Technology Blueprint
Enforcing Endpoint Compliance on the Network
Police your managed and unmanaged systems with Network Access Control (NAC)

Security Connected Reference Architecture
The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments across all geographies improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.

The Situation
What happens when employees bring in their own laptops, tablets, and smartphones, or a business unit decides to hire contractors? You have a mix of permanent and temporary employees roaming your halls and networks with unmanaged devices. That's just one of the challenges IT faces in increasing support for remote and mobile endpoints while maintaining compliance with endpoint policies.

Driving Concerns
Less than a decade ago, all computing devices resided inside the corporate perimeter under the direct control of IT services. Since the organization owned and managed all these computing assets, PCs didn't exhibit policy drift over time.
Now, however, several influences combine to mean today's network may be expected to support more unmanaged devices than traditional managed endpoints:
- Mobile laptops outnumber stationary desktops
- Smartphones and tablets are being adopted at a record-setting rate
- Macs are becoming commonplace corporate endpoints
- Desktop and server virtualization is exploding, making it easier to create rogue, unmanaged clients
- Personal PCs are used for remote access to corporate networks, and also in "Bring your own PC" initiatives to cut capital costs
- Many companies rely on contracted and outsourced labor, a workforce with its own set of laptops, smartphones, and tablets

Inevitably, criminals are expanding their threat and malware development programs to this rich assortment of devices. For example, threats such as botnets and worms are becoming more common on mobile platforms. This combination of factors makes measuring and enforcing endpoint policies very difficult, yet these policies are important to protect intellectual property, prevent infection of enterprise assets, and enable adherence to industry and regulatory guidelines.

Requiring adherence to policy before permitting network access isn't a new concept, but traditionally it has required complex, manual, labor-intensive processes that enable fairly binary access to the network: either full access or zero access. For the last few years, IT has used Network Access Control (NAC) to automate these processes. Real-time enforcement by endpoint agents has ensured policy compliance or forced remediation before allowing access. However, this traditionally challenging task has become even more cumbersome because of the disappearing perimeter of the network, the changing nature of the endpoint, and the changing requirements of end users. Infrequently used and disconnected laptops and rogue or stale virtual machines compound the problem.
To reassert control over this endpoint environment, IT must implement a network access architecture that will handle:
- Unmanaged clients. Limit, but allow, access to the internal network by unmanaged clients: a range of personally-owned computing devices such as smartphones, tablets, personal laptops, and personal PCs. Monitor systems after access to prevent post-admission infections and compliance violations (such as deactivation of anti-virus).
- Managed clients. Enforce and document policy compliance of traditional managed endpoints, as well as virtual machines. Monitor managed clients to ensure systems are not infected by malware after they have gained access.
- Privileges. Different devices have different degrees of security, and different users merit different access freedoms. The architecture should enforce different access policies for different devices (smartphones vs. PCs) and user communities (executives vs. contractors). It should enable secure access to appropriate network resources such as the Internet, printers, contractor database, etc.
- Rogue devices. Many companies are unaware of all of the devices attached to their networks. Personal laptops, game consoles, virtual machines, medical devices, Linux or Macintosh machines, unauthorized printers, and rogue wireless access points: all of these devices can exist in the environment and pose a threat. In addition, the ease of creation and portability of unapproved or stale virtual machines is yet another vector of potential risk from unapproved software or outdated security settings.

Solution Description
Today, many companies break these issues up into three implementations, depending upon the business problem. Employee-owned smartphones and tablets demand a purpose-built mobile solution. Employee-owned PCs or home machines require a different approach to network access control than that for managed clients. And finally, many companies are looking to VDI to address the problem in a new and innovative way: creating a managed client to run on unmanaged systems. The ideal solution should make it easy for these specialized implementations to work together for operational efficiency in management, auditing, and compliance reporting. The core requirements are:

Unmanaged clients.
- Automate network access by unknown and personally-owned devices using a network-based NAC sensor.
- The solution should intercept the initial connection attempt and use a temporary agent to detect and assess the security and compliance state of personally-owned PC platforms as they connect to the network.
- To ensure compliant remote access via VPN from an unknown, unmanaged device such as a home PC with corporate VPN software installed, a network-based NAC sensor deployed with the corporate VPN concentrator should intercept, authenticate, assess, and provision appropriate network access based on system health.
- The provisioning process should use the same IT policy checks that are applied to managed machines, thus reducing the manual, labor-intensive moves/adds/changes process.
- The solution should continue to enforce policies post-admission, checking on a scheduled basis to ensure continuous compliance.

Managed clients. Measure and maintain system health of known corporate assets.
- To ensure that a wide range of corporate endpoints such as desktops, laptops, and virtual machines adhere to IT or regulatory policies, an agent on the endpoint should scan the software, validate that required software is in place (such as patches and DAT releases), block or remediate systems with issues, and allow access for approved and compliant devices. This is a traditional scenario sometimes known as health-based NAC.
- To enforce compliance of virtual desktops, the solution should allow the same admission controls with virtual machines as those used with a physical PC, Linux, or Mac platform.
- The solution should continue to enforce policies post-admission, checking patches, configurations, and security software levels on a scheduled basis or at a network change to validate continuous compliance. This function ensures users are healthy when they initially connect and that they stay healthy after they're granted access.
A movie theater analogy helps illustrate this: a teenager purchases a movie ticket and enters the multiplex (pre-admission). After the movie is over, the teen decides to sneak into another theater and watch another movie without paying for it (post-admission). A NAC solution that only performs pre-admission checks could expose an organization to post-admission health changes or violations.

Privileges. The solution will allow different policies to be written and enforced on different types of devices based on device capabilities and users, accommodating different access modes, times of day, and other variables that could affect compliance and risk. Network segmentation and a guest portal will allow unknown users to have highly restricted access to the public Internet and other networked resources as appropriate.

Rogues. A solution must continually scan the network for any unmanaged or unmanageable IP-based device and notify IT staff.

Decision Elements
The best solution for your organization will depend on your specific goals and the range of managed, unmanaged, and unmanageable clients you need to handle. The following internal and external forces may affect your architecture:
- Does your organization need to adhere to company, IT, or regulatory policies, such as appropriate use, PCI, SOX, HIPAA, or FDCC?
- For the above requirements, for which devices would you need to provision, measure, and enforce compliance?
- How frequently are you planning to allow network access from personally owned PCs or laptops? From smartphones or tablet PCs? From virtualized infrastructure?
- Do you have any currently deployed solutions, such as network IDS/IPS, that could assist in the integrated detection and management of unknown or badly-behaving devices (outdated or rogue virtual machine images and hosts) on your network?

Technologies Used in the McAfee Solution
McAfee offers an integrated product suite to address the full spectrum of network access requirements. We combine host-based software on managed endpoints with network appliances that control and monitor unmanaged devices. For smartphones and tablets, we use dedicated mobility management software to allow access and enforce policies specific to smartphones and tablets. A centralized management platform connects these components with the rest of your security and compliance infrastructure.

[Figure: Typical Enterprise NAC deployment. Columns: Agent/Host, Hosted Service, Network, Network/Host. Components shown: McAfee NAC Client Software, McAfee ePolicy Orchestrator, NAC Appliance at Enterprise Headquarters, Branch Office, and Remote Workers and WAN; Guest, Desktop, Laptop, Mail Servers, DB, Firewall, Router, Server.]

The architecture graphic shows a fully configured solution that would handle all of the above requirements. The proper McAfee solution for your needs depends on your existing environment and security goals. At a minimum, you would start with identity- and health-based access to specific subnets or applications, implemented throughout the network using a McAfee NAC appliance or the McAfee Network Security Platform (NSP) with NAC Module.
This control would apply to all clients: managed, unmanaged, and unmanageable (such as printers and cameras).
McAfee NAC Appliance
The McAfee NAC appliance controls network access for both managed and unmanaged endpoints. It can be deployed inline or out of band, the latter using 802.x or SNMP to manage access at the switch port level. Access policies can be configured to include user identity (based on Active Directory status), system health status from the NAC client, and much more. Unmanaged devices can be presented with temporary, network-segmented access or offered a dissolvable client that assesses their health posture against policy. Hosts can then be directed to a guest remediation portal or other network resources for self or automated remediation.

McAfee Network Security Platform (NSP) with NAC Module
Optionally, the NAC sensor can be added on to a McAfee Network Security Platform IPS system. This option adds post-admission network monitoring: it checks on the health of machines that have already been admitted to a network, both managed and unmanaged clients. This in-line monitoring will catch systems that become infected with malware, such as bots or worms, for full post-admission threat mitigation and host quarantining. For customers with the Network Security Platform, in-line NAC can be added easily.

The next concern would be exerting extra control over managed clients. For this capability, you would deploy NAC clients to your managed endpoints.

McAfee NAC Client Software
This agent can be purchased as part of McAfee Endpoint Protection Advanced Suite or McAfee Total Protection for Endpoint Enterprise Edition, or as a standalone solution. Completely customizable, it ensures that endpoints have the correct security configurations, up-to-date operating system patches, and other required applications. The consolidated McAfee NAC policy library allows companies to use a single, common policy dictionary to define policy requirements across hosts. In addition to the 000 native checks in our policy library, you can directly import any XCCDF or OVAL content.
These McAfee components are connected by the McAfee ePolicy Orchestrator (McAfee ePO) management platform. Integration with McAfee ePO reduces the number of management consoles and simplifies reporting for all network devices. Using this centralized management console, the administrator defines a system health policy that includes benchmarks with rules based on checks. New checks can be created here to supplement those provided in our policy library or imported from external sources. McAfee ePO pushes the policy to managed clients. The clients (through the agent) perform a self-assessment against the policy and are provisioned with appropriate network access depending on system health. Health status can be monitored and reported through McAfee ePO.

To allow different privileges for different groups, policies can be created for different classes of users, leveraging existing user populations in your Active Directory or LDAP directory. This flexibility replaces binary yes/no access with truly granular, automated, policy-driven network access and better alignment with business goals instead of a one-size-fits-all method.

Smartphones and tablets, including Apple iPhones, Apple iPads, and Android devices, require one addition to your deployment. Although the NAC network appliance (or NAC module on the McAfee Network Security Platform) will treat these devices as unmanageable clients, McAfee Enterprise Mobility Management allows you to exert policy-based control.

McAfee Enterprise Mobility Management (McAfee EMM)
McAfee EMM is a full-featured mobile device management snap-in for McAfee ePolicy Orchestrator that allows mobile devices to participate securely in the corporate infrastructure. McAfee EMM combines secure mobile application access, anti-malware, strong authentication, high availability, a scalable architecture, and compliance reporting in a seamless system.
It configures mobile devices to match corporate security policies and enforces compliance prior to network access. To accommodate the different functionalities of different smartphones, device policies (such as the ability to install apps) are managed via EMM.
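As an added illustration (not McAfee's code or its policy format) of the model described above, the following Python sketch builds a health benchmark out of rules based on checks, evaluates an endpoint's reported facts against it, selects a network segment from health plus directory group, and re-runs the same benchmark post-admission so that a host whose anti-virus is deactivated after admission loses its access. All thresholds, patch identifiers, group names and VLAN labels are constructed placeholders.

```python
"""Added example (not McAfee's code): a toy health-based NAC decision engine.
Benchmark -> rules -> checks, as in the ePO policy model; health plus user group
picks a segment; the same benchmark is re-run post-admission.  Thresholds, patch
identifiers, group names and VLAN labels are constructed placeholders."""
from dataclasses import dataclass
from typing import Callable, List

Check = Callable[[dict], bool]

@dataclass
class Rule:
    name: str
    check: Check
    blocking: bool = True  # a failed blocking rule sends the host to remediation

@dataclass
class Benchmark:
    name: str
    rules: List[Rule]

    def evaluate(self, facts: dict) -> List[str]:
        """Return the names of failed blocking rules (empty list means healthy)."""
        return [r.name for r in self.rules if r.blocking and not r.check(facts)]

MIN_DAT = 6500                       # constructed minimum signature (DAT) release
REQUIRED_PATCHES = {"KB-A", "KB-B"}  # placeholder patch identifiers

# One policy dictionary, applied alike to managed hosts and to unmanaged PCs
# assessed by a temporary (dissolvable) agent.
CORPORATE = Benchmark("corporate-endpoint", [
    Rule("av-running", lambda f: bool(f.get("av_running"))),
    Rule("dat-current", lambda f: f.get("dat", 0) >= MIN_DAT),
    Rule("patches", lambda f: REQUIRED_PATCHES <= set(f.get("patches", []))),
    Rule("disk-encrypted", lambda f: bool(f.get("disk_encrypted")), blocking=False),
])

# Segment per user community (e.g. a directory group); unknown identities
# only ever reach the guest segment.
GROUP_SEGMENT = {"executives": "vlan-corp", "staff": "vlan-corp",
                 "contractors": "vlan-contractor"}

def admit(facts: dict) -> dict:
    """Pre-admission decision from the facts an agent or sensor reported."""
    if not facts.get("agent_assessed"):
        # Unmanageable or unassessed device (smartphone, printer, unknown PC
        # that declined the dissolvable agent): restricted guest access only.
        return {"segment": "vlan-guest", "reason": "unassessed"}
    failed = CORPORATE.evaluate(facts)
    if failed:
        return {"segment": "vlan-remediation", "reason": ",".join(failed)}
    segment = GROUP_SEGMENT.get(facts.get("group", ""), "vlan-guest")
    return {"segment": segment, "reason": "healthy"}

def reassess(current: dict, facts: dict) -> dict:
    """Post-admission re-check on a schedule or network change: a host that
    drifts out of policy after admission loses the segment it was granted."""
    decision = admit(facts)
    decision["changed"] = decision["segment"] != current["segment"]
    return decision

def demo() -> List[dict]:
    """Constructed scenario: a healthy staff laptop is admitted, then the user
    deactivates anti-virus; the scheduled re-check moves it to remediation."""
    laptop = {"agent_assessed": True, "group": "staff", "av_running": True,
              "dat": 6510, "patches": ["KB-A", "KB-B"], "disk_encrypted": True}
    first = admit(laptop)
    laptop["av_running"] = False
    second = reassess(first, laptop)
    return [first, second]
```

The non-blocking disk-encryption rule shows how a check can be reported without blocking access, while the reassess step is what closes the movie-theater gap: the pre-admission ticket alone never expires.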
These are the basic elements of your NAC solution. They can be configured to handle some of the specific business requirements we have covered:

Guest and Contractor Access. When an unmanaged guest device requests network access (over Wi-Fi, VPN, or LAN connection), the McAfee NAC Appliance or NAC add-on to the McAfee Network Security Platform will assess whether an endpoint is a managed client or an unidentified device and then place that user into a pre-admission network. Appropriate access can be granted and automatically provisioned based on system health or user credentials. That user will then be placed into the appropriate network segment based on policy.

Rogues. McAfee can help you discover unapproved IP-enabled devices attaching to your network, from smartphones, printers, and gaming consoles to medical devices and cameras. The McAfee solution needed for this is the Rogue System Detection capability in McAfee ePO. It will scan your network for any unmanaged or unmanageable IP-based device and alert IT staff for action.

Impact of the Solution
Deploying a full-spectrum McAfee NAC solution can help you:
- Enforce compliance. Enforce policy-driven compliance in real time as hosts join and leave the network, reducing the need for helpdesk calls.
- Streamline operations. Slash or virtually eliminate the need for manual moves/adds/changes to improve the user experience, reduce help desk calls, and allow IT staff to focus on more critical areas.
- Lower security spending. Unified management reduces the number of consoles needed to administer a perimeter-to-end-node NAC deployment, drastically lowering TCO.
- Leverage existing investments. Snap-in NAC agents, add-on network IPS modules, and McAfee ePO integration allow organizations to leverage past investments in McAfee software and hardware and greatly reduce implementation time.
Q&A

I've heard NAC is confusing and difficult to deploy. Have you made it easier?
Yes. NAC has matured over the years from "science project" technology to a mainstream solution. McAfee's multi-method deployment options (host and network) allow an organization to leverage an existing McAfee ePO endpoint management deployment or McAfee Network IPS installation to deploy NAC rapidly, enterprise wide. The McAfee NAC consolidated policy library allows companies to use a single common policy dictionary to define policy requirements across both network and hosts.

Cisco included a NAC solution with a recent networking purchase that we made. Why do I need anything else?
Cisco is a networking company; they don't have the McAfee heritage of over 20 years of dedicated security focus. McAfee offers a proven security research team that allows us to provide much more than a "top 20" approach to NAC. McAfee's policy library alone includes more than 000 native checks as well as the ability to directly import any XCCDF or OVAL content.

I understand NAC is aimed at Microsoft operating systems. What about my Mac/Linux machines?
McAfee Network Access Control (MNAC) supports installation on a range of enterprise operating systems, including Microsoft Windows, Mac OS X, and Red Hat. Additionally, McAfee Enterprise Mobility Manager adds full control of smartphone and tablet platforms such as iPhones, iPads, and Android.
Additional Resources
McAfee Network Access Control: how does it work? (Video)
For more information about the Security Connected Reference Architecture, visit:

About the Author
Michael Ward has 5 years of security engineering experience, including several in the Network Access Control and directory-enabled networking fields. He holds a Bachelor of Arts in Economics from George Mason University and is both a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker (CEH).

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

282 Mission College Boulevard, Santa Clara, CA

McAfee, McAfee Enterprise Mobility Management, McAfee EMM, McAfee ePolicy Orchestrator, McAfee ePO, McAfee Network Access Control, McAfee Network Security Platform, and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 20 McAfee, Inc.