NAC Implementation Checklist-2023

This document is a checklist for evaluating network access control solutions. It contains questions about the solution's architecture, authentication methods, endpoint scanning, traffic monitoring, policy enforcement, and performance. The checklist ensures the solution can integrate into existing networks without changes, leverage various authentication sources, conduct pre- and post-admission endpoint scans, audit and control traffic at layer 7, and enforce granular policies without impacting network performance.

Uploaded by

sharad
Copyright
© All Rights Reserved
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
Tata Motors Finance Official

Network Access Control Implementation Checklist -2023

Columns: Area | Control | Status (Pass / Fail)

Areas covered:
Basic Architecture
Simple authentication
Compliance Posture check
Complete LAN visibility
Complete post-admission control of users
Zero-day malware containment
Wire-speed LAN performance
Protection of critical applications

Area: Basic Architecture
Can the solution drop into your existing LAN, without changes to the endpoints, switches, VLANs, ACLs, and identity stores?
Is the system self-contained, avoiding dependence on dynamically reconfiguring switches for enforcement?
Does the solution operate independently of a centralized policy server?
Can you "turn off" the system for troubleshooting without affecting network operation?
Does the system support high-availability deployments and provide redundant power supplies?

Area: Simple authentication
Does the solution leverage existing authentication databases, such as Active Directory, RADIUS, and LDAP, without any changes?
Can you use multiple authentication mechanisms, including 802.1X and captive portal, regardless of user location, but also allow users to log into the network the same way they always have, such as to a Windows Domain?
Does the solution make LAN authentication easy, allowing IT to leverage 802.1X where it's installed or avoid 802.1X supplicant interoperability issues where it's not?
Does the system provide a way for non-user devices (such as printers or VoIP phones) to be authenticated onto the network but still controlled?
Does the system require an agent for endpoints to be authenticated and controlled?

Area: Compliance Posture check
Does the system scan machines both before and after admission to the LAN?
Can you run these checks on managed and unmanaged devices?
Can the solution leverage existing best-of-breed endpoint agents for managed solutions?
Does the scan include more than just a simple check that certain software is installed, actually looking for the presence of adware or spyware or for specific Windows Registry values?
Can you configure the solution to scan only certain machines, based on IP address or group membership?
Can the scan take place without needing admin login credentials on the endpoint?

Area: Complete LAN visibility
Can the system audit and monitor all traffic, tied to a username, to speed incident response?
Can you audit traffic on a per-user, per-application basis for compliance with regulations such as PCI, HIPAA and SOX?
Can you set up access policies but have the system just log events, giving you a way to test your policies without impacting users or business processes?
Can you easily look into any security violation, immediately knowing the user involved and the policy that was violated?
Can the solution provide application-level inspection at Layer 7 rather than simple SNMP or NetFlow statistics?
Can you easily compile aggregated data to provide LAN activity reports to management and to demonstrate compliance?

Area: Complete post-admission control of users
Does the system see all traffic after users are on the LAN, to control user access and protect against threats?
Does the system make it easy to apply policies based on a user's identity and role in the organization?
Can you set both universal and context-based controls, where one policy could span wired, wireless, VPN, or local connections and another could limit access from remote locations, for example?
Can you control user access to servers and to applications without any other tools, such as VLANs/ACLs, and does the system enable Layer 7 identification of applications instead of just Layer 4?
Does the system let you see and control application content, such as file names in Microsoft File Services (CIFS), FTP, or IM transactions or HTTP content such as URLs?
Does the system provide control close to the user's point of entry on the LAN?
Does the system protect against evasion by a user applying a static IP or MAC address?

Area: Zero-day malware containment
Does the system provide a means for continuously detecting and blocking new, unknown attacks, without dependence on signatures and without hindering network performance?
Can you decide whether to block just the infected application or everything coming from an infected user?

Area: Wire-speed LAN performance
Can the system provide full policy enforcement without slowing down your users?

Area: Protection of critical applications
Can the system extend beyond users to also protect vital services such as a voice over IP (VoIP) call manager?
Does the system apply application-based policies to prevent non-user devices from being used for attacks, such as controlling that a printer can receive traffic only from a print server?
