Security managers today have a mandate to prevent the theft or exposure of private customer data, and many must also be able to give auditors reports proving that due care has been taken to secure that information. In addition, enterprises are increasingly allowing PCs that they do not own or manage to connect remotely to their networks. Customer and supplier PCs, and sometimes employee home PCs are being granted remote access to critical systems and data.
Enforcing an access policy on all PCs that connect to the network has become recognized as one of the best ways to defend against the malware and other endpoint-related attacks used to compromise confidential information. However, the potential network disruption and added management complexity of most network access control (NAC) approaches has limited adoption of the technology.
Check Point Endpoint Security features unified NAC that protects enterprises from the risks of unsafe endpoints connecting to their networks. But unlike other solutions, it makes maximum use of existing investments in firewalls, VPNs, switches, and endpoint security.
1. Ensures endpoint policy compliance
Both before and after granting network access to an endpoint, Check Point NAC enforces policies that require up to date antivirus, antispyware, firewall rules, and software patches; specific application versions and registry entries; and other criteria. It quarantines unsafe employee PCs and brings them into compliance automatically, without involving end users. Check Point NAC also restricts network access by contractors, customers, and unknown guest users, mitigating the risks posed by unmanaged PCs.
2. Provides cooperative enforcement
Check Point Endpoint Security can enforce policy compliance with a comprehensive Network Access Control (NAC) policy prior to granting corporate owned or guest machine access to the network. Check Point Endpoint Security uses Cooperative Enforcement™ (host-based NAC)technology to pre-integrate with OPSEC partners and many other networking and security vendors. The Check Point Endpoint Security client software assesses NAC policy compliance on a PC and communicates the results to gateways that allow or block network access.
For internal NAC, Check Point Endpoint Security cooperates with the firewall component of Check Point’s VPN-1 security gateway to provide network segmentation level NAC with a firewall. Check Point Endpoint Security also cooperates with switches and wireless access points from many other vendors to ensure that only secure, policy-compliant PCs gain access to the LAN. In addition, Check Point Endpoint Security’s support for industry-standard 802.1x authentication enables NAC in multi-vendor networking environments, and does not lock an enterprise into one vendor’s networking equipment or software. The result is more cost-effective and non-disruptive NAC deployments.
With Cooperative Enforcement, the firewall component of VPN-1 can cooperatively enforce endpoint security compliance with Check Point Endpoint Security. This feature utilizes the Check Point Endpoint Security server compliance capability to verify connections arriving from various hosts across the internal network. Using Cooperative Enforcement, any host initiating a connection through a gateway is tested for compliance. For example, as an endpoint attempts to traverse the firewall, VPN-1 can check for the presence of Check Point Endpoint Security and then ensure that the proper security stance, such as correct policy, patch level, or antivirus, is active on the machine. If the endpoint is compliant, it is granted access to the corporate network. If the endpoint is not compliant, it is restricted to an isolated Virtual Local Area Network (VLAN), or traffic is limited to specific destination IP addresses, ports, and protocols. This increases the integrity of the network because it prevents hosts with malicious software components from accessing the network. By providing Cooperative Enforcement with Check Point Endpoint Security, VPN-1 enables administrators to use their security gateways to gain control over their internal network.
For remote access NAC, Check Point Endpoint Security cooperates with Check Point VPN-1 and Connectra gateways as well as VPNs from other vendors including Cisco Systems, Microsoft, and Nortel Networks. Check Point Endpoint Security will check for the compliance of the endpoint connecting via the VPN before traffic is permitted to the network.
3. Secure auto-remediation
Check Point Endpoint security provides auto remediation to correct access policy violations such as out-of-date antivirus or missing patches. Check Point Endpoint Security can pull updates from the management server and install them automatically on the non-compliant endpoint without affecting end-user productivity.
4. Centrally managed
All the Check Point products used for network access control can be managed from a single management platform. Unified management makes the solution efficient to administer, and it provides consistent and complete connectivity and security event reports for auditors and executives.
Considering the potential cost of confidential data theft or exposure now is the time to stop unsafe endpoints from connecting to your network. To learn more about Check Point Endpoint Security’s unified NAC solution, use the resources listed below.