Symantec network access control
Posted 16 March 2011, 12:39
Hi!

Many already know what NAC (Network Access Control) technology is, and some have probably come across it in practice. Rather than copy-paste a description of the technology here, I give a few links to articles describing the principles of NAC:
The Russian experience of applying NAC,
NAC: security enforcement.

Next I will discuss one of the options for implementing NAC technology, namely Symantec's implementation of it.



To be fair, Symantec acquired the company Sygate, which developed the product that is now called Symantec Network Access Control (SNAC).
In my opinion, SNAC is one of the best options for implementing network access control today. Before anyone throws tomatoes, I will say that I have also set up test stands with comparable solutions from Cisco (Cisco NAC) and Microsoft (NAP).

The first advantage that showed up when deploying SNAC is that it is integrated into the Symantec Endpoint Protection Manager console.

From the description of NAC technology (not tied to a specific implementation), we know that NAC consists of 3 parts:
1. The device requesting access
2. The policy enforcement environment
3. The decision point.

Let us consider each of these parts in Symantec's NAC implementation, starting from the end.
The decision point. In Symantec's implementation the decision point is the Symantec Endpoint Protection Manager. In its console you define the policies that network devices must meet, as well as the actions to be taken for network devices. Symantec Endpoint Protection Manager can also query external RADIUS servers, for example to check user authentication or the authentication of network devices.

Policy enforcement environment. In the Symantec NAC implementation there are 4 variants of the enforcement environment:
1. Self-Enforcement ("self-protection"): the policy is enforced on the device requesting access itself, for example on a user's laptop. This option can be implemented if the SEP client and the SNAC agent are installed on the client, since the policy is enforced by SEP components such as the firewall and IPS. Self-Enforcement is the simplest and most marketable variant of introducing Symantec NAC into a network.

2. DHCP-Enforcement: the policy is enforced at the network level at the moment the device obtains an IP address. Depending on the device requesting access to the network, it can be issued an IP address from a different subnet. A relatively simple option to implement in the network, but it requires some changes to the DHCP scheme.

3. Gateway-Enforcement: can be called control at the gateway. That is, the policy is enforced at the network level as traffic passes through the Gateway Enforcer. This is a suitable option for controlling the access of devices from a single small network segment, such as a guest WiFi or a VPN gateway, because all traffic passes through and is processed by the Gateway Enforcer, which can become a bottleneck in the network. Also, the Gateway Enforcer does not control traffic that does not pass through it, for example when devices communicate with each other inside the segment, such as a guest WiFi. Accordingly, it is more appropriate to use this option on the border between network segments. When introducing it, you should have a clear picture of the network traffic flows and of the capabilities of the Gateway Enforcer; sometimes this requires revising and updating the existing network layout.

4. LAN-Enforcement: the policy is enforced on network devices that support the 802.1x protocol, such as switches, routers and WiFi access points. The decision point determines what actions need to be taken for the given network device and instructs the network equipment, for example to move the device into a dedicated VLAN, to place the device into the working VLAN, or to apply a certain access control list to the port the device is connected to. This option is the most difficult to implement and the most demanding with respect to the network structure and the network equipment the network is built from, but it is also the most functional one.
When implementing Symantec NAC you can combine the various enforcement environments and the policies applied in different ways, as was done on the stand this article describes.
The device requesting network access. Any device that has a MAC address can act as a device requesting network access. Such devices can be divided into managed and unmanaged. A managed device is one on which the SNAC agent is installed or can be installed and which can provide the decision point with the information it requests. An unmanaged device is one on which the SNAC agent cannot be installed (for example, printers).

As written above, Symantec has 4 variants of policy enforcement. The Self-Enforcement variant is implemented purely in software; the other 3 are implemented with software and hardware (an appliance), which in Symantec's terminology is called an Enforcer.

Let's talk in more detail about Self-Enforcement. This variant of NAC applies the policies to a network device on the device itself. That is, we have a computer with SEP 11 and the SNAC agent installed, a policy for access to the network, and quarantine policies, for example a quarantine firewall policy that denies access to the network. The quarantine policy can include rules not only for the firewall but also for the antivirus update servers and IPS.

The key point of Self-Enforcement is that its implementation requires no additional hardware in the form of a SNAC Appliance; the network architecture does not matter, nor does the equipment the network is built from. This variant of SNAC can easily be deployed in virtually any network.

The most interesting and most functional SNAC option is the LAN-Enforcement variant. This variant of SNAC interacts with the network equipment, which lets us implement very complex yet flexible policies and actions applied to the network devices requesting access.

Let me elaborate on the principle of LAN-Enforcement. We have a device requesting access to the network; let it be the laptop of a company employee with the SNAC agent installed on it. There is a network switch that "understands" the 802.1x authentication protocol, for example a Cisco Catalyst switch. There is a LAN Enforcer, and there is the Symantec Endpoint Protection Manager.

On the switch ports to which users can connect, 802.1x authentication is enabled. As soon as the computer connects to the network, the switch informs the LAN Enforcer about the new device. The LAN Enforcer, based on the data received from the agent installed on the laptop and on the policies defined in Symantec Endpoint Protection Manager, decides what to do with the connecting laptop and sends control commands to the switch. The switch in turn executes these commands and either puts the laptop into the specified VLAN or simply shuts the port, depending on the policies.

It should be added that the LAN Enforcer acts as the RADIUS server for the network devices to which users connect.
In the LAN-Enforcement variant there are two operating modes: Transparent mode and Full mode. The difference between them is that in Transparent mode we can only authenticate the computer with the installed agent and check it for compliance with the defined policies, but we cannot check the user who is authenticated on the computer. In this case we do not need any external RADIUS. In Full mode, in addition to authenticating the computer and checking its policy compliance, we can also check the user who is authenticated on the computer. However, for user authentication we need an external RADIUS server.
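As an added illustration (not Symantec's code and not part of the original post), here is a small Python model of the decision the LAN Enforcer returns to the 802.1x switch in the two modes just described. The posture fields, compliance rule, VLAN numbers and the user list are constructed assumptions; the three RADIUS attributes used to push a VLAN to the switch are the standard ones from RFC 3580.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed VLAN numbers for the illustration (not from the post).
QUARANTINE_VLAN = "90"    # remediation VLAN for non-compliant laptops
PRODUCTION_VLAN = "10"    # working VLAN for compliant laptops

@dataclass
class Posture:
    """What the SNAC agent on the laptop reports to the LAN Enforcer (fields are assumptions)."""
    agent_installed: bool
    sep_firewall_on: bool
    av_definitions_age_days: int
    user: Optional[str] = None      # user logged on to the computer; only used in Full mode

def policy_ok(p: Posture, max_def_age: int = 7) -> bool:
    """Compliance rule as it would be defined in the SEP Manager console (constructed rule)."""
    return p.agent_installed and p.sep_firewall_on and p.av_definitions_age_days <= max_def_age

def vlan_attrs(vlan_id: str) -> Dict[str, str]:
    """RADIUS attributes an 802.1x switch understands for dynamic VLAN assignment (RFC 3580)."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan_id}

def lan_enforcer_decide(p: Posture, mode: str,
                        external_radius: Optional[Dict[str, bool]] = None) -> Dict[str, str]:
    """Return the RADIUS reply the LAN Enforcer sends to the switch.

    mode="transparent": only the computer (agent + posture) is checked; no external RADIUS needed.
    mode="full": the logged-on user must additionally be accepted by an external RADIUS server,
                 modelled here as a dict of user -> accepted.
    """
    if mode not in ("transparent", "full"):
        raise ValueError("mode must be 'transparent' or 'full'")
    if mode == "full":
        if external_radius is None:
            raise ValueError("Full mode requires an external RADIUS server")
        if not p.user or not external_radius.get(p.user, False):
            return {"code": "Access-Reject"}          # unknown user: switch keeps the port closed
    if not p.agent_installed:
        return {"code": "Access-Reject"}              # no agent, no posture data: port stays closed
    vlan = PRODUCTION_VLAN if policy_ok(p) else QUARANTINE_VLAN
    return {"code": "Access-Accept", **vlan_attrs(vlan)}
```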

SNAC also allows guest access to be implemented. By guest access we mean providing network access to computers that are not managed by our Symantec Endpoint Protection Manager. Therefore we cannot check the state of these machines, the installed and running software, etc.; that is, we cannot verify these computers for compliance with the network policies that apply in our organization.

Symantec proposes to check a guest computer using a downloadable Java or ActiveX component, which, after being loaded onto the computer, can perform the check and provide Symantec Endpoint Protection Manager with the data it needs to decide on network access. Unfortunately, this functionality is implemented only on the Gateway Enforcer, so to implement guest access the client must connect to the network through a Gateway Enforcer. If a user without the SNAC agent installed tries to gain access to internal network resources, the free SNAC agent is offered to them, after which the computer is checked and a decision is made on granting the computer network access.

This post is a short squeeze of a large document that was written after testing the SNAC technology on the stand. The whole document can be downloaded at this link.
Views: 754 | Added by: w1zard | Rating: 0.0/0