NAC Grows Up

StillSecure's Safe Access 5.0 just outpaces Symantec's and Sophos' security solutions

By CRN Test Center

12:00 AM EDT Mon. Jul. 21, 2008
From the July 21, 2008 issue of CRN Tech
Page 3 of 5
Symantec End Point Protection Client And Network Access Control
Today, Symantec's NAC solution automatically remediates machines that are placed into quarantine. This solution eliminates the need for users to connect to special sites. Symantec offers a layered architecture, where users seeking access are routed through a single gateway enforcer server, a policy manager with a central management console and an end-point client.

Symantec's NAC also works with third-party software patch solutions like Altiris and Microsoft Systems Management Server to automate patch management. Contractors, consultants and even employees that are connecting with other users' machines can take advantage of this flexibility. The users don't need to have persistent access point clients on machines that they're using temporarily.

Now at version 11.0, Symantec's End Point Protection Client and Network Access Control management tools arrive with multiple enforcement options: 802.1x, DHCP enforcement, LAN enforcement and host-based self-enforcement. But NAC is more about checking the integrity of end points than it is about figuring out the authentication process through Active Directory, LDAP and 802.1x RADIUS. The self-enforcement option, for instance, is the easiest method to deploy for companies looking to introduce NAC.

Host-based self-enforcement uses personal firewalls installed on end-user machines. In a self-enforcement scenario, devices check their own statuses. If agents don't find them compliant, they will automatically switch the machines into a quarantine state. The process is driven by policies.

Administrators can create quarantine policies for firewalls, antivirus, desktop IDS/IPS and particular device controls. Symantec's NAC tools go beyond network devices, too. The policies work on just about any device that is accessible through IP and SNMP.

The enforcer will detect clients that are trying to connect and will challenge them to see if they have agents installed. Clients without agents are processed through a scanner. Noncompliant clients end up in a quarantine zone or blocked altogether. Symantec's NAC offering also has a peer-to-peer enforcement option. With this option, only employees from the same group can connect into a LAN.

Scanning without agents has one advantage: It doesn't require loading agents. However, it's extremely limited. There's also a delay for users that are trying to come in through a gateway, VPN or other external access points.

Dissolvable agents, which can perform the same functions as the permanent agents, tend to be the most popular way to interact with clients. Even the authentication process runs the same way, but as clients pass through the authentication process the agents delete themselves.

Overall, Symantec's NAC solution is simple to deploy and manage. The management interface is intuitive enough that even junior administrators can create sophisticated policies with little assistance. The Test Center found the products quite comprehensive in their coverage.

Next: Sophos NAC Advanced
