Vernier’s EdgeWall 7000 is a 2U appliance that sits inline with your network traffic. Like the Caymas 525, the EdgeWall can be
installed anywhere in the network, but to be most effective, it needs to be located near the network core so that all user
traffic passes through it. The EdgeWall comes with two Gigabit Ethernet interfaces standard (my test unit had four) and can
optionally include fiber SX and LX interfaces. The EdgeWall can keep track of 3,000 concurrent users and inspects all traffic
from Layer 2 through Layer 7.
I installed the EdgeWall 7000 on my test bench and had it online with a basic policy in less than 30 minutes. Like the other
NAC appliances, it did take some time to get authentication servers, access control rights, and host-checking schemes in place.
My trusty SBS acted as my authentication source for users and groups via Active Directory. Other available authentication
sources for EdgeWall include NT Domain, 802.1x, RADIUS, Cisco Skinny (for SCCP [Skinny Client Control Protocol] IP phones),
and a local user database. As with Caymas, admins can use multiple authentication services in a single authentication policy.
A unique feature in the EdgeWall is that it can “sniff” out a user’s SMB log-in information and provide single sign-on services
for Windows users. As people log in to their PCs, their user credentials are intercepted by the EdgeWall and used to determine
the appropriate group affiliations. For non-Windows or guest devices, captive portal is available for authentication.
A policy is defined by the identity of the user or device, the connection profile (authentication policy, location, and time
of day restrictions), the security profile (host checking) and access policy (allowed and restricted traffic, encryption settings).
Vernier’s policy engine allows administrators to craft very specific access control definitions no matter what the device
may be. For instance, my test EdgeWall included an identity profile for Cisco SCCP phones that allowed me to bind them to
a specific security policy.
Admins use the access policy to define which network resources and services a particular policy may reach. I found the
process of creating an access policy to be straightforward, if not a little intimidating, as I worked my way through all of
the choices. The EdgeWall policy engine works top down to find the first match between user and access rights. The EdgeWall
engine doesn’t automatically order the rule sets; it is up to the administrator to get them ordered correctly. If you don’t
pay attention to how the list is ordered, a user may have greater access or may be denied entirely.
Its end-point host assessment is one of the strongest in our roundup, with a wide range of host-assessment tests and checks.
Each host-assessment policy is made up of a policy-compliance scanset and a vulnerability scanset. A policy-compliance scanset
defines requirements such as anti-virus, personal firewall, and OS patch level. I was happy to see that other choices, such
as MS security updates and minimum browser versions (both IE and Firefox), are also included. Even more interesting are the
vulnerability scansets. These OS-specific scansets allow admins to probe a host for specific vulnerabilities such as backdoors,
port scanners, remote file access, and a wide range of exploitable applications.
As comprehensive as this appliance is, it does have one flaw: instead of a Java or ActiveX scan engine, Vernier uses SMB credentials
to gain access to the client. The scan engine needs a user name and password with rights to the local device in order to perform
a thorough policy-compliance check. This requirement also means that Mac and UNIX hosts cannot be scanned to the same level
as Windows hosts. The endpoint compliance service, however, can scan a host for open ports or other vulnerabilities that
don’t require local access to the system. I like that I could scan a host during authentication and also rescan the host on
a recurring interval. This feature helps prevent users from disabling their anti-virus software after logging in. If this
should happen, the EdgeWall would move the client into the appropriate policy until it was back in compliance.
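The following is an added illustration, not Vernier's code, of the two behaviours described above: a top-down, first-match policy engine in which a misordered catch-all rule shadows a more specific one, and a recurring rescan that drops a client whose anti-virus was disabled into a remediation policy. The rules, group names and service names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed model of a first-match NAC policy engine; not Vernier's code.
@dataclass
class Rule:
    name: str
    groups: Set[str]           # identity profile: required directory groups (empty = any user)
    compliant: Optional[bool]  # security profile: required host state (None = don't care)
    allow: Set[str]            # access policy: services this rule permits

@dataclass
class Client:
    user: str
    groups: Set[str]
    compliant: bool            # result of the latest host-assessment scan

def first_match(rules: List[Rule], client: Client) -> Optional[Rule]:
    """Walk the rule list top down and return the first rule whose identity
    and security profile both match; None means the client is denied."""
    for rule in rules:
        if rule.groups and not (rule.groups & client.groups):
            continue
        if rule.compliant is not None and rule.compliant != client.compliant:
            continue
        return rule
    return None

def services_for(rules: List[Rule], client: Client) -> Tuple[str, List[str]]:
    rule = first_match(rules, client)
    return (rule.name, sorted(rule.allow)) if rule else ("deny", [])

# Hypothetical rules: remediation for non-compliant hosts, a Finance-specific
# rule, and a catch-all for any compliant employee.
REMEDIATION = Rule("remediation", set(), False, {"av-update-server"})
FINANCE = Rule("finance", {"Finance"}, True, {"erp", "mail", "web"})
EMPLOYEES = Rule("employees", set(), True, {"mail", "web"})

# The catch-all placed above the Finance rule shadows it: Finance users never
# reach their rule and get only the generic employee access.
SHADOWED_ORDER = [REMEDIATION, EMPLOYEES, FINANCE]
CORRECT_ORDER = [REMEDIATION, FINANCE, EMPLOYEES]

def rescan(client: Client, antivirus_running: bool) -> Client:
    """Recurring host assessment: a client that disables its anti-virus after
    logging in fails the next scan and falls through to the remediation rule."""
    return Client(client.user, client.groups, compliant=antivirus_running)
```

Evaluating a Finance user against both orderings shows the shadowing; rescanning the same client with anti-virus off returns the remediation rule regardless of group membership.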
Reporting is one weak area of the EdgeWall. Admins can send log file information to a Syslog server or directly to a Network Intelligence
system. Raw log files are available on the appliance, and you can apply some basic filters such as time period and severity,
but graphical reports or user statistics are not available.
All of the NAC appliances I reviewed need some improvement, but Caymas and Vernier are clearly on the right track. When Nevis
releases its host assessment service, and if the company works on its UI, its solution will be worth consideration. Lockdown
is interesting because it doesn’t require IT to rip and replace a closetful of switches (a la Cisco); it works with what is
already in place. Its use of VLANs is unique but does cause us to worry about scalability and flexibility. When deployed with
some foresight, however, it will work well.
Correction:
This review has been corrected to note the support for multiple authentication methods per port in Lockdown Enforcer and the
availability of the Lockdown Sentry appliance for remote offices, two factors that make Lockdown's solution more flexible
and scalable than was reflected in the original review. The score we awarded to Lockdown Enforcer for Scalability has been
raised from 7 to 8, giving it an overall score of 7.9. InfoWorld regrets the errors.
Victor R. Garza and Roger A. Grimes contributed to this review.