By James D. Brown, CTO, StillSecure
Network Access Control (NAC) products for the most part aren’t built for DoD IA personnel. They aren’t designed to support and improve the Information Assurance (IA) processes of a DoD organization. This is because nearly all of them lack strong, integrated support for the shared language of the standard Information Assurance Vulnerability Alerts (IAVA).

Some offer no support at all, forcing IA users to manually convert from CVE IDs, Knowledge Base (KB) or Hotfix numbers, OVAL IDs, and other numbering systems into an IAV ID. This makes the NAC tool very difficult to use when tracking the trends of IAV remediation over time. It’s also very error-prone, because there is no one-to-one mapping between the different identification systems. This leads to guessing, and makes it nearly impossible to use NAC to remediate IAVs or double-check the results returned by vulnerability scanners.

Other NACs offer integration with other IA tools, such as vulnerability scanners, which do have that tight IAV integration. Unfortunately, rather than directly checking for the existence of an IAV and serving as a mechanism to pre-check and double-check vulnerability scanner results, this method serves only to activate the IAV-aware scanner when an endpoint connects to the network. The NAC puts the end user through a minutes-long validation process, during which they sit in limbo, unable to do anything productive on the network, and only then can it use the results of the vulnerability scan to determine whether the endpoint is compliant. What’s the point of NAC depending upon a vulnerability scanner to accomplish its compliance testing? One of NAC’s main jobs in life is to get compliant users on the network as quickly as possible. That can’t be done when every user is subjected to a virtual proctologic exam using a microscope instead of a targeted checkpoint designed for a high-traffic thoroughfare.

With integrations like that, the NAC product has no knowledge of IAVs and no capability to directly test for, report on, match to policy, or remediate them. That results in unhappy users, lost productivity on the part of both the user and the IA administrator, and limited capability. In the end, it doesn’t augment your IAV remediation process; it just plugs the hole of endpoints not being on the network when you run a scan.

On August 15, 2012, StillSecure announces the final piece of the puzzle in its full IAV integration for its award-winning NAC, Safe Access. Not only does Safe Access directly test for IAVs covering Microsoft Windows client and server operating systems, Microsoft Office, Adobe products, Blackberry Enterprise Server, and others, but it also displays IAVs directly in its administration UI and reports. Compliance policies can be defined in terms of IAV checks rather than forcing you to guess and convert from other vulnerability numbering systems, and now all IAV checks have direct in-UI links to the IAV source: the United States Cyber Command website.

This means that Safe Access speaks IAVA natively, with no limitations or caveats. No other tools are necessary, no cheat sheets, no confusion, and no errors. No other NAC product today can make that claim. This means that Safe Access can improve your IA program, serve as a means to do high-speed audits between deep vulnerability scans, and provide you with an up-to-date compliance posture across your entire environment (no matter the size) on a daily basis. You work in IAVAs: Safe Access works for you, in your language, every day.