Monday, August 13, 2007

CAA Requirement Best Practices - Enforce Types

In the world of NAC Appliance, when using the NAC Agent, there are three enforce types. At first look you have the ability to use the following:

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is generated. The report results (pass or fail) do not affect user network access.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking "Next"). The client system does not have to meet the requirement for the user to proceed or have network access.

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

So why is this so important for NAC deployments? It gives administrators the ability to deploy with the least impact possible. All deployments should start with AUDIT type requirements. By doing this we are able to see how many users are coming onto the network without compliant workstations. From this information we can see whether all the methods by which users get patches, updates, etc. are working correctly (e.g. if WSUS or ePolicy Orchestrator is not working correctly, you will immediately see almost all hosts out of compliance).

Next, you should change all of the previous AUDIT requirements to OPTIONAL requirements. Users will still be allowed access in case of any discrepancy in your policy or remediation strategy, and this phase gets them through the hurdles of learning how to self-remediate.

Finally, utilize MANDATORY requirements to ensure that all policy is enforced.

The last major idea that should be taken into account is how to schedule this type of rollout. I typically recommend 30-45 days for AUDIT requirements and then 30-60 days for OPTIONAL requirements, but this must be determined on a per-organization basis. The key thing to take from this posting is that you do have this wonderful option to phase the enforcement of policy for your NAC deployment, and it will help ensure a smooth transition for administrators and end users. It is one less-talked-about configuration option that you can use to make your NAC deployment more successful.
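As an added example (not code from this post or from Cisco), here is one way to triage AUDIT-phase results before promoting requirements to OPTIONAL. The CSV columns, requirement names, thresholds and verdict labels are all assumptions chosen for illustration, not the NAC Appliance report format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per agent check during the AUDIT phase.
# Column names are assumptions, not the NAC Appliance report format.
SAMPLE_AUDIT_CSV = """timestamp,host,requirement,result
2007-08-01T08:00,pc-01,av-definitions,fail
2007-08-01T08:05,pc-02,av-definitions,fail
2007-08-01T08:10,pc-03,av-definitions,fail
2007-08-01T08:00,pc-01,windows-hotfixes,fail
2007-08-03T09:00,pc-01,windows-hotfixes,pass
2007-08-01T08:05,pc-02,windows-hotfixes,pass
2007-08-01T08:10,pc-03,windows-hotfixes,pass
2007-08-01T08:00,pc-01,personal-firewall,pass
2007-08-01T08:05,pc-02,personal-firewall,fail
2007-08-01T08:10,pc-03,personal-firewall,pass
"""

BROKEN_DISTRIBUTION = 0.90  # assumed: nearly all hosts fail, so suspect WSUS/ePO, not hosts
READY_TO_PROMOTE = 0.10     # assumed: few enough failures to move AUDIT to OPTIONAL

def triage_audit_results(csv_text):
    """Return {requirement: (failure_rate, verdict)} from each host's latest result."""
    latest = {}  # (requirement, host) -> (timestamp, result); ISO timestamps sort as text
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["requirement"], row["host"])
        if key not in latest or row["timestamp"] >= latest[key][0]:
            latest[key] = (row["timestamp"], row["result"].strip().lower())
    hosts, fails = defaultdict(int), defaultdict(int)
    for (req, _host), (_stamp, result) in latest.items():
        hosts[req] += 1
        fails[req] += int(result == "fail")
    report = {}
    for req in sorted(hosts):
        rate = fails[req] / hosts[req]
        if rate >= BROKEN_DISTRIBUTION:
            verdict = "check-update-infrastructure"
        elif rate <= READY_TO_PROMOTE:
            verdict = "promote-to-optional"
        else:
            verdict = "keep-auditing"
        report[req] = (round(rate, 2), verdict)
    return report

if __name__ == "__main__":
    for req, (rate, verdict) in triage_audit_results(SAMPLE_AUDIT_CSV).items():
        print(f"{req:20} {rate:5.0%} failing  {verdict}")
```

Counting only each host's most recent result keeps a workstation that was remediated during the audit window from being counted as a failure.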