Symantec Network Access Control (SNAC) evolved from endpoint-security technology the company picked up from its 2005 acquisition of Sygate. In our evaluation, there was no silver bullet that put Symantec on the top of the heap. Rather it edged out the competition for its breadth of coverage in the areas of deployment options, endpoint assessments and flexible policy creation.
SNAC comprises two primary components - Policy Manager and Enforcers. The Policy Manager is the central management server that executes all policy settings. The Enforcers are the distributed devices that perform the endpoint assessments and enforcements. Enforcers can be deployed in three ways: LAN (802.1X), Gateway (in-line) and DHCP integration (delivered as either an appliance or as a Microsoft DHCP plug-in). An appliance can function as any enforcer type, but it cannot function as multiple enforcer types at the same time. Multiple enforcers can be deployed to provide high availability and redundancy.
For testing, we deployed a Gateway Enforcer 1U appliance sitting between the access and distribution layer of the test be network.
A captive Web portal - dubbed OnDemand by Symantec - supports guest users and is where they pick up a browser-based disposable agent used for both authentication and assessment purposes. Remote access can be supported by either placing a gateway Enforcer in-line behind the remote access termination point, or Symantec provides API integration with some SSL and IPSec VPN products that provides the ability to assess the endpoint as a condition of the remote access system granting network access. Both of these scenarios require Symantec's agent software to be running on the remote machines.
For testing, we also deployed a gateway Enforcer in-line behind the Cisco VPN Concentrator and set up Symantec's On-Demand component to provide the captive portal, which is a scenario you would use for remote devices that do not have the NAC agent installed.
User authentication can occur through user accounts local to the SNAC Policy Manager or via integration with an Active Directory, Lightweight Directory Access Protocol or Radius backend. Likewise, user groups are defined internally to SNAC or are imported along with the user information pulled from the existing repository. For testing, we configured SNAC to tap into our Active Directory user and group information without issue, and for the Windows clients in our test bed, this integration allowed for single sign-on capability and NAC-protected network connections.
Devices that do not need to be assessed, such as printers and UPSes, can be excluded by taking their IP address range out of the assessments.
Endpoint assessment is performed by a persistent (as deployed by standard software-distribution tools) or on-demand agent (run as needed through the captive portal described above). Assessment timing can be set on a per-policy basis, ranging from occurring minutes to days apart. During these assessments, a little more than the standard information is gathered about the endpoint - user, IP address, MAC address, domain and some computer information, such as what applications are resident there.
Out-of-the-box coverage for antivirus and personal firewall products is strong, supporting the first- and second-tier vendors in each space. Symantec embeds its own patch checking software in the product, but users need to configure the Microsoft Knowledge Base number, which provides a good level of granularity. A checkbox for patches or something based on criticality, such as integration with Windows Server Update Service, would be a useful addition to this product.
Custom assessment checks are defined by an if/then tree. For example, you could define the check as if a certain non-compliance is process running. Then you instruct SNAC to get a system time stamp and run a script to kill the process in question. This provides a lot of flexibility, but has a bit of a learning curve. Vulnerability assessment is available through the use of Symantec's SCAN scanner, which can be a component of the endpoint's compliance assessment. SNAC does not provide the ability to identify actively infected devices, but this functionality is available when combined with the Symantec Sygate Enterprise Protection (SEP) personal firewall, which is licensed separately. Symantec does not include support for responding to external network intrusion-detection system and intrusion-prevention system events.
We tested to make sure Sophos AV was running and that critical Windows security patches were applied. All checks performed as expected. We also created complex custom check to look at a registry key and running process. Custom check also functioned as expected.
SNAC easily facilitates assigning policy based on a user's location. Different policies can be applied to a device if it is situated on the corporate network, connected over the corporate remote-access solution or living on the edge on a wireless network.
The desired parameters of the assessment checks are defined within the process of setting up the host (endpoint) integrity policies. These policies can then be applied based on a location as mentioned above, a defined group or a specific user. These options make SNAC adaptable to many environments and provide more flexibility in policy setting than other products we've tested.
Enforcement actions include blocking network access when the gateway functions, such as a firewall or changing a virtual-LAN assignment when an 802.1X-based Enforcer is in the mix, downloading a necessary file, launching a program and displaying a message pertinent to the failure of the check. All enforcement tests ran as expected with the in-line gateway Enforcer.
The logs generated by SNAC are informative, providing detailed event information on authorisation, assessment results, restoration (remediation) and enforcement activities. The challenge is converting the log data in the logs to useful reports. Log data can be queried and exported to syslog or cvs format. A small set of report templates is available, such as those outlining existing policy use and daily-summary statistics, such as health status of environment and memory use. A dashboard showing assessment status and other key metrics would be a great addition. Export options for reports other than HTML would also provide improvement.
Management is performed through a Web-based Java application. The GUI is intuitive and easy to use. However, advanced users may become frustrated with the multiple mouse clicks required to access some resources, such as policy configuration. Overall, Symantec provides some unique features with SNAC, such as the ability to apply different policies based on location, the ability to build very powerful custom assessment checks and the ability of any Enforcers to function in any of three NAC enforcement scenarios. These features, coupled with its solid performance across the four basic NAC arenas during our tests - authorisation and authentication, assessment, enforcement and management - make it a strong leader in this space.