Symantec Network Access Control 11.0 Gateway Enforcement Overview

Article:TECH102537  |  Created: 2007-01-26  |  Updated: 2011-06-03  |  Article URL http://www.symantec.com/docs/TECH102537
Article Type: Technical Solution


Issue

You would like an overview of how Gateway Enforcement works.


Solution

Symantec Network Access Control - Gateway Enforcer

Overview

Gateway Enforcer is deployed inline at network ingress points to enforce policy compliance for endpoints connecting to the network from an external source.

In-line appliance segments networks into secure and insecure zones

    • Transparent deployment
    • Integrates easily with existing network infrastructure


If a machine is non-compliant (its Host Integrity (HI) check fails, or no Client is present), the Enforcer can

    • Block the client, or simply log its compliance status
    • Restrict its access to certain network resources (e.g., a patch and update server)


Typically used to enforce endpoint security for nodes connecting through

    • IPSec VPN
    • WAN
    • Wireless LAN
    • Dial-Up RAS
    • Guest access for local unmanaged users (conference rooms, guest offices, etc.)


How it Works

[Figure: SNAC_GW.JPG]


How the Client talks to the Enforcer

[Figure: GW_Client_Comms.JPG]

    • The communication between an Enforcer and a Client begins when the machine on which the Client is running attempts to connect to the network.
    • The Enforcer detects whether a Client is running and, if it is, begins the authentication process with the Client.
    • The Client responds by running a Host Integrity check and sending the results, along with its profile information, to the Enforcer. The Client also sends its unique identifier (UID), which the Enforcer passes on to the Policy Manager for authentication.
    • The Enforcer uses the profile information to verify that the Client is up to date with the latest security policies; if it is not, the Enforcer notifies the Client to update its profile.
    • Once the DHCP or Gateway Enforcer allows the client to connect to the network, the Enforcer continues to communicate with the Client at a regular, predefined interval. This communication enables the Enforcer to continue authenticating the client. For the LAN Enforcer, this periodic re-authentication is handled by the 802.1X switch.
    • If a Client changes its status, for example by changing its profile or its Host Integrity status, it begins a new authentication session.
    • The Enforcer needs to be running at all times. Otherwise, Clients attempting to access the corporate network may be blocked.
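The exchange above, reduced to the Enforcer's admission decision, as an added example that is not Symantec's code: the Client report fields, the enforcement modes, the UID lookup (standing in for the Policy Manager) and all sample values are assumptions made for illustration.

```python
# Added example, not Symantec's code: a simplified model of the Gateway Enforcer
# admission decision described above. All names, fields and values are assumptions.
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    BLOCK = "block"          # drop non-compliant clients
    RESTRICT = "restrict"    # allow only remediation resources (e.g. patch server)
    LOG_ONLY = "log_only"    # record compliance status without enforcing

@dataclass
class ClientReport:
    uid: str                      # Client's unique identifier, checked by Policy Manager
    host_integrity_passed: bool   # result of the Client's Host Integrity check
    profile_serial: int           # version of the policy profile the Client holds

@dataclass
class GatewayEnforcer:
    mode: Mode
    current_profile_serial: int   # newest profile known to the Policy Manager
    known_uids: set               # stands in for the Policy Manager UID lookup
    events: list = field(default_factory=list)

    def evaluate(self, report):
        """One authentication round; report is None when no Client is detected.
        Returns (decision, notices): decision is 'allow' or the enforcement mode."""
        notices = []
        if report is None:
            return self._noncompliant("no Client present", notices)
        if report.uid not in self.known_uids:
            return self._noncompliant(f"UID {report.uid} rejected", notices)
        if report.profile_serial < self.current_profile_serial:
            notices.append("update profile")  # Client is told to fetch the new policy
        if not report.host_integrity_passed:
            return self._noncompliant("Host Integrity failed", notices)
        self.events.append(f"{report.uid}: compliant")
        return "allow", notices

    def _noncompliant(self, reason, notices):
        self.events.append(f"non-compliant: {reason}")
        if self.mode is Mode.LOG_ONLY:
            return "allow", notices + ["logged only"]
        return self.mode.value, notices

    def session(self, reports):
        """Periodic re-authentication: every interval's report is re-evaluated, so a
        Client whose Host Integrity status changes gets a fresh decision."""
        return [self.evaluate(r)[0] for r in reports]
```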



The Gateway Enforcer's two NICs

[Figure: SNAC_GW_Interfaces.JPG]



Legacy ID: 2007092618043248

