NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders
As the NAC (network access control) market matures, the solutions are becoming more sophisticated at identifying users and assessing the security compliance of host devices. Answering questions such as how snugly they fit into the existing infrastructure (is it a forklift upgrade?) and how well they qualify a device’s security compliance posture before admitting it to the network helps to separate the wheat from the chaff.
NAC is all about identifying end-users, checking their host devices to ensure they’re within defined security requirements (anti-virus installed and running, for instance), and then assigning a security policy to them.
The security policy is key. It has to be built dynamically to fit a user’s current security status, taking into account where and how the user connected (a wireless link? a conference room?), who the user is (a line-of-business manager or the CEO?), whether the user’s anti-virus signatures are current, and whether any ports open on the host violate acceptable policy. As a user’s posture changes, so should the security policy the user receives.
When selecting a NAC system, administrators will also need to consider whether they want to deploy a solution that enforces at the host level or at the network layer. Doing it at the host level entails installing software agents on end-user systems across the enterprise and requires local access to each host. This approach can provide an extremely effective means of enforcement (see Elemental Compliance System).
Controlling user access at the network level may require wholesale equipment upgrades, but it can prevent an unknown user from gaining even the tiniest access to the LAN.
In this review, I tested four NAC appliances that enforce at the network layer and inspect all end-user traffic as it passes through. I had the opportunity to check out the Caymas 525 Identity-Driven Access Gateway, Lockdown Networks Enforcer 4.2, Nevis Networks LANenforcer 1048, and the Vernier EdgeWall 7000.
The good news is that each solution actually works insofar as authenticating users and applying access policies to them goes. All support a captive portal log-in for user authentication, which is fine for guest or unmanaged devices, but a captive portal is Caymas’ only means of logging in users. All vendors but Caymas support 802.1X for a more seamless log-in for managed devices. Two of the appliances reflect their past uses: Caymas has a strong SSL VPN history and Vernier includes many features born of wireless security. Neither heritage detracts in any way from its product; they just add flavoring.
Endpoint vulnerability assessment is where the products vary the most. Of the four, only Nevis currently lacks a host-checking engine. Caymas pushes either an ActiveX or Java agent down to the client on connect (which requires the logged-on user to have local administrative or power-user rights) and destroys the agent at log-off. Vernier’s host check is agentless but does need Windows credentials to scan the device. Lockdown covers all bases with an agentless mode, Windows and Mac agents, and SMB (Server Message Block) scanning like Vernier’s. The one common theme is that for any of these solutions to truly determine the security posture of a host, access to the local device is required, whether through a dissolvable agent running with the user’s rights or through a privileged Windows credential held by the appliance.
At the end of my evaluation, I found that none of the products covers every base. Each one is missing a piece of the NAC puzzle: scalability, endpoint assessment, or reporting. The one that came closest to meeting all aspects of an ideal NAC solution is the Caymas 525 Identity-Driven Access Gateway. My biggest complaint is the cost of the unit -- $70,000 -- but that price is for all features enabled, including the SSL VPN services for 5,000 concurrent users. Vernier’s EdgeWall 7000 was the low-price leader and was only narrowly edged out by the Caymas appliance. With a better on-device reporting system, it would have scored a little higher and claimed top honors.
Caymas 525 Identity-Driven Access Gateway
The Caymas 525 Identity-Driven Access Gateway is an SSL VPN appliance for secure remote access to applications and data, as well as a flexible NAC solution for managing user access to the network. The 525 authenticates users, then dynamically builds an access control policy based on their security postures. Its host-assessment capabilities aren’t as comprehensive as Vernier’s, but they do provide a good measure of confidence.
Capable of handling as many as 5,000 concurrent users, the 525 is a 2U appliance with four Gigabit Ethernet interfaces and redundant power supplies. Each interface can provide connectivity to different network segments, allowing for flexible deployment. All user traffic must pass through the 525, but physical location in the infrastructure isn’t as important as how traffic flows through the device. Typically, like the other NAC solutions, admins will place the 525 near the network core.
Setting up, installing, and getting a basic default configuration online took me approximately an hour, with the better part of a morning spent getting device, application, and user groups defined. Microsoft SBS (Small Business Server) 2003 with AD (Active Directory) handled the authorization services. The 525 can also use LDAP, RADIUS, RSA SecurID, and a local database as a source of user names and passwords. I was able to map user groups in AD back to the Caymas appliance to take advantage of existing security groups. Caymas’ Java-based user interface was easier to navigate than most others in the group, second only to Vernier’s UI.
Integrated Windows log-in is one feature missing from the system. This means Caymas cannot make use of users’ Windows credentials to authenticate them and place them into a security zone. To access the network, all users must authenticate using the captive portal feature. The solution can, however, look up users in a number of different directories to obtain their group affiliations. Caymas says integrated Windows authentication will be available in a future release.
Caymas’ policy engine, like the others, requires some planning to get the most out of it, but after it’s in place, it requires little ongoing maintenance. Admins can define networks, resources, and applications either singularly or in groups. Admins can also create various security zones that bind networks, authentication methods, and host-checker results to specific Web and file resources and applications.
For example, I created a Financial security zone that required my users to authenticate against Active Directory, to be on an internal network segment, and to successfully pass the host checker. To this security zone, I then assigned a group of applications and resources users would then be able to access. If a user fails any of the required security items, he or she would be placed into a limited-access quarantine policy.
As I was creating and changing my security policies and zones, I was happy to note that I could easily see what my users’ effective ACLs (access control lists) would be. No matter if I had selected a specific application or a group of users, I could see in the same window what the security policy was for that object. This glimpse made double-checking the effective rights much quicker.
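As an added example (not Caymas code or part of the original review), the following models the zone scheme just described: each zone binds an authentication source, a source network and a host-check requirement to a set of resources; a session receives the union of the grants from every zone it qualifies for, and a session that qualifies for no zone falls back to a limited quarantine policy. A second function gives the per-resource view mentioned above, listing which zones grant a given resource. Zone names, networks, resource names and sessions are constructed for the example.

```python
"""Security zones to effective ACL, as an added example (not vendor code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    auth_source: str        # "AD", "RADIUS", "local" or "none" (unauthenticated)
    src_ip: str
    host_check_passed: bool


@dataclass(frozen=True)
class Zone:
    name: str
    auth_sources: frozenset  # authentication sources the zone accepts
    networks: tuple          # CIDRs the session must originate from
    requires_host_check: bool
    grants: frozenset        # resources ("host:port" or a label) the zone grants

    def admits(self, s):
        """All requirements must hold for the session to land in this zone."""
        on_net = any(ipaddress.ip_address(s.src_ip) in ipaddress.ip_network(n)
                     for n in self.networks)
        return (s.auth_source in self.auth_sources and on_net
                and (s.host_check_passed or not self.requires_host_check))


# Constructed zones. Quarantine is not a zone; it is the fallback.
QUARANTINE = frozenset({"remediation.corp:80", "dns:53"})
ZONES = (
    Zone("Financial", frozenset({"AD"}), ("10.10.0.0/16",), True,
         frozenset({"erp.corp:443", "finance-files.corp:445"})),
    Zone("Employee", frozenset({"AD", "RADIUS"}), ("10.0.0.0/8",), True,
         frozenset({"intranet.corp:80", "mail.corp:443", "internet"})),
    Zone("Conference-Room", frozenset({"none", "AD", "RADIUS"}), ("10.200.0.0/24",), False,
         frozenset({"internet"})),
)


def effective_acl(session, zones=ZONES):
    """Return (zone names joined by ',', granted resources), or the quarantine policy."""
    matched = [z for z in zones if z.admits(session)]
    if not matched:
        return "quarantine", QUARANTINE
    grants = frozenset().union(*(z.grants for z in matched))
    return ",".join(z.name for z in matched), grants


def who_can_reach(resource, zones=ZONES):
    """Per-resource view: the zones that grant a given resource."""
    return [z.name for z in zones if resource in z.grants]


# Constructed sessions.
CFO = Session("cfo", "AD", "10.10.5.20", host_check_passed=True)
CFO_STALE_AV = Session("cfo", "AD", "10.10.5.20", host_check_passed=False)
CONTRACTOR = Session("contractor", "RADIUS", "10.10.5.21", host_check_passed=True)
GUEST = Session("guest", "none", "10.200.0.17", host_check_passed=False)

if __name__ == "__main__":
    for s in (CFO, CFO_STALE_AV, CONTRACTOR, GUEST):
        print(s.user, effective_acl(s))
    print("erp.corp:443 granted by", who_can_reach("erp.corp:443"))
```

The CFO with a failed host check matches neither the Financial nor the Employee zone, so the session lands in quarantine rather than receiving a reduced subset of grants, which is the behaviour the review describes. The contractor authenticating through RADIUS never reaches the Financial zone because that zone accepts only AD-authenticated sessions.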
The Caymas host-checking system does not require a permanently installed agent on the host PC. During the authentication process, the appliance pushes a dissolvable ActiveX or Java agent (depending on the environment) to the client, which scans the host; on disconnect the agent is removed with no traces left behind. For the agent to install and run, the logged-on user must have power-user or administrative rights to his or her PC. This could be a problem in enterprises where users have limited local rights, and it means the check runs in the user’s own security context rather than from a vantage point the user cannot influence.
As of this release, Caymas doesn’t come with a predefined list of anti-virus, anti-spyware, or personal firewall vendors. Admins have to create their host checking policy by entering the process name or some other identifying information, such as rtvscan.exe, to look for Norton AntiVirus, for instance. With minimal effort, however, it will scan for open ports, Windows service pack level, Registry entries, and files. Admins can nest host-checker policies using Boolean logic to create complex rules. Later releases will feature built-in anti-virus, anti-spyware, and personal firewall lists, as well as the capability of scheduling recurring host checks.
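The nested Boolean host-check rules described above can be modelled directly. The following is an added example, not Caymas code or part of the original review: it builds leaf checks for a running process, a minimum service pack, forbidden open ports, a registry value and a file, combines them with AND/OR/NOT, and reports which leaves a constructed host snapshot failed. The anti-virus and VNC process names are real product image names; the registry path, the corporate file path, the port list and the host snapshots are assumptions chosen for illustration.

```python
"""Nested Boolean host-check policy, as an added example (not vendor code).

A HostSnapshot stands in for what a dissolvable agent would collect; the
snapshots at the bottom are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    processes: set          # image names of running processes
    service_pack: int       # Windows service pack level
    open_ports: set         # TCP ports listening on the host
    registry: dict          # registry path -> value
    files: set              # file paths present on disk


# Leaf checks. Each returns a predicate over a HostSnapshot that is True
# when the host satisfies the requirement.
def process_running(name):
    return lambda h: name.lower() in {p.lower() for p in h.processes}


def min_service_pack(level):
    return lambda h: h.service_pack >= level


def no_open_ports(forbidden):
    return lambda h: not (h.open_ports & set(forbidden))


def registry_equals(path, expected):
    return lambda h: h.registry.get(path) == expected


def file_present(path):
    return lambda h: path in h.files


# Boolean combinators, so checks can be nested to any depth.
def all_of(*checks):
    return lambda h: all(c(h) for c in checks)


def any_of(*checks):
    return lambda h: any(c(h) for c in checks)


def negate(check):
    return lambda h: not check(h)


# Example paths and ports: assumptions for this example, not vendor defaults.
FW_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall"
AGENT_CFG = r"C:\Program Files\Corp\nac-agent.cfg"   # hypothetical corporate file

# Named leaves, so a failing host can be told exactly what it failed.
LEAVES = {
    "av_running": any_of(process_running("rtvscan.exe"),    # Norton AntiVirus
                         process_running("mcshield.exe")),  # McAfee VirusScan
    "service_pack": min_service_pack(2),
    "no_file_sharing_ports": no_open_ports({135, 139, 445}),
    "firewall_enabled": registry_equals(FW_KEY, 1),
    "no_vnc_server": negate(process_running("winvnc.exe")),
    "agent_config_present": file_present(AGENT_CFG),
}
POLICY = all_of(*LEAVES.values())


def assess(host):
    """Return ("compliant" | "quarantine", [names of failed leaves])."""
    failed = [name for name, check in LEAVES.items() if not check(host)]
    return ("compliant" if POLICY(host) else "quarantine"), failed


# Constructed snapshots.
COMPLIANT_HOST = HostSnapshot(
    processes={"explorer.exe", "Rtvscan.exe", "ccApp.exe"},
    service_pack=2,
    open_ports={1025},
    registry={FW_KEY: 1},
    files={AGENT_CFG},
)
STALE_HOST = HostSnapshot(
    processes={"explorer.exe", "winvnc.exe"},
    service_pack=1,
    open_ports={139, 445, 5900},
    registry={FW_KEY: 0},
    files=set(),
)

if __name__ == "__main__":
    for label, host in (("compliant", COMPLIANT_HOST), ("stale", STALE_HOST)):
        print(label, assess(host))
```

Process-name matching is only as trustworthy as the host reporting it: any binary renamed to rtvscan.exe satisfies the av_running leaf, which is why the review’s point that real posture assessment needs access to the local device matters, and why a recurring re-check (promised for a later Caymas release) is worth having.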
The 525 inspects all user traffic from Layer 3 to Layer 7, taking advantage of the application security engine normally applied to SSL VPN deployments. In fact, the underlying SSL VPN and security features are very much a part of the system. In effect, Caymas provides a stateful inspection firewall for every user and builds ACLs based on the overall security profile of each user. Each packet is inspected as it passes through the appliance, no matter where it comes from, so, unlike with Nevis and Lockdown, a “one user to one port” association is not necessary.
Reporting is very well represented in the 525. Admins can view reports on user and resource activity, the number of successful and failed log-ins, and other system information. Admins can export the reports to CSV (comma-separated value) files for analysis in other reporting tools.
Lockdown Networks Enforcer
The Enforcer from Lockdown Networks takes an entirely different tack than the other NAC solutions in this review: It performs enforcement at the managed-switch level through SNMP by placing users into policy-defined VLANs. The policy engine is robust, though not the most intuitive one of the bunch. It does include various sample policies on which to build. Reporting features are the best of the lot with a wide variety of rich reports and graphs.
The Enforcer is available in 1U and 2U configurations (I tested the 1U device), with the 2U doubling the CPU and power supplies. Both versions come with a single Gigabit Ethernet interface for connecting to your managed switches. A single Enforcer can manage up to 256 switches and 4,096 VLANs.
Lockdown also offers the Sentry, a low-cost appliance that brings policy-based access control to remote offices, and the Commander, an appliance that allows admins to manage multiple Enforcers and Sentries from a single console. Neither the Sentry nor the Commander was part of my testbed.
Among all the NAC appliances reviewed here, Enforcer is the only one that does not sit inline with the flow of traffic. Instead, it talks to managed switches via SNMP and places each port on the switch, based on user authentication, in various VLANs. Each security policy corresponds to a VLAN, either an existing one or one defined for the purpose of managing access to specific resources.
Enforcer’s approach to policy enforcement differs greatly from that of its competitors; it’s also quite limiting. Part of the initial setup of my Enforcer included creating a connection, called a Control Point by Lockdown, via SNMP to my Cisco Catalyst 2950 switch. Each port in the Catalyst is enumerated in the Enforcer UI and assigned a specific type of policy enforcement. For example, ports 1 through 6 might be defined for use in a conference room where host assessment is required but authentication is not (guest access). Admins can assign other ports different access policies as needed.
Unlike Caymas and Vernier, Enforcer requires you to explicitly define which authentication methods apply to each switch port, a process that will require some forethought. Each port can support multiple authentication methods, or none at all. When assigning authentication methods, admins will have to err on the side of security and apply stricter policy settings across all ports to make sure all possible scenarios are covered. For many enterprises, however, physical switch and port connections are static and well known to IT, so administrators can make some assumptions about what type of device will connect and what access policy should be in place. SNMP Version 3, which adds authentication and encryption to the management channel and so guards against SNMP spoofing or poisoning, will be supported in a later release; until then the control path to the switches relies on SNMPv1/v2c community strings, which cross the wire in clear text.
Because user traffic doesn’t pass through the Enforcer, it relies on the physical port in the switch for enforcement, much like the Nevis LANenforcer. Therefore, if a group of users is connected to a remote workgroup switch and their traffic is aggregated back to a switch under Enforcer’s control, only a default policy can be applied to them. Because there is no one-to-one relationship between user and physical port, Enforcer cannot apply a specific policy or manage user authentication. Access control is accomplished using traditional methods, such as switch-based ACLs. The same goes for branch offices: They either need their own Enforcer or their switch remotely managed by the enterprise Enforcer. Lockdown addresses these scenarios with the $1,495 Sentry box.
Enforcer’s user interface is one of the best looking of the quartet, providing easy access to the various management tasks. Creating a policy, on the other hand, isn’t quite as intuitive as with Caymas or Vernier. The policy editor is extremely powerful and allows for a very granular rule set. This is where the complexity creeps in: The wide range of choices and settings makes policy definition seem difficult. With some help from technical support, I was able to create a handful of policies and assign them to different ports in the Catalyst.
Action sets are the muscle behind the policy rules -- they define what will happen when a user fits a specific policy set. One action set might move the user to the Production VLAN while another might move them to the Quarantine VLAN, for example, if the user’s anti-virus signatures are out of date. Other choices are to execute another rule set, require the agent to download to the host, and/or schedule an audit.
Authentication services are solid and will work in just about any situation. LDAP, RADIUS, 802.1X, Active Directory, and captive portal are all available. The Active Directory connector worked flawlessly with my SBS server and was one of the easier AD connectors to create.
Endpoint host assessment is very comprehensive and comes in both agent and agentless flavors. Agentless checks include open ports, running services, Mac software updates, and vulnerability scans. An agent is required on the host (Windows and Mac versions are available) to check for the existence and status of Windows and Macintosh anti-virus packages, Windows anti-spyware, and personal firewall products. The Enforcer can also use SMB credentials to initiate a Windows anti-virus check and a Registry check without an agent.
I was really impressed with how detailed Enforcer’s reporting engine is. At a glance, I was able to see which users were logged in and to which port, which ones were in violation of a policy, and a list of detected vulnerabilities. A report builder allows IT to craft its own custom reports.
Nevis LANenforcer 1048
The Nevis LANenforcer is the only solution in my review that replaces the switches in the wiring closet. It provides access control on a per-port basis, giving each user a personal DMZ on the network. Configuration is done through an external management server, but policy management is hampered by a poorly organized user interface. Available authentication services will handle most situations, and like Lockdown’s Enforcer, each physical port is assigned a specific authentication policy. Endpoint host checking is missing in this release, but it will be available in the future.
The LANenforcer 1048 is a 1U 48-port Gigabit Ethernet access layer switch that, unlike those from Caymas and Vernier, needs to be installed closer to the user, normally in the workgroup wiring closet. Currently, it has a one-MAC-address-per-port limitation, preventing it from enforcing policy on users connected to upstream workgroup switches (this limitation is being addressed in the next major release). It does, however, inspect traffic from Layer 2 on up.
Installing the 1048 on my test bench took less than an hour, but like all the others, creating a default policy took most of a morning. Nevis uses an external management server called LANsight for all configuration and management chores. For my evaluation, LANsight came preinstalled on a Dell PowerEdge server, but admins will have to provide their own hardware to install LANsight when they purchase the system.
The list of authentication sources Nevis supports isn’t as long as Caymas’, but it will fit most situations. On it, admins will find LDAP, Active Directory, RADIUS, and TACACS+ (Terminal Access Controller Access-Control System Plus). As with the other vendors, Active Directory was my authentication source for Nevis.
Users authenticate either through captive portal or 802.1X. Nevis’s captive portal implementation is a little different from the others: The browser window must stay open, although it can be minimized, while the user is logged in, because the portal page provides a heartbeat that tells LANenforcer the user is still present. When users close the browser, they are immediately logged off, so the port does not stay authorized for whatever plugs in next. Alternatively, the captive portal can be configured not to provide the heartbeat, but users would then have to manually log off or unplug their PCs from the network for LANenforcer to log them off -- not the preferred way of handling this.
LANenforcer allows for a nearly seamless Windows single sign-on by way of integrating 802.1X into each Windows network client setting. As long as the proper authentication policy is assigned to the port the user is connected to, the user credentials are passed through to LANsight for policy assignment. As with Lockdown, deployment of the appliance isn’t as flexible because of the static authentication definitions assigned to each physical port in the switch. Using criteria other than port number to define how a user will authenticate makes more sense.
I found navigating LANsight and managing access control policies a little daunting. Organization of the UI was not intuitive and left me jumping from screen to screen to manage users and assign policies. Although the admin UI might have slowed me down, it didn’t leave anything out in terms of functionality. I was able to create groups and place users into them and then assign a security policy to the group. LANsight will check for any externally mapped group memberships (from your authentication service) and merge them into a single security policy for each user.
For example, one of my test accounts in AD was a member of three different groups. LANsight combined the effective rights from each group and created a security policy that reflected what access those group memberships were allowed to have. When users fail required security checks, LANsight automatically places them into a quarantine security policy.
In this release of the LANenforcer, there is no way to check the host for vulnerabilities or determine its security posture. I did, however, receive a demo of Nevis’ host assessment system, Client Endpoint Integrity (CEI), currently in beta, which will be available in a future release. When it ships, CEI should be on par with the host-checking systems currently in other products. It will include support for all major client-based anti-virus and anti-spyware applications and will scan the host prior to authentication. One drawback is that it is going to use an ActiveX control, limiting it to Windows systems running Internet Explorer.
Reporting and monitoring are also solid in LANsight, with many different views into the current status of the appliance. Historical reporting is limited to displaying a single user or IP address’s activity, and admins have to know the information to search for. The monitoring section is much more admin-friendly with real-time information about active and blocked users and current network state. Much like Lockdown, I was able to dig into the LANenforcer and get quick access to which users were logged into which ports and whether there had been any policy exceptions.
Vernier EdgeWall 7000
The 7000 series of network access management appliances from Vernier covers all aspects of network security, from log-on location and device posture to authentication methods and access policies. Endpoint assessment is one of the best for Windows PCs, with very flexible and detailed scan sets. EdgeWall can provide single sign-on services for Windows users as well as captive portal for non-Windows or guest devices. On-device reporting is the one weak spot in this NAC solution.
Vernier’s EdgeWall 7000 is a 2U appliance that sits inline with your network traffic. Like the Caymas 525, admins can install the EdgeWall anywhere in the network, but to be most effective, it needs to be located near the network core so that all user traffic passes through it. The EdgeWall comes with two Gigabit Ethernet interfaces standard (my test unit had four) and can optionally include fiber SX and LX interfaces. The EdgeWall can keep track of 3,000 concurrent users and inspects all traffic from Layer 2 through Layer 7.
I installed the EdgeWall 7000 on my test bench and had it online with a basic policy in less than 30 minutes. Like the other NAC appliances, it did take some time to get authentication servers, access control rights, and host-checking schemes in place. My trusty SBS acted as my authentication source for users and groups via Active Directory. Other available authentication sources for EdgeWall include NT Domain, 802.1X, RADIUS, Cisco Skinny (for SCCP [Skinny Client Control Protocol] IP phones), and a local user database. As with Caymas, admins can use multiple authentication services in a single authentication policy.
A unique feature in the EdgeWall is that it can “sniff” out a user’s SMB log-in information and provide single sign-on services for Windows users. As people log in to their PCs, their user credentials are intercepted by the EdgeWall and used to determine the appropriate group affiliations. For non-Windows or guest devices, captive portal is available for authentication.
A policy is defined by the identity of the user or device, the connection profile (authentication policy, location, and time of day restrictions), the security profile (host checking) and access policy (allowed and restricted traffic, encryption settings). Vernier’s policy engine allows administrators to craft very specific access control definitions no matter what the device may be. For instance, my test EdgeWall included an identity profile for Cisco SCCP phones that allowed me to bind them to a specific security policy.
Admins use the access policy to define which network resources and services a particular policy can connect to. I found the process of creating an access policy to be straightforward, if a little intimidating, as I worked my way through all of the choices. The EdgeWall policy engine works top down to find the first match between user and access rights. The engine doesn’t automatically order the rule sets; it is up to the administrator to get them ordered correctly. If you don’t pay attention to how the list is ordered, a broad rule placed above a narrower one silently takes over: a user may end up with greater access than intended or may be denied entirely.
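The ordering pitfall is worth making concrete. The following is an added example, not Vernier code or part of the original review: it evaluates a rule list top down, first match wins, and shows the same three rules producing opposite decisions depending on their order; a small lint flags any rule that a broader earlier rule makes unreachable. Groups, networks and rules are constructed, and matching destinations by CIDR containment is a simplification of a real access policy, assumed here for illustration.

```python
"""Top-down, first-match access rules and shadowed-rule detection.

Added example, not vendor code. Groups, networks and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str      # user group, or "*" for any group
    dst: str        # destination network in CIDR notation
    action: str     # "allow" or "deny"


def matches(rule, group, dst_ip):
    return (rule.group in ("*", group)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))


def decide(rules, group, dst_ip, default="deny"):
    """First matching rule wins; fall through to the default."""
    for rule in rules:
        if matches(rule, group, dst_ip):
            return rule.action
    return default


def shadows(earlier, later):
    """True when everything `later` could match is already caught by `earlier`."""
    group_covered = earlier.group == "*" or earlier.group == later.group
    net_covered = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    return group_covered and net_covered


def lint_shadowed(rules):
    """Rules that can never fire because an earlier rule covers them entirely."""
    return [later for i, later in enumerate(rules)
            if any(shadows(earlier, later) for earlier in rules[:i])]


FINANCE_NET = "10.10.0.0/16"
CORP_NET = "10.0.0.0/8"

# Intent: contractors reach the corporate network except the finance segment.
CORRECT = [
    Rule("contractors", FINANCE_NET, "deny"),
    Rule("contractors", CORP_NET, "allow"),
    Rule("employees", CORP_NET, "allow"),
]
# Same rules, broad allow above the narrow deny: contractors gain finance access.
MISORDERED = [
    Rule("contractors", CORP_NET, "allow"),
    Rule("contractors", FINANCE_NET, "deny"),
    Rule("employees", CORP_NET, "allow"),
]
# A catch-all deny on top: everyone is locked out and every other rule is dead.
LOCKOUT = [Rule("*", CORP_NET, "deny")] + CORRECT

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT), ("misordered", MISORDERED), ("lockout", LOCKOUT)):
        print(label,
              "contractor->finance:", decide(rules, "contractors", "10.10.3.7"),
              "employee->corp:", decide(rules, "employees", "10.20.1.1"),
              "shadowed:", [(r.group, r.dst, r.action) for r in lint_shadowed(rules)])
```

Running lint_shadowed over a rule list before committing it catches both failure modes the review warns about: the MISORDERED list reports its finance deny as dead, and the LOCKOUT list reports every rule after the catch-all as dead. The default of deny for anything unmatched is a design choice for the example; an engine that defaults to allow would turn an ordering mistake into an open network rather than a help-desk call.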
Its endpoint host assessment is one of the strongest in our roundup, with a wide range of host-assessment tests and checks. Each host-assessment policy is made up of a policy-compliance scanset and a vulnerability scanset. A policy-compliance scanset defines requirements such as anti-virus, personal firewall, and OS patch level. I was happy to see that other choices, such as MS security updates and minimum browser versions (both IE and Firefox), are also included. Even more interesting are the vulnerability scansets. These OS-specific scansets allow admins to probe a host for specific vulnerabilities such as backdoors, port scanners, remote file access, and a wide range of exploitable applications.
As comprehensive as this appliance is, it does have one flaw: Instead of a Java or ActiveX scan engine, Vernier uses SMB credentials to gain access to the client. The scan engine needs a user name and password with rights to the local device in order to perform a thorough policy compliance check, which means the appliance holds an account with local rights on every Windows host it scans. This requirement also means that Mac and UNIX hosts cannot be scanned to the same level as Windows hosts. The endpoint compliance service can, however, scan a host for open ports or other vulnerabilities that don’t require local access to the system. I like that I could scan a host during authentication and also rescan it on a recurring interval. This feature helps prevent users from disabling their anti-virus software after logging in; if that happens, the EdgeWall moves the client into the appropriate policy until it is back in compliance.
Reporting is one weak area in EdgeWall. Admins can send log file information to a Syslog server or directly to a Network Intelligence system. Raw log files are available on the appliance, and you can apply some basic filters such as time period and severity, but graphical reports or user statistics are not available.
All of the NAC appliances I reviewed need some improvement, but Caymas and Vernier are clearly on the right track. When Nevis releases its host assessment service, and if the company works on its UI, its solution will be worth consideration. Lockdown is interesting because it doesn’t require IT to rip and replace a closetful of switches (a la Cisco); it works with what is already in place. Its use of VLANs is unique but does cause us to worry about scalability and flexibility. When deployed with some foresight, however, it will work well.
This review has been corrected to note the support for multiple authentication methods per port in Lockdown Enforcer and the availability of the Lockdown Sentry appliance for remote offices, two factors that make Lockdown's solution more flexible and scalable than was reflected in the original review. The score we awarded to Lockdown Enforcer for Scalability has been raised from 7 to 8, giving it an overall score of 7.9. InfoWorld regrets the errors.
Victor R. Garza and Roger A. Grimes contributed to this review.
Policy Enforcement (20.0%)
Overall Score (100%)
|Caymas 525 Identity-Driven Access Gateway||8.0||8.0||9.0||8.0||8.0||7.0|
|Lockdown Networks Enforcer||8.0||9.0||8.0||7.0||8.0||7.0|
|Vernier Networks EdgeWall 7000||8.0||7.0||8.0||8.0||8.0||9.0|