Reviewer's guide. PureMessage for Windows/Exchange Product tour


Reviewer's guide: Sophos NAC Advanced

Welcome

Welcome to the reviewer's guide for NAC Advanced. The guide provides a review of the core functionalities of this vendor-neutral network access control software. The document is structured to provide organizations with information about the NAC architecture and potential implementation scenarios, including details of the major software components and system interactions. After reading the guide, you will have a deeper understanding of how NAC Advanced delivers the most reliable and intelligent network access control available.

NAC Advanced is part of Sophos's award-winning security and control solutions and is purpose-built for enterprises. It is backed up by 20 years' experience and expertise delivered by SophosLabs, our global network of threat analysis centers defending organizations against known and unknown malware, spyware, intrusions, unwanted applications, spam, and policy abuse. Early detection and protection from ever more complex and fast-spreading security threats is one of the reasons that Sophos is acclaimed for delivering the highest level of customer satisfaction and protection in the industry.

As with all our products, NAC Advanced includes comprehensive 24-hour support from our worldwide network of support engineers, available at no additional cost, every day of the year.

For information on pricing and availability of NAC Advanced, contact your local representative. To find out who serves your area, please visit:

If you would like to request a secure, private assessment of computers that pose a threat to your organization, please visit:


Contents

1 Introduction
  The need for network access control
  The security enforcement solution
2 Functionality and features
  Fundamental processes
  Core features and benefits
3 Software architecture
  Client-side components
  Server-side components
4 User interface
  Manage
  Enforce
  Report
  Configure system
5 Typical configuration
  Policy building blocks
  Alert building blocks
  Process flow
6 Enforcement mechanisms
  Enforcement scenarios
  Complete enterprise protection
  Agent enforcement
  Web agent enforcement
  802.1X enforcement
  DHCP enforcement
  IPSec VPN enforcement
  SSL VPN enforcement
  Cisco LAN-based enforcement
7 Summary
Appendices
  I System and network requirements
  II Integration with enterprise infrastructure

1: Introduction

The need for network access control

Organizations require network access control for two main reasons:

- To prevent unmanaged or unauthorized computers from accessing enterprise resources.
- To ensure that managed computers are compliant with a defined policy prior to accessing enterprise resources and periodically after connecting to them.

Preventing all unmanaged computers from accessing the network is a cumbersome and often difficult process. Organizations must be certain that their networks are not open to security breaches, but many still rely on voluntary compliance from their employees when it comes to installing or updating applications and operating system patches on managed computers. When compliance is left to employees, the organization carries vulnerabilities that cannot be accurately calculated. Security compliance must be enforced for all device types and access methods in order to protect network resources fully.

The security enforcement solution

Network security: Organizations need to prevent unauthorized computers accessing the network, and ensure that managed computers are compliant with security policy.

NAC Advanced offers the most comprehensive and easy-to-deploy network access control solution available, giving organizations the ability to control who and what is connecting to their networks. It is a vendor-neutral solution that does not stand in the data path, and that does not require network re-architecture or upgrades to existing network equipment. Most importantly, it can be configured to deny or quarantine network access to unmanaged and non-compliant managed computers, while permitting access to compliant managed computers, and it continues to perform compliance checks during network connections.

Additionally, NAC Advanced provides advanced real-time reporting data, the ability to archive data for regulatory compliance, and the ability to configure alerts based on specified criteria.

2: Functionality and features

Fundamental processes

NAC Advanced incorporates five processes that enable organizations to:

- Define security policies for all LAN and mobile, managed and unmanaged computers centrally
- Assess compliance proactively prior to network access and also during the network session
- Report and alert on the state of compliance over time
- Remediate computers to bring them into compliance, and
- Enforce compliance systematically for operating systems, patches, and applications.

Sophos's vendor-neutral, extensible framework provides predefined detections for over 350 security applications (see Appendix II) and 400 operating system patches. Also, NAC Advanced expands to manage additional security applications in response to new, unforeseen threats by providing custom application creation.

NAC processes: NAC uses these five processes for network access control: define, assess, report and alert, remediate, and enforce.

Define policy

The user interface in NAC Advanced provides a central location for organizations to define policies that manage and control access to enterprise network resources by evaluating computers. These policies consist of profiles and access templates.

Profiles allow administrators to define reusable components for computer evaluation such as operating systems, patches, and security applications. Profiles encapsulate conditions, actions, and compliance settings for a given component so that it can be implemented in multiple policies. Once profiles are added to a policy, administrators can control which actions are performed on the computer by defining how security applications of a specific type are grouped, and which policy behavior is assigned to those applications. Operating systems are explicitly defined in policy, allowing administrators to ensure that the correct operating system is installed prior to evaluating additional profiles.

Policies enable administrators to select the access templates that are assigned to the computer based on its compliance assessment. Access templates define how computers are granted network access when associated with specific compliance states, and signal how the various enforcement types (the agent, RADIUS, and DHCP) will treat a specific compliance state.

Assess compliance

Computers attempting to connect to the network are assessed for compliance with a defined policy. Evaluation includes compliance monitoring at an interval specified by the administrator. Compliance assessment is provided by the:

- Compliance Agent (installed on the client)
- Compliance Dissolvable Agent (downloadable Java applet application)

The Compliance Agent provides comprehensive compliance assessment and enforcement of managed computers, both prior to and during a network session. The Compliance Dissolvable Agent provides the same assessment prior to network access for remote or LAN-based unmanaged computers. Sophos recommends using the Dissolvable Agent in cases where a client-based agent is not installed or cannot be installed on a computer.

NAC agents: Distributed, low-profile client applications perform rules-based assessment of operating systems, patches, and applications and report the results back to the NAC policy.

Report and alert on results

NAC Advanced includes a rich set of tools that report on the compliance status and network access of all enterprise computers. Organizations must know the state of security compliance of their computers and users. The user interface reports provide data and intelligence relating to user sessions, policy compliance, exemptions, network access, and application inventory. This data is a comprehensive view of computers that are compliant or non-compliant with the defined policies.

Additionally, NAC Advanced has defined 8 SQL Views that provide network access, compliance, and agent reporting data. SQL Views enable organizations to manipulate report data outside the confines of NAC, thus providing improved report flexibility and interoperability with third-party report generation products.

In addition to reports, NAC Advanced provides alerts that give organizations proactive notifications of events, using email or the event log as notification methods. Alerts are based on administrator-defined criteria and provide the means to integrate with current monitoring software. With alerting, administrators can react quickly to significant compliance and enforcement issues as they occur, without having to poll report data first in order to discover issues.

Remediate

NAC Advanced supports automated remediation actions for predefined security applications. Remediation actions allow an administrator to bring a computer back into compliance with no interaction required from the user. Remediation actions that are supported include initiating an update of signature files; scanning a computer; and enabling real-time protection, a firewall, or Windows Automatic Updates. Additionally, for applications that do not support automated remediation actions, administrators can provide messages and links for user-initiated remediation, such as a link to a remediation server to retrieve and update application patches.

Enforce compliance

Organizations need to enforce compliance with their defined policies to protect their networks from threats arising from non-compliant computers. Through authentication and enforcement, NAC Advanced determines what network resources are accessible to computers attempting to connect, based on each computer's compliance with policy and the associated access template.

NAC Advanced supports a range of network- and agent-based enforcement. Remote IPSec and SSL VPN users are supported through RADIUS, and LAN-attached (both wired and wireless) users are supported through 802.1X, DHCP, and/or Cisco NAC enforcement. The Compliance Agent can also act as an enforcement point with its built-in quarantine capabilities, which can be used either for remote or LAN-attached computers. Additionally, unmanaged computers can be detected and enforced with DHCP, and guest computers can be assessed for compliance using the Compliance Dissolvable Agent.

All types of enforcement can be used simultaneously in any combination in the organization's network. Additionally, administrators can exempt devices such as printers and IP phones from enforcement when using the RADIUS Enforcer or the DHCP Enforcer.

Core features and benefits

Feature: Centralized policy management
Benefit: User interface offers centralized policy-building, enforcement control, reporting and alerting, and a customizable dashboard page with immediate NAC compliance statistics.

Feature: Extensive reporting
Benefit: Helps troubleshooting compliance and network access, as well as analyzing application and policy deployment trends. Predefined SQL Views enable administrators to manipulate report data outside the user interface.

Feature: Security application support
Benefit: Includes detection for over 350 predefined security applications.

Feature: Intelligent operating system patch detection
Benefit: Includes defined detection for over 400 patches, using context-aware technology to limit detection to those patches applicable to the installed operating system.

Feature: Custom application support
Benefit: Allows administrators to create custom applications to determine whether enterprise-specific applications are installed or running, the version that is running, and whether the application is configured with a specific value.

Feature: Access control templates
Benefit: Provides granular control of network access and determines when and how computers are quarantined, how remediation resources are made available, and what level of access computers receive.

Feature: Remediation actions
Benefit: Automatically brings users into compliance, e.g. by initiating an update of a security application, running a scan, and enabling real-time protection, a firewall, or Windows Automatic Updates.

Feature: Exemption management
Benefit: Exempts devices that do not require compliance assessment, such as printers, routers, or IP phones.

Feature: Agent localization capabilities
Benefit: Provides the capability to distribute a localized agent.

Feature: Endpoint Security and Control optimization
Benefit: Contains predefined profiles for Endpoint Security and Control applications, and delivers extended assessment capabilities for Anti-Virus.

3: Software architecture

This section provides a deeper technical understanding of how NAC Advanced provides enforcement in an enterprise environment. NAC consists of two main components:

- A client-side component that either resides on each computer, or resides on a web server and is accessible by guest computers or computers that cannot install the client component.
- A set of server-side components (with optional redundancy).

An example of NAC Advanced architecture is shown in Figure 1.

Client-side components

NAC Advanced client-side components are:

- Compliance Agent (preinstalled Compliance Agent)
- Compliance Dissolvable Agent (on-demand Compliance Agent)

These agents determine whether each computer is in compliance with the defined policy.

[Figure 1: An example of NAC Advanced architecture]

Compliance Agent

The Compliance Agent is a software component that resides on a computer and provides assessment, messaging, quarantining, reporting, and remediation. It retrieves the most recent policy from the application and assesses the computer's compliance based on the defined policy. The agent displays in one of eight languages, determined by user locale. The agent can be branded in additional languages by changing text and other design elements as necessary.

The agent can also be invoked by third-party network access applications, such as VPN clients, via the Compliance Checker command-line tool, which initiates a full compliance assessment by the agent. This feature allows an administrator to control computer compliance checks as part of an integrated network access process.

The agent provides assessment and enforcement prior to network connection, and periodically during the session, with the option for the agent to provide quarantine functionality. If using the agent, you can enforce access using the Agent Enforcer, RADIUS Enforcer and/or DHCP Enforcer. Sophos recommends that you use the Agent Enforcer (agent quarantine capabilities) for enforcement.

The agent enforces access and functions as follows:

- The agent uses a network filter driver to provide network quarantine by filtering outbound network traffic.
- When a computer attempts to connect to the network, it is quarantined using a default network access template until assessment is performed.
- Once assessment is performed, the computer is permitted or restricted access to network resources based on its state of compliance.
- Agent enforcement quarantines computers to those remediation points that are defined in the Agent Enforcer access templates associated with policy.
- Once a computer passes compliance assessment, removal from quarantine happens during the next scheduled compliance assessment or when the user initiates a compliance check.

The Compliance Agent has logging capabilities for troubleshooting purposes. The user can enable or disable logging through a check box option and run a user-initiated compliance check to generate log files. The agent supports multiple log files that, if used, are saved to the computer's hard disk for troubleshooting. Log files exclude user-sensitive data and contain customizable levels of information.

The agent results dialog box in Figure 2 displays a sample message to the user based on an assessment of a computer.

[Figure 2: Sample Compliance Agent Results dialog box]

Compliance Dissolvable Agent

The Compliance Dissolvable Agent is a downloadable agent that provides computer assessment, messaging, reporting, and remediation through the use of a Java applet application. It retrieves the most recent policy from the application and assesses the computer's compliance based on the defined policy.

The Dissolvable Agent is designed to provide compliance assessment capabilities for a known user on an unknown computer. The Dissolvable Agent effectively provides compliance assessment for guest users who require access to network resources. These guests may be consultants, auditors, or other non-employees who are authorized to access enterprise information. Throughout an organization, the Dissolvable Agent can be used alone or in combination with the Compliance Agent.

The Dissolvable Agent provides pre-connect assessment with the option for enforcement using the RADIUS Enforcer and/or DHCP Enforcer. The Dissolvable Agent functions as follows:

- The Dissolvable Agent assesses and reports compliance.
- All messages and errors are reported to the user.
- The Dissolvable Agent supports multiple log files that, if used, are saved to the computer's hard disk for troubleshooting. Log files exclude user-sensitive data and contain customizable levels of information.

The Dissolvable Agent results dialog box in Figure 3 displays a sample message to the user based on an assessment of a computer.

[Figure 3: Sample Compliance Dissolvable Agents Results dialog box]

Server-side components

NAC Advanced server-side components are:

- Compliance Application Server
- Compliance Databases
- DHCP Enforcer

Server-side components associated with NAC Advanced include the interfaces, database components, and enforcers. In some cases, server-side components can be deployed separately to support global deployments and various network infrastructures. The two principal elements are the application and SQL database components. Each of these contains additional sub-components.

Compliance Application Server

The application contains the user interface, Agent interfaces (Registration, Policy, and Reporting), RADIUS Enforcer, alert service, Patch loader, and Current definitions loader. During user authentication, which is optional, the RADIUS Enforcer validates user credentials against an enterprise's user store. NAC Advanced supports Active Directory or any user store accessible using RADIUS or LDAP.

User interface

The user interface offers policy-building capabilities; enforcement configuration; reporting and alerting capabilities; a customizable dashboard page with NAC compliance statistics; tiered web interface security accounts; and auditing capabilities. The user interface is explained in detail in Section 4.

Agent interfaces

- Registration interface: Provides registration services to the agent. The Registration interface performs user authentication when the agent registers first-time users and when re-registration is required. This process validates the user's username and password and also updates the user's group association. A user record is added to the registration table, and this record includes the user's group association and an assigned registration key. The registration key is used to validate all future communications with the agent.
- Policy interface: Optimizes policy retrieval between the Policy store and the agent. The Policy interface verifies the user's registration and the authenticity of the agent request by validating the registration key in the registration table. Additionally, the Policy interface retrieves the user's group association from the registration table. The group association is used to retrieve policy, which is not retrieved if the agent already has the current policy.
- Reporting interface: Accepts reporting data from the agent and stores it in the Report store. The Reporting interface verifies the user's registration and the authenticity of the agent request by validating the registration key in the registration table. This process is done before the data is stored.

RADIUS Enforcer

The RADIUS Enforcer, which provides RADIUS enforcement, interacts with the enterprise user store and the enterprise VPN remote access concentrator as a proxy to perform authentication, and retrieves compliance status when computers attempt to connect to the enterprise network. The compliance status and the network access template determine whether the computer is permitted or denied access, or quarantined. The RADIUS Enforcer installs as part of the application installation. Optionally, the RADIUS Enforcer can be installed separately on other servers.

Alerting service

The service processes alertable events (i.e. new compliance data reported or enforcement actions taken) and, based on the alert definitions, generates alert actions (event log or email) if the defined criteria and thresholds have been met.

Patch loader

This loader is responsible for adding and updating patches. The task is scheduled to run daily. When the task runs, it retrieves the patch update file and takes up-to-date patch information from it. The administrator can also initiate the loader by manually running the scheduled task via the task scheduler.

Current definitions loader

This loader is responsible for retrieving the latest dates for the current signature for every anti-virus and anti-spyware application. The task is scheduled to run every hour. When the task runs, it retrieves a file and takes from it the latest dates for the current signature for every anti-virus and anti-spyware application. The administrator can also initiate the loader by manually running the scheduled task via the task scheduler.

Compliance Databases

SQL database components contain all databases used by NAC Advanced, including the Policy store, Report store, Report warehouse, and the Warehouse load.

- Policy store: Database that holds the policy data required by the agent.
- Report store: Database that holds the current data reported by the agent that is displayed in the user interface Reports area.
- Report warehouse: Database that contains archived report information that is displayed in the user interface Reports area.
- Warehouse load: Responsible for moving report data to the Report warehouse. The tool is scheduled to run once every 24 hours. When it runs, the tool pulls the report data from the current reports and archives it in the Report warehouse. The administrator can also initiate the loader by manually running the scheduled task via the SQL task scheduler.

DHCP Enforcer

The DHCP Enforcer, which provides DHCP enforcement, interacts with the RADIUS Enforcer and enterprise DHCP servers; retrieves compliance status when computers attempt to connect to the enterprise network; and, based on defined enterprise policy, returns the appropriate user class for IP address lease assignment and options through the normal DHCP process. The DHCP Enforcer is installed on a DHCP server and is not installed on the Compliance Application Server.

4: User interface

The NAC Advanced user interface is the gateway to policy management and control. The user interface provides policy building, reporting, alerting, access control, and system configuration. The user interface also provides a customizable dashboard page with graphical representation of report data, computer distribution information, and system updates. After logging in, administrators are provided with an immediate view of their organization's overall NAC compliance and most significant high-level deployment statistics.

The user interface is divided into four main functional navigation areas: Manage, Enforce, Report, and Configure System.

[Figure 4: Compliance Manager]

Manage

This area provides comprehensive components for building and managing policies and managing computers.

Policies

Policies enable administrators to control access to enterprise network resources for specific groups based on profile-based evaluations on the computer. Policies determine the compliance state of the computer, messages that are displayed, remediation actions that are performed, and enforcement actions that are taken. Policies include agent settings, profiles, and access template assignments. Once created, a policy must be assigned to a group. A specific group can be assigned only one policy; however, a single policy can be assigned to an unlimited number of groups.

Additionally, administrators can specify the policy mode, which allows for a phased enforcement approach rather than an all-or-nothing network access control approach. This feature, which is available on a policy-by-policy basis, enables administrators to define production policy and then distribute it to users in phases, by reporting on compliance first, then performing remediation steps to gain compliance, and finally enforcing network access.

[Figure 5: Sample Policy]

Profiles

Profiles allow administrators to define components, such as operating systems, patches, and applications, for the evaluation of computers. A profile defines application capabilities, compliance settings, and optional messaging and remediation actions for a given component so that the profile can be implemented in multiple policies. Compliance settings include multiple states, such as compliant, partially compliant, and non-compliant.

Profiles ensure that policies are simple to configure and update, since making a change to a profile propagates that change to all policies containing that profile. The user interface provides predefined profiles that can be used for testing, configuration guidance, or as a template for production-ready profiles.

Enforce

This navigation area offers granular control of network access using access templates and exemptions.

Easy-to-use templates: Controlling how computers are quarantined, the availability of remediation resources, and levels of network access is simple with NAC's access templates.

Access templates

NAC Advanced provides control of network access for agent, RADIUS, and DHCP enforcement, using access templates to control how computers are quarantined, what remediation resources are available, and what level of access computers are granted, based on their state of compliance. Additionally, access templates signal how the Agent Enforcer, RADIUS Enforcer, and/or DHCP Enforcer will treat a specific compliance state.

Agent Enforcer access templates identify the network resources that computers can or cannot access when performing agent enforcement. With the support of an application-based quarantine, which filters traffic according to the application, the administrator can define quarantine enforcement in terms of applications rather than by defining a list of IP addresses. Additionally, administrators can define network resources using ports and protocols as well as IP addresses. Once defined, network resources are added to Agent Enforcer access templates. The network resources determine what users can and cannot access while in quarantine.

The RADIUS Enforcer and DHCP Enforcer access templates are controlled on a per-policy basis and complement the established enterprise network architecture by adding enforcement. The RADIUS Enforcer is used with VPN, 802.1X, and other RADIUS implementations. The DHCP Enforcer is used with DHCP implementations and serves as an extension to Microsoft's DHCP server. DHCP can be used with the Dissolvable Agent to assess and enforce guest user access.

Exemptions

The user interface provides administrators with a way to exempt devices from enforcement. Exemptions include devices that are either not able to run the agent or do not require compliance assessment, such as servers, routers, and printers. Only devices receiving dynamically assigned IP addresses need to be exempted. Additionally, when exemptions are used, the administrator receives exemption reporting through the DHCP and RADIUS exemption reports. Exemptions are available when the RADIUS Enforcer or the DHCP Enforcer is used for enforcement.

Exemptions simplify the rollout of NAC to subsets of network and enforcement devices by segregating those that do not require enforcement or on which administrators are not yet ready to enforce policy. Administrators can create policy as usual and target specific computers or subsets of devices for exemption when needed.

Report

This area offers a suite of reports for troubleshooting compliance and network access. Reports display enforcement actions and all compliance information from the agents. Using a SQL-based database, the pre-configured reports enable administrators to assess compliance, troubleshoot, and review user interface audits. Additionally, predefined SQL Views can be used to manipulate report data outside the user interface. Administrators can also analyze application and policy deployment trends.

Extensive report data: Pre-configured reports provide compliance, access, quarantine, and exemption information. Additionally, 8 SQL Views are available.

[Figure 6: Sample Report]

Configure system

This area provides control over components required for system management and configuration, such as agent deployment, settings, and system accounts, and in particular, alerts.

Alerts

Alerts enable administrators to define alert criteria, frequency, and delivery actions, providing timely notification of compliance and enforcement issues. Administrators can receive and view alert information in an email, in the application event log, or in a third-party application using event log or email integration. Alerts are based on the same detailed data displayed in the NAC reports, so when used in conjunction with the reports, they are useful for proactively tracking down potential problems prior to support calls.

[Figure 7: Sample Alert creation]

5: Typical configuration

This section describes a typical scenario, illustrating NAC Advanced using agent enforcement, whereby unauthorized users are quarantined by the remote access concentrator or the DHCP server. This scenario therefore requires the use of the DHCP Enforcer. The administrator defines policy and alerting in the user interface.

Policy building blocks

1. Agent settings: Specify that the agent will re-assess the computer for compliance every hour. Leave the other agent settings unchanged.

2. Profiles: The policy contains the following profiles and the policy mode is Enforce:

- Windows XP operating system profile: Requires that Windows XP and the appropriate service packs are installed.
- Internet Explorer 8.x patch profile: Requires that all Internet Explorer 8.x security patches are installed. Note: When these patches are not installed, users receive a message and the software automatically enables Windows Automatic Updates.
- Anti-Virus version 9.x profile: Requires that Anti-Virus is installed, real-time protection is enabled, the signature is updated within five days, and the software version is greater than or equal to 9. Note: When Anti-Virus real-time protection is not enabled, users receive a message and the software automatically enables the real-time protection. When the signature is out of date, users receive a message and the software automatically updates the signature.
- Client Firewall 2.x profile: Requires that the Client Firewall is installed, enabled, and the software version is greater than or equal to 2. Note: When Client Firewall is not enabled, users receive a message and the software automatically enables their firewall.

3. Access templates: The table on the next page provides information about various compliance states (compliant, partially compliant, and non-compliant) and the access template behavior associated with each of them.

Compliance states and access template behavior

Compliance state: Compliant
  Criteria: Windows XP and service packs are installed. Internet Explorer 8.x security patches are installed. Anti-Virus 9.x is installed, real-time protection is enabled, and the signature is up to date. Client Firewall 2.x is installed and enabled.
  Remote users with Compliance Agent: The Agent Enforcer access template permits network access. The RADIUS Enforcer access template permits network access.
  LAN users with Compliance Agent: The Agent Enforcer access template permits network access. The Enforcer access template permits network access.

Compliance state: Partially compliant
  Criteria: Windows XP and service packs are installed. Internet Explorer 8.x security patches are installed. Anti-Virus 9.x is installed, real-time protection is enabled, but the signature is out of date. Client Firewall 2.x is installed and enabled.
  Remote users with Compliance Agent: The Agent Enforcer access template permits network access. The RADIUS Enforcer access template permits network access.
  LAN users with Compliance Agent: The Agent Enforcer access template permits network access. The Enforcer access template permits network access.

Compliance state: Non-compliant*
  Criteria: Windows XP and service packs are installed. Some of the Internet Explorer 8.x security patches are installed and some are not installed. Anti-Virus 9.x is installed, but real-time protection is not enabled, and the signature is out of date. Client Firewall 2.x is installed, but is not enabled.
  Remote users with Compliance Agent: The Agent Enforcer access template quarantines users and only permits access to the internet and to the enterprise remediation. The RADIUS Enforcer access template permits network access.
  LAN users with Compliance Agent: The Agent Enforcer access template quarantines users and only permits access to the internet and to the enterprise remediation. The Enforcer access template permits network access.

Compliance state: Unknown
  Criteria: Compliance is unknown because the agent is not installed and no assessment has been completed.
  Remote users with Compliance Agent: The RADIUS Enforcer access template specifies that the remote access concentrator deny network access.
  LAN users with Compliance Agent: The Enforcer access template specifies that the deny network access.

* Internet access allows the anti-virus signature to be updated by the software. Remediation access allows the Internet Explorer patches to be downloaded by the user.

Alert building blocks

1. Alert type: Specify Compliance so that the alert is defined by the compliance state with policy.
2. Alert restrictor: Specify Every time so that an alert occurs every time the criteria are met.
3. Alert criteria: Specify Non-compliant so that every time a non-compliant computer is assessed, an alert is sent to the administrator.
4. Alert action: Specify and complete the required notification fields. Every time a user is non-compliant, an alert is sent to the administrator.

Process flow

1. Policy assignment: The administrator selects which group to assign to this policy. The group assignment is based on the groups defined in the enterprise's own authentication store.

2. Connection and policy retrieval: The agent securely retrieves the latest policy from the application via HTTPS. Each user registration is optionally authenticated against the enterprise user store, and the appropriate policy is retrieved.

3. Policy assessment: On retrieval, the agent assesses the computer according to the profiles in the policy. In this scenario, the agent assesses the operating system and service packs, Anti-Virus, Client Firewall, and the Internet Explorer security patches.

4. Reporting and alerts:
   - Reporting: The agent reports its assessment results (compliance status, user and computer details) back to the application, where the session and compliance information is recorded in the SQL database. In this scenario, the information includes results of the assessment of Anti-Virus status, version, and signature; Client Firewall status and version; the operating system and its Internet Explorer security patch level.
   - Alerts: When a user is non-compliant, an alert is sent to the administrator.

5. Messaging: If users are partially compliant or non-compliant, all applicable messages and assisted remediation links are displayed to the users.

6. Remediation: If the user is partially compliant or non-compliant, the remediation capabilities specified in the policy are completed. In this scenario, the software automatically enables Windows Automatic Updates, updates the Anti-Virus signature file, enables real-time protection on Anti-Virus, and enables the Client Firewall.

7. Enforcement: When computers attempt to gain access to the enterprise network, the appropriate enforcement mechanism checks the compliance state that has been reported by the agent for each user. Once the compliance state is checked, the access template associated with the compliance state determines network access. The network resources that the user can and cannot access are determined by the access template.

8. Continuous policy assessment: Every hour (configurable in policy), the computer is re-assessed for compliance.
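The policy assessment and enforcement steps of this scenario, as an added Python example that is not Sophos code: it models the scenario's four profiles, the remote-user access templates from the compliance table, and an enforcer lookup that treats a missing or stale compliance record as Unknown. The field names, the split into "hard" and "soft" failures, and the two-interval staleness limit are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from enum import Enum


class State(Enum):
    COMPLIANT = "compliant"
    PARTIAL = "partially compliant"
    NON_COMPLIANT = "non-compliant"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Assessment:
    """One agent assessment; field names are hypothetical."""
    os_service_packs_ok: bool
    ie_patches_missing: int
    av_installed: bool
    av_version: float
    av_realtime_enabled: bool
    av_signature_age_days: int
    fw_installed: bool
    fw_version: float
    fw_enabled: bool


SIGNATURE_MAX_AGE_DAYS = 5               # Anti-Virus profile in the scenario
REASSESS_INTERVAL = timedelta(hours=1)   # agent setting in the scenario
MAX_RECORD_AGE = 2 * REASSESS_INTERVAL   # assumption: two missed re-assessments


def assess(a: Assessment) -> State:
    """Map an assessment to a compliance state.

    Assumption: only a stale signature is a "soft" failure (the scenario's
    partially compliant row); any other failed requirement is non-compliant.
    """
    hard_failures = [
        not a.os_service_packs_ok,
        a.ie_patches_missing > 0,
        not a.av_installed or a.av_version < 9,
        not a.av_realtime_enabled,
        not a.fw_installed or a.fw_version < 2,
        not a.fw_enabled,
    ]
    if any(hard_failures):
        return State.NON_COMPLIANT
    if a.av_signature_age_days > SIGNATURE_MAX_AGE_DAYS:
        return State.PARTIAL
    return State.COMPLIANT


# Remote-user access templates from the table: (Agent Enforcer, RADIUS Enforcer).
# None means no agent is present to enforce anything.
ACCESS_TEMPLATES = {
    State.COMPLIANT: ("permit", "permit"),
    State.PARTIAL: ("permit", "permit"),
    State.NON_COMPLIANT: ("quarantine", "permit"),
    State.UNKNOWN: (None, "deny"),
}
RESTRICTIVENESS = {"permit": 0, "quarantine": 1, "deny": 2}


def enforce(records, user, now):
    """Return (state, effective access) for a connecting user.

    A missing record, or one older than MAX_RECORD_AGE, is treated as
    Unknown so the decision fails closed.
    """
    record = records.get(user)
    if record is None or now - record[1] > MAX_RECORD_AGE:
        state = State.UNKNOWN
    else:
        state = record[0]
    decisions = [d for d in ACCESS_TEMPLATES[state] if d is not None]
    # The endpoint gets the most restrictive of the applicable templates.
    return state, max(decisions, key=RESTRICTIVENESS.__getitem__)


# Constructed sample data: user -> (reported state, time of last report).
NOW = datetime(2010, 1, 1, 12, 0)
GOOD = Assessment(True, 0, True, 9.0, True, 1, True, 2.0, True)
STALE_SIGNATURE = replace(GOOD, av_signature_age_days=9)
UNPROTECTED = replace(GOOD, ie_patches_missing=3, av_realtime_enabled=False,
                      av_signature_age_days=9, fw_enabled=False)
RECORDS = {
    "alice": (assess(GOOD), NOW - timedelta(minutes=10)),
    "bob": (assess(STALE_SIGNATURE), NOW - timedelta(minutes=20)),
    "carol": (assess(UNPROTECTED), NOW - timedelta(minutes=5)),
    "dave": (State.COMPLIANT, NOW - timedelta(hours=5)),  # agent stopped reporting
}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        state, access = enforce(RECORDS, user, NOW)
        print(f"{user:6} {state.value:20} -> {access}")
```

The "dave" record shows why the hourly re-assessment matters to the enforcer: a compliant result that is hours old says nothing about the endpoint's current state.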

6: Enforcement mechanisms

Overview

NAC Advanced provides complete coverage for an organization's enforcement needs by supporting the following enforcement mechanisms:

- Agent: Protects the network, with the agent providing self-quarantine for non-compliant computers.
- 802.1X wired and wireless: Protects the network from LAN-connected computers by using an enterprise's 802.1X-compliant infrastructure. NAC fully supports dynamic VLAN assignment and guest access on both wired and wireless networks. With supported 802.1X solutions, NAC can be used to provide quarantine for non-compliant computers.
- : Protects the network from LAN-connected computers by using an enterprise's existing infrastructure. With supported solutions, NAC can be used to quarantine non-compliant and unauthorized computers.
- Remote access/VPN concentrator: Protects the network from remote computers and enables fully authenticated and assessed VPN access, whether via IPSec or SSL. NAC can be used to quarantine non-compliant computers using access control lists (ACLs), groups, or filters.
- Cisco Network Admission Control (NAC): Protects the network by providing integration with Cisco NAC Framework on Cisco NAC-compatible networks.

NAC Advanced provides network access for computers by using access templates to define network access, and then signaling the appropriate enforcer to impose network access. The agent, RADIUS Enforcer, and Enforcer are the software components that direct the enforcement mechanisms to permit, deny, or quarantine access to defined enterprise network resources in response to the reported compliance state. These components retrieve the computer's compliance state as each user attempts to connect to the enterprise network and periodically verify the computer's compliance. Then, based on the compliance state and assigned access templates, these components permit, deny, or quarantine access to defined enterprise network resources.

Total enforcement
NAC agent, RADIUS, and Enforcers ensure that computers are permitted or denied access to defined network resources in response to their compliance state.

The NAC RADIUS Enforcer interacts with an enterprise authentication store (such as Active Directory, or any user store accessible using RADIUS or LDAP) and the enterprise VPN remote access concentrator, 802.1X switch, wireless access point, or other RADIUS-capable device. The Enforcer extends the capability of Microsoft's to obtain the appropriate user class and, with the agent, to release and renew IP addresses.

Enforcement scenarios

The following provides information on typical network components, network enforcement, and sample enforcement scenarios.

Typical enterprise network components

For the purposes of illustrating NAC Advanced enforcement scenarios, Figure 8 is an example of a typical enterprise network, showing key network infrastructure and software components.

1. and non-enterprise computers: LAN and remote
2. Network infrastructure: LAN switching and routing infrastructure
3. Protected enterprise resources
4. authentication systems
5. systems
6. Remediation s
7. Internet access
8. Remote access infrastructure: VPN and SSL concentrators

Figure 8: Typical enterprise network

Complete enterprise protection

NAC provides complete enterprise protection through multiple overlapping types of enforcement.

Coverage: 802.1X wired and wireless LAN
  Protection with preinstalled Compliance Agent (e.g. employee or contractor): Quarantine VLAN or ACL assignment, and/or agent-based quarantine
  Protection without preinstalled Compliance Agent (e.g. guest using Dissolvable Agent): Quarantine VLAN or ACL assignment

Coverage: LAN
  With preinstalled Compliance Agent: IP address deny, options or address pool assignment, and/or agent-based quarantine
  Without preinstalled Compliance Agent: IP address deny, options or address pool assignment

Coverage: IPSec VPN concentrator
  With preinstalled Compliance Agent: Access deny or permit limited access (RADIUS), and/or agent-based quarantine
  Without preinstalled Compliance Agent: Access deny or permit limited access (RADIUS)

Coverage: SSL VPN concentrator
  With preinstalled Compliance Agent: Access deny or permit limited access (RADIUS), and/or agent-based quarantine
  Without preinstalled Compliance Agent: Access deny or permit limited access (RADIUS)

Coverage: Cisco NAC-capable LAN
  With preinstalled Compliance Agent: Quarantine VLAN or ACL assignment, and/or agent-based quarantine
  Without preinstalled Compliance Agent: Quarantine VLAN or ACL assignment

Coverage: Static LAN IP (no 802.1X)
  With preinstalled Compliance Agent: Agent-based quarantine
  Without preinstalled Compliance Agent: Identified with the Dissolvable Agent.

Note: Dissolvable Agent enforcement must be performed by the RADIUS Enforcer or the Enforcer.

Agent enforcement (using preinstalled Compliance Agent)

NAC Advanced provides powerful agent-based LAN enforcement enabling administrators to define quarantine configurations based on policy without any network infrastructure changes, as shown in Figure 9. This enforcement scenario requires the endpoint to have the Compliance Agent preinstalled.

1. A computer with the Compliance Agent starts up into quarantine mode.
2. The Compliance Agent securely retrieves latest policy and assesses the computer's compliance according to policy.
3. If the computer is non-compliant, the Agent Enforcer allows access only to remediation s.
4. Once the computer is compliant, it is permitted appropriate access to protected enterprise resources.

The Compliance Agent periodically re-assesses and reports compliance status to the application during a network session. If the computer falls out of compliance for any reason, the Compliance Agent will provide enforcement according to the Agent Enforcer access template.

Figure 9: Agent enforcement (using preinstalled Compliance Agent)

Dissolvable Agent enforcement (using on-demand Compliance Agent)

NAC Advanced provides powerful remote or LAN enforcement capabilities where there is no Compliance Agent preinstalled on the endpoint.

1. A computer accesses the Dissolvable Agent from a web browser.
2. The Dissolvable Agent securely receives latest policy and assesses the computer's compliance according to policy.
3. If the computer is non-compliant (or a compliance record is not found), it is quarantined to remediation s or denied access. Note: Dissolvable Agent enforcement must be performed by the RADIUS Enforcer or the Enforcer.
4. If the computer is compliant, it is permitted appropriate access to protected enterprise resources.

Figure 10: Dissolvable Agent enforcement (using on-demand Compliance Agent)

802.1X LAN enforcement (using preinstalled Compliance Agent)

This enforcement scenario requires the endpoint to have the Compliance Agent preinstalled.

1. A computer with the Compliance Agent connects to a LAN port.
2. The 802.1X network switch challenges the computer for authentication.
3. authentication proxy is performed through the Compliance Application Server.
4. If the computer is non-compliant or a compliance record is not found, it is quarantined to the remediation s VLAN.
5. If the computer is compliant, it is permitted access to the protected enterprise resource s VLAN.

Figure 11: 802.1X LAN enforcement (using preinstalled Compliance Agent)

802.1X LAN enforcement (using no agent)

This enforcement scenario provides enforcement for endpoints without using an agent.

1. A device without an agent requests a LAN port.
2. One of the following occurs:
   - If the device is not capable of 802.1X (e.g. printers or IP phones), it is quarantined to the Guest or Voice VLAN (stop).
   - If the device is capable of 802.1X, the 802.1X network switch challenges it for authentication.
3. authentication proxy is performed through the Compliance Application Server.
4. If the compliance record is not found, the device is quarantined to the remediation s VLAN.

Figure 12: 802.1X LAN enforcement (using no agent)

LAN enforcement with the Enforcer (using preinstalled Compliance Agent)

NAC Advanced has technology that allows an enterprise's existing Microsoft s to easily identify and isolate unauthorized computers, defined as those not running the agent. The Enforcer extends the capability of Microsoft s to provide quarantine settings using access templates. This functionality sets user classes that are determined by compliance and an associated agent action so that computers obtain appropriate IP addresses and options from the .

This enforcement scenario requires the endpoint to have the Compliance Agent preinstalled:

1. A computer with the Compliance Agent attaches to the LAN and requests an IP address.
2. The enterprise receives the IP address request and consults the Enforcer.
3. If the computer is known but non-compliant, the Enforcer instructs the to apply quarantine, and the quarantine is used to limit access only to remediation s.
4. If the computer is known and compliant, the Enforcer instructs the to apply normal settings, and the computer is permitted access to protected enterprise resources.

Figure 13: LAN enforcement with the Enforcer (using preinstalled Compliance Agent)

LAN enforcement with the Enforcer (using on-demand Compliance Agent)

This enforcement scenario requires the endpoint to use the Dissolvable Agent.

1. A computer without an agent attaches to the LAN and requests an IP address.
2. The enterprise receives the IP address request and consults the Enforcer. The computer is unknown and presumed non-compliant. The Enforcer instructs the to apply quarantine.
3. The assigns the computer limited quarantine access options, which are a combination of IP address/mask, no default route, static routes, and DNS.
4. The computer can access remediation s and the on-demand Dissolvable Agent.

Figure 14: LAN enforcement with the Enforcer (using on-demand Compliance Agent)

LAN enforcement without the Enforcer (using preinstalled Compliance Agent)

NAC Advanced also provides a solution to identify and isolate unauthorized computers easily without the use of the Enforcer. Although the NAC native enforcement functionality is limited, this option can be implemented when using a environment from vendors other than Microsoft. This enforcement scenario requires the endpoint to have the Compliance Agent preinstalled.

1. A computer with the Compliance Agent attaches to the LAN and requests an IP address.
2. The enterprise examines the IP address request for a known/compliant computer.
3. If the computer is known but non-compliant, the agent quarantine is used to limit access to remediation s.
4. If the computer is known and compliant, the agent quarantine is removed and the computer is permitted appropriate access to protected enterprise resources.

Figure 15: LAN enforcement without the Enforcer (using preinstalled Compliance Agent)

LAN enforcement without the Enforcer (using no agent)

This enforcement scenario provides enforcement for endpoints without using an agent.

1. A computer without an agent attaches to the LAN and requests an IP address.
2. The enterprise examines the IP address request for a known/compliant computer. The computer is unknown and presumed non-compliant.
3. The assigns the computer limited quarantine access options, which are a combination of IP address/mask, no default route, static routes, and DNS.
4. The computer is permitted limited access to remediation s only.

Figure 16: LAN enforcement without the Enforcer (using no agent)

IPSec VPN enforcement (using preinstalled Compliance Agent)

This enforcement scenario requires the endpoint to have the Compliance Agent preinstalled.

1. The Compliance Agent assesses the compliance of a computer.
2. The computer initiates a VPN connection to the remote access gateway.
3. The remote access gateway requests authentication.
4. authentication RADIUS proxy is performed through the Compliance Application Server.
5. If the computer is non-compliant or a compliance record is not found, the computer is quarantined to remediation s or denied access.
6. If the computer is compliant, it is permitted appropriate access to protected enterprise resources.

Figure 17: IPSec VPN enforcement (using preinstalled Compliance Agent)

IPSec VPN enforcement (using no agent)

This enforcement scenario provides enforcement for endpoints without using an agent.

1. A computer initiates a VPN connection to the remote access gateway.
2. The remote access gateway requests authentication.
3. authentication RADIUS proxy is performed through the Compliance Application Server.
4. A compliance record is not found. The computer is quarantined to remediation s or denied access.

Figure 18: IPSec VPN enforcement (using no agent)

SSL VPN enforcement (using preinstalled Compliance Agent)

This enforcement scenario requires the endpoint to have the Compliance Agent preinstalled.

1. The Compliance Agent assesses the compliance of a computer.
2. The computer initiates an SSL VPN browser connection to the SSL VPN gateway.
3. The SSL VPN gateway requests authentication.
4. authentication RADIUS proxy is performed through the Compliance Application Server.
5. If the computer is non-compliant or a compliance record is not found, the computer is quarantined to remediation s or denied access.
6. If the computer is compliant, it is permitted appropriate access to protected enterprise resources.

Figure 19: SSL VPN enforcement (using preinstalled Compliance Agent)

SSL VPN enforcement (using on-demand Compliance Agent)

This enforcement scenario optionally requires the endpoint to use the Dissolvable Agent or install the Compliance Agent.

1. A computer without an agent initiates an SSL VPN browser connection to the SSL VPN gateway.
2. The SSL VPN gateway requests authentication.
3. authentication RADIUS proxy is performed through the Compliance Application Server.
4. A compliance record is not found. The computer is quarantined to remediation s or denied access.

Note: The SSL VPN gateway can also optionally isolate the computer to provide access to the on-demand Dissolvable Agent or deliver and install the Compliance Agent.

Figure 20: SSL VPN enforcement (using on-demand Compliance Agent)

Cisco NAC-based LAN enforcement (using preinstalled Compliance Agent)

This enforcement scenario requires the endpoint to have the Compliance Agent preinstalled.

1. A computer with Cisco Trust Agent (CTA) and the Compliance Agent requests access to the NAC-based LAN.
2. The Cisco NAC network device and Cisco Secure Access Control Server (ACS) challenge the computer for NAC posture.
3. Optionally, ACS authentication proxy is performed through the Compliance Application Server.
4. If the computer is non-compliant, a compliance record is not found, or CTA is not present, the computer is quarantined to remediation s.
5. If the computer is compliant, it is permitted appropriate access to the protected enterprise resources.

Figure 21: Cisco NAC-based LAN enforcement (using preinstalled Compliance Agent)

Cisco NAC-based LAN enforcement (using no agent)

This enforcement scenario provides enforcement for endpoints without using an agent.

1. A device without an agent requests access to the NAC-based LAN.
2. One of the following occurs:
   - If the device has no CTA or is not capable of NAC (e.g. printers or IP phones), the device is quarantined by Cisco NAC.
   - If the device is capable of NAC and has CTA installed, the network switch and Cisco ACS challenge the device for authentication.
3. Since no agent is installed, posture information is not returned to Cisco ACS and the device is quarantined by Cisco NAC.

Figure 22: Cisco NAC-based LAN enforcement (using no agent)

7: Summary

NAC Advanced controls access to an organization's network by guests and unauthorized users. It also assesses employees' managed computers for compliance with security policies set by the organization, both prior to connection and periodically during a network session.

NAC Advanced enables enterprise security administrators to define and enforce security policies for all users on the network, including business partners, contractors, telecommuters, remote users, and office-based workers. As a vendor-neutral software overlay, NAC Advanced requires no changes to existing infrastructure. It combines in-depth off-the-shelf assessment of leading security applications and operating systems with flexible customer-defined assessments, and uses network- and agent-based quarantine and enforcement methods and automated remediation to ensure compliance with security policy is maintained.

Appendix I: System and network requirements

Compliance Agent
- Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows 7
- Any form of standard IP connectivity, including 802.1X, 802.11 wireless, cable, dial, xDSL, Ethernet, and other broadband access
- Microsoft Internet Explorer 5.0 or greater
- Microsoft XMLDOM 3 or greater

Compliance Dissolvable Agent
- Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows 7
- Any form of standard IP connectivity, including 802.1X, 802.11 wireless, cable, dial, xDSL, Ethernet, and other broadband access
- Microsoft Internet Explorer 6 (Windows 2000 only), 7 or 8 or Firefox 3 or 3.5, including support for Java applet download
- Microsoft XMLDOM 3 or greater
- Sun Java Runtime Environment (JRE) version 6 update 0 or higher

Compliance Application Server
- Windows Server 2003 or Windows Server 2008

Compliance Databases
- Windows Server 2000 (only if installing on a separate ), Windows Server 2003, or Windows Server 2008
- SQL Server 2000, SQL Server 2005 or Express, or SQL Server 2008 or Express

Network requirements
- The agent communicates with the Compliance Application Server using SOAP/XML encapsulated in standard SSL. The enterprise network must be configured to allow SSL traffic between endpoints and the Compliance Application Server.
- The RADIUS Enforcer communicates with the enterprise VPN concentrator, 802.1X switch, wireless access point, or other RADIUS-capable device via the RADIUS protocol.
- The user interface uses HTTPS to be accessed from a browser.
- If the Compliance Application Server and the SQL (s) are not co-located, the application must be able to access the enterprise SQL (s).
- A, if enforcement is implemented.

Copyright All rights reserved. All trademarks are the property of their respective owners.

Appendix II: Integration with enterprise infrastructure

NAC Advanced easily integrates with existing enterprise infrastructure and applications.

Network infrastructure
NAC Advanced supports multi-vendor networks using nonproprietary enforcement capabilities, while providing superior policy definition and compliance reporting. Supported infrastructures include any standard IPSec, PPTP, or SSL VPN infrastructure, as well as any standard 802.1X, 802.11 wireless, or Cisco NAC infrastructure. NAC also supports -based enforcement infrastructures, including s running Microsoft Dynamic Host Configuration Protocol () software, as well as other standards-compliant s, such as Lucent, Infoblox, Nortel NetID, and Cisco Network Registrar (CNR).

Authentication stores
NAC Advanced can be integrated with a wide range of enterprise networks. NAC provides support for Microsoft Active Directory 2000, 2003, and 2008 domains and forests, as well as any other authentication store that supports the RADIUS protocol including, but not limited to, RSA ACE Server and Cisco ACS. NAC also supports LDAP authentication stores.

Security applications
NAC Advanced provides a policy management and enforcement framework for best-of-breed endpoint security applications using a data-driven approach. NAC has predefined support for most market-leading operating systems, service packs, patches, and applications. Support includes over 350 security applications from the vendors listed under "Applications supported". (Note: this list is subject to change as NAC Advanced adds support for additional applications.)

The compliance and assessment rules in NAC Advanced are data-driven through two data feeds. On a daily basis, by default, the application checks for and retrieves any updated patch information. Also, every hour the application checks for and retrieves the latest dates for the current signature for every anti-virus and anti-spyware application. Once these data feeds are retrieved, the new patches and signature dates are available to the administrator for profile and assessment purposes.

Applications supported
AhnLab, America Online, Anonymizer, Avira, BellSouth, BitDefender, Black Ice Software, BullGuard, Cisco, ClamWin, Computer Associates, Defender Pro, EarthLink, Eset Software, etrust, F-Secure, GData Software, Ikarus Software, Javacool Software, Jiangmin, Kaspersky Labs, Kerio Technologies, Kingsoft, Lavasoft, McAfee, Microsoft, Norman, Panda Software, PC Tools Software, Prevx, Radialpoint, Sereniti, Sunbelt Software, Sygate, Symantec, Tiny Software, Trend Micro, Verizon, Webroot Software, Yahoo!, Zone Labs


White Paper February McAfee Policy Enforcer. Securing your endpoints for network access with McAfee Policy Enforcer. White Paper February 2006 McAfee Policy Enforcer Securing your endpoints for network access with McAfee Policy Enforcer White Paper February 2006 Page 2 Table of Contents Executive Summary 3 Enforcing

More information

Understanding Network Access Control: What it means for your enterprise

Understanding Network Access Control: What it means for your enterprise Understanding Network Access Control: What it means for your enterprise Network access control is a term that is highly used, but not clearly defined. By understanding the reasons for pursuing a network

More information

Data Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement

Data Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement Simplified endpoint enforcement Overview makes it easy to begin implementing a network access control solution. It offers a subset of Symantec Network Access Control functionality that can be completely

More information

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client

More information

Symantec Network Access Control Starter Edition

Symantec Network Access Control Starter Edition Symantec Network Access Control Starter Edition Simplified endpoint compliance Overview makes it easy to begin implementing a network access control solution. It offers a subset of Symantec Network Access

More information

Key Features. DATA SHEET

Key Features.  DATA SHEET DATA SHEET Total Defense THREAT MANAGER r12 Overview: Total Defense Threat Manager r12 integrates anti-malware, groupware protection and network access control in one easy-touse solution, providing comprehensive

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Cisco Identity Services Engine

Cisco Identity Services Engine Data Sheet Enterprise networks are more dynamic than ever before, servicing an increasing number of users, devices, and access methods. Along with increased access and device proliferation comes an increased

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate

More information

NEXT GENERATION SOLUTION FOR NETWORK ACCESS MANAGEMNT & CONTROL

NEXT GENERATION SOLUTION FOR NETWORK ACCESS MANAGEMNT & CONTROL PORTNOX PLATFORM NEXT GENERATION SOLUTION FOR NETWORK ACCESS MANAGEMNT & CONTROL Portnox s Network Access Control Platform traverses across all network layers, whether physical, virtual or in the cloud

More information

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

PrepAwayExam.   High-efficient Exam Materials are the best high pass-rate Exam Dumps PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 250-530 Title : Administration of Symantec Network Access Control 12.1 Vendors : Symantec

More information

Client Computing Security Standard (CCSS)

Client Computing Security Standard (CCSS) Client Computing Security Standard (CCSS) 1. Background The purpose of the Client Computing Security Standard (CCSS) is to (a) help protect each user s device from harm, (b) to protect other users devices

More information

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security

More information

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018 How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment

More information

Pulse Policy Secure. Getting Started Guide. Product Release 5.1. Document Revision 1.0 Published:

Pulse Policy Secure. Getting Started Guide. Product Release 5.1. Document Revision 1.0 Published: Pulse Policy Secure Getting Started Guide Product Release 5.1 Document Revision 1.0 Published: 2014-12-15 2014 by Pulse Secure, LLC. All rights reserved Pulse Secure, LLC 2700 Zanker Road, Suite 200 San

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture Service Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance

More information

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1 Cisco ISE Overview, page 2 Key Functions, page 2 Identity-Based Network Access, page 2 Support for Multiple Deployment Scenarios, page 3 Support for UCS Hardware, page 3 Basic User Authentication and Authorization,

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix ForeScout Extended Module for IBM BigFix Version 1.0.0 Table of Contents About this Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 Concepts, Components, Considerations...

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

CounterACT VMware vsphere Plugin

CounterACT VMware vsphere Plugin Configuration Guide Version 2.0.1 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin... 5 What to Do... 5 Requirements... 5 CounterACT

More information

CounterACT VMware vsphere Plugin

CounterACT VMware vsphere Plugin CounterACT VMware vsphere Plugin Configuration Guide Version 2.0.0 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin... 5 What

More information

PCI DSS Compliance. White Paper Parallels Remote Application Server

PCI DSS Compliance. White Paper Parallels Remote Application Server PCI DSS Compliance White Paper Parallels Remote Application Server Table of Contents Introduction... 3 What Is PCI DSS?... 3 Why Businesses Need to Be PCI DSS Compliant... 3 What Is Parallels RAS?... 3

More information

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS 1 Business drivers and their impact on IT AGILITY Move fast, be nimble and flexible 66% of business owners identify business agility as a priority EFFICIENCY

More information

Module 9. Configuring IPsec. Contents:

Module 9. Configuring IPsec. Contents: Configuring IPsec 9-1 Module 9 Configuring IPsec Contents: Lesson 1: Overview of IPsec 9-3 Lesson 2: Configuring Connection Security Rules 9-11 Lesson 3: Configuring IPsec NAP Enforcement 9-21 Lab: Configuring

More information

ForeScout Extended Module for HPE ArcSight

ForeScout Extended Module for HPE ArcSight ForeScout Extended Module for HPE ArcSight Version 2.7.1 Table of Contents About the HPE ArcSight Integration... 4 Use Cases... 4 Send Endpoint Status, Compliance, or Property Changes from CounterACT to

More information

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Exam : Title : Security Solutions for Systems Engineers. Version : Demo Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized

More information

Securing BYOD With Network Access Control, a Case Study

Securing BYOD With Network Access Control, a Case Study Research G00226207 29 August 2012 Securing BYOD With Network Access Control, a Case Study Lawrence Orans This Case Study highlights how an organization utilized NAC and mobile device management solutions

More information

Forescout. Configuration Guide. Version 2.4

Forescout. Configuration Guide. Version 2.4 Forescout Version 2.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Identity Based Network Access

Identity Based Network Access Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor

More information

ForeScout CounterACT. Configuration Guide. Version 1.1

ForeScout CounterACT. Configuration Guide. Version 1.1 ForeScout CounterACT Hybrid Cloud Module: VMware NSX Plugin Version 1.1 Table of Contents About VMware NSX Integration... 3 Use Cases... 3 Additional VMware Documentation... 3 About this Plugin... 3 Dependency

More information

HP ProCurve Network Access Controller 800

HP ProCurve Network Access Controller 800 Key features Managed security appliance Built-in RADIUS authentication server Endpoint integrity (EI) testing (req. licenses) Centralized management of NAC endpoint policies Scalable and flexible endpoint

More information

QuickSpecs. Aruba ClearPass OnGuard Software. Overview. Product overview. Key Features

QuickSpecs. Aruba ClearPass OnGuard Software. Overview. Product overview. Key Features Enterprise-class endpoint protection, posture assessments and health checks Product overview ClearPass OnGuard agents perform advanced endpoint posture assessments on leading computer operating systems

More information

BYOD: BRING YOUR OWN DEVICE.

BYOD: BRING YOUR OWN DEVICE. white paper BYOD: BRING YOUR OWN DEVICE. On-BOaRDING and Securing DEVICES IN YOUR Corporate NetWORk PrepaRING YOUR NetWORk to MEEt DEVICE DEMaND The proliferation of smartphones and tablets brings increased

More information

Deployment Guide. Best Practices for CounterACT Deployment: Guest Management

Deployment Guide. Best Practices for CounterACT Deployment: Guest Management Best Practices for CounterACT Deployment: Guest Management Table of Contents Introduction... 1 Purpose...1 Audience...1 About Guest Management Deployment... 2 Advantages of this approach...2 Automation...2

More information

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1 ForeScout CounterACT Hybrid Cloud Module: VMware vsphere Plugin Version 2.1 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin...

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018 How-to Guide: Tenable.io for Microsoft Azure Last Updated: November 16, 2018 Table of Contents How-to Guide: Tenable.io for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

ISE Version 1.3 Self Registered Guest Portal Configuration Example

ISE Version 1.3 Self Registered Guest Portal Configuration Example ISE Version 1.3 Self Registered Guest Portal Configuration Example Document ID: 118742 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 13, 2015 Contents Introduction Prerequisites

More information

Data Retrieval Firm Boosts Productivity while Protecting Customer Data

Data Retrieval Firm Boosts Productivity while Protecting Customer Data Data Retrieval Firm Boosts Productivity while Protecting Customer Data With HEIT Consulting, DriveSavers deployed a Cisco Self-Defending Network to better protect network assets, employee endpoints, and

More information

Cisco TrustSec How-To Guide: Central Web Authentication

Cisco TrustSec How-To Guide: Central Web Authentication Cisco TrustSec How-To Guide: Central Web Authentication For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 1

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table

More information

Component Assessment

Component Assessment 4 CHAPTER Component Assessment This chapter discusses the function of each component and how it helps to address PCI DSS 2.0 compliance requirements. Each component was assessed by Verizon Business. This

More information

MOBILE NETWORK ACCESS CONTROL

MOBILE NETWORK ACCESS CONTROL MOBILE NETWORK ACCESS CONTROL Extending Corporate Security Policies to Mobile Devices www.netmotionwireless.com Executive Summary Network Access Control (NAC) systems protect corporate assets from threats

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

Security Assessment Checklist

Security Assessment Checklist Security Assessment Checklist Westcon Security Checklist - Instructions The first step to protecting your business includes a careful and complete assessment of your security posture. Our Security Assessment

More information

Cisco Self Defending Network

Cisco Self Defending Network Cisco Self Defending Network Integrated Network Security George Chopin Security Business Development Manager, CISSP 2003, Cisco Systems, Inc. All rights reserved. 1 The Network as a Strategic Asset Corporate

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

Campus Manager. Out-of-Band Network Access Control for Wired, Wireless and VPN Networks. DataSheet

Campus Manager. Out-of-Band Network Access Control for Wired, Wireless and VPN Networks. DataSheet DataSheet Comprehensive NAC Solution Identity Management Endpoint Compliance Usage Policy Enforcement Historical Auditing and Reporting Out-of-Band Network Access Control for Wired, Wireless and VPN Networks

More information

ForeScout Extended Module for ArcSight

ForeScout Extended Module for ArcSight Version 2.8 Table of Contents About the ArcSight Integration... 4 Use Cases... 4 Send Endpoint Status, Compliance, or Property Changes from CounterACT to ArcSight... 5 SmartConnector Health and Compliance

More information

CISNTWK-440. Chapter 5 Network Defenses

CISNTWK-440. Chapter 5 Network Defenses CISNTWK-440 Intro to Network Security Chapter 5 Network Defenses 1 Objectives Explain how to enhance security through network design Define network address translation and network access control List the

More information

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall ForeScout Extended Module for Palo Alto Networks Next Generation Firewall Version 1.2 Table of Contents About the Palo Alto Networks Next-Generation Firewall Integration... 4 Use Cases... 4 Roll-out Dynamic

More information

Exam: : VPN/Security. Ver :

Exam: : VPN/Security. Ver : Exam: Title : VPN/Security Ver : 03.20.04 QUESTION 1 A customer needs to connect smaller branch office locations to its central site and desires a more which solution should you recommend? A. V3PN solution

More information

SaaS Flyer for Trend Micro

SaaS Flyer for Trend Micro SaaS Flyer for Trend Micro Prices Effective July 1, 2008 1 Internet Security 2008 Trend Micro Internet Security 2008 makes it easy to protect your home or small business network, personal identity, and

More information

Mobile Network Access Control Extending corporate security policies to mobile devices

Mobile Network Access Control Extending corporate security policies to mobile devices Mobile Network Access Control Extending corporate security policies to mobile devices WHITE PAPER NetMotion Wireless 701 N 34th Street, Suite 250 Seattle, WA 98103 206.691.5555 www.netmotionwireless.com

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,

More information

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version ACE Exam Question 1 of 50. Which of the following statements is NOT True regarding a Decryption Mirror interface? Supports SSL outbound

More information

Simplifying your 802.1X deployment

Simplifying your 802.1X deployment mancalanetworks making networks manageable Simplifying your 802.1X deployment The rapid growth in the number and variety of mobile devices connecting to corporate networks requires strengthening security

More information

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3 ForeScout CounterACT Hybrid Cloud Module: Amazon Web Services (AWS) Plugin Version 1.3 Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic

More information

: Administration of Symantec Endpoint Protection 14 Exam

: Administration of Symantec Endpoint Protection 14 Exam 250-428: of Symantec Endpoint Protection 14 Exam Study Guide v. 2.2 Copyright 2017 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and Altiris are trademarks or registered trademarks

More information

SSL VPNs or IPsec VPNs The Challenges of Remote Access. February 2 nd, 2007 Chris Witeck- Director of Product Marketing

SSL VPNs or IPsec VPNs The Challenges of Remote Access. February 2 nd, 2007 Chris Witeck- Director of Product Marketing SSL VPNs or IPsec VPNs The Challenges of Remote Access February 2 nd, 2007 Chris Witeck- Director of Product Marketing Agenda Remote access challenges Drivers for remote access New challenges for IT Remote

More information

Novell ZENworks 10 Patch Management SP3

Novell ZENworks 10 Patch Management SP3 Reference AUTHORIZED DOCUMENTATION Novell ZENworks 10 Patch Management SP3 10.3 August 26, 2010 www.novell.com ZENworks 10 Patch Management Reference Legal Notices Novell, Inc. makes no representations

More information

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Reference Book

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Reference Book KASPERSKY LAB Kaspersky Administration Kit version 6.0 Reference Book KASPERSKY ADMINISTRATION KIT VERSION 6.0 Reference Book Kaspersky Lab Ltd. Visit our website: http://www.kaspersky.com/ Revision date:

More information

Cisco s Appliance-based Content Security: IronPort and Web Security

Cisco s Appliance-based Content Security: IronPort  and Web Security Cisco s Appliance-based Content Security: IronPort E-mail and Web Security Hrvoje Dogan Consulting Systems Engineer, Security, Emerging Markets East 2010 Cisco and/or its affiliates. All rights reserved.

More information

Hazardous Endpoints Protecting Your Network From Its Own Devices

Hazardous Endpoints Protecting Your Network From Its Own Devices Hazardous Endpoints Protecting Your Network From Its Own Devices Abstract The increasing number and types of attacks launched from endpoint devices can no longer be ignored, and organizations must shift

More information

McAfee Cloud Workload Security Product Guide

McAfee Cloud Workload Security Product Guide Revision B McAfee Cloud Workload Security 5.1.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

Network Access Control Whitepaper

Network Access Control Whitepaper Network Access Control Whitepaper There is nothing more important than our customers. Enterasys Network Access Control Executive Summary With the increasing importance Network Access Control (NAC) plays

More information

BCPro Installation Instructions Code No. LIT Software Release 3.0 Issued September 2017

BCPro Installation Instructions Code No. LIT Software Release 3.0 Issued September 2017 Code No. LIT-12011910 Software Release 3.0 Issued September 2017 Welcome...2 Summary of Changes...2 Related Documentation...2 Installation Overview...2 Prerequisite Software Checklist for Installation

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Authentication and Enforcement Using SRX Series Services Gateways and Aruba ClearPass Policy Manager Modified: 2016-08-01 Juniper Networks, Inc. 1133 Innovation

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.2 Table of Contents About ServiceNow Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

2013 InterWorks, Page 1

2013 InterWorks, Page 1 2013 InterWorks, Page 1 The BYOD Phenomenon 68% of devices used by information workers to access business applications are ones they own themselves, including laptops, smartphones, and tablets. IT organizations

More information

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0 Symantec Endpoint Protection Integration Component User's Guide Version 7.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.1.0 Table of Contents About this Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

Module Overview. works Identify NAP enforcement options Identify scenarios for NAP usage

Module Overview. works Identify NAP enforcement options Identify scenarios for NAP usage Module 6: Network Policies and Access Protection Module Overview Describe how Network Policies Access Protection (NAP) works Identify NAP enforcement options Identify scenarios for NAP usage Describe Routing

More information

CounterACT Afaria MDM Plugin

CounterACT Afaria MDM Plugin Version 1.7.0 and Above Table of Contents About Afaria MDM Service Integration... 4 About This Plugin... 4 How It Works... 5 Continuous Query Refresh... 5 Offsite Device Management... 6 Supported Devices...

More information

Cisco Identity Services Engine (ISE) Mentored Install - Pilot

Cisco Identity Services Engine (ISE) Mentored Install - Pilot Cisco Identity Services Engine (ISE) Mentored Install - Pilot Skyline Advanced Technology Services (ATS) offers Professional Services for a variety of Cisco-centric solutions. From inception to realization,

More information

Support Device Access

Support Device Access Personal Devices on a Corporate Network (BYOD), on page 1 Personal Device Portals, on page 2 Support Device Registration Using Native Supplicants, on page 7 Device Portals Configuration Tasks, on page

More information

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 1 The PCI Data Security

More information

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1 Forescout Version 1.1 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Configuring Network Admission Control

Configuring Network Admission Control 45 CHAPTER This chapter describes how to configure Network Admission Control (NAC) on Catalyst 6500 series switches. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. Note For complete

More information

NETWORK THREATS DEMAN

NETWORK THREATS DEMAN SELF-DEFENDING NETWORK NETWORK THREATS DEMAN NEW SECURITY: STRATEGIES TECHNOLOGIES Self-Propagating Threats A combination of: self propagating threats Collaborative applications Interconnected environments

More information

JURUMANI MERAKI CLOUD MANAGED SECURITY & SD-WAN

JURUMANI MERAKI CLOUD MANAGED SECURITY & SD-WAN JURUMANI CLOUD MANAGED SECURITY & SD-WAN SECURITY BY DESIGN OVERVIEW Cisco Meraki MX Security Appliances are ideal for organizations considering a Unified Threat Managment (UTM) solution, for distributed

More information

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis Security Automation Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis Network Admission Control See Managed Unmanaged Computing

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information