Symantec tops the NAC ticket with its breadth of coverage

No silver bullet put Symantec Network Access Control on the top of the heap. Rather it edged out the competition for its breadth of coverage in the areas of deployment options, end point assessments and flexible policy creation.

Symantec Network Access Control

Cost: $18,009 for 1,000 users

Score: 4.48

Symantec Network Access Control (SNAC) is the product that has evolved from endpoint-security technology the company picked up from its 2005 acquisition of Sygate. In our evaluation, there was no silver bullet that put Symantec on the top of the heap. Rather it edged out the competition for its breadth of coverage in the areas of deployment options, endpoint assessments and flexible policy creation.

SNAC comprises two primary components – Policy Manager and Enforcers. The Policy Manager is the central management server that executes all policy settings. The Enforcers are the distributed devices that perform the endpoint assessments and enforcements. Enforcers can be deployed in three ways: LAN (802.1X), Gateway (in-line) and DHCP integration (delivered as either an appliance or as a Microsoft DHCP plug-in). An appliance can function as any enforcer type, but it cannot function as multiple enforcer types at the same time. For example, it is either deployed as an in-line gateway or used within an 802.1X-enabled LAN, but not both simultaneously. Multiple enforcers can be deployed to provide high availability and redundancy.

For testing, we deployed a Gateway Enforcer 1U appliance sitting between the access and distribution layer of the test be network.

A captive Web portal – dubbed OnDemand by Symantec – supports guest users and is where they pick up a browser-based disposable agent used for both authentication and assessment purposes. Remote access can be supported by either placing a gateway Enforcer in-line behind the remote-access termination point, or Symantec provides API integration with some SSL and IPSec VPN products -- such as Aventail, Check Point, Cisco, Juniper and Nortel -- that provides the ability to assess the endpoint as a condition of the remote-access system granting network access. Both of these scenarios require Symantec’s agent software to be running on the remote machines.

For testing, we also deployed a gateway Enforcer in-line behind the Cisco VPN Concentrator and set up Symantec’s On-Demand component to provide the captive portal, which is a scenario you would use for remote devices that do not have the NAC agent installed.

User authentication can occur through user accounts local to the SNAC Policy Manager or via integration with an Active Directory, Lightweight Directory Access Protocol or RADIUS back end. Likewise, user groups are defined internally to SNAC or are imported along with the user information pulled from the existing repository. For testing, we configured SNAC to tap into our Active Directory user and group information without issue, and for the Windows clients in our test bed, this integration allowed for single sign-on capability and NAC-protected network connections.

Devices that do not need to be assessed, such as printers and UPSes, can be excluded by taking their IP address range out of the assessments.

Endpoint assessment is performed by a persistent (as deployed by standard software-distribution tools) or on-demand agent (run as needed through the captive portal described above). Assessment timing can be set on a per-policy basis, ranging from occurring minutes to days apart.

During these assessments, a little more than the standard information is gathered about the endpoint – user, IP address, MAC address, domain and some computer information, such as what applications are resident there.

Out-of-the-box coverage for antivirus and personal firewall products is strong, supporting the first- and second-tier vendors in each space. They include McAfee, Trend Micro, Panda, ZoneAlarm and ISS). Symantec embeds its own patch-checking software in the product, but you need to configure the Microsoft Knowledge Base number, which provides a good level of granularity. A checkbox for patches or something based on criticality, such as integration with Windows Server Update Service, would be a useful addition to this product.

Custom assessment checks are defined by an if/then tree. For example, you could define the check as if a certain noncompliance is process running. Then you instruct SNAC to get a system time stamp and run a script to kill the process in question. This provides a lot of flexibility, but has a bit of a learning curve to really take advantage of the functionality.

Vulnerability assessment is available through the use of Symantec’s SCAN scanner, which can be a component of the endpoint’s compliance assessment. SNAC does not provide the ability to identify actively infected devices, but this functionality is available when combined with the Symantec Sygate Enterprise Protection (SEP) personal firewall, which is licensed separately. Symantec does not include support for responding to external network intrusion-detection system and intrusion-prevention system events.

We tested to make sure Sophos AV was running and that critical Windows security patches were applied. All checks performed as expected. We also created complex custom check to look at a registry key and running process. Custom check also functioned as expected.

SNAC easily facilitates assigning policy based on a user’s location. Different policies can be applied to a device if it is situated on the corporate network, connected over the corporate remote-access solution or living on the edge on a wireless network at the local coffee shop. While you may be able to achieve similar functionality with some of the other products, such as Vernier, through various complex policy/access configurations, Symantec makes this configuration process very easy.

The desired parameters of the assessment checks are defined within the process of setting up the host (endpoint) integrity policies. These policies can then be applied based on a location as mentioned above, a defined group or a specific user. These options make SNAC adaptable to many environments and provide more flexibility in policy setting than other products tested.

Enforcement actions include blocking network access when the gateway functions, such as a firewall or changing a virtual-LAN assignment when an 802.1X-based Enforcer is in the mix, downloading a necessary file, launching a program and displaying a message pertinent to the failure of the check. All enforcement tests ran as expected with the in-line gateway Enforcer we tested.

The logs generated by SNAC are informative, providing detailed event information on authorization, assessment results, restoration (remediation) and enforcement activities. The challenge is converting the log data in the logs to useful reports. Log data can be queried and exported to syslog or cvs format. A small set of report templates is available, such as those outlining existing policy use and daily-summary statistics, such as health status of environment and memory use. A dashboard showing assessment status and other key metrics would be a great addition. Export options for reports other than HTML would also provide improvement.

Management is performed through a Web-based Java application. The GUI is intuitive and easy to use. However, advanced users may become frustrated with the multiple mouse clicks required to access some resources, such as policy configuration.

Overall, Symantec provides some unique features with SNAC, such as the ability to apply different policies based on location, the ability to build very powerful custom assessment checks and the ability of any Enforcers to function in any of three NAC enforcement scenarios. These features, coupled with its solid performance across the four basic NAC arenas – authorization and authentication, assessment, enforcement and management – helped Symantec edge out the competition in this test.

< Previous story: StillSecure | Next story: Trend Micro >