Product Group Tests

NAC (2010)

by Michael Lipinski September 01, 2010
products

GROUP SUMMARY:

Network Sentry v4.1.1 from Bradford Networks is the Best Buy for its strong performance, great device discovery tools and ability to phrase in protection.

We rate McAfee Network Access Control Recommended. It is a fully featured strong platform, with numerous policy options.

Controlling access to the network takes the right tools. Michael Lipinski reviews seven possibilities.

In trying to protect our host-based computing platforms and network resources from threats that are brought in by our employees, vendors, contractors and guests, we have created policies that control how these are allowed to access our resources.

How do we validate that all of our endpoints comply with our network access policies? We deploy anti-virus and firewalls, but are they up-to-date and properly configured? We ban certain applications and peer-to-peer programs from use in our environment, but do we know for sure that our IDS/IPS solutions are catching anyone that tries to use them anyway? We have to provide guest access to our network resources, so how do we ensure that guest machines are compliant with the same policies that our employees must adhere to?

Controlling access to network resources at the endpoint has become a powerful tool in a security architecture.

Network Access Control (NAC) products can be used to validate the existence of certain security measures and validate that those are properly configured and up-to-date. These can also validate the existence of up-to-date operating system patches and can be used to manage the complexity associated with managing permissions and authorisations for various groups of users. Most will integrate with a common directory structure; some will provide local authentication capabilities, while others can match something on the endpoint such as an agent or Mac address, before allowing access to the protected network resources. With all of these capabilities, it is easy to see how this technology can be a critical component in defending zero-day malware threats.

When choosing a NAC solution, you will have numerous options, such as inline verses out-of-band. Inline products act more like internal firewalls and have all of the traffic passing through them. Out-of-band solutions rely on agents on the endpoints that communicate with a centralised management console.

Out-of-band NAC solutions can use those agents to validate policy compliance, and can either front-end directory/authentication systems to block that access if not compliant, or configure network switches to enforce that policy by controlling port access or through VLAN assignment. The types of agents these solutions use is important for your environment. Some may use a small Java-based agent in the browser, others will deploy persistent or dissoluble agents and some may be agentless.

Both choices of inline verses out-of-band and agent-type support will all be important for supporting a variety of end-user access requirements, such as contractor or guest access. Some products focus on pre-admission compliance scans, some have post-admission monitoring capabilities, while others provide the pre-authorisation and integrate with other security defences to monitor and deliver post admission monitoring.

For this group, our test and review methodology was based upon vendor provided web demos. We focused on the same key criteria that we have always used: end-user experience relating to implementation of the technology, set up, use and ongoing management and support. We reviewed the features and functionality of the technologies as they related to the core requirements of NAC. We looked for key product differentiators and add-on technologies that went beyond the basics.

We focused on the ability of these products to deploy and scale within a large enterprise and looked for features such as scalability, central management, reporting and alerting capabilities and disaster recovery/survivability capabilities. Since we used a web demo platform for reviewing these, we did not perform the actual product installations and initial configurations. We did however review each product's implementation and quick-start guides so that we could provide some level of detail on the expected deployment expectations and requirements.

Choosing the right NAC solution will come down to the needs of the enterprise. You may require an easily deployed technology that fits into the existing network infrastructure. You may want strong agent-based control of the endpoints. Is a solution that sits 'on the wire' and looks at network traffic something that you require? We found some technologies that delivered the best of inline and agent-based approaches.

All of the products we reviewed delivered on one or more parts of the NAC value proposition. Most provided a mature, easy to use management system for configuring and managing the endpoint access.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US