NAC smorgasbord: Four ways to police the network

Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control

In this age of worms, zombies, and botnets, mobile computers themselves are a kind of Trojan horse. Do you know where that computer’s been? No, you really don’t.

In its most basic form, NAC (network access control) enforces organizational policies on systems when they attempt to connect to the network or when they attempt to enter a particular part of the network (for example, when they connect from an edge switch into the core). A NAC system makes determinations about the device and access control decisions based on those determinations. The status of the device can be as simple as an authentication by a known user or as complex as an external or internal scan of the client system. The external scan may look for known vulnerabilities, open ports, and the like, while the internal scan may check operating system parameters and patch levels, installed or running processes, currency of applications such as anti-virus signatures, and so on. Based on this “posture” (in IETF parlance), the NAC system decides what access (if any) the device gets. The combination of authentication and posture produces substantial information for NAC policy granularity. (See also "NAC policy management wags the watchdog" and "Accelerate your 802.1x rollout.")

Something else to consider are changes that occur to devices after they are granted access. Whether the user is intentionally malicious or unknowingly so, the device may become a threat to the network after it has gained access, as new processes become active, new exploits propagate, or other events occur that turn the device into an attacker. More-sophisticated NAC systems can detect these kinds of events and trigger policies at times other than when the device initially connects to the network.

In this roundup, we examine four solutions that address the business problem of rogue systems: Enterasys Sentinel Trusted Access, McAfee Policy Enforcer, Symantec Network Access Control, and Trend Micro Network VirusWall Enforcer. We created six different scenarios that are typical for businesses and configured each of the NAC solutions to address them as closely as possible. The scenarios included access by an unauthenticated guest, an authenticated guest (using either 802.1x or Web-based authentication), an authenticated user (with good device posture, and with bad device posture), and a privileged user with special access rights. We also tested how the solutions handled a good device turning bad after access. For more details, see “How We Tested.”

The Enterasys, McAfee, Symantec, and Trend Micro solutions together offer a glimpse into the variety of options available to organizations that desire to protect their infrastructures from the ravages of compromised Windows systems.

The Enterasys system provides policy-based network enforcement on switches and uses system scanning, system state, and (optionally) network intrusion detection to determine the posture of the devices attempting to attack. The Trend Micro system is an enforcement gateway, examining traffic passing through the device and using posture collectors on the clients to determine status for consideration in enforcing the policies. Symantec offers both a NAC gateway and DHCP-based enforcement. You might use only one or both of the Symantec products in your NAC architecture, depending on requirements. Like the Trend Micro solution, Symantec’s system uses posture collector agents and examines traffic passing through the gateway to determine what is allowable and what is not.

The last system we tested was McAfee Policy Enforcer. Using a combination of a robust, multivendor policy manager and any of the supported network access requesters and posture collectors, this system allows administrators to apply fine-grained policies based on the characteristics reported by many different posture validators, including anti-virus systems from McAfee’s competitors. Policy Enforcer is not an enforcement gateway but uses VLAN assignment to control access.

For those networks that use VLANs to segregate devices, all four solutions are capable of using VLAN assignment to shuttle systems onto the appropriate VLANs for the various system states. The McAfee system is able to differentiate locale, and so can select the appropriate VLANs based on the user’s location. The Enterasys system supplements VLAN assignment with the port-based policy capabilities of the Enterasys switches, providing a number of improvements over the pure VLAN-based approach.

Another distinction among the systems is support for 802.1x. Some enterprises will want to tap 802.1x authentication to provide different services and different levels of network access based on the user’s identity. For them, a system that integrates 802.1x and user identity will be essential. Neither Symantec nor McAfee do this.

If you are concerned only about the security posture of the systems connecting and easy Internet access for guests, implementing 802.1x may be unnecessary. All four of these solutions have the capabilities necessary to meet these requirements.

