NAC appliances reveal who's rapping at your network door
NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders
The 7000 series of network access management appliances from Vernier covers all aspects of network access security, from log-on location and device posture to authentication methods and access policies. Endpoint assessment is among the best for Windows PCs, with very flexible and detailed scan sets. The EdgeWall can provide single sign-on for Windows users as well as a captive portal for non-Windows or guest devices. On-device reporting is the one weak spot in this NAC solution.
Vernier’s EdgeWall 7000 is a 2U appliance that sits inline with your network traffic. Like the Caymas 525, the EdgeWall can be installed anywhere in the network, but to be most effective it needs to sit near the network core so that all user traffic passes through it; anything that takes a path around the appliance is neither authenticated nor inspected. The EdgeWall comes with two Gigabit Ethernet interfaces standard (my test unit had four) and can optionally include fiber SX and LX interfaces. The EdgeWall can keep track of 3,000 concurrent users and inspects all traffic from Layer 2 through Layer 7.
I installed the EdgeWall 7000 on my test bench and had it online with a basic policy in less than 30 minutes. As with the other NAC appliances, it did take some time to get authentication servers, access control rights, and host-checking schemes in place. My trusty SBS (Windows Small Business Server) box acted as my authentication source for users and groups via Active Directory. Other available authentication sources for the EdgeWall include NT Domain, 802.1x, RADIUS, Cisco Skinny (for SCCP [Skinny Client Control Protocol] IP phones), and a local user database. As with the Caymas, a single authentication policy can draw on multiple authentication services.
A feature unique to the EdgeWall is that it can “sniff” a user’s SMB log-in traffic and provide single sign-on for Windows users. As people log in to their PCs, their domain credentials are observed by the EdgeWall and used to determine the appropriate group affiliations. Because that mapping is learned passively from logon traffic, the EdgeWall must be positioned so those logons actually pass through it, which is one more reason to place it near the core. For non-Windows or guest devices, a captive portal is available for authentication.
A policy is defined by the identity of the user or device, the connection profile (authentication policy, location, and time of day restrictions), the security profile (host checking) and access policy (allowed and restricted traffic, encryption settings). Vernier’s policy engine allows administrators to craft very specific access control definitions no matter what the device may be. For instance, my test EdgeWall included an identity profile for Cisco SCCP phones that allowed me to bind them to a specific security policy.
Admins use the access policy to define which network resources and services a particular policy may reach. I found the process of creating an access policy straightforward, if a little intimidating, as I worked my way through all of the choices. The EdgeWall policy engine works top down and applies the first rule that matches the user and the requested access; nothing below that first match is ever consulted. The engine does not reorder rule sets automatically, so it is up to the administrator to get them in the right order. A broad rule placed above a narrower one silently shadows it: put a permissive rule too high and a user gets more access than you intended, put a broad deny too high and the user is locked out entirely.
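To make the ordering hazard concrete, here is a toy first-match evaluator that models the four ingredients of an EdgeWall policy (identity, connection profile, security profile, access policy) and runs the same three requests through a correctly ordered rule list, a list with the broad allow placed too high, and a list with the broad deny placed too high. This is an added illustration, not Vernier's policy engine or any code from the product; the rule fields, group names, VLAN names, addresses and hours are all made up for the example.

```python
# Toy first-match access-policy evaluator, added here to illustrate top-down rule
# matching. NOT Vernier's engine; every selector, group, address and hour below is
# constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    groups: frozenset = frozenset()      # identity: any of these groups; empty = anyone
    locations: frozenset = frozenset()   # connection profile: empty = any location
    hours: tuple = ()                    # connection profile: (start, end) hour window; () = any time
    require_posture: bool = False        # security profile: host check must have passed
    dst: str = "0.0.0.0/0"               # access policy: destination network
    ports: frozenset = frozenset()       # access policy: empty = any TCP port


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    location: str
    hour: int            # 0-23, local time of the connection attempt
    posture_ok: bool     # result of the endpoint scan
    dst_ip: str
    dst_port: int


def matches(rule: Rule, req: Request) -> bool:
    """True when every populated selector of the rule fits the request."""
    if rule.groups and not (rule.groups & req.groups):
        return False
    if rule.locations and req.location not in rule.locations:
        return False
    if rule.hours and not (rule.hours[0] <= req.hour < rule.hours[1]):
        return False
    if rule.require_posture and not req.posture_ok:
        return False
    if ip_address(req.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.ports and req.dst_port not in rule.ports:
        return False
    return True


def evaluate(rules, req: Request):
    """Walk the list top down; the first matching rule decides and nothing below it
    is consulted. No match at all falls through to an implicit deny."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "implicit-default"


def check_order(rules, expectations):
    """Regression check for rule ordering: returns (user, got, wanted) for every
    sample request whose first-match verdict differs from the author's intent."""
    return [(req.user, got, want) for req, want in expectations
            if (got := evaluate(rules, req)[0]) != want]


# Intended policy: only finance may reach the finance servers (10.0.5.0/24); other
# staff reach the rest of the corporate net if their host check passed; guests get
# only web traffic, from the guest VLAN, during business hours.
FINANCE_ONLY = Rule("finance-servers", "allow", groups=frozenset({"finance"}),
                    require_posture=True, dst="10.0.5.0/24")
BLOCK_FINANCE = Rule("block-finance", "deny", dst="10.0.5.0/24")
STAFF_CORP = Rule("staff-corp", "allow", groups=frozenset({"staff"}),
                  require_posture=True, dst="10.0.0.0/8")
GUEST_WEB = Rule("guest-web", "allow", groups=frozenset({"guest"}),
                 locations=frozenset({"guest-vlan"}), hours=(8, 18),
                 ports=frozenset({80, 443}))

CORRECT_ORDER = [FINANCE_ONLY, BLOCK_FINANCE, STAFF_CORP, GUEST_WEB]    # specific before general
TOO_PERMISSIVE = [STAFF_CORP, FINANCE_ONLY, BLOCK_FINANCE, GUEST_WEB]   # broad allow shadows the deny
TOO_RESTRICTIVE = [BLOCK_FINANCE, FINANCE_ONLY, STAFF_CORP, GUEST_WEB]  # broad deny shadows the allow

ENGINEER = Request("alice", frozenset({"staff", "engineering"}), "hq", 10, True, "10.0.5.20", 445)
ACCOUNTANT = Request("bob", frozenset({"staff", "finance"}), "hq", 10, True, "10.0.5.20", 445)
VISITOR = Request("carol", frozenset({"guest"}), "guest-vlan", 20, False, "93.184.216.34", 443)
EXPECTED = [(ENGINEER, "deny"), (ACCOUNTANT, "allow"), (VISITOR, "deny")]

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("too permissive", TOO_PERMISSIVE),
                         ("too restrictive", TOO_RESTRICTIVE)):
        print(f"{label:16s} mismatches: {check_order(rules, EXPECTED)}")
```

The engineer's SMB connection to a finance server is denied by the correctly ordered list, allowed when the broad staff rule sits above the finance deny, and the accountant is locked out of her own servers when the broad deny sits above the finance allow. The `check_order` helper is the practical takeaway: keep a table of representative requests with their intended verdicts and re-run it every time the rule list is edited, since the engine itself will not warn you that a rule has become unreachable.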