McAfee bolsters network access security

McAfee is making it possible for customers to enforce network access policies on unmanaged devices such as laptops owned by visitors or consultants.

The company is announcing that customers now have the option to enforce NAC policies via McAfee’s intrusion-prevention system (IPS) appliance known as Network Security Platform (formerly called IntruShield).

So if an unmanaged device is discovered on the network, the IPS can restrict its network access in accordance with preset policies such as allowing the device to gain Internet access but nothing else. Until now, McAfee NAC policies could be enforced only via software on each endpoint, which meant that devices not managed by businesses could not be held to NAC rules.

More in ComputerWorld Canada

Juniper has a NAC for security: Infonetics

In the first quarter of 2009, McAfee will introduce a separate appliance that is dedicated to NAC, so if customers don’t want an IPS, they can still enforce NAC policies on unmanaged devices.

That is the biggest benefit of device-based NAC enforcement, says Vinit Duggal, CISO of Intelsat, the $2.5 billion satellite communications company that was already a customer of McAfee security software. He says that software gives him good visibility into endpoint compliance with NAC rules and also finds rogue devices – unmanaged endpoints – that need to be contained.

These devices could include laptops brought onto the network by consultants and vendors or devices owned and installed by employees, he says. Once discovered by the software, an IPS can enforce NAC policies on these rogue devices.

Duggal likes NAC enforcement on the Network Security Appliance because it can take action directly without requiring intervention from staff. At the same time, McAfee’s endpoint NAC agent is also useful for managed devices because it can make sure they pass corporate policy health checks, Duggal says.

The ability to enforce NAC via software and hardware will become a common requirement that businesses will have when buying NAC equipment, says Rob Whiteley, an analyst with Forrester Research. “Unless you have a very narrow need for NAC, then ultimately you’re going to need a solution from one vendor or multiple that gives you the flexibility to do either,” he says.

A business that just wants to keep guests and visitors off the corporate network but grant them Internet access can get by with a NAC appliance, he says, but appliances don’t scale well for deployment in large organizations, Whiteley says.

Before this hardware announcement, McAfee’s NAC options were limited to its Policy Enforcer Agent running on endpoints managed by McAfee’s overriding ePolicy Orchestrator (ePO), which also manages McAfee antivirus, antispam and host IPS. If the agent finds a problem, it restricts network connectivity without relying on network infrastructure for enforcement.

McAfee’s NAC software can also work in conjunction with other vendors’ NAC gear, including Juniper and Check Point, using their products as enforcement points. This gives McAfee parity with other vendors that came at NAC from the hardware side, says Whiteley. McAfee NAC is also compatible with Microsoft’s version of the technology called network access protection, or NAP, so NAP’s policy decision and enforcement mechanisms could be used with McAfee’s agent, for example.

The addition of network-based enforcement gives McAfee more options but not necessarily more options than its competitors, Whiteley says. He notes that Juniper can enforce NAC policies at its IPS or firewalls or other switches. But Juniper’s endpoint NAC client software doesn’t do as much as McAfee’s. “It’s not a full protection agent like McAfee’s, where you’re going to get more comprehensive risk coverage at the endpoint,” Whiteley says.

Because McAfee’s NAC is blended in with its ePO, managing NAC falls under an existing management platform, reducing the training needed to keep track of it, says Intelsat’s Duggal, and that is important. If he judges that security products by different vendors afford the same degree of protection, he next checks which is simpler to manage in order to decide between them.

Support for NAC on McAfee’s IPS is available now.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now