Sophos NAC: Administrator roll-out guidelines

  • Article ID: 32670
  • Updated: 09 Jul 2010
Sophos NAC provides easy-to-deploy network access control (NAC). It allows administrators to centrally define and manage security policies to identify and isolate non-compliant, compromised, or misconfigured computers accessing the corporate network. It seamlessly integrates with existing network infrastructures and security applications from a wide range of vendors. These guidelines cover the steps necessary to deploy Sophos NAC for Endpoint Security and Control. You are strongly encouraged to follow these guidelines. These guidelines complement the following documentation; they are not a replacement for it.
  • Endpoint Security and Control quick startup guide
  • Endpoint Security and Control advanced startup guide
  • Endpoint Security and Control quick upgrade guide
  • Endpoint Security and Control advanced upgrade guide
  • Sophos NAC Manager configuration guide
  • Sophos NAC DHCP configuration guide
  • Sophos NAC release notes
  • Sophos Compliance Agent configuration guide

Contents

  1. System requirements
  2. Installing Sophos NAC
  3. Verifying the NAC URL server address
  4. Accessing the NAC Manager
  5. Pre-defined NAC policies and policy customization
  6. Sophos Enterprise Console configuration
  7. Phased deployment of network access control
  8. Troubleshooting

1. System requirements

See the Sophos NAC release notes.

2. Installing Sophos NAC

You can install Sophos NAC as a single server or multiple server installation.

For installations that are 1,000 endpoints or less, Sophos NAC can be installed on the same server as Sophos Enterprise Console. For larger installations, the Sophos NAC application, the Sophos NAC databases, and Sophos Enterprise Console each requires its own server, for a total of three servers. NAC requires that the server run a supported version of Windows Server. For more information, see the Sophos NAC release notes.
  1. Install Sophos NAC using the Sophos NAC installer on the Sophos website (Go to https://secure2.sophos.com/en-us/mysophos/cookies.aspx, type your MySophos username and password, and download the installer on the Endpoint Security and Control downloads page). For more information, see the appropriate startup guide.
  2. Install the Compliance Dissolvable Agent using the Compliance Dissolvable Agent installer on the Sophos website (Go to https://secure2.sophos.com/en-us/mysophos/cookies.aspx, type your MySophos username and password, and download the installer on the Endpoint Security and Control downloads page). For more information, see the appropriate startup guide.
    The Dissolvable Agent is used for guest and other unmanaged users. The Dissolvable Agent may be installed on the server where you installed Sophos NAC or another Web server. This Agent uses the Unmanaged policy to enforce compliance and grant guest users appropriate network access. Guest and other unmanaged users can access the Dissolvable Agent using the URL you provide to them.

3. Verifying the NAC URL server address

Install Sophos Enterprise Console and ensure that the NAC URL server address is configured correctly. For more information, see the appropriate startup guide.

Note: The Sophos Enterprise Console installation attempts to pre-populate the NAC URL with the correct server address. If successful, the NAC Manager opens when you click the NAC toolbar icon in Sophos Enterprise Console. If not successful, you are prompted to type the correct server address when you click the NAC toolbar icon. The Agent uses the NAC URL to communicate with the NAC server. For more information, see the appropriate startup guide.

NAC URL: This URL is the IP address or DNS name of the Sophos NAC server. If Sophos NAC was installed on more than one server, this URL is the IP address or DNS name of the application server and not the database server. Guest and other unmanaged users can access the Dissolvable Agent using the URL you provide to them.

4. Accessing the NAC Manager

The NAC Manager provides a centralized location for policy definition and endpoint compliance reporting.

Since you have installed Sophos NAC as part of Sophos Endpoint Security and Control, you can access the NAC Manager from Sophos Enterprise Console. To do this, click the NAC button on the toolbar. For more information, see the Sophos Enterprise Console help.

OR

Access the NAC Manager directly using the following steps:
  1. Open Internet Explorer.
  2. Type the following address: http://<ip address/DNS of the Sophos NAC server>/SophosNAC. The NAC Manager Logon page appears.
  3. Type Admin in the Account Name field and a password of your choice in the Password field.
  4. Click OK.
Important: For the NAC Manager to display and save information and to display graphics appropriately, you must turn off pop-up blocking when you access the NAC Manager.

