Network Access Enforcement

Network Access Enforcement provides an extra layer of security when a user device (desktop, server, laptop, or mobile device) connects to your corporate network either remotely using a VPN connection or locally using a Wi-Fi connection.

The user device that tries to connect to the corporate network using a VPN or a Wi-Fi connection must meet a series of security requirements for the connection to be allowed. If it does not meet those requirements, the connection is rejected.

The Cytomic agent installed on the user device collects and sends the information that the Firebox or access point requires to verify that the device meets the necessary requirements.

Random UUID and authentication key generation

A UUID (Universally Unique Identifier) is a character string used to uniquely identify a device.

The Firebox or access point uses a UUID and authentication key to validate VPN or Wi-Fi network connections. Specify the same UUID-authentication key pair on the Firebox and in the Advanced EDR console.

If you have not configured a UUID on a locally managed Firebox, you must generate one. UUID is an open format. Free tools to generate a random UUID are available from vendors such as Microsoft or from https://www.uuidgenerator.net/.

Use a long authentication key that includes uppercase letters, numbers, and special characters.
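The following is an added example, not a tool from the product or the original page, that generates the UUID-authentication key pair described above from the operating system's cryptographic random source and checks a key against the rule just stated. The minimum key length of 32 characters and the set of special characters are assumptions chosen for the example, not values from the documentation.

```python
import secrets
import string
import uuid

# Special characters assumed safe to paste into a console field (an assumption
# made for this example, not a list taken from the product documentation).
SPECIAL_CHARS = "!#$%&*+-=?@^_~"
KEY_ALPHABET = string.ascii_letters + string.digits + SPECIAL_CHARS


def generate_uuid() -> str:
    """Return a random version-4 UUID (drawn from os.urandom) in hyphenated form."""
    return str(uuid.uuid4())


def is_valid_uuid(value: str) -> bool:
    """True if value parses as a UUID of any version; useful before saving it in a console."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def is_strong_auth_key(key: str, min_length: int = 32) -> bool:
    """Apply the rule from the text: long, with uppercase, numeric, and special characters."""
    return (
        len(key) >= min_length
        and any(c.isupper() for c in key)
        and any(c.isdigit() for c in key)
        and any(c in SPECIAL_CHARS for c in key)
    )


def generate_auth_key(length: int = 40) -> str:
    """Draw the key from the CSPRNG (secrets, not random) and retry until it passes the rule."""
    while True:
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))
        if is_strong_auth_key(key, min_length=length):
            return key


if __name__ == "__main__":
    # Generate one pair; enter the same values on the Firebox and in the console.
    print("UUID:              ", generate_uuid())
    print("Authentication key:", generate_auth_key())
```

The key generator uses the `secrets` module rather than `random` because the key is a shared secret; a predictable generator would let anyone who knows the seed reproduce it. Store the pair in a password manager after generating it, since it must be entered identically in two places.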

Requirements

For a user device to connect to the corporate network, it must meet these security requirements:

  • It must have the security software installed, running, and correctly configured.

  • The same valid UUID and authentication key must be configured on the device that validates the connection and in the Advanced EDR console.

  • Operating system installed on the user device:

    • Windows 8.1 or higher.

    • macOS Catalina 10.15 or higher.

    • Android 6 or higher.

    With Android, unlike Windows or macOS, the Firebox console user cannot select the operating system version. On devices that run Android 6.0 or higher, Network Access Enforcement is enabled after they receive the relevant settings from the Cytomic servers.

  • Open ports on the user device: The Cytomic agent requires that TCP port 33000 be open to communicate with the device that validates the connection.

  • Security software settings: Advanced EDR advanced protection must be enabled in hardening or lock mode, or antivirus enabled and running.

Network Access Enforcement does not support Linux devices.

Requirements verification

When a user device tries to connect to the corporate network, the device that validates the connection performs these actions:

  • Requests information about the status of the protection installed on the user device.

  • Verifies that the account UUID and the authentication key are valid.

  • Checks that the user device operating system is one of the operating systems defined in its settings.

If all requirements are met, the user device is allowed to access the corporate network. Otherwise, the connection is rejected.

By default, all devices are forced to comply with the security requirements to connect to the corporate network.
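To make the verification sequence concrete, here is an added model of the checks listed above, written for this page and not taken from the Firebox, access point, or Cytomic agent code. The `AgentReport` fields, the placeholder UUID and key, and the exact mode names are assumptions; the minimum OS versions and the accepted protection states follow the requirements section, and Linux is absent from the table because it is not supported.

```python
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Constructed placeholder pair; a real deployment uses the pair that was
# entered on the Firebox and in the Advanced EDR console.
EXPECTED_UUID = "00000000-0000-4000-8000-000000000000"
EXPECTED_KEY = "Placeholder-Key!2024#Replace-Me"

# Minimum supported versions from the requirements list (Linux is unsupported).
MIN_OS_VERSION = {"windows": (8, 1), "macos": (10, 15), "android": (6, 0)}

# Protection states that satisfy the security software settings requirement:
# advanced protection in hardening or lock mode, or antivirus enabled.
ACCEPTED_PROTECTION = {"hardening", "lock", "antivirus"}


@dataclass
class AgentReport:
    """What the agent on the user device reports to the validating device (assumed fields)."""
    uuid: str
    auth_key: str
    os_name: str
    os_version: Tuple[int, ...]
    protection_installed: bool
    protection_running: bool
    protection_mode: str  # assumed values: "hardening", "lock", "antivirus", "audit", "off"


def credentials_match(report: AgentReport, expected_uuid: str, expected_key: str) -> bool:
    """Compare both values in constant time; & instead of and so both comparisons always run."""
    uuid_ok = hmac.compare_digest(report.uuid.strip().lower().encode(), expected_uuid.lower().encode())
    key_ok = hmac.compare_digest(report.auth_key.encode(), expected_key.encode())
    return uuid_ok & key_ok


def os_supported(os_name: str, os_version: Tuple[int, ...]) -> bool:
    """True only for an operating system in the table, at or above its minimum version."""
    minimum = MIN_OS_VERSION.get(os_name.lower())
    return minimum is not None and tuple(os_version) >= minimum


def protection_ok(report: AgentReport) -> bool:
    """Security software must be installed, running, and in an accepted mode."""
    return (
        report.protection_installed
        and report.protection_running
        and report.protection_mode.lower() in ACCEPTED_PROTECTION
    )


def evaluate(report: AgentReport, expected_uuid: str = EXPECTED_UUID,
             expected_key: str = EXPECTED_KEY) -> Tuple[bool, List[str]]:
    """Run every check and return (allowed, reasons); reasons is empty when the device is allowed."""
    reasons = []
    if not protection_ok(report):
        reasons.append("security software not installed, not running, or not in an accepted mode")
    if not credentials_match(report, expected_uuid, expected_key):
        reasons.append("UUID or authentication key does not match the configured pair")
    if not os_supported(report.os_name, report.os_version):
        version = ".".join(str(part) for part in report.os_version)
        reasons.append(f"operating system {report.os_name} {version} is not supported")
    return (not reasons, reasons)


def compliant_report(**overrides) -> AgentReport:
    """A constructed report that passes every check; override fields to model a rejection."""
    fields = dict(uuid=EXPECTED_UUID, auth_key=EXPECTED_KEY, os_name="Windows",
                  os_version=(10, 0), protection_installed=True,
                  protection_running=True, protection_mode="hardening")
    fields.update(overrides)
    return AgentReport(**fields)


if __name__ == "__main__":
    for label, report in [("compliant", compliant_report()),
                          ("linux", compliant_report(os_name="Linux", os_version=(5, 15))),
                          ("wrong key", compliant_report(auth_key="wrong"))]:
        print(label, evaluate(report))
```

Every check runs even after an earlier one fails, so the returned reasons give an administrator the full picture of why a device was rejected rather than only the first mismatch; the credential comparison uses `hmac.compare_digest` so that the time taken to reject a connection does not depend on how much of the key was correct.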

Accessing the Network Access Enforcement settings

  • From the side menu, select Network services.

  • Select the Network Access Enforcement tab.

  • To enable the protection, click the toggle.

  • Enter the account UUID and the authentication key.

  • Click Save changes.