GOLD | Symantec Network Access Control
Network access control for several years has been the most overhyped product category in the security industry, inheriting the title from previous champion PKI. Although vendors have promoted their wares as the next big thing, few have actually delivered any working products. Among those that have brought a system to market is Symantec, winner of the gold medal for endpoint security with its Network Access Control offering.
Symantec Network Access Control, like most similar offerings, uses a server-and-agent architecture in which an agent is installed on each endpoint on the network and administrators handle policy creation and enforcement from a central console. When a protected device connects to the network, the agent performs a series of integrity checks on it to determine whether it is complies with corporate policy.
Readers gave the product high marks for its enforcement options, ability to integrate with the existing infrastructure, as well as its logging and reporting capabilities.
Administrators can design policies that require certain patch levels, antivirus signature versions and personal firewall settings before access is granted. Symantec Network Access Control also ships with some canned policy templates. If a device is found to be noncompliant, the system can bring the machine into compliance by applying required patches or other protections before allowing it full access to the corporate network.
Symantec's product also has the ability to enforce policy on machines even when they're not connected to the network. And when an unknown device attempts to connect to the network via an SSL VPN, Web application or wireless switch, the system can install an on-demand agent to ensure the machine is within the accepted policy. It also includes support for 802.1x authentication over wired and wireless networks, as well as DHCP for LANs and wireless LANs. Interestingly, Symantec also has included support for Cisco's Network Admission Control agent.
The Symantec system gives customers the flexibility to use either a software and hardware approach or go with software only. The hybrid option requires the Symantec Sygate Policy Manager software and the Symantec Enforcer appliance, a 1U rack-mountable box that runs on a hardened version of Red Hat Linux ES 3.
SILVER | Cisco NAC
Cisco Systems recently changed gears on its Network Admission Control platform and began focusing its efforts on the NAC Appliance, formerly known as Cisco Clean Access. The company had been touting a more complex NAC system, which required expensive upgrades to routers and switches, but the cost and complexity of the system was an obstacle for many enterprises. The shift to the NAC Appliance has paid off, as Cisco pulled down the silver medal in the endpoint security category.
The appliance uses the network infrastructure to enforce security policy, authenticate and authorize users and evaluate and remediate wired and wireless devices before they are allowed full access to the network. The NAC Appliance not only has the ability to recognize devices, but also can identify individual users and their respective roles in the company, allowing it to make informed decisions on resource access.
BRONZE | McAfee Policy Enforcer
Price: $30 per host
Antivirus and intrusion prevention powerhouse McAfee garnered the bronze medal for its Policy Enforcer product. Policy Enforcer boasts all the features of other NAC systems, but is a software-based system and not an appliance. It's designed to be installed at various points across a network and integrates with the company's ePolicy Orchestrator management console for policy enforcement and effective control.
Policy Enforcer can discover managed and unmanaged devices on a network, and perform automated remediation in order to bring managed machines up to approved levels. McAfee also decided to include support for all major NAC enforcement frameworks in Policy Enforcer--Cisco NAC, Microsoft NAP (Network Access Protection) and the Trusted Computing Group's TNC (Trusted Network Connect). This gives administrators the flexibility to use whatever scheme they like best, without needing to replace agents or hardware.
In the trenches
A NAC for access control
Network access control technology is fine for evaluating system health, but IT wants to extend those capabilities to users, not just machines.
NAC and other endpoint security technologies have garnered a lot of press and attention in the last year, and much of that attention has focused on the products' ability to check the security posture of machines attempting to connect to the network. Vendors have touted the ability to admit or deny users based on the relative health of their machines as the key to keeping their networks clean.
However, some users say that while the health check capability is all well and good, the true value of network access control lies in its ability to limit network access for specific users, and not just their machines. Deployed at strategic points inside a network, and not simply at the network edge, NAC systems can function as gatekeepers and prevent unauthorized users from accessing network segments or resources they're not meant to see.
"What I was looking for was an admission control system that could automatically assign users to a VLAN based on the user, not the machine," says George Owoc, director of business administration at EADS Astrium North America, a manufacturer of satellites and other space systems. EADS Astrium uses a NAC appliance from Lockdown Networks. "We have a lot of contracts that are controlled by the State Department because of export issues and a lot of classified material," Owoc says. "We also have a lot of interns and students and we had to make sure that we didn't have any unauthorized access."
This access-control role in the past has been played with varying levels of success by inward-facing firewalls and simple password protection on sensitive servers. In some cases, classified or otherwise restricted material is placed on a separate network, but this approach can hamper the ability of legitimate users to access files. So NAC systems have begun taking over that function in some large, distributed enterprises like EADS Astrium with clear needs to segment their user populations.
"I needed a way to isolate visitors and others by their access to data," Owoc says. "And I didn't want something with a client, because the administrators of those visitors' machines have locked them down as much as they can, and probably have them set to deny any software that's pushed down to them."
The forthcoming NAC-NAP offerings from Cisco Systems and Microsoft will be uniquely well positioned to perform this access-control function as well. Cisco's position as the provider of networking infrastructure for many enterprises, and Microsoft's equally dominant position in the server realm, give them the ability to determine who can access what resources and when.