NAC appliances reveal who's rapping at your network door
NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders
For example, I created a Financial security zone that required my users to authenticate against Active Directory, to be on an internal network segment, and to successfully pass the host checker. To this security zone, I then assigned a group of applications and resources users would then be able to access. If a user fails any of the required security items, he or she would be placed into a limited-access quarantine policy.
As I was creating and changing my security policies and zones, I was happy to note that I could easily see what my users’ effective ACLs (access control lists) would be. Whether I had selected a specific application or a group of users, I could see in the same window what the security policy was for that object. This glimpse made double-checking the effective rights much quicker.
The Caymas host-checking system does not require an agent to be installed on the host PC. During the authentication process, the appliance will scan the host by pushing either an ActiveX or Java agent (depending on the environment) to the client. On disconnect, the agent is removed with no traces left behind. For the agent to install and run on the host PC, the logged-on user must have power-user or administrative rights to his or her PC. This could be a problem in enterprises where users have limited local rights.
As of this release, Caymas doesn’t come with a predefined list of anti-virus, anti-spyware, or personal firewall vendors. Admins have to create their host-checking policy by entering a process name or other identifying information (rtvscan.exe to look for Norton AntiVirus, for instance). With minimal effort, however, it will scan for open ports, Windows service pack level, Registry entries, and files. Admins can nest host-checker policies using Boolean logic to create complex rules. Later releases will feature built-in anti-virus, anti-spyware, and personal firewall lists, as well as the capability of scheduling recurring host checks.
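To make the policy model concrete, here is an added illustration (not Caymas code; the appliance's actual policy syntax is not shown in this review) of nested Boolean host-checker rules and of the Financial-zone-or-quarantine decision described above. The posture field names, the second AV process name `example-av.exe`, and the resource names in the ACLs are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Posture = Dict[str, object]  # what the pushed ActiveX/Java checker reports (field names constructed)


@dataclass
class Rule:
    """One host-checker rule: a single check, or a Boolean nesting of child rules."""
    op: str                                   # "check", "all", "any" or "not"
    check: Optional[Callable[[Posture], bool]] = None
    children: List["Rule"] = field(default_factory=list)

    def evaluate(self, posture: Posture) -> bool:
        if self.op == "check":
            return bool(self.check(posture))
        if self.op == "all":
            return all(c.evaluate(posture) for c in self.children)
        if self.op == "any":
            return any(c.evaluate(posture) for c in self.children)
        if self.op == "not":
            return not self.children[0].evaluate(posture)
        raise ValueError(f"unknown rule op: {self.op}")


# Building blocks for the items the review says the checker can look for.
def process_running(name: str) -> Rule:
    return Rule("check", lambda p: name.lower() in (x.lower() for x in p.get("processes", [])))

def min_service_pack(level: int) -> Rule:
    return Rule("check", lambda p: int(p.get("service_pack", 0)) >= level)

def port_closed(port: int) -> Rule:
    return Rule("check", lambda p: port not in p.get("open_ports", []))

# Nested policy: (Norton via rtvscan.exe OR a constructed second AV process) AND SP >= 2 AND TCP 135 closed.
HOST_CHECK = Rule("all", children=[
    Rule("any", children=[process_running("rtvscan.exe"), process_running("example-av.exe")]),
    min_service_pack(2),
    port_closed(135),
])

FINANCIAL_ACL = ["finance-app", "finance-fileshare"]  # constructed resource names
QUARANTINE_ACL = ["remediation-server"]


def effective_acl(session: Dict[str, object]):
    """Financial zone needs AD auth AND an internal segment AND a passing host check; else quarantine."""
    allowed = (session.get("ad_authenticated") is True
               and session.get("segment") == "internal"
               and HOST_CHECK.evaluate(session["posture"]))
    return ("Financial", FINANCIAL_ACL) if allowed else ("Quarantine", QUARANTINE_ACL)
```

Any single failed item (wrong segment, no AV process, old service pack, open port) drops the session to the quarantine ACL, which is the behaviour the review describes for the Financial zone.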
The 525 inspects all user traffic from Layer 3 to Layer 7, taking advantage of the application security engine normally applied to SSL VPN deployments. In fact, the underlying SSL VPN and security features are very much a part of the system. Basically, Caymas provides a stateful inspection firewall for every user and builds ACLs based on the overall security profile of each user. Each packet is inspected as it passes through the appliance, no matter where it comes from. Unlike with Nevis and Lockdown, a “one user to one port” association is not necessary.
Reporting is very well represented in the 525. Admins can view reports on user and resource activity, the number of successful and failed log-ins, and other system information. Admins can export the reports to CSV (comma-separated values) files for analysis in other reporting tools.
Lockdown Networks Enforcer
The Enforcer from Lockdown Networks takes an entirely different tack than the other NAC solutions in this review: It performs enforcement at the managed-switch level through SNMP by placing users into policy-defined VLANs. The policy engine is robust, though not the most intuitive one of the bunch. It does include various sample policies on which to build. Reporting features are the best of the lot with a wide variety of rich reports and graphs.
The Enforcer is available in 1U and 2U configurations (I tested the 1U device), with the 2U doubling the CPU and power supplies. Both versions come with a single Gigabit Ethernet interface for connecting to your managed switches. A single Enforcer can manage up to 256 switches and 4,096 VLANs.