Symantec's Network Access Control platform provides the ability to interrogate, and if necessary, quarantine endpoint computers both prior to and while they are connected to the corporate network. The endpoints are scanned for compliance with administrator defined policies that can examine such features as the endpoint's patch update level, status of anti-virus software, etc.

The primary players in the Symantec Network Access control platform are the central Endpoint Protection Manager, the remote console facilitating access to the Endpoint Protection Manager, the persistent client for those machines that will support it, and various "Enforcer" components.

The Endpoint Protection Manager, which can also serve as the central management point for the vendor's Endpoint Protection product, provides the central policy definition, agent deployment and management, and reporting functions of the platform. Endpoint Protection Manager is a Java-based application that requires Windows 2000/XP/2003/2008 machines. It can be optionally accessed from remote locations via a separate Console application (Windows 2000/XP/2003/Vista/2008).

On the client side, three potential scanning choices are possible: A persistent client (Windows 2000/XP/2003/Vista/2008) that is loaded directly on the client itself and provides the most in terms of potential scanning and enforcement features; a new "dissolvable" Java-based client that can be delivered to the endpoint on-demand and removes itself when the connection session is completed (the on-demand client is delivered form a Gateway or DHCP-based Enforcer appliance); and an external scanner (Windows 2000/2003) that can remotely scan a target computer without requiring that it (the endpoint) be pre-loaded with specific software.

Finally, enforcement of the defined policies is the job of several "Enforcer" components, including an 802.1x-based LAN enforcer, an in-line network Gateway, and a DHCP enforcer, all of which are available as vendor delivered appliances (the DHCP enforcer can also be deployed as a Microsoft DHCP Server plugin). The persistent agent described above also supports self-enforcement capabilities, with the added advantage that the endpoint can be prevented from connecting to any other network (not just the corporate network) if policies are unmet. Non-compliant endpoints can be quarantined until remediation steps can be taken; and the persistent agent additionally features the ability to auto-remediate the endpoint if the administrator allows it.

New features in the latest Symantec Network Access Control release include the aforementioned on-demand client; identity-based access controls via a Web login in the dissolvable client and support for Active Directory, LDAP, RADIUS, or login data stored directly on the Enforcer; and MAC address-based access controls on the LAN 802.1x-based Enforcer (the MAC address of the endpoint is checked as it connects to an 802.1x switch, and allowed/blocked based on predefined lists of known MAC addresses).

Symantec Network Access Control is available now; the new release is expected to be available in August of 2008.

Visit the Symantec Web site for further information.