Posture Assessments
What does it mean to perform a posture assessment and why is the NAC used to perform them on unknown devices that connect to the network? This may be more of a security question but it was on my N+ practice exam. Thanks in advance.
Comments
sys_teck:
The posture assessment is the evaluation of system security based on the applications and settings that a particular system is using.
Network Admission Control - Wikipedia, the free encyclopedia
http://www.opus1.com/www/whitepapers/nac_deployment.pdf
Since it performs evaluation based on the application settings for that particular system, and most device signatures are stored in the Windows registry, if a device signature is not found NAC can block it.
working on CCNA
Darril:
Good research sys_teck.
It seems rather deep for Network+, but here's a little more.
Network access control (NAC) will often inspect the "health" of clients when they connect. Health is based on pre-configured conditions and can be considered a posture assessment, or assessing the current state of the client.
For example, when a computer connects, NAC can inspect the computer to determine if patches are up-to-date, if antivirus software is installed, running, and has up-to-date signatures, and if the firewall is enabled. If the computer passes all these tests it passes the assessment and is given a health certificate. The computer can use this health certificate to access the network. If the computer doesn't meet the assessment, it doesn't get a health certificate and is only granted limited access to the network. In some cases, it will be granted access to a quarantined network where it can access resources to get healthy.
Here's another example.
Imagine a company regularly has visitors that bring their laptops and these visitors want to connect to the Internet through the wireless network. NAC can be used to determine if these devices are known or unknown by simply checking to see if they can authenticate. Internal computers will have accounts and passwords and authenticate when they connect to the network, but visitor computers will not have computer accounts in the network and are unknown. Unknown computers can be restricted to a quarantined network that provides access to the Internet, but no access to internal system resources. Known computers (computers that can authenticate) can be checked for health before being granted full access to the network.
HTH,
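The two admission flows described above (health checks leading to a health certificate or a quarantined remediation network, and unknown devices that cannot authenticate being sent to an Internet-only guest network) as a small policy engine. This is an added example, not code from the thread or from any real NAC product; the client state dict, the check names and the network labels are constructed for illustration.

```python
"""Toy NAC admission engine modelling the posture assessment examples above.

Added illustration, not part of the original thread or any NAC product.
Client state is a constructed dict; a real NAC agent would collect it."""
from dataclasses import dataclass, field

# Health conditions the post describes: patches, antivirus, host firewall.
POSTURE_CHECKS = {
    "patches_current": "Operating system patches are not up to date",
    "av_installed": "Antivirus software is not installed",
    "av_running": "Antivirus software is not running",
    "av_signatures_current": "Antivirus signatures are out of date",
    "firewall_enabled": "Host firewall is disabled",
}


@dataclass
class Decision:
    network: str                  # "internal", "remediation" or "guest"
    health_certificate: bool
    findings: list = field(default_factory=list)


def assess_posture(client: dict) -> list:
    """Return the failed health conditions; an empty list means healthy."""
    return [msg for key, msg in POSTURE_CHECKS.items() if not client.get(key, False)]


def admit(client: dict) -> Decision:
    """Unknown (unauthenticated) devices never reach the posture check;
    they go straight to the Internet-only guest network."""
    if not client.get("authenticated", False):
        return Decision("guest", False, ["Device could not authenticate; treated as unknown"])
    findings = assess_posture(client)
    if findings:
        # Failed assessment: no health certificate, only the quarantined
        # network that holds the patch and antivirus servers.
        return Decision("remediation", False, findings)
    return Decision("internal", True)


if __name__ == "__main__":
    # Constructed sample clients (not taken from the thread).
    visitor = {"authenticated": False}
    stale_laptop = {"authenticated": True, "patches_current": False, "av_installed": True,
                    "av_running": True, "av_signatures_current": False, "firewall_enabled": True}
    healthy_desktop = {**{k: True for k in POSTURE_CHECKS}, "authenticated": True}
    for name, c in [("visitor", visitor), ("stale laptop", stale_laptop), ("healthy desktop", healthy_desktop)]:
        d = admit(c)
        print(f"{name:16} -> {d.network:12} cert={d.health_certificate} {d.findings}")
```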
sys_teck:
Darril,
I agree. Seems to me that it's a crossover between Network+ and Security+. Still good.
working on CCNA
RoyalTech:
Darril, your first example seems a lot like what Kerberos does with the granting of tickets. With the second example, the restricting of computers to a quarantined area seems familiar. I may have heard about it on a CBT video but I don't know if it had anything to do with this. On a completely different note, does your security book come with a PDF?
Sys_teck, thanks for your response and good luck with your exam. I should be taking mine this week. I'm just waiting for the place I'm taking it to get a new shipment of vouchers.
Darril:
> Darril, your first example seems a lot like what Kerberos does with the granting of tickets.
They may sound similar, but Kerberos and NAC are used for different purposes. Kerberos primarily uses tickets for authentication. In other words, Kerberos provides a method for secure authentication so that clients can prove their identity. Once an identity is known, users are granted access based on their proven identity.
In contrast, NAC controls access based on other factors and is not used for secure authentication. NAC may check to see if the client authenticated, but NAC is not part of the authentication process. Another difference is that Kerberos is a standardized protocol (V5 is specified in RFC 4120). NAC isn't a protocol or standard, but rather a group of different methods used to control network access. I gave a couple of detailed examples of NAC but it can be as simple as using MAC address filtering on a network device for port security.
> With the second example, the restricting of computers to a quarantined area seems familiar. I may have heard about it on a CBT video but I don't know if it had anything to do with this.
The quarantined area is often associated with a restricted network that includes resources to help make a client healthy. For example, it may have a server that can deploy patches to bring a system up-to-date, or a server with antivirus software and up-to-date signature files that the client can install.
The phrase "quarantined network" or "quarantined area" may be used elsewhere, but right now I'm drawing a blank.
> On a completely different note, does your security book come with a PDF?
Sorry, but no. Adding a CD/DVD would have increased the cost of the book too much and no PDFs are available for the book. I instead decided to make the Kindle available for only $9.99. Some people want both the paperbook and the Kindle. Some people just get one or the other. A cool thing about the Kindle edition is that a Kindle isn't needed. Amazon provides free applications that work on just about any platform for Kindle ebooks so people can read Kindle ebooks on their computer or mobile device.
HTH
RoyalTech:
> Sorry, but no. Adding a CD/DVD would have increased the cost of the book too much and no PDFs are available for the book. I instead decided to make the Kindle available for only $9.99. Some people want both the paperbook and the Kindle. Some people just get one or the other. A cool thing about the Kindle edition is that a Kindle isn't needed. Amazon provides free applications that work on just about any platform for Kindle ebooks so people can read Kindle ebooks on their computer or mobile device.
> HTH
That's a shame as I live on PDFs. I'm still very interested in your book though as it seems highly rated and I love the explanations you give me here.