Designing Access Controls

Choose Endpoint Integrity Testing Methods

Post-Connect Testing

If you implement endpoint integrity testing only when users first connect to the network, sophisticated users quickly learn that they can change their security settings after this pre-connect testing is completed. For example, the user can change the browser’s security settings to an acceptable level, wait until testing is complete, and then drop the settings to a lower level. To ensure that endpoints remain compliant with your security policies, you should implement post-connect testing.

Some testing methods permit post-connect testing more easily than others. The NAC EI agent is always available, and once it is installed, users cannot interfere with the testing process unless they manually uninstall the agent.

Post-connect testing with the agentless test method will work seamlessly unless the user disables file and print sharing, closing the four ports required with this testing method. If this happens, users will be prompted to enable file and print sharing with the appropriate ports so that post-connect testing can run.

Post-connect testing with ActiveX can be circumvented more easily. The user must keep IE open on the desktop to enable this testing. If the user closes this application—whether in an attempt to evade testing or simply because he or she no longer wants to access the Internet—the post-connect testing cannot be completed.

Table 3-46. Testing Methods by Post-Connect Testing

                               Agentless                            ActiveX                              NAC EI Agent
Criteria for post-connect      The NAC 800 can retest endpoints     The ActiveX component must be        Once installed, the agent is
testing                        by initiating another agentless      installed prior to each test.        always available for testing.
                               session.
User evasion                   None                                 Close browser                        None

Example. Knowing that some students will change their endpoint security settings after the pre-connect testing is completed, the PCU network administrators plan to implement post-connect testing. On the private wired, private wireless, and remote zones, PCU network administrators want to use the NAC EI agent and agentless testing methods because it is not as easy to circumvent them. This will ensure that the endpoints on the private zones remain compliant, decreasing the network’s vulnerability to attacks.

HP Access Control Client Software manual Testing Methods by Post-Connect Testing