The switch policies also let us limit traffic both to and from the device attached to each port, and the TAM could optionally force a vulnerability assessment scan of the device using Nessus.
Using either VLAN assignment or port policies, Sentinel can limit each client system's access based on both the identity of the user and the posture of the system. Using the network IDS to detect changes in traffic to or from a client, Sentinel can even trigger changes to the network configuration in response, a useful capability for larger organizations defending against zero-day attacks.
The port-level policies also let us configure each port to permit only the traffic that made sense for that user and device. For example, telephones could talk only to the call manager, and guests could reach the Internet only on certain ports. We could also lock down the network using predefined policies based on user identity, ensuring that only appropriate traffic could be sent or received.
On the downside, policy configuration for Sentinel was quite complex, especially since it crossed the boundaries of multiple products. But once the base policies were defined in the system, creating new ones was typically a matter of duplicating an existing policy and modifying the protocols, networks, and other traffic limits specific to it. In this case, the extra effort can pay off: per-port policies are powerful, providing an extra level of protection that is attractive in these days of nasty network surprises.
McAfee Policy Enforcer 2.0
MPE provides an effective visual summary of current compliance status by system, subnet, and switch. It gives an administrator a color-coded picture of the current state of the environment while still allowing drill-down into the details, an intuitive view into the compliance status of the network.
Based on host posture, the system uses VLAN assignment to move hosts onto appropriate VLANs for remediation or quarantine. MPE is unique in this roundup in that it does not depend on McAfee hardware or agents: it can gather posture information through a wide variety of agents, including all the leading anti-virus clients, and it handles agentless systems through guest access policies.
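Both products described above make the same kind of decision: combine who the user is with what the host's posture looks like, then assign a VLAN and, in Sentinel's case, a per-port traffic policy, and re-evaluate when the IDS flags the host. The following toy policy engine is an added illustration of that decision logic, not code from Sentinel, McAfee Policy Enforcer, or InfoWorld. The role names, VLAN numbers, addresses (call manager, internal range, remediation subnet), and the `decide`, `permitted`, and `PortSession` names are all hypothetical. Two design points it makes concrete: every ACL ends in an implicit deny, and any (identity, posture) combination without an explicit policy fails closed into quarantine.

```python
"""Toy NAC policy decision engine: identity + posture -> VLAN and per-port ACL.

Added illustration, not Sentinel or MPE code. Roles, VLANs and addresses are
hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Posture(Enum):
    COMPLIANT = "compliant"        # agent or scan reports the host healthy
    NONCOMPLIANT = "noncompliant"  # failed a posture check, or flagged by the IDS
    UNKNOWN = "unknown"            # agentless host (guest, phone) or not yet assessed


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst_net: str          # destination CIDR; "0.0.0.0/0" matches anywhere
    dst_ports: frozenset  # destination ports the rule applies to; empty means any


@dataclass(frozen=True)
class PortPolicy:
    vlan: int
    acl: tuple            # ordered Rules, first match wins; no match means drop


# Hypothetical network layout for the example.
CALL_MANAGER = "10.0.5.10/32"
INTERNAL = "10.0.0.0/8"
REMEDIATION = "10.99.0.0/24"
ANY = "0.0.0.0/0"

# Quarantine VLAN: only the patch/AV update server and DNS are reachable.
QUARANTINE = PortPolicy(vlan=999, acl=(
    Rule("permit", "tcp", REMEDIATION, frozenset({80, 443})),
    Rule("permit", "udp", REMEDIATION, frozenset({53})),
))

POLICIES = {
    # Phones have no agent (posture UNKNOWN) and may talk only to the call manager.
    ("phone", Posture.UNKNOWN): PortPolicy(vlan=50, acl=(
        Rule("permit", "udp", CALL_MANAGER, frozenset({5060})),   # SIP
        Rule("permit", "tcp", CALL_MANAGER, frozenset({2000})),   # SCCP
    )),
    # Guests reach the Internet on web and DNS ports only, never the internal nets.
    ("guest", Posture.UNKNOWN): PortPolicy(vlan=200, acl=(
        Rule("deny", "any", INTERNAL, frozenset()),
        Rule("permit", "tcp", ANY, frozenset({80, 443})),
        Rule("permit", "udp", ANY, frozenset({53})),
    )),
    # Employees with a clean posture get the production VLAN.
    ("employee", Posture.COMPLIANT): PortPolicy(vlan=10, acl=(
        Rule("permit", "any", INTERNAL, frozenset()),
        Rule("permit", "tcp", ANY, frozenset({80, 443})),
    )),
}


def decide(role: str, posture: Posture) -> PortPolicy:
    """Map (user identity, host posture) to a port policy. Fails closed: a
    non-compliant host, or a combination with no explicit policy (e.g. an
    employee whose agent never reported), lands in quarantine."""
    if posture is Posture.NONCOMPLIANT:
        return QUARANTINE
    return POLICIES.get((role, posture), QUARANTINE)


def permitted(policy: PortPolicy, proto: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate one outbound flow against the port ACL; first match wins."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy.acl:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if ip not in ipaddress.ip_network(rule.dst_net):
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        return rule.action == "permit"
    return False  # implicit deny at the end of every ACL


@dataclass
class PortSession:
    """State of one switch port: who is on it, their posture, the active policy."""
    port: str
    role: str
    posture: Posture

    def __post_init__(self):
        self.policy = decide(self.role, self.posture)

    def on_ids_alert(self, signature: str) -> PortPolicy:
        """IDS-triggered reconfiguration: mark the host non-compliant and
        re-derive the port policy, which moves it to the quarantine VLAN."""
        self.posture = Posture.NONCOMPLIANT
        self.policy = decide(self.role, self.posture)
        return self.policy


if __name__ == "__main__":
    s = PortSession("Gi1/0/7", "employee", Posture.COMPLIANT)
    print(s.policy.vlan, permitted(s.policy, "tcp", "10.0.0.5", 22))
    s.on_ids_alert("outbound port scan")
    print(s.policy.vlan, permitted(s.policy, "tcp", "10.0.0.5", 22))
```

The `PortSession.on_ids_alert` path is the piece the review credits to Sentinel: the policy is not computed once at login but re-derived whenever the IDS reports a change in the host's traffic, so a compromised employee workstation drops from VLAN 10 to the quarantine VLAN without an administrator touching the switch. In a real deployment the output of `decide` would be pushed to the switch as a RADIUS VLAN attribute or a dynamic port ACL; that transport is outside this example.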
Steve Hultquist is a contributing editor of the InfoWorld Test Center.