NAC appliances reveal who's rapping at your network door
NAC boxes from Caymas, Lockdown, Nevis, and Vernier separate valid users from troublesome intruders
Vernier's EdgeWall end-point host assessment is one of the strongest in our roundup, with a wide range of host-assessment tests and checks. Each host-assessment policy is made up of a policy-compliance scanset and a vulnerability scanset. A policy-compliance scanset defines requirements such as anti-virus, personal firewall, and OS patch level. I was happy to see that other choices, such as MS security updates and minimum browser versions (both IE and Firefox), are also included. Even more interesting are the vulnerability scansets. These OS-specific scansets allow admins to probe a host for specific vulnerabilities such as backdoors, port scanners, remote file access, and a wide range of exploitable applications.
As comprehensive as this appliance is, it does have one flaw: Instead of a Java or ActiveX scan engine, Vernier uses SMB credentials to gain access to the client. The scan engine needs a user name and password with rights to the local device in order to perform a thorough policy-compliance check. This requirement also means that Mac and UNIX hosts cannot be scanned to the same level as Windows hosts. The end-point compliance service, however, can scan a host for open ports or other vulnerabilities that don't require local access to the system. I like that I could scan a host during authentication and also rescan the host on a recurring interval. This feature helps prevent users from disabling their anti-virus software after logging in. If that happens, the EdgeWall moves the client into the appropriate policy until it is back in compliance.
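To make the policy-compliance scanset and recurring-rescan behaviour described above concrete, here is an added illustration (not Vernier's code or the EdgeWall's actual policy format) that models a scanset as a set of named checks, assesses a host against it, and moves the host between a production policy and a remediation policy as rescans come in. The check names, the patch-level threshold and the minimum IE/Firefox versions are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class HostState:
    """Snapshot of what a host-assessment scan observed on the client (constructed)."""
    av_running: bool
    firewall_on: bool
    os_patch_level: int
    ms_updates_current: bool
    browser: str          # "ie" or "firefox"
    browser_version: int

# Constructed minimum browser versions; unknown browsers never satisfy the check.
MIN_BROWSER_VERSION = {"ie": 7, "firefox": 2}

# Constructed policy-compliance scanset mirroring the requirements the review lists:
# anti-virus, personal firewall, OS patch level, MS security updates, minimum browser.
SCANSET = {
    "antivirus":      lambda h: h.av_running,
    "firewall":       lambda h: h.firewall_on,
    "os_patch_level": lambda h: h.os_patch_level >= 3,
    "ms_updates":     lambda h: h.ms_updates_current,
    "min_browser":    lambda h: h.browser_version >= MIN_BROWSER_VERSION.get(h.browser, 10**9),
}

def assess(host: HostState) -> list[str]:
    """Return the names of the failed checks; an empty list means compliant."""
    return [name for name, check in SCANSET.items() if not check(host)]

def assign_policy(host: HostState) -> tuple[str, list[str]]:
    """Map an assessment to the policy the client is placed in."""
    failed = assess(host)
    return ("remediation" if failed else "production", failed)

def rescan_history(snapshots: list[HostState]) -> list[str]:
    """Policy assigned after the login scan and after each recurring rescan.
    A host that disables AV after logging in drops to remediation on the next rescan
    and returns to production once it is compliant again."""
    return [assign_policy(s)[0] for s in snapshots]

if __name__ == "__main__":
    ok = HostState(True, True, 4, True, "firefox", 2)
    av_off = HostState(False, True, 4, True, "firefox", 2)
    print(rescan_history([ok, av_off, ok]))  # ['production', 'remediation', 'production']
```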
Reporting is one weak area in EdgeWall. Admins can send log file information to a Syslog server or directly to a Network Intelligence system. Raw log files are available on the appliance, and you can apply some basic filters such as time period and severity, but graphical reports or user statistics are not available.
All of the NAC appliances I reviewed need some improvement, but Caymas and Vernier are clearly on the right track. When Nevis releases its host assessment service, and if the company works on its UI, its solution will be worth consideration. Lockdown is interesting because it doesn't require IT to rip and replace a closetful of switches (à la Cisco); it works with what is already in place. Its use of VLANs is unique but does cause us to worry about scalability and flexibility. When deployed with some foresight, however, it will work well.
This review has been corrected to note the support for multiple authentication methods per port in Lockdown Enforcer and the availability of the Lockdown Sentry appliance for remote offices, two factors that make Lockdown's solution more flexible and scalable than was reflected in the original review. The score we awarded to Lockdown Enforcer for Scalability has been raised from 7 to 8, giving it an overall score of 7.9. InfoWorld regrets the errors.
Victor R. Garza and Roger A. Grimes contributed to this review.