5. Pre-defined NAC policies and policy customization

Using the NAC Manager, you can update the pre-defined policies, profiles, and access templates as appropriate. Policies control access to enterprise network resources based on profile evaluations on the endpoint. Policies manage the configuration that determines the endpoint compliance state, messages that display, remediation actions that are performed, and enforcement actions that are taken.

Use Pre-defined Policies

Use the pre-defined policies to enforce security compliance for both managed and unmanaged endpoints. The pre-defined policies include Default, Managed, and Unmanaged. During the endpoint compliance assessment, the Agent retrieves the policy associated with the endpoint's group in Sophos Enterprise Console. For more information, see section 6: Sophos Enterprise Console configuration.
  • Default: This policy is used if an endpoint has the Sophos Compliance Agent installed and no other policy has been assigned. By default, the policy mode is set to Report Only. This policy performs remediation actions on the endpoint if the policy mode is set to Remediate or Enforce.
  • Managed: This policy can be used for endpoints that are managed with Sophos Enterprise Console and have the Sophos Compliance Agent installed. By default, the policy mode is set to Report Only. This policy performs remediation actions on the endpoint if the policy mode is set to Remediate or Enforce.
  • Unmanaged: This policy can be used for endpoints from outside of the company. This policy does not perform remediation actions on the endpoint. The Dissolvable Agent uses the Unmanaged policy.
Customize Pre-defined Policies

Ensure that the correct enterprise profiles, messaging, and enforcement are applied to the Managed and Unmanaged policies in the NAC Manager:
  1. Ensure that the correct profiles are added to the Managed and Unmanaged policies. You can create production-ready profiles or update the profiles that are pre-defined by the software so they are production-ready.
    Note: Production-ready profiles should contain the operating systems and applications, as well as the required messaging and remediation actions.
  2. Ensure that the correct access templates are added to the Managed and Unmanaged policies. You can use the default access templates or create new production-ready access templates as necessary.

6. Sophos Enterprise Console configuration

Sophos Enterprise Console Group and Policy Assignment

Once you have installed Sophos NAC as part of Sophos Enterprise Console, you must use Sophos Enterprise Console to create or import groups and apply the Managed policy to groups. For more information, see the Sophos Enterprise Console help.

Sophos Compliance Agent deployment

Once you have used Sophos Enterprise Console to create or import groups and apply NAC policies to groups, you can deploy Sophos Compliance Agents to endpoints using the Protect computers wizard. For more information, see the Sophos Enterprise Console help.

7. Phased deployment of network access control

Use a phased deployment to roll out Sophos NAC. Change the Policy Mode for your policies from Report Only to Remediate to Enforce to ensure a seamless deployment.

Report-only policy

Sophos NAC defaults to Report Only. Sophos recommends that you do not remediate or enforce policy across your entire network until your policy configuration has been thoroughly checked and tested.
  1. Assess enterprise compliance using Report Only policy mode. The Managed policy defaults to Report Only policy mode.
  2. Use the reports in the NAC Manager to determine the current enterprise compliance state.
Note: The reports provide a realistic view of how compliant users are with the enterprise security policy. Ensure that for each profile, the conditions were evaluated and accurate compliance states were applied. View the Assessment Details page in the NAC Manager reports for compliance assessment details regarding each profile and its capabilities.

Remediation policy

Implement remediation policy.
  1. Update the Managed policy. Change the policy mode from Report Only to Remediate.
  2. Use the reports in the NAC Manager to determine the current enterprise compliance state.
Note: Over time, endpoints that are non-compliant and partially-compliant should remediate to improve the overall compliance state. Ensure that for each profile, the conditions were evaluated, accurate compliance states were applied, appropriate messaging displayed, and remediation actions were performed. View the Assessment Details page in the NAC Manager reports for compliance assessment details regarding each profile and its capabilities.

Enforcement policy

Implement enforcement policy. Once you enforce policy, all endpoints that are non-compliant will be quarantined with Internet access until they become compliant.
  1. Update the Managed policy. Change the policy mode from Remediate to Enforce.
  2. Use the reports in the NAC Manager to determine the current enterprise compliance state.
Note: Over time, endpoints that are non-compliant or partially-compliant must remediate or those users are denied access to network resources. Review the NAC Manager reports to determine the current enterprise compliance state.

For more information, see the Sophos NAC configuration guide. If you need additional information or guidance, then please contact technical support.

8. Troubleshooting

For information on troubleshooting issues, search the Sophos Knowledgebase.
