Network Computing is part of the Informa Tech Division of Informa PLC


StillSecure Steps Up: Page 2 of 4


Installation and ongoing modifications are rather hands-on affairs, requiring us to configure the product through both the command line and GUI, an odd mix. In addition, altering some configuration settings, like SafeAccess' ability to control a switch, required messing with scripts. Never fun.

As with other out-of-band NAC products, assessing against policy is a three-step process: compare the host's condition against a pre-defined policy, determine what action should be taken, then take the action. Our policy was fairly simple. If a host's condition was acceptable, the computer would be assigned to a VLAN. If the host failed and needed remediation, off to quarantine until it passed.

Policies are grouped, and policy groups are assigned to SafeAccess enforcement points or clusters. Policies can be applied to hosts based on a limited set of criteria, such as operating system, Windows domain, IP address or range, and MAC address.

Policy assignment is missing some important functionality. For example, policy selection is based solely on identification of the computer, rather than on the user who is logged in. In a way, this makes sense because out-of-band NAC products like SafeAccess don't handle post-connection enforcement--hosts are either on or off the network. However, computers can be assigned to groups in Active Directory, yet SafeAccess doesn't use group membership to assign hosts to policies. And policies generally didn't offer us many configuration options.

Policies can be arranged in order, and the first match wins. A common tactic is to put specific host groups at the top of the list and set the default policy as the last policy in the list, for use by guests.
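The ordering behavior described above can be modeled in a few lines. This is an added illustration, not SafeAccess code or its configuration format; the rule fields mirror the criteria named in the review, and all policy names, addresses and the `Rule` structure are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One entry in an ordered policy list. A criterion left as None matches any host."""
    policy: str
    os: Optional[str] = None
    domain: Optional[str] = None
    network: Optional[str] = None  # single IP address or CIDR range
    mac: Optional[str] = None

    def is_catch_all(self) -> bool:
        return not (self.os or self.domain or self.network or self.mac)

    def matches(self, host: dict) -> bool:
        if self.os and self.os != host.get("os"):
            return False
        if self.domain and self.domain != host.get("domain"):
            return False
        if self.mac and self.mac.lower() != host.get("mac", "").lower():
            return False
        if self.network:
            net = ipaddress.ip_network(self.network, strict=False)
            if "ip" not in host or ipaddress.ip_address(host["ip"]) not in net:
                return False
        return True

def select_policy(rules, host):
    """First match wins; later rules are never consulted."""
    return next((r.policy for r in rules if r.matches(host)), None)

def unreachable(rules):
    """Policies placed after a catch-all rule can never be selected."""
    for i, r in enumerate(rules):
        if r.is_catch_all():
            return [later.policy for later in rules[i + 1:]]
    return []

def enforce(rules, host, passed):
    """Select the policy, then act on the assessment result: VLAN or quarantine."""
    return select_policy(rules, host), ("assign_vlan" if passed else "quarantine")

# Constructed sample data (hypothetical names and addresses).
RULES = [
    Rule("servers", network="10.0.5.0/24"),
    Rule("corp-windows", os="windows", domain="CORP"),
    Rule("guest"),  # default policy, last in the list
]
SERVER = {"os": "windows", "domain": "CORP", "ip": "10.0.5.10", "mac": "00:11:22:33:44:55"}
GUEST = {"os": "macos", "ip": "192.168.1.50", "mac": "66:77:88:99:AA:BB"}
```

Moving the catch-all guest rule above the others makes every host fall into the guest policy, which is why `unreachable()` is worth running against any reordered list.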

IN DETAIL
FEATURED PRODUCT: StillSecure SafeAccess V5; $20 per user at 2,500 seats
ABOUT THIS ROLLING REVIEW: We tested out-of-band NAC products using a basic access control policy on an existing network. We focused on policy development, enforcement features, host assessment, logging, and troubleshooting.
NEXT UP: Hewlett-Packard NAC-800
OTHER VENDORS INVITED: AEP Networks, Array Networks, Bradford, Cisco, Enterasys, FireEye, ForeScout Technologies, Hewlett-Packard, ImpulsePoint, InfoExpress, Juniper, Mirage, Nortel, Sophos, Symantec, Trend Micro, and TippingPoint Technologies

Once a user logs on via 802.1X, SafeAccess quarantines and assesses the host, either with a persistent agent or via an ActiveX client that the user must download and launch. Alternatively, SafeAccess can assess hosts using Windows remote procedure calls.