Cram Session: Network Access Control

Cisco, TCG deliver on basic end point security

Setup can be difficult, but well worth the effort

End-point security assessment can be the killer component that makes NAC a worthwhile investment. Testing end-point security assessment required the most lab time and effort, but it also proved to be the NAC realm least fraught with problems.

Of our three standard use scenarios (employee, guest and agentless device), we concentrated on employee end-point security first.

In addition to its own Cisco Secure Services Client (CSSC) assessment tool, Cisco brought in five end-point security assessment tools, including products from Trend Micro, McAfee, LANDesk, and BigFix. For TCG/TNC, we had tools from PatchLink, Symantec and Juniper.

Simply checking for antivirus and personal firewall status turned out to be too easy for both schemes. First up into our test bed were simple end-point security tools from Trend Micro (on CNAC) and Symantec (on TCG/TNC). We set up a policy for employees that required their machines to have current and active software versions or they would be quarantined accordingly. Clearly, end-point security vendors have done a good job integrating their wares with the NAC client tools (Cisco CSSC/CTA for CNAC and Juniper UAC client for TCG/TNC) on the laptops we were testing.

We went on to verify that McAfee and LANDesk both integrated successfully and handled quarantine and remediation without relevant incident. Although getting those tools installed took a long time (these are enterprise-sized tools, and you don't just slam them in; you have to work through installation, self-training, configuration and linking the different tools together), the actual integration with the Cisco ACS policy engine was fairly simple.

The biggest problem we ran into was getting all of the different scenarios integrated into the Cisco ACS GUI. Because Cisco ACS grew out of a standalone RADIUS server into this NAC policy engine, the pieces of policy definition and different conditions are scattered around the GUI in a very confusing manner. However, to be fair, we were pushing Cisco ACS beyond what a normal enterprise would do: no one is going to run McAfee, LANDesk, and Trend Micro on their desktops, all at the same time.

Buoyed by the success in integrating simpler end-point security tools, we turned to the bigger dogs, represented by patch management and compliance vendors BigFix (CNAC) and PatchLink (TCG/TNC). Both vendors were early in their NAC integration stages, so we needed a bit of intensive technical support and some quick bug fixes to get everything stitched together in the NAC environment. This made the total integration more difficult than with the simpler packages, but when everything was working… well, everything worked.

Our experience with the patch management tools was better, overall, than with the simpler end-point assessment products because these tools had very strong remediation strategies. If you have been looking for an excuse to go to a more comprehensive patch management and compliance tool, NAC is another arrow in the quiver. And if you are already running patch management, you’ll find that the user experience with both TCG/TNC and CNAC is excellent.

For example, these patch management tools are good at putting up dialog boxes telling the user what is going on and why. Rather than simply being told "You are quarantined," the user gets a sense of what is happening and that he will actually emerge from purgatory once the patch management tool has done its job. In some cases, the patch management tools also engaged in self-remediation, such as turning back on virus scanners that had simply been turned off.

We also verified that continuous protection was in place: users who went out of compliance during their sessions were detected, quarantined, and only let back onto the LAN once they had come back into compliance. This worked well in both CNAC and TCG/TNC.
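The employee posture flow described above (policy check, quarantine with an explanation of why, self-remediation and continuous re-evaluation during the session) as a small added example; this is illustrative code written for this page, not Cisco's, Juniper's or any vendor's tool, and the policy thresholds and posture fields are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Constructed employee policy, modelled on the review's rule: current and
# active security software, or the host goes to the quarantine VLAN.
POLICY = {"max_signature_age_days": 7, "require_firewall": True, "min_patch_level": 3}

@dataclass(frozen=True)
class Posture:           # assumed shape of a posture report from the NAC client
    antivirus_running: bool
    signature_date: datetime
    firewall_enabled: bool
    patch_level: int

@dataclass(frozen=True)
class Decision:
    vlan: str            # "employee" or "quarantine"
    reasons: tuple       # shown to the user instead of a bare "You are quarantined"

def evaluate(p: Posture, now: datetime, policy: dict = POLICY) -> Decision:
    """Compare one posture report against policy; every failed check becomes a reason."""
    reasons = []
    if not p.antivirus_running:
        reasons.append("antivirus is not running; it will be restarted")
    if now - p.signature_date > timedelta(days=policy["max_signature_age_days"]):
        reasons.append(f"virus signatures older than {policy['max_signature_age_days']} days; updating")
    if policy["require_firewall"] and not p.firewall_enabled:
        reasons.append("personal firewall is off; it will be enabled")
    if p.patch_level < policy["min_patch_level"]:
        reasons.append(f"patch level {p.patch_level} below required {policy['min_patch_level']}; patching")
    return Decision("employee" if not reasons else "quarantine", tuple(reasons))

def self_remediate(p: Posture, now: datetime) -> Posture:
    """Self-remediation of the kind the review saw: re-enable tools that were
    switched off and refresh signatures. Patching is left to the patch tool."""
    return replace(p, antivirus_running=True, firewall_enabled=True, signature_date=now)

def session(reports, start: datetime, interval_minutes: int = 5):
    """Continuous protection: re-evaluate each periodic report and return the
    VLAN the host sits on over time; a later compliant report lets it back."""
    return [evaluate(r, start + timedelta(minutes=i * interval_minutes)).vlan
            for i, r in enumerate(reports)]

if __name__ == "__main__":
    now = datetime(2007, 5, 1, 9, 0)                      # constructed clock
    ok = Posture(True, now - timedelta(days=1), True, 3)
    av_off = replace(ok, antivirus_running=False)         # scanner turned off mid-session
    print(session([ok, av_off, self_remediate(av_off, now)], now))
```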

Mac woes

Moving off of our Windows XP environment, we had less success.

Our employee-owned Mac laptops were hampered by the same problems we had when trying to authenticate: the lack of a NAC client means there is no way to pass posture information from the client back to the NAC policy server.

The only way to get these systems onto the network with posture checking enabled was to have them act as guest users: don’t run 802.1X, but fail through to a guest virtual LAN (VLAN) and get an IP address. From there, once they were on the guest VLAN, Cisco offered up an easy solution, based on the QualysGuard scanning technology we’d used to gain guest access previously. With CNAC, we were able to define a policy that allowed users onto the network based on the results of the QualysGuard audit launched on them as guest users.

In the TCG/TNC network, Juniper took a different approach to the problem by suggesting we use the built-in posture checking tools of its UAC appliance. Based on the same technology as the Juniper SSL VPN product line, the UAC posture checker is supported on Mac and Linux platforms. In our tests, once the Mac user connected to the captive portal, the UAC appliance pushed down an end-point security checking tool into the browser and it checked the posture and allowed access accordingly. This approach would also work well for employees who have personal or unmanaged Windows machines without a NAC client on them.

Agentless devices such as our printers, Palm TX, Nokia E61 and VoIP phones posed no real challenge, because there was no end-point security to test. We continued to use the tools we had installed during the authentication phases of our testing for agentless status checking, including the QualysGuard scanner, the Beacon appliance, and QRadar, all of which could act as pieces of an end-point security posture checking strategy. We discovered that the QualysGuard scanner was a little too aggressive for our slow wireless PDA devices, causing several crashes on the Nokia E61 smartphone. Beacon worked well when we integrated it with both the Cisco CNAC and TCG/TNC frameworks, helping to detect a Linux laptop that was pretending to be a Cisco VoIP phone.

Lessons learned about end-point security

The promise of adding end-point security, user authentication and access control together to make a solid NAC deployment seems very well fleshed-out in both the CNAC and TCG/TNC frameworks. We found that higher-end patch management systems, such as PatchLink and BigFix, offered users an outstanding experience. If compliance to policy is important, all of the tools we tested were solid performers.

CNAC certainly has enormous marketing muscle behind it, and offered us a wider variety of end-point security posture checking tools than we could find with the TCG/TNC framework. At the same time, Juniper’s UAC appliance gave us some hope for Mac and Linux posture checking.

The problem of guest users and their posture seems to be a hard one. Whether you want to audit guest users or try to push a posture checker into their browsers will depend on your own security policy, and how you want to handle end-point security in employees and guests.

While both CNAC and TCG/TNC have tools to help with this, network managers might want to look at adding other protective technologies, such as an intrusion-prevention system between any guest users and the rest of the network. This would give greater assurance than posture checking alone that those systems are not actually infected or engaged in malicious activity.

What can NAC do for you now? Part 1 of 5

NAC authentication with XP clients is a snap Part 2 of 5

NAC enforcement tools fall short Part 3 of 5

NAC management can be a headache Part 5 of 5

 
