Hello!
Many people know what NAC technology is, and some have probably encountered it. Rather than copy-pasting a description of the technology here, I will give a few links to articles describing how NAC works:
Russian experience with NAC,
NAC: security by force.
Below I will discuss one of the options for implementing NAC technology, namely Symantec's implementation of it.
To be completely accurate, Symantec acquired Sygate, the company that developed the product now called Symantec Network Access Control (SNAC).
In my opinion, SNAC is one of the best network access control implementations available today. So that I am not pelted with tomatoes, I will add that I have deployed test stands with comparable solutions from Cisco (Cisco NAC) and Microsoft (NAP).
The first plus when deploying SNAC is that it integrates into the Symantec Endpoint Protection Manager management console.
From the description of NAC technology (independent of any specific implementation), we know that NAC consists of 3 parts:
1. Device requesting network access
2. Policy enforcement environments
3. Decision point.
Let's consider each of these parts in the Symantec NAC implementation, starting from the end.
The decision point. In the Symantec implementation, the decision point is the Symantec Endpoint Protection Manager. Its console defines the policies that network devices must satisfy, as well as the actions to be taken on those devices. Symantec Endpoint Protection Manager can also query third-party RADIUS servers, for example to verify user authentication or network device authentication.
Policy enforcement environments. There are 4 policy enforcement environments in the Symantec NAC implementation:
1. Self-Enforcement ("self-protection"): the policy is applied on the device requesting access itself, for example on a user's laptop. This option can be implemented if the client has SEP and an SNAC agent installed, since the policy is enforced by SEP components such as the firewall and IPS. Self-Enforcement is the easiest and fastest way to implement Symantec NAC in an organization's network.
2. DHCP-Enforcement: the policy is applied at the network level when the device receives an IP address. Depending on the status of the device requesting network access, it may be given an IP address from a different subnet. A relatively simple option to deploy on the network, but it requires some changes to the DHCP scheme.
3. Gateway-Enforcement: can be called control at the gateway. That is, the policy is applied at the network level as traffic passes through the Gateway-Enforcer. This option is appropriate for controlling access by devices in a separate small network segment, such as a guest WiFi network or a VPN gateway, because all traffic passes through and is processed by the Gateway-Enforcer, which can become a bottleneck in the network. Also, the Gateway-Enforcer does not control traffic that does not pass through it, for example communication between devices within a segment such as the guest WiFi. Therefore, this option is more appropriate at the border between network segments. When deploying it, you need to understand clearly how the network operates, what the traffic flows are, and what the Gateway-Enforcer itself can handle; sometimes the existing network layout has to be revised and upgraded.
4. LAN-Enforcement: the policy is applied at the level of network devices that support the 802.1x protocol, such as switches, routers and WiFi access points. The decision point determines what actions to take with the connecting device and issues the command to the network equipment, for example to move the device to a special VLAN, to place it in the working VLAN, or to apply a specific access control list to the port the device is connected to. This option is the most difficult to implement and the most demanding of both the network structure and the network equipment the network is built on, but it offers the greatest functionality.
When implementing Symantec NAC, the policy enforcement environments can be combined and supplemented in various ways, as was done on the test stand described in this article.
The device requesting network access. Any device with a MAC address can be a device requesting network access. Such devices can be divided into managed and unmanaged. Managed devices are those on which an SNAC agent is installed or can be installed, and which can provide the information requested by the decision point. Unmanaged devices are those on which the SNAC agent cannot be installed (for example, printers).
As written above, Symantec has 4 options for applying policies. The Self-Enforcement option is implemented purely in software; the remaining 3 options are implemented with hardware/software appliances, called Enforcers in Symantec terminology.
Let's talk in more detail about Self-Enforcement. This implementation of NAC technology applies the policies for a network device on the device itself. That is, we have a computer with SEP 11 and an SNAC agent installed, there are network access policies, and there are quarantine policies, such as a quarantine firewall policy that prohibits access to the network. A quarantine policy can include rules not only for the firewall but also for update servers, the antivirus and IPS.
The key point of Self-Enforcement is that it requires no additional equipment in the form of an SNAC appliance; the network architecture does not matter, nor does the equipment the network is built on. This SNAC option can be deployed easily on almost any network.
The most interesting and most functional version of SNAC is the LAN-Enforcement option. This version of SNAC interacts with the network equipment, which allows very complex yet flexible policies and actions to be applied to the network devices requesting access.
Let's look in more detail at how LAN-Enforcement works. We have a device requesting network access; let it be a company employee's laptop with the SNAC agent installed. There is a network switch that "understands" the 802.1x authentication protocol, for example a Cisco Catalyst switch. There is a LAN-Enforcer, and there is a Symantec Endpoint Protection Manager.
On the switch, the ports to which users can connect are configured for 802.1x authentication. As soon as the computer connects to the network, the switch informs the LAN-Enforcer that a new device has appeared. Based on the data received from the agent installed on the laptop and on the policies set in the Symantec Endpoint Protection Manager, the LAN-Enforcer decides what to do with the connected laptop and passes control commands to the switch. The switch in turn executes these commands and either puts the laptop into the specified VLAN or simply shuts down the port, depending on the policy.
It should be added that the LAN-Enforcer acts as the RADIUS server for the network devices to which users connect.
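The exchange just described, as an added example that is not part of the original post and not Symantec's code: the decision point maps a device's reported posture to a verdict, and the LAN-Enforcer, acting as the RADIUS server, turns that verdict into the reply a switch understands. The VLAN is carried in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868 / RFC 3580), and the reply is sealed with the Response Authenticator of RFC 2865, which is what lets the switch tell a genuine Access-Accept from a forged one. The posture checks, VLAN names and shared secret are constructed for the example.

```python
# Added example (not Symantec's code): a LAN-Enforcer acting as a RADIUS server
# tells an 802.1X switch which VLAN to put a port in, based on the decision
# point's verdict. Packet layout follows RFC 2865; the VLAN attributes follow
# RFC 2868 / RFC 3580.
import hashlib
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Tunnel attributes used for dynamic VLAN assignment (RFC 2868 / RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
TAG = 1  # tunnel attributes carry a 1-byte tag so a set of them can be grouped

# Assumed VLAN names; real values come from the SEPM policy and switch config.
WORKING_VLAN, QUARANTINE_VLAN = "users", "quarantine"


def decide(posture: dict) -> str:
    """Decision point: map a reported posture to 'allow', 'quarantine' or 'reject'.

    The checks are a toy stand-in for the compliance policy in the SEPM console.
    """
    if not posture.get("agent_present"):
        return "reject"            # unmanaged device on an 802.1X port
    if posture.get("av_running") and posture.get("definitions_fresh"):
        return "allow"
    return "quarantine"            # managed but non-compliant: remediation VLAN


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_attributes(vlan: str) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<vlan>."""
    return (
        _attr(TUNNEL_TYPE, bytes([TAG]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _attr(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + vlan.encode())
    )


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Assemble a RADIUS reply with the Response Authenticator of RFC 2865 section 3."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def enforcer_reply(posture: dict, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """What the LAN-Enforcer sends the switch in answer to one Access-Request."""
    verdict = decide(posture)
    if verdict == "reject":
        return build_response(ACCESS_REJECT, ident, request_auth, b"", secret)
    vlan = WORKING_VLAN if verdict == "allow" else QUARANTINE_VLAN
    return build_response(ACCESS_ACCEPT, ident, request_auth, vlan_attributes(vlan), secret)


def parse_reply(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Switch side: verify the authenticator and pull the VLAN out of the reply.

    Raises ValueError if the reply was not produced with the shared secret; this
    is the check that keeps a host on the port from forging an Access-Accept.
    """
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length mismatch")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Response Authenticator")
    result = {"code": code, "id": ident, "vlan": None}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag (RFC 2868); otherwise it is part of the name.
            result["vlan"] = value[1:].decode() if value and value[0] <= 0x1F else value.decode()
        pos += alen
    return result


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)          # would be copied from the switch's Access-Request
    for posture in ({"agent_present": True, "av_running": True, "definitions_fresh": True},
                    {"agent_present": True, "av_running": True, "definitions_fresh": False},
                    {"agent_present": False}):
        print(parse_reply(enforcer_reply(posture, 7, req_auth, secret), req_auth, secret))
```

The three postures in the usage block walk through the three outcomes the post describes: a compliant managed laptop lands in the working VLAN, a non-compliant one in the quarantine VLAN, and a device without an agent gets an Access-Reject, which on a port configured for 802.1x means the switch keeps it off the network.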
The LAN-Enforcement version has two modes of operation: Transparent mode and Full mode. The difference is that in Transparent mode we can only authenticate the computer with the installed agent and check it for compliance with the specified policies, but cannot validate the user who has authenticated on that computer; on the other hand, no external RADIUS server is needed. In Full mode, in addition to computer authentication and the policy compliance check, we can also verify the user who has authenticated on the computer, but to authenticate users we need an external RADIUS server.
The SNAC implementation also provides guest access. By guest access we mean providing network access to computers that are not managed by our Symantec Endpoint Protection Manager. Consequently, we cannot check the status of these computers, the software installed and running on them, and so on; that is, we cannot check them for compliance with the network policies applied in our organization.
To check guest computers, Symantec offers a downloadable Java or ActiveX component which, once downloaded to the computer, can examine it and give the Symantec Endpoint Protection Manager the information it needs to make a decision about network access. Unfortunately, this functionality is implemented only on the Gateway-Enforcer, so to implement guest access the client must connect to the network through the Gateway-Enforcer. If a user without the SNAC agent installed tries to access internal network resources, they will be offered to download the SNAC agent, after which the computer will be checked and a decision made whether to grant it network access.
This post is a kind of extract from a larger document that was written after testing SNAC technology on the test stand. The entire document can be downloaded from
this link.