Model 3: End-System Authorization with Assessment
2-10 NAC Deployment Models
Features and Value
In addition to the features and values found in Model 1 and Model 2, the following are key pieces
of functionality and value propositions supported by Model 3, End-System Authorization with
Assessment:
Extensive Security Posture Compliance Verification
The following describes a few examples of tests that can be executed for connecting end-systems
and the relevance of these tests from a compliance and security standpoint:
• Antivirus software configuration
The NAC solution can determine if an end-system has antivirus software installed, if it is
properly configured (real-time protection is enabled), if it is up-to-date with the most recent
virus definition file, and if it is enabled. Antivirus software has the ability to detect infections
as they happen, and to prevent further propagation of the virus to other end-systems. It is
important to verify that end-systems are protected with antivirus software when they connect
to the network, in case the end-system is subsequently infected with a worm or virus after
connectivity is established.
• Operating system patch level
The NAC solution can determine if the end-system is up-to-date with the latest operating
system patches. This ensures that any vulnerabilities present in services running on
unpatched laptops are appropriately remediated, so that attacks that target those
vulnerabilities are not successful, if they reach the device on the network.
• Malware infection
The NAC solution can determine if the end-system is infected with malware (worms, viruses,
spyware, and adware) by identifying backdoor ports on which the end-system is listening,
running processes and services, and/or registry key settings. By identifying infected
end-systems prior to network connection, the NAC solution protects other end-systems on the
network from possible infection and prevents the unnecessary consumption of network
bandwidth.
• Host firewall configuration
The NAC solution can determine if the end-system has a host firewall enabled. By having a
firewall enabled, the end-system can protect itself against attacks targeting vulnerable services
and applications on the device.
• Peer-to-Peer (P2P) file sharing software configuration
The NAC solution can determine if the end-system is installed with or is running a P2P file
sharing application. Since P2P file sharing applications facilitate the illegal file transfer of
copyrighted data on the network and can be used for recreational purposes, it is important
that the NAC solution validates that this type of application is not in use on end-systems prior
to network connection. This avoids legal issues involved with the transfer of copyrighted data
or loss of productivity due to inappropriate online activity.
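The five tests above can be read as one posture evaluation over an assessment report. The following is an added example, not code from this guide or from any NAC product: the `PostureReport` fields, the `assess` function and all policy values are hypothetical and constructed for illustration, and the malware test covers only the listening-port signal.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy values below are constructed for illustration, not taken from the guide.
MAX_DEFINITION_AGE_DAYS = 7
REQUIRED_PATCHES = {"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"}
BACKDOOR_PORTS = {31337, 12345}
P2P_PROCESSES = {"example-p2p.exe"}

@dataclass
class PostureReport:  # hypothetical assessment result for one end-system
    av_installed: bool
    av_realtime: bool
    av_definitions: Optional[date]  # None when no definition file was found
    patches: set
    listening_ports: set
    processes: set
    firewall_enabled: bool

def assess(report: PostureReport, today: date) -> list:
    """Return the names of the failed tests; an empty list means compliant."""
    failed = []
    defs = report.av_definitions
    stale = defs is None or (today - defs).days > MAX_DEFINITION_AGE_DAYS
    if not (report.av_installed and report.av_realtime) or stale:
        failed.append("antivirus")
    if REQUIRED_PATCHES - report.patches:  # any required patch missing
        failed.append("os_patch_level")
    if report.listening_ports & BACKDOOR_PORTS:
        failed.append("malware")
    if not report.firewall_enabled:
        failed.append("host_firewall")
    if {p.lower() for p in report.processes} & P2P_PROCESSES:
        failed.append("p2p")
    return failed

if __name__ == "__main__":
    today = date(2024, 1, 15)  # constructed sample data
    laptop = PostureReport(True, True, date(2023, 12, 1), {"PATCH-EXAMPLE-1"},
                           {445, 31337}, {"Example-P2P.exe"}, False)
    print(assess(laptop, today))
```

Returning the list of failed tests rather than a single pass/fail value lets the authorization step record which test caused the result.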