The LANenforcer 1048 is a 1U 48-port Gigabit Ethernet access layer switch that, unlike those from Caymas and Vernier, needs
to be installed closer to the user, normally in the workgroup wiring closet. Currently, it has a one-MAC-address-per-port
limitation, preventing it from enforcing policy on users connected to upstream workgroup switches (this limitation is being
addressed in the next major release). It does, however, inspect traffic from Layer 2 on up.
Installing the 1048 on my test bench took less than an hour, but like all the others, creating a default policy took most
of a morning. Nevis uses an external management server called LANsight for all configuration and management chores. For my
evaluation, LANsight came preinstalled on a Dell PowerEdge server, but admins will have to provide their own hardware to install
LANsight when they purchase the system.
The list of authentication sources Nevis supports isn’t as long as Caymas’, but will fit most situations. On it, admins will
find LDAP, Active Directory, RADIUS, and TACACS+ (Terminal Access Controller Access Control System). As with the other vendors,
Active Directory was my authentication source for Nevis.
Users authenticate either through captive portal or 802.1x. Nevis’s captive portal implementation is a little different from
the others: The browser window must stay open, although it can be minimized, while the user is logged in. The reason is that
the portal page provides a heartbeat so that LANenforcer knows the user is still logged in. When users close the browser,
they are immediately logged off. Alternatively, captive portal can be configured not to provide the heartbeat, but users would
then have to manually log off or unplug their PCs from the network for LANenforcer to explicitly log them off -- not the preferred
method of handling this.
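The heartbeat behaviour described above is a session-liveness check: the enforcement point keeps a last-seen timestamp per port and logs the user off once the portal page has been silent for too long. The following is an added illustration of that logic, not Nevis code; the interval, the number of tolerated missed beats, the port names and the user names are all constructed values. It also models the alternative mode the review mentions, where no heartbeat is expected and sessions linger until an explicit logoff or a link-down event.

```python
"""Portal heartbeat session tracking (added illustration, not Nevis code)."""
import time

# Constructed values: the review does not state the real heartbeat interval.
HEARTBEAT_INTERVAL = 30      # seconds between heartbeats from the open portal page
MISSED_BEATS_ALLOWED = 2     # heartbeats that may be missed before the user is logged off


class PortalSessionTable:
    """Tracks logged-in users per switch port and logs them off when heartbeats stop.

    heartbeat_required=False models the mode without a heartbeat: sessions never
    expire on their own and only end on manual logoff or a link-down event.
    """

    def __init__(self, heartbeat_required=True, clock=time.monotonic):
        self.heartbeat_required = heartbeat_required
        self.clock = clock          # injectable so the simulation below is deterministic
        self.sessions = {}          # port -> {"user": str, "last_seen": float}

    def login(self, port, user):
        self.sessions[port] = {"user": user, "last_seen": self.clock()}

    def heartbeat(self, port):
        """Called each time the portal page checks in; unknown ports are ignored."""
        session = self.sessions.get(port)
        if session is None:
            return False
        session["last_seen"] = self.clock()
        return True

    def logoff(self, port):
        """Explicit logoff by the user, or a link-down event on the port."""
        return self.sessions.pop(port, None) is not None

    def reap(self):
        """Log off every session whose heartbeat has been silent past the deadline."""
        if not self.heartbeat_required:
            return []
        deadline = HEARTBEAT_INTERVAL * (MISSED_BEATS_ALLOWED + 1)
        now = self.clock()
        expired = [p for p, s in self.sessions.items() if now - s["last_seen"] > deadline]
        for port in expired:
            del self.sessions[port]
        return expired

    def logged_in(self, port):
        return port in self.sessions


class FakeClock:
    """Manually advanced clock so the scenario is reproducible offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate(heartbeat_required=True):
    """Two constructed users log in; only one keeps the portal page open."""
    clock = FakeClock()
    table = PortalSessionTable(heartbeat_required, clock)
    table.login("gi1/0/7", "alice")
    table.login("gi1/0/8", "bob")
    # Bob closes his browser immediately; Alice's page keeps sending heartbeats.
    for _ in range(5):
        clock.advance(HEARTBEAT_INTERVAL)
        table.heartbeat("gi1/0/7")
        table.reap()
    return {"alice": table.logged_in("gi1/0/7"), "bob": table.logged_in("gi1/0/8")}


if __name__ == "__main__":
    print("with heartbeat:   ", simulate())
    print("without heartbeat:", simulate(heartbeat_required=False))
```

With the heartbeat enabled, Bob is logged off after the third missed beat while Alice stays authenticated; with it disabled, both sessions remain until `logoff()` is called, which is exactly the lingering-session problem the review warns about.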
LANenforcer allows for a nearly seamless Windows single sign-on by way of integrating 802.1x into each Windows network client
setting. As long as the proper authentication policy is assigned to the port the user is logged in to, the user credentials
are passed through to LANsight for policy assignment. As with Lockdown, deployment of the appliance isn’t as flexible, because
authentication definitions are statically assigned to each physical port in the switch. Using criteria other than port number
to define how a user will authenticate makes more sense.
I found navigating LANsight and managing access control policies a little daunting. Organization of the UI was not intuitive
and left me jumping from screen to screen to manage users and assign policies. Although the admin UI might have slowed me
down, it didn’t leave anything out in terms of functionality. I was able to create groups and place users into them and then
assign a security policy to the group. LANsight will check for any externally mapped group memberships (from your authentication
service) and merge them into a single security policy for each user.
For example, one of my test accounts in AD was a member of three different groups. LANsight combined the effective rights
from each group and created a security policy that reflected what access those group memberships were allowed to have. When
users fail required security checks, LANsight automatically places them into a quarantine security policy.
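The policy merge described above (several group memberships collapsed into one effective policy per user, with a quarantine policy substituted when posture checks fail) is shown here as an added example; it is not LANsight code. The group names and the per-group rules are constructed. The review does not say how LANsight resolves conflicts between groups, so this example assumes a common design: allows are unioned across all groups and an explicit deny from any group wins.

```python
"""Effective-policy merge from group memberships (added illustration, not LANsight code)."""

# Constructed per-group policies. Each lists destinations (proto/port) members may
# reach and destinations explicitly denied to them.
GROUP_POLICIES = {
    "Domain Users": {"allow": {"tcp/80", "tcp/443", "udp/53"}, "deny": set()},
    "Engineering":  {"allow": {"tcp/22", "tcp/3389"},          "deny": set()},
    "Finance":      {"allow": {"tcp/1433"},                    "deny": {"tcp/3389"}},
}

# Constructed quarantine policy: a host that failed its required security checks
# can only reach the remediation server.
QUARANTINE_POLICY = {
    "allow": {"tcp/443:remediation-server"},
    "deny": set(),
    "quarantined": True,
}


def effective_policy(local_groups, external_groups, posture_ok=True):
    """Merge locally assigned and externally mapped (e.g. AD) group memberships.

    ASSUMPTION (not stated on the page): allows are unioned, explicit denies win.
    A failed posture check overrides everything with the quarantine policy.
    """
    if not posture_ok:
        return dict(QUARANTINE_POLICY)
    allow, deny = set(), set()
    for group in set(local_groups) | set(external_groups):
        policy = GROUP_POLICIES.get(group)
        if policy is None:
            continue            # an unknown group grants nothing
        allow |= policy["allow"]
        deny |= policy["deny"]
    return {"allow": allow - deny, "deny": deny, "quarantined": False}


def is_permitted(policy, destination):
    """Decision for one flow: denied if listed, otherwise allowed only if listed."""
    if destination in policy["deny"]:
        return False
    return destination in policy["allow"]


if __name__ == "__main__":
    # A constructed user who, like the review's test account, is in three AD groups.
    p = effective_policy([], ["Domain Users", "Engineering", "Finance"])
    print(sorted(p["allow"]), sorted(p["deny"]))
    print(effective_policy([], ["Engineering"], posture_ok=False))
```

Running it shows that Finance's deny on tcp/3389 removes the RDP allow that Engineering membership would otherwise grant, and that a failed posture check returns the quarantine policy regardless of group membership.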
In this release of the LANenforcer, there is no way to check the host for vulnerabilities or determine its security posture.
I did, however, receive a demo of Nevis’ host assessment system, Client Endpoint Integrity (CEI), currently in beta, which
will be available in a future release. When it ships, CEI should be on par with the host-checking systems currently in other
products. It will include support for all major client-based anti-virus and anti-spyware applications and will scan the host
prior to authentication. One drawback is that it is going to use an ActiveX control, limiting it to Windows systems.
Reporting and monitoring are also solid in LANsight, with many different views into the current status of the appliance. Historical
reporting is limited to displaying a single user or IP address’s activity, and admins have to know the information to search
for. The monitoring section is much more admin-friendly with real-time information about active and blocked users and current
network state. Much like Lockdown, I was able to dig into the LANenforcer and get quick access to which users were logged
into which ports and whether there had been any policy exceptions.
Vernier EdgeWall 7000
The 7000 series of network access management appliances from Vernier covers all aspects of network security, from log-on location
and device posture to authentication methods and access policies. End point assessment is one of the best for Windows PCs,
with very flexible and detailed scan sets. EdgeWall can provide single sign-on services for Windows users as well as captive
portal for non-Windows or guest devices. On-device reporting is the one weak spot in this NAC solution.

Caymas 525 Identity-Driven Access Gateway
Caymas Systems, caymassystems.com
Score: Very Good 8.1

| Criteria           | Score | Weight |
| Manageability      | 8     | 20%    |
| Policy Enforcement | 8     | 20%    |
| Scalability        | 9     | 20%    |
| Reporting          | 8     | 15%    |
| Setup              | 8     | 15%    |
| Value              | 7     | 10%    |

Cost: $70,000 for 5,000 users with all features enabled
Bottom Line: The 525 Identity-Driven Access Gateway blurs the line between SSL VPN and NAC device. The policy enforcement is good and doesn’t have any gaping holes, although it does have the feel of an SSL VPN appliance. End point assessment works well, with only minor shortcomings. A decent array of reporting choices makes reporting very good.
About our Reviews and Scoring Methodology

Lockdown Networks Enforcer
Lockdown Networks, lockdownnetworks.com
Score: Good 7.9

| Criteria           | Score | Weight |
| Manageability      | 7     | 20%    |
| Policy Enforcement | 8     | 20%    |
| Scalability        | 8     | 20%    |
| Reporting          | 9     | 15%    |
| Setup              | 8     | 15%    |
| Value              | 7     | 10%    |

Cost: 1U model, $24,995; 2U model, $39,995; Commander, $9,995; Sentry, $1,495
Bottom Line: The Enforcer takes a different approach to providing network security. Instead of inspecting packets and applying policy, it places traffic in a VLAN on a per-port basis on a managed Ethernet switch. Scalability for large enterprises is a question, but for smaller networks, creating the VLAN-based security scheme shouldn’t be a problem. End point assessment is well rounded.

Nevis LANenforcer
Nevis Networks, nevisnetworks.com
Score: Good 7.2

| Criteria           | Score | Weight |
| Manageability      | 7     | 20%    |
| Policy Enforcement | 7     | 20%    |
| Scalability        | 7     | 20%    |
| Reporting          | 8     | 15%    |
| Setup              | 7     | 15%    |
| Value              | 7     | 10%    |

Cost: LANenforcer, $19,995; LANsight management software, $2,000
Bottom Line: The LANenforcer is on the cusp of being a major player in the NAC space. Security policy is rich but difficult to manage, largely because of a clumsy UI. Host assessment is missing in this release, but the forthcoming Client Integrity Checking will fill this gap very well. Historical reporting is weak, but real-time monitoring is strong.

Vernier Networks EdgeWall 7000
Vernier Networks, verniernetworks.com
Score: Very Good 8.0

| Criteria           | Score | Weight |
| Manageability      | 8     | 20%    |
| Policy Enforcement | 8     | 20%    |
| Scalability        | 8     | 20%    |
| Reporting          | 7     | 15%    |
| Setup              | 8     | 15%    |
| Value              | 9     | 10%    |

Cost: Price ranges from $9,000 to $31,000
Bottom Line: Vernier’s EdgeWall 7000 proved to be a good all-around solution to the NAC problem. Policy enforcement is rock steady, and end point assessment is a good mix of compliance and vulnerability checking. On-device reporting is the one area where EdgeWall could use some work, but it can communicate with Network Intelligence for off-box analysis.