NAC smorgasbord: Four ways to police the network
Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control
The hardware installs like a typical gateway, with one port connected to an edge device and the other connected to the core. All traffic passing through the Network VirusWall Enforcer is checked against the configured policies, and the real-time dashboard shows what the Enforcer has seen and where problems may exist.
Policies are configured through the Web-based interface as well. The system is built around Network Zones: using IP addresses (individually or by subnet), administrators define areas of the network that are controlled in consistent ways. So, for example, conference rooms may have different policies than office areas, and those policies need to be defined only once and then applied to the appropriate Network Zones.
When creating a policy, administrators specify the kind of agent the policy applies to (agentless or persistent agent), the end point installation method, and what to do with non-Windows and unidentifiable operating systems. You also select how frequently to recheck both compliant and noncompliant end points.
Next, you set the Network Zones that will use the policy and specify whether it applies to authenticated or unauthenticated users (the Network VirusWall Enforcer treats the latter as guests). Then you define the enforcement checks: the required anti-virus program and version, system threat scanning, vulnerability scans, and registry key scans. If the vulnerability scan fails, you can set a redirect URL (such as Windows Update) for remediation.
After that, you configure the Network Virus Policy, which determines what to do with end points that are transmitting viruses and the remedy you prefer. Last, you set URL exceptions for remediation servers, so that an end point held for remediation can still reach them. You repeat these steps for each policy defined on the Enforcer.
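The zone-based policy procedure described above, modelled as an added example for this page. It is illustrative code, not the Network VirusWall Enforcer's own configuration format or software; the class and field names, the zone names, subnets, anti-virus product and version numbers, and the remediation URLs are assumptions. It shows how a zone lookup, the authenticated/guest split, the anti-virus and vulnerability checks, the Network Virus Policy, and the remediation URL exceptions combine into one access decision with a recheck interval.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of the Network Zone / policy concepts described above.
# Names, fields and sample values are assumptions for illustration; this is
# not the Network VirusWall Enforcer's own configuration format or API.


@dataclass
class NetworkZone:
    name: str
    subnets: List[str]  # CIDR strings; a single host is written as /32

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(s) for s in self.subnets)


@dataclass
class Policy:
    name: str
    zones: List[str]                 # Network Zone names this policy applies to
    authenticated: bool              # True: authenticated users; False: guests
    required_av: str                 # anti-virus product the end point must run
    min_av_version: Tuple[int, ...]  # minimum acceptable product version
    remediation_url: str             # redirect target for non-compliant end points
    recheck_compliant_s: int
    recheck_noncompliant_s: int


@dataclass
class Endpoint:
    ip: str
    authenticated: bool
    av_product: Optional[str]
    av_version: Optional[str]
    vuln_scan_passed: bool
    transmitting_virus: bool


@dataclass
class Decision:
    action: str                      # "allow", "redirect", "block" or "no_policy"
    reason: str
    redirect_url: Optional[str] = None
    recheck_s: Optional[int] = None


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def zone_for(ip: str, zones: List[NetworkZone]) -> Optional[NetworkZone]:
    # First match wins, so list more specific zones before broader ones.
    for zone in zones:
        if zone.contains(ip):
            return zone
    return None


def evaluate(ep: Endpoint, zones: List[NetworkZone], policies: List[Policy]) -> Decision:
    # The Network Virus Policy is applied first: an end point that is spreading
    # a network virus is isolated regardless of its compliance state.
    if ep.transmitting_virus:
        return Decision("block", "end point is transmitting network virus traffic")
    zone = zone_for(ep.ip, zones)
    if zone is None:
        return Decision("no_policy", f"{ep.ip} is in no configured Network Zone")
    matching = [p for p in policies
                if zone.name in p.zones and p.authenticated == ep.authenticated]
    if not matching:
        who = "authenticated" if ep.authenticated else "guest"
        return Decision("no_policy", f"no {who} policy for zone {zone.name}")
    policy = matching[0]
    problems = []
    if ep.av_product != policy.required_av:
        problems.append(f"anti-virus {ep.av_product!r} is not {policy.required_av!r}")
    elif ep.av_version is None or parse_version(ep.av_version) < policy.min_av_version:
        problems.append(f"anti-virus version {ep.av_version} is below minimum")
    if not ep.vuln_scan_passed:
        problems.append("vulnerability scan failed")
    if problems:
        return Decision("redirect", "; ".join(problems),
                        policy.remediation_url, policy.recheck_noncompliant_s)
    return Decision("allow", f"compliant with {policy.name}", None,
                    policy.recheck_compliant_s)


def destination_permitted(decision: Decision, dest_host: str,
                          remediation_exceptions: List[str]) -> bool:
    # URL exceptions let a redirected end point reach its remediation servers only.
    if decision.action == "allow":
        return True
    if decision.action == "redirect":
        return dest_host in remediation_exceptions
    return False


# Constructed sample configuration (assumed zones, subnets, versions and URLs).
ZONES = [
    NetworkZone("conference", ["10.10.20.0/24"]),
    NetworkZone("offices", ["10.10.0.0/16"]),   # broader, so listed second
]
POLICIES = [
    Policy("employees", ["offices", "conference"], True, "OfficeScan", (8, 0),
           "http://remediate.corp.example/employee", 3600, 300),
    Policy("guests", ["conference"], False, "OfficeScan", (8, 0),
           "http://remediate.corp.example/guest", 1800, 120),
]
REMEDIATION_EXCEPTIONS = ["remediate.corp.example", "windowsupdate.microsoft.com"]

if __name__ == "__main__":
    for ep in [Endpoint("10.10.1.15", True, "OfficeScan", "8.0.1", True, False),
               Endpoint("10.10.20.5", False, None, None, True, False)]:
        print(ep.ip, evaluate(ep, ZONES, POLICIES))
```

Zone order matters in this model because the first matching zone wins; the same ordering question arises with any subnet-based zone definition where a conference-room range sits inside a larger office range.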
The Network VirusWall Enforcer correctly handled all of the scenarios it is designed to take on. Because it integrates with Active Directory and LDAP, it can distinguish authenticated employees from unauthenticated guests in those environments.
The system can scan and intercept only traffic that passes through the gateway. Neighboring systems on the same segment are therefore unprotected from worms and other attacks whose traffic never crosses it. However, because most malicious software is not selective about where it sends traffic, it is likely that the gateway will detect such activity quickly and lock the offending system out of the network.
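An added example, not the Enforcer's own logic or log format, of the reasoning in the last paragraph: flow records as a gateway would see them are checked for a source that contacts many distinct destinations in a short window, which is the footprint an indiscriminate worm leaves when it sweeps a neighbouring subnet. The record layout, thresholds and sample flows are constructed for illustration. The sample also makes the blind spot concrete: a flow to a host on the infected machine's own segment never reaches the gateway and so cannot appear in the records.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Illustrative detection over constructed gateway flow records. Field layout,
# thresholds and sample values are assumptions, not the Enforcer's own logic.

# (timestamp_seconds, source_ip, destination_ip, destination_port)
Flow = Tuple[float, str, str, int]


def max_fanout(flows: List[Flow], window_s: float) -> Dict[str, int]:
    """Largest number of distinct destinations each source reached within any
    window_s-long interval, counting only flows the gateway observed."""
    by_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))
    result: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window_s:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        result[src] = best
    return result


def flag_scanners(flows: List[Flow], window_s: float, threshold: int) -> List[str]:
    """Sources whose fan-out within window_s reaches the threshold."""
    return sorted(src for src, n in max_fanout(flows, window_s).items()
                  if n >= threshold)


# Constructed sample: a worm on 10.10.1.15 sweeping 10.10.30.0/24 on TCP 445
# through the gateway, and a workstation talking to a few servers on TCP 443.
SAMPLE_FLOWS: List[Flow] = []
for i in range(40):
    SAMPLE_FLOWS.append((100.0 + i * 0.2, "10.10.1.15", f"10.10.30.{i + 1}", 445))
for i, dst in enumerate(["10.10.30.10", "10.10.30.11", "10.10.30.10", "10.10.30.12"]):
    SAMPLE_FLOWS.append((101.0 + i, "10.10.1.20", dst, 443))
# Traffic from 10.10.1.15 to a neighbour on its own segment (say 10.10.1.16)
# never crosses the gateway, so no such record exists here: the hosts beside
# the infected machine are exactly the ones this vantage point cannot protect.

if __name__ == "__main__":
    print(max_fanout(SAMPLE_FLOWS, 10.0))
    print(flag_scanners(SAMPLE_FLOWS, 10.0, 20))
```

The threshold and window are deliberately simple; the point is that a sweep across a subnet produces a fan-out no legitimate workstation matches, while a single local infection produces nothing at the gateway at all.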