Enterasys Sentinel Trusted Access

The Enterasys NAC solution we tested combined the company’s Sentinel Trusted Access Manager (TAM) 1.1, Sentinel Trusted Access Gateway (TAG) 1.1, NetSight Policy Manager 2.2, NetSight Automated Security Manager 2.2, Dragon Security Command Console 7.2.5, and Dragon Network Intrusion Detection System 7.1. The Sentinel system can make use of (but does not require) the extensive port-based policy capabilities of Enterasys’ line of switches. Combining policy management, access management, and a network IDS, Enterasys delivered a comprehensive -- if complicated -- response to our test scenarios.

Click for larger view.

Configuration of the system requires three related but separate applications, as well as connectivity to external systems for posture scanning and IDS. Policies are created in the NetSight Policy Manager and pushed to the appropriate network enforcement points.

The Sentinel TAM -- which is responsible for managing the Sentinel TAGs that enforce the policies -- provides authentication proxy and network enforcement. One TAM can manage many TAGs, allowing for centralized management of a widely distributed network.

Our test system used an Enterasys Matrix N-series core switch and a B-series edge switch equipped with the system daughter card. The daughter card ran the TAG.

Our Enterasys environment also included the Dragon Security Command Console to manage security events and the Dragon network intrusion detection product to watch network traffic and report anomalies for action. The Dragon components are not a necessary part of Enterasys’ NAC implementation, and they come at significant additional cost.

The Enterasys system, especially when including the optional IDS, is more comprehensive than the other three solutions. The system provided integrated capabilities for all of our test scenarios, using agent-based scanning of the clients to determine client posture. The Enterasys solution supports the VLAN assignment approach, but by leveraging the Enterasys switches, we were able to assign policies that were even more granular. As a result, for example, devices did not change IP subnets as they moved from one state to another, eliminating the need to force a DHCP release/renew and the accompanying delay.

The switch policies also allowed us to limit the traffic both to and from the attached devices on each port, and the TAM could optionally force a vulnerability assessment scan of the device using Nessus.

Using either VLAN assignment or port policies, the Sentinel system can appropriately limit access of the client systems based on both the identity of the user and the posture of the system. Using the network IDS to detect changes in traffic to or from a client, Sentinel could even trigger changes to the network configuration in response -- a great asset for larger organizations defending against zero-day attacks.

Furthermore, the port-level policies allowed us to configure ports to permit only the traffic that made sense for each user and device. For example, telephones could talk only to the call manager, and guests could access the Internet only on certain ports. We could also lock down the network using predefined policies based on user identity, effectively ensuring that only appropriate traffic could be sent or received.

On the downside, the policy configuration for Sentinel was quite complex, especially since it crossed the boundaries of multiple products. But once the general concepts were stored in the system, creating new policies was typically a matter of duplicating other policies and modifying the specific protocols, networks, and other traffic limitations for each policy. And in this case, the extra effort can pay off. Per-port policies are powerful, providing an extra level of protection that’s attractive in these days of nasty network surprises.

McAfee Policy Enforcer 2.0

McAfee Policy Enforcer (MPE) 2.0 is a policy management product that integrates with McAfee’s anti-virus agent and (perhaps surprisingly) other anti-virus products. A free add-on to McAfee ePolicy Orchestrator (EPO), MPE is both the user interface for configuring and managing access policies and the enforcement decision-maker. It uses EPO as the control agent for deployment, updates, notification, and other management tasks.

Click for larger view.

MPE provides an effective visual summary of the current status of compliance by systems, subnets, and switches. It allows an administrator to drill into the details but provides a color-coded picture of the current state of the environment. The system represents an intuitive and highly visual view into the compliance status of the network.

Based on host posture, the system uses VLAN assignment to move hosts onto appropriate VLANs for remediation or quarantine. The system is unique in this roundup in that it does not depend on McAfee hardware or agents. MPE can gather posture information through an amazing variety of agents, including all the leading anti-virus clients, and it handles agentless systems through guest access policies.

