Symantec Endpoint Protection 11.0 / Symantec Network Access Control 11.0 Host Integrity Overview

Article:TECH102534  |  Created: 2007-01-26  |  Updated: 2008-01-20  |  Article URL http://www.symantec.com/docs/TECH102534
Article Type
Technical Solution


Environment

Issue



You would like to have a general overview of the Host Integrity functionality.


Solution



Host Integrity
What is it?

Host Integrity enables enterprises to enforce security policies at all entry points to the enterprise network including VPN, Wireless, and RAS dial-up servers. Host Integrity includes the ability to check for the presence and update status of firewalls, intrusion prevention, anti-virus and other third-party applications before granting access to an enterprise network.

Host Integrity consists of two components:

1. The SEPM-defined policy, in which the administrator defines:

    • when Host Integrity is run
    • which requirements must be met by each client
2. The client component (SNAC.exe), which runs the Host Integrity requirements and (optionally) interacts with the end user.

Which "flavors" are there?

The legacy Sygate protection technology can roughly be divided into two categories: hardware-based enforcement and so-called "Self Enforcement".

Hardware based Symantec Network Access Control Enforcement

This would include:

  • DHCP Enforcer
  • LAN Enforcer
  • Gateway Enforcer



Software Self Enforcement
    • Enforcement is done by the (SNAC) Client itself. No Enforcer hardware is required.

Self Enforcement

With Self Enforcement, the client can quarantine its system if it falls out of compliance. Quarantine policies have to be defined on SEPM. The client quarantines itself by switching to a quarantine firewall policy, that is, a firewall policy that restricts access to specific IP addresses or segments.
This allows for rapid deployment of basic endpoint security. No network-level systems or configuration are needed.

Self_Enforcement.JPG

The Host Integrity check runs every 2 minutes by default. It is actually run by a .JS (JavaScript) file that is included in the policies downloaded from the Manager. This script is deleted once HI is done.
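
The self-enforcement decision described above, sketched as a conceptual model. This is an added example, not Symantec code or the product's HI script. The requirement names, the networks in the quarantine list and the `must_pass` flag are assumptions made for illustration.

```python
"""Conceptual model of client-side self enforcement (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: these networks are hypothetical.
QUARANTINE_ALLOWED = [ip_network("10.0.5.0/24"),   # assumed remediation servers
                      ip_network("10.0.0.10/32")]  # assumed management server

@dataclass
class Requirement:
    name: str
    passed: bool
    must_pass: bool = True  # assumption: a requirement can be advisory only

def failed_requirements(results):
    """Names of the mandatory requirements that did not pass."""
    return [r.name for r in results if r.must_pass and not r.passed]

def select_policy(results):
    """The client switches itself to quarantine when any mandatory check fails."""
    return "quarantine" if failed_requirements(results) else "normal"

def outbound_allowed(policy, dest):
    """Quarantine permits only the listed addresses or segments.

    Simplification: the normal policy is modelled as allow-all, although a
    real firewall policy has its own rules.
    """
    if policy == "normal":
        return True
    addr = ip_address(dest)
    return any(addr in net for net in QUARANTINE_ALLOWED)

if __name__ == "__main__":
    # Constructed check results for one HI run.
    results = [Requirement("firewall running", True),
               Requirement("antivirus definitions current", False),
               Requirement("Notepad running", False, must_pass=False)]
    policy = select_policy(results)
    print("policy:", policy, "failed:", failed_requirements(results))
    for dest in ("10.0.5.20", "192.168.1.50"):
        print(dest, "allowed" if outbound_allowed(policy, dest) else "blocked")
```

Because the restriction is applied by the client's own firewall, the quarantine allow list is the only thing limiting what a non-compliant host can reach, so it should contain just the systems needed for remediation.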

What can HI check for? - Which Requirements can be selected?

  • HI can check for the following Predefined Requirements:

HI_Requirements.jpg


  • In addition, the admin can also configure Custom Requirements:

Custom_HI_Requirements.jpg


  • The admin has flexibility when configuring these requirement scripts. In the example below, Notepad should be running on the client:

Custom_HI_Req_Notepad.jpg


  • And if it is not running, run some program. (Note: by default, this is configured to run as System!)

Custom_HI_Req_Notepad_Else.jpg





Legacy ID



2007092617440948

