Like it or not, we’re living in an interconnected world. Wireless Internet is available in coffee houses, hotels and living rooms everywhere. Laptops that have logged on to these sometimes unsecured networks, and then log on to the company’s network pose a real security risk. Many companies have invested a significant amount of time and money to secure their corporate-owned desktops and laptops with antivirus, firewall, intrusion prevention, etc. However, companies can’t ensure that those security investments are always running on these desktops and laptops, and if they are, whether they are configured properly and are up-to-date. Sometimes end users may simply disable these security products, as well. Companies not only need to concern themselves with employees connecting to the network, but also with non-employees such as guests and visitors connecting to their networks using their own computers. How do you ensure that their computers meet your security requirements and do not pose a risk to the rest of your network? Symantec Network Access Control addresses each of these problems. Network Access Control checks endpoints such as laptops and desktops for up-to-date virus definitions and patches, and also allows for quarantining and remediating those with out-of-date security before granting them access.
Getting off to the right start What’s the best approach to deploy Network Access Control? Because moving to a network access control environment can be complex and may cause changes that could potentially affect end user productivity, it’s a good idea to deploy in phases, rather than all at once. The best place to begin is with company-owned laptops and desktops–your ‘managed’ computers. Once Network Access Control is running smoothly on managed assets, the next phase might be to control guest computers connecting to your network. Start with these three steps:
Monitor managed endpoints. This is a discovery/assessment phase where you simply monitor your managed endpoints to determine which are and are not compliant with your endpoint security policies (such as up-to-date virus definitions and patches). This will give you an idea of how many end users may be affected once you turn on Network Access Control. This step is especially easy for Symantec Endpoint Protection 11.0 customers (our next-generation antivirus product) since Symantec Endpoint Protection 11.0 is Network Access Control ready. There is no need to install an additional agent or management console to achieve this type of monitoring.
Fix non-compliant endpoints. Once you determine how many managed endpoints might be affected by turning on Network Access Control, you should then set it up to begin enforcing compliance and providing automated remediation. Automatic remediation will do things like turn on antivirus protection if it has been turned off, or automatically update to the most current virus definition files if the existing ones are out-of-date. Symantec offers host-based automatic remediation (self-enforcement) and automatic remediation can be configured so it is completely transparent to the end user. Symantec Endpoint Protection 11.0 customers can perform this step easily since Symantec Endpoint Protection is Network Access Control ready, so there is no need to install additional agents or a management console to achieve automated remediation.
Control guest access. Now that you’ve taken control of your assets, the next step is to control guests and visitors connecting to your network. However, making sure patches and antivirus software are up-to-date is tricky when it comes to laptops that don’t belong to your organization. The best way to manage guests and visitors is to control their connections via wireless and/or within your conference rooms.
Making sure endpoints are free of threats while connected to your system is an important step toward network security, but it’s only the first step. Protecting the network from malware when new or returning endpoints log on helps ensure that your system stays secure.