As the NAC (network access control) market matures, the solutions are becoming more sophisticated at identifying users and
assessing the security compliance of host devices. Answering questions such as how snugly they fit into the existing infrastructure
(is it a forklift upgrade?) and how well they qualify a device’s security compliance posture before admitting it to the network
helps to separate the wheat from the chaff.
NAC is all about identifying end-users, checking their host devices to ensure they’re within defined security requirements
(anti-virus installed and running, for instance), and then assigning a security policy to them.
The security policy is key. It has to be created dynamically to fit a user’s current security status. The policy must determine
whether the user is logged in on a wireless connection or in a conference room. Is it a line-of-business manager or the CEO?
Are the user’s anti-virus signatures current? Are there any open ports on the hosts that violate acceptable policy? As a user’s
posture changes, so should the security policy they receive.
When selecting a NAC system, administrators will also need to consider whether they want to deploy a solution that enforces
at the host level or at the network layer. Doing it at the host level entails installing software agents on end-user systems
across the enterprise and requires local access to each host. This approach can provide an extremely effective means of enforcement
(see Elemental Compliance System).
Controlling user access at the network level may require wholesale equipment upgrades, but it can prevent an unknown user
from gaining even the tiniest access to the LAN.
In this review, I tested four NAC appliances that enforce at the network layer and inspect all end-user traffic as it passes
through. I had the opportunity to check out the Caymas 525 Identity-Driven Access Gateway, Lockdown Networks Enforcer 4.2,
Nevis Networks LANenforcer 1048, and the Vernier EdgeWall 7000.
The good news is that each solution actually works insofar as authenticating users and applying access policies to them. All
support a captive portal log-in for user authentication, which is fine for guest or unmanaged devices, but a captive portal
is Caymas’ only means of logging in users. All vendors but Caymas support 802.1x for a more seamless log-in for managed devices.
Two of the appliances reflect some of their past uses: Caymas has a strong SSL VPN history and Vernier includes many features
borne of wireless security. Neither of these features detracts in any way from their respective products; they just add flavoring.
End point vulnerability assessment is where the products vary the most. Of the four, only Nevis currently lacks a host-checking
engine. Caymas pushes either an ActiveX or Java agent down to the client on connect (which requires the logged-on user to
have local administrative or power user rights), and destroys the agent at log-off. Vernier’s host check is agentless but
does need Windows credentials to scan the device. Lockdown covers all bases with an agentless mode, Windows and Mac agents,
and SMB (Service Message Block) scanning like that in Vernier. The one common theme is that for any of these solutions to
truly determine the security posture of a host, access to the local device is required.
At the end of my evaluation, I found that none of the products cover every base. Each one is missing the last piece of the
NAC puzzle: scalability, end point assessment, or reporting. The one that came closest to meeting all aspects of an ideal
NAC solution is the Caymas 525 Identity-Driven Access Gateway. My biggest complaint is the cost of the unit -- $70,000 --
but this is for all features enabled, even the SSL VPN services for 5,000 concurrent users. Vernier’s EdgeWall 7000 was the
low-price leader and was just narrowly edged out by the Caymas appliance. If it had a better on-device reporting system, it
would have scored a little better and claimed top honors.
Caymas 525 Identity-Driven Access Gateway
The Caymas 525 Identity-Driven Access Gateway is an SSL VPN appliance for secure remote access to applications and data, as
well as a flexible NAC solution for managing user access to the network. The 525 authenticates users then dynamically builds
an access control policy based on their security postures. Its host-assessment capabilities aren’t as comprehensive as Vernier’s but they do
provide a good measure of confidence.
Capable of handling as many as 5,000 concurrent users, the 525 is a 2U appliance with four Gigabit Ethernet interfaces and
redundant power supplies. Each interface can provide connectivity to different network segments, allowing for flexible deployment.
All user traffic must pass through the 525, but physical location in the infrastructure isn’t as important as how traffic
flows through the device. Typically, like the other NAC solutions, admins will place the 525 near the network core.
Caymas 525 Identity-Driven Access Gateway
Caymas Systems, caymassystems.com
|
 Very Good 8.1 |
|
| criteria |
score |
weight |
| Manageability |
8 |
20% |
 |
| Policy Enforcement |
8 |
20% |
|
| Scalability |
9 |
20% |
|
| Reporting |
8 |
15% |
|
| Setup |
8 |
15% |
|
| Value |
7 |
10% |
|
|
|
Cost:
$70,000 for 5,000 users with all features enabled
Bottom Line:
The 525 Identity-Driven Access Gateway blurs the line between SSL VPN and NAC device. The policy enforcement is good and doesn’t
have any gaping holes, although it does have the feel of an SSL VPN appliance. End point assessment works well, with only
minor shortcomings. A decent array of reporting choices makes reporting very good.
|
|
About our Reviews and Scoring Methodology
|
|
Lockdown Networks Enforcer
Lockdown Networks, lockdownnetworks.com
|
| Good 7.9 |
|
| criteria |
score |
weight |
| Manageability |
7 |
20% |
|
| Policy Enforcement |
8 |
20% |
|
| Scalability |
8 |
20% |
|
| Reporting |
9 |
15% |
|
| Setup |
8 |
15% |
|
| Value |
7 |
10% |
|
|
|
Cost:
1U model, $24,995; 2U model, $39,995; Commander, $9,995; Sentry, $1,495
Bottom Line:
The Enforcer takes a different approach on providing network security. Instead of inspecting packets and applying policy,
it places traffic in a VLAN on a per-port basis on a managed Ethernet switch. Scalability for large enterprises is a question,
but for smaller networks, creating the VLAN-base security scheme shouldn’t be a problem. End point assessment is well rounded.
|
|
About our Reviews and Scoring Methodology
|
|
Nevis LANenforcer
Nevis Networks, nevisnetworks.com
|
| Good 7.2 |
|
| criteria |
score |
weight |
| Manageability |
7 |
20% |
|
| Policy Enforcement |
7 |
20% |
|
| Scalability |
7 |
20% |
|
| Reporting |
8 |
15% |
|
| Setup |
7 |
15% |
|
| Value |
7 |
10% |
|
|
|
Cost:
LANenforcer, $19,995; LANsight management software, $2,000
Bottom Line:
The LANenforcer is on the cusp of being a major player in the NAC space. Security policy is rich but difficult to manage,
largely because of a clumsy UI. Host assessment is missing in this release, but the forthcoming Client Integrity Checking
will fill this gap very well. Historical reporting is weak, but real-time monitoring is strong.
|
|
About our Reviews and Scoring Methodology
|
|
Vernier Networks EdgeWall 7000
Vernier Networks, verniernetworks.com
|
| Very Good 8.0 |
|
| criteria |
score |
weight |
| Manageability |
8 |
20% |
|
| Policy Enforcement |
8 |
20% |
|
| Scalability |
8 |
20% |
|
| Reporting |
7 |
15% |
|
| Setup |
8 |
15% |
|
| Value |
9 |
10% |
|
|
|
Cost:
Price ranges from $9,000 to $31,000
Bottom Line:
Vernier’s EdgeWall 7000 proved to be a good all-around solution to the NAC problem. Policy enforcement is rock steady, and
end point assessment is a good mix of compliance and vulnerability checking. On-device reporting is the one area where EdgeWall
could use some work, but it can communicate with Network Intelligence for off-box analysis.
|
|
About our Reviews and Scoring Methodology
|
|
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
