• Dan Wolff
    Group Manager for NAC and Endpoint Security products
    Dan has fifteen years of product marketing and product management leadership experience in the areas of information security, CAD and Web analytics. He works with the McAfee engineering team as well as customers on Network Access Control (NAC) and endpoint security issues. Prior to this role, he led product management for Entercept (now McAfee Host Intrusion Prevention) and the desktop firewall.
  • Network Risk Control Thursday, November 6, 2008 at 8:24 pm by Dan Wolff

    Tim Greene at Network World just issued a nice story in support of the notion that NAC can be a sort of ‘backstop’ to security tools.

    NAC is supposed to do a lot of things and once it’s installed, customers are finding that NAC often does even more than they bargained for.

    For instance, NAC can act as a backstop to other applications such as patch management that are supposed to maintain the proper corporate desktop image. Many customers say that when their NAC gear tests the health of endpoints, it often discovers that machines that should have been patched have not been, or that updates that should have been installed haven’t.

    One customer had statistics on the improvements. With patch-management software alone, 70% of endpoints were actually patched within 30 days of when the distribution started. With NAC in place, checking for unpatched machines as part of its tests, compliance jumped to 99% within 7 days.

    Similarly, the same customer found that vulnerabilities on its endpoints dropped significantly after NAC was installed. On its 50,000-endpoint network, the average number of vulnerabilities was 4.3 per machine. After NAC was in place and testing for some of the items that accounted for vulnerabilities, that number dropped to 1.3 per machine.

    While some may debate whether NAC is an effective security platform – and some well-informed security experts say it is not – it is undeniably a risk-mitigation tool. Having patched operating systems, updated antivirus and personal firewalls that are properly configured and turned on all contribute to lower risk. As these numbers from an actual user demonstrate, the benefits can be dramatic.

    I am interested in your own stories about success with NAC, so please leave a comment below. Thanks!


  • Introducing the Third Generation of NAC Tuesday, November 4, 2008 at 7:47 pm by Dan Wolff

    OK, you have spent a lot to secure your endpoints, but is your investment going to waste?

    IT organizations large and small have invested heavily in endpoint security to address the rapidly evolving security challenge. Antivirus, anti-spam, firewall, host intrusion prevention, compliance auditing and more have been deployed to protect and assess endpoints. Much has been made of the “dissolving perimeter problem”, and rightly so. But in today’s economy, companies are increasingly looking to also “dissolve the controls” in an effort to reduce operational and hardware costs by allowing end users to acquire and manage their own hardware. When many users are allowed to administer their own computers, it becomes relatively easy for them to install all manner of questionable applications (e.g. peer-to-peer) and even tamper with or disable antivirus or endpoint firewall policies. This introduces a great challenge for network security staff, as this self-imposed ‘back door’ creates a vulnerability and risk that needs a solution.

    Enter NAC

    NAC (Network Access Control) continues to generate a lot of enthusiasm and, correspondingly, a large number of corporate initiatives to ensure the security and ‘health’ of endpoints connecting to the corporate network. An August survey of McAfee’s customers shows that 68% of companies are evaluating or have already deployed a NAC solution. A great potential for a NAC solution is to ensure that machines that fall outside compliance standards cannot access corporate resources unless they meet a minimal standard of health, such as:

    • Are security tools up to date? Are AV and anti-spyware turned on, and are signatures within a certain age limit? Are DLP solutions installed and working properly?
    • Are only acceptable applications present (e.g. no peer-to-peer applications)?
    • Once a machine is on the network, is it ‘clean’? For example, is it infected with a bot or other malware that a NAC solution can detect?

    On October 20th, McAfee announced Unified Secure Access, our answer to NAC. Unified Secure Access uniquely enables enterprises to manage access to networks and systems based on in-depth knowledge of system health, compliance and user identity, and to enforce compliance both pre- and post-admission with a broad array of enforcement options, including endpoint, in-line and infrastructure integration options. This, along with McAfee’s well-established policy management infrastructure, enables, for the first time, simplified NAC implementations that reduce operational cost and resources while ensuring reliable access to approved systems and personnel.

    NAC has the potential to ensure investments in security tools are maintained. More on this in an upcoming post.


The postings on this blog are the opinions of the individual posters and don’t necessarily represent McAfee’s position or opinion on this subject.
© 2009 McAfee, Inc. All rights reserved. E & O E