NAC appliances reveal who's rapping at your network door
NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders
At the end of my evaluation, I found that none of the products cover every base. Each one is missing the last piece of the NAC puzzle: scalability, endpoint assessment, or reporting. The one that came closest to meeting all aspects of an ideal NAC solution is the Caymas 525 Identity-Driven Access Gateway. My biggest complaint is the cost of the unit -- $70,000 -- but this is for all features enabled, even the SSL VPN services for 5,000 concurrent users. Vernier's EdgeWall 7000 was the low-price leader and was just narrowly edged out by the Caymas appliance. If it had a better on-device reporting system, it would have scored a little better and claimed top honors.
Caymas 525 Identity-Driven Access Gateway
The Caymas 525 Identity-Driven Access Gateway is an SSL VPN appliance for secure remote access to applications and data, as well as a flexible NAC solution for managing user access to the network. The 525 authenticates users, then dynamically builds an access control policy based on their security postures. Its host-assessment capabilities aren't as comprehensive as Vernier's, but they do provide a good measure of confidence.
Capable of handling as many as 5,000 concurrent users, the 525 is a 2U appliance with four Gigabit Ethernet interfaces and redundant power supplies. Each interface can provide connectivity to different network segments, allowing for flexible deployment. All user traffic must pass through the 525, but physical location in the infrastructure isn’t as important as how traffic flows through the device. Typically, like the other NAC solutions, admins will place the 525 near the network core.
Setting up, installing, and getting a basic default configuration online took me approximately an hour, with the better part of a morning spent defining device, application, and user groups. Microsoft SBS (Small Business Server) 2003 with AD (Active Directory) handled the authorization services. The 525 can also use LDAP, RADIUS, SecurID, and a local database as a source of user names and passwords. I was able to map user groups in AD back to the Caymas appliance to take advantage of existing security groups. Caymas' Java-based user interface was easier to navigate than most others in the group, second only to Vernier's UI.
Integrated Windows log-in is one feature missing from the system. This means Caymas cannot use users' existing Windows credentials to authenticate them and place them into a security zone. To access the network, all users must authenticate through the captive portal. The appliance can, however, look up users in a number of different directories to obtain their group affiliations. Caymas says integrated Windows authentication will be available in a future release.
Caymas' policy engine, like the others, requires some planning to get the most out of it, but once it's in place, it requires little ongoing maintenance. Admins can define networks, resources, and applications either individually or in groups. Admins can also create various security zones that bind networks, authentication methods, and host-checker results to specific Web and file resources and applications.