NAC smorgasbord: Four ways to police the network

Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control

The Symantec Network Access Control (SNAC) system is a family of products -- including Symantec Network Access Control 5.1 MR2, Symantec Sygate Enterprise Protection 5.1 MR2, and the Symantec Network Access Control 6100 Enforcer Appliance -- that address multiple aspects of network access control. The system uses gateway and DHCP-based enforcement appliances controlled by a common policy management system. (We did not test the DHCP enforcement as part of this review.) This approach allows enterprises to consider their functional requirements for each part of their networks and then deploy the appropriate solution in an integrated fashion.


Deployments will include the Symantec Policy Management Console and one or both of the Symantec LAN Enforcer and Gateway Enforcer, plus optionally the Sygate Protection Agent for Windows clients. The LAN Enforcer uses agent posture to determine access rights, with VLAN assignment on the infrastructure switches as the enforcement method. The Gateway Enforcer implements policy as traffic flows through it.

For this test, the LAN Enforcer was set up as a device on the network, while we directed traffic between an edge switch and the core via the Gateway Enforcer. The Gateway Enforcer is the primary method for controlling guest access in the Symantec Network Access Control system.

Policies are configured through the Symantec Policy Management Console, a Java client running on Windows Server 2003 that communicates with the Enforcers. In the Policy Management Console, you create policies in a policy library, which divides them into firewall policies, host integrity policies, and OS protection policies.


Firewall policies are the specific connections that are allowed or disallowed based on host posture or packet inspection. For example, you could create a policy specifying that, except for specific developer workstations, only port-80 traffic is allowed from all desktops to your intranet Web server.

Host integrity policies protect the host system from attack by making sure the required security applications are up-to-date and running properly; OS protection policies define the applications allowed to run on the system.

Administrators create new policies using a wizard-based interface in the Policy Management Console, by copying another policy and editing it, or by filling in a blank policy template from scratch. The policy list allows for the editing of the major policy fields through pull-downs on the screen -- a nice touch for quickly viewing options and making changes while being certain that you are choosing viable options.

Rules are defined separately from the policies and, thus, made available to the policy editor. So, for example, an “Allow VPN” rule can be applied or disabled for any of the policies independently but is easily visible when editing the policies. Rules are created, edited, and deleted from within the policy editor.

Once policies are created in the policy library, you assign them to locations where they will be applied. Within each location, the system administers policies based on user authentication status, host integrity status, and applications running on the host.

Policy enforcement is dependent upon the type of Enforcer in use. When configuring switches for the LAN Enforcer, the switch profiles include the VLANs and the VLAN assignment based on authentication status of both the host and the user as well as whether or not the system profile passed. Any combination of pass/fail for these states can cause a VLAN assignment.

Because the Gateway Enforcer manages traffic through inline filtering, and can make decisions based on active traffic, it provides more control than VLAN assignment. For example, the Gateway can detect changes in traffic patterns that could indicate a zero-day infection and isolate the traffic to keep it from spreading.

SNAC conquered all the scenarios we expected it to handle, but like McAfee Policy Enforcer, it does not support policy variation by authentication parameters such as user name or user group. It is not possible to assign policies based on those characteristics. It is, however, possible to assign policies based on whether or not the client passed authentication.

The availability of both a gateway device and a LAN enforcement device provides many options for implementation, especially for guest access. The policy management interface is comprehensive, but the presence of the different Enforcers creates multiple policy definitions that interact in ways that may be unclear to administrators who don’t use the system daily.

Trend Micro Network VirusWall Enforcer 2.0

Trend Micro Network VirusWall Enforcer (NVWE) 2.0 and Trend Micro Control Manager (TMCM) 3.5 couple a NAC gateway appliance with a browser-based configuration interface. NVWE is a “plug-and-protect” device designed to ensure that all devices -- local or remote, managed or unmanaged -- are determined compliant before they are allowed onto the network. NVWE also offers network worm prevention, as well as port, agentless, and agent-based scanning of devices.

As a gateway solution, the Network VirusWall Enforcer allows for the enforcement of policy for any device attempting to send traffic through it. Using the Web-based Control Manager, administrators can quickly determine status of the environment as well as check, create, and update policies. The Network VirusWall Enforcer provides a broad range of checks for many different anti-virus programs and Windows registry-based checks.


The installation of the hardware is typical for a gateway, with one port connected to an edge device and the other connected to the core. All traffic passing through the Network VirusWall Enforcer must pass the configured policies, and the real-time dashboard provides insight into what the Enforcer has seen and what areas of concern may exist.

Policies are configured through the Web-based interface, as well. The system provides a concept of Network Zones. Through the use of IP addresses (individually or by subnets), administrators can define areas of the network that are controlled in consistent ways. So, for example, conference rooms may have different policies than office areas of an enterprise, and those policies would need to be defined only once, then applied to the appropriate Network Zones.

When creating policies, administrators specify the kind of agent for which the policy applies (agentless or persistent agent), the type of end point installation method, and what to do with non-Windows and unidentifiable operating systems. You also select how frequently to recheck both compliant and noncompliant end points.

Next, you set the Network Zones that will use this policy and specify whether it applies to authenticated users or unauthenticated users (the latter are considered guests by the Network VirusWall Enforcer). Next, you define the enforcement policies, including anti-virus program, version, and system threats. You can also specify system threat scanning, vulnerabilities, and registry key scans. If the vulnerability scan does not pass, you can set a redirect URL (such as Windows Update) for correction.

Next, you configure the Network Virus Policy, including what to do with end points that are transmitting viruses and the remedy you prefer. Last, you set URL exceptions for remediation servers. You repeat these steps for each policy that you define on the Enforcer.
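
A sketch of how zone-scoped policies like those configured in the steps above could be evaluated at a gateway. This is an added example, not Trend Micro's code or configuration format; the policy fields, sample subnets, host names, most-specific-zone rule, and fail-closed default are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:                  # hypothetical model, not the product's format
    name: str
    zones: list                # Network Zone subnets in CIDR form
    authenticated: bool        # False = unauthenticated users (guests)
    min_av_version: tuple      # oldest acceptable anti-virus version
    redirect_url: str          # where non-compliant endpoints are sent
    url_exceptions: set = field(default_factory=set)  # remediation servers

# Constructed sample policies; addresses and host names are placeholders.
POLICIES = [
    Policy("office", ["10.1.0.0/16"], True, (8, 0), "https://remedy.example/av"),
    Policy("conference-guest", ["10.1.50.0/24"], False, (7, 5),
           "https://remedy.example/guest", {"update.example"}),
]

def select_policy(policies, ip, authenticated):
    """Pick the policy whose most specific zone contains the endpoint."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for p in policies:
        if p.authenticated != authenticated:
            continue
        for zone in p.zones:
            net = ipaddress.ip_network(zone)
            if addr in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best

def decide(policies, endpoint, dest_host):
    """Return (action, detail) for one connection through the gateway."""
    policy = select_policy(policies, endpoint["ip"], endpoint["authenticated"])
    if policy is None:
        return ("block", "no policy covers this endpoint")  # assumed fail-closed
    av = endpoint.get("av_version")        # None when no anti-virus is reported
    if av is not None and tuple(av) >= policy.min_av_version:
        return ("allow", policy.name)
    if dest_host in policy.url_exceptions:
        return ("allow", "remediation exception")
    return ("redirect", policy.redirect_url)
```

A guest in the conference-room zone with no anti-virus reaches only the listed remediation host and is redirected for everything else, while a guest outside any guest zone is blocked outright.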

The Network VirusWall Enforcer correctly handled all of the scenarios that it is designed to take on. Because it integrates with Active Directory and LDAP, it can differentiate between authenticated and unauthenticated guests and employees in those environments.

The system is limited to scanning and intercepting traffic that passes through the gateway. Therefore, neighboring systems are unprotected from worms and other attacks that do not pass through. However, given that most malicious software isn’t judicious in its traffic generation, it’s likely that the gateway will detect such activity quickly and lock the offending system out of the network.

The step-by-step policy configuration was simple to create, thanks to the wizardlike interface. Using a browser for configuration is an obvious advantage, and the ability of the device to direct cleanup of end points is a major advantage. Integration with Trend Micro Real-Time Scanner, a small applet that allows systems without a normal agent to have one loaded for analysis, helps with guest access.

Like McAfee and Symantec, Trend Micro supports other vendors’ anti-virus products for host posture collection. While it does not offer the same depth of options for each of the alternatives as McAfee, it does allow for integration across multiple products.

Key Differences

The products we tested represent a broad range of options for organizations seeking policy-based network access control. The Enterasys system, which includes per-port policy management when married to Enterasys switches, represents the comprehensive and complex end of the spectrum. The gateway solutions from Trend Micro and Symantec, which provide extensive traffic analysis as an integral part of NAC, offer a middle ground. Finally, we reach the other end of the scale with the easy policy management systems from McAfee and Symantec. The variety of options allows organizations to consider their goals for NAC and to choose a solution that maps to their needs.

Solutions that use a gateway system through which all network traffic passes and those that integrate directly with the switch infrastructure allow for complex traffic analysis to be an integral component of NAC. They also allow for traffic anomalies such as zero-day worms to trigger network access policies that isolate infected systems and protect the network and other systems from infection. More basic NAC is available through host-based analysis.

Before analyzing your options, define the policies you want to be able to enforce, and consider whether or not you need to be able to base your policies on user identity and user group information, or if authentication pass/fail is sufficient. Not all solutions can handle identity-based scenarios. The Symantec and McAfee solutions operate independently of or in concert with authentication systems such as 802.1x, but neither can take user identity into account. The Enterasys and Trend Micro solutions can act as a RADIUS proxy and the Trend Micro system can use LDAP or AD. Both can tap user and group information as components of policies.

The first step on the road to NAC is to develop a comprehensive network security policy that involves the complete network topography and the policies for access to every corner of it. For most, deploying 802.1x for standards-based authentication is essential. Without authentication, fine-grained policies aren’t possible.

The products continue to improve. Begin to budget for implementation because it will not be long before you’ll be ready to do it.

InfoWorld Scorecard

| Product | Scalability (20.0%) | Setup (15.0%) | Value (10.0%) | Policy Enforcement (20.0%) | Reporting (15.0%) | Manageability (20.0%) | Overall Score (100%) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Sentinel Trusted Access 1.1 | 9.0 | 7.0 | 6.0 | 9.0 | 7.0 | 7.0 | 7.7 |
| McAfee Policy Enforcer 2.0 | 7.0 | 8.0 | 8.0 | 7.0 | 9.0 | 8.0 | 7.8 |
| Symantec Network Access Control 5.1 MR2 | 8.0 | 8.0 | 7.0 | 8.0 | 7.0 | 7.0 | 7.6 |
| Trend Micro Network VirusWall Enforcer v2.0 | 7.0 | 8.0 | 8.0 | 8.0 | 8.0 | 8.0 | 7.8 |