What all can you do with Symantec Network Access Control?

Created: 01 Sep 2009 • Updated: 02 Sep 2009
Vikram Kumar-SAV to SEP

With Symantec Network Access Control you can verify system configuration and status. Symantec Network Access Control provides real-time policy compliance checking on host systems. If the checks fail, access to the network can be blocked or restricted to a quarantine/remediation network. There are built-in remediation actions specified for every requirement.

Symantec Network Access Control reduces administrative effort and cost, because user and administrator intervention is not required to fix issues that have a remediation action. Each group and location may have different Host Integrity (HI) policies, and all the policies are rules based.

 

What requirements can you enforce so that your users are compliant with your organization's security policy?

Default Templates – There are default templates present in the Host Integrity Policy:

Altiris Management – You can check on the client whether the Altiris 6 update client is installed, running and updated, and whether the Altiris 6 Software Delivery Solution and Inventory Agent Package is installed. You can also check pcAnywhere's security option, encryption and authentication type. If they are not installed or working, you can either run a script or redirect the client to a location from which these files can be installed.

Patch Management – You can check whether patch management software such as WSUS, SMS and PatchLink solutions is installed and running. If it is not installed or working, you can either run a script or redirect the client to a location from which these files can be installed.

Secure Workstation – With this template you can enforce requirements for password age, complexity, length and history. You can also check for Account Lockout, Disable Add/Remove Programs, Disable Registry Editor, Guest Account, IP address change, CD/DVD burning and Disable Autoplay. If these options are not present, you can run a pre-defined script to enforce them.

Backup Solution Management – You can set a requirement to check whether Symantec NetBackup or Backup Exec DLO is installed and running. If it is not installed, the client is directed to a location from which it can be installed, and if the service is not running, a pre-defined script runs to enable it.

HI Sample Toolkit – You can terminate an application with specific file fingerprints. You can also map network drives and reboot the client.

 

Predefined, simple-to-use requirements

Antivirus Requirement – You can set an antivirus requirement in your organization, meaning that your clients must be running the antivirus you have specified or they will be rejected from the network or sent to the quarantine network. Antivirus products that SNAC supports are AhnLab V3 Internet Security, AVG Internet Security/Antivirus, BitDefender Internet Security/Total Security, CA eTrust Antivirus/InoculateIT, Kaspersky Antivirus/Internet Security, McAfee VirusScan, Microsoft Forefront Client Security, Microsoft Live OneCare Antivirus, Norton Antivirus, Panda Antivirus, Sophos Antivirus, Symantec Endpoint Protection, Trend Micro OfficeScan Corporate Edition and Trend Micro PC-cillin. With these antivirus products you can check whether they are installed, running and have the latest definitions. If not, you can redirect clients to a location where the antivirus will be automatically installed or where users can download and install the AV software or the latest virus definitions. If the antivirus is turned off, you can also enable it.

You can also select Any Antivirus. With this option you can check the definitions and direct clients to download the definitions, but the options for installing or starting a specific application are not available.

Anti-Spyware Requirement – You can set an anti-spyware requirement in your organization, i.e. your clients must be running the anti-spyware you have specified or they will be rejected from the network or sent to the quarantine network. The anti-spyware products supported are AhnLab V3 Internet Security, Kaspersky Internet Security, Lavasoft Ad-Aware, McAfee Internet Security, Microsoft Forefront Client Security, Norton Internet Security/Norton 360, Symantec Endpoint Protection, Webroot Spy Sweeper and Windows Defender. With these anti-spyware products you can check whether they are installed, running and have the latest definitions. If not, you can redirect clients to a location where the anti-spyware will be automatically installed or where users can download and install the anti-spyware software or the latest virus definitions. If the anti-spyware protection is turned off, you can also enable the antivirus.

You can also select Any Anti-Spyware. With this option you can check the definitions and direct clients to download the definitions, but the options for installing or starting a specific application are not available.

Firewall Requirement – The firewall products supported are AVG Internet Security, BitDefender Internet Security/Total Security, CA Personal Firewall, Cisco Security Agent, ISS Proventia Desktop/BlackICE, Kaspersky Internet Security, McAfee Personal Firewall, Microsoft Live OneCare Firewall, Microsoft Windows Firewall, Norton Personal Firewall, Panda Firewall, Symantec Endpoint Protection, Trend Micro Personal Firewall and ZoneAlarm. With these firewall products, if the firewall is not installed or running, you can specify a link from which users can download the application. If the firewall is not turned on, you can also run a command to turn it on.

There is also an option for Any Firewall, but the options for installing or starting a specific application are not available.

Patch Requirement – With this requirement you can check whether a specific patch is installed on a Windows system. If it is not installed, you can direct the user to a location from which they can install the patch. It checks for each patch by Microsoft KB number (e.g. KB958644 for MS08-067); you must create a single HI requirement for each patch to check. Most customers use a custom check for a build number or patch management flag to check the overall patch level. The Windows operating systems supported are the Windows 2000 family, Windows XP family, Windows Vista family, Windows 2003 family and Windows 2008 family.

Service Pack Requirement – This is used to create a Host Integrity rule to check that a particular operating system service pack is installed on client computers. If not, options are provided to download and install the service pack to remediate the system. The Windows operating systems supported are the Windows 2000 family, Windows XP family, Windows Vista family, Windows 2003 family and Windows 2008 family.

Custom Requirement – With this requirement you can create a custom Host Integrity rule to check a client computer for software, processes, services, registry values, or files (including age, data, size, version, or fingerprint). You can specify a sequence of conditions and actions for the custom requirement.

It uses IF-THEN logic to check conditions. Many file and registry attributes can be checked with this requirement. In the IF statement you select a condition from a pre-defined set of conditions; in the ELSE statement you select the action you want to take from the pre-defined set of functions; you then choose whether, when the statement is true, the requirement is set as Pass or Fail.

For more information on working with a custom Host Integrity policy using custom requirement logic, read this article:
https://www-secure.symantec.com/connect/articles/working-custom-host-integrity-hi-policy-using-custom-requirement-logic
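
A small model of the check, remediate, re-check and quarantine flow described above, added here as an illustration; it is not SNAC policy syntax or Symantec code. The requirement names, the host dictionary layout and the `evaluate` function are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Requirement:
    name: str
    condition: Callable[[dict], bool]                   # IF: check against host state
    remediate: Optional[Callable[[dict], None]] = None  # action run when the check fails


def evaluate(host: dict, policy: list) -> dict:
    """Run each requirement, remediate a failure once, re-check, then decide access."""
    results = {}
    for req in policy:
        status = "pass" if req.condition(host) else "fail"
        if status == "fail" and req.remediate is not None:
            req.remediate(host)                  # e.g. start a service, set a value
            if req.condition(host):              # re-check after remediation
                status = "pass-after-remediation"
        results[req.name] = status
    failed = [n for n, s in results.items() if s == "fail"]
    recovered = [n for n, s in results.items() if s == "pass-after-remediation"]
    return {
        "results": results,
        "network": "quarantine" if failed else "full",
        "notify_recovered": recovered,  # basis for a "passes after failing" message
    }


def start_firewall(host: dict) -> None:
    host["services"]["firewall"] = "running"


def disable_autoplay(host: dict) -> None:
    host["registry"]["NoDriveTypeAutoRun"] = 0xFF  # illustrative registry value


# One requirement per KB number; the patch check has no automatic remediation here.
POLICY = [
    Requirement("patch-KB958644", lambda h: "KB958644" in h["patches"]),
    Requirement("firewall-running",
                lambda h: h["services"].get("firewall") == "running", start_firewall),
    Requirement("autoplay-disabled",
                lambda h: h["registry"].get("NoDriveTypeAutoRun") == 0xFF, disable_autoplay),
]

# Constructed sample hosts (not real inventory data).
unpatched = {"patches": set(), "services": {"firewall": "stopped"}, "registry": {}}
patched = {"patches": {"KB958644"}, "services": {"firewall": "stopped"}, "registry": {}}
```

A host that still fails any requirement after remediation is placed in quarantine; one that only needed remediation gets full access and is listed for the recovery notification.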

Notification –

Show verbose Host Integrity Logging – If you check the box for Show verbose Host Integrity Logging, detailed information about the Host Integrity requirement is displayed in the Security Log. Once you highlight the requirement, the lower right-hand pane of the Security Log shows the detailed information, which includes the conditions that the requirement checks for, such as a particular registry key. You can still view the information in the Compliance log on the Monitors page in the management server. If you uncheck this option, the results of the Host Integrity check still appear in the lower left-hand pane. By default this option is enabled (checked).

Display a notification message when a Host Integrity check fails – You can choose to display a notification message so that users know that the client computer did not pass the Host Integrity check.

Display a notification message when a Host Integrity check passes after previously failing – If the Host Integrity check fails and users are sent to remediate, the users will not know that the Host Integrity check ran again and passed this time. So you can display a notification message that informs the users if the check passes after a failure.

User must log on before applications and Host Integrity notifications appear – This option is checked (enabled) by default. Host Integrity remediation runs even if the user is not logged on. The client can remediate the client computer with operating system updates or necessary security software at any time. You can work around this issue when you write a custom requirement that uses the Run a program function. You can use this function to launch a program that uses the logged-in user context.

  

Comments

03 Sep 2009

Nice article Vikram on access control...
thanks...

Nel Ramos

Kali Elysees
Symantec Employee
04 Sep 2009

I agree.

Brandon Boyd Rocks!

shp
07 Sep 2009

Good info...

Thanks man......

Regards,
Srinivas H.P.
HCL Infosystems Ltd

zubair_chowgale
Partner
08 Sep 2009

SNAC more info

Hi Guys,

Can anyone guide me on SNAC implementation? The .pdf with the CD are mostly on SEP.

I have deployed SNAC on audit mode. I don't want to buy the LAN or Gateway Enforcer device. I want to use DHCP enforcer. How will the enforcer check for a system with no AV installed and quarantine it?

Can anyone send me a complete implementation guide on SNAC that also features info on all other enforcers?

thanks in advance.

regards
Zubair

Vikram Kumar-SAV to SEP
Symantec Employee
Accredited
08 Sep 2009

Manuals on SNAC

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

13 Sep 2009

Very nice and informative article.

Sandeep

17 Sep 2009

Good one.

@ayaba
Partner
01 Oct 2009

Yeah indeed - this is very informative

mdjainam
Partner
Accredited
02 Oct 2009

Symantec NAC, which was previously Sygate, has been the contributor to "Trusted Network Connect" and has been co-chairing the TNC standards for the last 6-7 years. Hence any standards implementation using IF-THEN should not be a problem.

http://www.trustedcomputinggroup.org/developers/

The TNC standards committee, led by Paul Sangster from Symantec and S Hanna from Juniper, has made excellent progress in the last one year, and new standards adoption and its integration with SNAC is something to watch out for.
IF-MAP is something which would enable all enterprises and businesses to adopt a standards architecture irrespective of which products they have.
However, to start with, SNAC is an excellent initiative.

MD

gilbert08
Partner
13 Dec 2009

Could you provide a copy of patch deployment procedure for SNAC? Thanks

05 May 2010

good article

16 Sep 2010

SNAC to turn On AV Engine

Hi,

Appreciate it if you guys can help on how to turn on the Client AV Engine through HI/SNAC policy.

Info: All SEPM Servers and GUP Servers are installed with SEP RU6 MP1 version.

TQVM ^_^

^_^ Emails Solsis Support ^_*

Mohit Gupta
Partner
09 Oct 2010

Hi,

It's a good article.

We can do even more things with SNAC. It comes under custom requirement.

Once I wanted to replace Sylink for all clients, but it was too difficult for me to run the Sylink replacer tool again and again, as the clients' uptime was not fixed.

So I replaced Sylink on all computers using SNAC.

Really, we can do a lot with SNAC custom requirement.

15 Dec 2011

Nice Article

Thanks.

15 Dec 2011

Good to help everyone 

17 Jan 2012

Nice Article!

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

madhan.k-123
Partner
10 May 2012

to understand the NAC components & policy templates

This posted information is very useful to understand the NAC components & policy templates available with that.

02 Dec 2012

Yes it is very detailed explanation!

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Ambesh_444
Partner
Accredited
04 Aug 2013

Nice and good article.

 

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

04 Aug 2013

Good post Vicky sir thanks alottttttttttttt