Plug-n-click network access management
StillSecure, Vernier Networks keep close eye on policy complianceFollow @rogeragrimes
In an increasingly crowded field, StillSecure Safe Access 3.0 and Vernier Networks EdgeWall Express 7000 NAM (Network Access Management) devices distinguish themselves by offering customers additional access-control protection with minimal configuration and customization
NAM solutions attempt to ensure that critical security policies are enforced before a computer connects to a protected network. Common compliance checks include checking for up-to-date anti-virus software, installed patches, and closed vulnerabilities. Other solutions may include the ability to monitor and detect newly emerging threats, quarantining problem computers, and automatically remediating security events. The goal is to stop computers with individual weaknesses from threatening the whole enterprise.
StillSecure Safe Access
Safe Access 3.0 is a solid layer 2 contender in the NAM field. Based on a hardened version of Red Hat Linux, the Safe Access server requires a Pentium 4 1.2GHz or faster processor, 1GB of RAM, and two network cards. Once the server portion is installed (an easy process), you connect over HTTPS using a browser.
At this point, most users could simply accept the defaults and have a solid NAM product. For those who want to go further, Safe Access has two main modes: gateway and DHCP. Gateway mode allows Safe Access to act as a layer 2 chokepoint. In DHCP mode, the product can refuse to assign a valid DHCP lease to clients until after they have met compliance criteria.
The DHCP mode is meant for a quick setup, but can be bypassed with a valid static IP address. Gateway mode forces the client into a restricted VLAN until the required tests are done; it is not easily bypassed. Access control checks are keyed off NetBIOS traffic or the client initiating a DCHP or DNS-resolution request.
Safe Access comes with dozens of predefined client (compiled Python) test scripts to test a client workstation for patch levels, current anti-virus software, various software settings, and Windows security settings.
The major weakness here is that clients cannot easily view the scripts to determine accuracy. For example, the default patch-checking scripts only query registry settings to determine compliance, which isn’t the most accurate method. You can create customized scripts in Python using an API to check file versions and MD5 hash values to ensure a higher rate of accuracy.
There are three predefined monitoring policies — Low, Medium, and High Security — and you can make custom policies. Although one policy is designated as the default, you may tie any client to any particular policy using its MAC or IP address, NetBIOS name, or domain-name suffix.
Safe Access can also be configured to recheck compliance at user-defined intervals — a feature not found in every NAM solution. It provides additional assurance that a client isn’t disabling security controls after he or she has successfully logged on.
The administrator determines the default action to take when a client fails a compliance test — the quarantine decision can be set per test, per policy, or per device. An administrator can give one type of access to internal users and another type to external users, vendors, and consultants.
Safe Access’s main console also lets an administrator allow or deny all access with one mouse click, which could be useful during a worm outbreak. It has a nifty customizable stoplight feature that shows, among other things, who has and hasn’t met the security policy criteria.