The Case for NAC
Network Access Control (NAC) may be one of the most overused acronyms in the technology industry today, so it is important to start with a concrete definition of the term. The technology glossary whatis.com defines NAC as follows:
To simplify this definition, NAC can be construed as the enforcement of endpoint security policies across a variety of network types (i.e. physical and virtual networks such as LANs, WANs, and Internet-based VPNs) and device types. In most cases, NAC security policies include some combination of the following:
1. Endpoint health status. Before granting network access, NAC examines endpoint devices to check for things like system vulnerabilities, security software configuration parameters, and malicious code.
2. Authentication. Users and/or endpoint devices must authenticate (i.e. establish their identity) before being granted access to the network. Identity can be extended to other policy decisions. For example, the network can enforce NAC policies based on parameters like device type (i.e. company-issued laptop or home PC), location, source network, time of day, etc.
3. Authorization. NAC can be configured to limit a device to specific network assets or tasks and can also be tuned for specific types of networks. For example, an IP phone may be restricted to a particular VLAN and IP telephony gateway and only allowed to communicate using the SIP protocol.
From an architectural standpoint, NAC consists of 3 elements:
1. NAC clients. In a typical NAC deployment, agent code is installed on the client itself (although some technologies do support a clientless implementation). The client code tracks endpoint health and communicates with the rest of the NAC infrastructure.
2. NAC policy servers. NAC clients report their identity and health status to a NAC policy server. The NAC policy server provides rich configuration options, integration with Windows Active Directory group- and location-based policies, logging, and reporting. NAC policy servers should also have the capability to manage other endpoint security attributes such as patch and security signature status when possible.
3. NAC enforcement points. Based upon communication with the policy server, the NAC policy enforcement point acts as a traffic cop imposing NAC policies on endpoint devices.
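The following is an added illustration (not Symantec or SNAC code) of the decision a NAC policy server makes from a client's report: it applies the three policy elements above (health status, identity context such as role, device type, location and time of day, and authorization to a VLAN) and hands a verdict to the enforcement point. Field names, thresholds, role names and VLAN numbers are assumptions.

```python
"""Illustrative NAC policy-server decision (added example, not Symantec/SNAC code).
Models the three policy elements: endpoint health (signature age, patches,
host firewall), identity context (role, device type, location, time of day)
and authorization (which VLAN a healthy endpoint lands on).
Field names, thresholds, roles and VLAN numbers are assumptions.
"""
from dataclasses import dataclass, field

@dataclass
class EndpointReport:
    """What the NAC client on the endpoint reports to the policy server."""
    role: str                    # "hr", "staff" or "guest" (assumed roles)
    device_type: str             # "corporate" or "personal"
    location: str                # "lan", "wireless" or "vpn"
    av_signature_age_days: int
    missing_critical_patches: int
    firewall_enabled: bool
    hour: int                    # hour of day the request arrived, 0-23

@dataclass
class Decision:
    verdict: str                 # "allow", "remediate" or "deny"
    vlan: int
    reasons: list = field(default_factory=list)

VLAN_CORP, VLAN_HR, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 30, 99   # assumed

def health_violations(r: EndpointReport, strict: bool) -> list:
    """Health checks; the strict profile tolerates stale signatures less."""
    max_sig_age = 3 if strict else 7
    v = []
    if r.av_signature_age_days > max_sig_age:
        v.append(f"antivirus signatures {r.av_signature_age_days}d old (max {max_sig_age})")
    if r.missing_critical_patches > 0:
        v.append(f"{r.missing_critical_patches} critical patch(es) missing")
    if not r.firewall_enabled:
        v.append("host firewall disabled")
    return v

def decide(r: EndpointReport) -> Decision:
    """Policy-server decision handed to the enforcement point."""
    # Identity context: personal devices and wireless/VPN sessions use the strict profile.
    strict = r.device_type != "corporate" or r.location in ("wireless", "vpn")
    # Time-of-day rule (assumed): personal devices only between 07:00 and 19:00.
    if r.device_type == "personal" and not 7 <= r.hour < 19:
        return Decision("deny", VLAN_QUARANTINE, ["personal device outside permitted hours"])
    violations = health_violations(r, strict)
    if violations:
        return Decision("remediate", VLAN_QUARANTINE, violations)
    # Authorization: a healthy endpoint still only reaches what its role needs.
    if r.role == "guest" or r.device_type == "personal":
        return Decision("allow", VLAN_GUEST, ["restricted to guest network"])
    return Decision("allow", VLAN_HR if r.role == "hr" else VLAN_CORP)
```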
Aligning NAC with Business Requirements
While NAC technologies are deployed on networks and endpoint
devices, NAC is really a business – not an IT – initiative. NAC
technologies can keep unauthorized users and unhealthy devices off
the network to improve security and network availability. At the
same time, NAC helps enable business processes by:
Opening the network to both employees and non-employees. According to ESG Research, nearly half of all large organizations open their networks to outside constituencies in order to streamline communications, drive revenue, and lower costs (see Figure 1). This type of “openness” will only continue to grow in the future. NAC can help companies achieve these business benefits without compromising security.
Improve corporate governance. NAC can supplement existing access controls and provide detailed audit information for compliance and corporate governance reporting.
Automate IT processes. NAC can streamline desktop support operations by automating endpoint security remediation and patch management.
Help enhance data privacy and security. NAC can enable fine-grained network authorization, keeping bad guys away from valuable network assets and private data.
NAC security and business enablement capabilities should not be
underestimated. To gain the most out of NAC projects, CIOs should
align technology planning with business requirements and view NAC
as a strategic initiative.
NAC Implementation Challenges
Business and IT executives understand the intrinsic security and
operational value of NAC solutions but achieving these results can
still be difficult. Why? When it comes to NAC implementation, ESG
has found a number of common problems. NAC solutions often fail to
live up to expectations because:
Tactical solutions can’t scale. Tactical NAC solutions can address isolated problems, but they can’t be glued together into an enterprise NAC infrastructure that addresses a multitude of needs. For example, an out-of-band LAN-based NAC appliance can enforce a few rules for wired desktops but ignores users connected via wireless Access Points (APs) or logging on to the network remotely. Frustrated CIOs soon realize that a strategic NAC implementation demands an end-to-end solution, not a patchwork of point tools.
NAC policies and enforcement techniques aren’t black and
white. What constitutes a “healthy” endpoint? When an endpoint
is out of compliance, what actions should NAC undertake? These
relatively simple questions often turn into complex implementation
decisions. A “healthy” endpoint
definition may depend upon a user’s role, location, and time
considerations. Enforcement techniques may vary depending upon
whether an endpoint is connecting over a LAN, WAN, wireless
network, or through a remote access gateway. NAC deployments that
don’t take endpoint policy and enforcement diversity into account
can lead to draconian security measures, frustrated users, and
ultimately, NAC project failure.
NAC success depends upon organizational cooperation. In spite
of its focus on endpoint, network, and security technologies, NAC
is not solely an IT initiative. Smart CIOs will educate business
leaders about NAC capabilities and objectives and then agree on a
mutually beneficial deployment plan that improves security without
interrupting user productivity. Without this organizational
planning upfront, NAC projects won’t have a business context
around network access control policies and enforcement. As such,
NAC won’t add much value beyond basic endpoint security
inspection.
NAC can demand incremental investment. With some products, NAC goes beyond the addition of endpoint software and policy servers, demanding new switches, wireless Access Points (APs), and custom integration between switches and RADIUS servers. In these scenarios, well-intentioned security managers may ruffle a few feathers in the networking group when NAC initiatives lead to unplanned budget outlays, project management, and upgrade activities.
In reviewing these issues, ESG sees a common pattern. NAC failure is related to a combination of poor planning, a tactical mindset, and an IT-centric, myopic viewpoint. In each case, NAC solutions assume a firewall-like role in order to restrict or deny access to a particular set of users or endpoints. This narrow-minded approach ultimately limits end-to-end network protection and the mapping of network access to business process requirements. NAC deployments may start with altruistic goals, but these limitations often lead projects to end in a sea of disappointment and collapse.
The Secret to NAC Success
Based on the issues described above, it is easy to see a pattern of underachievement related to NAC deployment, but it doesn’t have to be this way. ESG believes that large organizations can maximize the opportunity for NAC success by taking a pragmatic, long-term approach to implementation. Projects should be based upon:
1. A phased approach. The appliance vendors have one thing right – NAC deployments should begin with a focus on tactical pain points like guest or remote access. These implementations should not occur in a vacuum, however; rather, they should be viewed as the first stage of a multi-phased enterprise implementation. Each phase addresses an incremental network access requirement and carries its own policies, enforcement methods, and metrics.
2. Organizational buy-in. Line-of-business managers must understand the objectives and functions that NAC can offer and willingly participate in the rollout process. This means that the two teams will collaborate on role-based access policies, enforcement actions, and user training. CIOs also have to make sure that networking, security, helpdesk, and IT operations embrace NAC and keep lines of communication open throughout the project.
3. A flexible technology solution. To accommodate a multitude of
user profiles and networking technologies, large organizations need
NAC solutions offering multiple simultaneous methods of policy
enforcement that will likely change over time. NAC solutions should
also feature central
command-and-control for policy management, configuration
management, and reporting. To fit into the overall security
architecture, NAC should provide native integration with endpoint
antivirus, anti-spyware, and firewalls through a single set of
security agent policies and offer consolidated
reporting and auditing.
These three requirements all but eliminate tactical NAC appliances
as viable solutions for large organizations. Rather, CIOs must shop
for flexible strategic solutions as the basis for NAC deployments
that evolve over time. One solution that fits this model is
Symantec Network Access Control (SNAC), a Symantec offering based
on technology it acquired from Sygate, an early NAC innovator.
Recently, Symantec extended its SNAC universe by embedding a SNAC
agent as part of its Symantec Endpoint Protection 11.0.
With this release, ESG believes that large organizations can use
the full complement of SNAC options to phase in NAC protection over
time, helping companies ease into NAC, gain experience, and
increase incremental benefits on a phase-by-phase basis. SNAC
flexibility is a function of its central management and deployment
options including:
1. PHASE 1: Discrete policy enforcement at the endpoint through the SEP firewall (i.e. policy enforcement using the firewall included in SEP 11.0, Symantec’s next-generation antivirus solution).
2. PHASE 2: Policy enforcement at the network perimeter by using a SNAC appliance.
3. PHASE 3: Policy enforcement across the LAN using DHCP or the 802.1X protocol.
Each of these enforcement methods can be used discretely or in combination with the others. In this way, SNAC can deliver incrementally improving coverage and protection through a phased NAC implementation.
With the release of Symantec Endpoint Protection 11.0, Symantec provides NAC functionality for managed endpoints by aggregating a number of disparate technologies into a common endpoint agent. For Symantec, this process was the culmination of new antivirus, anti-spyware, and firewall functionality combined with the assets of multiple acquisitions including Whole Security (behavior-based heuristics) and NAC pioneer Sygate.
As a leader in client security, Symantec’s installed base exceeds
100 million endpoints. As users upgrade their endpoint security
suites to SEP 11.0 they can take advantage of baked-in SNAC
capabilities for immediate benefit. Symantec’s SEP management
console can be used to set basic SNAC policies with policy
enforcement carried out on the endpoint itself through the use of
dynamic firewall rules.
With this type of implementation, Symantec customers can take
advantage of their SEP infrastructure to gain NAC benefits such
as:
Endpoint profiling. Even highly secure organizations often have
no idea what is actually running on their endpoints. SNAC can
provide a direct payback by providing a report detailing endpoint
configuration information. This type of situation is illustrated in
Figure 1. A large global organization
was experiencing frequent problems with infected endpoints
propagating viruses and worms to other nodes around the network.
Security managers suspected problems with configuration managers
and antivirus configurations but these were really just educated
guesses -- in reality, IT was “flying blind.” After
implementing SNAC, security managers were able to pinpoint problem
areas with solid metrics (see Figure 5). This information was used
to prioritize remediation activities effectively and
efficiently.
Policy creation. Based on the configuration information, IT and business managers can then begin to define what a “standard” endpoint should look like and how to enforce policy compliance. To ease into NAC, ESG believes it is best to monitor policy compliance initially without any type of automated enforcement. Once IT sees a pattern of compliance, it can phase in appropriate levels of enforcement rules without disrupting users.
Get IT on board. SNAC monitoring provides useful information across IT organizations including security, compliance, helpdesk, and IT operations groups. Smart companies will distribute this data across functional groups, test SNAC enforcement scenarios, and share experiences across all of IT. This knowledge sharing will accelerate SNAC into the next phase.
SNAC Appliance Enforcement
With a baseline of endpoint enforcement, large organizations can gain SNAC experience and move on to more difficult NAC use cases such as securing unmanaged endpoints (i.e. endpoints that are not running SEP 11.0) or endpoints accessing the network from wireless Access Points, through SSL and IPsec VPNs, and across WAN links.
As more endpoints come on line, IT managers can use the SNAC
infrastructure to harden access policies, strengthen enforcement
rules, and implement the automated SNAC remediation capabilities.
Employee PCs can be outfitted with a SNAC agent in combination with
SEP or on its own. For non-employee machines, SNAC provides
“dissolvable agents.” These Java-based agents are delivered
on-demand to appraise endpoint compliance status and remove
themselves after a network session is completed. SNAC benefits
speak for themselves. One SNAC user had numerous issues related to
employee and contractor endpoint configuration problems including
patch management, security, asset management, antivirus, and file
encryption (see Figure 5). After implementing SNAC, the company was
able to attain 99% policy compliance for employee PCs. This helped
improve security while reducing help desk costs.
When implementing SNAC appliances, large organizations should plan to:
Establish and implement a quarantine policy. During the first phase, most organizations should stick with passive monitoring to establish a database of endpoint assets and configurations. As more endpoints access the network through SNAC appliances, it’s time to establish endpoint health policies and enforcement techniques. ESG recommends a modest start where “out of compliance” endpoints receive status information and remediation instructions. Over time, enforcement should become more stringent. Ultimately, questionable endpoints can be quarantined to safe VLANs or guided to remediation services.
Automate remediation. Industry estimates vary, but it is safe to assume that helpdesk calls carry a cost of $35-$50 while hands-on desktop support costs about $200 to $300 per instance. One of the unique features of SNAC is its ability to automate remediation services rather than simply quarantine non-compliant endpoints or redirect them to a remediation VLAN. To eliminate this operational overhead, smart CIOs will take advantage of SNAC’s unique capabilities and automate the remediation process. This alone should reduce help desk calls, streamline desktop support, and pay for the cost of the SNAC technology.
As users deploy SNAC appliances, they can move SNAC management from
SEP to the more comprehensive SNAC management console. This
migration will enable them to take advantage of SNAC centralized
policy management and reporting capabilities.
SNAC Enforcement across the LAN
In the final phase, the goal should extend to SNAC coverage for all endpoints accessing the network.
Rather than continuing to rely on endpoint-based enforcement, SNAC takes advantage of the networking infrastructure itself, using DHCP and/or 802.1X to grant, deny, or restrict network access. With DHCP, SNAC provides a temporary IP address to each endpoint during the inspection process. If the endpoint is deemed “healthy,” SNAC simply gets out of the way and allows the endpoint to lease an IP address from the DHCP server through the normal process. If an endpoint is out of compliance, however, SNAC can deny an IP address lease or provide a temporary address that restricts network access and activities. With 802.1X, SNAC can extend network access controls to incorporate endpoint identity into enforcement decisions.
Using DHCP and/or 802.1X, large organizations open up a number of new NAC options and capabilities.
Objectives in this phase should include:
Network authorization. The 802.1X protocol can work seamlessly with RADIUS for authentication and switch-based enforcement through IEEE standards and vendor-specific functionality. Large organizations should take advantage of these options by crafting policies, designating VLANs, and creating switch-based ACLs for network authorization -- not just access control. For example, endpoints used by employees in HR may be provided access to IP address 155.168.1.1 using the HTTP protocol, but all other employees shouldn’t be able to see this asset on the network. Beyond 802.1X alone, SNAC can also act as a RADIUS proxy and then tie directly into edge Ethernet switches to customize enforcement rules.
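As an added illustration (not SNAC's code), the following shows how the LAN-phase decision described above is turned into enforcement: for 802.1X, the RADIUS reply carries the standard VLAN-assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, per RFC 3580) plus a Filter-Id naming a switch ACL; for DHCP, the lease offered depends on health. The "hr-only" ACL encodes the HR example from the text; VLAN numbers, ACL names, the remediation server address and the verdict strings are assumptions.

```python
"""Mapping a NAC verdict onto LAN enforcement (added illustration, not SNAC code).
802.1X path: RADIUS attributes returned to the edge switch (VLAN + named ACL).
DHCP path: normal lease, short restricted lease, or no lease.
VLAN ids, ACL names, the remediation server and verdict strings are assumed;
155.168.1.1 and the HR rule come from the text's example.
"""
VLAN_CORP, VLAN_HR, VLAN_QUARANTINE = 10, 20, 99   # assumed VLAN numbers

# Named switch ACLs as (action, proto, dst_host, dst_port); "any" is a wildcard.
# "hr-only": HR may use HTTP to 155.168.1.1; "staff": nobody else reaches that host.
SWITCH_ACLS = {
    "hr-only": [("permit", "tcp", "155.168.1.1", 80),
                ("deny", "any", "155.168.1.1", "any"),
                ("permit", "any", "any", "any")],
    "staff": [("deny", "any", "155.168.1.1", "any"),
              ("permit", "any", "any", "any")],
    "quarantine": [("permit", "any", "10.0.99.5", "any"),   # remediation server (assumed)
                   ("deny", "any", "any", "any")],
}

def acl_permits(acl_name: str, proto: str, dst: str, port: int) -> bool:
    """First-match evaluation of a named ACL; implicit deny if nothing matches."""
    for action, r_proto, r_dst, r_port in SWITCH_ACLS[acl_name]:
        if r_proto in ("any", proto) and r_dst in ("any", dst) and r_port in ("any", port):
            return action == "permit"
    return False

def radius_reply(verdict: str, role: str) -> dict:
    """RADIUS attributes the policy server (or RADIUS proxy) returns for an 802.1X session."""
    if verdict == "deny":
        return {"code": "Access-Reject"}
    if verdict == "remediate":
        vlan, acl = VLAN_QUARANTINE, "quarantine"
    elif role == "hr":
        vlan, acl = VLAN_HR, "hr-only"
    else:
        vlan, acl = VLAN_CORP, "staff"
    return {"code": "Access-Accept",
            "Tunnel-Type": 13,                 # VLAN (RFC 3580)
            "Tunnel-Medium-Type": 6,           # IEEE-802
            "Tunnel-Private-Group-ID": str(vlan),
            "Filter-Id": acl}                  # switch applies the named ACL

def dhcp_response(verdict: str) -> dict:
    """DHCP-based enforcement: pass through, restricted temporary lease, or refuse."""
    if verdict == "allow":
        return {"action": "forward-to-dhcp-server", "scope": "production", "lease_seconds": 86400}
    if verdict == "remediate":
        return {"action": "offer", "scope": "remediation", "lease_seconds": 300}
    return {"action": "nak"}
```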
The Bottom Line
Too often NAC is viewed as a destination, but this is a mistake. Rather than an end in itself, ESG believes that NAC is more of a journey that changes along the way. Symantec Network Access Control mirrors this metaphor by providing configuration options for isolated NAC protection or enterprise coverage. With SNAC, large organizations can achieve a “good, better, best” implementation strategy by phasing SNAC into the enterprise, expanding its reach through each project stage, creating progressively more stringent policies, and tailoring enforcement to business and IT considerations.
By the end of this final phase, the SNAC project should be fairly
complete (though CIOs recognize that nothing is ever truly
completed in IT). All endpoints accessing the network will be
stopped for health inspections with non-compliant endpoints either
quarantined or updated in real time. Remediation itself will evolve
from a labor-intensive costly IT task to an automated process.
Finally, SNAC will extend its functionality beyond network access
controls alone and begin to enforce network authorization
rules.
Ultimately, SNAC may lead to a rare set of circumstances for IT—
SNAC can actually enhance security while lowering costs.