NAC smorgasbord: Four ways to police the network
Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control
The Sentinel TAM -- which is responsible for managing the Sentinel TAGs that enforce the policies -- provides authentication proxy and network enforcement. One TAM can manage many TAGs, allowing for centralized management of a widely distributed network.
Our test system used an Enterasys Matrix N-series core switch and a B-series edge switch equipped with the system daughter card. The daughter card ran the TAG.
Our Enterasys environment also included the Dragon Security Command Console to manage security events and the Dragon network intrusion detection product to watch network traffic and report anomalies for action. The Dragon components are not a necessary part of Enterasys’ NAC implementation, and they come at significant additional cost.
The Enterasys system, especially when including the optional IDS, is more comprehensive than the other three solutions. The system provided integrated capabilities for all of our test scenarios, using agent-based scanning of the clients to determine client posture. The Enterasys solution supports the VLAN assignment approach, but by leveraging the Enterasys switches, we were able to assign policies that were even more granular. As a result, for example, devices did not change IP subnets as they moved from one state to another, eliminating the need to force a DHCP release/renew and the accompanying delay.
The switch policies also allowed us to limit the traffic both to and from the attached devices on each port, and the TAM could optionally force a vulnerability assessment scan of the device using Nessus.
Using either VLAN assignment or port policies, the Sentinel system can appropriately limit access of the client systems based on both the identity of the user and the posture of the system. Using the network IDS to detect changes in traffic to or from a client, Sentinel could even trigger changes to the network configuration in response -- a great asset for larger organizations defending against zero-day attacks.
Furthermore, the port-level policies allowed us to configure ports to permit only the traffic that made sense for each user and device. For example, telephones could talk only to the call manager, and guests could access the Internet only on certain ports. We could also lock down the network using predefined policies based on user identity, effectively ensuring that only appropriate traffic could be sent or received.
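The identity-plus-posture decision described in the last two paragraphs, as an added Python model that is not Enterasys code: roles, zones and port numbers are constructed for illustration, and the point it shows is that a posture failure or IDS alert swaps the port policy while the device keeps its IP address.

```python
"""Toy model of per-port NAC enforcement: identity + posture -> allowed flows."""

# Constructed policy table (illustrative, not Enterasys' own syntax).
# Each rule is (destination zone, port, protocol); "*" is a wildcard.
POLICIES = {
    "phone":      {("call-manager", 5060, "udp"), ("call-manager", 2000, "tcp")},
    "guest":      {("internet", 80, "tcp"), ("internet", 443, "tcp")},
    "employee":   {("corp-lan", "*", "*"), ("internet", "*", "*")},
    "quarantine": {("remediation", 80, "tcp"), ("remediation", 443, "tcp")},
}


def select_policy(role, posture_ok, ids_alert=False):
    """Identity picks the baseline policy; a failed posture check or an IDS
    alert on the port's traffic moves the device to the quarantine policy."""
    if ids_alert or not posture_ok:
        return "quarantine"
    return role


def permitted(policy, dst, port, proto="tcp"):
    """Return True if the port policy allows a flow to dst:port/proto."""
    for r_dst, r_port, r_proto in POLICIES[policy]:
        if r_dst == dst and r_port in ("*", port) and r_proto in ("*", proto):
            return True
    return False


class Port:
    """An edge-switch port. Policy changes never touch the device's address,
    unlike VLAN reassignment, which forces a new subnet and a DHCP renew."""

    def __init__(self, device_ip):
        self.ip = device_ip          # assigned once, stays fixed
        self.policy = "quarantine"   # default until the device authenticates

    def apply(self, role, posture_ok, ids_alert=False):
        self.policy = select_policy(role, posture_ok, ids_alert)
        return self.ip, self.policy


if __name__ == "__main__":
    p = Port("10.1.2.3")                 # constructed sample address
    print(p.apply("employee", True))     # ('10.1.2.3', 'employee')
    print(p.apply("employee", True, ids_alert=True))  # same IP, 'quarantine'
```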
On the downside, the policy configuration for Sentinel was quite complex, especially since it crossed the boundaries of multiple products. But once the general concepts were stored in the system, creating new policies was typically a matter of duplicating other policies and modifying the specific protocols, networks, and other traffic limitations for each policy. And in this case, the extra effort can pay off. Per-port policies are powerful, providing an extra level of protection that’s attractive in these days of nasty network surprises.
McAfee Policy Enforcer 2.0