NAC appliances reveal who's rapping at your network door

NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders

Enforcer’s user interface is one of the best looking of the quartet, providing easy access to the various management tasks. Creating a policy, on the other hand, isn’t quite as intuitive as with Caymas or Vernier. The policy editor is extremely powerful and allows for a very granular rule set. This is where the complexity creeps in: The wide range of choices and settings makes policy definition seem difficult. With some help from technical support, I was able to create a handful of policies and assign them to different ports in the Catalyst.

Action sets are the muscle behind the policy rules -- they define what happens when a user matches a specific policy set. One action set might move the user to the Production VLAN, for example, while another moves a user whose anti-virus signatures are out of date to the Quarantine VLAN. Other choices are to execute another rule set, require the agent to be downloaded to the host, and/or schedule an audit.

Authentication services are solid and will work in just about any situation. LDAP, RADIUS, 802.1x, Active Directory, and captive portal are all available. The Active Directory connector worked flawlessly with my SBS server and was one of the easier AD connectors to create.

Endpoint host assessment is very comprehensive and comes in both agent and agentless flavors. Agentless checks include open ports, running services, Mac software updates, and vulnerability scans. An agent is required on the host (Windows and Mac versions are available) to check for the existence and status of Windows and Macintosh anti-virus packages, Windows anti-spyware, and personal firewall products. The Enforcer can also use SMB credentials to initiate a Windows anti-virus check and a Registry check.

I was really impressed with how detailed Enforcer’s reporting engine is. At a glance, I was able to see which users were logged in and to which port, which ones were in violation of a policy, and a list of detected vulnerabilities. A report builder allows IT to craft its own custom reports.

Nevis LANenforcer 1048

The Nevis LANenforcer is the only solution in my review that replaces the switches in the wiring closet. It provides access control on a per-port basis, giving each user a personal DMZ on the network. Configuration is done through an external management server, but policy management is hampered by a poorly organized user interface. Available authentication services will handle most situations, and like Lockdown’s Enforcer, each physical port is assigned a specific authentication policy. Endpoint host checking is missing in this release, but it will be available in the future.

The LANenforcer 1048 is a 1U 48-port Gigabit Ethernet access layer switch that, unlike those from Caymas and Vernier, needs to be installed closer to the user, normally in the workgroup wiring closet. Currently, it has a one-MAC-address-per-port limitation, preventing it from enforcing policy on users connected to upstream workgroup switches (this limitation is being addressed in the next major release). It does, however, inspect traffic from Layer 2 on up.

Installing the 1048 on my test bench took less than an hour, but like all the others, creating a default policy took most of a morning. Nevis uses an external management server called LANsight for all configuration and management chores. For my evaluation, LANsight came preinstalled on a Dell PowerEdge server, but admins will have to provide their own hardware to install LANsight when they purchase the system.

The list of authentication sources Nevis supports isn’t as long as Caymas’, but will fit most situations. On it, admins will find LDAP, Active Directory, RADIUS, and TACACS+ (Terminal Access Controller Access-Control System Plus). As with the other vendors, Active Directory was my authentication source for Nevis.

Users authenticate either through captive portal or 802.1x. Nevis’s captive portal implementation is a little different from the others: The browser window must stay open, although it can be minimized, while the user is logged in. The reason for this is that the portal page provides a heartbeat so that LANenforcer knows the user is still logged in. When users close the browser, they are immediately logged off. Alternatively, captive portal can be configured not to provide the heartbeat, but users would then have to manually log off or unplug their PCs from the network for LANenforcer to log them off -- not the preferred method of handling this, because a session nobody closed stays bound to the port.
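The two captive-portal modes the review describes, modelled as a small session table. This is an added example, not Nevis code; the 30-second timeout, the port-keyed table and the user names are assumptions. It shows the practical difference: with the heartbeat on, a session dies shortly after the browser closes; with it off, only an explicit logoff or a link-down event on the port removes it.

```python
"""Captive-portal session tracking with and without a browser heartbeat.

Added example (not LANenforcer code). Timeout value, table layout and the
sample users are assumptions made to illustrate the behaviour in the review.
"""
from dataclasses import dataclass

HEARTBEAT_TIMEOUT = 30.0   # seconds without a heartbeat before auto-logoff (assumed)


@dataclass
class Session:
    user: str
    port: int
    last_heartbeat: float
    heartbeat_enabled: bool = True


class PortalSessionTable:
    def __init__(self):
        self.sessions: dict[int, Session] = {}   # keyed by physical switch port

    def login(self, user, port, now, heartbeat_enabled=True):
        self.sessions[port] = Session(user, port, now, heartbeat_enabled)

    def heartbeat(self, port, now):
        """Called each time the (minimized) portal page checks in."""
        s = self.sessions.get(port)
        if s is not None:
            s.last_heartbeat = now

    def logoff(self, port):
        self.sessions.pop(port, None)

    def link_down(self, port):
        """Cable pulled: the only automatic logoff when the heartbeat is off."""
        self.sessions.pop(port, None)

    def expire(self, now):
        """Log off sessions whose heartbeat stopped; return the affected ports."""
        expired = [p for p, s in self.sessions.items()
                   if s.heartbeat_enabled and now - s.last_heartbeat > HEARTBEAT_TIMEOUT]
        for p in expired:
            del self.sessions[p]
        return expired

    def active_user(self, port):
        s = self.sessions.get(port)
        return s.user if s else None


def demo():
    """Two users: alice with heartbeat, bob without. Returns state at t=40 and t=60."""
    t = PortalSessionTable()
    t.login("alice", 7, now=0.0)                          # heartbeat mode
    t.login("bob", 8, now=0.0, heartbeat_enabled=False)   # no heartbeat
    t.heartbeat(7, now=20.0)                              # alice's browser still open
    t.expire(now=40.0)        # alice last seen 20s ago: still within timeout
    first = (t.active_user(7), t.active_user(8))
    t.expire(now=60.0)        # alice silent for 40s: logged off; bob never expires
    second = (t.active_user(7), t.active_user(8))
    return first, second
```

Bob's session in the no-heartbeat mode survives every `expire()` pass; only `logoff()` or `link_down()` ends it, which is the stale-session window the review warns about.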

LANenforcer allows for a nearly seamless Windows single sign-on by integrating 802.1x into each Windows network client setting. As long as the proper authentication policy is assigned to the port the user is logged in to, the user credentials are passed through to LANsight for policy assignment. As with Lockdown, deployment is less flexible because of the static authentication definitions assigned to each physical port in the switch. Using criteria other than port number to define how a user will authenticate makes more sense.

I found navigating LANsight and managing access control policies a little daunting. Organization of the UI was not intuitive and left me jumping from screen to screen to manage users and assign policies. Although the admin UI might have slowed me down, it didn’t leave anything out in terms of functionality. I was able to create groups and place users into them and then assign a security policy to the group. LANsight will check for any externally mapped group memberships (from your authentication service) and merge them into a single security policy for each user.

For example, one of my test accounts in AD was a member of three different groups. LANsight combined the effective rights from each group and created a security policy that reflected the access those group memberships together were allowed. When users fail required security checks, LANsight automatically places them into a quarantine security policy.
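How a per-user policy is derived from several group memberships, as an added example rather than LANsight code. The group names, resources, union-of-allows merge rule and quarantine set are assumptions. The point worth seeing is that a union merge gives a user the broadest access any one group grants, so the `explain()` helper reports which group is responsible for each right.

```python
"""Effective security policy from multiple AD group memberships.

Added example (not Nevis code). Group names, resources, the union-of-allows
merge rule and the quarantine policy are constructed assumptions.
"""

# Constructed sample: each group grants access to a set of network resources.
GROUP_POLICIES = {
    "Domain Users": {"dns", "dhcp", "intranet-web"},
    "Finance":      {"erp-db", "file-srv-fin"},
    "Engineering":  {"git", "build-farm", "file-srv-eng"},
}
# Failed host check: only what remediation needs (assumed set).
QUARANTINE_POLICY = {"dns", "dhcp", "remediation-srv"}


def effective_policy(user_groups, security_check_passed=True):
    """Merge rights from every group the user belongs to.

    Union semantics: membership in any group that allows a resource allows it,
    so combined membership, not each group in isolation, is what to audit.
    A failed security check replaces the merged result outright.
    """
    if not security_check_passed:
        return frozenset(QUARANTINE_POLICY)
    allowed = set()
    for g in user_groups:
        allowed |= GROUP_POLICIES.get(g, set())   # unknown group grants nothing
    return frozenset(allowed)


def explain(user_groups):
    """Map each allowed resource to the groups that grant it, for review."""
    sources = {}
    for g in user_groups:
        for resource in GROUP_POLICIES.get(g, set()):
            sources.setdefault(resource, []).append(g)
    return {r: sorted(gs) for r, gs in sources.items()}


def demo():
    """The review's case: one account in three groups, then the same host failing its check."""
    groups = ["Domain Users", "Finance", "Engineering"]
    return effective_policy(groups), effective_policy(groups, security_check_passed=False)
```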

In this release of the LANenforcer, there is no way to check the host for vulnerabilities or determine its security posture. I did, however, receive a demo of Nevis’ host assessment system, Client Endpoint Integrity (CEI), currently in beta, which will be available in a future release. When it ships, CEI should be on par with the host-checking systems currently in other products. It will include support for all major client-based anti-virus and anti-spyware applications and will scan the host prior to authentication. One drawback is that it is going to use an ActiveX control, limiting it to Windows systems.

Reporting and monitoring are also solid in LANsight, with many different views into the current status of the appliance. Historical reporting is limited to displaying a single user or IP address’s activity, and admins have to know the information to search for. The monitoring section is much more admin-friendly with real-time information about active and blocked users and current network state. Much like Lockdown, I was able to dig into the LANenforcer and get quick access to which users were logged into which ports and whether there had been any policy exceptions.

Vernier EdgeWall 7000

The 7000 series of network access management appliances from Vernier covers all aspects of network security, from log-on location and device posture to authentication methods and access policies. Endpoint assessment is one of the best for Windows PCs, with very flexible and detailed scan sets. EdgeWall can provide single sign-on services for Windows users as well as captive portal for non-Windows or guest devices. On-device reporting is the one weak spot in this NAC solution.

Vernier’s EdgeWall 7000 is a 2U appliance that sits inline with your network traffic. Like the Caymas 525, admins can install the EdgeWall anywhere in the network, but to be most effective, it needs to be located near the network core so that all user traffic passes through it. The EdgeWall comes with two Gigabit Ethernet interfaces standard (my test unit had four) and can optionally include fiber SX and LX interfaces. The EdgeWall can keep track of 3,000 concurrent users and inspects all traffic from Layer 2 through Layer 7.

I installed the EdgeWall 7000 on my test bench and had it online with a basic policy in less than 30 minutes. Like the other NAC appliances, it did take some time to get authentication servers, access control rights, and host-checking schemes in place. My trusty SBS acted as my authentication source for users and groups via Active Directory. Other available authentication sources for EdgeWall include NT Domain, 802.1x, RADIUS, Cisco Skinny (for SCCP [Skinny Client Control Protocol] IP phones), and a local user database. Like Caymas, admins can use multiple authentication services in a single authentication policy.

A unique feature in the EdgeWall is that it can “sniff” out a user’s SMB log-in information and provide single sign-on services for Windows users. As people log in to their PCs, their user credentials are intercepted by the EdgeWall and used to determine the appropriate group affiliations. For non-Windows or guest devices, captive portal is available for authentication.

A policy is defined by the identity of the user or device, the connection profile (authentication policy, location, and time of day restrictions), the security profile (host checking) and access policy (allowed and restricted traffic, encryption settings). Vernier’s policy engine allows administrators to craft very specific access control definitions no matter what the device may be. For instance, my test EdgeWall included an identity profile for Cisco SCCP phones that allowed me to bind them to a specific security policy.

Admins use the access policy to define which network resources and services a particular policy can connect to. I found the process of creating an access policy to be straightforward, if a little intimidating, as I worked my way through all of the choices. The EdgeWall policy engine works top down and stops at the first rule that matches the user; the engine doesn’t order the rule sets for you, so it is up to the administrator to get them ordered correctly. If you don’t pay attention to how the list is ordered, a broad rule near the top can silently swallow a narrower one below it, and a user may end up with more access than intended or be denied entirely.
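Top-down first-match evaluation and the ordering mistake the review warns about, as an added example that is not EdgeWall code. The rule format, the "Contractors" group and the intranet destination are assumptions. `shadowed_rules()` is the check a practitioner wants before saving a rule set: it lists any rule that an earlier, broader rule completely covers and that therefore can never fire.

```python
"""First-match, top-down access policy evaluation plus a rule-order check.

Added example (not Vernier code). Rule shape, group names and destinations
are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset | None    # None = any group
    dest: str | None            # None = any destination
    action: str                 # "allow" or "deny"

    def matches(self, user_groups: frozenset, dest: str) -> bool:
        return ((self.groups is None or bool(self.groups & user_groups))
                and (self.dest is None or self.dest == dest))

    def covers(self, other: "Rule") -> bool:
        """True if every request matching `other` also matches this rule."""
        groups_ok = self.groups is None or (
            other.groups is not None and other.groups <= self.groups)
        dest_ok = self.dest is None or self.dest == other.dest
        return groups_ok and dest_ok


def evaluate(rules, user_groups, dest, default="deny"):
    """Walk the list in order; the first matching rule decides."""
    ug = frozenset(user_groups)
    for r in rules:
        if r.matches(ug, dest):
            return r.action, r.name
    return default, "implicit-default"


def shadowed_rules(rules):
    """Names of rules that an earlier rule completely covers: they never fire."""
    return [r.name for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]


# Constructed rule sets: the same two rules in both orders.
BROAD_FIRST = [
    Rule("all-users-intranet", None, "intranet-web", "allow"),
    Rule("contractors-no-intranet", frozenset({"Contractors"}), "intranet-web", "deny"),
]
SPECIFIC_FIRST = list(reversed(BROAD_FIRST))
```

With `BROAD_FIRST`, a contractor is allowed onto the intranet because the any-group allow wins before the deny is reached; `shadowed_rules(BROAD_FIRST)` flags the deny as unreachable. Reversing the order gives the intended result and a clean check.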

Its endpoint host assessment is one of the strongest in our roundup, with a wide range of host-assessment tests and checks. Each host-assessment policy is made up of a policy-compliance scanset and a vulnerability scanset. A policy-compliance scanset defines requirements such as anti-virus, personal firewall, and OS patch level. I was happy to see that other choices, such as MS security updates and minimum browser versions (both IE and Firefox), are also included. Even more interesting are the vulnerability scansets. These OS-specific scansets allow admins to probe a host for specific vulnerabilities such as backdoors, port scanners, remote file access, and a wide range of exploitable applications.

As comprehensive as this appliance is, it does have one flaw: Instead of a Java or ActiveX scan engine, Vernier uses SMB credentials to gain access to the client. The scan engine needs a user name and password with rights to the local device in order to perform a thorough policy compliance check. That account effectively holds administrative rights on every workstation it scans, so it needs the same protection as any other privileged domain credential. The requirement also means that Mac and UNIX hosts cannot be scanned to the same level as Windows hosts. The endpoint compliance service, however, can scan a host for open ports or other vulnerabilities that don’t require local access to the system. I like that I could scan a host during authentication and also rescan the host on a recurring interval. This feature helps catch users who disable their anti-virus software after logging in. If that should happen, the EdgeWall would move the client into the appropriate policy until it was back in compliance.
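A policy-compliance scanset applied to successive host reports, as an added example that is not Vernier code and covers the checks both the Lockdown and EdgeWall sections describe (anti-virus status and signature age, personal firewall, minimum browser version). The scanset thresholds, the host report fields and the dates are constructed. Two things the prose does not show: browser minimums must be compared numerically, component by component (as strings, "10.0" sorts before "9.0"), and a rescan after login is what moves a host that switched its anti-virus off into quarantine.

```python
"""Host-posture compliance evaluation with login scan and rescans.

Added example (not Vernier or Lockdown code). Scanset fields, thresholds and
the host reports below are constructed assumptions.
"""
from datetime import date


def version_tuple(v):
    """Numeric, component-wise version key; avoids the lexical '10.0' < '9.0' trap."""
    return tuple(int(p) for p in v.split("."))


# Constructed policy-compliance scanset.
SCANSET = {
    "av_required": True,
    "max_signature_age_days": 7,
    "min_browser": {"IE": "6.0", "Firefox": "1.5"},
    "firewall_required": True,
}


def check_compliance(host, scanset, today):
    """Return (policy_name, failures) for one host report."""
    failures = []
    if scanset["av_required"]:
        if not host.get("av_running"):
            failures.append("anti-virus not running")
        else:
            age = (today - host["av_signature_date"]).days
            if age > scanset["max_signature_age_days"]:
                failures.append(f"anti-virus signatures {age} days old")
    if scanset["firewall_required"] and not host.get("firewall_on"):
        failures.append("personal firewall off")
    for browser, minimum in scanset["min_browser"].items():
        have = host.get("browsers", {}).get(browser)   # absent browser: nothing to check
        if have is not None and version_tuple(have) < version_tuple(minimum):
            failures.append(f"{browser} {have} below {minimum}")
    return ("quarantine" if failures else "production"), failures


def rescan_sequence(reports, scanset, today):
    """Policy assigned after the login scan and each recurring rescan, in order."""
    return [check_compliance(r, scanset, today)[0] for r in reports]


# Constructed host reports: login scan, then two rescans of the same PC.
TODAY = date(2006, 6, 1)
HOST_REPORTS = [
    {"av_running": True, "av_signature_date": date(2006, 5, 30), "firewall_on": True,
     "browsers": {"IE": "6.0", "Firefox": "1.5.0.4"}},      # login: compliant
    {"av_running": False, "av_signature_date": date(2006, 5, 30), "firewall_on": True,
     "browsers": {"IE": "6.0"}},                             # rescan: user killed AV
    {"av_running": True, "av_signature_date": date(2006, 5, 30), "firewall_on": True,
     "browsers": {"IE": "6.0"}},                             # rescan: back in compliance
]
```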

Reporting is one weak area in EdgeWall. Admins can send log file information to a Syslog server or directly to a Network Intelligence system. Raw log files are available on the appliance, and you can apply some basic filters such as time period and severity, but graphical reports or user statistics are not available.

All of the NAC appliances I reviewed need some improvement, but Caymas and Vernier are clearly on the right track. When Nevis releases its host assessment service, and if the company works on its UI, its solution will be worth consideration. Lockdown is interesting because it doesn’t require IT to rip and replace a closetful of switches (a la Cisco); it works with what is already in place. Its use of VLANs is unique but does cause us to worry about scalability and flexibility. When deployed with some foresight, however, it will work well.

This review has been corrected to note the support for multiple authentication methods per port in Lockdown Enforcer and the availability of the Lockdown Sentry appliance for remote offices, two factors that make Lockdown's solution more flexible and scalable than was reflected in the original review. The score we awarded to Lockdown Enforcer for Scalability has been raised from 7 to 8, giving it an overall score of 7.9. InfoWorld regrets the errors.

Victor R. Garza and Roger A. Grimes contributed to this review.

InfoWorld Scorecard

Weights: Policy Enforcement 20%, Reporting 15%, Scalability 20%, Manageability 20%, Setup 15%, Value 10%; Overall Score is the weighted total (100%).

Product                                    Policy Enf.  Reporting  Scalability  Manageability  Setup  Value  Overall
Caymas 525 Identity-Driven Access Gateway  8.0          8.0        9.0          8.0            8.0    7.0    8.1
Lockdown Networks Enforcer                 8.0          9.0        8.0          7.0            8.0    7.0    7.9
Nevis LANenforcer                          7.0          8.0        7.0          7.0            7.0    7.0    7.2
Vernier Networks EdgeWall 7000             8.0          7.0        8.0          8.0            8.0    9.0    8.0