Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

[Question] - How to configure the SNAC policy for some environment.

Created: 24 Jun 2012 | 2 comments

Dear all, 

I have a question to make some policy for the network access control using SNAC.

If you have a solution for this, pleae share it to us. 

[Environment]

1. There are three domains, like this. A, B and C domains. 

2. There are some IPs for the exception. For example, VIPs in the corporate. 

3. There is no Enforcers with regard to Gateway, LAN, DHCP enforcer. 

[Requirements]

1. Only the users who logon to A domain should access to the network and internet. 

2. SNAC is able to check if who is the logon user and domain that the user logs on.

3.  If possible, sometimes SNAC can except for some users using IP. 

[My Idea]

I think that we can implement the above situation by using the some registry keys or values check, such kind of USERDNSDOMAIN in Windows 7.

(Probably, the value, USERDNSDOMAIN, has the data like this, XXX.A.COM)

SNAC policy can check the registry key for allowing the users who just logs on A domain to access to their network. 

What can I do for implementing this?

If you have some more idea, please let me know. 

Thanks in advance. 

Comments 2 CommentsJump to latest comment

Chuck Edson's picture

Use the custom requirements in the Host Integrity policy section to look for certain values, like the domain name or user name.  You could then, depending on the result of the domain lookup, either deny them access by failing host integrity or SNAC can write a registry key that the Location Based Firewall rules will pick up, and then switch the firewall rules to a more restricted ruleset that denies them access to portions of your network.

IF registry key = x, THEN fail ELSE pass.

or

IF registry key = x, THEN create registry key (for open firewall location) ELSE create registry key (for restricted firewall location). 

You could build into the host integrity rules to allow certain IP addresses to pass automatically (you will need to locate where in the registry the machine's IP address is located), or you could use the location based firewall settings to specify that when the machine has a particular IP address, allow or deny access to those subnets/domains by switching to a different firewall location ruleset.

If a post helps you, please mark it as the solution to your issue.

SMLatCST's picture

Is if you need to use NAC at all for this...

What Chuck has decribed above ("Thumb's Up" btw) can be done within SEP's native "Location Awareness"  capabilities (I'm assuming you have SEP otherwise how are you going to perform self-enforcement?!).

What you may also consider, is using SEP in User Mode to control access.  This allows you to set your polcies by user, rather than machine.  So if a VIP user wanders across to another machine, they are still assigned with the Firewall policies allowing them internet access, whereas if a normal user logged in, they would be assigned with a firewall policy to block web access.

More info on SEP's user mode can be found at http://www.symantec.com/docs/HOWTO27008