NAC smorgasbord: Four ways to police the network
Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control
Administrators create new policies using a wizard-based interface in the Policy Management Console, by copying another policy and editing it, or by filling in a blank policy template from scratch. The policy list allows for the editing of the major policy fields through pull-downs on the screen -- a nice touch for quickly viewing options and making changes while being certain that you are choosing viable options.
Rules are defined separately from the policies and, thus, made available to the policy editor. So, for example, an “Allow VPN” rule can be applied or disabled for any of the policies independently but is easily visible when editing the policies. Rules are created, edited, and deleted from within the policy editor.
Once policies are created in the policy library, you assign them to locations where they will be applied. Within each location, the system administers policies based on user authentication status, host integrity status, and applications running on the host.
Policy enforcement is dependent upon the type of Enforcer in use. When configuring switches for the LAN Enforcer, the switch profiles include the VLANs and the VLAN assignment based on authentication status of both the host and the user as well as whether or not the system profile passed. Any combination of pass/fail for these states can cause a VLAN assignment.
Because the Gateway Enforcer manages traffic through inline filtering, and can make decisions based on active traffic, it provides more control than VLAN assignment. For example, the Gateway can detect changes in traffic patterns that could indicate a zero-day infection and isolate the traffic to keep it from spreading.
SNAC conquered all the scenarios we expected it to handle, but like McAfee Policy Enforcer, it does not support policy variation by authentication parameters such as user name or user group. It is not possible to assign policies based on those characteristics. It is, however, possible to assign policies based on whether or not the client passed authentication.
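As an added illustration (not part of the review and not Symantec's code), the following Python models the kind of LAN Enforcer switch profile described above: a decision table keyed on the pass/fail state of host authentication, user authentication, and host integrity, with any unlisted combination falling through to a quarantine VLAN. It also makes the limitation noted in the previous paragraph concrete: the username and group are available to the evaluator but play no part in the decision. The VLAN ids, the profile, and the endpoint records are all constructed sample values.

```python
"""Model of a LAN Enforcer-style switch profile: each combination of
host-authentication, user-authentication and host-integrity pass/fail
maps to a VLAN.  Hypothetical illustration; not Symantec's code."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional


class Vlan(Enum):
    PRODUCTION = 10     # host, user and integrity all passed
    REMEDIATION = 20    # known host and/or user, integrity check failed
    GUEST = 30          # unknown host, no user credentials, integrity passed
    QUARANTINE = 99     # default for any state the profile does not list


# Constructed switch profile.  Key is
# (host_authenticated, user_authenticated, integrity_passed).
SWITCH_PROFILE = {
    (True,  True,  True):  Vlan.PRODUCTION,
    (True,  True,  False): Vlan.REMEDIATION,
    (True,  False, True):  Vlan.REMEDIATION,
    (False, False, True):  Vlan.GUEST,
    # Any state not listed here (for example, no authentication at all and a
    # failed integrity check) falls through to QUARANTINE in assign_vlan().
}


@dataclass(frozen=True)
class Endpoint:
    """What the enforcer learns about a connecting device (constructed)."""
    mac: str
    username: Optional[str]    # None when no user credentials were presented
    group: Optional[str]       # directory group, if known
    host_authenticated: bool   # result of the host (machine) authentication
    integrity_passed: bool     # result of the agent's host-integrity check


def assign_vlan(host_auth: bool, user_auth: bool, integrity_ok: bool) -> Vlan:
    """Look up the VLAN for one pass/fail combination; fail closed to quarantine."""
    return SWITCH_PROFILE.get((host_auth, user_auth, integrity_ok), Vlan.QUARANTINE)


def evaluate(endpoint: Endpoint) -> Vlan:
    """Reduce an endpoint to the three pass/fail states the profile keys on.

    Username and group are deliberately not consulted: as the review notes,
    policy selection depends only on whether authentication passed, not on
    who authenticated or which group they belong to.
    """
    user_auth = endpoint.username is not None
    return assign_vlan(endpoint.host_authenticated, user_auth, endpoint.integrity_passed)


def evaluate_all(endpoints: Iterable[Endpoint]) -> Dict[str, int]:
    """Return {mac: vlan_id} for a batch of endpoints."""
    return {e.mac: evaluate(e).value for e in endpoints}


SAMPLE_ENDPOINTS = [  # constructed records, not captured data
    Endpoint("00:11:22:33:44:01", "alice", "finance", True, True),
    Endpoint("00:11:22:33:44:02", "bob", "contractors", True, True),
    Endpoint("00:11:22:33:44:03", "carol", "finance", True, False),
    Endpoint("00:11:22:33:44:04", None, None, False, True),
    Endpoint("00:11:22:33:44:05", None, None, False, False),
]

if __name__ == "__main__":
    for mac, vlan_id in evaluate_all(SAMPLE_ENDPOINTS).items():
        print(f"{mac} -> {Vlan(vlan_id).name} ({vlan_id})")
```

Running the block shows "alice" in finance and "bob" in contractors landing on the same production VLAN, because only the pass/fail flags reach the table; putting contractors on a different VLAN would require a user- or group-aware policy, which is exactly what the review says this product does not offer.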
The availability of both a gateway device and a LAN enforcement device provides many options for implementation, especially for guest access. The policy management interface is comprehensive, but the presence of the different Enforcers creates multiple policy definitions that interact in ways that may be unclear to administrators who don't use the system daily.
Trend Micro Network VirusWall Enforcer 2.0
Trend Micro Network VirusWall Enforcer (NVWE) 2.0 and Trend Micro Control Manager (TMCM) 3.5 couple a NAC gateway appliance with a browser-based configuration interface. NVWE is a “plug-and-protect” device designed to ensure that all devices -- local or remote, managed or unmanaged -- are determined to be compliant before they are allowed onto the network. NVWE also offers network worm prevention, as well as port, agentless, and agent-based scanning of devices.