This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."
GOLD | Symantec Network Access Control
Network access control for several years has been the most overhyped product category in the security industry, inheriting the title from previous
Symantec Network Access Control, like most similar offerings, uses a server-and-agent architecture in which an agent is installed on each endpoint on the network and administrators handle policy creation and enforcement from a central console. When a protected device connects to the network, the agent performs a series of integrity checks on it to determine whether it complies with corporate policy.
Readers gave the product high marks for its enforcement options, ability to integrate with the existing infrastructure, as well as its logging and reporting capabilities.
Administrators can design policies that require certain patch levels, antivirus signature versions and personal firewall settings before access is granted. Symantec Network Access Control also ships with some canned policy templates. If a device is found to be noncompliant, the system can bring the machine into compliance by applying required patches or other protections before allowing it full access to the corporate network.
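The posture check and remediation loop described above, as an added example written for this article rather than code from Symantec or any of the products reviewed. It assumes a simple integer patch-level counter, an antivirus signature version of the form YYYYMMDD.NNN, three verdicts (allow, remediate, quarantine), and assumed network names for the enforcement point; the policy and the endpoint reports are constructed sample data.

```python
"""Minimal NAC posture-check engine (illustrative, not a vendor implementation).

The agent's report is compared against the administrator's policy; a
noncompliant host is either sent for automatic remediation or held in
quarantine when the report cannot be trusted enough to remediate.
Field names, verdict values and network names are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import date, datetime

SIG_RE = re.compile(r"^(\d{8})\.(\d{1,4})$")  # assumed "YYYYMMDD.NNN" format


@dataclass
class Policy:
    min_patch_level: int             # hypothetical monotonically increasing patch counter
    min_av_signature: str            # oldest acceptable signature version
    max_av_signature_age_days: int   # signatures older than this are stale even if >= minimum
    require_firewall: bool
    remediation_enabled: bool = True

    def __post_init__(self):
        if parse_signature(self.min_av_signature) is None:
            raise ValueError("policy has a malformed min_av_signature")


@dataclass
class EndpointReport:
    host: str
    patch_level: int
    av_signature: str
    firewall_enabled: bool
    reported_on: date


@dataclass
class Decision:
    host: str
    verdict: str                               # "allow", "remediate" or "quarantine"
    failures: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def parse_signature(version):
    """Parse 'YYYYMMDD.NNN' into (date, revision); None if unreadable.

    An unreadable value is reported as None rather than treated as 'old'
    so the caller can refuse to trust the report instead of passing it."""
    m = SIG_RE.match(version or "")
    if not m:
        return None
    try:
        sig_date = datetime.strptime(m.group(1), "%Y%m%d").date()
    except ValueError:
        return None
    return sig_date, int(m.group(2))


def evaluate(policy, report):
    """Run the integrity checks and decide allow / remediate / quarantine."""
    d = Decision(host=report.host, verdict="allow")
    hard_fail = False  # a condition automatic remediation cannot fix

    if report.patch_level < policy.min_patch_level:
        d.failures.append(f"patch level {report.patch_level} below required {policy.min_patch_level}")
        d.actions.append(f"install patches to level {policy.min_patch_level}")

    sig = parse_signature(report.av_signature)
    required = parse_signature(policy.min_av_signature)
    if sig is None:
        d.failures.append(f"unreadable antivirus signature version {report.av_signature!r}")
        hard_fail = True
    else:
        age_days = (report.reported_on - sig[0]).days
        if sig < required or age_days > policy.max_av_signature_age_days:
            d.failures.append(f"antivirus signatures {report.av_signature} are out of date")
            d.actions.append("update antivirus signatures")

    if policy.require_firewall and not report.firewall_enabled:
        d.failures.append("personal firewall disabled")
        d.actions.append("enable personal firewall")

    if d.failures:
        d.verdict = "quarantine" if (hard_fail or not policy.remediation_enabled) else "remediate"
    return d


def network_for(decision):
    """Map a verdict to the network the enforcement point should place the host on
    (assumed names; a real deployment would hand back a VLAN or DHCP scope)."""
    return "production" if decision.verdict == "allow" else "remediation"


# Constructed sample policy and agent reports.
POLICY = Policy(min_patch_level=42, min_av_signature="20070401.001",
                max_av_signature_age_days=7, require_firewall=True)

SAMPLE_REPORTS = [
    EndpointReport("laptop-01", 42, "20070409.002", True, date(2007, 4, 10)),   # compliant
    EndpointReport("laptop-02", 40, "20070409.002", False, date(2007, 4, 10)),  # old patches, firewall off
    EndpointReport("laptop-03", 42, "20070315.001", True, date(2007, 4, 10)),   # stale signatures
    EndpointReport("laptop-04", 42, "unknown", True, date(2007, 4, 10)),        # garbled agent report
]


def evaluate_all(policy=POLICY, reports=SAMPLE_REPORTS):
    """Evaluate every report; returns {host: Decision}."""
    return {r.host: evaluate(policy, r) for r in reports}


if __name__ == "__main__":
    for d in evaluate_all().values():
        print(f"{d.host}: {d.verdict} -> {network_for(d)}; {d.failures}; {d.actions}")
```

The design point worth noting is the split between "remediate" and "quarantine": a host whose report the console can read but which fails a check is pushed the fixes the policy calls for, whereas a host whose agent report cannot be interpreted is held back rather than guessed at, since remediation decisions made on unreadable input are exactly what an attacker controlling the endpoint would want.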
Symantec's product also has the ability to enforce policy on machines even when they're not connected to the network. And when an unknown device attempts to connect to the network via an SSL VPN, Web application or wireless switch, the system can install an on-demand agent to ensure the machine is within the accepted policy. It also includes support for 802.1X authentication over wired and wireless networks, as well as DHCP-based enforcement for LANs and wireless LANs. Interestingly, Symantec also has included support for Cisco's Network Admission Control agent.
The Symantec system gives customers the flexibility to use either a software and hardware approach or go with software only. The hybrid option requires the Symantec Sygate Policy Manager software and the Symantec Enforcer appliance, a 1U rack-mountable box that runs on a hardened version of Red Hat Linux ES 3.
SILVER | Cisco NAC
Cisco Systems recently changed gears on its Network Admission Control platform and began focusing its efforts on the NAC Appliance, formerly known as Cisco Clean Access. The company had been touting a more complex NAC system, which required expensive upgrades to routers and switches, but the cost and complexity of the system was an obstacle for many enterprises. The shift to the NAC Appliance has paid off, as Cisco pulled down the silver medal in the endpoint security category.
The appliance uses the network infrastructure to enforce security policy, authenticate and authorize users and evaluate and remediate wired and wireless devices before they are allowed full access to the network. The NAC Appliance not only has the ability to recognize devices, but also can identify individual users and their respective roles in the company, allowing it to make informed decisions on resource access.
BRONZE | McAfee Policy Enforcer
Price: $30 per host
Antivirus and intrusion prevention powerhouse McAfee garnered the bronze medal for its Policy Enforcer product. Policy Enforcer boasts all the features of other NAC systems, but is a software-based system and not an appliance. It's designed to be installed at various points across a network and integrates with the company's ePolicy Orchestrator management console for policy management and enforcement.
Policy Enforcer can discover managed and unmanaged devices on a network, and perform automated remediation in order to bring managed machines up to approved levels. McAfee also decided to include support for all major NAC enforcement frameworks in Policy Enforcer--Cisco NAC, Microsoft NAP (Network Access Protection) and the Trusted Computing Group's TNC (Trusted Network Connect). This gives administrators the flexibility to use whatever scheme they like best, without needing to replace agents or hardware.
This was first published in April 2007