www.mcafee.com

White Paper | May 2006

Harnessing the Power of McAfee and Cisco for Enterprise-Ready Network Admissions and Access Control

Table of Contents

Executive Summary 3

Mitigating the Risk of Extended Networks 3

The Price of Admission for Collaborative Business 4

Powerful Policy Enforcement with McAfee Policy Enforcer and Cisco NAC 4

McAfee Policy Enforcer in a Cisco NAC Infrastructure 5

Enforcing Policies Opens Doors 8

Learn More 8

Note: This document is not to be construed as a promise by McAfee to develop, deliver or market a product with any particular functionality or attribute. McAfee reserves the right to revise this document or the product described therein and to make changes to the content of the document or the product described therein, at any time, without obligation to notify any person or entity.

Executive Summary

Extended networks bring risk. Guests and traveling employees may connect systems that do not comply with your security policies. Network access control solutions challenge and evaluate systems when they try to access the network. Compliant systems are allowed access. Non-compliant systems are denied access and/or sent to remediation portals.

Cisco provides an enforcement framework for network access control. McAfee® provides powerful policy management. The joint solution allows organizations to extend their networks without risking infection from non-compliant systems.

Mitigating the Risk of Extended Networks

In today’s highly competitive business environment, you must open your enterprise applications to guests, partners, suppliers and customers. Carefully, you extend your reach with offices around the globe and employees who work from home. While collaborative business creates a great advantage in a global economy, it is a challenge to protect and secure critical business information.

You’ve established security policies and put in place an arsenal of system and network protection, but this is not enough. The problem isn’t lack of protection—it’s the lack of compliance with your security policies when systems access your network. While attacks from viruses, worms, spyware, and malicious code may be stopped dead by properly protected systems, you remain vulnerable to the damage that can be caused by endpoints that are not current with operating system patches, anti-virus signatures, and other security applications and updates. These “unhealthy” or non-compliant systems can rapidly spread attacks and infections within your infrastructure. And they will usually spread unchecked until they reach a traditional perimeter defense. While even the most vigilant IT organization may try to implement rigid update guidelines and policies, you still face the challenge of systems that elude your corporate policy—be they managed or not, partner or employee. The damage from breaches carries a greater price than ever, measured in a loss of your customers’ trust, a hit to your revenues, downtime for your critical applications, and the cost to clean up the mess.

To combat today’s highly aggressive attacks, you need to go beyond traditional layered security. Yes, you need anti-virus, anti-spyware, host intrusion prevention, host firewall, and patch management software. But you also need a solution that enforces security policies when endpoints try to access your network. You need to make sure that any device that connects to your network is configured correctly, possesses up-to-date patches, and has no high-risk viruses or worms. Security experts agree: enforcing policies when devices try to access the network is essential in today’s complex security environment.

“Enterprises experience an average of 501 hours of network downtime every year, and as a result lose millions of dollars in annual productivity and revenue. Overall downtime costs average �.6 percent of annual revenue, a significant number, and one likely to surprise many large organizations. Implementing policy enforcement is important to maintain the integrity of your IT infrastructure and reduce costs associated with network downtime,” said Jeff Wilson, principal analyst of Infonetics Research.

If you proactively enforce IT security policies you can minimize potential damage from security threats that are introduced by users’ desktop PCs, laptops, mobile devices—any endpoint device.

McAfee is working closely with Cisco Systems to address the escalating challenges of endpoint security and to deliver effective network access control:

• Cisco has defined Network Admission Control (NAC), a network architecture and communications framework that protects enterprise networks from users’ systems that do not comply with established IT security policies. Cisco NAC lays the groundwork for enforcement by network access devices (NADs), such as switches, routers, wireless solutions, or VPN concentrators, while McAfee Policy Enforcer (MPE) performs the assessments that drive Cisco NAC enforcement actions. When you limit network access to compliant systems, you limit damage from security threats such as viruses, worms, and spyware.

• McAfee Policy Enforcer is the core of McAfee’s network access control solution. It is easy to manage, works with the security and network infrastructure you already have, and can support a dynamic and changing network environment. Policy definition with McAfee Policy Enforcer is intelligent and easy to use, and it provides robust security and compliance assessment and powerful remediation for your Cisco NAC environment. You can centrally define and manage your network access control policies through McAfee ePolicy Orchestrator® (ePO™), leveraging your investment in this enterprise-class, scalable management infrastructure. McAfee Policy Enforcer performs deep assessments on all of your systems, and provides multiple enforcement options if systems fail to comply with your security policies. McAfee Policy Enforcer offers the most comprehensive and effective network access control available for your Cisco NAC-enabled infrastructure and beyond.

The Price of Admission for Collaborative Business

The business need for more open access to information resources compounds the risk. Opening your corporate network to mobile employees, customers, and partners extends what was once a trusted network across uncontrolled environments like the Internet. Your employees, guests and other users can unwittingly cause significant damage from inside your enterprise walls. The proliferation of mobile employees and the steep rise in the number of contractors, consultants, partners, and customers who need to access your corporate information resources means their computers can become conduits for attacks and misuse.

Your employees use their corporate laptops and mobile devices on the road or at home, and then later reconnect to your trusted enterprise network. Although they use a system that has the appropriate security software and patches, they may still introduce a threat into your network. By using their laptop on an unprotected network, perhaps at home or at an airport hotspot, their system may become infected with new malicious code—before they can get the latest protection with their regularly scheduled security update. Your employees in branch offices may have PCs with outdated anti-virus definition (DAT) files, or PCs that are otherwise not compliant with your current security standards.

Your IT department has little control over the security standards for computers used by guests, consultants, and other visitors, either onsite or remote. Even your employees, customers, and partners who connect via an IPsec or SSL VPN can unknowingly introduce an infection to your enterprise network.

Policy enforcement at the time of network access can mitigate your risk in this landscape of shifting threats. A policy enforcement or network access control solution for the enterprise encompasses both policy control and an enforcement framework:

• Policy control, provided by McAfee Policy Enforcer, is the “brains” of your network access control solution. It enables you to centrally define the IT security network access policy for all systems—managed and unmanaged—that connect to your network through the WAN/LAN or remotely. MPE works with multiple enforcement methods, such as a Cisco NAC-enabled infrastructure. It also enables you to assess whether endpoints measure up to your security policies and determines what remediation actions to take.

• The enforcement framework, as provided by a Cisco NAC-enabled infrastructure, is the “brawn” of your network access control solution. It detects new systems as they request a network connection and enforces compliance based on what the MPE tells it to do.

Powerful Policy Enforcement with McAfee Policy Enforcer and Cisco NAC

Together, McAfee and Cisco provide complete network access control for a Cisco NAC-enabled infrastructure. Leaders in system security and networking, McAfee and Cisco have collaborated to deliver a robust policy definition, system discovery, system assessment, quarantining, and remediation solution for network access control. McAfee Policy Enforcer integrates with Cisco NAC APIs for a complete policy enforcement solution in conjunction with your Cisco NAC-enabled network.

McAfee Policy Enforcer delivers an intelligent, integrated flexible approach to enforce security-policy compliance and remediation on non-compliant endpoints when they attempt to access a Cisco NAC-enabled infrastructure. McAfee Policy Enforcer offers scalable policy creation and management, all from your ePolicy Orchestrator console. It provides deep system assessments that include checks for infections, malware, and worms, leveraging the embedded powerful McAfee Foundstone® engine. It scans both managed and unmanaged systems, and can use either a remote- or host-based scanner. McAfee Policy Enforcer also supports system remediation to ensure that systems comply with specified application and patch levels before being granted network access.

Cisco NAC discovers systems as they attempt to access the network and enforces the policies set by McAfee Policy Enforcer. Cisco NAC allows you to determine and enforce the level of network access to grant to an endpoint, based on the security posture delivered by the MPE assessment. Systems are not permitted on your network until the assessment is complete, and only when the system is compliant with your policies. With MPE, McAfee protects against internal and external threats in a Cisco NAC-enabled network.

Figure 1: Managed and Unmanaged Systems

McAfee Policy Enforcer extends management, enforcement, and support for Cisco networks. You can use McAfee ePO to define, measure, and manage your system security policy. The highly tunable centralized management framework of ePO provides a single console for your system security and network access control products. McAfee Policy Enforcer simplifies deployment of the Cisco NAC framework with the ability to use ePO’s enterprise-scalable centralized management to deploy the Cisco Trust Agent (CTA) to all ePO-managed systems. McAfee Policy Enforcer also simplifies administration for your non-threat platforms (such as printers and phones) by allowing you to create either a dynamic, rules-based approach that automatically allows access to certain devices based on their hardware profile, or specified exception lists.

McAfee Policy Enforcer in a Cisco NAC Infrastructure

Together, Cisco and McAfee provide a complete end-to-end solution for network access control. Use McAfee Policy Enforcer to define security policies, assess systems to determine their security posture, and remediate systems as appropriate. McAfee also adds critical management capabilities, such as the ability to set company-wide policies and effective management reporting and auditing. Cisco NAC provides active enforcement by discovering systems as they request network connections and enforcing the policies: blocking or limiting access to certain subnets, quarantining non-compliant systems, or permitting access for compliant systems.

Organizations need to ensure their Cisco network environments are NAC-enabled as they work to meet their specific business-security requirements and timelines. So, depending on your Cisco NAC migration timeline, your organization may require multiple enforcement methods, such as Cisco NAC, IPsec VPN, SSL VPN, 802.1X or McAfee’s built-in enforcement methods for legacy Cisco or heterogeneous environments, for both managed and unmanaged systems. Regardless of the enforcement methods used, with McAfee Policy Enforcer the process of centrally defining policies, assessing systems against policy, and remediating non-compliant systems remains the same. Policy Enforcer gives you the most intelligent policy enforcement available.

1. Define network access policies: The first step to a strong enforcement foundation is when you define the rules by which systems are judged as compliant. In a Cisco NAC framework, your administrators can set policies at the network-access level using the Cisco Secure Access Control Server (ACS), an implementation of RADIUS.

Figure 2: Cisco-NAC infrastructure with McAfee Policy Enforcer (diagram elements: Subject; Enforcement Decision & Remediation: Cisco ACS 4.0, Directory, McAfee Policy Enforcer, Other Vendor Servers, McAfee Remediation Server; access paths: LAN, WAN, Remote, Internet, Any)

That may not be enough. You may want a more robust way to set security policies across all enforcement methods that provides strong management, reporting, and monitoring capabilities.

McAfee is the leader in providing enterprise-class, scalable policy management. McAfee Policy Enforcer enables you to easily define, measure, and manage system security policy for a Cisco NAC infrastructure. With McAfee, you can set policies governing the required security patches for a particular operating system and the minimum versions of anti-virus, firewall, and host intrusion prevention software plus much more. Role-based access makes it easy to define and manage policies. McAfee Policy Enforcer leverages McAfee ePO for centralized management and consolidated reporting, which makes policy enforcement easier to deploy and administer. For example, you may be using a Cisco NAC-enabled network with a Cisco IPsec VPN as well as a Juniper SSL VPN. In this instance, with McAfee Policy Enforcer, you would centrally create the security policies for all these enforcement methods.

McAfee Policy Enforcer also manages the deployment and installation of Cisco Trust Agent (CTA) software on endpoints, significantly easing the task of deploying and updating this client software. Tight integration between the Policy Enforcer scanner agent and the CTA API provides an agent-based, comprehensive system security scanner.

McAfee Policy Enforcer also eases ongoing operations. Tight integration with the Cisco Host Credentials Authorization Protocol (HCAP) API facilitates centralized policy definition using ePO. You may save hours or weeks of deployment time, as well as ongoing management time. McAfee Policy Enforcer provides the ability to centrally define and administer policies across a variety of enforcement methods, enabling you to intelligently set network access policy based on your corporate security requirements, rather than based on the limitations of each enforcement method.

2. Discover new systems: Cisco NAC-enabled network access devices discover systems as they attempt to access the network, whether the connection is a wired LAN, wireless LAN, through an IP Phone, a VPN connection or a WAN connection. When a desktop PC, server, laptop, or any other endpoint attempts to connect to the network through a Cisco NAC-enabled switch, router, or other compatible network access device, the access device first requests posture credentials from the endpoint in addition to the usual user authentication credentials. If the Cisco Trust Agent (CTA) is installed on the endpoint, the request for credentials is sent to the McAfee Policy Enforcer scanner. Otherwise, posture information will be determined by the agentless McAfee Policy Enforcer assessment engine integrated into the Cisco NAC framework through the Generic Authorization Message Exchange (GAME) protocol API.

3. Assess systems: Next, the system is assessed for compliance with the specified security policy. McAfee Policy Enforcer provides agent and agentless scanners that perform hundreds of checks. Systems are assessed at the time of network access, and then continuously—based on pre-configured rules—throughout the network session.

• Host-based assessment: If the system has both the Cisco Trust Agent (CTA) and the Policy Enforcer scanner (delivered as a software update to the McAfee ePO agent), the CTA asks the Policy Enforcer scanner to assess and collect the most current security policy information to determine the system’s security posture. That information is forwarded to the Cisco Secure ACS via the CTA. In turn, and based on the system posture provided by McAfee Policy Enforcer, the Cisco Secure ACS returns an admission decision to the Cisco Network Access Device, which enforces the decision.

• Agentless assessment: For systems without the CTA installed, McAfee provides agentless scanning to determine compliance and threat levels. Integration with the Cisco Generic Authorization Message Exchange (GAME) API facilitates deep scanning of systems without the CTA agent as well as for accurate platform identification. McAfee’s agentless scanner can run credentialed checks, non-credentialed checks, and OS/platform-fingerprinting algorithms to determine a comprehensive risk assessment for each device attempting to access the network.

McAfee provides a deep, granular system assessment of the device’s configuration and critical security applications, including third-party applications. The McAfee Policy Enforcer scanner provides a rich set of compliance checks that helps you quickly define flexible and powerful compliance policies and rules (see Table 1: McAfee Provides Comprehensive Enforcement Checks). It checks for active instances of viruses, Trojans, and worms. It verifies the existence and minimum required versions of McAfee and third-party security applications, such as anti-virus, desktop firewall, host intrusion prevention, and anti-spyware. The Policy Enforcer scanner assesses the system configuration for the required operating system version, service pack, patch management products, the overall security health status, and many other factors. McAfee leverages the Foundstone engine for powerful systems scanning. Additionally, McAfee’s sophisticated policy controls can prevent disruption of access to non-threat platforms like printers and phones.

4. Enforce system policies: The Cisco Secure ACS determines the appropriate access action (allow access, deny access, restrict access, or quarantine) based on the system posture as determined by the McAfee Policy Enforcer scanner. Cisco Secure ACS passes the admission-control decision to the Cisco NAC-enabled network-access device. If the system complies with the policy, it is granted network access. If it does not comply, it may be denied access or restricted to a quarantine network segment with limited access. Preventing a non-compliant system from accessing the network can contain infections before they spread throughout the network.

Category: Supported Products

Threat/Infection Checks: Mydoom • Sasser • Zotob • Bagle • Nachi • Netsky • Plus many others

Host Anti-Virus: McAfee VirusScan® Enterprise and McAfee VirusScan • Symantec AntiVirus and Norton AntiVirus • Trend Micro OfficeScan and ServerProtect • Computer Associates ezTrust AV • Sophos Anti-Virus

Microsoft Service Packs: Microsoft Windows Update Service • Microsoft patches for service packs, operating systems, and Internet Explorer

Host Firewall: McAfee Desktop Firewall • Sygate Firewall • Symantec Firewall • Microsoft Windows XP Firewall

Host Intrusion Prevention: McAfee Entercept® 5.0 and HIPS 6.0

Patch Management Agents: Patchlink Update • BigFix Patch Manager • Microsoft Windows Update • BMC Marimba Patch Management Agent

Host Anti-Spyware: McAfee AntiSpyware Enterprise • Webroot Spysweeper • Computer Associates PestPatrol

System/Policy Management Agents: Microsoft SMS • IBM Tivoli Agent • Symantec ESM

Patch Assessment: Microsoft Security Patches

Table 1: McAfee Provides Comprehensive Enforcement Checks


5. Remediate non-compliant systems: Remediating non-compliant systems is critical to a successful network access control deployment. Without adequate remediation capabilities, blocking non-compliant systems from the network can impede user productivity and increase help-desk calls. McAfee Policy Enforcer provides enhanced remediation options to ensure that systems comply with specified security policy. Administrators can customize the remediation portal for a user-friendly remediation process with one-click updates. Administrators can also configure the quarantined system to run a McAfee auto-update capability, so that users’ systems can automatically be remediated without calling the helpdesk. Once remediated, the endpoint will automatically be rescanned for compliance and, if the endpoint is then compliant, it will be granted access to the corporate network.

6. Management and reporting: IT managers need greater visibility into policy compliance. McAfee ePO provides comprehensive enforcement reporting, monitoring, auditing, and alerting for McAfee Policy Enforcer. ePO provides proactive notifications and comprehensive reporting on all systems that have accessed your network, including systems blocked or quarantined, and details on all the checks that passed or failed. Because of the shifting landscape of security threats, McAfee Policy Enforcer allows you to periodically evaluate compliance, based on administrator policy. Integration with the Cisco NAC reporting logs enables McAfee to provide centralized graphical reporting, monitoring, and notification.
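As an added illustration that is not from the white paper or from either vendor's product, the following Python models the six-step flow above: a policy (step 1), a posture collected by either a CTA-based or an agentless scan (steps 2 and 3), the admission decision (step 4), a remediation rescan (step 5) and an audit record (step 6). The check names, the exception rule for non-threat platforms, the mapping of an active infection to "deny" and of other failures to "quarantine", and the sample hosts, patch identifiers and DAT numbers are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"            # compliant: full network access
    QUARANTINE = "quarantine"  # non-compliant: restricted segment plus remediation portal
    DENY = "deny"              # active infection found: no access at all
    EXEMPT = "exempt"          # non-threat platform matched an exception rule


@dataclass
class Policy:
    """Step 1: the rules by which a system is judged compliant (assumed check set)."""
    min_dat_version: int                  # minimum anti-virus definition (DAT) version
    required_patches: Set[str]            # patch identifiers that must be installed
    known_threats: Set[str]               # process names the infection check looks for
    firewall_required: bool = True
    exempt_platforms: Set[str] = field(default_factory=lambda: {"printer", "ip-phone"})


@dataclass
class Posture:
    """Steps 2 and 3: what the scanner reported for one endpoint."""
    host: str
    platform: str                         # e.g. "windows-xp" or "printer"
    dat_version: Optional[int]            # None means no anti-virus product was found
    installed_patches: Set[str]
    firewall_enabled: bool
    running_processes: Set[str]
    cta_installed: bool                   # True: host-based scan via CTA; False: agentless


def assess(policy: Policy, posture: Posture) -> List[str]:
    """Run the compliance checks and return the names of the checks that failed."""
    failed: List[str] = []
    for proc in sorted(posture.running_processes & policy.known_threats):
        failed.append(f"threat:{proc}")
    if posture.dat_version is None or posture.dat_version < policy.min_dat_version:
        failed.append("anti-virus:dat-outdated")
    for patch in sorted(policy.required_patches - posture.installed_patches):
        failed.append(f"patch:{patch}")
    if policy.firewall_required and not posture.firewall_enabled:
        failed.append("firewall:disabled")
    return failed


def decide(policy: Policy, posture: Posture) -> Tuple[Decision, List[str]]:
    """Step 4: map the posture to an admission decision (the mapping is an assumption)."""
    if posture.platform in policy.exempt_platforms:   # printers, phones: exception list
        return Decision.EXEMPT, []
    failed = assess(policy, posture)
    if any(name.startswith("threat:") for name in failed):
        return Decision.DENY, failed        # an active worm must not reach the quarantine segment
    if failed:
        return Decision.QUARANTINE, failed  # fixable: send to the remediation portal
    return Decision.ALLOW, failed


def remediate_and_rescan(policy: Policy, posture: Posture, dat_version: Optional[int] = None,
                         patches: Tuple[str, ...] = ()) -> Tuple[Decision, List[str]]:
    """Step 5: apply the portal's updates to the endpoint, then rescan it automatically."""
    if dat_version is not None:
        posture.dat_version = dat_version
    posture.installed_patches |= set(patches)
    return decide(policy, posture)


def audit_record(posture: Posture, decision: Decision, failed: List[str]) -> Dict[str, object]:
    """Step 6: one reporting row (how the host was scanned and which checks failed)."""
    return {"host": posture.host,
            "scan": "host-based (CTA)" if posture.cta_installed else "agentless (GAME)",
            "decision": decision.value,
            "failed_checks": list(failed)}
```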

Enforcing Policies Opens Doors

Today’s business climate is dynamic. Organizations must provide anywhere, anytime access to critical applications, but they must also deliver exacting security and business continuity. That’s not only good business practice—it is more and more a matter of law. You can depend on the security expertise of McAfee and the network expertise of Cisco for an effective network access control solution. With McAfee, you get effective policy management, deep granular assessment, and powerful remediation and reporting. Cisco adds comprehensive admission control across all access methods and all endpoints that prevents non-compliant and rogue endpoints from impacting your network availability. You can implement network access control today by leveraging your existing endpoint security and network infrastructure investments. Powered by the world’s largest dedicated network and security companies, your operation will run more efficiently and you will enhance business continuity with comprehensive protection.

Learn More

For more information on network access control, visit:

About McAfee

http://www.mcafee.com/us/enterprise/products/network_access_control/policy_enforcer.html

About Cisco

http://www.cisco.com/go/nac

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is

distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006 McAfee, Inc. All rights reserved.

6-sps-mpe-001-0506
