Saturday, August 9, 2008

Symantec NAC upgraded

Integrates on-demand client into Symantec Network Access Control

Enterprises can expect more consumer devices to enter their networks, says analyst Zeus Kerravala. The key is controlling how much access they get.

BANGALORE, INDIA: Symantec has upgraded Symantec Network Access Control, providing enforcement for managed endpoints, guest users and unmanaged devices. Symantec is helping customers reduce overall cost and simplify network access control deployment by integrating the on-demand client into Symantec Network Access Control.

Symantec is releasing an upgrade to Symantec Network Access Control (NAC), which will allow IT administrators to exert control over unmanaged devices and set customized levels of access for guest users entering their corporate networks.

The upgrade is available at no additional cost to customers under warranty or maintenance. The software image will be available for download from Symantec’s Web site on Aug. 15.

In addition, consolidated network access control policy configuration and management for managed and guest users can all be done through the Symantec Endpoint Protection Manager. The Symantec Network Access Control upgrade is scheduled to be available in August 2008.

An integrated, dissolvable on-demand client for guest user access can now be delivered directly from the Symantec Network Access Control Enforcer appliance in Gateway or DHCP modes to simplify deployment.

This helps ensure that unmanaged endpoints attempting to connect to corporate networks have the appropriate protection and security software installed. The on-demand client performs predefined checks to ensure that antivirus, antispyware, firewall and service pack software is installed and up-to-date.

"This critical expansion of our network access control capabilities allows customers to centrally enforce endpoint compliance policies for both managed and unmanaged endpoints, through integration with Symantec Endpoint Protection, and guest users," said Brad Kingsbury, senior vice president, Endpoint Security and Management Group, Symantec Corp. "With Symantec Network Access Control, we have taken a flexible approach that goes beyond host-based enforcement and offers customers an array of options for enforcing network access control on the network."

Symantec Network Access Control also supports authentication and identity-based access control for guest users by offering a new Web login that can be enabled as part of the on-demand client download process. Users can be authenticated against logins stored centrally in Active Directory, LDAP or RADIUS, or against logins stored locally on the Enforcer. When used with LAN Enforcement, RADIUS attributes can control which resources guest users can access on the network once they have authenticated.

Furthermore, enhanced MAC address authentication functionality enforces network access for unmanaged devices in 802.1x-enabled environments. In LAN Enforcement mode, the Enforcer can check the MAC address of a device connecting to an 802.1x-enabled switch port, validate it against a store of known/authorized MAC addresses, and allow or block the device depending on whether it finds a match.

“We’ve actually brought all of the power of Symantec’s NAC agent for managed systems and put up that for the unmanaged world,” said senior manager of product management Rich Langston, who runs the NAC product line.

The on-demand product is a brand new, ground-up rewrite for unmanaged devices that gives administrators the exact same capabilities they currently have with the managed agent for guests and contractors, he explained.

It works by having users access the network through a Web browser, which takes them to a portal that requires a login. After presenting valid credentials, users download the on-demand agent, which runs in resident memory and dissolves when the user exits the system.

The agent ensures unmanaged devices meet predefined criteria for endpoint compliance before connecting to the network. This includes appropriate levels of security and protection, including up-to-date antivirus, antispyware, firewall and service pack software.

If a device fails to meet the criteria, automated remediation capabilities can work to resolve the issue. “Some of the competing solutions will take the user to a Web page and say, ‘You’re not on the network because your antivirus isn’t up-to-date so click on this URL,’” said Langston. “We automate everything.”

Non-compliant devices can be blocked or quarantined from the network. “The idea is to keep the network safe by keeping impurely configured systems off the network,” he said.



Symantec Network Access Control securely controls access to corporate networks, enforces endpoint security policy and easily integrates with existing network infrastructures. Regardless of how endpoints connect to the network, Symantec Network Access Control discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides automated remediation capabilities, and continually monitors endpoints for changes in compliance status. The result is a network environment where corporations realize significant reductions in security incidents, increased levels of compliance to corporate IT security policy and confidence that endpoint security mechanisms are properly enabled.




Symantec NAC upgrade aims at manageability
By: Jennifer Kavur - Network World Canada (01 Aug 2008)

Another key feature of the upgrade is a new Web login for guest users. “We now have the capability of giving them different levels of access,” said Langston. “This is important because most enterprises are interested in giving as little access to the network as necessary. For example, they might want to offer Internet access as a courtesy to casual guests, vendors, or the board of directors…If anything changes, they will get kicked off the network,” said Langston.

“We really have one of the most powerful agents for client-side NAC that is available, which means that we are fully on board with the client,” said Langston. This includes performing very deep inspections of endpoints to make sure they are compliant with “all the policies the administrator wants…whatever his policies may be.”
