Customer Needs Assessment

Determine Your Endpoint Integrity Requirements

Networks to which the endpoint connects—This check helps you to determine whether more endpoints than bargained for may be connecting through a single endpoint. For example, students at some universities transform their endpoints into wireless routers (connected to the university network on the Ethernet port and an ad hoc wireless network with a wireless card) and offer their friends access to the university network.

Security settings for macros—Macros record a specific input sequence and output sequence. Then, when the same input sequence is entered, the corresponding output sequence is produced. For example, a graphic designer might create a macro for a FAQ box, which all marketing writers must import and use in specific situations. However, imported macros can pose a risk: hackers can easily exploit macros, using them to execute malicious commands. As always, when determining the level of protection that your organization needs, meet with users. Find out whether they require macros. If you intend to enforce a high security level, do the users know how to add trusted sources for macros so that they can continue to use the macros they need?

Local security settings—These settings determine how users are allowed to access the endpoint. Does your organization have policies about the passwords users set on their endpoints? If so, you can enforce these policies with your NAC 800.

Software—Windows

The Software—Windows tests check software installed on an endpoint. Some tests look for required software, such as personal firewalls and anti-virus software. Another test scans for known viruses and other malware.

Other tests look for prohibited software, such as file sharing software and IM software. This is where your network evaluation will become extremely useful. Although you may be inclined to prohibit such software (the option that provides better security), you need to consider the needs of your company’s employees. If they are using IM to collaborate on work projects, requiring them to disable this software could create problems.

You can also require software. For example, managers may prefer employees to use particular applications or versions of applications. You could meet with managers and compile a list of necessary software, for which the NAC 800 scans. Of course, you may not want to deny a user network access simply because his or her endpoint doesn’t have a piece of software. However, you can configure the NAC 800 to send you an email notification—without interfering with the user’s access. Then you can get in touch with the user and install the missing software.
