NAC smorgasbord: Four ways to police the network
Enterasys, McAfee, Symantec, and Trend Micro take myriad routes to policy-based access control
The step-by-step policy configuration was simple to create, thanks to the wizardlike interface. Using a browser for configuration is an obvious advantage, and the ability of the device to direct cleanup of end points is a major advantage. Integration with Trend Micro Real-Time Scanner, a small applet that allows systems without a normal agent to have one loaded for analysis, helps with guest access.
Like McAfee and Symantec, Trend Micro supports other vendors’ anti-virus products for host posture collection. While it does not offer the same depth of options for each of the alternatives as McAfee, it does allow for integration across multiple products.
The products we tested represent a broad range of options for organizations seeking policy-based network access control. The Enterasys system, which includes per-port policy management when married to Enterasys switches, represents the comprehensive and complex end of the spectrum. The gateway solutions from Trend Micro and Symantec, which provide extensive traffic analysis as an integral part of NAC, offer a middle ground. Finally, we reach the other end of the scale with the easy policy management systems from McAfee and Symantec. The variety of options allows organizations to consider their goals for NAC and to choose a solution that maps to their needs.
Solutions that use a gateway system through which all network traffic passes and those that integrate directly with the switch infrastructure allow for complex traffic analysis to be an integral component of NAC. They also allow for traffic anomalies such as zero-day worms to trigger network access policies that isolate infected systems and protect the network and other systems from infection. More basic NAC is available through host-based analysis.
Before analyzing your options, define the policies you want to be able to enforce, and consider whether or not you need to be able to base your policies on user identity and user group information, or if authentication pass/fail is sufficient. Not all solutions can handle identity-based scenarios. The Symantec and McAfee solutions operate independently of or in concert with authentication systems such as 802.1x, but neither can take user identity into account. The Enterasys and Trend Micro solutions can act as a RADIUS proxy and the Trend Micro system can use LDAP or AD. Both can tap user and group information as components of policies.
The first step on the road to NAC is to develop a comprehensive network security policy that covers the complete network topology and the rules for access to every corner of it. For most organizations, deploying 802.1x for standards-based authentication is essential. Without authentication, fine-grained policies aren’t possible.
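To make the policy choices above concrete, here is a small policy engine (an added illustration, not code from InfoWorld or from any of the four vendors) that takes the kinds of inputs these products collect, an 802.1x pass/fail result, optional user and group information from a RADIUS or LDAP/AD lookup, host-posture facts from an agent or on-demand scanner, and anomaly flags from gateway traffic analysis, and returns the network role the endpoint is placed in. The `identity_aware` switch shows the difference between a product that can only act on authentication pass/fail and one that can use group membership. The VLAN names, group-to-role map, and seven-day signature-age threshold are constructed values, not anything a vendor ships.

```python
"""Toy NAC policy engine (added illustration; not any vendor's product code).

Rules are evaluated in order and the first match wins, mirroring the
step-by-step policy configuration the reviewed products expose.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Network roles; VLAN names are constructed placeholders.
QUARANTINE = "quarantine-vlan"   # remediation servers only
GUEST = "guest-vlan"             # Internet-only access
CORP = "corp-vlan"               # general employee access
DENY = "deny"                    # safety net, not reachable with the catch-all rule

MAX_SIG_AGE_DAYS = 7             # constructed posture threshold

# Group-to-role map, consulted only in identity-aware mode (constructed values).
GROUP_ROLES = {"finance": "finance-vlan", "engineering": "eng-vlan"}


@dataclass
class Endpoint:
    authenticated: bool                  # 802.1x result (pass/fail)
    user: Optional[str] = None           # identity from RADIUS/LDAP, None if unavailable
    groups: tuple = ()                   # group memberships from LDAP/AD
    av_running: bool = False             # host-posture fact from agent or on-demand scan
    sig_age_days: Optional[int] = None   # None means the scanner could not tell
    anomalies: tuple = ()                # e.g. ("port-scan",) from gateway traffic analysis


def posture_ok(ep: Endpoint) -> bool:
    """Host posture passes when AV is running and signatures are fresh enough."""
    return (ep.av_running
            and ep.sig_age_days is not None
            and ep.sig_age_days <= MAX_SIG_AGE_DAYS)


def group_role(ep: Endpoint) -> Optional[str]:
    """First mapped group wins; None when no group has a dedicated role."""
    for g in ep.groups:
        if g in GROUP_ROLES:
            return GROUP_ROLES[g]
    return None


def decide(ep: Endpoint, identity_aware: bool) -> str:
    """Return the role for an endpoint; first matching rule decides."""
    rules: list[tuple[Callable[[Endpoint], bool], Callable[[Endpoint], str]]] = [
        # 1. Behavioural evidence (worm-like traffic, scanning) isolates the host
        #    regardless of authentication state.
        (lambda e: bool(e.anomalies), lambda e: QUARANTINE),
        # 2. Unauthenticated host: guest network if an on-demand scan finds it
        #    healthy, otherwise quarantine.
        (lambda e: not e.authenticated,
         lambda e: GUEST if posture_ok(e) else QUARANTINE),
        # 3. Authenticated but unhealthy: send to remediation.
        (lambda e: not posture_ok(e), lambda e: QUARANTINE),
    ]
    if identity_aware:
        # 4. Healthy and authenticated: role by group when identity is available.
        rules.append((lambda e: group_role(e) is not None,
                      lambda e: group_role(e)))
    # 5. Default for healthy, authenticated hosts (the only outcome a
    #    pass/fail-only product can reach for them).
    rules.append((lambda e: True, lambda e: CORP))

    for match, action in rules:
        if match(ep):
            return action(ep)
    return DENY


if __name__ == "__main__":
    # Constructed sample endpoints.
    samples = {
        "healthy finance user": Endpoint(True, "alice", ("finance",), True, 2),
        "stale signatures": Endpoint(True, "bob", ("engineering",), True, 30),
        "guest, scanned clean": Endpoint(False, av_running=True, sig_age_days=1),
        "scanning host": Endpoint(True, "carol", (), True, 1, ("port-scan",)),
    }
    for name, ep in samples.items():
        print(f"{name:24s} pass/fail: {decide(ep, False):16s} identity-aware: {decide(ep, True)}")
```

Running the block prints the same endpoints under both modes; only the healthy finance user is placed differently, which is exactly the capability gap the text describes between pass/fail-only products and those that can consume user and group data.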
The products continue to improve. Begin to budget for implementation because it will not be long before you’ll be ready to do it.