8/3/2019 B-whitepaper Comprehensive Network Access Control 08-2008.en-us
WHITE PAPER: ENDPOINT SECURITY
Symantec Network Access Control
Comprehensive Network Access Control
Confidence in a connected world.
Contents
Executive summary 4
Maintaining a secure and managed state 5
The Symantec Network Access Control architecture 6
Symantec endpoint evaluation technologies: flexible and comprehensive 8
Persistent agents 9
Dissolvable agents 10
Remote vulnerability scanning 12
Symantec Enforcers: flexible enforcement options for eliminating IT and business disruptions 12
Host-Based Enforcement 13
Network-Based Enforcement 14
Network access control industry framework support 17
Symantec policy management: comprehensive, integrated endpoint security management 18
Single management console 19
Unified agent 20
Eliminating network access control obstacles 20
End-to-end endpoint compliance 21
Executive summary
The managed state of an organization's individual endpoints plays a critical role in the overall security and availability of its IT infrastructure and related business operations. The new wave of sophisticated crimeware not only targets specific companies, but it also targets desktops and laptops as backdoor entryways into the enterprise's business operations and valuable resources. To safeguard themselves against these targeted threats, organizations must have a means to guarantee that each endpoint continually complies with corporate security and configuration management policies. Failure to guarantee endpoint policy compliance leaves organizations vulnerable to a wide array of threats, including the proliferation of malicious code throughout the enterprise, disruption of business-critical services, increased IT recovery and management costs, exposure of confidential information, damage to corporate brand, and regulatory fines due to non-compliance.
Symantec Network Access Control enables organizations to ensure the proper configuration and security state of user endpoints, including those of onsite employees, remote employees, guests, contractors, and temporary workers, before they are allowed to access resources on the corporate network. It discovers and evaluates endpoint compliance status, provisions the appropriate network access, and provides remediation capabilities to ensure that endpoint security policies and standards are met. Symantec Network Access Control is OS-neutral and easily integrates with any network infrastructure, making its implementation more comprehensive, easier, faster, and more cost-effective than competing solutions.
By leveraging the endpoint compliance verification and enforcement capabilities of Symantec Network Access Control, organizations can enjoy:
• Reduced propagation of malicious code such as viruses, worms, spyware, and other forms of crimeware
• Lowered risk profile through increased control of unmanaged and managed endpoints accessing the corporate network
• Greater network availability and reduced disruption of services for end users
• Verifiable organizational compliance information through near-real-time endpoint compliance data
• Minimized total cost of ownership as a result of an enterprise-class centralized management architecture
• Verification that endpoint security investments such as antivirus and client firewall technologies are properly enabled
Maintaining a secure and managed state
IT administrators go to great lengths to ensure that newly deployed desktops and laptops are configured according to corporate policy, including all the applicable security updates, approved application sets, antivirus software, firewall settings, and other configuration settings. Unfortunately, as soon as the machines are put into production, administrators often lose control of the configuration of the endpoints. Users install new software, block patch updates, disable firewalls, or make other changes that put the device, and ultimately the entire IT infrastructure, at risk. Remote and mobile users create even greater exposure when they use their non-compliant laptops at Internet cafés, hotel rooms, or other unsecured locations where they are even more vulnerable to attack or infection.
Some organizations deploy patch management or software distribution solutions that, on a predetermined schedule, can eventually change out-of-compliance computers back to their proper state, but once the computer has been infected and then connected to the network, the solution is too little, too late. They also prove ineffectual against users with administrator privileges who think they are exempt from corporate policy and, as a result, block attempts to roll back their computers to their proper state of configuration.
Network access control solutions enable organizations to prevent this behavior from affecting the corporate IT infrastructure. Before any computer can access the production network and its resources, that computer must be in total compliance with established corporate policy, such as proper version levels of security patches, antivirus software, and virus definitions.
However, in spite of their ability to prevent non-compliant endpoints from attaching to the corporate network, network access control solutions have not been embraced by some organizations for a variety of reasons, including the fact that many solutions:
• Fail to deliver effective enforcement and remediation
• Increase the number of management agents that must be installed on the endpoints
• Introduce too much complexity and too many disruptions to the IT infrastructure
• Lack the flexibility to meet organizations' unique needs, such as appropriately accommodating guests and temporary workers
• Fail to properly integrate with the overall endpoint security management infrastructure
Symantec Network Access Control addresses all of these concerns with an end-to-end solution that securely controls access to corporate networks, enforces endpoint security policy, and easily integrates with existing network infrastructure.
The Symantec Network Access Control architecture
The Symantec Network Access Control architecture comprises three key components:
• Endpoint evaluation technologies assess the state of endpoints attempting to access the network (checking whether they are compliant or non-compliant with policy)
• Enforcers act as the gates/doors that permit or deny access to the network
• Policy management creates, edits, and manages network access control rules or policies via a central management console
Figure 1. Symantec Network Access Control architecture.
The endpoint evaluation technologies report to and receive their configuration policy information from the Symantec Endpoint Protection Manager, where policies are created, edited, and managed. If the Symantec endpoint evaluation technology determines that the endpoint is not in compliance with policy, it will tell the Symantec Enforcer to block the endpoint from accessing the network.
Based on policies set by the IT administrator (and based on the type of enforcement option deployed), the Symantec enforcement technologies are able to automatically bring non-compliant endpoints into compliance. This is accomplished by performing remediation tasks, such as calling up a local patch manager to install the latest patches or leveraging other tools installed on the endpoint for other tasks.
Symantec Network Access Control validates and enforces policy compliance for all types of endpoints on all types of networks. This validation and enforcement process begins prior to an endpoint's connection to the network and continues throughout the duration of the connection, with policy serving as the basis for all evaluations and actions. This network access control process executes the steps illustrated in Figure 2.
Figure 2. Network access control process.
1. Discover and evaluate endpoints: Discover endpoints as they connect to the network, prior to accessing resources. Through integration with existing network infrastructure and the usage of intelligent agent software, network administrators are assured that new devices connecting to the network are evaluated according to minimum IT policy requirements.
2. Provision network access: Full network access is granted only after systems are evaluated and determined to be in compliance with IT policy. Systems not in compliance, or failing to meet the minimum security requirements for an organization, are quarantined with limited or no access to the network.
3. Remediate non-compliant endpoints: Automatic remediation of non-compliant endpoints empowers administrators to quickly bring endpoints into compliance and subsequently alter network access accordingly. Administrators can either fully automate the remediation process, resulting in a fully transparent process to the end user, or provide remediation information to the user for manual remediation.
4. Proactively monitor compliance: Adherence to policy is a full-time issue. As such, Symantec Network Access Control actively monitors, at administrator-set intervals, the compliance posture for all endpoints. If at any time the endpoint compliance status changes, so will the network access privileges of the endpoint.
Symantec endpoint evaluation technologies: flexible and comprehensive
Network access control can protect the network from malicious code and from unknown or unauthorized endpoints by verifying that endpoints connecting to the network are configured properly so that they will be protected from online attacks. Network access control typically involves checking for antivirus, antispyware, and installed patches. However, most organizations quickly expand well beyond these typical checks after the initial network access control deployment. Regardless of the goal, the process begins with evaluating the endpoint. Due to the diverse number of endpoints that connect to the network (e.g., managed endpoints, or endpoints procured by the company, and unmanaged endpoints, or endpoints not procured by the company, such as telecommuters using their home computers, contractors, temporary employees, and partners that might use their own laptops), Symantec Network Access Control offers three distinct endpoint evaluation technologies to determine endpoint compliance:
• Persistent agents
• Dissolvable agents
• Remote vulnerability scanning
Figure 3. Endpoint evaluation technologies.
Persistent agents
Corporate-owned and other managed systems use an administrator-installed agent to determine compliance status. The agent checks antivirus, antispyware, installed patches, as well as complex system state characteristics such as registry entries, running processes, and file attributes. Persistent agents provide the most in-depth, accurate, and reliable system compliance information, while also offering the most flexible remediation and repair functionality of the assessment options.
Symantec believes that the key to successful network access control also begins by deploying a persistent agent-based solution. Due to the way desktop operating systems function, to effectively examine and remediate whether certain software is properly installed and running and whether the endpoint computer is properly configured or in an acceptable state, a network access control solution must be able to examine the endpoint process table and registry, and perhaps even modify certain entries. The best way to accomplish this is through an agent that has administrator privileges and that has been installed on the endpoint at the time of initial deployment. Solutions that are completely non-agent-based do not give the administrator sufficient permissions to adequately or accurately examine the endpoint for complete compliance. Also, non-agent-based solutions will very likely not have sufficient permissions to make the necessary modifications to the endpoint to bring it into compliance.
Symantec Network Access Control provides the option of a persistent and administrator-installed enforcement agent to determine the compliance status of endpoints. The agent can check for antivirus, antispyware, installed patches, and complex system state characteristics, including registry entries, running processes, and file attributes. This persistent agent option provides the most in-depth, accurate, and reliable system compliance information needed to ensure compliance with corporate policy.
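The self-compliance check a persistent agent performs, and the continual re-evaluation of step 4 above, are easy to see in code. The following is an added example and not Symantec's agent: the five checks follow the Host Integrity Rule the figure below names (antivirus on, antivirus updated, personal firewall on, service pack updated, patch updated); the thresholds, class names, and the sample endpoint snapshots are constructed for illustration.

```python
# Host Integrity evaluation as a persistent agent would perform it.
# Added example, not Symantec's code: the five checks follow the Host
# Integrity Rule in Figure 4; the thresholds, class names and the sample
# endpoint snapshots are constructed for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class EndpointState:
    """Local snapshot the agent collects from the endpoint (constructed)."""
    antivirus_running: bool
    av_definitions_date: date
    firewall_enabled: bool
    service_pack: int
    missing_patches: list = field(default_factory=list)


@dataclass
class HostIntegrityPolicy:
    """Administrator-set thresholds pushed down from the manager (hypothetical values)."""
    max_definition_age: timedelta = timedelta(days=7)
    min_service_pack: int = 3


def evaluate(state: EndpointState, policy: HostIntegrityPolicy, today: date):
    """Run the Host Integrity checks and return (failed_checks, firewall_policy).

    failed_checks is a list of (check name, remediation hint) pairs; the hint
    is what the agent would either act on itself or show to the user.
    firewall_policy is "Office" on a pass and "Quarantine" on any failure.
    """
    failed = []
    if not state.antivirus_running:
        failed.append(("Antivirus on", "start the antivirus service"))
    if today - state.av_definitions_date > policy.max_definition_age:
        failed.append(("Antivirus updated", "download current virus definitions"))
    if not state.firewall_enabled:
        failed.append(("Personal firewall on", "enable the personal firewall"))
    if state.service_pack < policy.min_service_pack:
        failed.append(("Service pack updated",
                       f"install service pack {policy.min_service_pack}"))
    if state.missing_patches:
        failed.append(("Patch updated",
                       "install missing patches: " + ", ".join(state.missing_patches)))
    firewall_policy = "Office" if not failed else "Quarantine"
    return failed, firewall_policy


def monitor(snapshots, policy: HostIntegrityPolicy, today: date):
    """Re-evaluate a sequence of snapshots taken at administrator-set intervals.

    Returns the firewall policy applied after each snapshot, so access is
    withdrawn as soon as a previously compliant endpoint drifts out of policy.
    """
    return [evaluate(snapshot, policy, today)[1] for snapshot in snapshots]


# Constructed sample data
TODAY = date(2008, 8, 4)
COMPLIANT = EndpointState(True, date(2008, 8, 1), True, 3)
DRIFTED = EndpointState(True, date(2008, 7, 1), False, 2, ["PATCH-A (constructed)"])

if __name__ == "__main__":
    for snapshot in (COMPLIANT, DRIFTED):
        failed, fw = evaluate(snapshot, HostIntegrityPolicy(), TODAY)
        print(fw, failed)
```

The point of returning the failed checks alongside the verdict is that the same data drives both remediation modes the process describes: an automated fix uses the hints as a work list, while the manual mode shows them to the user. Keeping the verdict a pure function of the snapshot and the policy also makes the periodic re-check trivial, which is what turns a one-time admission check into continual compliance monitoring.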
Figure 4. Persistent agent.
[Figure content: an onsite or remote laptop running the Symantec Network Access Control persistent agent connects to the network and validates policy with the Symantec Endpoint Protection Manager; the Network Access Control Agent performs self-compliance checks against the Host Integrity Rule (Antivirus on, Antivirus updated, Personal firewall on, Service pack updated, Patch updated) and reports status; compliance pass: apply Office firewall policy, giving access to the protected network; compliance fail: apply Quarantine firewall policy, confining the endpoint to quarantine and remediation resources.]
Dissolvable agents
One of the biggest challenges in the area of network access control is the proper handling of the admission of guest users to the network. Productivity can be significantly and negatively impacted without an automated way to provision network access to temporary workers and guests. Time and money are wasted if contractors or temporary employees show up to work, but cannot access the network for days or weeks due to manual provisioning of network access. Similarly, the same is true if automated network access control solutions unnecessarily block these users' access.
Effective network access control solutions must have the ability and flexibility to verify that a new or temporary endpoint does not pose a threat to the network, as well as determine what level of network access should be granted to the endpoint. The most accurate way to assess an endpoint is to install a full-time network access control agent onto the endpoint, but it is not usually in the best interest of the organization or the guest to deploy a full-time agent onto an endpoint that does not belong to the organization.
To address this issue, Symantec Network Access Control provides a temporary, dissolvable agent. This can be used for non-corporate devices or systems not currently managed by administrators. These Java-based agents are delivered on-demand and without administrative privileges to evaluate endpoint compliance posture. At the end of the session, these agents automatically remove themselves from the system. For example, when a guest endpoint tries to connect to the network, a network-based enforcement solution can recognize that it is not a known endpoint device and deliver the dissolvable, on-demand agent. The agent will perform the appropriate compliance checks, based on the policies that the administrator has defined for guests. If it is compliant, the endpoint can be granted access to the production network. When the network session ends, the agent will automatically remove itself from the endpoint.
In addition to using this redirection capability for temporary endpoints, redirection can also be used for endpoints belonging to new employees. In this case, when the agent is delivered to the endpoint, there might be an option for guests and another option for employees. If the user selects the employee option, a network-based enforcer can determine if the endpoint is an asset that belongs to the organization. If it is one of the organization's endpoints, then a full-time and persistent network access control agent can be deployed instead of the disposable agent.
By providing multiple options for verifying compliance with policies for endpoint status and configuration, Symantec Network Access Control ensures that the employees and guests that attempt to access an organization's network meet its minimum security standards and requirements.
Remote vulnerability scanning
Another complementary endpoint assessment method that companies can deploy when they do not have the option to install a persistent agent is to utilize remote vulnerability scanning. Remote vulnerability scanning provides compliance information to the Symantec Network Access Control enforcement infrastructure based upon remote credentialed vulnerability scan results from the Symantec Network Access Control Scanner. Remote scanning extends the information-gathering functionality to systems for which there is no agent-based technology currently available.
Depending on the different types of endpoints that connect to the network, companies may choose to use a mixture of these three endpoint evaluation technologies for complete coverage.
Symantec Enforcers: flexible enforcement options for eliminating IT and business disruptions
Each organization's network environment is unique in how it has evolved over time, and as a result, no single enforcement method can effectively control access to all points on the network. Network access control solutions must be flexible enough to easily integrate multiple enforcement methods into the existing environment without increasing management and maintenance overhead. Symantec Network Access Control allows organizations to select the most appropriate enforcement method for different parts of their network without increasing operational complexity or cost.
Figure 5. Classes of Symantec enforcement options.
[Figure content: Host-Based Enforcement Methods: Self-Enforcement and Peer-to-Peer Enforcement. Network-Based Enforcement Methods: Gateway Enforcer (appliance), LAN 802.1X Enforcer (appliance), DHCP Enforcer (appliance), DHCP Enforcer (plug-in), and Microsoft NAP Enforcer (plug-in).]
Host-Based Enforcement
Symantec offers simple Host-Based Enforcement methods, including Self-Enforcement and Peer-to-Peer Enforcement. These methods use the Symantec desktop firewall to permit or deny access. The firewall is already included as part of the Symantec Endpoint Protection product offering.
Many organizations hesitate to deploy network access control solutions because many offerings are inherently disruptive in design. Often they require expensive and time-intensive network infrastructure upgrades and changes. Many solutions are overly complex and too difficult to deploy. Some solutions require that endpoint agents be deployed simultaneously with upgrades being made to the network infrastructure. Problems encountered on either the agent or network enforcement side of the deployment result in a non-functioning solution that can be extremely difficult to troubleshoot and resolve, and that can also cause users to be inappropriately blocked from accessing the network.
Symantec helps eliminate these disruptions by providing a broad array of enforcement options that can be deployed using a simple, phased approach to deploying effective and comprehensive network access control. Network access control can easily be deployed with a Symantec host-based enforcement option. Deployments of this type require no infrastructure changes and no time-consuming deployment efforts. Organizations that are already using the Symantec Endpoint Protection solution already have the agent deployed, and simply need to enable network access control to take advantage of that capability. The Host-Based Enforcement option is the fastest and easiest way to conduct network access control for managed endpoints.
Self-Enforcement
The advantage of using Self-Enforcement is that it does not require the deployment of a network-based enforcement component to police access to the network. Rather, it uses the Symantec desktop firewall to police network access, providing the easiest and fastest enforcement deployment option. It is even easier to implement if the organization has already deployed the Symantec Endpoint Protection product.
Peer-to-Peer Enforcement
Symantec also offers Peer-to-Peer Enforcement, which ensures that client-to-client communications can occur only between endpoints that are owned and managed by the organization and between endpoints that are compliant with defined endpoint security policies.
The Self-Enforcement and Peer-to-Peer Enforcement options only work for managed endpoints. They cannot address the problem of unmanaged endpoints, such as guests or temporary workers, connecting to the network. Symantec Network Access Control addresses the issues associated with unmanaged endpoints through network-based enforcement methods.
Network-Based Enforcement
Symantec also offers various Network-Based Enforcement methods that are available as appliances or plug-ins. Organizations can implement, at their own pace, additional network-based enforcement options offered by Symantec to supplement host-based enforcement options. Network-based enforcers are a necessary component to control unmanaged endpoints connecting to the network. These additional key Network-Based Enforcement offerings include:
• Gateway Enforcer: In-line enforcement at network choke points
• DHCP Enforcer: DHCP-based approach for LAN and wireless networks over any infrastructure
• MS NAP Enforcer: MS NAP-based approach for LAN and wireless networks
• LAN 802.1X Enforcer: Out-of-band standards-based approach for LAN and wireless networks
Just like the network access control agents, the Symantec Enforcer offerings are network and OS-neutral and can easily integrate with any network infrastructure. These solutions are security vendor-neutral, meaning they will work with other leading antivirus, firewall, and host intrusion prevention solutions. Since these solutions have no inherent network or infrastructure dependencies, organizations can take a phased approach to their implementation, deploying them at their own discretion and on their own timetable.
Additionally, to further simplify administration and compliance enforcement, the enforcers are all centrally managed through Symantec Endpoint Protection Manager, as are the Symantec Network Access Control endpoint evaluation technologies.
Gateway Enforcer
Gateway Enforcer from Symantec is an in-line enforcement appliance deployed at network choke points, enabling it to control and block the flow of traffic from remote endpoints based on the endpoints' compliance with established corporate policy. Whether the choke point is at perimeter network connection points, such as WAN links or VPNs, or on internal segments accessing critical business systems, Gateway Enforcer efficiently provides controlled access to resources, as well as remediation services to bring non-compliant endpoints back into compliance.
Typical deployment scenarios for Gateway Enforcer might be behind an IPSec VPN, on WAN connections between a remote branch office and corporate headquarters, on wireless networks, on conference room networks, in front of critical servers, or in front of all data centers.
Figure 6. Gateway Enforcer.
[Figure content: a remote user running the Symantec Network Access Control Enforcement Agent attempts to connect to the network through an IPSec VPN and the Gateway Enforcer; the Gateway Enforcer requests policy and compliance data from the Symantec Endpoint Protection Manager, validates policy, and checks compliance status against the Host Integrity Rule (Antivirus On, Antivirus Updated, Personal Firewall on, Service Pack Updated, Patch Updated); agent present and compliance pass: allow access to the protected network; otherwise the Gateway Enforcer options are Block Client, HTTP Redirect for Client, Display Pop-up on Client, and Restrict Network Access, with the endpoint held in quarantine with access to remediation resources.]
DHCP Enforcer
The DHCP Enforcer from Symantec is deployed in-line between endpoints and an organization's existing DHCP services infrastructure. DHCP Enforcer issues a restrictive DHCP lease assignment if an endpoint is not running the network access control agent, is out of compliance, or its compliance status is unknown. This restrictive lease assignment is a non-routable or quarantined IP address that provides reduced access to the network.
DHCP Enforcer can also communicate with the endpoint agent to initiate necessary remediation actions to bring the endpoint into compliance with policy. Once in compliance, the endpoint will initiate a DHCP release and renew request. Once DHCP Enforcer receives the renewal request and determines that the endpoint is in compliance, the endpoint will be granted a DHCP lease on the normal production network, allowing full access to the network.
Since DHCP Enforcer works as an in-line DHCP proxy, it is compatible with any existing DHCP infrastructure and can work in any existing network environment with no upgrades of hardware or software. As an alternative to a DHCP Enforcer appliance, Symantec offers a DHCP Enforcer plug-in that can be installed directly on Microsoft DHCP servers. The Microsoft DHCP server implementation enables the Microsoft DHCP server to act as the enforcement point.
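The lease logic described above can be modelled in a few dozen lines. The following is an added example, not Symantec's DHCP Enforcer: it plays the in-line proxy, hands out a restrictive lease to any endpoint that has not reported, reported non-compliant, or has unknown status, and moves the endpoint to a production lease only on a release/renew after the agent reports compliance. The quarantine and production scopes, the MAC addresses, and all class and method names are constructed.

```python
# DHCP Enforcer lease decisions, modelled as an in-line DHCP proxy.
# Added example, not Symantec's code: the quarantine and production scopes,
# the MAC addresses and the class/method names are constructed. It shows the
# behaviour described above: no agent, non-compliant or unknown status gets a
# restrictive lease; after remediation a release/renew yields a production lease.
from ipaddress import ip_network

QUARANTINE_SCOPE = ip_network("169.254.100.0/24")  # non-routable quarantine range (constructed)
PRODUCTION_SCOPE = ip_network("10.20.0.0/24")      # normal production range (constructed)


class DhcpEnforcer:
    def __init__(self):
        # MAC -> "compliant" | "noncompliant"; a missing entry means the
        # endpoint has not reported, i.e. no agent or status unknown.
        self.compliance = {}
        self.leases = {}          # MAC -> (scope name, address)
        self._quarantine_pool = iter(QUARANTINE_SCOPE.hosts())
        self._production_pool = iter(PRODUCTION_SCOPE.hosts())

    def agent_report(self, mac, compliant):
        """Compliance status reported by the endpoint agent."""
        self.compliance[mac.lower()] = "compliant" if compliant else "noncompliant"

    def handle_request(self, mac):
        """Answer a DHCP DISCOVER/REQUEST (including renewals) for this MAC.

        Only a currently compliant endpoint is offered a production lease;
        anything else (no report, non-compliant) is confined to quarantine.
        A renewal that stays in the same scope keeps its address.
        """
        mac = mac.lower()
        wanted = "production" if self.compliance.get(mac) == "compliant" else "quarantine"
        current = self.leases.get(mac)
        if current and current[0] == wanted:
            return current
        pool = self._production_pool if wanted == "production" else self._quarantine_pool
        lease = (wanted, next(pool))
        self.leases[mac] = lease
        return lease

    def release(self, mac):
        """DHCP RELEASE from the endpoint, sent after remediation before renewing."""
        self.leases.pop(mac.lower(), None)

    def remediation_needed(self, mac):
        """True when the enforcer should trigger remediation through the agent."""
        return self.compliance.get(mac.lower()) == "noncompliant"


def walk_through(enforcer, mac):
    """Full flow for one endpoint: first contact, failed check, remediation, renew.
    Returns the scope names seen at each step."""
    steps = []
    steps.append(enforcer.handle_request(mac)[0])      # unknown status -> quarantine
    enforcer.agent_report(mac, compliant=False)
    steps.append(enforcer.handle_request(mac)[0])      # still quarantine, remediation triggered
    enforcer.agent_report(mac, compliant=True)          # agent fixed the endpoint
    enforcer.release(mac)
    steps.append(enforcer.handle_request(mac)[0])      # renew -> production
    return steps


if __name__ == "__main__":
    e = DhcpEnforcer()
    print(walk_through(e, "00:11:22:33:44:55"))   # ['quarantine', 'quarantine', 'production']
    print(e.leases)
```

Two design points are worth noting. The default branch is quarantine: an endpoint the enforcer has never heard from gets the restrictive lease, which is what makes the approach work for unmanaged devices without any agent at all. And because every renewal is re-decided against the latest reported status, an endpoint that later drifts out of compliance is pulled back into quarantine at its next renewal, so the lease lifetime bounds how long a non-compliant endpoint can keep a production address.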
Microsoft Network Access Protection Enforcer
The Symantec Network Access Control Integrated NAP Enforcer is a plug-in that can be installed directly on Microsoft Network Policy Server (NPS), enabling customers to extend and augment their Microsoft Network Access Protection (NAP) implementation with the consolidated policy configuration and more comprehensive range of compliance checking options provided by Symantec Network Access Control. Endpoint compliance checking is performed by the Symantec Network Access Control client. This client receives compliance policies from the NPS via the endpoint's Microsoft NAP client. After it has performed its checks, Symantec Network Access Control relays the compliance checking results to the NAP client, which then communicates status to the NPS for enforcement.
Symantec Network Access Control extends the deployability and manageability of Microsoft NAP in customer environments by offering a single System Health Verifier (SHV), single policy console, single agent, more granular checking options, and the ability to create custom checks. Interoperability with NAP will make Symantec Network Access Control deployment even easier: customers will be able to leverage the power of Symantec Network Access Control's extensive capabilities in an open, multivendor environment. In addition, Symantec Network Access Control's NAP implementation is fully compliant with Trusted Computing Group's TNC standards.
LAN 802.1X Enforcer
The LAN 802.1X Enforcer from Symantec is an out-of-band 802.1X RADIUS proxy solution that works with all major switching vendors supporting the 802.1X standard. Nearly all wired and wireless Ethernet switch makers support the IEEE 802.1X Admission Control Protocol. LAN Enforcer uses this link-level protocol to evaluate endpoint compliance, provide automatic problem remediation, and admit compliant endpoints to the corporate network.
During enforcement, the Symantec agent on the endpoint uses 802.1X to transmit compliance information to the network switch, which relays it to LAN Enforcer. If the endpoint is not in compliance with policy, LAN Enforcer will place it in a quarantine network where the endpoint can be remediated without impacting any of the compliant endpoints. Once Symantec Network Access Control remediates the endpoint and brings it into compliance, the 802.1X protocol will attempt to re-authenticate the user and grant access to the network.
LAN Enforcer can participate with existing AAA identity-management architectures to authenticate users and endpoints, or it can act as an independent RADIUS solution for environments that only require endpoint compliance validation, also known as transparent mode. In transparent mode, the administrator simply configures the switch to use LAN Enforcer as the RADIUS server, allowing the appliance to authenticate endpoints based on compliance with defined policy. Running LAN Enforcer in transparent mode requires no additional infrastructure and is a simple way to implement a secure, VLAN-switching-based network access control solution. Furthermore, the LAN Enforcer offers enhanced MAC address authentication functionality for unmanaged devices in 802.1X-enabled environments. The LAN Enforcer can check the MAC address of a device connecting to an 802.1X-enabled switch port, validate it against a store of known/authorized MAC addresses, and allow or block the device depending on whether it finds a match.
Figure 7. LAN (802.1X) Enforcer.
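The transparent-mode decision the LAN Enforcer makes, including the MAC address fallback for unmanaged devices, reduces to a small policy function. The following is an added example, not Symantec's appliance: the enforcer stands in for the switch's RADIUS server, maps the compliance statement the agent sent over 802.1X to a VLAN, and for devices that sent no statement falls back to a lookup in a store of authorized MAC addresses. The VLAN numbers, MAC addresses, the authorized-MAC store, and all names are constructed.

```python
# LAN Enforcer in transparent mode: the switch's RADIUS server is the enforcer,
# and the endpoint's compliance result carried over 802.1X decides the VLAN.
# Added example, not Symantec's code: VLAN numbers, MAC addresses, the
# authorized-MAC store and all names are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

PRODUCTION_VLAN = 10   # constructed VLAN id for compliant/authorized devices
QUARANTINE_VLAN = 99   # constructed VLAN id reaching remediation resources only

# Constructed store of known/authorized MAC addresses for devices that
# cannot run the agent (printers, phones, ...).
AUTHORIZED_MACS = {
    "00:1a:2b:3c:4d:5e": "printer",
    "00:1a:2b:3c:4d:5f": "ip-phone",
}


@dataclass
class AccessRequest:
    """What the switch relays to the enforcer for one 802.1X session."""
    mac: str
    # Compliance statement from the endpoint agent; None when no agent spoke
    compliant: Optional[bool] = None


@dataclass
class AccessDecision:
    """RADIUS-style outcome: accept/reject plus the VLAN to assign."""
    accept: bool
    vlan: Optional[int]
    reason: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so store lookups are not format-sensitive."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide(req: AccessRequest, authorized=AUTHORIZED_MACS) -> AccessDecision:
    """Map one access request to the VLAN the switch should place the port in."""
    if req.compliant is True:
        return AccessDecision(True, PRODUCTION_VLAN, "agent reported compliant")
    if req.compliant is False:
        # Quarantine keeps the endpoint off the production VLAN but lets it
        # reach remediation; the switch re-authenticates once it is fixed.
        return AccessDecision(True, QUARANTINE_VLAN,
                              "agent reported non-compliant; remediate, then re-authenticate")
    # No agent statement: treat as unmanaged and fall back to MAC authentication.
    mac = normalize_mac(req.mac)
    if mac in authorized:
        return AccessDecision(True, PRODUCTION_VLAN, f"MAC authorized as {authorized[mac]}")
    return AccessDecision(False, None, "unknown MAC and no agent; port blocked")


def reauthentication_sequence(mac: str, results):
    """VLANs assigned across successive 802.1X authentications of one endpoint,
    e.g. [False, True] for a failed check followed by successful remediation."""
    return [decide(AccessRequest(mac, r)).vlan for r in results]


if __name__ == "__main__":
    print(decide(AccessRequest("00-1A-2B-3C-4D-5E")))                    # printer, production VLAN
    print(reauthentication_sequence("00:11:22:33:44:55", [False, True]))  # [99, 10]
```

The MAC fallback deserves a caveat when it is used this way: a MAC address is an identifier, not a credential, so the authorized store should be kept to the devices that genuinely cannot run an agent, and a decision taken on that branch is worth logging separately from agent-based ones so that an unexpected device class appearing on a port stands out in review.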
Network access control industry framework support
Symantec Network Access Control can currently operate independently or in conjunction with Cisco Network Admission Control. Also, it will work with other network access control industry frameworks, including Microsoft Network Access Protection and the Trusted Computing Group's Trusted Network Connect standard. Both the Microsoft and Cisco technologies are architectural frameworks that focus on building protocols and interfaces that can be used by multiple vendors to provide complete network access control solutions. The Trusted Computing Group is a consortium of over 80 IT industry companies that have sponsored the Trusted Network Connect standard, which is similar in intent and architecture to the Microsoft and Cisco efforts, but is intended to operate on any type of network hardware infrastructure and any host operating system.
All of these different frameworks typically require software or hardware from several different vendors in order to build a complete solution, often resulting in multiple layers of complexity to deploy. However, Symantec Network Access Control does not require the existence of any of these industry framework technologies to provide end-to-end effective and comprehensive network access control. Still, Symantec Network Access Control will support, enhance, and seamlessly operate alongside these industry frameworks, allowing enterprises to deploy the technologies that they feel best fit their needs.
Symantec policy management: comprehensive, integrated endpoint security management
As organizations have had to deal with growing user populations that include onsite employees, remote employees, short-term employees, guests, contractors, and other temporary workers, they have become increasingly susceptible to a vast array of threats trying to enter the network. Security concerns include viruses, spyware, zero-day attacks, and known exploits, all of which try to find their way onto the business network through openings created by endpoint devices that are not compliant with established corporate security policies.
Symantec believes that true endpoint security requires the seamless coupling of endpoint protection technologies with endpoint compliance technologies. Symantec enables organizations to take a more holistic approach to endpoint security to address this threat through its tight integration of Symantec Endpoint Protection (endpoint protection) and Symantec Network Access Control (endpoint enforcement). These offerings seamlessly interoperate to provide a comprehensive and unified multilayered endpoint protection solution that enables IT administrators to successfully strike the balance between network access, end-user productivity, and security, while simplifying endpoint security administration.
Figure 8. Endpoint Security: the seamless combination of Endpoint Protection and Endpoint Enforcement.
Single management console
Key to this holistic management approach is the ability provided by the Symantec Endpoint Protection Manager to centrally create, deploy, manage, and report on all endpoint security activities. From a single management console, administrators can set policies that control all aspects of the integrated Symantec Network Access Control components, such as the Symantec evaluation technologies and Symantec Enforcers, in addition to the Symantec Endpoint Protection policies. The policy manager's enterprise-class centralized management architecture can scale to meet the most demanding environments and provides granular control over all administrative tasks, while simplifying and unifying all endpoint security management efforts to reduce total cost of ownership.
Unified agent
For organizations that have already deployed the Symantec Endpoint Protection product, the network access control persistent agent functionality is already present on the agent. In other words, it is not necessary to deploy an additional agent to implement network access control. The network access control capability integrated into the Symantec Endpoint Protection agent can be easily enabled through the purchase of a license. The consolidation of all these security capabilities into a single agent reduces complexity and system resources and requires no change to the client when adding network access control. Additionally, this single, unified agent is managed via the Symantec Endpoint Protection Manager.
Eliminating network access control obstacles
Symantec helps eliminate the obstacles to leveraging the benefits of network access control by delivering a comprehensive and integrated endpoint security solution that:
• Delivers effective policy compliance enforcement and remediation
• Reduces the number of security management agents that must be installed to a single agent
• Simplifies IT complexity while eliminating disruptions to the business and IT infrastructure
• Provides the flexibility to address organizations' unique network access control implementation needs, including appropriately accommodating guests and temporary workers
• Seamlessly integrates with an organization's overall endpoint security management infrastructure
To further help organizations leverage the benefits of Symantec Network Access Control, Symantec provides a range of consulting, technical education, and support services to guide them through its deployment and management, enabling businesses to realize the full value of their investment.
Symantec Enterprise Support Services have three levels of protection designed to meet the needs of the small business as well as the large enterprise. Symantec Education has a portfolio of training courses designed to get users up to speed quickly. Symantec Consulting Services provides assistance with solution design, deployment planning, installation package creation, and testing through either its Residency Services, where Symantec Consultants work side-by-side with customer IT staff, or Operational Services, where the entire endpoint security function can be outsourced to Symantec, the security experts.
End-to-end endpoint compliance
In today's highly sophisticated and dangerous threat landscape, IT administrators must protect themselves not only from organized attacks against their specific company, but also from targeted attacks that leverage desktops and laptops as backdoor entryways into the enterprise's business operations and valuable resources. To maintain the integrity of the corporate IT infrastructure and its endpoints, organizations can no longer allow unchecked access to the network. With the significant increase in the number and types of endpoints accessing the network, organizations must be able to verify the health and posture of endpoints, both prior to connecting to resources as well as on a continual basis after endpoints connect.
Symantec Network Access Control is an end-to-end solution that securely controls access to corporate networks, enforces endpoint security policy, and easily integrates with existing network infrastructure. Regardless of how endpoints connect to the network, Symantec Network Access Control discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides automated remediation capabilities, and continually monitors endpoints for changes in compliance status. The result is a network environment where corporations realize significant reductions in security incidents, increased levels of compliance to corporate IT security policy, and confidence that endpoint security mechanisms are properly enabled.
Figure 9. Symantec Network Access Control architecture.
With its array of multiple agent assessment technologies and multiple enforcement options, along with being OS- and network vendor-neutral, Symantec Network Access Control is the most flexible and interoperable network access control solution on the market. This high level of flexibility and interoperability also allows organizations to easily and quickly deploy the combination of network access control assessment and enforcement options the way they need to and when they need to. To further assist in deployment, as well as to help speed the return on an organization's investment, Symantec also provides a range of consulting, technical education, and support services.
Symantec is a global leader in infrastructure software, as well as endpoint security, enabling businesses and consumers to have confidence in a connected world. Symantec helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance.
About Symantec
Symantec is a global leader in providing security, storage, and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.
For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.
Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2007, 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and Symantec AntiVirus are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Microsoft is either a registered trademark or a trademark of Microsoft Corporation in the United States and/or other countries. Java is a trademark or registered trademark of Sun Microsystems, Inc., in the U.S. or other countries. Other names may be trademarks of their respective owners. Printed in the U.S.A.
08/08 12516470-2