Barracuda Networks VERSION SP4 Network Hardware User Manual
5 Barracuda NG Network Access Client - Administrator’s Guide
Before we take a closer look at the interplay of the various components and their roles, let us briefly
study what inspired the design of the Barracuda NG Network Access Client endpoint security
framework.
The originally very long list of requirements reads as follows, in a slightly more condensed form:
We want to create an endpoint security solution that is effective and yet still
simple enough to be implemented and operated in a cost-efficient manner.

We do not wish to require customers to completely change their
infrastructures. In particular, we do not require 802.1X-aware switches or
endpoints.

We support guest networking. There must be a simple way to distinguish
between visitors and our own users. We use a combination of client agent-based
and DHCP-based address assignment; a combination of agent-based and
DHCP enforcement will likely catch the most prevalent threats to network
security.

We assess the client's health before it first connects to the network.
Client health assessments should also be carried out periodically
afterwards to detect changes in the client's health state.

Policies, such as the applicable firewall rule set or access rights, must be selected
according to both identity and system health state. ID-based exceptions must
be possible to cater for real-world scenarios: a forced client update of several
megabytes across a 2400 baud link makes no sense when the link is needed
for important messaging.

Policies can be machine specific. A PC that frequently goes online with nobody
actually logged in may already have been compromised. This routine
situation must be easily accommodated within the policy framework, which also
means that we need a way to identify a machine uniquely.

Policies may differ between access contexts; this is the archetypal roaming
laptop problem. One policy applies to a user connecting from
within the corporate network. A different policy is required when the
nearest WLAN hotspot at the airport is used to build a secure VPN connection, and
yet another when the same equipment is operated inside the
user's private home network.
The client software consists of the following subsystems:
Barracuda NG Personal Firewall
As a centrally managed host firewall, this firewall engine can hold up
to four different rule sets at once. Which rule sets are available to the
engine, and which one of them is currently enforced, depends on the policy
applicable to the user, the machine, the date, and the time.
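The rule-set selection sketched in the requirements above and in the firewall description (one of several loaded rule sets is enforced according to identity, machine, health state, access context and time of day, with ID-based exceptions and periodic re-assessment) can be modelled as a small decision procedure. The following is an added illustration written for this page, not Barracuda's own code or policy language; the rule set names, the exempt identity, the unattended-machine list and the maintenance window are assumptions, and the timestamps are constructed.

```python
# Added illustration, not Barracuda's code: a minimal model of selecting one of
# several host-firewall rule sets from identity, machine, health state, access
# context and time of day, with ID-based exceptions and periodic re-assessment.
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    machine_id: str           # unique machine identity (how it is derived is out of scope here)
    user: Optional[str]       # None when nobody is logged in (machine-only session)
    healthy: bool             # result of the most recent health assessment
    context: str              # access context: "corporate", "vpn" or "home"
    slow_link: bool = False   # True on a low-bandwidth link (the 2400 baud case)


# Up to four rule sets are loaded at once; the names are assumed for this illustration.
CONTEXT_RULE_SET = {"corporate": "corporate", "vpn": "vpn", "home": "home"}
QUARANTINE = "quarantine"   # remediation rule set: update traffic only

# ID-based exception (assumed identity): no forced update over a slow link.
EXEMPT_FROM_FORCED_UPDATE = frozenset({"field-tech"})

# Machine-specific policy (assumed): machines allowed to operate unattended, and
# the time window in which an unattended session keeps its normal rule set.
UNATTENDED_OK = frozenset({"pc-1"})
MAINTENANCE_WINDOW = (time(1, 0), time(5, 0))


def in_window(now: datetime, window: Tuple[time, time]) -> bool:
    start, end = window
    return start <= now.time() < end


def select_rule_set(ep: Endpoint, now: datetime) -> str:
    """Return the rule set the firewall engine should enforce for this endpoint."""
    # Unknown access context: fail closed rather than guess.
    base = CONTEXT_RULE_SET.get(ep.context, QUARANTINE)

    # 1. Health state comes first: an unhealthy client is moved to the remediation
    #    rule set, unless an ID-based exception applies because a forced multi-
    #    megabyte update would take away the slow link the user depends on.
    if not ep.healthy:
        if ep.user in EXEMPT_FROM_FORCED_UPDATE and ep.slow_link:
            return base
        return QUARANTINE

    # 2. Nobody logged in: machine-specific policy. Only machines approved for
    #    unattended operation, and only inside the maintenance window, keep the
    #    context rule set; any other unattended session is treated as suspect.
    if ep.user is None:
        if ep.machine_id in UNATTENDED_OK and in_window(now, MAINTENANCE_WINDOW):
            return base
        return QUARANTINE

    # 3. Otherwise the access context decides (the roaming laptop problem).
    return base


def reassess(ep: Endpoint, healthy: bool, now: datetime) -> Tuple[Endpoint, str]:
    """Periodic re-check: record the new health result and re-select the rule set."""
    updated = replace(ep, healthy=healthy)
    return updated, select_rule_set(updated, now)


def at(hour: int) -> datetime:
    """Constructed timestamp on a fixed day, used for the examples below."""
    return datetime(2024, 1, 15, hour, 0)


if __name__ == "__main__":
    laptop = Endpoint("lap-2", "bob", True, "vpn")
    print(select_rule_set(laptop, at(14)))            # vpn
    laptop, rs = reassess(laptop, False, at(15))      # health degraded on re-check
    print(rs)                                         # quarantine
    print(select_rule_set(Endpoint("pc-1", None, True, "corporate"), at(3)))   # corporate
    print(select_rule_set(Endpoint("pc-1", None, True, "corporate"), at(14)))  # quarantine
```

Two design choices worth noting: an unrecognised access context and an unattended session on a machine not approved for it both fall back to the quarantine rule set, so the engine fails closed, and the ID-based exception only suspends the forced update, it does not skip the health assessment itself.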
Barracuda NG Access Monitor
This component sends the endpoint's health status to the Access
Control Service for baselining. Barracuda NG Access Monitors are downloaded and
updated dynamically as required, supporting both full and delta updates. They
are very lightweight, occupying only 340 KB of memory.
Barracuda NG VPN Client
Provides an integrated VPN client that secures mobile desktops connecting to the
corporate LAN over the internet. The VPN client establishes a secure
connection to a VPN Service; the Barracuda NG Access Monitor then
communicates through the VPN tunnel with the responsible System Health
Validator (SHV). Note that in this case the VPN server fully controls the
virtual connection.