Dodging Silver Bullet Syndrome or: How I Learned to Stop Worrying and Prepared for NAP (Part 1)
I find it both interesting and exciting to see all the continued industry buzz around the whole network access control space (read: the long list of acronyms like Microsoft NAP (MNAP), Cisco NAC (CNAC), TCG's TNC (TNC), et al). Perhaps one of the interesting twists to this space is the combined industry effort to define such "nac" solutions as a simple, single silver bullets for what ills today's highly interconnected networks rife with mobile workers, network guests, and those evil doers - the malicious attacker.
Granted, I'm not attempting to cast a stone within a glass house (i.e. Microsoft is marketing NAP as a solution offering in this space), but instead hope to reset the reality versus marketing that is potentially being put into the market place. (read: your humble blogger is attempting to "stir the pot", not "kick-up of storm"...I think).
First and foremost, no offering, from any vendor should be viewed as the single, one stop solution for improving the security of your network. Instead, I strongly suggest you view these various solutions/products -- from end-point products, to appliances, to full-network overlays -- as tools in your arsenal to enforce the policies you already have.
Wait.
You have policies, right?
No, not those "No Smoking" or "Don't Surf Porn" policies.
I mean the policies that outline what a healthy computer looks like. Like, what does it mean to be or what does it take to get in compliance.
I like to call these your pile of paper policies (or PPP -- not that point-to-point protocol). Many of you have already (hopefully) created a basic set of requirements for what it means to be in compliance. This was likely driven by a malware outbreak (i.e "dang, if only we installed that patch or actually made people turn on AV" ) and/or as the result of an external audit.
Good. You've got those.
Next, you need to revisit them to make sure they are not only up to date, but comprehensive enough to be meaningful. For example, it's not just good enough to say you need antivirus and some patches here and there. You'll need to think about how you'll treat, for example, guest workers. What about the latest versions of LOB applications?
Yes. You're right that we don't want to run before we can walk, but it is both good and important to build in a process that enables your organization to revisit these PPP on a regular basis and update as needed (especially as threats change). For example, it's no longer enough to just switch on Automatic Updates since attackers have been working their way up the application stack now, and the result are attacks that target things like licensing mechanisms for the applications you may have installed en masse (a la CA's "calic" vulnerability a few years back).
My recommendation is you take a look at some of my favorite bits of Microsoft guidance and industry best practices to help support these efforts. You don't necessarily need to reinvent the wheel. Instead, you can add some of those neat Aquatreds to provide some more agility.
Some of my fav's and great places to start include:
- Microsoft Security Risk Management Guide (which we did a Security360 on way back a few years ago)
- Microsoft Threats and Countermeasures Guide
- Microsoft Windows Vista Security Guide
Once you have your health policies in order, you'll need to next look at how you want your logical network to defined. Yup, the logical network. A key mindset you'll need to adopt is around shifting the way you think of your network from what is today defined by the physical topology (i.e. the wires, radio waves, and routing gear) to one that is based on and driven by policy.
We like to call this policy-driven (network) access. I added the "network" there to help scope what we're talking about.
My next posting will look at how to start modeling your network, and what tools/solutions are available to you today (like Server and Domain Isolation and Secure Wireless LAN with IAS).
Post Script
So, just yesterday morning we were meeting with some representatives of a large OEM of Microsoft's, and was quite surprised by the fact they were not hearing a lot of buzz from their customers around the whole NAC space.
"Wow!" I said. "This is one of the hottest areas of buzz and discussion in the network security space."
Still. No dice.
"Back your statement with data," was a very appropriate response from the OEM's relationship manager to me. Granted, it was early, so I couldn't pull any great stats out.
Well, groups like TheInfoPro have shown that NAC is a hot space, as detailed in this January 2007 article posted to IT Security:
"A recent survey by TheInfoPro shows that 30 percent of the Fortune 1000 companies polled already have NAC in use. That installed base appears poised to grow. More than half of TheInfoPro’s survey participants had NAC somewhere in their technology adoption plans. Fourteen percent of the respondents reported piloting or evaluating NAC technology, 12 percent cited NAC in their near-term plans, and 27 percent considered NAC a long-term implementation item. "
It's just one set of data points, but there is certainly a lot of buzz out there!
Comments
Anonymous
January 01, 2003
While it has been nearly three months since I moved from the role as product manager for Windows ServerAnonymous
January 01, 2003
The Short NAP is a quick list of Microsoft Network Access Protection and Server/Domain Isolation relatedAnonymous
January 01, 2003
That's it! It's my turn to throw my hat into the Forefront Team Blog ring! Okay...I'm not 100% what that