
McAfee Network Access Control
Abstract
McAfee Network Access Control® (MNAC) is an extension to ePolicy Orchestrator that provides network access security. It is capable of detecting and assessing managed systems on the network and controlling access to network resources based on a system's health level by means of enforcement. It also assesses unmanaged systems on the network and enforces network access based on system health or user identity. The project is to develop test cases to automate unit testing on the development side of McAfee Network Access Control® (MNAC) and to automate the BVT tests. Automation mitigates the risk of undetected errors, saves costs by detecting problems early, and saves time by keeping developers focused on the task of writing the software instead of performing the tests manually. This ensures high product quality on a continuous basis by assessing the code. To determine whether a sufficient number of test cases has been added, the code coverage tool 'gcov' is used to measure the amount of code exercised by the test cases. Where certain sections of code or modules are found not to be covered, appropriate unit tests are added for those sections as well.
Chapter 1
INTRODUCTION

1.1 Problem Definition
TITLE: McAfee Network Access Control®
Technologies used: C++, CPPUNIT framework, Perl
Platform: Linux and Mac
1. Unit Test cases have to be written for the following modules to facilitate automation of unit testing
• Enforce Policy
• Scan Client
• Enforce Client
• Firewall
• Startup/Shutdown Event
• Enforcement Event
• Scan Result Event
• Content Request
• Managed Policy Request Event
• UnManaged Policy Request Event
• IBAC Event
• MNAC Client and MNAC Server Communication
2. Code coverage of both the unit test cases and the entire MNAC application, measured using any freeware or commercially available tool.
1.2 Background
McAfee Network Access Control® (MNAC) is a system security solution that defines, assesses, and enforces IT security policies to control how managed and unmanaged systems[1] access the network. It protects corporate networks by blocking access to systems that do not comply with IT security policies. The software integrates with McAfee ePolicy Orchestrator (ePO)[1]. It mitigates risk to corporate assets posed by systems that don't comply with the defined security policies. It combines powerful yet flexible policy control with a wide range of enforcement methods to protect the network.
Figure 1.1
It provides control when defining compliance for every system on the network and the ability to control the level of network access given to noncompliant systems. It detects new systems when they request access to or communicate on the network. For systems not running the McAfee NAC client (unmanaged systems[1]), this capability will be provided by the McAfee Network Security Platform Sensor. It scans systems using the McAfee NAC client to determine whether they meet the requirements of the compliance policy. For unmanaged systems, the McAfee NAC client software is downloadable from the remediation portal. It controls level of network access to systems based on scan results. It is able to execute ePO agent update of programs via command line, or any other command line application, on managed systems that fail compliance. After updating their systems, users can rescan their systems from the client system tray icon.
NAC with McAfee Network Security Platform protects remote access, high-risk branch offices, and wireless networks from infected workstations, servers or handheld devices. It works on the principle "Identify, quarantine, and remediate attack vectors before they spread". The McAfee ePolicy Orchestrator (ePO) management console gives you visibility and reporting on PCs used by guests or contractors, so that you can trigger anti-virus protections or automatically deploy an ePO agent to these systems.
1.2.1 Control of network access
MNAC allows and blocks access to your network using the following actions:
• Detect and identify connected systems.
• Assess a system's health according to predefined rules in policies.
• Enforce network access restrictions based on policies that map network zones to health levels.
• Fix (remediate) systems that are not healthy.
Figure 1.2
1.2.2 System detection
Detecting the systems that are connected to a network is the responsibility of a detector. The primary purpose of detection is to identify a system as unique. A secondary purpose is to provide the NAC manager with information that determines a system's classification. McAfee NAC detects the system based on one or more of these factors:
• Acquisition of a DHCP assigned address.
• Periodic network broadcasts.
• Establishment of a network connection.
• Deployment of the McAfee Agent.
• Deployment of the NAC client.
1.2.3 System health assessment
Assessing a system's health is the responsibility of an assessor. Assessment is based on configurable policies that allow you to define various types of security rules. Which assessor you can use depends on a system's classification. Health assessments (scans) can be scheduled and performed automatically, or initiated manually by an administrator through the NAC manager, or by a system user through the McAfee system tray. Health assessment also occurs automatically based on certain system conditions. The software predefines a set of health levels that administrators use to rank a system's health state based on what is wrong. A system's health is evaluated automatically against the policies you create, or it can be set manually.
In descending order, the health levels are:
• Healthy
• Fair
• Poor
• Serious
• Critical
The administrator can specify different actions based on these health levels. Only the relative order of these levels is important, and only as it relates to the way each level is mapped to network access zones [1].
The “Unknown” health level is assigned to a system automatically under the following conditions:
• The first time a system is detected, including startup.
• The assessed health of a system expires.
• A scan fails to finish successfully.
• A system is unmanageable.
• A change occurs to the system's network connection and it is detected again.
The Unknown health level is considered a special case, and typically is not considered part of the health ranking.
1.2.4 Enforcement of access restrictions
Enforcing network access restrictions is the responsibility of an enforcer. The enforcer is configurable, and the method of restricting network access depends on the enforcer. The choice of an enforcer depends on the products used for network access control. In McAfee NAC, access enforcement is based on a system's current health status.
The McAfee NAC enforcer bases enforcement on a configurable policy that maps network access zones to health levels. Enforcement takes place locally on managed systems using a local firewall to block new, outgoing connections. The resources that are blocked depend on how you define your network access zones. Other supported enforcement products (enforcers) might use a different method or even base enforcement on criteria other than health. Administrators can also control system enforcement by setting a health level manually.
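As an added illustration (not MNAC's own code) of the assessment and enforcement logic described in 1.2.3 and 1.2.4, the following C++ model derives a system's health as the worst failed rule, gives the Unknown special case precedence over any scan result, and maps health levels to network access zones, failing closed for a level the policy does not map. The zone names and the Assessment fields are assumptions made for the example; this is the kind of logic the project's CppUnit tests would exercise.

```cpp
#include <map>
#include <string>
#include <vector>

// Health levels in the page's descending order; Unknown is kept outside
// the ranking as a special case.
enum class Health { Healthy, Fair, Poor, Serious, Critical, Unknown };

// Result of one assessment (scan). Field names are constructed for this
// example: the three flags are the page's Unknown conditions, and
// violations holds the health level the policy assigns to each failed rule.
struct Assessment {
    bool firstDetection = false;    // system detected for the first time
    bool expired = false;           // previous assessment has expired
    bool scanFailed = false;        // scan did not finish successfully
    std::vector<Health> violations; // levels of the rules that failed
};

// Unknown takes precedence over scan content; otherwise health is the
// worst (highest-ranked) violation, or Healthy when no rule failed.
Health assessHealth(const Assessment& a) {
    if (a.firstDetection || a.expired || a.scanFailed) return Health::Unknown;
    Health worst = Health::Healthy;
    for (Health h : a.violations)
        if (h != Health::Unknown && h > worst) worst = h;
    return worst;
}

// Enforcement policy: health level -> network access zone name.
using ZonePolicy = std::map<Health, std::string>;

// Fail closed: an unmapped level gets the zone mapped to Critical, and if
// even that is missing, a constructed "quarantine" zone.
std::string accessZone(const ZonePolicy& policy, Health h) {
    auto it = policy.find(h);
    if (it == policy.end()) it = policy.find(Health::Critical);
    return it == policy.end() ? "quarantine" : it->second;
}

// Sample policy with constructed zone names.
ZonePolicy examplePolicy() {
    return {{Health::Healthy, "full"},        {Health::Fair, "full"},
            {Health::Poor, "limited"},        {Health::Serious, "remediation"},
            {Health::Critical, "quarantine"}, {Health::Unknown, "remediation"}};
}
```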
1.2.5 Fixing unhealthy systems
Unhealthy systems can be brought back into compliance with your health policies manually or automatically. In McAfee NAC, a remediator is a component that can automatically try to fix problems or deficiencies with unhealthy systems. McAfee NAC includes a built-in remediator, but it can be used only with managed systems because:
• Use of the MNAC remediator is specified in policies that are passed only to managed systems.
• Remediation commands often require credentials, which are not typically available on unmanaged systems.