The last system we tested was McAfee Policy Enforcer. Using a combination of a robust, multivendor policy manager and any of the supported network access requesters and posture collectors, this system allows administrators to apply fine-grained policies based on the characteristics reported by many different posture validators, including anti-virus systems from McAfee’s competitors. Policy Enforcer is not an enforcement gateway but uses VLAN assignment to control access.
For those networks that use VLANs to segregate devices, all four solutions are capable of using VLAN assignment to shuttle systems onto the appropriate VLANs for the various system states. The McAfee system is able to differentiate locale, and so can select the appropriate VLANs based on the user’s location. The Enterasys system supplements VLAN assignment with the port-based policy capabilities of the Enterasys switches, providing a number of improvements over the pure VLAN-based approach.
Another distinction among the systems is support for 802.1x. Some enterprises will want to tap 802.1x authentication to provide different services and different levels of network access based on the user’s identity. For them, a system that integrates 802.1x and user identity will be essential. Neither Symantec nor McAfee does this.
If you are concerned only about the security posture of the systems connecting and easy Internet access for guests, implementing 802.1x may be unnecessary. All four of these solutions have the capabilities necessary to meet these requirements.
Enterasys Sentinel Trusted Access
Configuration of the system requires three related but separate applications, as well as connectivity to external systems for posture scanning and IDS. Policies are created in the NetSight Policy Manager and pushed to the appropriate network enforcement points.
The Sentinel TAM -- which is responsible for managing the Sentinel TAGs that enforce the policies -- provides authentication proxy and network enforcement. One TAM can manage many TAGs, allowing for centralized management of a widely distributed network.
Our test system used an Enterasys Matrix N-series core switch and a B-series edge switch equipped with the system daughter card. The daughter card ran the TAG.
Our Enterasys environment also included the Dragon Security Command Console to manage security events and the Dragon network intrusion detection product to watch network traffic and report anomalies for action. The Dragon components are not a necessary part of Enterasys’ NAC implementation, and they come at significant additional cost.
The Enterasys system, especially when including the optional IDS, is more comprehensive than the other three solutions. The system provided integrated capabilities for all of our test scenarios, using agent-based scanning of the clients to determine client posture. The Enterasys solution supports the VLAN assignment approach, but by leveraging the Enterasys switches, we were able to assign policies that were even more granular. As a result, for example, devices did not change IP subnets as they moved from one state to another, eliminating the need to force a DHCP release/renew and the accompanying delay.
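As an added illustration (not code from the InfoWorld review or from any of the vendors tested), the following models the VLAN-assignment approach the review describes: posture results and locale select a VLAN, the VLAN is handed to the switch as RFC 3580 RADIUS attributes, and a check shows when a state change moves the device to a new subnet and so forces the DHCP release/renew noted above. VLAN ids, site names and subnets are constructed for the example.

```python
from ipaddress import IPv4Network, ip_address

# Constructed sample policy table: (posture state, locale) -> VLAN id.
# Locale-aware selection mirrors the behaviour described for the McAfee
# system; all ids and subnets here are made up for illustration.
VLAN_POLICY = {
    ("compliant", "hq"): 110,  ("compliant", "branch"): 210,
    ("quarantine", "hq"): 190, ("quarantine", "branch"): 290,
    ("guest", "hq"): 199,      ("guest", "branch"): 299,
}
VLAN_SUBNETS = {
    110: IPv4Network("10.1.10.0/24"), 190: IPv4Network("10.1.90.0/24"),
    199: IPv4Network("10.1.99.0/24"), 210: IPv4Network("10.2.10.0/24"),
    290: IPv4Network("10.2.90.0/24"), 299: IPv4Network("10.2.99.0/24"),
}

def posture_state(posture: dict) -> str:
    """Collapse posture-validator results into a policy state.
    posture keys (assumed): agent, av_current, patched (all bool)."""
    if not posture.get("agent"):
        return "guest"          # no posture collector: treat as unmanaged
    if posture.get("av_current") and posture.get("patched"):
        return "compliant"
    return "quarantine"         # managed but failing a validator

def assign_vlan(posture: dict, locale: str) -> int:
    """Pick the VLAN for this device's state at this location."""
    return VLAN_POLICY[(posture_state(posture), locale)]

def radius_vlan_attrs(vlan: int) -> dict:
    """RFC 3580 attributes a RADIUS server returns in Access-Accept so an
    802.1x-capable switch places the authenticated port on `vlan`."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}

def needs_dhcp_renew(current_ip: str, new_vlan: int) -> bool:
    """True when the device's current address is not valid on the subnet
    behind new_vlan, i.e. a VLAN move forces a DHCP release/renew and the
    delay that goes with it. Staying on the same VLAN (as with a
    port-policy approach) avoids the renew entirely."""
    return ip_address(current_ip) not in VLAN_SUBNETS[new_vlan]

if __name__ == "__main__":
    device = {"agent": True, "av_current": False, "patched": True}
    vlan = assign_vlan(device, "hq")
    print(vlan, radius_vlan_attrs(vlan), needs_dhcp_renew("10.1.10.25", vlan))
```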
Steve Hultquist is a contributing editor of the InfoWorld Test Center.