NAC smorgasbord: Four ways to police the network
Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control
MPE provides an effective visual summary of current compliance status by system, subnet, and switch. The color-coded view gives an administrator an at-a-glance picture of the state of the environment while still allowing a drill-down into the details of any host or segment.
Based on host posture, the system uses VLAN assignment to move hosts onto the appropriate VLAN for remediation or quarantine. It is unique in this roundup in that it does not depend on McAfee hardware or agents: MPE can gather posture information from a wide variety of agents, including all the leading anti-virus clients, and it handles agentless systems through guest access policies.
Policy configuration starts with the definition of Quarantine Zones: VLANs set aside for purposes other than normal data traffic. Examples include VLANs for cleaning infected systems, for updating noncompliant ones, and for isolating unmanaged ones. These VLANs are the primary enforcement mechanism for systems not running the ePO client.
Once the VLANs are configured, you define rulesets covering the combination of states that make up a client posture. These states can span a broad range of information, and each rule can be set to trigger an alert, to enforce the policy, or to ignore the violation. The alert and ignore modes are convenient when creating new rules, or when you want to gauge the state of systems before introducing a new requirement for network access.
Each policy can then contain multiple compliance rules, scoped first by the version of Windows on the client. Additional parameters include the running anti-virus product and its state, the presence of a host firewall, security bulletins for the operating system and applications, and infections. The infections list is interesting in that it allows you to set individual rules keyed on the presence of a specific infection, a feature McAfee says customers have requested.
Once you’ve selected the posture, you determine the actions to take for noncompliance. The tabbed GUI gives admins a nicely focused set of choices within each tab. We found it easy to make changes without having to hunt for the settings.
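The workflow the preceding paragraphs describe (quarantine-zone VLANs, rulesets whose rules run in enforce, alert, or ignore mode, compliance checks scoped by Windows version, and a final VLAN assignment) can be modeled in a few dozen lines. The following is an added illustration written for this article, not McAfee Policy Enforcer code or its policy format; the VLAN numbers, rule names, approved-product list, infection name, and sample postures are all constructed assumptions.

```python
# Illustrative NAC posture evaluator (added example; not McAfee Policy
# Enforcer code). Models the workflow described above: quarantine zones
# (VLANs), rules that run in enforce / alert / ignore mode, and a final
# VLAN decision. All VLAN IDs, rule names and sample data are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional

# Quarantine zones: purpose -> VLAN ID (hypothetical numbering)
ZONES = {
    "production": 10,
    "remediation": 20,   # managed but noncompliant: push updates here
    "cleaning": 30,      # infected: isolate and disinfect
    "guest": 40,         # unmanaged / agentless systems
}

@dataclass
class Posture:
    """Host posture as reported by an agent (mostly empty if agentless)."""
    managed: bool                      # an agent is reporting posture
    authenticated: bool = False        # pass/fail only; identity is not used
    windows_version: str = ""
    av_product: Optional[str] = None
    av_enabled: bool = False
    av_signatures_current: bool = False
    firewall_enabled: bool = False
    missing_bulletins: list = field(default_factory=list)
    infections: list = field(default_factory=list)

@dataclass
class Rule:
    name: str
    applies_to: str                   # Windows version prefix; "" = any
    check: Callable[[Posture], bool]  # returns True when compliant
    mode: str                         # "enforce" | "alert" | "ignore"
    zone: str                         # zone used when enforced and failing

APPROVED_AV = {"McAfee VirusScan", "Symantec AV", "Trend Micro OfficeScan"}

RULES = [
    Rule("av-installed-and-current", "Windows XP",
         lambda p: p.av_product in APPROVED_AV and p.av_enabled
         and p.av_signatures_current, "enforce", "remediation"),
    Rule("host-firewall", "Windows XP",
         lambda p: p.firewall_enabled, "enforce", "remediation"),
    # Alert-only while a new patch requirement is being rolled out.
    Rule("critical-bulletins", "",
         lambda p: not p.missing_bulletins, "alert", "remediation"),
    # Rule keyed on one specific named infection (hypothetical name).
    Rule("no-known-worm", "",
         lambda p: "W32/Sample.worm" not in p.infections, "enforce", "cleaning"),
]

ZONE_PRIORITY = ["cleaning", "remediation"]   # most severe zone wins

def evaluate(posture: Posture, rules=RULES):
    """Return (vlan_id, zone, alerts, violations) for one host posture."""
    if not posture.authenticated:
        return None, "denied", [], []             # no network access at all
    if not posture.managed:
        return ZONES["guest"], "guest", [], []    # agentless: guest policy
    alerts, violations, zones_hit = [], [], set()
    for r in rules:
        if r.applies_to and not posture.windows_version.startswith(r.applies_to):
            continue                               # rule not scoped to this OS
        if r.check(posture) or r.mode == "ignore":
            continue
        if r.mode == "alert":
            alerts.append(r.name)                  # log only, no enforcement
        else:
            violations.append(r.name)
            zones_hit.add(r.zone)
    for z in ZONE_PRIORITY:
        if z in zones_hit:
            return ZONES[z], z, alerts, violations
    return ZONES["production"], "production", alerts, violations

if __name__ == "__main__":
    # Constructed sample: XP host with the firewall off and a known infection.
    infected = Posture(managed=True, authenticated=True,
                       windows_version="Windows XP SP2",
                       av_product="McAfee VirusScan", av_enabled=True,
                       av_signatures_current=True, firewall_enabled=False,
                       infections=["W32/Sample.worm"])
    print(evaluate(infected))
```

Two points the model makes concrete: a rule in alert mode never changes the VLAN decision, which is exactly why it is useful for trialing a new requirement, and when several enforced rules fail the host lands in the most restrictive zone hit rather than the first one evaluated.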
McAfee Policy Enforcer correctly handled all of the scenarios it is designed to tackle. Unlike the Enterasys system, it cannot make access decisions based on user identity, but only on pass/fail authentication. It could not differentiate between authenticated guests and authenticated employees, nor did it differentiate between unrelated users or user groups that were authenticated.