Security Solutions

Designing Access Controls
Choose Endpoint Integrity Testing Methods
Advantages and Disadvantages of ActiveX Testing
The ActiveX agent does not remain on the endpoint and does not require maintenance or upgrades—saving overhead. Generally, the NAC 800 can test an endpoint through its firewall, automatically opening the necessary ports.

However, while the NAC agent requires a one-time installation and user interaction, the ActiveX agent requires that interaction every time an endpoint connects. Although the user may not notice the installation if the endpoint allows ActiveX content without prompting, the installation does add overhead to network traffic.

Internet Explorer must be open for the NAC 800 to test the endpoint. If a user closes Internet Explorer after his or her endpoint has gained access, the NAC 800 cannot retest the endpoint. The user can continue to connect to the network—even if the endpoint becomes non-compliant—for as long as IE is closed.
Agentless

RPC was designed to provide a flexible framework for a variety of communications between remote devices. The NAC 800 uses RPC to run integrity checks on endpoints, which must support RPC.

In order for an endpoint to accept the RPC messages, the NAC 800 must submit credentials for an administrator of that endpoint. On the NAC 800, these credentials are called agentless credentials and can be:

• Configured in cluster settings—Enter the credentials of an administrator in the endpoint's domain.

• Submitted by the end-user—This option allows agentless testing of a user who is not a member of your domain. However, because users often do not know, or are reluctant to share, the proper credentials, this option is not generally recommended.
Caution: Never make agentless testing the only method available to test non-domain members. Because you will not know the administrator credentials for these endpoints, agentless testing will not succeed. Depending on your configuration, the user will probably be placed in a test or quarantine VLAN.