NAC smorgasbord: Four ways to police the network

Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control

In this age of worms, zombies, and botnets, mobile computers themselves are a kind of Trojan horse. Do you know where that computer’s been? No, you really don’t.

In its most basic form, NAC (network access control) enforces organizational policies on systems when they attempt to connect to the network or when they attempt to enter a particular part of the network (for example, when they connect from an edge switch into the core). A NAC system makes determinations about the device and access control decisions based on those determinations. The status of the device can be as simple as an authentication by a known user or as complex as an external or internal scan of the client system. The external scan may look for known vulnerabilities, open ports, and the like, while the internal scan may check operating system parameters and patch levels, installed or running processes, currency of applications such as anti-virus signatures, and so on. Based on this “posture” (in IETF parlance), the NAC system decides what access (if any) the device gets. The combination of authentication and posture produces substantial information for NAC policy granularity. (See also "NAC policy management wags the watchdog" and "Accelerate your 802.1x rollout.")

Also consider the changes that occur to devices after they are granted access. Whether the user is intentionally malicious or unknowingly so, the device may become a threat to the network after it has gained access, as new processes become active, new exploits propagate, or other events occur that turn the device into an attacker. More-sophisticated NAC systems can detect these kinds of events and trigger policies at times other than when the device initially connects to the network.

In this roundup, we examine four solutions that address the business problem of rogue systems: Enterasys Sentinel Trusted Access, McAfee Policy Enforcer, Symantec Network Access Control, and Trend Micro Network VirusWall Enforcer. We created six different scenarios that are typical for businesses and configured each of the NAC solutions to address them as closely as possible. The scenarios included access by an unauthenticated guest, an authenticated guest (using either 802.1x or Web-based authentication), an authenticated user (with good device posture, and with bad device posture), and a privileged user with special access rights. We also tested how the solutions handled a good device turning bad after access. For more details, see “How We Tested.”

The Enterasys, McAfee, Symantec, and Trend Micro solutions together offer a glimpse into the variety of options available to organizations that desire to protect their infrastructures from the ravages of compromised Windows systems.

The Enterasys system provides policy-based network enforcement on switches and uses system scanning, system state, and (optionally) network intrusion detection to determine the posture of the devices attempting to attach. The Trend Micro system is an enforcement gateway, examining traffic passing through the device and using posture collectors on the clients to determine status for consideration in enforcing the policies. Symantec offers both a NAC gateway and DHCP-based enforcement. You might use only one or both of the Symantec products in your NAC architecture, depending on requirements. Like the Trend Micro solution, Symantec’s system uses posture collector agents and examines traffic passing through the gateway to determine what is allowable and what is not.

The last system we tested was McAfee Policy Enforcer. Using a combination of a robust, multivendor policy manager and any of the supported network access requesters and posture collectors, this system allows administrators to apply fine-grained policies based on the characteristics reported by many different posture validators, including anti-virus systems from McAfee’s competitors. Policy Enforcer is not an enforcement gateway but uses VLAN assignment to control access.

For those networks that use VLANs to segregate devices, all four solutions are capable of using VLAN assignment to shuttle systems onto the appropriate VLANs for the various system states. The McAfee system is able to differentiate locale, and so can select the appropriate VLANs based on the user’s location. The Enterasys system supplements VLAN assignment with the port-based policy capabilities of the Enterasys switches, providing a number of improvements over the pure VLAN-based approach.

Another distinction among the systems is support for 802.1x. Some enterprises will want to tap 802.1x authentication to provide different services and different levels of network access based on the user’s identity. For them, a system that integrates 802.1x and user identity will be essential. Neither Symantec nor McAfee does this.

If you are concerned only about the security posture of the systems connecting and easy Internet access for guests, implementing 802.1x may be unnecessary. All four of these solutions have the capabilities necessary to meet these requirements.

Enterasys Sentinel Trusted Access

The Enterasys NAC solution we tested combined the company’s Sentinel Trusted Access Manager (TAM) 1.1, Sentinel Trusted Access Gateway (TAG) 1.1, NetSight Policy Manager 2.2, NetSight Automated Security Manager 2.2, Dragon Security Command Console 7.2.5, and Dragon Network Intrusion Detection System 7.1. The Sentinel system can make use of (but does not require) the extensive port-based policy capabilities of Enterasys’ line of switches. Combining policy management, access management, and a network IDS, Enterasys delivered a comprehensive -- if complicated -- response to our test scenarios.

Configuration of the system requires three related but separate applications, as well as connectivity to external systems for posture scanning and IDS. Policies are created in the NetSight Policy Manager and pushed to the appropriate network enforcement points.

The Sentinel TAM -- which is responsible for managing the Sentinel TAGs that enforce the policies -- provides authentication proxy and network enforcement. One TAM can manage many TAGs, allowing for centralized management of a widely distributed network.

Our test system used an Enterasys Matrix N-series core switch and a B-series edge switch equipped with the system daughter card. The daughter card ran the TAG.

Our Enterasys environment also included the Dragon Security Command Console to manage security events and the Dragon network intrusion detection product to watch network traffic and report anomalies for action. The Dragon components are not a necessary part of Enterasys’ NAC implementation, and they come at significant additional cost.

The Enterasys system, especially when including the optional IDS, is more comprehensive than the other three solutions. The system provided integrated capabilities for all of our test scenarios, using agent-based scanning of the clients to determine client posture. The Enterasys solution supports the VLAN assignment approach, but by leveraging the Enterasys switches, we were able to assign policies that were even more granular. As a result, for example, devices did not change IP subnets as they moved from one state to another, eliminating the need to force a DHCP release/renew and the accompanying delay.

The switch policies also allowed us to limit the traffic both to and from the attached devices on each port, and the TAM could optionally force a vulnerability assessment scan of the device using Nessus.

Using either VLAN assignment or port policies, the Sentinel system can appropriately limit access of the client systems based on both the identity of the user and the posture of the system. Using the network IDS to detect changes in traffic to or from a client, Sentinel could even trigger changes to the network configuration in response -- a great asset for larger organizations defending against zero-day attacks.

Furthermore, the port-level policies allowed us to configure ports to permit only the traffic that made sense for each user and device. For example, telephones could talk only to the call manager, and guests could access the Internet only on certain ports. We could also lock down the network using predefined policies based on user identity, effectively ensuring that only appropriate traffic could be sent or received.

On the downside, the policy configuration for Sentinel was quite complex, especially since it crossed the boundaries of multiple products. But once the general concepts were stored in the system, creating new policies was typically a matter of duplicating other policies and modifying the specific protocols, networks, and other traffic limitations for each policy. And in this case, the extra effort can pay off. Per-port policies are powerful, providing an extra level of protection that’s attractive in these days of nasty network surprises.

McAfee Policy Enforcer 2.0

McAfee Policy Enforcer (MPE) 2.0 is a policy management product that integrates with McAfee’s anti-virus agent and (perhaps surprisingly) other anti-virus products. A free add-on to McAfee ePolicy Orchestrator (EPO), MPE is both the user interface for configuring and managing access policies and the enforcement decision-maker. It uses EPO as the control agent for deployment, updates, notification, and other management tasks.

MPE provides an effective visual summary of the current status of compliance by systems, subnets, and switches. It allows an administrator to drill into the details but provides a color-coded picture of the current state of the environment. The result is an intuitive and highly visual view into the compliance status of the network.

Based on host posture, the system uses VLAN assignment to move hosts onto appropriate VLANs for remediation or quarantine. The system is unique in this roundup in that it does not depend on McAfee hardware or agents. MPE can gather posture information through an amazing variety of agents, including all the leading anti-virus clients, and it handles agentless systems through guest access policies.

Policy configuration starts with the definition of Quarantine Zones, the VLANs assigned for purposes other than standard data traffic. Examples include VLANs for cleaning infected systems, for updating noncompliant ones, and for isolating those that are unmanaged. These VLANs are the primary enforcement mechanisms for systems not running the EPO client.

Once these VLANs are configured, you define rulesets for the combination of states that make up a client posture. These states can include a broad range of information, and each rule can be set to trigger an alert, to enforce the policy, or to ignore the violation. These options are convenient when creating new rules or when you want to determine the state of systems before introducing new requirements for network access.

Next, the policies can contain multiple compliance rules that are first based on the version of Windows on the client. Additional parameters include the running anti-virus product, its state, the presence of a firewall on the host, security bulletins for the operating system and applications, and infections. The infections list is interesting in that it allows you to set individual rules based on the presence of a specific infection, a feature McAfee says customers have requested.

Once you’ve selected the posture, you determine the actions to take for noncompliance. The tabbed GUI gives admins a nicely focused set of choices within each tab. We found it easy to make changes without having to hunt for the settings.
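The configuration sequence described above (Quarantine Zones, rules with alert/enforce/ignore modes, then an action) can be sketched as decision logic. This is an added illustration, not McAfee's code or data model: the zone names, VLAN IDs, rule names, thresholds, and the choice to also report enforced violations are all assumptions.

```python
from dataclasses import dataclass

# Hypothetical Quarantine Zones; VLAN IDs are constructed sample values.
ZONES = {"data": 10, "update": 210, "clean": 220, "unmanaged": 230}
SEVERITY = ["data", "update", "clean", "unmanaged"]  # least to most restrictive

@dataclass
class Posture:
    managed: bool                 # a posture-collecting agent reported in
    os: str
    av_running: bool
    av_signature_age_days: int
    firewall_on: bool
    infections: tuple = ()

@dataclass
class Rule:
    name: str
    applies_to_os: str            # rules are keyed first to the Windows version
    violated: callable            # Posture -> bool
    mode: str                     # "enforce", "alert" or "ignore"
    zone: str                     # zone used when an enforced rule is violated

def evaluate(posture, rules):
    """Return (zone, vlan, reported_violations) for one connecting host."""
    if not posture.managed:       # agentless hosts are isolated outright
        return "unmanaged", ZONES["unmanaged"], []
    zone, reported = "data", []
    for rule in rules:
        if rule.applies_to_os != posture.os or rule.mode == "ignore":
            continue
        if not rule.violated(posture):
            continue
        reported.append(rule.name)  # assumption: enforced violations are reported too
        if rule.mode == "enforce" and SEVERITY.index(rule.zone) > SEVERITY.index(zone):
            zone = rule.zone        # the most restrictive enforced zone wins
    return zone, ZONES[zone], reported

# Constructed sample ruleset for one Windows version.
RULES = [
    Rule("av-not-running", "Windows XP", lambda p: not p.av_running, "enforce", "update"),
    Rule("stale-signatures", "Windows XP", lambda p: p.av_signature_age_days > 7, "enforce", "update"),
    Rule("no-host-firewall", "Windows XP", lambda p: not p.firewall_on, "alert", "update"),
    Rule("known-infection", "Windows XP", lambda p: bool(p.infections), "enforce", "clean"),
]
```

Setting a new rule to "alert" first, as with the firewall rule here, shows how many hosts would be moved before the rule is switched to "enforce".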

McAfee Policy Enforcer correctly handled all of the scenarios it is designed to tackle. Unlike the Enterasys system, it cannot make access decisions based on user identity, but only on pass/fail authentication. It could not differentiate between authenticated guests and authenticated employees, nor did it differentiate between unrelated users or user groups that were authenticated.

The system is also limited to determining the host posture, so, unlike gateways and switch-based solutions, it cannot enforce policy based on traffic appearing from a system that already has access. This limits its ability to address a zero-day attack, although McAfee offers additional products to do so.

McAfee Policy Enforcer stands out with its friendly, visual interface for managing host posture for network access. Using standards-based VLAN assignment, it provides fine-grained rules definition, which allows administrators specific visibility into and control of hosts. The ability to collect host posture information from other vendors’ anti-virus clients is a big plus.

Symantec Network Access Control
