Sophos NAC Advanced v3.2.2
Strengths: Reporting, customisable policy templates, DHCP integration capabilities
Weaknesses: Subscription-based pricing may be costly for larger enterprises
Verdict: Decent NAC solution for managing patch, AV and firewall compliance on endpoints
Sophos NAC Advanced v3.2.2 is a software-based offering providing central management for policy, assessment, reporting/auditing/alerting, mitigation and enforcement by user group, through integration with both Active Directory and LDAP.
Installation requires quite a bit of preparation and configuration. Setup of the NAC Advanced Compliance Application Server is a fully scripted install. A typical customer installs the Sophos NAC Advanced Compliance Manager on a dedicated Windows Server 2003/2008 Enterprise edition. You can use the SQL database or have a separate SQL 2005/2008 database running on dedicated servers.
The solution supports a combination of agent-based enforcement for managed endpoints and DHCP-based enforcement for unmanaged endpoints. There is also a web agent that is downloadable as a dissolvable Java component and support for 802.1X.
Both pre- and post-authorisation of managed endpoints is included. Pre-authorisation is available for guest endpoints when using the dissoluble Java agent. It can also provide NAC for IPsec and SSL VPNs.
Sophos NAC Advanced includes pre-defined compliance detections for almost 800 applications, as well as over 1,600 OS patch detections. This provides over 2,400 predefined detections for inclusion within policy with just a simple click of the mouse. The roll up concept from groups, policies and profiles can be complicated at first but once you get the concept, this becomes a very comprehensive policy tool, delivering multiple levels of compliance. Numerous templates are available to help create enforcer templates.
The reporting and alerting capabilities are very detailed. Compliance level details are readily available and a compliance dashboard clearly displays the overall status of the user population. There are very detailed drilldown capabilities from the high-level reporting dashboard. Full audit logging for all system access and changes are available. Alerting is very flexible and the configuration is through an easy-to-use drop-down menu.
Standard 24/7 phone, email and web support is included with the product. There are upgraded support options available for a 15 and 25 per cent upgrade.
Sophos NAC Advanced takes some time to get running but is easy to manage once set up.