Policy configuration starts with the definition of Quarantine Zones, the VLANs assigned for various purposes that are other than standard data VLANs. Examples include VLANs for cleaning infected systems, for updating noncompliant ones, and for isolating those that are unmanaged. These VLANs are the primary enforcement mechanisms for systems not running the EPO client.

Once these VLANs are configured, you define rulesets for the combination of states that comprise a client posture. These states can include a broad range of information, and they can be set to trigger an alert, or to enforce the policy, or to ignore the violation. These options are convenient when creating new rules or when wanting to determine the state of systems before introducing new requirements for network access.

Next, the policies can contain multiple compliance rules that are first based on the version of Windows on the client. Additional parameters include the running anti-virus product, its state, the presence of a firewall on the host, security bulletins for the operating system and applications, and infections. The infections list is interesting in that it allows you to set individual rules based on the presence of a specific infection, a feature McAfee says customers have requested.

Once you’ve selected the posture, you determine the actions to take for noncompliance. The tabbed GUI gives admins a nicely focused set of choices within each tab. We found it easy to make changes without having to hunt for the settings.

McAfee Policy Enforcer correctly handled all of the scenarios it is designed to tackle. Unlike the Enterasys system, it cannot make access decisions based on user identity, but only on pass/fail authentication. It could not differentiate between authenticated guests and authenticated employees, nor did it differentiate between unrelated users or user groups that were authenticated.

The system is also limited to determining the host posture, so, unlike gateways and switch-based solutions, it cannot enforce policy based on traffic appearing from a system that already has access. This limits its ability to address a zero-day attack, although McAfee offers additional products to do so.

McAfee Policy Enforcer stands out with its friendly, visual interface for managing host posture for network access. Using standards-based VLAN assignment, it provides fine-grained rules definition, which allows administrators specific visibility into and control of hosts. The ability to collect host posture information from other vendors’ anti-virus clients is a big plus.

Symantec Network Access Control

The Symantec Network Access Control (SNAC) system is a family of products -- including Symantec Network Access Control 5.1 MR2, Symantec Sygate Enterprise Protection 5.1 MR2, and the Symantec Network Access Control 6100 Enforcer Appliance -- that address multiple aspects of network access control. The system uses gateway and DHCP-based enforcement appliances controlled by a common policy management system. (We did not Click for larger view. test the DHCP enforcement as part of this review.) This approach allows enterprises to consider their functional requirements for each part of their networks and then deploy the appropriate solution in an integrated fashion.

The Symantec Network Access Control (SNAC) system is a family of products -- including Symantec Network Access Control 5.1 MR2, Symantec Sygate Enterprise Protection 5.1 MR2, and the Symantec Network Access Control 6100 Enforcer Appliance -- that address multiple aspects of network access control. The system uses gateway and DHCP-based enforcement appliances controlled by a common policy management system. (We did not Click for larger view. test the DHCP enforcement as part of this review.) This approach allows enterprises to consider their functional requirements for each part of their networks and then deploy the appropriate solution in an integrated fashion.

Deployments will include the Symantec Policy Management Console and one or both of the Symantec LAN Enforcer and Gateway Enforcer, plus optionally the Sygate Protection Agent for Windows clients. The LAN Enforcer uses agent posture to determine access rights, with VLAN assignment on the infrastructure switches as the enforcement method. The Gateway Enforcer implements policy as traffic flows through it.

For this test, the LAN Enforcer was set up as a device on the network, while we directed traffic between an edge switch and the core via the Gateway Enforcer. The Gateway Enforcer is the primary method for controlling guest access in the Symantec Network Access Control system.

Policies are configured through the Symantec Policy Management Console, a Java client running on Windows Server 2003 that communicates to the Enforcers. In the Policy Management Console, you create policies in a policy library, which divides them into firewall policies, host integrity policies, and OS protection policies.

