NAC smorgasbord: Four ways to police the network
Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control
The system is also limited to determining the host posture, so, unlike gateways and switch-based solutions, it cannot enforce policy based on traffic appearing from a system that already has access. This limits its ability to address a zero-day attack, although McAfee offers additional products to do so.
McAfee Policy Enforcer stands out with its friendly, visual interface for managing host posture for network access. Using standards-based VLAN assignment, it provides fine-grained rules definition, which allows administrators specific visibility into and control of hosts. The ability to collect host posture information from other vendors’ anti-virus clients is a big plus.
Symantec Network Access Control
The Symantec Network Access Control (SNAC) system is a family of products -- including Symantec Network Access Control 5.1 MR2, Symantec Sygate Enterprise Protection 5.1 MR2, and the Symantec Network Access Control 6100 Enforcer Appliance -- that address multiple aspects of network access control. The system uses gateway and DHCP-based enforcement appliances controlled by a common policy management system. (We did not
Deployments will include the Symantec Policy Management Console and one or both of the Symantec LAN Enforcer and Gateway Enforcer, plus optionally the Sygate Protection Agent for Windows clients. The LAN Enforcer uses agent posture to determine access rights, with VLAN assignment on the infrastructure switches as the enforcement method. The Gateway Enforcer implements policy as traffic flows through it.
For this test, the LAN Enforcer was set up as a device on the network, while we directed traffic between an edge switch and the core via the Gateway Enforcer. The Gateway Enforcer is the primary method for controlling guest access in the Symantec Network Access Control system.
Firewall policies are the specific connections that are allowed or disallowed based on host posture or packet inspection. For example, you could create a policy specifying that, except for specific developer workstations, only port-80 traffic is allowed from desktops to your intranet Web server.
Host integrity policies protect the host system from attack by making sure the required security applications are up-to-date and running properly; OS protection policies define the applications allowed to run on the system.
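As an added illustration of the two policy types just described (example code, not Symantec's configuration format or software), the following Python model gates hosts on a host integrity check first and then applies a first-match firewall rule table implementing the port-80 example above. All addresses, VLAN ids, and the signature-age threshold are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed networks and VLAN ids; not taken from the article.
DESKTOPS = ip_network("10.0.0.0/16")
DEV_WORKSTATIONS = ip_network("10.0.20.0/24")   # subset of DESKTOPS
INTRANET_WEB = ip_network("10.1.5.10/32")
ANY = ip_network("0.0.0.0/0")
PRODUCTION_VLAN, QUARANTINE_VLAN = 100, 999

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

# Ordered, first-match table. The developer exemption must sit above the
# general desktop rules; if it came after "web-other" it would never fire.
RULES = [
    Rule("dev-exempt", DEV_WORKSTATIONS, ANY, None, "allow"),
    Rule("web-http", DESKTOPS, INTRANET_WEB, 80, "allow"),
    Rule("web-other", DESKTOPS, INTRANET_WEB, None, "deny"),
]

@dataclass(frozen=True)
class Posture:
    av_running: bool
    av_signature_age_days: int

def assign_vlan(p: Posture, max_sig_age_days: int = 7) -> int:
    """Host integrity check: a stopped or stale AV client lands the host in quarantine."""
    if not p.av_running or p.av_signature_age_days > max_sig_age_days:
        return QUARANTINE_VLAN
    return PRODUCTION_VLAN

def firewall_decision(src: str, dst: str, dport: int) -> str:
    """Firewall policy: first matching rule wins; unmatched traffic is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"

def decide(p: Posture, src: str, dst: str, dport: int) -> str:
    """Posture gates the VLAN first; only compliant hosts reach the firewall policy."""
    if assign_vlan(p) == QUARANTINE_VLAN:
        return "quarantine"
    return firewall_decision(src, dst, dport)
```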