Security Solutions

Designing Access Controls
Choose Endpoint Integrity Testing Methods
Example. Because the PCU network administrators are relying on users to
perform setup steps, they maintain most choices they made based on user
sophistication. However, because this factor includes only ease of setup and
not potential ways users can evade testing, ActiveX is more desirable.
Table 3-51. Testing Methods for Administrative Workload
Network Overhead
Initial installation, pre-connect testing, and post-connect testing all add
overhead to network traffic. You should factor in the amount of traffic you are
likely to have and whether pre-testing is likely to create a surge of traffic. For
example, does everyone in your organization arrive at approximately the same
time and start their computers within a half-hour time span? Can your network
handle the traffic created by the testing?
The time and bandwidth required to complete an endpoint integrity check
depend on the NAC policy: the more tests the policy includes, the longer the
check will take.
The High Security NAC policy, a pre-defined policy that includes approximately
20 tests, can be taken as a general high-water mark. The NAC 800 passes
approximately 9 to 16 kilobytes of total data between itself and an endpoint
to complete a single testing session with this policy. On a typical LAN, the
testing process would take between 5 and 10 seconds.
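The following planning sketch is an added example, not part of the original guide. It turns the per-session figures above into a surge estimate and goes slightly beyond the text by also computing peak overlapping sessions from a list of start times. The endpoint counts, arrival window and start times are constructed, and a kilobyte is assumed to be 1024 bytes.

```python
"""Surge estimate for endpoint integrity testing, using the per-session
figures quoted above (9-16 KB, 5-10 s). Endpoint counts, arrival windows
and start times are constructed sample inputs."""

KB = 1024  # assumption: "kilobyte" taken as 1024 bytes


def surge_estimate(endpoints, window_s, kb_per_session=16, secs_per_session=10):
    """Worst-case planning figures when `endpoints` machines are all tested
    within `window_s` seconds, spread evenly across the window."""
    total_bytes = endpoints * kb_per_session * KB
    arrival_rate = endpoints / window_s  # sessions started per second
    return {
        "total_mib": total_bytes / (1024 * 1024),
        "avg_kbit_s": total_bytes * 8 / window_s / 1000,
        # Little's law: sessions in progress = arrival rate x session duration
        "avg_concurrent": arrival_rate * secs_per_session,
    }


def peak_concurrency(start_times, secs_per_session=10):
    """Largest number of overlapping test sessions for the given start times
    (in seconds), e.g. taken from authentication logs."""
    events = []
    for t in start_times:
        events.append((t, 1))                      # session begins
        events.append((t + secs_per_session, -1))  # session ends
    # Sort ends before starts at the same instant so back-to-back sessions
    # are not counted as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


if __name__ == "__main__":
    # Constructed scenario: 1,500 endpoints start within a half-hour span.
    print(surge_estimate(1500, 30 * 60))
    # Constructed scenario: 40 endpoints connect in the first 20 s of a class.
    print(peak_concurrency([i * 0.5 for i in range(40)]))
```

With these constructed inputs the bandwidth is small compared with LAN capacity, so the number of simultaneous test sessions is usually the more useful figure to compare against your own measurements.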
Example. In the PCU environment, the pre-test and post-test times are likely
to be staggered throughout the day. However, there could be a surge when
each class begins, depending on how many students use their endpoints in
class. Downloading an ActiveX agent might slightly prolong the testing
process.
The one-time installation of the agents may generate high levels of traffic for
a few days at the beginning of the school year, but the lower traffic for the rest
of the year is especially attractive.
| Factor | Public Wired | Private Wired | Public Wireless | Private Wireless | Remote |
|---|---|---|---|---|---|
| Administrative workload | ActiveX, NAC EI agent | ActiveX, NAC EI agent, Agentless | ActiveX, NAC EI agent | ActiveX, NAC EI agent, Agentless | ActiveX, NAC EI agent, Agentless |