Security Solutions
Customer Needs Assessment
Determine Your Endpoint Integrity Requirements
■ Networks to which the endpoint connects—This check helps you to determine whether more endpoints than you expect are connecting through a single endpoint. For example, students at some universities transform their endpoints into wireless routers (connected to the university network on the Ethernet port and to an ad hoc wireless network with a wireless card) and offer their friends access to the university network.
■ Security settings for macros—A macro records a specific input sequence and a corresponding output sequence. Then, when the same input sequence is entered, the corresponding output sequence is produced. For example, a graphic designer might create a macro for a FAQ box, which all marketing writers must import and use in specific situations. However, imported macros can pose a risk: attackers can easily exploit macros, using them to execute malicious commands. As always, when determining the level of protection that your organization needs, meet with users. Find out whether they require macros. If you intend to enforce a high security level, do the users know how to add trusted sources for macros so that they can continue to use the macros they need?
■ Local security settings—These settings determine how users are
allowed to access the endpoint. Does your organization have policies
about the passwords users set on their endpoints? If so, you can enforce
these policies with your NAC 800.
Software—Windows
The Software—Windows tests check software installed on an endpoint. Some
tests look for required software, such as personal firewalls and anti-virus
software. Another test scans for known viruses and other malware.
Other tests look for prohibited software, such as file sharing software and IM
software. This is where your network evaluation will become extremely
useful. Although you may be inclined to prohibit such software (the option
that provides better security), you need to consider the needs of your
company’s employees. If they are using IM to collaborate on work projects,
requiring them to disable this software could create problems.
You can also require software. For example, managers may prefer employees
to use particular applications or versions of applications. You could meet with
managers and compile a list of necessary software for the NAC 800 to scan
for. Of course, you may not want to deny a user network access simply
because his or her endpoint doesn’t have a piece of software. However, you
can configure the NAC 800 to send you an email notification without
interfering with the user’s access. Then you can get in touch with the user and
install the missing software.
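
The graded response described above (deny access for some failed software tests, notify only for others) can be sketched as a small decision routine. This is an added illustration, not NAC 800 configuration or code from this guide; the rule names, the action levels, and the choice to treat IM as notify-only are constructed assumptions.

```python
from dataclasses import dataclass

# Actions ordered from least to most disruptive; the strictest failed rule wins.
ALLOW, NOTIFY, QUARANTINE = 0, 1, 2
ACTION_NAMES = {ALLOW: "allow", NOTIFY: "notify", QUARANTINE: "quarantine"}


@dataclass(frozen=True)
class SoftwareRule:
    name: str       # product name matched against the endpoint inventory
    required: bool  # True = must be installed, False = must not be installed
    on_fail: int    # action to take when the rule is violated


# Constructed policy (assumption): security software and file sharing are
# enforced, while IM and a manager-requested application only raise a notice.
POLICY = [
    SoftwareRule("personal firewall", True, QUARANTINE),
    SoftwareRule("anti-virus", True, QUARANTINE),
    SoftwareRule("file sharing client", False, QUARANTINE),
    SoftwareRule("im client", False, NOTIFY),
    SoftwareRule("expense reporting tool", True, NOTIFY),
]


def evaluate(installed, policy=POLICY):
    """Return (action_name, findings) for one endpoint's software inventory."""
    present = {item.strip().lower() for item in installed}
    action, findings = ALLOW, []
    for rule in policy:
        found = rule.name.lower() in present
        if found != rule.required:
            kind = "missing required" if rule.required else "prohibited present"
            findings.append(f"{kind}: {rule.name} -> {ACTION_NAMES[rule.on_fail]}")
            action = max(action, rule.on_fail)
    return ACTION_NAMES[action], findings


if __name__ == "__main__":
    # Constructed inventory: protected endpoint lacking the manager-requested tool.
    print(evaluate(["Personal Firewall", "Anti-Virus"]))
```

Running the routine against an inventory export before enabling enforcement shows how many endpoints each rule would quarantine versus merely flag.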