Click for larger view.

Firewall policies are the specific connections that are allowed or disallowed based on host posture or packet inspection. For example, you could create a policy that specified, except for specific developer workstations, only port-80 traffic is allowed from all desktops to your intranet Web server.

Host integrity policies protect the host system from attack by making sure the required security applications are up-to-date and running properly; OS protection policies define the applications allowed to run on the system.

Administrators create new policies using a wizard-based interface in the Policy Management Console, by copying another policy and editing it, or by filling in a blank policy template from scratch. The policy list allows for the editing of the major policy fields through pull-downs on the screen -- a nice touch for quickly viewing options and making changes while being certain that you are choosing viable options.

Rules are defined separately from the policies and, thus, made available to the policy editor. So, for example, an “Allow VPN” rule can be applied or disabled for any of the policies independently but is easily visible when editing the policies. Rules are created, edited, and deleted from within the policy editor.

Once policies are created in the policy library, you assign them to locations where they will be applied. Within each location, the system administers policies based on user authentication status, host integrity status, and applications running on the host.

Policy enforcement is dependent upon the type of Enforcer in use. When configuring switches for the LAN Enforcer, the switch profiles include the VLANs and the VLAN assignment based on authentication status of both the host and the user as well as whether or not the system profile passed. Any combination of pass/fail for these states can cause a VLAN assignment.

Because the Gateway Enforcer manages traffic through inline filtering, and can make decisions based on active traffic, it provides more control than VLAN assignment. For example, the Gateway can detect changes in traffic patterns that could indicate a zero-day infection and isolate the traffic to keep it from spreading.

SNAC conquered all the scenarios we expected it to handle, but like McAfee Policy Enforcer, it does not support policy variation by authentication parameters such as user name or user group. It is not possible to assign policies based on those characteristics. It is, however, possible to assign policies based on whether or not the client passed authentication.

The availability of both a gateway device and a LAN enforcement device provides many options for implementation, especially for guest access. The policy management interface is comprehensive, but the presence of the different Enforcers creates multiple policy definitions that interact in ways that may be unclear to administrators who don’t not use the system daily.

Trend Micro Network VirusWall Enforcer 2.0

Trend Micro Network VirusWall Enforcer (NVWE) 2.0 and Trend Micro Control Manager (TMCM) 3.5 couple a NAC gateway appliance with a browser-based configuration interface. NVWE is a “plug-and-protect” device designed to ensure that all devices -- local or remote, managed or unmanaged -- are determined compliant before they are allowed onto the network. NVWE also offers network worm prevention, as well as port, agentless, and agent-based scanning of devices.

As a gateway solution, the Network VirusWall Enforcer allows for the enforcement of policy for any device attempting to send traffic through it. Using the Web-based Control Manager, administrators can quickly determine status of the environment as well as check, create, and update policies. The Network VirusWall Enforcer provides a broad range of checks for many different anti-virus programs and Windows registry-based checks.

Click for larger view.

The installation of the hardware is typical for a gateway, with one port connected to an edge device and the other connected to the core. All traffic passing through the Network VirusWall Enforcer must pass the configured policies, and the real-time dashboard provides insight into what the Enforcer has seen and what areas of concern may exist.

Policies are configured through the Web-based interface, as well. The system provides a concept of Network Zones. Through the use of IP addresses (individually or by subnets), administrators can define areas of the network that are controlled in consistent ways. So, for example, conference rooms may have different policies than office areas of an enterprise, and those policies would need to be defined only once, then applied to the appropriate Network Zones.

When creating policies, administrators specify the kind of agent for which the policy applies (agentless or persistent agent), the type of end point installation method, and what to do with non-Windows and unidentifiable operating systems. You also select how frequently to recheck both compliant and noncompliant end points.

