www.novell.

com
Brochure
RESOURCE MANAGEMENT

Novell ZENworks ® ®

Network Access Control

1 2
 Novell and Your Strong Perimeter

Fast pre-connect testing Novell® ZENworks® Network Access Control SC Magazine’s 2008 Reader Trust Award
that does not interfere stops unauthorized access, prevents mali- as the Best Endpoint Security Solution
with the end user’s cious endpoint activity and enforces specified A “Positive” rating in Gartner’s Marketscope
­logging on experience security policies. As the network access for Network Access Control in 2008
­control (NAC) solution of choice for many TechWorld’s 2007 Endpoint Security
Accurate and fast deep
organizations, ZENworks Network Access ­Product of the Year
testing using hundreds
Control protects some of the largest, most Windows IT Pro 2007 Editor’s Choice
of off-the-shelf tests
sensitive networks in the world, including SC Magazine’s 2006 Best Endpoint
Flexible endpoint
branches of the U.S. military. It has been ­Security Solution
­testing, enforcement
­honored with numerous awards, including:
and remediation
Continuous post-
connect monitoring Complete NAC
Windows OS and
Mac OS X coverage
Scalability that can
support hundreds of
thousands of endpoints
Identity-based
­management controls

Figure 1. This image shows how Novell ZENworks Network Access Control operates on the network. Based on
both pre-connect testing and post-connect monitoring, ZENworks Network Access Control enforces security
policies for managed and unmanaged endpoints belonging to users inside the firewall, remote users, contractors,
visitors and wireless users.

p. 2
Novell ZENworks Network Access Control
Novell ZENworks Network Access Control is
a complete NAC solution, delivering on the
four vital areas of NAC: pre-connect testing,
post-connect monitoring, identity-based
management and remediation. It gives
­administrators a NAC solution that has
­comprehensive endpoint testing without
­affecting end-user productivity. It also delivers
an easy-to-use interface that allows you to
see exactly who is on the network and what
they are doing. In addition, ZENworks Network
Access Control includes multiple enforcement
options for quarantining endpoints, enabling
you to enforce policy compliance across
complex, heterogeneous networks. You can
blend multiple enforcement options within a
ZENworks Network Access Control imple-
mentation and manage those options from
a single Web-based console. Enforcement
options include:
802.1x enforcement and switch
­configuration in the GUI
DHCP enforcement
Endpoint-based enforcement
In-line enforcement
Endpoint Health and True NAC
The proprietary testing and enforcement
engine of Novell ZENworks Network Access
Control provides extremely fast and thorough
pre-connect endpoint testing for both
­Windows* and Macintosh* computers.
End users are unaware of any delay in
the login process because device testing
takes only seconds. If quarantined, users are
given clear instructions on how to remediate
the problem, so they can get back on the
network cleanly and securely.
Unlike other NAC solutions that are built on
top of vulnerability scanners, intrusion detec-
tion/prevention (IDS/IPS) systems or personal
firewalls, ZENworks Network Access Control
is not weighed down by irrelevant processes
www.novell.com
or constrained by limited testing capabilities. The network access
It thoroughly evaluates endpoint health before ­control (NAC) solution
the device is allowed to forward traffic to the of choice for many
network—a key requirement for true NAC— organizations, ZENworks
and helps prevent unhealthy endpoints from Network Access Control
spreading damage. protects some of the
largest, most sensitive
Pre-connect Endpoint Testing networks in the world,
including branches of
Novell ZENworks Network Access Control
the U.S. military.
applies the most comprehensive scans to
fully assess endpoint security. Using three
flexible endpoint testing options (agentless,
Web-based and agent-based), ZENworks
Network Access Control allows a full range of
devices, both Windows and Macintosh, to be
tested thoroughly before being allowed onto
the network. Novell adds new tests on an
ongoing basis, and you can develop custom
tests to meet organization-specific needs.
Pre-connect tests scan for:
OS support (Windows and Macintosh),
including Vista*
OS Service Packs and hotfixes
Browser and OS security settings
Installed and up-to-date antivirus and
­antispyware software
Installed and up-to-date personal firewall
Presence of peer-to-peer applications
Worms, viruses and trojans
Presence of administrator-defined required
or prohibited software
And much more
Post-connect Monitoring
Novell ZENworks Network Access Control
continues to monitor the compliance of end­
points after network access has been granted.
As devices remain connected to the network,
they are periodically revalidated using the
same testing criteria used for the pre-connect
assessment, ensuring that devices remain
compliant throughout the session.
p. 3
ZENworks Network
Access Control is a
Multi-node Architecture
complete NAC solution,
delivering on the four vital
areas of NAC: pre-connect
testing, post-connect
monitoring, identity-
based management and
remediation. It provides
administrators with a
NAC solution that has
comprehensive endpoint
testing without affecting
end-user productivity.

Figure 2. In the multi-node architecture of Novell ZENworks Network Access Control, a single Management Server
controls multiple Enforcement Server clusters, regardless of the blend of enforcement options deployed. Multi-user,
role-based access is assignable at the cluster level. Access policies and tests are centrally managed. Reporting
and access data is rolled up at the cluster and corporate levels.

Management and Administration
Regardless of the size or complexity of the
network, Novell ZENworks Network Access
Control centrally consolidates the manage-
ment of all testing and enforcement activities,
providing a single-pane-of-glass view of end-
point security. It provides administrators with
an easy-to-use, intuitive GUI that allows them
to quickly determine what is happening with
endpoints, who is quarantined and why.
The user interface simplifies deployment
and provides easy access to many functions
usually reserved for back-end configuration.
Where other NAC vendors make you use
the command line to configure features and
functionality, ZENworks Network Access
Control has pulled those features into the GUI.
A single ZENworks Network Access Con-
trol Management Server controls multiple
Enforcement Servers (grouped together in
clusters as shown in Figure 2). Enforcement
Servers allow ZENworks Network Access
Control to seamlessly accommodate dis-
persed geographic locations, heterogeneous
network topologies and the full range of
endpoint connection types (see Figure 3
on the next page).

p. 4
Novell ZENworks Network Access Control
Managing Clusters
Figure 3. This graphic shows how clusters are managed in the Novell ZENworks Network Access Control interface.
In the ZENworks Network Access Control GUI, the Cluster window displays real-time access control data and
performance statistics for the selected Enforcement Server cluster. In this example, the ‘Provo’ cluster is displayed,
which contains an individual Enforcement Server (znac-es.mycompany.com).
Through the Management Server, custom
tests and access policies can be distributed
to all Enforcement Servers in a single opera-
tion. System monitoring and reporting are
rolled up at the cluster and corporate levels.
Administrative access to the system is strictly
controlled through user roles and cluster
assignments. Administrators may create
­additional roles using fine-grained permis-
sions. Devices and functions are exposed
on a need-to-know basis. For example,
an administrator may only view data for
­endpoints within their assigned clusters.
High Availability and
Load Balancing
Novell ZENworks Network Access Control
provides true high availability capabilities.
Should an Enforcement Server fail, other
servers within a cluster will automatically
provide coverage for the affected network
www.novell.com
Regardless of the size or
complexity of the network,
Novell ZENworks Network
Access Control centrally
consolidates the
management of all
testing and enforcement
activities, providing a
single-pane-of-glass
view of endpoint security.
segment. Likewise, a spike in testing activity
directed at a single Enforcement Server is
load balanced across the cluster.
Integrated in the IT Environment
Novell ZENworks Network Access Control
features an open architecture that allows
the import and export of data to and from
­ZENworks Network Access Control. The open
architecture also allows third-party systems
to control testing and quarantining functions
and enables sharing of endpoint security
data with other IT systems.
ZENworks Network Access Control also
­provides a DHCP plug-in, allowing companies
to have DHCP enforcement without requiring
it to be in-line. In addition, SMB signing pro-
vides agentless testing and an added layer
of security to specific Microsoft* endpoints.
p. 5
Device Activity Window
Figure 4. The Device Activity window displays the testing and connection status of all devices attempting to
­connect to the network during the specified time period (one hour in this case).
Automated and Manual Repair,
Minimal Impact on End Users
Novell closes the NAC loop by facilitating a
variety of remediation options for endpoints
that test non-compliant with your security
policy, including automated remediation,
self-remediation and access grace period.
Administrators have complete control over
the depth and frequency with which end users
are informed of testing activities and results.
Communication can be as visible or as invis-
ible as necessary. End users may be notified
of device testing, test results and the steps
needed to bring the endpoint into compliance.
Reporting for Management
and Auditors
Novell ZENworks Network Access Control
­includes robust reporting capabilities that
­allow you to meet the needs of auditors,
managers and IT staff. Reports provide
p. 6
concise security status information on device
compliance and access activity. Available
reports include: device list, actions taken,
­access policy results, test details, test results,
test results by device, test results by user,
test results by IP address and more.
Start Strengthening Your
­Perimeter Today
Novell ZENworks Network Access Control is
ready to help you take network security to the
next level—by testing all of your endpoints
before they connect to the network, proac-
tively monitoring them after they connect and
making it easy to enforce security policies and
perform remediation through a single manage­
ment console. Visit www.novell.com/nac to
learn more about how these crucial capabilities
can lead directly to less risk for your business;
lower IT costs and administrative requirements;
and a safer, more stable and more compliant
IT environment.
 www.novell.com

Contact your local Novell

Solutions Provider, or call
Novell at:

1 800 714 3400  U.S./Canada

1 801 861 1349  Worldwide
1 801 861 8473  Facsimile

Novell, Inc.
404 Wyman Street
Waltham, MA 02451 USA

463-001029-001 | 09/08 | © 2008 Novell, Inc. All rights reserved. Novell, the Novell logo, the N logo and ZENworks are r­ egistered
­trademarks of Novell, Inc. in the United States and other countries.

*All third-party trademarks are the property of their respective owners.

1 2