The Conficker worm doesn't directly have anything to do with NAC, but as is the case when any pervasive attack becomes high profile, vendors leap in to point out how their products could have prevented the problem.
In the case of NAC products and Conficker, this is pretty much true. The worm takes advantage of a Windows flaw for which a patch has been written, but that patch has not been applied to as much as a third of Windows machines, according to some estimates.
If NAC were in place for all machines attaching to networks, machines without the required patch could be denied access. So even if the vulnerability has been exploited, the infected machines won't be able to spread it around on a corporate network because they won't be able to gain access.
And even if an infected machine does gain access, with post-connect NAC the behavior of the worm probing and propagating could be blocked or the machine could be knocked offline altogether.
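To make the two NAC modes concrete, here is an added toy policy engine (my illustration, not code from the post or from any NAC vendor): pre-connect, an endpoint is denied unless its posture report lists the required patch; post-connect, a host that fans out to many distinct targets on the port the worm probes is quarantined. The patch id, the port, the thresholds, the endpoint reports and the connection records are all assumptions or constructed sample data.

```python
from collections import defaultdict

REQUIRED_PATCH = "KB-PLACEHOLDER"  # placeholder: the post does not name the patch id
PROBE_PORT = 445                   # assumption: the port the worm probes, for illustration
FANOUT_THRESHOLD = 10              # distinct targets inside one window before quarantine
WINDOW_SECONDS = 60

def preconnect_decision(endpoint):
    """Pre-connect NAC: allow only if the posture report lists the required patch."""
    return "allow" if REQUIRED_PATCH in endpoint.get("patches", ()) else "deny"

def postconnect_decisions(connections):
    """Post-connect NAC: flag any source that reaches FANOUT_THRESHOLD distinct
    destinations on PROBE_PORT within WINDOW_SECONDS.  connections is a list of
    (timestamp, src, dst, dport) tuples.  Returns {src: "quarantine"}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(connections):
        if dport == PROBE_PORT:
            by_src[src].append((ts, dst))
    verdicts = {}
    for src, events in by_src.items():
        for i, (ts, _) in enumerate(events):
            # distinct destinations seen in the window ending at this event
            window = {d for t, d in events[:i + 1] if t >= ts - WINDOW_SECONDS}
            if len(window) >= FANOUT_THRESHOLD:
                verdicts[src] = "quarantine"
                break
    return verdicts

# Constructed sample posture reports and connection records (not real hosts).
ENDPOINTS = {
    "10.0.0.5": {"patches": ["KB-OTHER", REQUIRED_PATCH]},  # patched workstation
    "10.0.0.9": {"patches": ["KB-OTHER"]},                  # missing the required patch
}
CONNECTIONS = (
    # a normal user hitting one file server repeatedly: never fans out
    [(t, "10.0.0.5", "10.0.0.100", 445) for t in range(0, 300, 20)]
    # an infected host sweeping the subnet: 12 distinct targets in 24 seconds
    + [(100 + 2 * n, "10.0.0.9", f"10.0.0.{20 + n}", 445) for n in range(12)]
)

if __name__ == "__main__":
    for ip, posture in ENDPOINTS.items():
        print(ip, "pre-connect:", preconnect_decision(posture))
    print("post-connect:", postconnect_decisions(CONNECTIONS))
```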
So this is the classic black-and-white case in favor of NAC if fighting off this particular infection is important enough.
By all reports Conficker, AKA Downadup, is difficult to remove and alters PC settings to make it difficult for machines to get the needed Microsoft patch or connect to Web sites likely to contain instructions on how to remediate the worm. It’s a good exploit to avoid if possible.
In any case, Conficker on its own is probably not a sufficient reason to run out and buy a NAC product, but it is emblematic of a category of problem that NAC can effectively address.