NAC appliances reveal who's rapping at your network door
NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders
Action sets are the muscle behind the policy rules -- they define what will happen when a user fits a specific policy set. One action set might move the user to the Production VLAN, while another might move them to the Quarantine VLAN if, for example, the user’s anti-virus signatures are out of date. Other choices are to execute another rule set, require the agent to download to the host, and/or schedule an audit.
Authentication services are solid and will work in just about any situation. LDAP, RADIUS, 802.1x, Active Directory and captive portal are all available. The Active Directory connector worked flawlessly with my SBS server and was one of the easier AD connectors to create.
End point host assessment is very comprehensive and comes in both agent and agentless flavors. Agentless checks include open ports, running services, Mac software updates, and vulnerability scans. An agent is required on the host (Windows and Mac versions are available) to check for the presence and status of Windows and Macintosh anti-virus packages, Windows anti-spyware, and firewall products from various vendors. The Enforcer can use SMB credentials to initiate a Windows anti-virus check and a Registry check.
I was really impressed with how detailed Enforcer’s reporting engine is. At a glance, I was able to see which users were logged in and to which port, which ones were in violation of a policy, and a list of detected vulnerabilities. A report builder allows IT to craft its own custom reports.
Nevis LANenforcer 1048
The Nevis LANenforcer is the only solution in my review that replaces the switches in the wiring closet. It provides access control on a per-port basis, giving each user a personal DMZ on the network. Configuration is done through an external management server, but policy management is hampered by a poorly organized user interface. Available authentication services will handle most situations, and like Lockdown’s Enforcer, each physical port is assigned a specific authentication policy. End point host checking is missing in this release, but it will be available in the future.
The LANenforcer 1048 is a 1U 48-port Gigabit Ethernet access layer switch that, unlike those from Caymas and Vernier, needs to be installed closer to the user, normally in the workgroup wiring closet. Currently, it has a one-MAC-address-per-port limitation, preventing it from enforcing policy on users connected to upstream workgroup switches (this limitation is being addressed in the next major release). It does, however, inspect traffic from Layer 2 on up.
Installing the 1048 on my test bench took less than an hour, but like all the others, creating a default policy took most of a morning. Nevis uses an external management server called LANsight for all configuration and management chores. For my evaluation, LANsight came preinstalled on a Dell PowerEdge server, but admins will have to provide their own hardware to install LANsight when they purchase the system.
The list of authentication sources Nevis supports isn’t as long as Caymas’, but will fit most situations. On it, admins will find LDAP, Active Directory, RADIUS, and TACACS+ (Terminal Access Controller Access Control System). As with the other vendors, Active Directory was my authentication source for Nevis.