Saturday, August 9, 2008

Symantec NAC upgraded

Integrates on-demand client into Symantec Network Access Control

Enterprises can expect more consumer devices to enter their networks, says analyst Zeus Kerravala. The key is controlling how much access they get

BANGALORE, INDIA: Symantec has upgraded Symantec Network Access Control, providing enforcement for managed endpoints, guest users and unmanaged devices. Symantec is helping customers reduce overall cost and simplify network access control deployment by integrating the on-demand client into Symantec Network Access Control.

Symantec is releasing an upgrade to Symantec Network Access Control (NAC), which will allow IT administrators to exert control over unmanaged devices and set customized levels of access for guest users entering their corporate networks.

The upgrade is available at no additional cost to customers under warranty or maintenance. The software image will be available for download from Symantec’s Web site on Aug. 15.

In addition, consolidated network access control policy configuration and management for managed and guest users can all be done through the Symantec Endpoint Protection Manager. The Symantec Network Access Control upgrade is scheduled to be available in August 2008.

An integrated, dissolvable on-demand client for guest user access can now be delivered directly from the Symantec Network Access Control Enforcer appliance in Gateway or DHCP modes to simplify deployment.

This helps ensure that unmanaged endpoints attempting to connect to corporate networks have the appropriate protection and security software installed. The on-demand client performs predefined checks to ensure that antivirus, antispyware, firewall and service pack software is installed and up-to-date.

"This critical expansion of our network access control capabilities allows customers to centrally enforce endpoint compliance policies for both managed and unmanaged endpoints, through integration with Symantec Endpoint Protection, and guest users," said Brad Kingsbury, senior vice president, Endpoint Security and Management Group, Symantec Corp. "With Symantec Network Access Control, we have taken a flexible approach that goes beyond host-based enforcement and offers customers an array of options for enforcing network access control on the network."

Symantec Network Access Control also supports authentication and identity-based access control for guest users by offering a new Web login that can be enabled as part of the on-demand client download process. Users can be authenticated against logins centrally stored in Active Directory, LDAP or RADIUS, or against logins stored locally on the Enforcer. When used with LAN Enforcement, RADIUS attributes can control which resources guest users can access on the network once they have authenticated.

Furthermore, enhanced MAC address authentication functionality enforces network access for unmanaged devices in 802.1x-enabled environments. In LAN Enforcement mode, the Enforcer can check the MAC address of a device connecting to an 802.1x-enabled switch port, validate it against a store of known/authorized MAC addresses, and allow or block the device depending on whether it finds a match.

“We’ve actually brought all of the power of Symantec’s NAC agent for managed systems and put up that for the unmanaged world,” said senior manager of product management Rich Langston, who runs the NAC product line.

The on-demand product is a brand new, ground-up rewrite for unmanaged devices that gives administrators the exact same capabilities they currently have with the managed agent for guests and contractors, he explained.

It works by having users access the network through a Web browser, which takes them to a portal that requires a login. After presenting valid credentials, users download the on-demand agent, which runs in resident memory and dissolves when the user exits the system.

The agent ensures unmanaged devices meet predefined criteria for endpoint compliance before connecting to the network. This includes appropriate levels of security and protection, including up-to-date antivirus, antispyware, firewall and service pack software.

If a device fails to meet the criteria, automated remediation capabilities can work to resolve the issue. “Some of the competing solutions will take the user to a Web page and say, ‘You’re not on the network because your antivirus isn’t up-to-date so click on this URL,’” said Langston. “We automate everything.”

Non-compliant devices can be blocked or quarantined from the network. “The idea is to keep the network safe by keeping impurely configured systems off the network,” he said.
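The posture checks (antivirus, antispyware, firewall and service pack), the automated remediation and the quarantine-or-block handling described above, together with the MAC-address allowlist check from the LAN Enforcement paragraph, as a small Python model. This is an added example written for this page, not Symantec's code; the check names, thresholds, remediation actions, accepted MAC formats and the sample endpoint are all assumptions constructed for the illustration.

```python
"""Toy NAC admission decision engine (added illustration, not Symantec's code).

Models two enforcement paths described in the article:
  1. the on-demand client's predefined posture checks (antivirus,
     antispyware, firewall, service pack) with an automated remediation
     step per failed check and a quarantine-or-block verdict, and
  2. the LAN Enforcement MAC-address allowlist check for unmanaged devices.
Check names, thresholds, remediation actions and sample data are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Posture:
    """What the dissolvable agent would report about an endpoint."""
    antivirus_installed: bool
    antivirus_defs_date: Optional[date]  # None when no definitions are found
    antispyware_installed: bool
    firewall_enabled: bool
    service_pack: int


@dataclass
class Policy:
    """Administrator-defined compliance thresholds (constructed values)."""
    max_def_age_days: int = 7
    min_service_pack: int = 2
    on_failure: str = "quarantine"  # or "block"


@dataclass
class Decision:
    verdict: str  # "allow", "quarantine" or "block"
    failed_checks: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


# Automated remediation action per check (constructed; a real product would
# launch an installer or update job rather than return a description).
REMEDIATION: Dict[str, str] = {
    "antivirus_installed": "install antivirus client",
    "antivirus_current": "push antivirus definition update",
    "antispyware_installed": "install antispyware client",
    "firewall_enabled": "enable host firewall",
    "service_pack": "install required service pack",
}


def evaluate_posture(p: Posture, policy: Policy, today: date) -> Decision:
    """Run every predefined check and collect all failures (not just the
    first) so one remediation pass can fix everything that is wrong."""
    failed: List[str] = []
    if not p.antivirus_installed:
        failed.append("antivirus_installed")
    elif (p.antivirus_defs_date is None
          or today - p.antivirus_defs_date > timedelta(days=policy.max_def_age_days)):
        failed.append("antivirus_current")
    if not p.antispyware_installed:
        failed.append("antispyware_installed")
    if not p.firewall_enabled:
        failed.append("firewall_enabled")
    if p.service_pack < policy.min_service_pack:
        failed.append("service_pack")
    if not failed:
        return Decision("allow")
    # Non-compliant: keep the device off the production network and queue the
    # remediation steps; quarantine vs. block follows the administrator's choice.
    return Decision(policy.on_failure, failed, [REMEDIATION[c] for c in failed])


def normalize_mac(raw: str) -> str:
    """Canonicalize the formats a switch or client may report
    ("00:11:22:33:44:55", "00-11-22-33-44-55", "0011.2233.4455")."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def mac_admission(raw_mac: str, allowlist: Set[str]) -> str:
    """LAN Enforcement style check: allow only if the MAC is in the store of
    known devices. Both sides are compared in canonical form so a format
    difference between the store and the switch never causes a false block."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        return "block"
    known = {normalize_mac(m) for m in allowlist}
    return "allow" if mac in known else "block"


if __name__ == "__main__":
    today = date(2008, 8, 9)
    # Constructed guest laptop: antivirus definitions 20 days old, firewall off.
    guest = Posture(True, date(2008, 7, 20), True, False, 2)
    print(evaluate_posture(guest, Policy(), today))
    print(mac_admission("0011.2233.4455", {"00:11:22:33:44:55"}))
```

Two points the model makes explicit: every check is evaluated before a verdict is returned, so the remediation list covers all failures at once, and MAC comparison happens on a canonical form, so a device is not wrongly blocked merely because the switch reports `0011.2233.4455` while the store holds `00:11:22:33:44:55`.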



Symantec Network Access Control securely controls access to corporate networks, enforces endpoint security policy and easily integrates with existing network infrastructures. Regardless of how endpoints connect to the network, Symantec Network Access Control discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides automated remediation capabilities, and continually monitors endpoints for changes in compliance status. The result is a network environment where corporations realize significant reductions in security incidents, increased levels of compliance to corporate IT security policy and confidence that endpoint security mechanisms are properly enabled.




Symantec NAC upgrade aims at manageability
By: Jennifer Kavur - Network World Canada (01 Aug 2008)

Another key feature of the upgrade is a new Web login for guest users. “We now have the capability of giving them different levels of access,” said Langston. “This is important because most enterprises are interested in giving as little access to the network as necessary. For example, they might want to offer Internet access as a courtesy to casual guests, vendors, or the board of directors…If anything changes, they will get kicked off the network,” said Langston.

“We really have one of the most powerful agents for client-side NAC that is available, which means that we are fully on board with the client,” said Langston. This includes performing very deep inspections of endpoints to make sure they are compliant with “all the policies the administrator wants…whatever his policies may be.”

Friday, August 8, 2008

CISCO Network Admission Control

The Cisco® NAC Guest Server adds a new Secure Guest service to existing Cisco Network Admission Control (NAC) services such as authentication, posture, and profiling. The new Cisco NAC Guest Server enables simple, efficient, and secure management of guest network access. Cisco NAC Guest Server works with either Cisco NAC Appliance or Cisco wireless LAN controllers to manage the entire lifecycle of guest access, including:
• Provisioning: Allows any internal sponsor to create guest accounts

• Notification: Provides access details to the guest by print, e-mail, or text message

• Management: Makes it easy to modify and suspend accounts

• Reporting: Provides full reporting on guest accounts and guest activity

Cisco NAC Guest Server helps IT staff deal with administrative challenges commonly associated with supporting corporate visitors. The Secure Guest service enhances IT's ability to protect its own organization's assets, employees, and information from guests and their devices while providing secure and flexible network access to meet visitors' business needs. Cisco NAC Guest Server with its Secure Guest service delivers the following business benefits:
• Decreases deployment and management costs. Cisco NAC Guest Server allows trusted employees to create guest accounts quickly and securely. This removes the burden from IT and helpdesk personnel.

• Improves productivity. Streamlined account provisioning and notification processes help increase both guest usage and the productivity benefits for internal users and their guests.

• Improves customer and partner satisfaction. Providing guest access for visitors enables greater collaboration. Customers and partners alike appreciate this capability.

To learn more about Cisco NAC Guest Server and its Secure Guest service, visit the following resources:
• Product bulletin (including ordering information): http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd806f3235.html
• Data sheet: http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806e98c9.html
• Q&A: http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd806f525a.shtml

Volume I: NAC Framework Architecture and Design (Networking Technology) (Paperback)
Volume II: NAC Deployment and Troubleshooting (Networking Technology) (Paperback)

Product Description

Cisco Network Admission Control

Volume I: NAC Framework Architecture and Design



A guide to endpoint compliance enforcement



Today, a variety of security challenges affect all businesses regardless of size and location. Companies face ongoing challenges in the fight against malware such as worms, viruses, and spyware. Today’s mobile workforce attaches numerous devices to the corporate network that are harder to control from a security policy perspective. These host devices often lack antivirus updates and operating system patches, thus exposing the entire network to infection. As a result, worms and viruses continue to disrupt business, causing downtime and continual patching. Noncompliant servers and desktops are far too common and are difficult to detect and contain. Locating and isolating infected computers is time consuming and resource intensive.



Network Admission Control (NAC) uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. NAC allows network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of and even remediate noncompliant devices.



Cisco Network Admission Control, Volume I, describes the NAC architecture and provides an in-depth technical description for each of the solution components. This book also provides design guidelines for enforcing network admission policies and describes how to handle NAC agentless hosts. As a technical primer, this book introduces you to the NAC Framework solution components and addresses the architecture behind NAC and the protocols that it follows so you can gain a complete understanding of its operation. Sample worksheets help you gather and organize requirements for designing a NAC solution.



Denise Helfrich is a technical program sales engineer that develops and supports global online labs for the World Wide Sales Force Development at Cisco®.



Lou Ronnau, CCIE® No. 1536, is a technical leader in the Applied Intelligence group of the Customer Assurance Security Practice at Cisco.



Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco.



Paul Forbes is a technical marketing engineer in the Office of the CTO, within the Security Technology Group at Cisco.



• Understand how the various NAC components work together to defend your network
• Learn how NAC operates and identifies the types of information the NAC solution uses to make its admission decisions
• Examine how Cisco Trust Agent and NAC-enabled applications interoperate
• Evaluate the process by which a policy server determines and enforces a policy
• Understand how NAC works when implemented using NAC-L2-802.1X, NAC-L3-IP, and NAC-L2-IP
• Prepare, plan, design, implement, operate, and optimize a network admission control solution


This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.



Category: Cisco Press–Security

Covers: Network Admission Control



ISBN: 1-58705-241-5





About the Author

Denise Helfrich is currently a technical program sales engineer developing and supporting global online labs for the Worldwide Sales Force Delivery. For the previous six years, she was a technical marketing engineer in the Access Router group, focusing on security for Cisco Systems. She is the author of many Cisco training courses, including Network Admission Control. She has been active in the voice/networking industry for over 20 years.

Lou Ronnau, CCIE No. 1536, is currently a technical leader in the Applied Intelligence group of the Customer Assurance Security Practice at Cisco Systems. He is the author of many Cisco solution guides along with Implementing Network Admission Control: Phase One Configuration and Deployment. He has been active in the networking industry for over 20 years, the last 12 years with Cisco Systems.

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco Systems. He is a systems architect and one of the founders of Cisco’s Identity-Based Networking Services (IBNS) strategy. Jason has authored many Cisco solution guides and often participates in industry forums such as Cisco Networkers. He has been involved with network design and security for seven years.

Paul Forbes is a technical marketing engineer in the Office of the CTO, within the Security Technology Group. His primary focus is on the NAC Partner Program, optimizing the integration between vendor applications and Cisco networking infrastructure. He is also active in other security architecture initiatives within the Office of the CTO. He has been active in the networking industry for ten years, as both a customer and working for Cisco.

Product Description

Cisco Network Admission Control

Volume II: NAC Framework Deployment and Troubleshooting



The self-defending network in action



Jazib Frahim, CCIE® No. 5459

Omar Santos

David White, Jr., CCIE No. 12,021



When most information security professionals think about threats to their networks, they think about the threat of attackers from the outside. However, in recent years the number of computer security incidents occurring from trusted users within a company has equaled those occurring from external threats. The difference is, external threats are fairly well understood and almost all companies utilize tools and technology to protect against those threats. In contrast, the threats from internal trusted employees or partners are often overlooked and much more difficult to protect against.



Network Admission Control (NAC) is designed to prohibit or restrict access to the secured internal network from devices with a diminished security posture until they are patched or updated to meet the minimum corporate security requirements. A fundamental component of the Cisco® Self-Defending Network Initiative, NAC enables you to enforce host patch policies and to regulate network access permissions for noncompliant, vulnerable systems.



Cisco Network Admission Control, Volume II, helps you understand how to deploy the NAC Framework solution and ultimately build a self-defending network. The book focuses on the key components that make up the NAC Framework, showing how you can successfully deploy and troubleshoot each component and the overall solution. Emphasis is placed on real-world deployment scenarios, and the book walks you step by step through individual component configurations. Along the way, the authors call out best practices and tell you which mistakes to avoid. Component-level and solution-level troubleshooting techniques are also presented. Three full-deployment scenarios walk you through application of NAC in a small business, medium-sized organization, and large enterprise.



“To successfully deploy and troubleshoot the Cisco NAC solution requires thoughtful builds and design of NAC in branch, campus, and enterprise topologies. It requires a practical and methodical view towards building layered security and management with troubleshooting, auditing, and monitoring capabilities.”

—Jayshree V. Ullal, Senior Vice President, Datacenter, Switching and Security Technology Group, Cisco Systems®



Jazib Frahim, CCIE® No. 5459, is a senior network security engineer in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security team. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security.



Omar Santos is a senior network security engineer in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security team. He has more than 12 years of experience in secure data communications.



David White, Jr., CCIE No. 12,021, has more than 10 years of networking experience with a focus on network security. He is currently an escalation engineer in the Cisco TAC, where he has been for more than six years.



• Effectively deploy the Cisco Trust Agent
• Configure Layer 2 IP and Layer 2 802.1x NAC on network access devices
• Examine packet flow in a Cisco IOS NAD when NAC is enabled, and configure Layer 3 NAC on the NAD
• Monitor remote access VPN tunnels
• Configure and troubleshoot NAC on the Cisco ASA and PIX security appliances
• Install and configure Cisco Secure Access Control Server (ACS) for NAC
• Install the Cisco Security Agent Management Center and create agent kits
• Add antivirus policy servers to ACS for external antivirus posture validation
• Understand and apply audit servers to your NAC solution
• Use remediation servers to automatically patch end hosts to bring them in compliance with your network policies
• Monitor the NAC solution using the Cisco Security Monitoring, Analysis, and Response System (MARS)


This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.



Category: Cisco Press—Security

Covers: Network Admission Control



$60.00 USA / $75.00 CAN





About the Author

Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than seven years. With a Bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer with the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers as a team leader in resolving complicated security and VPN technologies. Jazib is currently working as a Senior Network Security Engineer in the Worldwide Security Services Practice of Cisco’s Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus in network security. He holds two CCIEs, one in Routing and Switching and the other in Security. He also authored the Cisco Press book Cisco ASA: All-in-one Firewall, IPS, and VPN Adaptive Security Appliance (ISBN: 1-58705-209-1). Additionally, Jazib has written numerous Cisco online technical documents and has been an active member on Cisco’s online forum, NetPro. He has presented at Networkers on multiple occasions and has taught many onsite and online courses to Cisco customers, partners, and employees.

Jazib is currently pursuing a Master of Business Administration (MBA) degree from North Carolina State University.



Omar Santos is a Senior Network Security Consulting Engineer in the Worldwide Security Services Practice of Cisco’s Advanced Services for Network Security. He has more than 12 years of experience in secure data communications. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and Department of Defense (DoD). He is also the author of the Cisco Press book Cisco ASA: All-in-one Firewall, IPS, and VPN Adaptive Security Appliance (ISBN: 1-58705-209-1) and many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader of Cisco’s Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within the organization. He is an active member of the InfraGard organization, a cooperative undertaking between the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law-enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructures of the United States of America. Omar has also delivered numerous technical presentations to Cisco customers, partners, and other organizations.



David White, Jr., CCIE No. 12021, has more than ten years of networking experience with a focus on network security. He is currently an Escalation Engineer in the Cisco TAC, where he has been for more than six years. In his role at Cisco, he is involved in new product design and implementation and is an active participant in Cisco documentation, both online and in print. David holds a CCIE in Security and is also NSA IAM certified. Before joining Cisco, David worked for the U.S. government, where he helped secure its worldwide communications network. He was born and raised in St. Petersburg, Florida, and received his Bachelor’s degree in computer engineering from the Georgia Institute of Technology.


Enforce Security Policy Compliance
Enforce your organization's security policies on all devices seeking network access. Cisco Network Admission Control (NAC) allows only compliant and trusted endpoint devices, such as PCs, servers, and PDAs, onto the network, restricting the access of noncompliant devices, and thereby limiting the potential damage from emerging security threats and risks. Cisco NAC gives organizations a powerful, roles-based method of preventing unauthorized access and improving network resiliency.

Business Benefits
Security policy compliance: Ensures that endpoints conform to security policy; protects infrastructure and employee productivity; secures managed and unmanaged assets; supports internal environments and guest access; tailors policies to your risk level
Protects existing investments: Is compatible with third-party management applications; flexible deployment options minimize need for infrastructure upgrades
Mitigates risks from viruses, worms, and unauthorized access: Controls and reduces large-scale infrastructure disruptions; reduces OpEx and helps enable higher IT efficiency; integrates with other Cisco Self-Defending Network components to deliver comprehensive security protection
NAC Deployment Scenarios
Cisco NAC can be deployed in all infrastructure scenarios, including corporate LAN, WAN, wireless, and remote access (VPN). Cisco NAC deployments include the following options:

Cisco NAC Appliance is the recommended deployment solution for most customers. It is an appliance-based product that provides:

• Rapid deployment
• Self-contained endpoint security posture assessment
• Policy management
• Integration with identity, remediation, and other services


Cisco NAC Appliance In-Band Option
This is the ideal option for wireless, remote access, and branch office applications, and works in heterogeneous network environments.

Cisco NAC Appliance Out-of-Band Option
This option is ideal for larger campus LAN deployments in which enforcement is controlled at the switch. Cisco NAC Out-of-Band can be combined with the Cisco NAC In-Band deployment option.

Cisco NAC Framework, through the Cisco Network Admission Control Partner Program, provides the option of integrating an intelligent network infrastructure with solutions from more than 75 manufacturers of leading antivirus and other security and management software.

NAC Deployment Services (PDF)
Cisco Security NAC Services provide rigorous requirements analysis, planning, design, and implementation consulting—essential to deploying an effective NAC solution.


All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Cisco Expands Its NAC Leadership with the Cisco NAC Network Module and Cisco NAC Profiler
The new Cisco NAC Network Module for Cisco 2800 and 3800 Series Integrated Services Routers is the industry’s first full Network Admission Control (NAC) module. The Cisco NAC Network Module provides exceptional security for branch and remote offices, adds more NAC deployment options, and assists customers by simplifying deployment, troubleshooting, and management.
Cisco is also introducing the Cisco NAC Profiler, which adds new capabilities for endpoint device handling (including “dumb” devices such as IP phones, printers or scanners). The Cisco NAC Profiler provides visibility, intelligence, and automation to simplify initial NAC deployments and to reduce the ongoing NAC maintenance cost.
Read the complete Cisco NAC Network Module and Cisco NAC Profiler announcement.
For more technical information, read the Cisco NAC Network Module data sheet and the Cisco NAC Profiler data sheet.

Printed in USA C02-434732-00 9/07

McAfee Network Access Control

McAfee System Protection
Protect your network from noncompliant or infected systems
Noncompliant, infected, or misconfigured systems pose security risks and incur costs due to system downtime and restoration. Even one infected host already on the network can cause disruptions to network bandwidth or can infect other compliant systems. Boost NAC with McAfee IntruShield® IPS to protect high-risk areas on the network by identifying, quarantining, and remediating infected devices.

About the Author
Jamey Heary, CCIE No. 7680, is currently a security consulting systems engineer at Cisco Systems, Inc., and works with its largest customers in the Northwest United States. Jamey joined Cisco in 2000. He currently leads its Western Security Asset team and is a field advisor for the U.S. Security Virtual team. Prior to working at Cisco, he worked for the Immigration and Naturalization Service as a network consultant and project leader. Before that he was the lead network and security engineer for a financial firm whose network carries approximately 12 percent of the global equities trading volume worldwide. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. He has been working in the IT field for 13 years and in IT security for 9 years. He has a BS from St. Lawrence University.


About the Contributing Authors

Jerry Lin, CCIE No. 6469, is a consulting systems engineer for Cisco and is based in southern California. He specializes in security best practices. Jerry has worked with a variety of Cisco enterprise customers in areas such as software development, local government agencies, K-12 and universities, high tech manufacturing, retail, and health care, as well as managed web-hosting service provider customers. He holds his CCIE in routing and switching as well as in CCDP and CISSP. Jerry has been working in the IT industry for the past 12 years. During the late 1990s, he worked as a technical instructor. Jerry earned both a bachelor’s degree and a master’s degree in mechanical engineering from the University of California, Irvine.


Chad Sullivan, CCIE No. 6493 (Security, Routing and Switching, SNA/IP), CISSP, CHSP, is a senior security engineer and owner of Priveon, Inc., which provides leading security solutions to customers globally. Prior to starting Priveon, Chad worked as a security consulting systems engineer at Cisco. Chad is recognized within the industry as one of the leading implementers of the Cisco Security Agent product and is the author of both Cisco Press books dedicated to the Cisco Security Agent.


Alok Agrawal is the technical marketing manager for the Cisco NAC Appliance (Clean Access) product. He leads the technical marketing team developing technical concepts and solutions and driving future product architecture and features. He works with the Cisco sales and partner community to scale the adoption of the NAC Appliance product line globally. Prior to joining the Cisco Security Technology Group, he worked in the switching team of the Cisco Technical Assistance Center. He has a strong background in routing and switching and host security design and implementation. Alok holds a master’s degree in electrical engineering from the University of Southern California and a bachelor’s degree in electronics engineering from the University of Mumbai.

Mobile Workers and Guest Users May Breed Security Threats and Pose Risk to Regulatory Compliance

Juggling compliance audits with timely remediation of non-compliant, infected, and misconfigured systems can leave you vulnerable. Do you want to deploy a network access control (NAC) solution but feel frustrated with products that are unmanageable, very complex to deploy, and too expensive? Give yourself some breathing room with McAfee® Total Protection for Endpoint—Advanced, which includes McAfee Network Access Control solution. McAfee Network Access Control keeps you updated with new threat information while enforcing compliance, ensuring healthy networks, and addressing concerns about the cost, manageability, and complexity of most other NAC solutions.

NAC Benefits:
1. Minimize risk of outbreaks while allowing for policy flexibility: Protect your network from zero-day threats and infected guest devices; monitor the network continuously for threat assessment and attack behavior originating from all types of devices.
2. Minimize exposure from noncompliant, infected, or misconfigured systems: Allow only authorized devices to have network access; enforce compliance by scanning devices to test their overall security posture as they attempt to log onto a network.
3. Reduce downtime and risk: Guard against infections and vulnerabilities from mobile devices; identify and quarantine misconfigured systems and company laptops that fall out of compliance; enforce network access decisions at the system level; remediate noncompliant devices automatically.
4. Make intelligent decisions based on real knowledge: Gain visibility of system and network threats with efficient security collaboration; breakthrough McAfee ePolicy Orchestrator® (ePO™) integration provides real-time visibility of actionable system host details, as well as the most relevant host IPS, anti-virus, and spyware events.
5. Leverage your existing network infrastructure: Deploy to all ePO managed systems in your network infrastructure without hardware replacements; get continuous, broad protection that keeps up with the latest threats with McAfee Total Protection for Enterprise—Advanced with NAC included; manage it all from a single, centralized console.

McAfee Makes NAC Accessible
You are not alone among enterprises that are reluctant to deploy a NAC solution. Prior options are unmanageable, too complex to deploy, and expensive—especially when you include product, deployment, and ongoing maintenance costs. McAfee addresses all of these concerns and more with a global partner ecosystem of distributors, value-added distributors (VADs), value-added resellers (VARs), and systems integrators, all offering product order fulfillment, professional services for deployment, and solution training for NAC administrators.

Yahoo Partners With McAfee To Make Search More Secure
Following Google (NSDQ: GOOG)'s lead, Yahoo (NSDQ: YHOO) is moving to make its search engine safer.
Yahoo and McAfee on Tuesday announced a partnership to integrate McAfee's SiteAdvisor technology with Yahoo Search. SiteAdvisor tracks Web site security issues, identifying sites associated with adware, malware, spyware, phishing, and spam.


The new SearchScan feature in Yahoo Search is a manifestation of the partnership. It provides red warning messages about the risks posed by Web sites that appear in Yahoo Search results lists.
Google began flagging risky search results in February 2007.

"Searching on the Web can present a minefield of spyware, malware, and other malicious sites that can cause serious harm to your PC and cost you valuable time and money," said Vish Makhijani, senior VP and general manager of Yahoo Search, in a blog post. "We are taking steps to make you feel safe when searching the Web -- warning you about dangerous sites before you click on them."

According to Makhijani, "No other search engine today offers you this level of warning before visiting sites. Period."

Citing a March 2008 survey conducted by marketing research services provider Decipher, Yahoo and McAfee claim that 65% of Americans online are more worried about clicking unsecured search listings than the threat of neighborhood crime, getting one's wallet stolen, or e-mail scams. Unfortunately, Decipher hasn't posted this survey online, making it harder to divine why so many people supposedly prefer being pistol-whipped and robbed to a malware infection.

Tim Dowling, VP of McAfee's Web security group, said that SearchScan tests for browser exploits, so it will detect sites where malware is delivered through online ads.

According to a Google security report published in February, 2% of malicious Web sites were delivering malware via advertising. Because ads tend to be placed on popular sites, searchers encounter them more often than their general prevalence suggests. "On average, 12% of the overall search results that returned landing pages were associated with malicious content due to unsafe ads," the report said.

Flagging such sites, however, is not without problems. Web sites penalized by McAfee's scarlet letter may see a drop in visitors despite the possibility that the fault may lie with the security of the site's ad syndication network rather than with the hosting site itself. Still, fear of such stigma may make site owners demand better security at ad networks, which would improve Internet safety for everyone.

It's something of a surprise to find Yahoo striking a deal with McAfee given that McAfee in May 2007 fingered Yahoo as the search engine with the greatest percentage of risky search results (5.4%). But perhaps having partnered with McAfee, Yahoo will fare better in McAfee's forthcoming 2008 State of Search Engine Safety survey.

Asked whether Yahoo's new relationship with McAfee represents a conflict of interest that might affect the search engine's ranking in McAfee's upcoming survey, Dowling replied, "It's hard to say whether there's a real conflict of interest. It's a pretty quantitative study." He added that due to Yahoo's commitment to cleaner search results, "I would expect Yahoo to be the safest search engine, or one of them."

Dowling said McAfee was running a bit behind in compiling the data for its 2008 search safety survey but did provide a preview: Sponsored search results are twice as likely to link to malicious sites as organic search results, he said. "The bad guys try to look good and Internet advertising is a way they can buy their way into a higher search result position," he said.

Dowling also said that search engines collectively serve 8 billion risky sites per month worldwide.


Testimonial 1
I want to start out by saying that this book completely exceeded my expectations for the first NAC Appliance book. I wish this was published 3 years ago. The author clearly articulates the business benefits of NAC, including how NAC provides return on investment (ROI), which gives any reader the know-how to wisely purchase Cisco NAC Appliance. He also shows his technical expertise by diving extremely deep into the inner workings of Cisco NAC Appliance, which gives engineers, consultants, and operations the information they need to successfully deploy or maintain the product.

This book shows great details into the process flows of In-Band & Out-of-Band users, Clean Access Agent (CAA) users and network scanning users. The information on the different deployment options and how to use them in diverse environments is great to start your NAC Design. This book makes the confusing topics seem easy and manageable.

Some of the highlights that caught my eye and I thought everyone would like were:

- Chapter on Host Security Policy - An amazing deal of information on how to design/create a Host Security Policy as it relates to NAC Appliance is invaluable to deployments

- Exploration of High Availability and Load Balancing - Information on how to load balance Clean Access Servers using the CSM, CSS, ACE and PBR cannot be found anywhere else. This includes saving money on Failover Bundles by using N+1 Failover

- Layer 3 OOB Deployment options - Walk through of the benefits of the different methods of deploying L3 OOB, e.g. PBR, ACLs, VPNs, etc.

- Deployment Best Practices - An entire chapter on how to plan, schedule, and keep all parties happy for your NAC Appliance deployment

- Monitoring & Troubleshooting information - detailed list of all logs located on the CAM and CAS, as well as the information on how to troubleshoot and monitor online users

All in all this is a great book and I would recommend it for all people interested in Buying, Deploying, Operating, or Troubleshooting Cisco NAC Appliance. This is definitely a great reference manual to have at your desk!


Testimonial 2
The Cisco Self Securing Network platform is currently structured around several cornerstone technologies, of which the Cisco Clean Access technology is a leading component. The Cisco Clean Access technology is one of several industry-wide Network Admission Control (NAC) technologies which rely on a combination of client-server components. The Cisco Clean Access suite includes a client component, which could be a host-installed applet or a browser-based applet, that can read basic configuration data from a host machine and communicate compliance with enterprise-defined rules/policies which are pre-defined on a Clean Access Server appliance and other cooperating systems. The book, Cisco NAC Appliance, is a good guide for administrators deploying this complex set of solutions brought from Perfigo Inc. after Perfigo's acquisition by Cisco in 2006.

The book's organization and tone are aimed at security architects, security managers, and security administrators. While a security architect will better understand the various deployment options and thus the place of the Cisco NAC framework in an enterprise, security managers will get a comprehensive enough view of the Cisco NAC framework to make the judgment call on actual deployment of the infrastructure and, of course, make decisions on cost/facility and better grapple with the potential cost-benefit requests from the enterprise's executives. The security administrator will have a quick-guide handbook to help wade through the myriad of documentation from Cisco on its evolving SAFE architecture in general and the NAC framework in particular.

The organization of this book is excellent for the intended audience: six parts covering the basics of the host security landscape, design of the Cisco NAC Appliance, developing a host security policy, the Cisco NAC configuration, some deployment best practices, and of course NAC Appliance maintenance and troubleshooting. The six parts are laid out in fifteen accessible chapters spanning more than 500 pages with a generous amount of configuration examples and screenshots.

With Cisco now having more than 45% market share in the endpoint access control market, books like these can only increase in importance as a guide to organizations grappling with the decision on what and where to deploy these technologies.

And for this volume, the taste of the pudding remains in the eating. So if you don't have a copy yet, go grab one (so long as you are interested in some endpoint security solutions now or at some point in the future). As for rating, I'll give it my best rating so far, four stars out of five.