Symantec NAC upgrade aims at manageability

Symantec is releasing an upgrade to Symantec Network Access Control (NAC), which will allow IT administrators to exert control over unmanaged devices and set customized levels of access for guest users entering their corporate networks.

The upgrade is available at no additional cost to customers under warranty or maintenance. The software image will be available for download from Symantec’s Web site on Aug. 15.

“We’ve actually brought all of the power of Symantec’s NAC agent for managed systems and put up that for the unmanaged world,” said senior manager of product management Rich Langston, who runs the NAC product line.

The on-demand product is a brand new, ground-up rewrite for unmanaged devices that gives administrators the exact same capabilities they currently have with the managed agent for guests and contractors, he explained.

It works by having users access the network through a Web browser, which takes them to a portal that requires a login. After presenting valid credentials, users download the on-demand agent, which runs in resident memory and dissolves when the user exits the system.

The agent ensures unmanaged devices meet predefined criteria for endpoint compliance before connecting to the network. The criteria cover appropriate levels of security and protection, including up-to-date antivirus, antispyware, firewall and service pack software.

If a device fails to meet the criteria, automated remediation capabilities can work to resolve the issue. “Some of the competing solutions will take the user to a Web page and say, ‘You’re not on the network because your antivirus isn’t up-to-date so click on this URL,’” said Langston. “We automate everything.”

Non-compliant devices can be blocked or quarantined from the network. “The idea is to keep the network safe by keeping impurely configured systems off the network,” he said.

Another key feature of the upgrade is a new Web login for guest users. “We now have the capability of giving them different levels of access,” said Langston. “This is important because most enterprises are interested in giving as little access to the network as necessary. For example, they might want to offer Internet access as a courtesy to casual guests, vendors, or the board of directors…If anything changes, they will get kicked off the network,” said Langston.

“We really have one of the most powerful agents for client-side NAC that is available, which means that we are fully on board with the client,” said Langston. This includes performing very deep inspections of endpoints to make sure they are compliant with “all the policies the administrator wants…whatever his policies may be.”

Symantec decided to add these new features based on feedback from customers. “Our product is doing a great job on managing the managed endpoints, but [customers] wanted to have the same capabilities for their unmanaged endpoints because so many guests enter the network on a regular basis,” said Langston.

With more consumer devices entering the corporate space, the ability to screen unmanaged devices and provide appropriate levels of network access is becoming increasingly important, said Yankee Group senior vice-president of enterprise research Zeus Kerravala.

“I think it’s becoming a bigger and bigger problem,” he said. “The influx of consumer devices in the enterprise, especially ones that are Wi-Fi enabled such as an iPhone or a Blackberry, a tablet PC, even personal laptops, are becoming more and more common. Understanding that the trend is just going to continue, [enterprises] do need a feature like this to not disallow access, but give unmanaged devices access that’s appropriate.”

While the upgraded Symantec NAC solution currently supports only Macintosh and Windows systems, Langston pointed out that any device with Wi-Fi can be admitted to a network if the administrator wants to put in the extra work and create an exception. “iPhones can be admitted…if the network administrator makes an exception for them.”

Lack of IT department control over unmanaged devices can be dangerous. “While it may be cool for a person to bring their own personal iPhone in and browse the Web on it, the IT department really has no idea what’s on that device,” said Kerravala. “It could have a virus on it. It could have detrimental effects on the network.”

Without a NAC in place, enterprises face two dangers, said Langston. The first is allowing guests unlimited access to the network, which is the way most Windows enterprises are today, he said. “The risk of that obviously is if the system has a virus or the system is grossly out of date or you’ve got a malicious user who’s gotten into the building or the wireless network. They’re going to have unfettered access to steal data or start a virus.” The second is deploying a NAC solution that gives guests the regular full package, which isn’t practical if they only need to use it for one week.

According to Kerravala, enterprises historically expect harm from visitors, consultants and outside users. “But more and more, it’s actually the internal employee that’s the problem,” he said.

“At Yankee Group, we see consumerization of the enterprise being really one of the big forces of innovation today,” said Kerravala. “I think consumer technology in many ways outpaces corporate technology…people prefer to use a consumer device.

“It’s this big trend of consumerization and the enterprise that’s really caused the problem,” he continued. “I think consumer technologies far outpace enterprise innovation and that’s just going to continue. People line up outside The Apple Store to get the new iPhone. They don’t really line up outside their enterprise to get their new laptop.”
