Among all the NAC appliances reviewed here, Enforcer is the only one that does not sit inline with the flow of traffic. Instead,
it talks to managed switches via SNMP and places each port on the switch, based on user authentication, in various VLANs.
Each security policy corresponds to a VLAN, either an existing one or one defined for the purpose of managing access to specific
resources.
Enforcer’s approach to policy enforcement differs greatly from that of its competitors; it’s also quite limiting. Part of
the initial setup of my Enforcer included creating a connection, called a Control Point by Lockdown, via SNMP to my Cisco
Catalyst 2950 switch. Each port in the Catalyst is enumerated in the Enforcer UI and assigned a specific type of policy enforcement.
For example, ports 1 through 6 might be defined for use in a conference room where host assessment is required but authentication
is not (guest access). Admins can assign other ports different access policies as needed.
Unlike Caymas and Vernier, Enforcer requires you to explicitly define which authentication methods apply to each switch port,
a process that will require some forethought. Each port can support multiple authentication methods, or not require authentication
at all. When assigning authentication methods, admins will have to err on the side of security and apply stricter policy
settings across all ports to make sure all possible scenarios are covered. For many enterprises, however, physical
switch and port connections are static and well known to IT. So in this case, administrators can make some assumptions about
what type of device will connect and what access policy should be in place. To prevent any SNMP spoofing or poisoning, SNMP
Version 3 will be supported in a later release.
Because user traffic doesn’t pass through the Enforcer, it relies on the physical port in the switch for enforcement, much
like the Nevis LANenforcer. Therefore, if a group of users is connected in a remote workgroup switch and their traffic is
aggregated back to a switch under Enforcer’s control, only a default policy can be applied to them. Because there is no one-to-one
relationship between user and physical port, Enforcer cannot apply a specific policy or manage user authentication. Access
control is accomplished using traditional methods, such as switch-based ACLs. The same goes for branch offices: they either
need their own Enforcer or their switch remotely managed by the enterprise Enforcer. Lockdown addresses these scenarios with
the $1,495 Sentry box.
Enforcer’s user interface is one of the best looking of the quartet, providing easy access to the various management tasks.
Creating a policy, on the other hand, isn’t quite as intuitive as with Caymas or Vernier. The policy editor is extremely powerful
and allows for a very granular rule set. This is where the complexity creeps in: the wide range of choices and settings makes
policy definition seem difficult. With some help from technical support, I was able to create a handful of policies and assign
them to different ports in the Catalyst.
Action sets are the muscle behind the policy rules: they define what will happen when a user matches a specific policy set.
One action set might move the user to the Production VLAN while another might move them to the Quarantine VLAN, for example,
if the user’s anti-virus signatures are out of date. Other choices are to execute another rule set, require the agent to download
to the host, and/or schedule an audit.
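To make the port-based model concrete, here is an added Python simulation (not Lockdown's code) of the two behaviours described above: an action set that moves a host's switch port into a Production or Quarantine VLAN depending on authentication and anti-virus signature age, chaining from one rule set into another, and the fallback to a default policy when a port carries several hosts, as with an uplink from a remote workgroup switch. The VLAN ids, the seven-day signature-age limit, the rule sets, the hosts and the date are all constructed for the example; the in-memory switch class stands in for the SNMP Control Point, and its set_port_vlan method is where a real controller would perform the SNMP write.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed VLAN ids standing in for the Production, Guest and Quarantine VLANs.
VLANS = {"default": 1, "production": 10, "guest": 20, "quarantine": 99}
MAX_SIG_AGE = timedelta(days=7)  # assumption: older signatures count as out of date


@dataclass
class Host:
    mac: str
    user: Optional[str]                # None when the host never authenticated
    auth_method: Optional[str]         # e.g. "802.1x", "ad", "captive_portal"
    av_signature_date: Optional[date]  # None when no anti-virus package was found
    agent_installed: bool


@dataclass
class PortConfig:
    """Per-port settings an admin assigns in the controller UI."""
    allowed_auth: Set[str]  # empty set: authentication not required on this port
    rule_set: str           # entry rule set evaluated for the host on this port


@dataclass
class Action:
    """An action set: what happens when a host matches a rule."""
    vlan: Optional[str] = None
    require_agent: bool = False
    schedule_audit: bool = False
    next_rule_set: Optional[str] = None  # "execute another rule set"


Rule = Tuple[Callable[[Host, PortConfig, date], bool], Action]


def av_out_of_date(h: Host, _p: PortConfig, today: date) -> bool:
    return h.av_signature_date is None or today - h.av_signature_date > MAX_SIG_AGE


# Constructed rule sets; the last rule of each is a catch-all.
RULE_SETS: Dict[str, List[Rule]] = {
    "employee": [
        (lambda h, p, t: h.user is None or h.auth_method not in p.allowed_auth,
         Action(vlan="quarantine")),
        (lambda h, p, t: not h.agent_installed,
         Action(vlan="quarantine", require_agent=True)),
        (lambda h, p, t: True, Action(next_rule_set="posture")),
    ],
    "posture": [
        (av_out_of_date, Action(vlan="quarantine", schedule_audit=True)),
        (lambda h, p, t: True, Action(vlan="production")),
    ],
    "guest": [  # conference-room ports: assessment required, authentication not
        (av_out_of_date, Action(vlan="quarantine")),
        (lambda h, p, t: True, Action(vlan="guest")),
    ],
}


class InMemorySwitch:
    """Stand-in for the SNMP-managed switch (assumed, no network I/O)."""
    def __init__(self, ports: int) -> None:
        self.port_vlan = {p: VLANS["default"] for p in range(1, ports + 1)}
        self.port_hosts: Dict[int, List[Host]] = {p: [] for p in self.port_vlan}

    def set_port_vlan(self, port: int, vlan: int) -> None:
        self.port_vlan[port] = vlan  # a real controller would SNMP-set the port VLAN here


def evaluate(host: Host, cfg: PortConfig, today: date, max_hops: int = 5) -> Tuple[Action, List[str]]:
    """Walk rule sets, following next_rule_set chains, and return the final action."""
    trail: List[str] = []
    name = cfg.rule_set
    for _ in range(max_hops):
        trail.append(name)
        for pred, action in RULE_SETS[name]:
            if pred(host, cfg, today):
                if action.next_rule_set is None:
                    return action, trail
                name = action.next_rule_set
                break
        else:
            raise ValueError("rule set has no matching rule: " + name)
    raise RuntimeError("rule set chain too deep: " + " -> ".join(trail))


def enforce_port(sw: InMemorySwitch, port: int, cfg: PortConfig, today: date) -> Dict[str, object]:
    hosts = sw.port_hosts[port]
    if len(hosts) != 1:
        # Uplink from a remote workgroup switch (or an empty port): no one-to-one
        # user/port relationship, so only the default policy can be applied.
        sw.set_port_vlan(port, VLANS["default"])
        return {"port": port, "vlan": "default", "reason": "no one-to-one host/port mapping"}
    action, trail = evaluate(hosts[0], cfg, today)
    sw.set_port_vlan(port, VLANS[action.vlan])
    return {"port": port, "vlan": action.vlan, "rule_sets": trail,
            "require_agent": action.require_agent, "schedule_audit": action.schedule_audit}


def demo() -> Dict[int, Dict[str, object]]:
    today = date(2007, 1, 15)  # constructed date
    sw = InMemorySwitch(ports=8)
    cfg = {1: PortConfig({"802.1x", "ad"}, "employee"),
           2: PortConfig({"802.1x", "ad"}, "employee"),
           3: PortConfig(set(), "guest"),
           8: PortConfig({"802.1x", "ad"}, "employee")}  # uplink to a remote switch
    sw.port_hosts[1] = [Host("00:11:22:33:44:01", "alice", "802.1x", today - timedelta(days=1), True)]
    sw.port_hosts[2] = [Host("00:11:22:33:44:02", "bob", "ad", today - timedelta(days=30), True)]
    sw.port_hosts[3] = [Host("00:11:22:33:44:03", None, None, today, False)]
    sw.port_hosts[8] = [Host("00:11:22:33:44:%02x" % i, "user%d" % i, "802.1x", today, True)
                        for i in range(4, 7)]
    return {p: enforce_port(sw, p, cfg[p], today) for p in cfg}


if __name__ == "__main__":
    for port, result in demo().items():
        print(port, result)
```

The multi-host check runs before any rule is evaluated, which is the point the review makes: without a one-to-one user/port mapping the controller has nothing to decide on, so aggregated traffic gets only the default VLAN, and the actual access control has to come from elsewhere (switch ACLs, or a controller of its own at the remote site). Bob's port lands in Quarantine with an audit scheduled because his signatures are 30 days old, while Alice's identical authentication path ends in Production; that difference comes entirely from the chained posture rule set.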
Authentication services are solid and will work in just about any situation. LDAP, RADIUS, 802.1x, Active Directory and captive
portal are all available. The Active Directory worked flawlessly with my SBS server and was one of the easier AD connectors
to create.
Endpoint host assessment is very comprehensive and comes in both agent and agentless flavors. Agentless checks include open
ports, running services, Mac software updates, and vulnerability scans. An agent is required on the host (Windows and Mac
versions are available) to check for the existence and status of Windows and Macintosh anti-virus packages, Windows anti-spyware,
and firewall vendors. The Enforcer can use SMB credentials to initiate a Windows anti-virus check and a Registry check.
I was really impressed with how detailed Enforcer’s reporting engine is. At a glance, I was able to see which users were logged
in and to which port, which ones were in violation of a policy, and a list of detected vulnerabilities. A report builder allows
IT to craft its own custom reports.
Nevis LANenforcer 1048
The Nevis LANenforcer is the only solution in my review that replaces the switches in the wiring closet. It provides access
control on a per-port basis, giving each user a personal DMZ on the network. Configuration is done through an external
management server but policy management is hampered by a poorly organized user interface. Available authentication services
will handle most situations, and like Lockdown’s Enforcer, each physical port is assigned a specific authentication policy.
Endpoint host checking is missing in this release, but it will be available in the future.