I personally would like to have some additional layer of monitoring above and beyond good-faith adherence to policy and the desire to do the right thing. The various Open Source NAC toolsets that are out there (many of which seem to be developed within universities), such as packetfence, FreeNAC, or RINGS, seem like overkill and clearly inappropriate for this sort of user base.
What I had in mind was something much lighter weight that:
- Runs with user-level privileges
- Requires minimal level of installation, perhaps simple Ruby/Python script minimal to no third party libraries
- Communicates to a server vs. having the server interrogate the client (i.e. no agent listening for connections back from a centralized server)
- Provides flexible execution (run as a startup script or within desktop environment, gnome-session something or other)
- User authentication against some sort of directory server (so we can associate a given endpoint with a user)
- Linux kernel version and running kernel modules
- Last apt-get update
- Hardware (both real and virtual)
- Whether or not filesystem encryption is enabled (look for /dev/mapper stuff)
- Information about packages (such as the output of a dpkg -l)
- Listening services (netstat or lsof)
- Network information (interfaces, routing)
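As an added example (not code from this post, nor from any of the NAC projects it names), here is a Python client along the lines of the list above: it gathers each item using only world-readable files and commands that work as a normal user, then POSTs the result as JSON. It assumes a hypothetical server at INVENTORY_URL that accepts a JSON POST carrying a per-user bearer token (INVENTORY_TOKEN, imagined as issued by the directory-backed server at login), and it uses the mtime of /var/lib/apt/lists as a stand-in for the last apt-get update. The sample /proc and dpkg lines in the block are constructed, not captured from a real host.

```python
"""Unprivileged Linux endpoint inventory client (added example, not from the post).
Reads only world-readable files, runs user-level commands, POSTs JSON; listens for nothing."""
import json
import os
import platform
import socket
import subprocess
import time
import urllib.request

# Constructed sample inputs (not captured from a real host), used by the checks below.
SAMPLE_PROC_MODULES = ("nf_tables 196608 0 - Live 0xffffffffc0a00000\n"
                       "xt_conntrack 16384 1 - Live 0xffffffffc09f0000\n")
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0\n"
    "   1: 0100007F:1F90 0100007F:D4A2 01 00000000:00000000 00:00000000 00000000  1000        0 2 1 0\n")
SAMPLE_DPKG = ("ii  openssh-server 1:9.2p1-2 amd64 secure shell (SSH) server\n"
               "rc  old-pkg 1.0 amd64 removed, config files remain\n")

def parse_proc_modules(text):
    """/proc/modules rows are 'name size refcount deps state addr'; keep the names."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]

def parse_dpkg_list(text):
    """`dpkg -l` output: keep installed rows ('ii') as {package: version}."""
    pkgs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            pkgs[fields[1]] = fields[2]
    return pkgs

def has_dm_mounts(proc_mounts_text):
    """True if any mounted filesystem is on a device-mapper node (LUKS/LVM)."""
    return any(line.split()[0].startswith("/dev/mapper/")
               for line in proc_mounts_text.splitlines() if line.strip())

def parse_proc_net_listeners(text):
    """/proc/net/tcp{,6}: state column 0A is LISTEN; local port is hex after ':'."""
    ports = set()
    for line in text.splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return sorted(ports)

def last_apt_update(lists_dir="/var/lib/apt/lists"):
    """Assumption: mtime of apt's lists dir approximates the last apt-get update."""
    try:
        return int(os.stat(lists_dir).st_mtime)
    except OSError:
        return None

def read_file(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""

def run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return ""

def collect(user):
    """Gather the inventory for this endpoint, attributed to the logged-in user."""
    tcp = parse_proc_net_listeners(read_file("/proc/net/tcp"))
    tcp6 = parse_proc_net_listeners(read_file("/proc/net/tcp6"))
    return {
        "user": user, "hostname": socket.gethostname(), "collected_at": int(time.time()),
        "kernel": platform.release(), "arch": platform.machine(),
        "vendor": read_file("/sys/class/dmi/id/sys_vendor").strip(),
        "product": read_file("/sys/class/dmi/id/product_name").strip(),
        "virt": run(["systemd-detect-virt"]).strip() or "unknown",
        "modules": parse_proc_modules(read_file("/proc/modules")),
        "last_apt_update": last_apt_update(),
        "dm_mount": has_dm_mounts(read_file("/proc/mounts")),
        "packages": parse_dpkg_list(run(["dpkg", "-l"])),
        "listening_tcp": sorted(set(tcp) | set(tcp6)),
        "addresses": run(["ip", "-o", "addr"]).splitlines(),
        "routes": run(["ip", "route"]).splitlines(),
    }

def post_report(report, url, token):
    """POST the report; `token` is a hypothetical per-user bearer token the
    directory-backed server issued at login (the API shape is an assumption)."""
    req = urllib.request.Request(url, data=json.dumps(report).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":
    # Hypothetical deployment settings, supplied by the startup script or session.
    print(post_report(collect(os.environ.get("USER", "unknown")),
                      os.environ.get("INVENTORY_URL", "https://inventory.example/api/report"),
                      os.environ.get("INVENTORY_TOKEN", "")))
```

Dropping this into a session startup script is all the installation there is; nothing it reads needs root, and the server never has to reach back into the client. The obvious caveat is the one the post opens with: everything in the report is client-asserted, so a machine that wants to lie about its kernel, packages or listeners can, and the data is only as trustworthy as the good faith of whoever controls the endpoint.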
That being said, as easy as this is to imagine, I'm sort of ambivalent about the usefulness of something like this (perhaps I've heard too many of the arguments about NAC "fighting the last war"), but it doesn't seem like it would be terribly difficult or time consuming to whip up a small client script that pulled together some basic Linux system information and sent it to a CRUD webapp to provide some basic auditing and reporting. And it wouldn't be much of a stretch to add some policy definition/enforcement based on the data, or to tie it to an iptables/PF box with anchors to implement different access profiles. Obviously, unlike most of the commercial (or even the Open Source) NAC solutions, this is an L3, n-hop-away solution: no 802.1x, no DHCP, no VLAN assignment. But it is actually deployable and might immediately provide some useful (and perhaps even actionable) information that is higher fidelity than scanning the endpoint with Nmap/non-authenticated Nessus or using passive device/app fingerprinting, which seems a waste of time for the problem at hand.
Is there anything out there along these lines?