Does anyone use HIP check on the local LAN as a NAC solution?

L3 Networker

I understand that a HIP check can be used on the local LAN when the GlobalProtect client connects to the internal gateway.

  • How effective is this as a NAC solution for the internal LAN?
  • Without 802.1x authentication, does a machine without GP installed simply bypass the internal gateway (and HIP check)?

Thanks

L7 Applicator

Re: Does anyone use HIP check on the local LAN as a NAC solution?

  • How effective is this as a NAC solution for the internal LAN? 

Depending on how you set up your HIP check it could make a pretty effective 'NAC' environment. You could HIP check to make sure that they were within your network's requirements (AV current and run in a timely manner, domain joined), and then set up security policies that wouldn't allow anybody to your different security policies unless they had a named user account.

  • Without 802.1x authentication, does a machine without GP installed simply bypass the internal gateway (and HIP check)?

You could potentially deny any non-named user access to anything within your network, or outside internet access, with ease as long as you set up your security zones with this in mind. Otherwise you could just make it so that your servers/internal resources were in a dedicated 'zone' that the user would not have access to unless they had logged into GlobalProtect and received a GP address that had security policies that allowed zone access.

This can, and has been, done. It works well as long as you are aware that, like any NAC solution, you will likely run into occasional issues. It doesn't act as a true 'NAC' as you don't have all of the checks that a traditional NAC would employ to verify that the device was supposed to be on your network. That being said, most people don't utilize any of the features in a NAC deployment that couldn't be done with a HIP check and the proper security policies on the firewall. I wouldn't really want to make this change in a working enterprise environment though, as switching over to something like this would be a fairly substantial upgrade; NAC has the advantage of being something that you can easily tune and assure management that it's working prior to a full roll-out.
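The policy model the reply describes (a HIP profile for AV currency and domain membership, a dedicated zone for servers, and rules that only match a named GlobalProtect user whose host passes the HIP check, with everything else falling to the default deny) can be sketched as a small first-match policy evaluator. This is an added illustration written for this thread, not PAN-OS code or anything from Palo Alto Networks; the zone names, thresholds and HIP report fields are made up for the example, and a real firewall evaluates many more criteria (addresses, applications, services).

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed stand-in for the HIP report a GlobalProtect client submits.
@dataclass
class HostInfo:
    domain_joined: bool
    av_installed: bool
    av_definitions_age_days: int   # age of AV signature set
    last_scan_age_days: int        # days since the last full AV scan

# Constructed stand-in for a flow seen by the firewall.
@dataclass
class Session:
    src_zone: str
    dst_zone: str
    user: Optional[str]            # None: no GP login, so no named user
    hip: Optional[HostInfo]        # None: no GP client, so no HIP report

@dataclass
class Rule:
    name: str
    from_zone: str                 # zone name or "any"
    to_zone: str                   # zone name or "any"
    require_user: bool = False     # rule only matches a named user
    require_hip: bool = False      # rule only matches a HIP-compliant host
    action: str = "allow"

# Hypothetical HIP profile: thresholds are example values.
def hip_compliant(hip: HostInfo, max_def_age: int = 3, max_scan_age: int = 7) -> bool:
    return (
        hip.domain_joined
        and hip.av_installed
        and hip.av_definitions_age_days <= max_def_age
        and hip.last_scan_age_days <= max_scan_age
    )

def rule_matches(rule: Rule, sess: Session) -> bool:
    if rule.from_zone not in ("any", sess.src_zone):
        return False
    if rule.to_zone not in ("any", sess.dst_zone):
        return False
    if rule.require_user and sess.user is None:
        return False
    # A host with no GP client never submits a HIP report, so it can never
    # satisfy a HIP-gated rule; it simply falls through to the default deny.
    if rule.require_hip and (sess.hip is None or not hip_compliant(sess.hip)):
        return False
    return True

def evaluate(rules: List[Rule], sess: Session) -> Tuple[str, str]:
    """First-match evaluation; unmatched interzone traffic is denied."""
    for rule in rules:
        if rule_matches(rule, sess):
            return rule.action, rule.name
    return "deny", "interzone-default"

# Example rulebase modelled on the reply: only named, HIP-compliant GP users
# reach the server zone or the internet; the plain LAN zone matches nothing.
RULES = [
    Rule("gp-users-to-servers", "gp-vpn", "servers", require_user=True, require_hip=True),
    Rule("gp-users-to-internet", "gp-vpn", "untrust", require_user=True, require_hip=True),
]

# Constructed sample sessions.
COMPLIANT = Session("gp-vpn", "servers", "alice", HostInfo(True, True, 1, 2))
STALE_AV = Session("gp-vpn", "servers", "bob", HostInfo(True, True, 10, 30))
NO_GP_CLIENT = Session("lan", "servers", None, None)

if __name__ == "__main__":
    for label, sess in [("compliant GP user", COMPLIANT),
                        ("GP user, stale AV", STALE_AV),
                        ("no GP client", NO_GP_CLIENT)]:
        print(f"{label:20s} -> {evaluate(RULES, sess)}")
```

The third case is the one the original question asks about: without 802.1X the machine with no GlobalProtect client is still on the LAN, but because it never authenticates or submits a HIP report it cannot match any HIP-gated rule, so what it can reach is decided entirely by how the zones and default rules are laid out.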
