Plug-n-click network access management

StillSecure, Vernier Networks keep close eye on policy compliance

In an increasingly crowded field, StillSecure Safe Access 3.0 and Vernier Networks EdgeWall Express 7000 NAM (Network Access Management) devices distinguish themselves by offering customers additional access-control protection with minimal configuration and customization

NAM solutions attempt to ensure that critical security policies are enforced before a computer connects to a protected network. Common compliance checks include checking for up-to-date anti-virus software, installed patches, and closed vulnerabilities. Other solutions may include the ability to monitor and detect newly emerging threats, quarantining problem computers, and automatically remediating security events. The goal is to stop computers with individual weaknesses from threatening the whole enterprise.

StillSecure Safe Access

Safe Access 3.0 is a solid layer 2 contender in the NAM field. Based on a hardened version of Red Hat Linux, the Safe Access server requires a Pentium 4 1.2GHz or faster processor, 1GB of RAM, and two network cards. Once the server portion is installed (an easy process), you connect over HTTPS using a browser.

At this point, most users could simply accept the defaults and have a solid NAM product. For those who want to go further, Safe Access has two main modes: gateway and DHCP. Gateway mode allows Safe Access to act as a layer 2 chokepoint. In DHCP mode, the product can refuse to assign a valid DHCP lease to clients until after they have met compliance criteria.

The DHCP mode is meant for a quick setup, but can be bypassed with a valid static IP address. Gateway mode forces the client into a restricted VLAN until the required tests are done; it is not easily bypassed. Access control checks are keyed off NetBIOS traffic or the client initiating a DCHP or DNS-resolution request.

Safe Access comes with dozens of predefined client (compiled Python) test scripts to test a client workstation for patch levels, current anti-virus software, various software settings, and Windows security settings.

The major weakness here is that clients cannot easily view the scripts to determine accuracy. For example, the default patch-checking scripts only query registry settings to determine compliance, which isn’t the most accurate method. You can create customized scripts in Python using an API to check file versions and MD5 hash values to ensure a higher rate of accuracy.

There are three predefined monitoring policies — Low, Medium, and High Security — and you can make custom policies. Although one policy is designated as the default, you may tie any client to any particular policy using its MAC or IP address, NetBIOS name, or domain-name suffix.

Safe Access can also be configured to recheck compliance at user-defined intervals — a feature not found in every NAM solution. It provides additional assurance that a client isn’t disabling security controls after he or she has successfully logged on.

The administrator determines the default action to take when a client fails a compliance test — the quarantine decision can be set per test, per policy, or per device. An administrator can give one type of access to internal users and another type to external users, vendors, and consultants.

Safe Access’s main console also lets an administrator allow or deny all access with one mouse click, which could be useful during a worm outbreak. It has a nifty customizable stoplight feature that shows, among other things, who has and hasn’t met the security policy criteria.

Safe Access tests policy compliance using one of three methods (most competitors only come with one or two): Agent, a Windows service, works with Windows 2000 and higher; ActiveX control, which is similar to Agent, works with Windows 98 and higher; and Agentless. The latter two methods are new in Version 3.0.

Safe Access’ Agentless method uses authenticated RPC (remote procedure call) to query the workstation. As expected with any agentless solution, it is a little slower and a bit less functional than the Agent and ActiveX counterparts, but you can configure the testing methods and state an order of preference.

EdgeWall Express 7000

The feature-rich EdgeWall NAM device relies heavily on its Nessus-related vulnerability scanner and its always-on status to detect client vulnerabilities and network malware hazards.

Connecting clients are screened to ensure that they are free of critical vulnerabilities and malware before they can access the network. EdgeWall can then restrict the resources that each client can access. Network traffic is inspected for malicious content and behavior, which is blocked, quarantined, or removed.

The EdgeWall family includes several models differentiated by feature set, rated throughput (300Mbps to 1Gbps), number of network ports, and fault-tolerant redundancy. All come with Identity-based Access Control and Intrusion Prevention; Vulnerability Scanning and Patch Management Integration modules are optional.

EdgeWall’s client-compatibility list is more extensive than most NAMs, including Windows, Macintosh, Unix, and Linux systems, and even some PDAs. Other features include VPN termination, VLAN tagging, MAC and LDAP authentication, QoS, bandwidth throttling, SNMP management, and wireless access.

The device itself is a 2U box with front-mounted connections, running FreeBSD and a host of other open source solutions. Initial configuration of the basic IP configuration and preshared key information must take place over a text-based serial session, but most admin tasks are configured by browser.

The EdgeWall device is slightly more complex than Safe Access 3.0. Its plethora of features and granularity begs detailed scrutiny. A pleasant tabbed Web interface lets you define “connection profiles,” which determine who can connect where, and “access policies,” which determine which traffic is allowed where.

EdgeWall-protected computers can be scanned for over 5,000 vulnerabilities and threats during and after initial network usage; you download various scans from Vernier’s subscription-based Threat Labs. Safe Access has a separate vulnerability scanning module as well.

During the scan, the client is allowed to access the Internet; a failed machine can be blocked from all network access. All events are recorded to a security log file which can be exported or sent to a system log server. However, to get distributable reports you must purchase another Vernier product, Private Investigator.

A few weaknesses are exposed here. Most NAM products allow a client’s configuration to be fully queried, or at the very least its anti-virus software and firewall status to be checked. The EdgeWall device doesn’t have many of these checks, although custom requests can be submitted to Threat Labs, according to Vernier. Host checks are hit and miss. For example, EdgeWall has two checks for the Microsoft ASN.1 hotfix, but none specifically for XP SP2.

Also, neither Safe Access nor EdgeWall allows administrators to view default test-script coding to see how current test checks are performed. For example, when the product checks for the existence of a patch, does it look for only the less-reliable registry entry, or does it check for version numbers of the involved files? Safe Access just checks for registry entries, and requires custom programming to check for file versions. EdgeWall checks for file versions, but only if you have the optional Patch Management Integration module.

Tallying the Results

Safe Access is an easy-to-use NAM. Most companies will be happy with the default test scripts, and the option to build your own is invaluable to the rest. Its three testing methods, overall flexibility, and solid default configuration settings make it a top choice, but the ability to view and modify default scripts would be nice.

EdgeWall’s IPS abilities and other functions make it an always-on, scalable, enterprise solution with a heavy reliance on vulnerability scanning and network-packet inspection. According to Vernier, a forthcoming update will fix the client-side shortcomings and improve EdgeWall’s control abilities. Until then, the missing checks will remain a concern.

InfoWorld Scorecard
Setup (15.0%)
Reporting (10.0%)
Value (10.0%)
Policy Enforcement (25.0%)
Policy Management (20.0%)
Security (20.0%)
Overall Score (100%)
StillSecure Safe Access 3.0 9.0 8.0 8.0 8.0 8.0 8.0 8.2
Vernier EdgeWall Express 7000 8.0 6.0 8.0 8.0 8.0 7.0 7.6