Technology Blueprint

Enforcing Endpoint Compliance on the Network
Police your managed and unmanaged systems with Network Access Control (NAC)

Security Connected Reference Architecture, Levels 2, 4, 5

The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments across all geographies improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.

Police your managed and unmanaged systems with Network Access Control (NAC)

The Situation

What happens when employees bring in their own laptops, tablets, and smartphones, or a business unit decides to hire contractors? You have a mix of permanent and temporary employees roaming your halls and networks with unmanaged devices. That's just one of the challenges IT faces in increasing support for remote and mobile endpoints while maintaining compliance with endpoint policies.

Driving Concerns

Less than a decade ago, all computing devices resided inside the corporate perimeter under the direct control of IT services. Since the organization owned and managed all these computing assets, PCs didn't exhibit policy drift over time.
Now, however, several influences combine to mean today's network may be expected to support more unmanaged devices than traditional managed endpoints:

» Mobile laptops outnumber stationary desktops
» Smartphones and tablets are being adopted at a record-setting rate
» Macs are becoming commonplace corporate endpoints
» Desktop and server virtualization is exploding, making it easier to create rogue, unmanaged clients
» Personal PCs are used for remote access to corporate networks, and also in "bring your own PC" initiatives to cut capital costs
» Many companies rely on contracted and outsourced labor, a workforce with its own set of laptops, smartphones, and tablets

Inevitably, criminals are expanding their threat and malware development programs to this rich assortment of devices. For example, threats such as botnets and worms are becoming more common on mobile platforms. This combination of factors makes measuring and enforcing endpoint policies very difficult, yet these policies are important to protect intellectual property, prevent infection of enterprise assets, and enable adherence to industry and regulatory guidelines.

Requiring adherence to policy before permitting network access isn't a new concept, but traditionally it has required complex, manual, labor-intensive processes that enable fairly binary access to the network: either full access or zero access. For the last few years, IT has used Network Access Control (NAC) to automate these processes. Real-time enforcement by endpoint agents has ensured policy compliance or forced remediation before allowing access. However, this traditionally challenging task has become even more cumbersome because of the disappearing perimeter of the network, the changing nature of the endpoint, and the changing requirements of end users. Infrequently used and disconnected laptops and rogue or stale virtual machines compound the problem.
To reassert control over this endpoint environment, IT must implement a network access architecture that will handle:

» Unmanaged clients. Limit but allow access to the internal network by unmanaged clients, a range of personally owned computing devices such as smartphones, tablets, personal laptops, and personal PCs. Monitor systems after access to prevent post-admission infections and compliance violations (such as deactivation of anti-virus).
» Managed clients. Enforce and document policy compliance of traditional managed endpoints, as well as virtual machines. Monitor managed clients to ensure systems are not infected by malware after they have gained access.
» Privileges. Different devices have different degrees of security. Different users merit different access freedoms. The architecture should enforce different access policies for different devices (smartphones vs. PCs) and user communities (executives vs. contractors). It should enable secure access to appropriate network resources such as the Internet, printers, contractor database, etc.
» Rogue devices. Many companies are unaware of all of the devices attached to their networks. Personal laptops, game consoles, virtual machines, medical devices, Linux or Macintosh machines, unauthorized printers, and rogue wireless access points: all of these devices can exist in the environment and pose a threat. Plus, the ease of creation and portability of unapproved or stale virtual machines is yet another vector of potential risk from unapproved software or outdated security settings.

Solution Description

Today, many companies break these issues up into three implementations, depending upon the business problem. Employee-owned smartphones and tablets demand a purpose-built mobile solution. Employee-owned PCs or home machines require a different approach to network access control than that for managed clients. And finally, many companies are looking to VDI to address the problem in a new and innovative way: creating a managed client to run on unmanaged systems. The ideal solution should make it easy for these specialized implementations to work together for operational efficiency in management, auditing, and compliance reporting. The core requirements are:

Unmanaged clients.
Automate network access by unknown and personally owned devices using a network-based NAC sensor.
» The solution should intercept the initial connection attempt and use a temporary agent to detect and assess the security and compliance state of personally owned PC platforms as they connect to the network.
» To ensure compliant remote access via VPN from an unknown, unmanaged device such as a home PC with corporate VPN software installed, a network-based NAC sensor deployed with the corporate VPN concentrator should intercept, authenticate, assess, and provision appropriate network access based on system health.
» The provisioning process should use the same IT policy checks that are applied to managed machines, thus reducing the manual, labor-intensive moves/adds/changes process.
» The solution should continue to enforce policies post-admission, checking on a scheduled basis to ensure continuous compliance.

Managed clients.
Measure and maintain system health of known corporate assets.
» To ensure that a wide range of corporate endpoints such as desktops, laptops, and virtual machines adhere to IT or regulatory policies, an agent on the endpoint should scan the software, validate that required software is in place (such as patches and DAT releases), block or remediate systems with issues, and allow access for approved and compliant devices. This is a traditional scenario sometimes known as health-based NAC.
» To enforce compliance of virtual desktops, the solution should allow the same admission controls with virtual machines as those used with a physical PC, Linux, or Mac platform.
» The solution should continue to enforce policies post-admission, checking patches, configurations, and security software levels on a scheduled basis or at a network change to validate continuous compliance. This function ensures users are healthy when they initially connect and that they stay healthy after they're granted access.
A movie theater analogy helps illustrate this: a teenager purchases a movie ticket and enters the multiplex (pre-admission). After the movie is over, the teen decides to sneak into another theater and watch another movie without paying for it (post-admission). A NAC solution that only performs pre-admission checks could expose an organization to post-admission health changes or violations.

Privileges.
The solution will allow different policies to be written and enforced on different types of devices based on device capabilities and users, accommodating different access modes, times of day, and other variables that could affect compliance and risk. Network segmentation and a guest portal will allow unknown users to have highly restricted access to the public Internet and other networked resources as appropriate.

Rogues.
A solution must continually scan the network for any unmanaged or unmanageable IP-based device and notify IT staff.

Decision Elements

The best solution for your organization will depend on your specific goals and the range of managed, unmanaged, and unmanageable clients you need to handle. The following internal and external forces may affect your architecture:

» Does your organization need to adhere to company, IT, or regulatory policies, such as appropriate use, PCI, SOX, HIPAA, or FDCC?
» For the above requirements, for which devices would you need to provision, measure, and enforce compliance?
» How frequently are you planning to allow network access from personally owned PCs or laptops? From smartphones or tablet PCs? From virtualized infrastructure?
» Do you have any currently deployed solutions, such as network IDS/IPS, that could assist in the integrated detection and management of unknown or badly behaving devices (outdated or rogue virtual machine images and hosts) on your network?

Technologies Used in the McAfee Solution

McAfee offers an integrated product suite to address the full spectrum of network access requirements. We combine host-based software on managed endpoints with network appliances that control and monitor unmanaged devices. For smartphones and tablets, we use dedicated mobility management software to allow access and enforce policies specific to smartphones and tablets. A centralized management platform connects these components with the rest of your security and compliance infrastructure.

[Figure: Typical Enterprise NAC deployment. Components shown: McAfee NAC client software on desktops and laptops (agent/host), ePolicy Orchestrator and NAC appliances at enterprise headquarters, a NAC appliance at the branch office, remote workers over the WAN, guest systems, mail servers and an email appliance, firewall, router, servers, and database.]

The architecture graphic shows a fully configured solution that would handle all of the above requirements. The proper McAfee solution for your needs depends on your existing environment and security goals. At a minimum, you would start with identity- and health-based access to specific subnets or applications, implemented throughout the network using a McAfee NAC appliance or the McAfee Network Security Platform (NSP) with NAC Module. This control would apply to all clients: managed, unmanaged, and unmanageable (such as printers and cameras).
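The identity- and health-based decision flow this blueprint describes (pre-admission checks, post-admission re-checks that catch policy drift, privilege tiers per user community, and rogue discovery), as an added illustrative model in Python; this is not McAfee product code, and the benchmark thresholds, segment names and sample postures are constructed for the example.

```python
"""Health-based NAC decision model for this blueprint (added example, not McAfee code).

Benchmark thresholds, segment names and the sample postures are constructed.
"""
from dataclasses import dataclass


@dataclass
class Posture:
    """Self-assessment an endpoint agent (permanent or dissolvable) reports to the NAC sensor."""
    host: str
    device_class: str          # "pc", "vm", "smartphone", "tablet", "printer", "camera"
    user_group: str            # "executive", "employee", "contractor", "guest" (from AD/LDAP)
    managed: bool = False      # known corporate asset with a permanent NAC agent
    av_enabled: bool = False
    dat_version: int = 0       # anti-virus signature (DAT) release number
    missing_patches: int = 0


# Hypothetical policy dictionary: the same checks apply to managed and unmanaged PCs
BENCHMARK = {"min_dat_version": 7100, "max_missing_patches": 0}

# Privilege tiers: a healthy managed device gets the segment its user community merits
SEGMENT_BY_GROUP = {
    "executive": "corporate-full",
    "employee": "corporate",
    "contractor": "contractor-db",
    "guest": "guest-internet",
}
UNMANAGEABLE = {"printer", "camera"}   # no agent possible: identity-based access only
MOBILE = {"smartphone", "tablet"}      # handled by the mobility-management policy


def health_checks(p: Posture) -> list[str]:
    """Run the benchmark checks; an empty list means the endpoint is compliant."""
    failed = []
    if not p.av_enabled:
        failed.append("av_disabled")
    if p.dat_version < BENCHMARK["min_dat_version"]:
        failed.append("dat_outdated")
    if p.missing_patches > BENCHMARK["max_missing_patches"]:
        failed.append("patches_missing")
    return failed


def decide(p: Posture) -> tuple[str, list[str]]:
    """Pre-admission decision: (network segment to provision, failed checks)."""
    if p.device_class in UNMANAGEABLE:
        return "unmanageable-vlan", []
    if p.device_class in MOBILE:
        return "mobile-emm", []
    failed = health_checks(p)
    if failed:
        return "remediation-portal", failed        # quarantine until remediated
    if not p.managed:
        # Healthy but unknown device: restricted internal access, or guest Internet only
        return ("guest-internet" if p.user_group == "guest" else "restricted"), []
    return SEGMENT_BY_GROUP.get(p.user_group, "restricted"), []


def recheck(current_segment: str, p: Posture) -> tuple[str, list[str], bool]:
    """Post-admission check (scheduled or on network change); the bool flags a forced move."""
    segment, failed = decide(p)
    return segment, failed, segment != current_segment


def find_rogues(inventory: set[str], observed: set[str]) -> set[str]:
    """Rogue system detection: IP-based devices seen on the wire but absent from the inventory."""
    return observed - inventory


if __name__ == "__main__":
    # Constructed scenario: a compliant executive laptop is admitted, then its AV is switched off
    laptop = Posture("exec-laptop", "pc", "executive", managed=True,
                     av_enabled=True, dat_version=7105)
    segment, _ = decide(laptop)                # ('corporate-full', [])
    laptop.av_enabled = False                  # the "sneak into another theater" moment
    print(segment, recheck(segment, laptop))   # corporate-full ('remediation-portal', ['av_disabled'], True)
    print(find_rogues({"10.0.0.5", "10.0.0.6"}, {"10.0.0.5", "10.0.0.9"}))  # {'10.0.0.9'}
```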

McAfee NAC Appliance

The McAfee NAC appliance controls network access for both managed and unmanaged endpoints. It can be deployed inline or out of band, the latter using 802.1X or SNMP to manage access at the switch port level. Access policies can be configured to include user identity (based on Active Directory status), system health status from the NAC client, and much more. Unmanaged devices can be presented with temporary, network-segmented access or offered a dissolvable client that assesses their health posture against policy. Hosts can then be directed to a guest remediation portal or other network resources for self or automated remediation.

McAfee Network Security Platform (NSP) with NAC Module

Optionally, the NAC sensor can be added on to a McAfee Network Security Platform IPS system. This option adds post-admission network monitoring: it checks on the health of machines that have already been admitted to a network, both managed and unmanaged clients. This in-line monitoring will catch systems that become infected with malware, such as bots or worms, for full post-admission threat mitigation and host quarantining. For customers with the Network Security Platform, in-line NAC can be added easily.

The next concern would be exerting extra control over managed clients. For this capability, you would deploy NAC clients to your managed endpoints.

McAfee NAC Client Software

This agent can be purchased as part of McAfee Endpoint Protection Advanced Suite or McAfee Total Protection for Endpoint Enterprise Edition, or as a standalone solution. Completely customizable, it ensures that endpoints have the correct security configurations, up-to-date operating system patches, and other required applications. The consolidated McAfee NAC policy library allows companies to use a single, common policy dictionary to define policy requirements across hosts. In addition to the 000 native checks in our policy library, you can directly import any XCCDF or OVAL content.
These McAfee components are connected by the McAfee ePolicy Orchestrator (McAfee ePO) management platform. Integration with McAfee ePO reduces the number of management consoles and simplifies reporting for all network devices. Using this centralized management console, the administrator defines a system health policy that includes benchmarks with rules based on checks. New checks can be created here to supplement those provided in our policy library or imported from external sources. McAfee ePO pushes the policy to managed clients. The clients (through the agent) perform a self-assessment against the policy and are provisioned with appropriate network access depending on system health. Health status can be monitored and reported through McAfee ePO.

To allow different privileges for different groups, policies can be created for different classes of users, leveraging existing user populations in your Active Directory or LDAP directory. This flexibility replaces binary yes/no access with truly granular, automated, policy-driven network access and better alignment with business goals instead of a one-size-fits-all method.

Smartphones and tablets, including Apple iPhones, Apple iPads, and Android devices, require one addition to your deployment. Although the NAC network appliance (or NAC module on the McAfee Network Security Platform) will treat these devices as unmanageable clients, McAfee Enterprise Mobility Management allows you to exert policy-based control.

McAfee Enterprise Mobility Management (McAfee EMM)

McAfee EMM is a full-featured mobile device management snap-in for McAfee ePolicy Orchestrator that allows mobile devices to participate securely in the corporate infrastructure. McAfee EMM combines secure mobile application access, anti-malware, strong authentication, high availability, a scalable architecture, and compliance reporting in a seamless system. It configures mobile devices to match corporate security policies and enforces compliance prior to network access. To accommodate the different functionalities of different smartphones, device policies (such as the ability to install apps) are managed via EMM.

These are the basic elements of your NAC solution. They can be configured to handle some of the specific business requirements we have covered:

Guest and Contractor Access. When an unmanaged guest device requests network access (over a Wi-Fi, VPN, or LAN connection), the McAfee NAC Appliance or NAC add-on to the McAfee Network Security Platform will assess whether an endpoint is a managed client or an unidentified device and then place that user into a pre-admission network. Appropriate access can be granted and automatically provisioned based on system health or user credentials. That user will then be placed into the appropriate network segment based on policy.

Rogues. McAfee can help you discover unapproved IP-enabled devices attaching to your network, from smartphones, printers, and gaming consoles to medical devices and cameras. The McAfee solution needed for this is the Rogue System Detection capability in McAfee ePO. It will scan your network for any unmanaged or unmanageable IP-based device and alert IT staff for action.

Impact of the Solution

Deploying a full-spectrum McAfee NAC solution can help you:

» Enforce compliance. Enforce policy-driven compliance in real time as hosts join and leave the network, reducing the need for helpdesk calls.
» Streamline operations. Slash or virtually eliminate the need for manual moves/adds/changes to improve the user experience, reduce help desk calls, and allow IT staff to focus on more critical areas.
» Lower security spending. Unified management reduces the number of consoles needed to administer a perimeter-to-end-node NAC deployment, drastically lowering TCO.
» Leverage existing investments. Snap-in NAC agents, add-on network IPS modules, and McAfee ePO integration allow organizations to leverage past investments in McAfee software and hardware and greatly reduce implementation time.

Q&A

I've heard NAC is confusing and difficult to deploy. Have you made it easier?

Yes. NAC has matured over the years from science-project technology to a mainstream solution. McAfee's multi-method deployment options (host and network) allow an organization to leverage an existing McAfee ePO endpoint management deployment or McAfee Network IPS installation to deploy NAC rapidly, enterprise-wide. The McAfee NAC consolidated policy library allows companies to use a single, common policy dictionary to define policy requirements across both network and hosts.

Cisco included a NAC solution with a recent networking purchase that we made. Why do I need anything else?

Cisco is a networking company; they don't have the McAfee heritage of over 20 years of dedicated security focus. McAfee offers a proven security research team that allows us to provide much more than a "top 20" approach to NAC. McAfee's policy library alone includes more than 000 native checks as well as the ability to directly import any XCCDF or OVAL content.

I understand NAC is aimed at Microsoft operating systems; what about my Mac/Linux machines?

McAfee Network Access Control (MNAC) supports installation on a range of enterprise operating systems, including Microsoft Windows, Mac OS X, and Red Hat. Additionally, McAfee Enterprise Mobility Manager adds full control of smartphone and tablet platforms such as iPhones, iPads, and Android.

Additional Resources

www.mcafee.com/endpoint-protection-advanced-suite
www.mcafee.com/nac
www.mcafee.com/nsp
www.mcafee.com/emm
McAfee Network Access Control: how does it work? (Video) www.youtube.com/watch?v=yyla0r2jyji

For more information about the Security Connected Reference Architecture, visit: www.mcafee.com/securityconnected

About the Author

Michael Ward has 5 years of security engineering experience, including several in the Network Access Control and directory-enabled networking fields. He holds a Bachelor of Arts in Economics from George Mason University and is both a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker (CEH).

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

282 Mission College Boulevard, Santa Clara, CA 95054, 888 847 8766, www.mcafee.com

McAfee, McAfee Enterprise Mobility Management, McAfee EMM, McAfee ePolicy Orchestrator, McAfee ePO, McAfee Network Access Control, McAfee Network Security Platform, and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 20 McAfee, Inc. 705bp_endpt-compliance-L_0