Product Group Tests

NAC (2008)

Group Summary

The BigFix Enterprise Server is our Best Buy. It is a true top-rate product that boasts easier administration than most while still including a massive number of features.

Our Recommended award goes to Sophos NAC Advanced for its great balance between ease of use and security, plus free lifetime support.

Scroll To Full Group Summary Below

Click for a side by side comparison of products
Click for a side by side comparison of products

Full Group Summary

Network access control tools work best if used with 802.1x for authentication, but many organisations are missing out on this added protection against intruders. Justin Peltier reports.

Network Access Control (NAC) is most commonly used as a software component to determine if a machine is in compliance with the NAC policy. Most vendors also support an agentless client that uses JAVA and a web browser to check for policy compliance.

Regardless of how the device is measured against the policy; the typical configuration employs virtual local area networks to segregate the physical LAN into multiple parts. Usually one VLAN is configured as part of the production network, where compliant machines are assigned. The other VLAN is a quarantine/purgatory network segment that only has internet access at best, but, in most cases, the non-compliant device can only reach remediation servers.

The agent can perform a number of checks, such as browser version and service packs; operating system configuration and patches; whether anti-virus is installed and has the most recent updates; whether the system has recently run a complete virus scan; and whether the required personal firewall is installed and active.

If the device passes all these tests, the usual next step is to authenticate the user. This is where 802.1x shines. Communication between the device and the supplication (router, switch, or wireless access point) begins at a data link-only connection. This connection further protects the network by only allowing authentication packets to pass through the supplicant to the authenticator (usually a Radius server or an internal user database), allowing the supplicant to function as a hardware firewall. If authentication is granted, many client configuration options will be sent along with the successful login message. These options can include the VLAN the device is supposed to be on and the IP address tied directly to a user ID.

Encryption keys can also be passed within the 802.1x successful messages. In the case of Cisco, the authentication can also specify the firewall rule set, which is tied to the user authentication. Despite the many security advantages of using 802.1x, most organisations have yet to incorporate and leverage the user authentication components.

Not every NAC offering uses 802.1x for authentication and the NAC device authenticates to a local database of users. All NAC offerings have a time-checking method, whereby the client has to continue to verify the device configuration and compare the current configuration against the NAC policy. Each NAC offering has the ability to check for newly activated ports on a switch or similar device. This allows the administrator to know within minutes if an authorised device has been attached to the network.

Some NAC products use the MAC address to determine if the rogue device may possibly be an unauthorised wireless access point. Many NAC products allow the NAC enforcer to disable the physical port on the switch until the device can be manually approved or disallowed.

The biggest drawback to NAC without the 802.1x authentication is the possibility that a clever intruder can spoof both IP addresses as well as hardware (MAC) addresses. Some NAC solutions have features to minimise the likelihood of a rogue system on the network, but the protection methods are not infallible.

Most NAC offerings include an agent that can be used on several operating systems. We were even able to use a Windows 98 machine to install, run the client, and authenticate for access to the corporate LAN. Some products included installation clients for Mac systems, but these clients were only functional on Mac OS 10.4 and 10.5. If the Mac system did not meet the compatibility criteria for the client, it could still access the production network through a web browser. None of the tools we tested had an agent for Linux machine or for X64 bits Windows OS. The devices would have to use the browser-based dissolvable agent instead.

How we tested
Each test was performed differently, depending on the manufacturer and the list of NAC compliance. We used up to five different clients; including Windows XP home edition, Windows XP professional edition, Vista business addition and Mac OS 10.4. This array of clients allowed us to test both the installed agent and the dissolvable agent.

Having been in this industry long enough to remember the first time node authentication was the new security solution; we have been slightly surprised at how far these devices have come.

- For details on how we test and score products, visit

All Products In This Group Test