NAC and "Story Time"

Started by deanwebb, November 01, 2017, 07:16:58 PM


deanwebb

When I taught high school, it was pretty easy for me to get drawn out from covering a subject and wind up doing "story time", where I'd go off the script and do a deep dive on some topic, like how opium was introduced to Southeast Asia or the insanity of the Ukrainian resistance in WW2... we all had a good time, but I definitely had to make up the time some other way.

Well, when you do a NAC project, once your system is hooked up to all the switches and WLCs, you're going to see stuff on the network that will make you ask if it should be allowed or blocked. You will see stuff that is a mystery as far as its function and role, so you will have to go and ask the guys in charge of that gear what it is and what it's doing... and that's story time.

You will learn lots of interesting things, but you will also be in a very slow phase of your project. Speeding it up and skipping over story time risks either blocking too much or not getting sensitive devices properly handled - both bad things. What you want to be able to get out of your story time are the following things:

1. Is there a way to manage the device? (SSH or SNMP are good candidates)
2. Is there a way to identify it as owned by your company?
3. Is there a way to segment it, either physically or with a port ACL, so that if it's not manageable or identifiable as your own, it's at least not able to harm other devices on your network when it becomes compromised?

You can't accept three "no" answers and be secure. You may have to work with management to get a resolution, but at least your time invested in story time gives you the ability to think about the device, its role, its importance, and possible engineering solutions for it.

Hope this helps.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
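The three questions in the post above are easy to lose track of once a NAC project has surfaced a few hundred unknown endpoints. The following script is an added example (not part of the original post or the author's own tooling) that turns them into a triage pass: each endpoint record carries the answers gathered during "story time", and the script derives a decision, with any device that scores three "no" answers flagged for escalation rather than silently allowed. The record fields, sample MAC addresses and decision labels are all constructed for the example.

```python
"""Triage NAC-discovered endpoints against the three "story time" questions:
can it be managed, can it be identified as ours, can it be segmented?

Added example; the Endpoint fields and decision labels are assumptions,
and the SAMPLE inventory below is constructed, not exported from a real NAC.
"""
from dataclasses import dataclass


@dataclass
class Endpoint:
    mac: str
    description: str          # what the owning team said it is (story time)
    ssh_manageable: bool      # Q1: reachable/manageable over SSH
    snmp_manageable: bool     # Q1: reachable/manageable over SNMP
    company_owned: bool       # Q2: identifiable as owned by the company
    segmentable: bool         # Q3: can be isolated by VLAN or port ACL


def triage(ep: Endpoint) -> dict:
    """Answer the three questions for one endpoint and derive a decision."""
    answers = {
        "manage": ep.ssh_manageable or ep.snmp_manageable,
        "identify": ep.company_owned,
        "segment": ep.segmentable,
    }
    no_count = sum(1 for ok in answers.values() if not ok)

    if no_count == 3:
        # Three "no" answers cannot be accepted: hand to management for a decision.
        decision = "escalate"
    elif answers["manage"] or answers["identify"]:
        # A known or manageable device can be profiled and authorised normally.
        decision = "onboard"
    else:
        # Unknown and unmanageable, but containable: isolate it so a compromise
        # cannot reach other devices on the network.
        decision = "segment"

    return {
        "mac": ep.mac,
        "description": ep.description,
        "answers": answers,
        "no_count": no_count,
        "decision": decision,
    }


def triage_all(endpoints) -> list:
    """Triage every endpoint, worst cases (most "no" answers) first."""
    results = [triage(ep) for ep in endpoints]
    results.sort(key=lambda r: r["no_count"], reverse=True)
    return results


def escalations(endpoints) -> list:
    """MAC addresses that need a management decision before go-live."""
    return [r["mac"] for r in triage_all(endpoints) if r["decision"] == "escalate"]


# Constructed sample inventory: MACs and descriptions are placeholders.
SAMPLE = [
    Endpoint("00:11:22:33:44:01", "core switch uplink", True, True, True, True),
    Endpoint("00:11:22:33:44:02", "lab HVAC controller", False, False, False, True),
    Endpoint("00:11:22:33:44:03", "vendor kiosk, no owner found", False, False, False, False),
    Endpoint("00:11:22:33:44:04", "badge printer (asset-tagged)", False, False, True, False),
]


if __name__ == "__main__":
    for r in triage_all(SAMPLE):
        flags = "".join("Y" if ok else "N" for ok in r["answers"].values())
        print(f"{r['mac']}  M/I/S={flags}  {r['decision']:<8}  {r['description']}")
    print("escalate:", escalations(SAMPLE))
```

Running it prints one line per endpoint with the manage/identify/segment answers and the derived decision, with the vendor kiosk (three "no" answers) listed first and in the escalation list. In practice the boolean fields would be filled from the NAC's endpoint export plus the notes taken while talking to the device owners.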