I tested host-based enforcement by creating a simple rule requiring McAfee
AntiVirus Enterprise to be present on a system, and applied the rule to three
systems running the Enforcer agent and lacking the antivirus product. All three
reported the lack of compliance, and had restricted network access. Although
I could ping other systems on the network, I could access neither network shares
nor remote web sites.
McAfee has a lot on its development road map. Windows Vista support is planned
for later in 2007. Support for both 802.1x and DHCP enforcement is on the horizon,
without a specific timetable. Inline, pre-connect NAC features are also planned,
based on McAfee's IntruShield Intrusion Prevention System (IPS) security appliance.
Bottom line. MPE is a well designed, very manageable package. The EPO
console is a sweet piece of work that integrates MPE well with other elements
of McAfee's system and network security framework. Working with SNMP-manageable
switches in particular, it can provide effective NAC. I recommend it to those
who can live—for now—without 802.1x and DHCP enforcement methods.
McAfee Policy Enforcer 2.0
PROS: Managed by ePolicy Orchestrator, Policy Enforcer is relatively easy to
implement and manage; the client directory structure supports automatic assignment
of new clients by IP address; supports SNMP-managed switch and agent-based enforcement.
CONS: Lacks 802.1x- and DHCP-based enforcement.
RATING: 4 out of 5
PRICE: Tiered licensing. At 1001 seats, a perpetual license for McAfee Policy
Enforcer Plus EPO, including 1 year of gold support, would be about $27.64.
This price drops as the number of seats goes up.
RECOMMENDATION: Policy Enforcer is a well designed, easily managed NAC, particularly
for users with SNMP-managed, VLAN-capable switches. I enjoyed working with the
EPO console, and the structure linking network attributes to assessment rule sets,
and rules to network access limitations, is very workable.
CONTACT: McAfee (http://www.mcafee.com) 888-847-8766
StillSecure Safe Access 5.0
StillSecure's Safe Access, unlike the other products reviewed here, is a Linux-based
application that installs to a bare-metal server. StillSecure provides implementation
assistance to all clients; an onsite technician performed the installation for
this review.
Architecture. Safe Access supports agentless, ActiveX-based, and client-agent-based
endpoint assessment. On the enforcement side, Safe Access supports 802.1x and
inline pre-connect enforcement, and agent-based and DHCP post-connect enforcement.
It also participates in a Cisco NAC framework.
Administrators of larger networks can place Safe Access Enforcement servers—either
individually or in load-balanced clusters—on network segments at various
locations. With this implementation, Enforcement servers all report to, and
are managed through, a single management server.
The Web browser-based management interface is well designed and accessible
through a secure HTTPS connection. Four classes of user IDs—System Administrator,
Cluster Administrator, Help Desk, and View Only—support a distributed
administration approach. As Figure 4
shows, the management interface displays the status of all detected systems
on the network, along with context-sensitive Help information.
As with the other products reviewed here, assessment and enforcement policies
provide a framework for every Safe Access implementation. StillSecure provides
a broad scope of assessment tests you can apply to your policies, including
testing for the presence of most common security applications, OS and browser
updates and settings, and common malware. You can also test for required and
prohibited applications. Safe Access ships with a variety of predefined policies,
offering high, medium, and low levels of enforcement. Safe Access automatically
downloads test updates, making them available for use but not automatically
applying any to active policies.
Safe Access offers many features that support a gradual, user-friendly NAC
implementation, including an ability to temporarily grant network access to
a system that has failed specific policies. When a system fails an assessment
test, you can provide the user instructions for manual remediation or make use
of Safe Access's support for several popular automated remediation applications.
Hands on. The basic installation, initiated by booting the server with
an installation CD, proceeded quickly. As with the other products, the initial
configuration took proportionally much longer than software installation. For
the testing, I configured Safe Access for 802.1x enforcement. Configuring Safe
Access to use 802.1x quarantine networks requires only providing the quarantine
subnet addresses and selecting the 802.1x check box. The balance of the configuration
included setting initial policies and configuring an 802.1x switch with the
required authentication and VLAN information. This post-installation configuration
took less than two hours.
Following the assisted initial implementation, I reviewed the available configuration
screens and tested additional features. Safe Access lets you specify which of
the three testing methods—Safe Access agent, ActiveX agent, or agentless—you
want to employ, along with the order in which the system will attempt them.
Safe Access supports three sources of credentials for authenticating agentless
endpoint testing: Windows IDs, LDAP, and a Java Database Connectivity (JDBC)-accessible
database.