NAC appliances reveal who's rapping at your network door
NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders
Lockdown also offers the Sentry, a low-cost appliance that brings policy-based access control to remote offices, and the Commander, an appliance that will allow admins to manage multiple Enforcers and Sentries from a single console. Neither the Sentry nor the Commander were part of my testbed.
Among all the NAC appliances reviewed here, Enforcer is the only one that does not sit inline with the flow of traffic. Instead, it talks to managed switches via SNMP and places each port on the switch, based on user authentication, in various VLANs. Each security policy corresponds to a VLAN, either an existing one or one defined for the purpose of managing access to specific resources.
Enforcer’s approach to policy enforcement differs greatly from that of its competitors; it’s also quite limiting. Part of the initial setup of my Enforcer included creating a connection, called a Control Point by Lockdown, via SNMP to my Cisco Catalyst 2950 switch. Each port in the Catalyst is enumerated in the Enforcer UI and assigned a specific type of policy enforcement. For example, ports 1 through 6 might be defined for use in a conference room where host assessment is required but authentication is not (guest access). Admins can assign other ports different access policies as needed.
Unlike Caymas and Vernier, Enforcer requires you to explicitly define which authentication methods apply to each switch port, a process that will require some forethought. Each port can support multiple authentication methods, or not require authentication at all. When assigning authentication methods, admins will have to err on the side of security and place stricter policy settings across all ports in order to make sure all possible scenarios are covered. For many enterprises, however, physical switch and port connections are static and well known to IT. So in this case, administrators can make some assumptions about what type of device will connect and what access policy should be in place. To prevent any SNMP spoofing or poisoning, SNMP Version 3 will be supported in a later release.
Because user traffic doesn’t pass through the Enforcer, it relies on the physical port in the switch for enforcement, much like the Nevis LANenforcer. Therefore, if a group of users is connected to a remote workgroup switch and their traffic is aggregated back to a switch under Enforcer’s control, only a default policy can be applied to them. Because there is no one-to-one relationship between user and physical port, Enforcer cannot apply a specific policy or manage user authentication. Access control is accomplished using traditional methods, such as switch-based ACLs. The same goes for branch offices: They either need their own Enforcer or their switch remotely managed by the enterprise Enforcer. Lockdown addresses these scenarios with the $1,495 Sentry box.
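To make the port-based enforcement model and its aggregation limitation concrete, here is an added, self-contained Python model of the behavior described above. It is not Lockdown's code; the port numbers, VLAN IDs, policy names and the "SNMP SET" log lines are all constructed stand-ins for what the appliance would actually write to a managed switch. It shows per-port policies (guest port needing only a host assessment, employee port needing 802.1X) and the fallback to a default VLAN when more than one host appears behind a single port, which is the case of a downstream workgroup switch that the review says can only get a default policy.

```python
"""Constructed model of switch-port NAC enforcement via per-port VLAN assignment."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

DEFAULT_VLAN = 999  # constructed: restricted VLAN used when no specific policy can apply


@dataclass(frozen=True)
class PortPolicy:
    """Policy bound to one physical switch port (constructed field names)."""
    auth_methods: FrozenSet[str]   # empty set means no authentication required (guest)
    require_assessment: bool       # host assessment must pass before the pass VLAN
    vlan_on_pass: int
    vlan_on_fail: int


@dataclass(frozen=True)
class Host:
    """What the enforcer learns about an endpoint on a port (constructed)."""
    mac: str
    auth_method: Optional[str]     # method the host used, or None if it did not authenticate
    credentials_ok: bool
    assessment_ok: bool


@dataclass
class PortState:
    policy: PortPolicy
    seen_macs: Set[str] = field(default_factory=set)
    vlan: int = DEFAULT_VLAN


class PortEnforcer:
    """Assigns a VLAN per port; SNMP writes are replaced by an in-memory log."""

    def __init__(self, port_policies: dict):
        self.ports = {p: PortState(pol) for p, pol in port_policies.items()}
        self.snmp_log: List[str] = []

    def _set_vlan(self, port: int, vlan: int) -> int:
        self.ports[port].vlan = vlan
        self.snmp_log.append(f"SNMP SET port={port} vlan={vlan}")  # stand-in for the real write
        return vlan

    def decide(self, port: int, host: Host) -> int:
        """Return the VLAN the port should be placed in after seeing this host."""
        state = self.ports[port]
        state.seen_macs.add(host.mac)
        pol = state.policy
        # More than one MAC behind the port means an aggregation switch sits downstream:
        # there is no one-to-one user/port relationship, so only the default policy applies.
        if len(state.seen_macs) > 1:
            return self._set_vlan(port, DEFAULT_VLAN)
        if pol.auth_methods:
            if host.auth_method not in pol.auth_methods or not host.credentials_ok:
                return self._set_vlan(port, pol.vlan_on_fail)
        if pol.require_assessment and not host.assessment_ok:
            return self._set_vlan(port, pol.vlan_on_fail)
        return self._set_vlan(port, pol.vlan_on_pass)


# Constructed port map: 1-6 conference room (guest, assessment only), 7 employee desk (802.1X),
# 24 uplink to a workgroup switch that the enforcer cannot see into.
GUEST = PortPolicy(frozenset(), require_assessment=True, vlan_on_pass=20, vlan_on_fail=30)
EMPLOYEE = PortPolicy(frozenset({"dot1x"}), require_assessment=True, vlan_on_pass=10, vlan_on_fail=30)
PORT_POLICIES = {**{p: GUEST for p in range(1, 7)}, 7: EMPLOYEE, 24: EMPLOYEE}


def demo() -> dict:
    """Run the constructed scenarios and return the VLAN each port ended up in."""
    enf = PortEnforcer(PORT_POLICIES)
    results = {
        "guest_clean": enf.decide(1, Host("00:11:22:33:44:01", None, False, True)),
        "guest_failed_assessment": enf.decide(2, Host("00:11:22:33:44:02", None, False, False)),
        "employee_dot1x": enf.decide(7, Host("00:11:22:33:44:07", "dot1x", True, True)),
    }
    # Uplink: first host passes, but a second MAC reveals the aggregation and demotes the port.
    enf.decide(24, Host("00:11:22:33:44:24", "dot1x", True, True))
    results["uplink_after_second_host"] = enf.decide(24, Host("00:11:22:33:44:25", "dot1x", True, True))
    results["snmp_writes"] = len(enf.snmp_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The model also makes the review's operational point visible: the enforcer's only lever is the VLAN of a physical port, so anything that hides several users behind one port (a hub, an unmanaged switch, a remote workgroup switch) collapses to the default policy, and access control for those users has to come from somewhere else, such as switch ACLs.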
Enforcer’s user interface is one of the best looking of the quartet, providing easy access to the various management tasks. Creating a policy, on the other hand, isn’t quite as intuitive as with Caymas or Vernier. The policy editor is extremely powerful and allows for a very granular rule set. This is where the complexity creeps in: The wide range of choices and settings makes policy definition seem difficult. With some help from technical support, I was able to create a handful of policies and assign them to different ports in the Catalyst.