NAC appliances reveal who's rapping at your network door
NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders
Users authenticate either through a captive portal or 802.1x. Nevis's captive portal implementation is a little different from the others: the browser window must stay open (it can be minimized) for as long as the user is logged in, because the portal page sends a heartbeat that tells LANenforcer the user is still there. When users close the browser, they are immediately logged off. Alternatively, the captive portal can be configured not to send the heartbeat, but users would then have to log off manually or unplug their PCs from the network before LANenforcer logs them off -- not the preferred way to handle this.
LANenforcer allows a nearly seamless Windows single sign-on by enabling 802.1x in each Windows client's network connection settings. As long as the proper authentication policy is assigned to the switch port the user is connected to, the user's credentials are passed through to LANsight for policy assignment. As with Lockdown, deployment of the appliance is less flexible because the authentication definitions are statically assigned to each physical switch port. Using criteria other than port number to decide how a user will authenticate makes more sense.
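The heartbeat behaviour described above has a concrete failure mode worth seeing in code: without the heartbeat, a session lives until someone explicitly tears it down, so a user who walks away leaves an authenticated port behind. The following session tracker is an added illustration written for this page, not Nevis code; the heartbeat interval, the number of missed beats tolerated, the user names and the port names are all assumed.

```python
"""Captive-portal session tracker with optional heartbeat expiry.

Added example, not LANenforcer code. Models the two portal modes the
review describes: heartbeat mode (session dies when the browser goes
silent) and no-heartbeat mode (session lives until explicit logoff).
"""
from dataclasses import dataclass

HEARTBEAT_INTERVAL = 30.0    # seconds between portal heartbeats (assumed value)
MISSED_BEATS_ALLOWED = 2     # tolerate brief browser stalls before logoff (assumed)


@dataclass
class Session:
    user: str
    port: str            # switch port the user authenticated on (assumed naming)
    last_beat: float     # time of the most recent heartbeat (or login)
    heartbeat: bool      # False = portal configured without the heartbeat


class SessionTable:
    """Tracks logged-in users and reaps the ones whose heartbeat stopped."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, port: str, now: float, heartbeat: bool = True) -> None:
        self.sessions[user] = Session(user, port, now, heartbeat)

    def beat(self, user: str, now: float) -> None:
        """Called each time the (still open) portal page checks in."""
        if user in self.sessions:
            self.sessions[user].last_beat = now

    def logoff(self, user: str) -> None:
        """Explicit logoff: the only exit for no-heartbeat sessions."""
        self.sessions.pop(user, None)

    def reap(self, now: float) -> list[str]:
        """Log off heartbeat sessions whose browser has gone silent.

        Sessions created without the heartbeat are deliberately skipped:
        the appliance has no signal that the user left, which is exactly
        the drawback of that configuration.
        """
        deadline = HEARTBEAT_INTERVAL * (MISSED_BEATS_ALLOWED + 1)
        expired = [u for u, s in self.sessions.items()
                   if s.heartbeat and now - s.last_beat > deadline]
        for user in expired:
            del self.sessions[user]
        return expired

    def active(self) -> list[str]:
        return sorted(self.sessions)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: alice uses the heartbeat portal, bob does not."""
    table = SessionTable()
    table.login("alice", "gi1/0/7", now=0.0)                  # heartbeat mode
    table.login("bob", "gi1/0/8", now=0.0, heartbeat=False)   # no heartbeat
    for t in (30.0, 60.0, 90.0):
        table.beat("alice", t)          # browser open, page checking in
    # alice closes her browser after t=90 and never beats again;
    # bob never sends beats at all because his portal mode has none.
    reaped = table.reap(now=200.0)      # 110 s of silence > 90 s allowed
    return reaped, table.active()


if __name__ == "__main__":
    print(demo())   # alice is logged off, bob is still active
```

Running the scenario shows why the reviewer prefers the heartbeat: `reap()` removes alice as soon as her browser stops checking in, while bob's session persists on the port until `logoff()` is called or the cable is pulled.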
I found navigating LANsight and managing access control policies a little daunting. Organization of the UI was not intuitive and left me jumping from screen to screen to manage users and assign policies. Although the admin UI might have slowed me down, it didn’t leave anything out in terms of functionality. I was able to create groups and place users into them and then assign a security policy to the group. LANsight will check for any externally mapped group memberships (from your authentication service) and merge them into a single security policy for each user.
For example, one of my test accounts in AD was a member of three different groups. LANsight combined the effective rights from each group and created a security policy that reflected what access those group memberships were allowed to have. When users fail required security checks, LANsight automatically places them into a quarantine security policy.
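The merge described above is easy to get wrong in an access-control product, so here is an added example (written for this page, not LANsight's code) of how the effective policy for a user can be built from several mapped group policies and how a failed posture check overrides the whole result with a quarantine policy. The group names, rules, addresses and ports below are constructed for the illustration.

```python
"""Merge per-group access rules into one effective policy per user.

Added example, not LANsight code. Assumptions: each mapped group carries
a list of permit rules, the merged policy is a union of those rules with
a final default deny, and a failed posture check replaces the merged
policy with a fixed quarantine policy.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "any"
    dst: str       # destination network in CIDR form
    port: int      # destination port, 0 = any


# Constructed group policies keyed by directory group name (hypothetical).
GROUP_POLICIES: dict[str, list[Rule]] = {
    "Engineering": [Rule("permit", "tcp", "10.1.0.0/16", 22),
                    Rule("permit", "tcp", "10.1.0.0/16", 443)],
    "Finance":     [Rule("permit", "tcp", "10.2.5.10/32", 1433)],
    "All-Staff":   [Rule("permit", "tcp", "10.0.0.1/32", 53),
                    Rule("permit", "udp", "10.0.0.1/32", 53)],
}

# Quarantine: reach the remediation server and DNS, nothing else (hypothetical).
QUARANTINE_POLICY: list[Rule] = [
    Rule("permit", "tcp", "10.9.9.9/32", 443),
    Rule("permit", "udp", "10.0.0.1/32", 53),
]

DEFAULT_DENY = Rule("deny", "any", "0.0.0.0/0", 0)


def effective_policy(groups: list[str], posture_ok: bool) -> list[Rule]:
    """Union of the user's group rules, or quarantine if the host failed checks.

    Groups with no mapped policy contribute nothing. Rules are de-duplicated
    but their order is irrelevant because every group rule is a permit and
    the only deny is the trailing default.
    """
    if not posture_ok:
        return QUARANTINE_POLICY + [DEFAULT_DENY]
    merged: list[Rule] = []
    seen: set[Rule] = set()
    for group in groups:
        for rule in GROUP_POLICIES.get(group, []):
            if rule not in seen:
                seen.add(rule)
                merged.append(rule)
    return merged + [DEFAULT_DENY]


def allowed(policy: list[Rule], proto: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation of a flow against the effective policy."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.proto not in ("any", proto):
            continue
        if rule.port not in (0, port):
            continue
        if ip in ipaddress.ip_network(rule.dst, strict=False):
            return rule.action == "permit"
    return False   # no rule matched; treated as deny


if __name__ == "__main__":
    # A user in three groups, as in the review's test account.
    pol = effective_policy(["Engineering", "Finance", "All-Staff"], posture_ok=True)
    print(allowed(pol, "tcp", "10.2.5.10", 1433))   # Finance rule permits
    print(allowed(pol, "tcp", "10.2.5.10", 22))     # no group grants this
    quar = effective_policy(["Engineering", "Finance", "All-Staff"], posture_ok=False)
    print(allowed(quar, "tcp", "10.1.2.3", 22))     # quarantined: engineering access gone
```

The point to check in any NAC product that does this merge is the second branch: membership in a privileged group must not survive a failed posture check, which is why `effective_policy` returns the quarantine list outright rather than intersecting it with the group rules.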
In this release of LANenforcer, there is no way to check a host for vulnerabilities or determine its security posture. I did, however, receive a demo of Nevis's host assessment system, Client Endpoint Integrity (CEI), currently in beta and slated for a future release. When it ships, CEI should be on par with the host-checking systems in the other products: it will support all major client-based anti-virus and anti-spyware applications and will scan the host prior to authentication. One drawback is that it will use an ActiveX control, limiting it to Windows systems.
Reporting and monitoring are also solid in LANsight, with many different views into the current status of the appliance. Historical reporting is limited to displaying a single user or IP address’s activity, and admins have to know the information to search for. The monitoring section is much more admin-friendly with real-time information about active and blocked users and current network state. Much like Lockdown, I was able to dig into the LANenforcer and get quick access to which users were logged into which ports and whether there had been any policy exceptions.
Vernier EdgeWall 7000