Network Access Control


Symantec Network Access Control : How to create a customised host integrity policy based on my conditions

  • 1.  Symantec Network Access Control : How to create a customised host integrity policy based on my conditions

    Posted 12-04-2013 05:04 AM

    Hi!!

     

    I would like to create a customised host integrity policy based on the following conditions:

     

         if antivirus is not installed

            then

                  it should install it

    and if antivirus date is older than 14 it should install from Symantec LiveUpdate servers

    else

    it should take the Symantec client out of the network.

     

    Thanks!!!!!



  • 2.  RE: Symantec Network Access Control : How to create a customised host integrity policy based on my conditions

    Posted 12-05-2013 04:06 AM

    You can accomplish all of this with the default "Antivirus Requirement" template (see screenie).  Just populate the correct path the machine should download the SEP install package from, and change the "update command" to sepliveupdate.exe if using SEP12.1.*.

    Enforcement (i.e. take the client out of the network) is up to you.  Clearly self-enforcement won't work if the SEP client isn't installed, so presumably you've investigated the Full SNAC options (Gateway/LAN/DHCP enforcers).

    Also, please note that any HI policy is dependent upon, at the very least, the SNAC client being present on the endpoint (if not the full SEP+SNAC client).  If you want to do detection and quarantining of endpoints that have neither software installed, then you'll likely be looking at one of the enforcement options in Full SNAC.

    On a final note, you've posted in the SEP forums.  You might get better response to these queries if you re-post in the SNAC one:

    https://www-secure.symantec.com/connect/security/forums/network-access-control



  • 3.  RE: Symantec Network Access Control : How to create a customised host integrity policy based on my conditions

    Posted 12-05-2013 04:51 AM

    Hello,

    SMLatCST is correct, you may use the "AV requirement" template, but at the least the SNAC agent should already be installed; otherwise the check can't be done.

    If a system does not have SEP, it is unlikely there's SNAC (but it is possible, one may have a non-Symantec AV and just SNAC w/o SEP); in such case, you need to use SNAC on-demand, i.e., if an unknown system is plugged in your network, it will get a temporary SNAC agent to perform the host integrity.

    "Take the Symantec client out of the network" is not that banal a task; it can be properly done if you have a complete SNAC solution (LAN enforcers, RADIUS servers, 802.1x switches, etc.), and proper expertise is required to design and implement it.

    Finally, having the SEP 12.1 clients use Symantec LU servers after X days w/o defs can already be set in the LiveUpdate policies, within the SEPM console, regardless of SNAC and HI policies.