June 2007

Guard Your Network with Software NAC

4 products offer a diversity of approaches
Sidebar: Microsoft's NAP Option

Network Access Control (NAC) is one tier of a multitiered approach to protect the security and integrity of your network, applications, and data. The goal of the NAC tier is to discover and vet each device on the network. Once the system discovers a device, it evaluates that device—according to rules that the administrator has set—to determine the likelihood that the device will behave as a proper network citizen. These rules generally require that endpoints run a minimum software configuration (e.g., antivirus software).

The products I cover in this comparative review—Sophos's EndForce Enterprise 2.6, InfoExpress's Dynamic NAC for Windows 5.1, McAfee's Policy Enforcer 2.0, and StillSecure's Safe Access 5.0—all protect against endpoints that plug into the local network. All these products are software that you install on your own hardware. (An alternative in the market is the NAC appliance, a field that deserves its own comparative coverage.) Another class of product—often placed in-line with network gateways—acts in a pre-connect fashion to filter and vet traffic originating outside the local network. Cisco NAC and Microsoft Network Access Protection (NAP) are other proprietary approaches you'll also want to know about. For more information about Microsoft NAP, see the sidebar "Microsoft's NAP Option."

Enforcement Methods
There are several common NAC enforcement methods. Agent-based enforcement relies on software running on each system to assess the system and restrict a failing system's access to network resources. DHCP-based enforcement causes systems that fail a policy assessment to receive a network configuration that restricts their ability to communicate with other systems. SNMP-based enforcement works with network switches capable of SNMP-managed Virtual LANs (VLANs); endpoints that fail assessment are assigned to a limited-access VLAN. Finally, 802.1x-based enforcement works with 802.1x-supporting switches; every time a client activates a switch port, it's placed in a limited-access VLAN until it authenticates to a NAC server and passes assessment.

One of the products tested here—InfoExpress's Dynamic NAC for Windows—uses yet another enforcement method: Address Resolution Protocol (ARP) redirection. The methods also differ in whether they assess an endpoint before or after it connects: 802.1x-based enforcement is a pre-connect method because a new endpoint's traffic isn't allowed on the network until it passes muster. In general, the other methods act in a post-connect fashion, which means a noncompliant endpoint already has some network access before it is assessed, and that window comes with its own associated vulnerabilities.

Each enforcement method has positive and negative aspects. Agent-based enforcement (distinct from agent-based assessment) is vulnerable to systems that aren't running the agent. DHCP-based enforcement is vulnerable to systems with static IP addresses. SNMP and 802.1x enforcement rely on hardware that many organizations don't have.
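Because DHCP-based enforcement only ever configures hosts that actually take a lease, the check a defender wants alongside it is a reconciliation of what is really on the segment against what the DHCP server handed out. The following is an added example, not code from the article or from any of the products reviewed: the Windows `arp -a` listing and the lease export are constructed sample data, and the `ip,mac,user-class` CSV layout of the export is an assumed format.

```python
import re

# Constructed sample of Windows 'arp -a' output as seen from a host on 10.0.1.0/24.
ARP_OUTPUT = """\
Interface: 10.0.1.10 --- 0x4
  Internet Address      Physical Address      Type
  10.0.1.1              00-11-22-33-44-01     dynamic
  10.0.1.25             00-11-22-33-44-25     dynamic
  10.0.1.77             00-11-22-33-44-77     dynamic
  10.0.1.200            aa-bb-cc-dd-ee-ff     dynamic
  10.0.1.255            ff-ff-ff-ff-ff-ff     static
"""

# Constructed DHCP lease export (assumed layout): ip,mac,user-class.
# "Quarantine" is the user class that receives the restricted option set.
DHCP_LEASES = """\
10.0.1.25,00-11-22-33-44-25,Default
10.0.1.77,00-11-22-33-44-99,Default
10.0.1.88,00-11-22-33-44-88,Quarantine
"""

# Only 'dynamic' ARP entries are learned neighbours; 'static' ones are broadcast/multicast.
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+dynamic", re.I)

def parse_arp(text):
    """Return {ip: mac} for every dynamic ARP entry."""
    return {m.group(1): m.group(2).lower()
            for m in map(ARP_LINE.match, text.splitlines()) if m}

def parse_leases(text):
    """Return {ip: (mac, user_class)} from the lease export."""
    leases = {}
    for line in filter(str.strip, text.splitlines()):
        ip, mac, cls = line.strip().split(",")
        leases[ip] = (mac.lower(), cls)
    return leases

def find_bypass(arp_hosts, leases, infrastructure=("10.0.1.1",)):
    """Hosts on the wire that DHCP enforcement never configured (no lease, so
    probably a static address) or whose MAC differs from the one that took the lease."""
    no_lease = sorted(ip for ip in arp_hosts
                      if ip not in leases and ip not in infrastructure)
    mac_mismatch = sorted(ip for ip, mac in arp_hosts.items()
                          if ip in leases and leases[ip][0] != mac)
    return no_lease, mac_mismatch

if __name__ == "__main__":
    static, mismatched = find_bypass(parse_arp(ARP_OUTPUT), parse_leases(DHCP_LEASES))
    print("on the wire without a DHCP lease:", static)
    print("lease MAC differs from observed MAC:", mismatched)
```

Known infrastructure addresses (the router here) are excluded so that only endpoints are reported; in practice the ARP view should come from the switch or gateway rather than a single workstation.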

Sophos EndForce Enterprise 2.6
EndForce Enterprise (EE) 2.6 is a Windows Server-based NAC solution that offers both pre- and post-connect enforcement. In January, Sophos acquired EndForce, and in May (after the completion of this review) the company plans to release an enhanced and rebranded version of the product: Sophos NAC 3.0. Although Sophos routinely provides onsite installation assistance to new clients, I installed it with a bit of telephone support.

Architecture. EE implements a client agent/server architecture, with support for enforcement at the EndForce Agent, 802.1x switches, Microsoft or Lucent DHCP servers, and VPN concentrators. It also supports the Cisco NAC framework. In large networks, EE lets you install multiple, identically configured EE application servers in a Network Load Balancing (NLB) configuration.

In all enforcement modes, EE relies on an agent installed on the endpoint to assess the endpoint's policy compliance. EE includes ActiveX and Windows service-based clients, but no clients for Linux or Macintosh systems. Prior to installing an agent, you create a customized installation MSI file to set the IP address of the EE application server it will work with, then select one of three operating modes for the agent: Quarantine, which assesses the client per policy before admission to the network and then periodically thereafter, and quarantines the client whenever the system determines a policy violation; Continuous, which is similar to Quarantine but doesn't quarantine the client on policy failure; and On Demand, which is designed for VPN applications.

Distinct from the other products reviewed here, EE takes an end-user-oriented (rather than computer-oriented) perspective toward NAC policy enforcement. In EE, endpoints have one of three states: a known user on a managed endpoint, a known user on an unmanaged endpoint, and an unknown user on an undetermined endpoint. Within EE's Policy Manager, you assign policies to EE user groups, which you can configure to associate with Active Directory (AD) user groups.

Users often implement both DHCP-based enforcement (to quarantine new DHCP client systems until they can be assessed) and Agent-based enforcement (for ongoing management and periodic re-assessment of company systems). EE implements DHCP enforcement with the use of a DHCP Enforcer module, which you install on the DHCP server. Combined with the use of DHCP user classes, this allows EE to cause the DHCP server to provide endpoints that fail policy tests with network address settings that restrict their access to network resources. For example, an endpoint in violation of policy might receive an IP address, subnet mask, and gateway address that lets it access only a remediation server.
