With the Symantec Network Access Control (SNAC) product, how does Enforcement manage computers without the SEP or SNAC client installed?
Symantec Network Access Control can enforce security policies only for the systems that have Symantec clients installed. The security stance of other vendors cannot be enforced. Any enforcement by other vendors can disrupt the network.
The following enforcement methods are available:
- Self Enforcement
- Self enforcement by the client firewall has no effect on the systems without clients in the network.
- Gateway Enforcement
- In the networks that use gateway enforcement, the systems without clients cannot pass through the gateway. Where you place the Gateway Enforcer in the network is critical; it can block access to critical network resources to which other systems require access.
You can make exceptions for trusted IP addresses so that they can pass through the gateway inbound or outbound without a client. Similarly, the gateway can also exempt non-Microsoft operating systems from enforcement. One network design could be to place non-critical servers on the same side of the gateway. This configuration simplifies the network design without seriously compromising security.
- DHCP Enforcement
- DHCP enforcement restricts the computers that are out of compliance or the systems without clients. It restricts these systems to a separate address space or provides them with a subset of routes on the network. This restriction reduces the network services for these devices. Similar to gateway enforcement, you can make exceptions for trusted MAC addresses and non-Microsoft operating systems.
With the Symantec Integrated DHCP Enforcer (Microsoft DHCP Server Enforcer Plug-in) in SNAC 11.0 or 12.1 you can also enable the DHCP Trusted Vendors Configuration feature to allow certain types of machines (for example printers) to bypass the Enforcement.
Using the DHCP Trusted Vendors Configuration feature with the Symantec Integrated DHCP Enforcer
- LAN Enforcement
- LAN enforcement uses the 802.1x protocol to authenticate between the switch and the client systems that connect to the network. To use this method of enforcement, the switch software must support the 802.1x protocol and its configuration must be correct. 802.1x supplicant software is also required if the administrator wants to verify user identity as well has host NAC status. The switch configuration must handle the exceptions for systems without clients, rather than any Symantec configuration.
- You have several ways to set up this switch configuration. Methods vary depending on the type of switch and software version it runs. A typical method implements the concept of a guest VLAN. Systems without clients are assigned to a network that has a lower level of network connectivity. Another method involves basing the exceptions on MAC addresses.
You can disable 802.1x on selected ports. However, to disable by selected ports allows anyone to connect by using the port, so it is not recommended. Many vendors have special provisions for the VoIP phones that can automatically move these devices to special voice VLANs.
Using MAB (MAC Authentication Bypass) with the Symantec LAN Enforcer appliance
- Universal Enforcement API
When you use the Universal Enforcement API, the third-party vendor’s implementation of the API handles the exceptions.
- Enforcement by using Cisco NAC
When you use the Symantec solution to interface with Cisco NAC, the Cisco NAC architecture handles any exclusions.