Security Solutions

3-71
Designing Access Controls
Choose Endpoint Integrity Testing Methods
Post-Connect Testing
If you implement endpoint integrity testing only when users first connect to
the network, sophisticated users quickly learn that they can change their
security settings after this pre-connect test is completed and the endpoint
has been admitted. For example, a user can raise the browser's security
settings to an acceptable level, wait until testing is complete, and then drop
the settings to a lower level; the endpoint keeps its network access even
though it no longer meets the policy. To ensure that endpoints remain
compliant with your security policies, you should also implement post-connect
testing, which retests endpoints after they have been admitted.
Some testing methods permit post-connect testing more easily than others.
The NAC EI agent is always available, and once it is installed, users cannot
interfere with the testing process unless they manually uninstall the agent.
Post-connect testing with the agentless test method will work seamlessly unless
the user disables file and print sharing, closing the four ports required with this
testing method. If this happens, users will be prompted to enable file and print
sharing with the appropriate ports so that post-connect testing can run.
Post-connect testing with ActiveX can be circumvented more easily. The user
must keep IE open on the desktop to enable this testing. If the user closes this
application—whether in an attempt to evade testing or simply because he or
she no longer wants to access the Internet—the post-connect testing cannot
be completed.
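As an added example (not part of the original guide and not NAC 800 code), the following Python model replays the evasion described above: the user raises the browser security setting, passes the pre-connect test, and lowers it once admitted. It compares a pre-connect-only decision with periodic post-connect retests, encodes when each of the three methods can actually run a retest, and includes a TCP probe for the ports an agentless retest needs. The policy threshold, the retest interval, the scenario timings, and the mapping of the guide's "four ports" onto the Windows File and Printer Sharing ports (TCP 139 and 445, UDP 137 and 138) are assumptions made for illustration.

```python
"""Post-connect integrity retesting: a model of the evasion in the text.

Added example, not NAC 800 code. The policy threshold, retest interval and
port mapping below are assumptions made for illustration.
"""
import socket
from dataclasses import dataclass

# Ordered browser security levels; policy requires at least "medium" (assumed).
LEVELS = {"low": 0, "medium-low": 1, "medium": 2, "high": 3}
REQUIRED_LEVEL = "medium"

# Assumed mapping of the "four ports" opened by Windows File and Printer
# Sharing: TCP 139/445 are probed here; UDP 137/138 cannot be connect()-probed.
AGENTLESS_TCP_PORTS = (139, 445)


@dataclass(frozen=True)
class Snapshot:
    """Endpoint posture observed t seconds after the connection attempt."""
    t: int
    browser_level: str
    sharing_ports_open: bool = True   # agentless retest can reach the endpoint
    browser_open: bool = True         # ActiveX control runs only while IE is open


def compliant(snap: Snapshot) -> bool:
    return LEVELS[snap.browser_level] >= LEVELS[REQUIRED_LEVEL]


def posture_at(snapshots, t):
    """Posture in effect at time t: the latest snapshot taken at or before t."""
    current = snapshots[0]
    for snap in snapshots:
        if snap.t <= t:
            current = snap
    return current


def preconnect_only(snapshots):
    """Verdict when the endpoint is tested once, at connect time (t == 0)."""
    return "admit" if compliant(posture_at(snapshots, 0)) else "quarantine"


def retest_outcome(method, snap):
    """Can a post-connect retest run with this method? (rules of Table 3-46)"""
    if method == "agent":
        return "tested"                # once installed, always available
    if method == "agentless":
        return "tested" if snap.sharing_ports_open else "prompt_user"
    if method == "activex":
        return "tested" if snap.browser_open else "cannot_test"
    raise ValueError(f"unknown method {method!r}")


def postconnect(snapshots, method, interval, horizon):
    """Retest every `interval` seconds up to `horizon`; returns [(t, outcome)]
    with outcome in compliant/quarantine/prompt_user/cannot_test, stopping at
    the first quarantine."""
    events = []
    t = interval
    while t <= horizon:
        snap = posture_at(snapshots, t)
        outcome = retest_outcome(method, snap)
        if outcome == "tested":
            outcome = "compliant" if compliant(snap) else "quarantine"
        events.append((t, outcome))
        if outcome == "quarantine":
            break
        t += interval
    return events


def sharing_ports_reachable(host, ports=AGENTLESS_TCP_PORTS, timeout=1.0):
    """TCP probe of the ports an agentless retest needs; returns {port: bool}.
    A closed port is the case where the NAC 800 must prompt the user to
    re-enable file and print sharing before it can retest."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                result[port] = True
            except OSError:
                result[port] = False
    return result


# Constructed scenarios (not captured data); times in seconds after connect.
EVASION = [Snapshot(0, "high"),                       # raise setting, pass test,
           Snapshot(90, "low")]                       # then drop it once admitted
EVASION_CLOSE_IE = [Snapshot(0, "high"),              # same, and IE is closed
                    Snapshot(90, "low", browser_open=False)]
EVASION_NO_SHARING = [Snapshot(0, "high"),            # same, sharing disabled
                      Snapshot(90, "low", sharing_ports_open=False)]

if __name__ == "__main__":
    print("pre-connect only:", preconnect_only(EVASION))
    for method, scenario in [("agent", EVASION), ("agentless", EVASION),
                             ("agentless", EVASION_NO_SHARING),
                             ("activex", EVASION_CLOSE_IE)]:
        print(f"{method:9s}", postconnect(scenario, method, 300, 900))
```

Running the module shows the pre-connect-only check admitting the endpoint and never revisiting it, the agent and agentless retests quarantining it at the first retest, the agentless retest degrading to a user prompt when sharing is disabled, and the ActiveX retest never completing once IE is closed. The `sharing_ports_reachable` probe is the check you would run from the NAC appliance's side before scheduling an agentless retest.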
Table 3-46. Testing Methods by Post-Connect Testing

                                    Agentless                              ActiveX                             NAC EI Agent
Criteria for post-connect testing   The NAC 800 can retest endpoints by    The ActiveX component must be       Once installed, the agent is
                                    initiating another agentless session.  installed prior to each test.       always available for testing.
User evasion                        None                                   Close browser                       None

Example. Knowing that some students will change their endpoint security
settings after the pre-connect testing is completed, the PCU network
administrators plan to implement post-connect testing. On the private wired,
private wireless, and remote zones, PCU network administrators want to use the
NAC EI agent and agentless testing methods because those methods are harder to
circumvent. This will ensure that the endpoints on the private zones remain
compliant, decreasing the network's vulnerability to attacks.