
Denying USB WLAN device with SNAC? Which enforcer to use?

Created: 07 Aug 2012 • Updated: 15 Oct 2012 | 9 comments
This issue has been solved. See solution.

Hi guys,

Is this the correct implementation for me to adopt, supposing that I'd like to deny any Wireless LAN USB device from operating in my environment?

http://www.symantec.com/business/support/index?page=content&id=TECH102536


Chuck Edson:

Check out Chapter 20 of the SEP Implementation Guide (pg. 433), "Managing Application and Device Control". I have attached the doc to this post.

This method would prevent a user from plugging in a USB device that matches the device's class ID (like the class of USB devices that pertain to networking). The one hangup with this is that there are some manufacturers that don't follow the standard protocol for naming their device IDs and class IDs, so you have to take a "block all, allow some" approach, which can be cumbersome if you don't have a standardized equipment program (where all the machines given to users are the same), because device and class IDs can vary between makes and even models of machines.

However, if configured correctly with network switches that are capable of authenticating multiple hosts on one switchport (which not all switches can do; you will have to check with your switch manufacturer), then the LAN Enforcer can be effective here.

Let's say you have a user whose machine is plugged into your network via Ethernet with a LAN Enforcer in place. The LAN Enforcer, upon the user's connection to the 802.1x-enabled network, will act as a proxy RADIUS server to the switch. The switch sees that there is activity on the port, and sends an EAP challenge packet to the client computer, requesting the user's credentials. The SNAC-enabled Symantec Endpoint Protection will see this challenge packet, and along with the username and password, will shim into the response the endpoint's "Host Integrity" result along with the SEP Policy number that is currently applied to the machine. Once that information is received by the switch, the switch forwards the EAP challenge information to the Enforcer (along with the additional info that SNAC threw in). The Enforcer then reads the HI result, compares the policy on the Endpoint to the one that is applied to it in the SEPM, and forwards the username/password to the actual RADIUS server (or domain controller). If the RADIUS server replies with a "Yes, I know that user/password", and the Enforcer says "Host Integrity is good, and the policy is current", then the Enforcer tells the switch to either open the port, or open the port and move it to a particular VLAN. If any of these fail, the LAN Enforcer will tell the switch to close the port or move the port to a particular VLAN (like a remediation VLAN). This is all configurable in the SEP Manager.

If your switch supports authenticating multiple hosts on one switchport, when a user adds a wireless device to their machine, and a second machine connects to it and tries to use the WLAN card as a bridge to the network, the switch will challenge the 2nd machine separately from the 1st machine, going through the process above. If the 2nd machine is non-compliant, then it will be either denied access or moved to a particular VLAN, while the 1st machine will remain connected.

As an added benefit, you can also create a Host Integrity policy that will fire off a script looking for any non-standard networking devices (i.e. a wireless card that you did not authorize) on your endpoint, and if one is found, it can be set to fail the Host Integrity test and the LAN Enforcer will send the non-compliant computer to a remediation VLAN with limited resources, or just shut down the port.  Note that the Host Integrity check is run by default every 30 seconds, so a user could self-remediate the situation by removing the wireless LAN card, and they will eventually be allowed on. 

Attachment: Implementation_Guide_SEP12.1.pdf (6.21 MB)

If a post helps you, please mark it as the solution to your issue.

SOLUTION
John Santana:

Hello people, I'm also looking for a similar goal to the original poster's. Thanks for the knowledge sharing, but that sounds complicated to me. How about if the hardware switch is not supported?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Chuck Edson:

I just realized I did not directly answer your question . . .

Yes, a LAN Enforcer would be the best for a scenario where the Endpoint with the rogue USB WLAN device is INSIDE your network, and you are trying to prevent others from using that rogue USB WLAN device as a bridge to your network.


Dushan Gomez:

Yes, that is what I want to know ;-) so based on your explanation it is possible to do that by implementing the SNAC LAN Enforcer.
Correct me if I'm wrong.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

Chuck Edson:

Yes, if your switch supports multi-hosts on one port, then you should be able to use the LAN Enforcer in this scenario.

If you are going to use the Host Integrity/SNAC portion of the SEP client to search for unapproved network adaptors using a script, then the LAN Enforcer would be beneficial to enforce the policy at the network layer.

John Santana:

Cool, "switch supports multi-hosts on one port" --> so that is the term to ask the networking team about :-)

"going to use the Host Integrity/SNAC portion of the SEP client to search for unapproved network adaptors using a script" --> what script is this, Chuck?

Kind regards,

John Santana
IT Professional


Chuck Edson:

John,

Method 1 would be a custom script, one that is currently not included in the product. I would take a look at how to enumerate the different devices that are attached to the machine that come up as networking devices, and fail Host Integrity if the device class or ID does not match a company-approved device.

As far as the other method of possibly doing this: in Cisco, the command is called Multi-Domain. Check out http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml for an example to see if this would work for you. This article talks about endpoints and VOIP phones sharing the same Ethernet port, but the logic is the same.

Multi-Domain may, or may not, work for you depending on how the endpoint passes the information (i.e. if the endpoint acts as a proxy, this would not be your solution, as the switch would only see the one MAC address from the Endpoint machine, not the MAC address of the secondary device you are trying to block).

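The custom script Chuck calls "Method 1" (enumerate the machine's network devices and fail Host Integrity when one is not company-approved, as also described in his first reply) is not shipped with the product, so here is one way to write it. This is an added example, not code from this thread, from Symantec or from the SEP product; the hardware IDs in `$ApprovedHardwareIds` are placeholders, the function names are mine, and it assumes the administrator's HI custom requirement is written to treat either the non-zero exit code or the marker file the script writes as a failed check. It uses the Win32_NetworkAdapter WMI class, whose PNPDeviceID exposes the bus (PCI, USB) and the vendor/device pair that the allow list is keyed on.

```powershell
# Added example (not from the thread or Symantec): enumerate physical network
# adapters on a Windows endpoint and report any that are not company-approved.
# ASSUMPTION: the IDs below are placeholders; replace them with the bus\vendor&device
# values of the adapters your organisation actually issues (see Device Manager,
# or run the same WMI query and read PNPDeviceID on a known-good machine).
$ApprovedHardwareIds = @(
    'PCI\VEN_8086&DEV_15BB',   # placeholder: onboard Ethernet controller
    'PCI\VEN_8086&DEV_24FD'    # placeholder: onboard Wi-Fi card
)

function Get-AdapterHardwareId {
    # Reduce a PNPDeviceID such as 'USB\VID_0BDA&PID_8178&MI_00\6&1A2B3C4D&0&0000'
    # to 'USB\VID_0BDA&PID_8178': the bus plus the vendor/product (USB) or
    # vendor/device (PCI) pair. The trailing instance path differs per physical
    # unit, so it is useless in an allow list and is dropped.
    param([Parameter(Mandatory)][string]$PnpDeviceId)
    $pattern = '^(?<bus>[A-Z]+)\\(?<id>(VID_[0-9A-F]{4}&PID_[0-9A-F]{4}|VEN_[0-9A-F]{4}&DEV_[0-9A-F]{4}))'
    if ($PnpDeviceId -match $pattern) {
        return ('{0}\{1}' -f $Matches['bus'], $Matches['id']).ToUpper()
    }
    # Unknown ID layout: keep the first two path components so it stays comparable.
    return (($PnpDeviceId -split '\\')[0..1] -join '\').ToUpper()
}

function Test-NetworkAdapterCompliance {
    param(
        [string[]]$Approved = $ApprovedHardwareIds,
        [switch]$DenyAllUsb    # also flag any USB-attached adapter, approved or not
    )
    $findings = @()
    # PhysicalAdapter=True drops WAN miniports, tunnel and other virtual adapters;
    # entries without a PNPDeviceID carry nothing we can compare.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -and $_.PNPDeviceID }
    foreach ($adapter in $adapters) {
        $hwid   = Get-AdapterHardwareId -PnpDeviceId $adapter.PNPDeviceID
        $bus    = $hwid.Split('\')[0]
        $onList = $Approved -contains $hwid
        $reason = $null
        if (-not $onList)                      { $reason = 'hardware ID not on approved list' }
        elseif ($DenyAllUsb -and $bus -eq 'USB') { $reason = 'USB network adapters not permitted' }
        if ($reason) {
            $findings += [pscustomobject]@{
                Name       = $adapter.Name
                Bus        = $bus
                HardwareId = $hwid
                MacAddress = $adapter.MACAddress
                Reason     = $reason
            }
        }
    }
    return ,$findings
}

# -DenyAllUsb matches the original poster's goal of refusing USB WLAN devices
# outright; leave it off if only the allow list should decide.
$findings = @(Test-NetworkAdapterCompliance -DenyAllUsb)

# ASSUMPTION: the HI custom requirement fails when this marker file exists, or
# when the script exits non-zero; keep whichever signal your HI rule checks.
$marker = Join-Path $env:ProgramData 'HostIntegrity\unapproved-nic.txt'
if ($findings.Count -gt 0) {
    New-Item -ItemType Directory -Path (Split-Path $marker) -Force | Out-Null
    $findings |
        ForEach-Object { "{0}`t{1}`t{2}`t{3}" -f $_.Bus, $_.HardwareId, $_.MacAddress, $_.Reason } |
        Set-Content -Path $marker
    Write-Output ('Host Integrity FAIL: {0} unapproved network adapter(s)' -f $findings.Count)
    $findings | Format-Table Name, Bus, HardwareId, MacAddress, Reason -AutoSize
    exit 1
}
Remove-Item -Path $marker -Force -ErrorAction SilentlyContinue
Write-Output 'Host Integrity PASS: all physical network adapters are approved'
exit 0
```

Because Host Integrity re-runs on its own schedule (Chuck notes the default is every 30 seconds), the marker file is removed again on a clean run, so a user who unplugs the unapproved adapter falls back into compliance without administrator action; the LAN Enforcer then handles the port or VLAN decision at the network layer exactly as described above.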

John Santana:

Ah ok, many thanks for the reply and explanation, Chuck. I really appreciate your efforts in doing this.

Kind regards,

John Santana
IT Professional


Dushan Gomez:

Thanks, Chuck, for the suggestion; sorry for the delay in replying to the thread.

Dushan Gomez
IT Manager