McAfee is making it possible for customers to enforce network access policies on unmanaged devices such as laptops owned by visitors or consultants.
The company is announcing that customers now have the option to enforce NAC policies via McAfee’s intrusion-prevention system (IPS) appliance known as Network Security Platform (formerly called IntruShield).
So if an unmanaged device is discovered on the network, the IPS can restrict its network access in accordance with preset policies such as allowing the device to gain Internet access but nothing else. Until now, McAfee NAC policies could be enforced only via software on each endpoint, which meant that devices not managed by businesses could not be held to NAC rules.
In the first quarter of 2009, McAfee will introduce a separate appliance that is dedicated to NAC, so if customers don’t want an IPS, they can still enforce NAC policies on unmanaged devices.
That is the biggest benefit of device-based NAC enforcement, says Vinit Duggal, CISO of Intelsat, the $2.5 billion satellite communications company that was already a customer of McAfee security software. He says that software gives him good visibility into endpoint compliance with NAC rules and also finds rogue devices – unmanaged endpoints – that need to be contained.
These devices could include laptops brought onto the network by consultants and vendors or devices owned and installed by employees, he says. Once discovered by the software, an IPS can enforce NAC policies on these rogue devices.
Duggal likes NAC enforcement on the Network Security Appliance because it can take action directly without requiring intervention from staff. At the same time, McAfee’s endpoint NAC agent is also useful for managed devices because it can make sure they pass corporate policy health checks, Duggal says.
The ability to enforce NAC via software and hardware will become a common requirement that businesses will have when buying NAC equipment, says Rob Whiteley, an analyst with Forrester Research. “Unless you have a very narrow need for NAC, then ultimately you’re going to need a solution from one vendor or multiple that gives you the flexibility to do either,” he says.
A business that just wants to keep guests and visitors off the corporate network but grant them Internet access can get by with a NAC appliance, he says, but appliances don’t scale well for deployment in large organizations, Whiteley says.
Before this hardware announcement, McAfee’s NAC options were limited to its Policy Enforcer Agent running on endpoints managed by McAfee’s overriding ePolicy Orchestrator (ePO), which also manages McAfee antivirus, antispam and host IPS. If the agent finds a problem, it restricts network connectivity without relying on network infrastructure for enforcement.
McAfee’s NAC software can also work in conjunction with other vendors’ NAC gear, including Juniper and Check Point, using their products as enforcement points. This gives McAfee parity with other vendors that came at NAC from the hardware side, says Whiteley. McAfee NAC is also compatible with Microsoft’s version of the technology called network access protection, or NAP, so NAP’s policy decision and enforcement mechanisms could be used with McAfee’s agent, for example.
The addition of network-based enforcement gives McAfee more options but not necessarily more options than its competitors, Whiteley says. He notes that Juniper can enforce NAC policies at its IPS or firewalls or other switches. But Juniper’s endpoint NAC client software doesn’t do as much as McAfee’s. “It’s not a full protection agent like McAfee’s, where you’re going to get more comprehensive risk coverage at the endpoint,” Whiteley says.
Because McAfee’s NAC is blended in with its ePO, managing NAC falls under an existing management platform, reducing the training needed to keep track of it, says Intelsat’s Duggal, and that is important. If he judges that security products by different vendors afford the same degree of protection, he next checks which is simpler to manage in order to decide between them.
Support for NAC on McAfee’s IPS is available now.