to
implement and time consuming, it has it's place but I don't know if your
requirements would warrant it. Can you add a little more information to
your
issue?

--------------------------------------------------
From: <avghacker () gmail com>
Sent: Friday, March 20, 2009 4:39 AM
To: <security-basics () securityfocus com>
Subject: NAC Question

Hey all was wondering if anyone had any experience with deploying or
maintaining a NAC?  I'm looking for recommendations, advice, gotchas,
etc...

Having some serious malware issues in a place that doesn't have patch
management and I'm looking to turn to a NAC to help bring the network
under control.....advice?

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises,
Certified Ethical Hacker and Certified Penetration Tester exams, taught
by
an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------




Sent from my Verizon Wireless BlackBerry


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized 
certs available, online computer forensics training available.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]