For this test, the LAN Enforcer was set up as a device on the network, while we directed traffic between an edge switch and the core via the Gateway Enforcer. The Gateway Enforcer is the primary method for controlling guest access in the Symantec Network Access Control system.
Firewall policies are the specific connections that are allowed or disallowed based on host posture or packet inspection. For example, you could create a policy specifying that only port-80 traffic is allowed from desktops to your intranet Web server, with an exception for specific developer workstations.
Host integrity policies protect the host system from attack by making sure the required security applications are up-to-date and running properly; OS protection policies define the applications allowed to run on the system.
Administrators create new policies using a wizard-based interface in the Policy Management Console, by copying another policy and editing it, or by filling in a blank policy template from scratch. The policy list allows for the editing of the major policy fields through pull-downs on the screen -- a nice touch for quickly viewing options and making changes while being certain that you are choosing viable options.
Rules are defined separately from the policies and, thus, made available to the policy editor. So, for example, an “Allow VPN” rule can be applied or disabled for any of the policies independently but is easily visible when editing the policies. Rules are created, edited, and deleted from within the policy editor.
Once policies are created in the policy library, you assign them to locations where they will be applied. Within each location, the system administers policies based on user authentication status, host integrity status, and applications running on the host.
Policy enforcement depends on the type of Enforcer in use. When configuring switches for the LAN Enforcer, the switch profiles include the VLANs and the VLAN assignment, which is based on the authentication status of both the host and the user as well as whether or not the system profile passed. Any combination of pass/fail for these states can trigger a VLAN assignment.
Because the Gateway Enforcer manages traffic through inline filtering, and can make decisions based on active traffic, it provides more control than VLAN assignment. For example, the Gateway can detect changes in traffic patterns that could indicate a zero-day infection and isolate the traffic to keep it from spreading.
SNAC conquered all the scenarios we expected it to handle, but like McAfee Policy Enforcer, it does not support policy variation by authentication parameters such as user name or user group. It is not possible to assign policies based on those characteristics. It is, however, possible to assign policies based on whether or not the client passed authentication.
Steve Hultquist is a contributing editor of the InfoWorld Test Center.