1.4 Overview

Novell ZENworks Network Access Control protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. Novell ZENworks Network Access Control systematically tests endpoints—with or without the use of a client or agent—for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.

Novell ZENworks Network Access Control ensures that the applications and services running on endpoints (such as LAN, RAS, VPN, and WiFi endpoints) are up-to-date and free of worms, viruses, trojans, P2P and other potentially damaging software. It dramatically reduces the cost and effort of securing your network's weakest links—the endpoints your IT group might not adequately control.

There are advantages and disadvantages inherent with each of the test method technologies. Having a choice of testing solutions enables you to maximize the advantages and minimize the disadvantages.

HINT: Agentless testing uses an existing Windows service (RPC). ActiveX testing uses an ActiveX control. Novell agent testing installs an agent (NAC Agent) and runs as a new Windows service.

The trade-offs in the test methods are described in the following table:

Table 1-2 Test Methods

Agentless

Pros:

  • Truly agentless, no install or download.

  • No extra memory load on the client machine.

  • Can begin testing, view test results, and give network access without any end-user interaction for endpoints on your Windows domains.

  • Easiest of the three test methods to deploy.

  • Saves administration time and is therefore less expensive than agent‑based solutions.

Cons:

  • Requires the RPC Service to be reachable from the Novell ZENworks Network Access Control server (ports 139 or 445).

  • Requires file and print sharing to be enabled.

  • Not supported by legacy Windows™ operating systems and non-Windows operating systems.

  • If the endpoint is not on a domain, the user must specify local credentials. A user often does not know what credentials to enter.

ActiveX plug-in

Pros:

  • No installation or upgrade to maintain.

  • Supports all Windows operating systems.

  • Only Internet Explorer application access is required through the personal firewall. Port 1500 must be open.

Cons:

  • No retesting of the endpoint once the browser is closed.

  • Not supported by non-Windows operating systems.

  • Browser security settings must allow ActiveX control operation of signed and safe controls. This is the default for the Internet zone. Raise the Internet zone setting and make Novell ZENworks Network Access Control part of the trusted zone.

  • Requires interaction from end‑users—they must download the control before they can access the network.

NAC Agent

Pros:

  • Always available for retesting.

  • The agent is automatically updated with product updates.

  • Supports all Windows platforms.

Cons:

  • Install and upgrade to maintain.

  • Requires one-time interaction from end-users—they must download and install the agent before they can access the network.

The following sections highlight key features:

1.4.1 The Novell ZENworks Network Access Control Process

Novell ZENworks Network Access Control administrators create NAC policies that define which applications and services are permitted, and specify the actions to be taken when endpoints do not comply. Novell ZENworks Network Access Control automatically applies the NAC policies to endpoints as they log into the network, and periodically as the endpoints remain logged into the network. Based on results, endpoints are either permitted or quarantined to a specific part of the network, thus enforcing the organizational security standards. Novell ZENworks Network Access Control tracks all testing and connection activity and produces a range of reports for auditors, managers, and IT staff.

Novell ZENworks Network Access Control performs pre-connect testing; when an endpoint passes the NAC policy tests (or is otherwise granted access), the endpoint is allowed access to the network. If you have external Intrusion Detection System/Intrusion Prevention System (IDS/IPS) systems that monitor your network for attacks, you can configure these external systems in Novell ZENworks Network Access Control so they can request that Novell ZENworks Network Access Control quarantine an endpoint after it has been connected (post-connect).

1.4.2 About Novell ZENworks Network Access Control

The following sections contain more information:

NAC Policy Definition

NAC policies consist of individual tests that evaluate the security status of endpoints attempting to access the network. Specific tests assess operating systems, verify that key hotfixes and patches have been installed, ensure antivirus and other security applications are present and up-to-date, detect the presence of worms, trojans, and viruses, and check for potentially dangerous applications such as file sharing, peer-to-peer (P2P), or spyware. See Section B.0, Tests Help for more information.

Key features include:

  • Out-of-the-box NAC policies — High, medium, and low security are ready to use with no additional configuration required.

  • Standard and custom tests — Novell ZENworks Network Access Control comes with a broad range of tests. You can also create custom tests through the Novell ZENworks Network Access Control application programming interface (API).

  • Automatic test updates — Novell ZENworks Network Access Control is automatically updated with tests that cover newly released patches, hotfixes, software updates, worms, and trojans, and recommended security settings for common applications. New tests are automatically added to the test database as frequently as hourly, ensuring immediate protection against newly discovered threats.

  • Organization-specific policies — Any number of NAC policies can be created and tailored to your organizational needs. Create policies for like endpoints (for example, all Windows 2000 workstations), for an IP range or specific IPs, or by geographic location.

Endpoint Testing

Novell ZENworks Network Access Control automatically tests all endpoints attempting to access your network through a LAN, RAS, VPN, or WiFi connection. Tests are fast and you are kept informed of test progress and results. After the initial compliance tests, Novell ZENworks Network Access Control periodically tests endpoints that have been granted access to ensure that real-time system changes do not violate the NAC policy.

HINT: Novell ZENworks Network Access Control passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single Novell ZENworks Network Access Control server for a single testing session with the High Security NAC policy (approximately 20 tests). It typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN. If your endpoints are taking longer to test, there might be a configuration problem with DNS on the Novell ZENworks Network Access Control server.

NOTE: If the end-user selects ActiveX test and then closes the browser, their endpoint is not retested until the end-user opens another browser session, reloading the ActiveX agent.

Key features include:

  • Multiple test method options — Agentless, ActiveX, or NAC Agent. Select the most appropriate method for your environment or endpoint.

  • Rapid testing and robust endpoint management — Thousands of endpoints can be tested and managed simultaneously.

  • Continual testing — Endpoints are retested on an administrator-defined interval as long as they remain connected to the network.

Compliance Enforcement

Based on endpoint test results, Novell ZENworks Network Access Control takes the appropriate action. Endpoints that test compliant with the applied policy are permitted access. Non-compliant endpoints are either quarantined or given access for a temporary period, during which the necessary fixes must be implemented.

Key features include:

  • Flexible enforcement options — Grant and quarantine criteria are designated by the administrator and driven by the criticality of the selected tests and corporate security standards.

  • Manual overrides — Administrators can retest, quarantine, or grant access to endpoints on demand.

  • User notifications — Users of non-compliant endpoints receive immediate notification about the location of the endpoint deficiencies, as well as step-by-step information about implementing the corrections to achieve compliance.

  • Administrator notifications — Administrators receive a variety of notifications and alerts based on testing and access activity.

  • Graduated enforcement — Allows controlled system rollout.

Automated and Manual Repair

  • Self-remediation — End-users are notified of where their endpoints are deficient and provided with remediation instructions.

  • Access grace period — Non-compliant endpoints are granted access for a temporary, administrator-defined period to facilitate remediation.

  • Patch Management — Novell ZENworks Network Access Control can integrate with patch management software, automating the process to get an endpoint updated and on the network.
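The decision flow described under Compliance Enforcement and Automated and Manual Repair (criticality-driven grant or quarantine, a temporary access grace period, retesting on an interval) can be modelled as follows. This is an added illustration, not Novell ZENworks Network Access Control code or its API; the Test/Policy/Endpoint types, the critical flag, the test names and the addresses are constructed assumptions.

```python
# Added example (not Novell ZENworks Network Access Control code or its API): a
# constructed model of how criticality-driven grant/quarantine decisions and an
# administrator-defined access grace period fit together. All names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Test:
    name: str
    critical: bool  # failing a critical test forces immediate quarantine

@dataclass
class Policy:
    tests: List[Test]
    grace_period: timedelta  # temporary-access window for non-critical failures

@dataclass
class Endpoint:
    address: str
    first_failure_at: Optional[datetime] = None  # when the grace clock started

def evaluate(policy: Policy, results: Dict[str, bool], ep: Endpoint,
             now: datetime) -> Tuple[str, List[str]]:
    """Return ('permit'|'temporary'|'quarantine', failed test names); a test
    absent from results counts as failed, since an endpoint that was not
    assessed is not known to be compliant."""
    failed = [t.name for t in policy.tests if not results.get(t.name, False)]
    if not failed:
        ep.first_failure_at = None  # compliant again: reset the grace clock
        return "permit", failed
    if any(t.critical for t in policy.tests if t.name in failed):
        return "quarantine", failed
    if ep.first_failure_at is None:
        ep.first_failure_at = now  # first non-critical failure starts the clock
    if now - ep.first_failure_at <= policy.grace_period:
        return "temporary", failed  # access granted while the user remediates
    return "quarantine", failed  # grace period exhausted without remediation

def demo() -> List[str]:
    """Constructed scenario: one endpoint retested over several hours, 2-hour grace."""
    policy = Policy([Test("worm-signature-absent", critical=True),
                     Test("antivirus-definitions-current", critical=False)],
                    grace_period=timedelta(hours=2))
    ep, t0 = Endpoint("10.0.0.25"), datetime(2024, 1, 1, 9, 0)  # constructed values
    av_stale = {"worm-signature-absent": True, "antivirus-definitions-current": False}
    av_fixed = {"worm-signature-absent": True, "antivirus-definitions-current": True}
    runs = [(0, av_stale), (1, av_stale), (3, av_stale), (4, av_fixed),
            (5, {"antivirus-definitions-current": True})]  # last: worm test not run
    return [evaluate(policy, r, ep, t0 + timedelta(hours=h))[0] for h, r in runs]
```

The failed-test names returned alongside the decision are what the self-remediation notification would present to the end user.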

Targeted Reporting

Novell ZENworks Network Access Control reports provide concise security status information on endpoint compliance and access activity. Specific reports are available for auditors, managers, and IT staff members.

For more information, see Section 14.0, Reports.