NAC smorgasbord: Four ways to police the network
Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control
The Enterasys system provides policy-based network enforcement on switches and uses system scanning, system state, and (optionally) network intrusion detection to determine the posture of the devices attempting to connect. The Trend Micro system is an enforcement gateway, examining traffic passing through the device and using posture collectors on the clients to determine their status for consideration in enforcing the policies. Symantec offers both a NAC gateway and DHCP-based enforcement. You might use only one or both of the Symantec products in your NAC architecture, depending on requirements. Like the Trend Micro solution, Symantec’s system uses posture collector agents and examines traffic passing through the gateway to determine what is allowable and what is not.
The last system we tested was McAfee Policy Enforcer. Using a combination of a robust, multivendor policy manager and any of the supported network access requesters and posture collectors, this system allows administrators to apply fine-grained policies based on the characteristics reported by many different posture validators, including anti-virus systems from McAfee’s competitors. Policy Enforcer is not an enforcement gateway but uses VLAN assignment to control access.
For those networks that use VLANs to segregate devices, all four solutions are capable of using VLAN assignment to shuttle systems onto the appropriate VLANs for the various system states. The McAfee system is able to differentiate locale, and so can select the appropriate VLANs based on the user’s location. The Enterasys system supplements VLAN assignment with the port-based policy capabilities of the Enterasys switches, providing a number of improvements over the pure VLAN-based approach.
Another distinction among the systems is support for 802.1x. Some enterprises will want to tap 802.1x authentication to provide different services and different levels of network access based on the user’s identity. For them, a system that integrates 802.1x and user identity will be essential. Neither Symantec nor McAfee does this.
If you are concerned only about the security posture of the systems connecting and easy Internet access for guests, implementing 802.1x may be unnecessary. All four of these solutions have the capabilities necessary to meet these requirements.
Enterasys Sentinel Trusted Access
Configuration of the system requires three related but separate applications, as well as connectivity to external systems for posture scanning and IDS. Policies are created in the NetSight Policy Manager and pushed to the appropriate network enforcement points.