Installation. EE runs on a Windows Server 2003 system configured with
Microsoft IIS and Internet Authentication Service (IAS). The product also requires
the use of a Microsoft SQL Server 2000 system. The basic installation routine
on the EE application server went fairly smoothly, followed by an hour of post-installation
configuration involving IIS and IAS, and—through EE's Web console interface—configuring
an agent MSI package. The Web console uses popup windows, so I had to turn off
my computer's popup blocking. I created a policy requiring only an EE agent;
this became the default policy because it was the first. I created an EE user
group and associated it with the domain users group, then assigned the policy
I had created to the EE user group.
To start testing, I installed the agent on a Windows workstation and discovered
that users must enter a user ID and password into the agent before it can register
with the EE application server; EE uses IAS, Microsoft's RADIUS service, to authenticate
those credentials and register the client. My first attempt failed because my user
account lacked remote access permission, so in IAS I created a remote access policy
that ignores the account's dial-in properties. Registration then succeeded and the
agent downloaded the default policy. Until then, the workstation had been quarantined
from the network, because I had enabled that option in the agent installation .msi
file. Next, I changed the policy to require an antivirus package the workstation
didn't have; within the deliberately short policy refresh interval I had set, the
workstation was quarantined again. I then installed the agent on a second workstation,
and that system was denied network access too. EE's Web console reported each
quarantine and its reason, as you see in Figure 1.
Bottom line. EE would be an effective addition to your network security toolkit.
The strongest protection comes from its 802.1x and Cisco NAC hardware enforcement
options, which operate pre-connect: the endpoint is assessed before it is given any
network access. The combination of agent-based and DHCP enforcement will likely catch
the most prevalent threats to network security, although DHCP enforcement by itself
cannot constrain a host configured with a static IP address, which is one reason the
pre-connect options rank higher. I found the structure of EE more complex to implement
and manage than that of some of the other systems, and the requirement that users key
their user ID and password into the agent is somewhat annoying. The user-oriented
perspective is consistent with the way many networks are managed, although I would
still have liked the console to present a list of all detected endpoints, not just
those with agents or DHCP-assigned addresses. The security console's Help system
describes all the configuration panels, but I didn't always find the descriptions
enlightening. I also looked for, and didn't find, documentation that describes the
architecture in technical detail; lacking that, I found myself on the phone with my
technical contact several times.
Sophos EndForce Enterprise 2.6
PROS: Enforcement support includes 802.1x, DHCP, agent-based, and VPN; user- (not computer-) oriented policy assessment is consistent with the way many organizations manage systems
CONS: Architecture is relatively complex, affecting ease of management; no network device discovery
RATING: 3.5 out of 5
PRICE: Annual subscription license; minimum 1000-user license: Sophos NAC $19.80, Sophos NAC and Sophos Endpoint Security $30.69
RECOMMENDATION: Although a capable system, the design struck me as more complex and difficult to implement and administer. Some will find the user-oriented policies a worthwhile tradeoff.
CONTACT: Sophos (http://www.sophos.com), 866-866-2802
InfoExpress Dynamic NAC for Windows 5.1
Dynamic NAC for Windows (DNW), a post-connect NAC solution, is available from
InfoExpress as installable Windows-based software and as an appliance. Although
InfoExpress markets the product as DNW, the UIs and installation module (i.e.,
cgsuite.exe) indicate that it's a function set within InfoExpress's CyberGatekeeper
(CG) product line. For consistency, I'll use the DNW product name.
Installation. The product has some basic requirements. It requires
a Windows Server 2003 system configured with IIS. It uses SQL Server, and installs
Microsoft SQL Server Desktop Engine (MSDE) 2000 on the database system you designate
if it fails to find an existing instance of SQL Server. I chose the default
installation, which proceeded quickly and painlessly.
Architecture. DNW is a client agent/server-based system with support
for Windows, Linux, and Mac network endpoints, although the Linux and Mac agents
won't support the NAC function set until later this year. An ActiveX agent is
also available. An optional reporting manager consolidates agent logs into the
database and generates activity reports. The DNW Server appoints selected endpoint
agent systems on each subnet to act as enforcers.
Dynamic NAC uses ARP redirection, the same mechanism attackers know as ARP spoofing
or ARP cache poisoning, here turned to enforcement. A brief networking refresher:
every Ethernet interface carries a Media Access Control (MAC) address assigned when
it is manufactured. To send a frame to a host or gateway on the local subnet, a
computer must know the target's MAC address, and it learns that mapping through ARP:
it broadcasts a request for the IP address it wants and caches the MAC address
carried in the reply. ARP redirection works by sending the computer a reply that
associates the IP address with the MAC address of a different system, so that its
traffic for that IP address is delivered elsewhere. By this means, one computer on
the subnet can control which other computers a second computer is able to reach.
Note that this technique works on Windows networks because the Windows IP stack
appears to honor any ARP reply it receives, solicited or not, and updates its cache
accordingly. A stack that accepted only replies to its own requests, a host with a
static ARP entry for its gateway, or a switch performing dynamic ARP inspection
would not be redirected (and an inspecting switch might well flag the enforcer's
forged replies as an attack). Because DNW is post-connect, a rogue host already has
link and an IP address when enforcement begins; what it loses is the ability to reach
anything it hasn't been permitted to. Agents on each subnet listen for rogue systems,
meaning systems that both lack the Dynamic NAC agent and aren't on the white list for
that subnet. When a rogue device attempts to communicate with a system it isn't
allowed to reach, the enforcing agent sends it ARP packets that redirect the
communication, usually to a remediation server for installation of an agent and
further policy-compliance analysis.
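The redirection described above, worked through as a simulation. This is an added example written for this page, not InfoExpress's code. It builds genuine Ethernet II/ARP frames with `struct`, models a host's ARP cache with the accept-any-reply behaviour the paragraph attributes to Windows, and lets an appointed enforcer forge a reply that points the gateway's IP address at a remediation server's MAC. The addresses, the white list, the `ArpCache` and `SubnetEnforcer` classes and their `accept_unsolicited` and `static` switches are assumptions made for the demonstration; the remediation allow-list stands in for the router-style access lists that DNW has you configure after installation. It goes one step past the text by also showing the two kinds of host the technique cannot enforce: one with a static ARP entry for its gateway and one whose stack ignores unsolicited replies.

```python
"""ARP-redirection enforcement, simulated end to end. This is an added example, not
InfoExpress code: the frame layout is real Ethernet II + RFC 826 ARP; the hosts,
addresses and white list are constructed for the demonstration."""
import socket
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw): return ":".join(f"{x:02x}" for x in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """14-byte Ethernet header + 28-byte ARP body. The Ethernet source may differ
    from the ARP sender hardware address; a forged reply counts on the victim caching the latter."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    header = mac_bytes(eth_dst) + mac_bytes(eth_src or sender_mac)
    header += struct.pack("!H", ETH_TYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    body += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    body += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return header + body

def parse_arp(frame):
    if len(frame) < 42:
        raise ValueError("frame too short for ARP")
    eth_type, htype, ptype, hlen, plen, op = struct.unpack("!HHHBBH", frame[12:22])
    if (eth_type, htype, ptype, hlen, plen) != (ETH_TYPE_ARP, 1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42])}

class ArpCache:
    """One host's ARP cache. accept_unsolicited=True is the behaviour the article attributes
    to Windows (any reply overwrites the entry); False only learns from replies it asked for."""
    def __init__(self, accept_unsolicited=True, static=None):
        self.accept_unsolicited = accept_unsolicited
        self.static = dict(static or {})   # entries that are never overwritten
        self.table = dict(self.static)
        self.pending = set()               # IPs this host has sent a request for

    def request(self, ip):
        self.pending.add(ip)

    def receive(self, frame):
        """Apply an incoming ARP frame; return True if the cache changed."""
        arp = parse_arp(frame)
        ip = arp["sender_ip"]
        if arp["op"] != ARP_REPLY or ip in self.static:
            return False
        if not self.accept_unsolicited and ip not in self.pending:
            return False
        self.pending.discard(ip)
        self.table[ip] = arp["sender_mac"]
        return True

    def resolve(self, ip):
        return self.table.get(ip)

class SubnetEnforcer:
    """Agent appointed to enforce one subnet. A host that neither runs the agent nor is
    white-listed, talking to anything outside the remediation access list, gets a forged reply."""
    def __init__(self, own_mac, trusted_macs, remediation_ips, remediation_mac):
        self.own_mac, self.remediation_mac = own_mac, remediation_mac
        self.trusted_macs, self.remediation_ips = set(trusted_macs), set(remediation_ips)

    def redirect_for(self, src_mac, src_ip, dst_ip):
        """Redirect frame to unicast to src, or None when the traffic is permitted."""
        if src_mac in self.trusted_macs or dst_ip in self.remediation_ips:
            return None
        return build_arp(ARP_REPLY, self.remediation_mac, dst_ip, src_mac, src_ip,
                         eth_src=self.own_mac)

def demo():
    """Walk a rogue host through redirection; return what each host ends up with."""
    gateway_ip, gateway_mac = "10.0.0.1", "00:11:22:33:44:01"
    remed_ip, remed_mac = "10.0.0.50", "00:11:22:33:44:50"
    rogue_ip, rogue_mac = "10.0.0.99", "00:11:22:33:44:99"
    enforcer = SubnetEnforcer("00:11:22:33:44:10", {"00:11:22:33:44:20"}, {remed_ip}, remed_mac)
    real_reply = build_arp(ARP_REPLY, gateway_mac, gateway_ip, rogue_mac, rogue_ip)
    rogue = ArpCache()                     # 1. rogue learns the gateway legitimately
    rogue.request(gateway_ip)
    rogue.receive(real_reply)
    before = rogue.resolve(gateway_ip)
    redirect = enforcer.redirect_for(rogue_mac, rogue_ip, gateway_ip)  # 2. it talks to the gateway
    rogue.receive(redirect)
    after = rogue.resolve(gateway_ip)      # now the remediation server's MAC
    allowed = enforcer.redirect_for(rogue_mac, rogue_ip, remed_ip)  # 3. remediation stays reachable
    pinned = ArpCache(static={gateway_ip: gateway_mac})   # 4a. static entry: not enforced
    pinned.receive(redirect)
    strict = ArpCache(accept_unsolicited=False)           # 4b. strict stack: not enforced
    strict.request(gateway_ip)
    strict.receive(real_reply)
    strict.receive(redirect)
    return {"before": before, "after": after, "allowed": allowed,
            "pinned": pinned.resolve(gateway_ip), "strict": strict.resolve(gateway_ip)}
```

`demo()` returns the rogue's gateway mapping before and after the forged reply (the real gateway MAC, then the remediation server's), `None` for the permitted remediation traffic, and the untouched gateway MAC on the pinned and strict hosts. Note that the redirect frame's Ethernet source is the enforcer's own MAC while the ARP sender hardware address is the remediation server's; a host or switch that cross-checks the two can detect the mismatch, which is one of the signals dynamic ARP inspection relies on.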
Hands on. DNW includes three UIs. You use the CyberGatekeeper Policy
Manager GUI to create the policy sets that the system uses to evaluate network
endpoints. The CyberGatekeeper Reporting and Management System (CGRMS) is a
Web-based interface for configuring and monitoring policy enforcement on network
subnets. CyberGatekeeper Server Configuration is a third Web-based interface,
for configuring the DNW server itself. During DNW installation,
you assign a password to the default "root" account. CGRMS lets you
create additional users who are authorized to modify the DNW server's configuration,
modify the Dynamic NAC configuration, and run reports.
DNW requires a fair amount of post-installation configuration. For example,
you must designate the subnets to monitor and define router-style access lists that
let enforced systems (i.e., systems that DNW is restricting from full network
access) reach the remediation servers and any other network resources that
remediation needs.