B-whitepaper Comprehensive Network Access Control 08-2008.en-us

Date post: 07-Apr-2018

WHITE PAPER: ENDPOINT SECURITY

Symantec Network Access Control

Comprehensive Network Access Control

Confidence in a connected world.

Contents

Executive summary 4

Maintaining a secure and managed state 5

The Symantec Network Access Control architecture 6

Symantec endpoint evaluation technologies: flexible and comprehensive 8

    Persistent agents 9

    Dissolvable agents 10

    Remote vulnerability scanning 12

Symantec Enforcers: flexible enforcement options for eliminating IT and business disruptions 12

    Host-Based Enforcement 13

    Network-Based Enforcement 14

    Network access control industry framework support 17

Symantec policy management: comprehensive, integrated endpoint security management 18

Single management console 19

Unified agent 20

Eliminating network access control obstacles 20

End-to-end endpoint compliance 21

    Executive summary

The managed state of an organization's individual endpoints plays a critical role in the overall security and availability of its IT infrastructure and related business operations. The new wave of sophisticated crimeware not only targets specific companies, but it also targets desktops and laptops as backdoor entryways into the enterprise business operations and valuable resources. To safeguard themselves against these targeted threats, organizations must have a means to guarantee that each endpoint continually complies with corporate security and configuration management policies. Failure to guarantee endpoint policy compliance leaves organizations vulnerable to a wide array of threats, including the proliferation of malicious code throughout the enterprise, disruption of business-critical services, increased IT recovery and management costs, exposure of confidential information, damage to corporate brand, and regulatory fines due to non-compliance.

Symantec Network Access Control enables organizations to ensure the proper configuration and security state of user endpoints, including those of onsite employees, remote employees, guests, contractors, and temporary workers, before they are allowed to access resources on the corporate network. It discovers and evaluates endpoint compliance status, provisions the appropriate network access, and provides remediation capabilities to ensure that endpoint security policies and standards are met. Symantec Network Access Control is OS-neutral and easily integrates with any network infrastructure, making its implementation more comprehensive, easier, faster, and more cost-effective than competing solutions.

By leveraging the endpoint compliance verification and enforcement capabilities of Symantec Network Access Control, organizations can enjoy:

- Reduced propagation of malicious code such as viruses, worms, spyware, and other forms of crimeware
- Lowered risk profile through increased control of unmanaged and managed endpoints accessing the corporate network
- Greater network availability and reduced disruption of services for end users
- Verifiable organizational compliance information through near-real-time endpoint compliance data
- Minimized total cost of ownership as a result of an enterprise-class centralized management architecture
- Verification that endpoint security investments such as antivirus and client firewall technologies are properly enabled

    Maintaining a secure and managed state

IT administrators go to great lengths to ensure that newly deployed desktops and laptops are configured according to corporate policy, including all the applicable security updates, approved application sets, antivirus software, firewall settings, and other configuration settings. Unfortunately, as soon as the machines are put into production, administrators often lose control of the configuration of the endpoints. Users install new software, block patch updates, disable firewalls, or make other changes that put the device, and ultimately the entire IT infrastructure, at risk. Remote and mobile users create even greater exposure when they use their non-compliant laptops at Internet cafés, hotel rooms, or other unsecured locations where they are even more vulnerable to attack or infection.

Some organizations deploy patch management or software distribution solutions that, on a predetermined schedule, can eventually change out-of-compliance computers back to their proper state, but once the computer has been infected and then connects to the network, the solution is too little, too late. They also prove ineffectual against users with administrator privileges who think they are exempt from corporate policy and, as a result, block attempts to roll back their computers to their proper state of configuration.

Network access control solutions enable organizations to prevent this behavior from affecting the corporate IT infrastructure. Before any computer can access the production network and its resources, that computer must be in total compliance with established corporate policy, such as proper version levels of security patches, antivirus software, and virus definitions.

However, in spite of their ability to prevent non-compliant endpoints from attaching to the corporate network, network access control solutions have not been embraced by some organizations for a variety of reasons, including the fact that many solutions:

- Fail to deliver effective enforcement and remediation
- Increase the number of management agents that must be installed on the endpoints
- Introduce too much complexity and too many disruptions to the IT infrastructure
- Lack the flexibility to meet organizations' unique needs, such as appropriately accommodating guests and temporary workers
- Fail to properly integrate with the overall endpoint security management infrastructure

Symantec Network Access Control addresses all of these concerns with an end-to-end solution that securely controls access to corporate networks, enforces endpoint security policy, and easily integrates with existing network infrastructure.

    The Symantec Network Access Control architecture

The Symantec Network Access Control architecture comprises three key components:

- Endpoint evaluation technologies assess the state (check if they are compliant or non-compliant with policy) of endpoints attempting to access the network
- Enforcers act as the gates/doors that permit or deny access to the network
- Policy management creates, edits, and manages network access control rules or policies via a central management console

Figure 1. Symantec Network Access Control architecture.

The endpoint evaluation technologies report to and receive their configuration policy information from the Symantec Endpoint Protection Manager, where policies are created, edited, and managed. If the Symantec endpoint evaluation technology determines that the endpoint is not in compliance with policy, it will tell the Symantec Enforcer to block the endpoint from accessing the network.

Based on policies set by the IT administrator (and based on the type of enforcement option deployed), the Symantec enforcement technologies are able to automatically bring non-compliant endpoints into compliance. This is accomplished by performing remediation tasks, such as calling up a local patch manager to install the latest patches or leveraging other tools installed on the endpoint for other tasks.

Symantec Network Access Control validates and enforces policy compliance for all types of endpoints on all types of networks. This validation and enforcement process begins prior to an endpoint connecting to the network and continues throughout the duration of the connection, with policy serving as the basis for all evaluations and actions. This network access control process executes the steps illustrated in Figure 2.

Figure 2. Network access control process.

1. Discover and evaluate endpoints: discovers endpoints as they connect to the network, prior to accessing resources. Through integration with existing network infrastructure and the usage of intelligent agent software, network administrators are assured that new devices connecting to the network are evaluated according to minimum IT policy requirements.

2. Provision network access: full network access is granted only after systems are evaluated and determined to be in compliance with IT policy. Systems not in compliance, or failing to meet the minimum security requirements for an organization, are quarantined with limited or no access to the network.

3. Remediate non-compliant endpoints: automatic remediation of non-compliant endpoints empowers administrators to quickly bring endpoints into compliance and subsequently alter network access accordingly. Administrators can either fully automate the remediation process, resulting in a fully transparent process to the end user, or provide remediation information to the user for manual remediation.

4. Proactively monitor compliance: adherence to policy is a full-time issue. As such, Symantec Network Access Control actively monitors, at administrator-set intervals, the compliance posture for all endpoints. If at any time the endpoint compliance status changes, so will the network access privileges of the endpoint.

    Symantec endpoint evaluation technologies: flexible and comprehensive

Network access control can protect the network from malicious code and from unknown or unauthorized endpoints by verifying that endpoints connecting to the network are configured properly so that they will be protected from online attacks. Network access control typically involves checking for antivirus, antispyware, and installed patches. However, most organizations quickly expand well beyond these typical checks after the initial network access control deployment. Regardless of the goals, the process begins with evaluating the endpoints. Due to the diverse number of endpoints that connect to the network (e.g., managed endpoints, endpoints procured by the company, unmanaged endpoints, or endpoints not procured by the company, such as telecommuters using their home computers, contractors, temporary employees, and partners that might use their own laptops), Symantec Network Access Control offers three distinct endpoint evaluation technologies to determine endpoint compliance:

- Persistent agents
- Dissolvable agents
- Remote vulnerability scanning

    Figure 3. Endpoint evaluation technologies.

    Persistent agents

Corporate-owned and other managed systems use an administrator-installed agent to determine compliance status. The agent checks antivirus, antispyware, installed patches, as well as complex system status characteristics such as registry entries, running processes, and file attributes. Persistent agents provide the most in-depth, accurate, and reliable system compliance information, while also offering the most flexible remediation and repair functionality of assessment options.

Symantec believes that the key to successful network access control also begins by deploying a persistent agent-based solution. Due to the way desktop operating systems function, to effectively examine and remediate whether certain software is properly installed and running and if the endpoint computer is properly configured or in an acceptable state, a network access control solution must be able to examine the endpoint process table and registry, and perhaps even modify certain entries. The best way to accomplish this is through an agent that has administrator privileges and that has been installed on the endpoint at the time of initial deployment. Solutions that are completely non-agent-based do not give the administrator sufficient permissions to adequately or accurately examine the endpoint for complete compliance. Also, non-agent-based solutions will very likely not have sufficient permissions to make the necessary modifications to the endpoint to bring them into compliance.

Symantec Network Access Control provides the option of a persistent and administrator-installed enforcement agent to determine the compliance status of endpoints. The agent can check for antivirus, antispyware, installed patches, and complex system status characteristics, including registry entries, running processes, and file attributes. This persistent agent option provides the most in-depth, accurate, and reliable system compliance information needed to ensure compliance with corporate policy.
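The following is an added illustration, not Symantec code, of how a persistent agent can evaluate the Host Integrity Rule shown in Figure 4 (antivirus on, antivirus updated, personal firewall on, service pack updated, patch updated), map each failed check to a remediation step, select the Office or Quarantine firewall policy, and re-evaluate at intervals so that a change in compliance changes the applied policy. The rule thresholds, the patch identifiers, the antivirus process name and the endpoint snapshot fields are all constructed assumptions.

```python
"""Host Integrity evaluation and self-enforcement decision.

Added illustration of the persistent-agent checks described above and of the
Host Integrity Rule shown in Figure 4; this is not Symantec code. The rule
thresholds, patch identifiers and process names are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date

OFFICE_POLICY = "Office firewall policy"          # Figure 4: compliance pass
QUARANTINE_POLICY = "Quarantine firewall policy"  # Figure 4: compliance fail


@dataclass
class EndpointState:
    """Snapshot that an administrator-installed agent can collect locally
    (process table, registry-derived settings, installed patches)."""
    antivirus_running: bool
    av_definitions_date: str          # ISO date of the current virus definitions
    firewall_enabled: bool
    service_pack: int
    installed_patches: set = field(default_factory=set)
    running_processes: set = field(default_factory=set)


@dataclass
class Policy:
    """Administrator-defined Host Integrity Rule (constructed values)."""
    max_definition_age_days: int = 7
    min_service_pack: int = 3
    required_patches: set = field(default_factory=set)
    av_process_name: str = "av_service.exe"   # hypothetical process name


def evaluate_host_integrity(state, policy, today):
    """Return (compliant, failed_rules, remediation_steps) for one endpoint.

    Each failed rule is paired with the remediation the agent would trigger,
    e.g. calling a local patch manager, as the architecture section describes.
    """
    failures, remediation = [], []
    if not state.antivirus_running or policy.av_process_name not in state.running_processes:
        failures.append("Antivirus on")
        remediation.append("start antivirus service")
    age = (date.fromisoformat(today) - date.fromisoformat(state.av_definitions_date)).days
    if age > policy.max_definition_age_days:
        failures.append("Antivirus updated")
        remediation.append("download current virus definitions")
    if not state.firewall_enabled:
        failures.append("Personal firewall on")
        remediation.append("enable personal firewall")
    if state.service_pack < policy.min_service_pack:
        failures.append("Service pack updated")
        remediation.append(f"install service pack {policy.min_service_pack}")
    missing = sorted(policy.required_patches - state.installed_patches)
    if missing:
        failures.append("Patch updated")
        remediation.append("run local patch manager for " + ", ".join(missing))
    return not failures, failures, remediation


def select_firewall_policy(compliant):
    """Self-Enforcement: the desktop firewall policy applied to the endpoint."""
    return OFFICE_POLICY if compliant else QUARANTINE_POLICY


def monitor(snapshots, policy, today):
    """Re-evaluate snapshots taken at an administrator-set interval and return
    the points at which the applied policy, and so network access, changes
    (process step 4, proactive monitoring)."""
    transitions, current = [], None
    for index, snapshot in enumerate(snapshots):
        compliant, _, _ = evaluate_host_integrity(snapshot, policy, today)
        chosen = select_firewall_policy(compliant)
        if chosen != current:
            transitions.append((index, chosen))
            current = chosen
    return transitions


if __name__ == "__main__":
    rule = Policy(required_patches={"KB-EXAMPLE-1", "KB-EXAMPLE-2"})
    laptop = EndpointState(True, "2008-07-01", False, 2,
                           {"KB-EXAMPLE-1"}, {"av_service.exe"})
    ok, failed, steps = evaluate_host_integrity(laptop, rule, "2008-08-05")
    print(select_firewall_policy(ok), failed, steps, sep="\n")
```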

Figure 4. Persistent agent.

[Figure 4 shows an onsite or remote laptop running the Symantec Network Access Control persistent agent. The client connects to the network and validates policy; the agent performs self-compliance checks against the Host Integrity Rule (Antivirus on, Antivirus updated, Personal firewall on, Service pack updated, Patch updated) and reports status to the Symantec Endpoint Protection Manager. Compliance pass: apply Office firewall policy and admit the client to the protected network. Compliance fail: apply Quarantine firewall policy, confining the client to quarantine and remediation resources.]

Dissolvable agents

One of the biggest challenges in the area of network access control is the proper handling of the admission of guest users to the network. Productivity can be significantly and negatively impacted without an automated way to provision network access to temporary workers and guests. Time and money is wasted if contractors or temporary employees show up to work, but cannot access the network for days or weeks due to manual provisioning of network access. Similarly, the same is true if automated network access control solutions unnecessarily block these users' access.

Effective network access control solutions must have the ability and flexibility to verify that a new or temporary endpoint does not pose a threat to the network, as well as determine what level of network access should be granted to the endpoint. The most accurate way to assess an endpoint is to install a full-time network access control agent onto the endpoint, but it is not usually in the best interest of the organization or the guest to deploy a full-time agent onto an endpoint that does not belong to the organization.

To address this issue, Symantec Network Access Control provides a temporary, dissolvable agent. This can be used for non-corporate devices or systems not currently managed by administrators. These Java-based agents are delivered on-demand and without administrative privileges to evaluate endpoint compliance posture. At the end of the session, these agents automatically remove themselves from the system. For example, when a guest endpoint tries to connect to the network, a network-based enforcement solution can recognize that it is not a known endpoint device and deliver the dissolvable, on-demand agent. The agent will perform the appropriate compliance checks, based on the policies that the administrator has defined for guests. If it is compliant, the endpoint can be granted access to the production network. When the network session ends, the agent will automatically remove itself from the endpoint.

In addition to using this redirection capability for temporary endpoints, redirection can also be used for endpoints belonging to new employees. In this case, when the agent is delivered to the endpoint, there might be an option for guests and another option for employees. If the user selects the employee option, a network-based enforcer can determine if the endpoint is an asset that belongs to the organization. If it is one of the organization's endpoints, then a full-time and persistent network access control agent can be deployed instead of the disposable agent.

By providing multiple options for verifying compliance with policies for endpoint status and configuration, Symantec Network Access Control ensures that the employees and guests that attempt to access an organization's network meet its minimum security standards and requirements.

    Remote vulnerability scanning

Another complementary endpoint assessment method that companies can deploy when they do not have the option to install a persistent agent is to utilize remote vulnerability scanning. Remote vulnerability scanning provides compliance information to the Symantec Network Access Control enforcement infrastructure based upon remote credentialed vulnerability scan results from the Symantec Network Access Control Scanner. Remote scanning extends the information-gathering functionality to systems for which there is no agent-based technology currently available.

Depending on the different types of endpoints that connect to the network, companies may choose to use a mixture of these three endpoint evaluation technologies for complete coverage.

Symantec Enforcers: flexible enforcement options for eliminating IT and business disruptions

Each organization's network environment is unique in how it has evolved over time, and as a result, no single enforcement method can effectively control access to all points on the network. Network access control solutions must be flexible enough to easily integrate multiple enforcement methods into the existing environment without increasing management and maintenance overhead. Symantec Network Access Control allows organizations to select the most appropriate enforcement method for different parts of their network without increasing operational complexity or cost.

Figure 5. Classes of Symantec enforcement options.

[Figure 5 lists two classes. Host-Based Enforcement Methods: Self-Enforcement, Peer-to-Peer Enforcement. Network-Based Enforcement Methods: Gateway Enforcer (appliance), LAN 802.1X Enforcer (appliance), DHCP Enforcer (appliance), DHCP Enforcer (plug-in), Microsoft NAP Enforcer (plug-in).]

    Host-Based Enforcement

Symantec offers multiple Host-Based Enforcement methods, including Self-Enforcement and Peer-to-Peer Enforcement. These methods use the Symantec desktop firewall to permit or deny access. The firewall is already included as part of the Symantec Endpoint Protection product offering.

Many organizations hesitate to deploy network access control solutions because many offerings are inherently disruptive in design. Often they require expensive and time-intensive network infrastructure upgrades and changes. Many solutions are overly complex and too difficult to deploy. Some solutions require that endpoint agents be deployed simultaneously with upgrades being made to the network infrastructure. Problems encountered on either the agent or network enforcement side of the deployment result in a non-functioning solution that can be extremely difficult to troubleshoot and resolve, and that can also cause users to be inappropriately blocked from accessing the network.

Symantec helps eliminate these disruptions by providing a broad array of enforcement options that can be deployed using a simple, phased approach to deploying effective and comprehensive network access control. Network access control can easily be deployed with a Symantec host-based enforcement option. Deployments of this type require no infrastructure changes and no time-consuming deployment efforts. Organizations that are already using the Symantec Endpoint Protection solution already have the agent deployed, and simply need to enable network access control to take advantage of that capability. The Host-Based Enforcement option is the fastest and easiest way to mount network access control for managed endpoints.

Self-Enforcement

The advantage of using Self-Enforcement is that it does not require the deployment of a network-based enforcement component to police access to the network. Rather, it uses the Symantec desktop firewall to police network access, providing the easiest and fastest enforcement deployment option. It is even easier to implement if the organization has already deployed the Symantec Endpoint Protection product.

    Peer-to-Peer Enforcement

Symantec also offers Peer-to-Peer Enforcement, which ensures that client-to-client communication can occur only between endpoints that are owned and managed by the organization and between endpoints that are compliant with defined endpoint security policies.

The Self-Enforcement and Peer-to-Peer Enforcement options only work for managed endpoints. They cannot address the problem of unmanaged endpoints, such as guests or temporary workers, connecting to the network. Symantec Network Access Control addresses the issues associated with unmanaged endpoints through network-based enforcement methods.

    Network-Based Enforcement

Symantec also offers various Network-Based Enforcement methods that are available as appliances or plug-ins. Organizations can implement, at their own pace, additional network-based enforcement options offered by Symantec to supplement host-based enforcement options. Network-based enforcers are a necessary component to control unmanaged endpoints connecting to the network. These additional key Network-Based Enforcement offerings include:

- Gateway Enforcer: in-line enforcement at network choke points
- DHCP Enforcer: DHCP-based approach for LAN and wireless networks over any infrastructure
- MS NAP Enforcer: MS NAP-based approach for LAN and wireless networks
- LAN 802.1X Enforcer: out-of-band standards-based approach for LAN and wireless networks

Just like the network access control agents, the Symantec Enforcer offerings are network OS-neutral and can easily integrate with any network infrastructure. These solutions are security vendor-neutral, meaning they will work with other leading antivirus, firewall, and host intrusion prevention solutions. Since these solutions have no inherent network or infrastructure dependencies, organizations can take a phased approach to their implementation, deploying them at their own discretion and on their own timetable.

Additionally, to further simplify administration and compliance enforcement, the enforcers are all centrally managed through Symantec Endpoint Protection Manager, as are the Symantec Network Access Control endpoint evaluation technologies.

    Gateway Enforcer

Gateway Enforcer from Symantec is an in-line enforcement appliance deployed at network choke points, enabling it to control and block the flow of traffic from remote endpoints based on the endpoint's compliance with established corporate policy. Whether the choke point is at perimeter network connection points, such as WAN links or VPNs, or on internal segments accessing critical business systems, Gateway Enforcer efficiently provides controlled access to resources, as well as remediation services to bring non-compliant endpoints back into compliance.

Typical deployment scenarios for Gateway Enforcer might be behind an IPSec VPN, WAN connections between a remote branch office and corporate headquarters, on wireless networks, conference room networks, in front of critical servers, or in front of all data centers.

Figure 6. Gateway Enforcer.

[Figure 6 shows a remote user behind an IPSec VPN connecting through Gateway Enforcer. The client attempts to connect to the network; Gateway Enforcer requests policy and compliance data from the Symantec Endpoint Protection Manager, validates policy, and checks compliance status against the Host Integrity Rule (Antivirus On, Antivirus Updated, Personal Firewall on, Service Pack Updated, Patch Updated). Agent present and compliance pass: allow access to the protected network. Otherwise the Gateway Enforcer options are Block Client, HTTP Redirect for Client, Display Pop-up on Client, or Restrict Network Access to quarantine and remediation resources.]

DHCP Enforcer

The DHCP Enforcer from Symantec is deployed in-line between endpoints and an organization's existing DHCP services infrastructure. DHCP Enforcer issues a restrictive DHCP lease assignment if an endpoint is not running the network access control agent, is out-of-compliance, or its compliance status is unknown. This restrictive lease assignment is a non-routable or quarantined IP address that provides reduced access to the network.

DHCP Enforcer can also communicate with the endpoint agent to initiate necessary remediation actions to bring the endpoint in compliance with policy. Once in compliance, the endpoint will initiate a DHCP release and renew request. Once DHCP Enforcer receives the renewal request and determines that the endpoint is in compliance, the endpoint will be granted a DHCP lease on the normal production network, allowing full access to the network.

Since DHCP Enforcer works as an in-line DHCP proxy, it is compatible with any existing DHCP infrastructure and can work in any existing network environment with no upgrades of hardware or software. As an alternative to a DHCP Enforcer appliance, Symantec offers a DHCP Enforcer plug-in that can be installed directly on Microsoft DHCP servers. The Microsoft DHCP server implementation enables the Microsoft DHCP server to act as the enforcement point.
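As an added example (not Symantec code), the following models the DHCP Enforcer decision described above as an in-line proxy: any request from an endpoint with no agent report, an out-of-compliance report, or an unknown status is answered from a short-lived quarantine pool, and only after the agent reports compliance and the endpoint performs a release and renew does it receive a production lease. The address pools, lease times, MAC addresses and the agent report format are constructed assumptions.

```python
"""DHCP Enforcer lease decision, modelled as an in-line DHCP proxy.

Added example of the restrictive-lease behaviour described above; it is not
Symantec code. The address pools, lease times and the agent report format are
constructed for the illustration (TEST-NET ranges stand in for real subnets).
"""
from ipaddress import IPv4Network, ip_address

QUARANTINE_NET = IPv4Network("192.0.2.0/24")      # constructed non-routable quarantine pool
PRODUCTION_NET = IPv4Network("198.51.100.0/24")   # constructed production pool
QUARANTINE_LEASE_SECONDS = 120     # short lease: a remediated client re-requests quickly
PRODUCTION_LEASE_SECONDS = 86400

VALID_STATUSES = ("compliant", "noncompliant", "unknown")


class DhcpEnforcer:
    """Sits between endpoints and the real DHCP service; every request is
    answered from the quarantine pool unless the agent reported compliance."""

    def __init__(self):
        self.reports = {}   # mac -> status reported by the endpoint agent
        self.leases = {}    # mac -> (ip, lease_seconds, scope)
        self._pools = {"quarantine": QUARANTINE_NET.hosts(),
                       "production": PRODUCTION_NET.hosts()}

    def agent_report(self, mac, status):
        """Record the compliance status the endpoint agent sent to the enforcer."""
        if status not in VALID_STATUSES:
            raise ValueError(f"unexpected status {status!r}")
        self.reports[mac] = status

    def classify(self, mac):
        """No agent report, out-of-compliance and unknown all map to quarantine;
        only a positive compliance report earns a production lease."""
        return "production" if self.reports.get(mac) == "compliant" else "quarantine"

    def handle_request(self, mac):
        """Answer a DISCOVER/REQUEST from mac with (ip, lease_seconds, scope)."""
        scope = self.classify(mac)
        current = self.leases.get(mac)
        if current is not None and current[2] == scope:
            return current   # renewal within the same scope keeps the address
        ip = str(next(self._pools[scope]))
        seconds = (PRODUCTION_LEASE_SECONDS if scope == "production"
                   else QUARANTINE_LEASE_SECONDS)
        self.leases[mac] = (ip, seconds, scope)
        return self.leases[mac]

    def handle_release(self, mac):
        """DHCP RELEASE: forget the current lease for mac."""
        self.leases.pop(mac, None)

    def release_and_renew(self, mac):
        """The release-then-renew sequence a remediated endpoint initiates."""
        self.handle_release(mac)
        return self.handle_request(mac)


def is_quarantined(ip):
    """True when an address comes from the restrictive (quarantine) pool."""
    return ip_address(ip) in QUARANTINE_NET


if __name__ == "__main__":
    enforcer = DhcpEnforcer()
    mac = "00-00-5E-00-53-01"   # constructed MAC from the IANA documentation range
    print("no agent report   ->", enforcer.handle_request(mac))
    enforcer.agent_report(mac, "noncompliant")
    print("failed check      ->", enforcer.handle_request(mac))
    enforcer.agent_report(mac, "compliant")
    print("after remediation ->", enforcer.release_and_renew(mac))
```

A later report that the endpoint has fallen out of compliance makes its next request land back in the quarantine pool, which is the continuous-monitoring behaviour the process description calls for.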

    Microsoft Network Access Protection Enforcer

The Symantec Network Access Control Integrated NAP Enforcer is a plug-in that can be installed directly on Microsoft Network Policy Server (NPS), enabling customers to extend and augment their Microsoft Network Access Protection (NAP) implementation with the consolidated policy configuration and more comprehensive range of compliance checking options provided by Symantec Network Access Control. Endpoint compliance checking is performed by the Symantec Network Access Control client. This client receives compliance policies from the NPS via the endpoint's Microsoft NAP client. After it has performed its checks, Symantec Network Access Control relays the compliance checking results to the NAP client, which then communicates status to the NPS for enforcement.

Symantec Network Access Control extends the deployability and manageability of Microsoft NAP in customer environments by offering a single System Health Verifier (SHV), single policy console, single agent, more granular checking options, and the ability to create custom checks. Interoperability with NAP will make Symantec Network Access Control deployments even easier: customers will be able to leverage the power of Symantec Network Access Control's extensive capabilities in an open, multivendor environment. In addition, Symantec Network Access Control's NAP implementation is fully compliant with Trusted Computing Group's TNC standards.

    LAN 802.1X Enforcer

The LAN 802.1X Enforcer from Symantec is an out-of-band 802.1X RADIUS proxy solution that works with all major switching vendors supporting the 802.1X standard. Nearly all wired and wireless Ethernet switch makers support the IEEE 802.1X Admission Control Protocol. LAN Enforcer uses this link-level protocol to evaluate endpoint compliance, provide automatic problem remediation, and admit compliant endpoints to the corporate network.

During enforcement, the Symantec agent on the endpoint uses 802.1X to transmit compliance information to the network switch, which relays it to LAN Enforcer. If the endpoint is not in compliance with policy, LAN Enforcer will place it in a quarantine network where the endpoint can be remediated without impacting any of the compliant endpoints. Once Symantec Network Access Control remediates the endpoint and brings it into compliance, the 802.1X protocol will attempt to re-authenticate the user and grant access to the network.

LAN Enforcer can participate with existing AAA identity-management architectures to authenticate users and endpoints, or it can act as an independent RADIUS solution for environments that only require endpoint compliance validation, also known as transparent mode. In transparent mode, the administrator simply configures the switch to use LAN Enforcer as the RADIUS server, allowing the appliance to authenticate endpoints based on compliance with defined policy. Running LAN Enforcer in transparent mode requires no additional infrastructure and is a simple way to implement a secure, VLAN-switching-based network access control solution. Furthermore, the LAN Enforcer offers enhanced MAC address authentication functionality for unmanaged devices in 802.1x-enabled environments. The LAN Enforcer can check the MAC address of a device connecting to an 802.1x-enabled switch port, validate it against a store of known/authorized MAC addresses, and allow or block the device depending on whether it finds a match.

Figure 7. LAN (802.1X) Enforcer.

    Network access control industry framework support

Symantec Network Access Control can currently operate independently or in conjunction with Cisco Network Admission Control. Also, it will work with other network access control industry frameworks, including Microsoft Network Access Protection and the Trusted Computing Group's Trusted Network Connect standard. Both the Microsoft and Cisco technologies are architectural frameworks that focus on building protocols and interfaces that can be used by multiple vendors to provide complete network access control solutions. The Trusted Computing Group is a consortium of over 80 IT industry companies that have sponsored the Trusted Network Connect standard, which is similar in intent and architecture to the Microsoft and Cisco efforts, but is intended to operate on any type of network hardware infrastructure and any host operating system.

All of these different frameworks typically require software or hardware from several different vendors in order to build a complete solution, often resulting in multiple layers of complexity to deploy. However, Symantec Network Access Control does not require the existence of any of these industry framework technologies to provide end-to-end effective and comprehensive network access control. Still, Symantec Network Access Control will support, enhance, and seamlessly operate alongside these industry frameworks, allowing enterprises to deploy the technologies that they feel best fit their needs.

Symantec policy management: comprehensive, integrated endpoint security management

As organizations have had to deal with growing user populations that include onsite employees, remote employees, short-term employees, guests, contractors, and other temporary workers, they have become increasingly susceptible to a vast array of threats trying to enter the network. Security concerns include viruses, spyware, zero-day attacks, and unknown exploits, all of which try to find their way onto the business network through openings created by endpoint devices that are not compliant with established corporate security policies.

Symantec believes that true endpoint security requires the seamless coupling of endpoint protection technologies with endpoint compliance technologies. Symantec enables organizations to take a more holistic approach to endpoint security to address this threat through its tight integration of Symantec Endpoint Protection (endpoint protection) and Symantec Network Access Control (endpoint enforcement). These offerings seamlessly interoperate to provide a comprehensive and unified multilayered endpoint protection solution that enables IT administrators to successfully strike the balance between network access, end-user productivity, and security, while simplifying endpoint security administration.

Figure 8. Endpoint Security: the seamless combination of Endpoint Protection and Endpoint Enforcement.

    Single management console

Key to this holistic management approach is the ability provided by the Symantec Endpoint Protection Manager to centrally create, deploy, manage, and report on all endpoint security activities. From a single management console, administrators can set policies that control all aspects of the integrated Symantec Network Access Control components, such as the Symantec evaluation technologies and Symantec Enforcers, in addition to the Symantec Endpoint Protection policies. The policy manager's enterprise-class centralized management architecture can scale to meet the most demanding environments and provides granular control of all administrative tasks, while simplifying and unifying all endpoint security management efforts to reduce total cost of ownership.

    Unified agent

For organizations that have already deployed the Symantec Endpoint Protection product, the network access control persistent agent functionality is already present on the agent. In other words, it is not necessary to deploy an additional agent to implement network access control. The network access control capability integrated into the Symantec Endpoint Protection agent can be easily enabled through the purchase of a license. The consolidation of all these security capabilities into a single agent reduces complexity and system resources and requires no change to the client when adding network access control. Additionally, this single, unified agent is managed via the Symantec Endpoint Protection Manager.

    Eliminating network access control obstacles

Symantec helps eliminate the obstacles to leveraging the benefits of network access control by delivering a comprehensive and integrated endpoint security solution that:

- Delivers effective policy compliance enforcement and remediation
- Reduces the number of security management agents that must be installed to a single agent
- Simplifies IT complexity while eliminating disruptions to the business and IT infrastructure
- Provides the flexibility to address organizations' unique network access control implementation needs, including appropriately accommodating guests and temporary workers
- Seamlessly integrates with an organization's overall endpoint security management infrastructure

To further help organizations leverage the benefits of Symantec Network Access Control, Symantec provides a range of consulting, technical education, and support services to guide them through its deployment and management, enabling businesses to realize the full value of their investment.

Symantec Enterprise Support Services have three levels of protection designed to meet the needs of the small business as well as the large enterprise. Symantec Education has a portfolio of training courses designed to get users up to speed quickly. Symantec Consulting Services provides assistance with solution design, deployment planning, installation package creation, and testing through either its Residency Services, where Symantec Consultants work side-by-side with customer IT staff, or Operational Services, where the entire endpoint security function can be outsourced to Symantec, the security experts.

    End-to-end endpoint compliance

In today's highly sophisticated and dangerous threat landscape, IT administrators must protect themselves not only from organized attacks against their specific company, but also from targeted attacks that leverage desktops and laptops as backdoor entryways into the enterprise business operations and valuable resources. To maintain the integrity of the corporate IT infrastructure and its endpoints, organizations can no longer allow unchecked access to the network. With the significant increase in the number and types of endpoints accessing the network, organizations must be able to verify the health and posture of endpoints, both prior to connecting to resources as well as on a continual basis after endpoints connect.

Symantec Network Access Control is an end-to-end solution that securely controls access to corporate networks, enforces endpoint security policy, and easily integrates with existing network infrastructure. Regardless of how endpoints connect to the network, Symantec Network Access Control discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides automated remediation capabilities, and continually monitors endpoints for changes in compliance status. The result is a network environment where corporations realize significant reductions in security incidents, increased levels of compliance to corporate IT security policy, and confidence that endpoint security mechanisms are properly enabled.

Figure 9. Symantec Network Access Control architecture.

With its array of multiple agent assessment technologies and multiple enforcement options, along with being OS- and network vendor-neutral, Symantec Network Access Control is the most flexible and interoperable network access control solution on the market. This high level of flexibility and interoperability also allows organizations to easily and quickly deploy the combination of network access control assessment and enforcement options the way they need to and when they need to. To further aid in deployment, as well as to help speed the return on an organization's investment, Symantec also provides a range of consulting, technical education, and support services.

Symantec is a global leader in infrastructure software, as well as endpoint security, enabling businesses and consumers to have confidence in a connected world. Symantec helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance.

    About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright 2007, 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and Symantec AntiVirus are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Microsoft is either a registered trademark or a trademark of Microsoft Corporation in the United States and/or other countries. Java is a trademark or registered trademark of Sun Microsystems, Inc., in the U.S. or other countries. Other names may be trademarks of their respective owners. Printed in the U.S.A.

08/08 12516470-2