
Tuesday, May 15, 2007

Deployment Best Practices Series – Deployment Expertise

Background:

NAC Appliance is a product that can look very easy to install. For most people, this is the start of many problems. It is important to realize that the product is made to be easy, and that level of ease can be obtained, but a lot of hours are required to learn the ins and outs of NACA. This post is all about the misconceptions about what level of knowledge a deployment engineer should have, as well as the steps engineers can take to get to that level.

Understanding the Learning Curve:

NAC Appliance is a product that does deploy very quickly. For smaller deployments, it can be stood up and working in just hours, but only for engineers who have taken the time to understand it. The more hours you spend looking into the CAM GUI, the easier things get. This product gets confusing in a few instances:
  • Customization of Posture Assessment and Remediation
    • Going above and beyond the normal of Windows HotFixes and AV Installation/Definitions
    • Truly enforcing security policy with CCA
  • Deploying on a complex network
    • The network is not following best practice design methods
    • There is not a deterministic Layer 2 or Layer 3 path from the client to a central point
I cannot tell you how many times something simple becomes complex as a result of the preceding topics. It is a best practice to work with this product before deploying it to a production environment. One of the best parts of this product is the fact that it fits into so many diverse networks, unlike others. As an administrator, it is important to note that while it does "plop" right into ANY network, implementing NAC is a perfect time to gain more knowledge and conform better to best practice network design.

Getting the most out of NACA:

The reason that expertise in deployments is so important for a successful rollout is the fact that the product has so many small caveats and non-publicized features that can truly make or break the deployment. I personally would like to advertise the interesting custom checks that an experienced NACA engineer can use to enforce security policy. A short list of examples: preventing instant messenger, peer-to-peer or sniffer applications, or checking for Group Policy features.
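To make the custom-check idea concrete, here is an added illustration (not code from the post, and not the NAC Appliance product's own rule syntax or API) that emulates how posture assessment is layered: individual checks inspect an endpoint snapshot, a requirement combines named checks with a boolean rule, and a failed requirement maps to a remediation message. The process names, the service name and the flattened registry path are constructed sample values chosen to mirror the three example policies in the paragraph above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Endpoint:
    """Constructed snapshot of what a posture agent would report about a client."""
    processes: Set[str]
    services: Set[str]
    registry: Dict[str, object]  # hypothetical flattened "key path -> value" view


# A check is a single predicate over the endpoint snapshot (emulated, not NACA's own).
Check = Callable[[Endpoint], bool]


def process_absent(*names: str) -> Check:
    """Pass when none of the listed process names is running (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return lambda ep: not (wanted & {p.lower() for p in ep.processes})


def service_running(name: str) -> Check:
    """Pass when the named service is present in the running-service list."""
    return lambda ep: name.lower() in {s.lower() for s in ep.services}


def registry_equals(key: str, value: object) -> Check:
    """Pass when the flattened registry view holds exactly the expected value."""
    return lambda ep: ep.registry.get(key) == value


@dataclass
class Requirement:
    name: str
    checks: Dict[str, Check]
    rule: Callable[[Dict[str, bool]], bool]  # boolean combination of check results
    remediation: str


# Constructed policy path: the Windows Firewall domain-profile GPO setting, used here
# only as an example of "is Group Policy actually applied on this host".
FW_GPO_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall"

# Constructed policy modelled on the three example checks named in the post.
POLICY: List[Requirement] = [
    Requirement(
        name="No instant messenger or peer-to-peer clients",
        checks={
            "no_im": process_absent("aim.exe", "msnmsgr.exe", "yahoomessenger.exe"),
            "no_p2p": process_absent("limewire.exe", "utorrent.exe", "bittorrent.exe"),
        },
        rule=lambda r: r["no_im"] and r["no_p2p"],
        remediation="Close the IM or P2P client; it is prohibited by policy.",
    ),
    Requirement(
        name="No packet sniffers",
        checks={"no_sniffer": process_absent("wireshark.exe", "ethereal.exe", "windump.exe")},
        rule=lambda r: r["no_sniffer"],
        remediation="Close the packet capture tool before reconnecting.",
    ),
    Requirement(
        name="Domain Group Policy applied",
        checks={
            "gp_client_service": service_running("gpsvc"),
            "fw_enabled_by_gpo": registry_equals(FW_GPO_KEY, 1),
        },
        rule=lambda r: r["gp_client_service"] and r["fw_enabled_by_gpo"],
        remediation="Domain policy is not applied; run 'gpupdate /force' or contact the help desk.",
    ),
]


def assess(ep: Endpoint, policy: List[Requirement] = POLICY) -> Dict[str, str]:
    """Return {requirement name: remediation} for every requirement the endpoint fails."""
    failed: Dict[str, str] = {}
    for req in policy:
        results = {name: check(ep) for name, check in req.checks.items()}
        if not req.rule(results):
            failed[req.name] = req.remediation
    return failed


if __name__ == "__main__":
    # Constructed client that is running a P2P client and a sniffer, with no GPO applied.
    sample = Endpoint(
        processes={"explorer.exe", "uTorrent.exe", "Wireshark.exe"},
        services={"gpsvc"},
        registry={},
    )
    for name, fix in assess(sample).items():
        print(f"FAILED: {name} -> {fix}")
```

The point of separating checks from the rule that combines them is the same one the paragraph makes about non-publicized features: a single requirement such as "Group Policy applied" is rarely one fact on the host, so an engineer who knows the product builds it from several small checks and a boolean rule rather than one coarse test.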

Making sure you do not fall victim to a lack of expertise:

The following are best practice ways to ensure that the deployment goes well by ensuring that you have the skills it takes to deploy NACA. Any one of these will help you gain experience, but the more of them you do, the better the deployment will go:

Formal Training – Find a class that teaches NAC Appliance. Ensure that the content matches your deployment strategy and that the instructor ACTUALLY has experience with NACA in the real world. Stay away from the “cookie cutter” type classes. Priveon, a security training company, has a really world-class training program for this product, or you can always request custom training from a local Cisco Partner.

Research – Use the resources available to you to inform yourself about NACA Deployments. This can be performed via the NACA Chalktalks, NACA Documentation, whitepapers, etc.

Lab Experience – Getting NACA into the lab, so that you can test the features and functionality you want to deploy in a controlled environment, gives you the knowledge and experience to be prepared for the real deployment and is key to its success. This phase should come before any pilots.

Consultant Help – There are many external resources available that can either give you a turnkey solution or assist in your deployment of NACA. The reasons behind this investment could be staffing or technical expertise, but the key to getting the most out of this resource is making sure you shadow and learn from the consultant deploying NACA.

Summary:

Many organizations fall victim to “I thought I could get it working” and then never really receive the benefits of NAC Appliance. This is why, to have a successful deployment, you must have experience with the product.
