What is NAC?

Why Do We Need NAC?
• NAC protects the network from non-compliant or infected systems
• Provides enforcement methods to protect the network
• Can perform pre- and post-admission controls
– Pre-admission: scanning for "health"
– Post-admission: monitoring the network and its traffic continuously for threats
Three Generations of NAC
First Generation (2004): Cisco launched Network Admission Control, focused on authentication and health. Too complex and expensive; it required upgrading switches and routers.
Second Generation (2005): Vendors approached from their strengths: Cisco/Juniper introduced appliances to simplify deployment; Sophos/Symantec/McAfee focused on the endpoint; Microsoft announced the NAP infrastructure.
Third Generation (2008):
• Unification of Compliance, Security and Access Control
• Unification of Network and Endpoint Elements
Cisco is appliance oriented; Microsoft is server oriented; McAfee is endpoint and appliance oriented.
What is NAC?
• Network Access Control (NAC) is an extension to ePO 4.0
• Provides network security by controlling system access to network resources
• Access is granted according to the system's "health" status
• The system's "health" is assessed against a set of defined compliance rules
NAC And Other Products
• NAC works together with Microsoft NAP (Network Access Protection) as well as with McAfee NSP (Network Security Platform), formerly IntruShield
• In this case, NAC provides the "health" statement, while enforcement is done together with the other product
Managed vs. Un-managed Hosts
• Managed hosts (those with a running McAfee agent) can be handled by NAC, enforcing a policy through ePO
• Un-managed hosts are detected, but they must be managed by either MS-NAP or NSP (Network Security Platform, IntruShield 5.1)
NAC &amp; IntruShield
• MNAC 3.1 combined with IntruShield 5.1 provides complete monitoring of managed and un-managed systems
• McAfee will offer an appliance-based solution (NAC Appliance)
• The NAC appliance provides pre-admission control for un-managed systems
• The IntruShield appliance provides additional post-admission monitoring
05/03/23
ToPS Advanced: Total Protection for Endpoint
Single Integrated Management Console: ePO
• Anti-Spyware
• Host Intrusion Prevention / Desktop Firewall
• Anti-Virus
• Web Security
• Policy Auditing
• Network Access Control
• Anti-Spam (Email server)
McAfee Network Access Control 3.1 Software
Key Features
• Tightly integrated with Microsoft Network Access Protection (NAP) for control of unmanaged systems
• Support for ePolicy Orchestrator 4.0
• Standards-based system health checks: XCCDF and OVAL®
• The industry's most advanced check library
• Creation of custom checks for system health policies
McAfee Unified Secure Access Strategy: Integrated Across Your Infrastructure
Combined Network IPS + NAC Solutions: Network Security Platform
• Network Enforcement
• Full IPS Functionality
• Post- and Pre-admission Control
NAC-only Appliance Solutions: NAC Appliance
• Cost Effective In-Line NAC
• Access Protection for Unmanaged Endpoints
• Network-Class Platform
Endpoint Security Solutions: ToPS Advanced
• Endpoint Health Assessment
• NAP Integrated
• Managed Endpoint Control
McAfee Network Security Platform with NAC Add-on (formerly McAfee IntruShield)
• Combined IPS and NAC on the same platform
• NAC software add-on deploys with a simple upgrade
• Access Protection for Unmanaged Endpoints
• Built-in Host Quarantine
• Network-Class reliability and availability
• Identity-based access control
– Access based on organizational roles/users
– Integrates with Microsoft Active Directory
• Comprehensive post-admission control through:
– Application protocol
– Source/destination addresses
– Endpoint health obtained from MNAC
– IPS-detected malicious behavior
• NAC monitoring and reporting
– Reports on access logs (who, when, where) and action taken
• Software available on all I-Series Platforms
Security AND Performance. No Compromise.
McAfee Network Security Platform – NAC Appliance*
• NAC functionality on a Network-Class Appliance platform
• Access Protection for Unmanaged Endpoints
• Flexible deployment
– Deploying in DHCP mode
– Inline behind a VPN or LAN
• Identity-based access control
– Access based on organizational roles/users
– Integrates with Microsoft Active Directory
• Comprehensive post-admission control through:
– Application protocol
– Source/destination addresses
– Endpoint health obtained from MNAC
• NAC monitoring and reporting
– Reports on access logs (who, when, where) and action taken
Security AND Performance. No Compromise.
*Available end 2008
Unified Secure Access Process
Step 1: Policy. Define health, machine/user identity and application policy.
Step 2: Discover. Scan for rogue devices, alert and report.
Step 3: Enforce. Pre- or post-admission health is checked against policy; malicious behavior is monitored.
Step 4: Remediate. Take action based on the outcome of the policy check or the observed behavior.
Step 5: Monitor. Monitor the endpoint to ensure ongoing compliance.