2.4. Taking Action Based on the Security Posture

At this point, the device has been assessed and its security posture communicated to other necessary components of the NAC/NAP solution. So, now what?

This question is as much political and philosophical as it is technical. The real question is "What does your company want to do, and does it have the strength to stand behind that decision?"

There are a number of logical action items that can be taken against devices. These actions depend upon whether or not Mobile NAC or LAN-based NAC is being used.

2.4.1. Mobile NAC Action

Mobile devices are in a unique situation. It doesn't do any good to be able to quarantine a noncompliant laptop to only certain areas of the corporate LAN if the laptop is sitting at a Starbucks and isn't connected to the LAN. The restriction that will protect that device must relate to its current environment. This point will be made very clear in Chapter 3, "What Are You Trying to Protect?"

As such, here are some action options to consider for noncompliant devices with Mobile NAC:

  • Prohibit the device from connecting to the corporate LAN via VPN

  • Prohibit the device from connecting via Wi-Fi

  • Quarantine the mobile device so that it can only access certain areas of the Internet, such as remediation servers that can fix any security issues

  • Restrict the use of certain applications, such as Internet Explorer and e-mail, when in a noncompliant state

  • Automatically fix the problem!
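The following is an added illustration, not code from the book or from any NAC product: a small posture-to-action policy for a Mobile NAC client. It shows the point made above, that the same noncompliant posture must produce a different restriction depending on where the device currently is. The check thresholds, action names and remediation hostnames are assumptions chosen for the example.

```python
"""Illustrative Mobile NAC policy: map device posture + current network to actions.

Constructed example; the thresholds, action labels and hostnames are assumed
values, not part of any real NAC/NAP product.
"""
from dataclasses import dataclass
from enum import Enum


class Network(Enum):
    CORPORATE_LAN = "corporate_lan"   # on-premises, switch-level enforcement possible
    VPN = "vpn"                        # remote, tunnel into corporate LAN
    PUBLIC_WIFI = "public_wifi"        # e.g. a coffee shop; LAN controls do not reach it
    OFFLINE = "offline"


@dataclass
class Posture:
    av_running: bool
    av_signature_age_days: int
    firewall_enabled: bool
    missing_critical_patches: int


@dataclass
class Decision:
    compliant: bool
    violations: list
    actions: list
    allowed_destinations: list


# Assumed remediation hosts a quarantined device may still reach.
REMEDIATION_SERVERS = ["remediation.example.com", "av-updates.example.com"]
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold

# Violations the client can fix on its own (e.g. restart AV, pull signatures)
# versus those needing a patch cycle; drives the "automatically fix" action.
AUTO_REMEDIABLE = {"antivirus not running", "antivirus signatures stale",
                   "host firewall disabled"}


def assess(p: Posture) -> list:
    """Return the list of policy violations for a posture report."""
    violations = []
    if not p.av_running:
        violations.append("antivirus not running")
    if p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        violations.append("antivirus signatures stale")
    if not p.firewall_enabled:
        violations.append("host firewall disabled")
    if p.missing_critical_patches > 0:
        violations.append("critical patches missing")
    return violations


def decide(p: Posture, net: Network) -> Decision:
    """Pick enforcement actions that fit the device's current environment."""
    violations = assess(p)
    if not violations:
        return Decision(True, [], ["allow"], ["*"])

    actions = []
    allowed = list(REMEDIATION_SERVERS)
    if net is Network.VPN:
        # Keep the noncompliant device off the corporate network entirely.
        actions.append("deny_vpn")
    elif net is Network.CORPORATE_LAN:
        # On-premises, LAN-based quarantine (VLAN / 802.1X) is meaningful.
        actions.append("quarantine_lan_vlan")
    else:
        # Off-LAN: a LAN quarantine would do nothing, so enforce on the host.
        actions.append("restrict_to_remediation_servers")
        actions.append("restrict_apps:browser,email")

    if any(v in AUTO_REMEDIABLE for v in violations):
        actions.append("auto_remediate")
    if net is Network.OFFLINE:
        allowed = []  # nothing reachable; restrictions apply until reconnect
    return Decision(False, violations, actions, allowed)


if __name__ == "__main__":
    stale = Posture(av_running=True, av_signature_age_days=30,
                    firewall_enabled=True, missing_critical_patches=0)
    for net in Network:
        print(net.value, "->", decide(stale, net).actions)
```

The design point is in `decide`: the violations are the same everywhere, but the enforcement is chosen from what can actually take effect in the device's current environment, and the auto-remediation action is only emitted for violations the client can fix by itself.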

Based upon the fact that the mobile device ...