Next, you set the Network Zones that will use this policy and specify whether it applies to authenticated users or unauthenticated users (the latter are considered guests by the Network VirusWall Enforcer). Next, you define the enforcement policies, including anti-virus program, version, and system threats. You can also specify system thread scanning, vulnerabilities, and registry key scans. If the vulnerability scan does not pass, you can set a redirect URL (such as Windows Update) for correction.

Next, you configure the Network Virus Policy, including what to do with end points that are transmitting viruses and the remedy you prefer. Last, you set URL exceptions for remediation servers. You repeat these steps for each policy that you define on the Enforcer.

The Network VirusWall Enforcer correctly handled all of the scenarios that it is designed to take on. Because it integrates with Active Directory and LDAP, it can differentiate between authenticated and unauthenticated guests and employees in those environments.

The system is limited to scanning and intercepting traffic that passes through the gateway. Therefore, neighboring systems are unprotected from worms and other attacks that do not pass through. However, given that most malicious software isn’t judicious in its traffic generation, it’s likely that the gateway will detect such activity quickly and lock the offending system out of the network.

The step-by-step policy configuration was simple to create, thanks to the wizardlike interface. Using a browser for configuration is an obvious advantage, and the ability of the device to direct cleanup of end points is a major advantage. Integration with Trend Micro Real-Time Scanner, a small applet that allows systems without a normal agent to have one loaded for analysis, helps with guest access.

Like McAfee and Symantec, Trend Micro supports other vendors’ anti-virus products for host posture collection. While it does not offer the same depth of options for each of the alternatives as McAfee, it does allow for integration across multiple products.

Key Differences

The products we tested represent a broad range of options for organizations seeking policy-based network access control. The Enterasys system, which includes per-port policy management when married to Enterasys switches, represents the comprehensive and complex end of the spectrum. The gateway solutions from Trend Micro and Symantec, which provide extensive traffic analysis as an integral part of NAC, offer a middle ground. Finally, we reach the other end of the scale with the easy policy management systems from McAfee and Symantec. The variety of options allows organizations to consider their goals for NAC and to choose a solution that maps to their needs.

Solutions that use a gateway system through which all network traffic passes and those that integrate directly with the switch infrastructure allow for complex traffic analysis to be an integral component of NAC. They also allow for traffic anomalies such as zero-day worms to trigger network access policies that isolate infected systems and protect the network and other systems from infection. More basic NAC is available through host-based analysis.

Before analyzing your options, define the policies you want to be able to enforce, and consider whether or not you need to be able to base your policies on user identity and user group information, or if authentication pass/fail is sufficient. Not all solutions can handle identity-based scenarios. The Symantec and McAfee solutions operate independently of or in concert with authentication systems such as 802.1x, but neither can take user identity into account. The Enterasys and Trend Micro solutions can act as a RADIUS proxy and the Trend Micro system can use LDAP or AD. Both can tap user and group information as components of policies.

The first step on the road to NAC is to develop a comprehensive network security policy that involves the complete network topography and the policies for access to every corner of it. For most, deploying 802.1x for standards-based authentication is essential. Without authentication, fine-grained policies aren’t possible.

The products continue to improve. Begin to budget for implementation because it will not be long before you’ll be ready to do it.

InfoWorld Scorecard
Scalability (20.0%)
Setup (15.0%)
Value (10.0%)
Policy Enforcement (20.0%)
Reporting (15.0%)
Manageability (20.0%)
Overall Score (100%)
Sentinel Trusted Access 1.1 9.0 7.0 6.0 9.0 7.0 7.0 7.7
McAfee Policy Enforcer 2.0 7.0 8.0 8.0 7.0 9.0 8.0 7.8
Symantec Network Access Control 5.1 MR2 8.0 8.0 7.0 8.0 7.0 7.0 7.6
Trend Micro Network VirusWall Enforcer v2.0 7.0 8.0 8.0 8.0 8.0 8.0 7.8
From CIO: 8 Free Online Courses to Grow Your Tech Skills
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies