In-Band NAC: Three Products You Should Know About

The only must-have for a successful attack? Access. Any security expert or penetration tester will tell you that once she gets in a network, subverting IT systems is just a matter of time. This is one reason wireless is such a boon to attackers--network access is no longer confined to the physical building. Security methods such as wireless encryption keep private data private, but the most critical measure is authenticating systems and users before granting access to the wireless LAN. The same holds for wired networks. While companies stressed over WEP's weaknesses, they were letting contractors, consultants, and other guests onto their wired networks with nary a passing thought.Enter in-band network access control. Installed between access layer switches and distribution or core switches, in-band NAC creates a choke point in the network; only systems that pass muster can enter. This is more than a binary decision of grant access/deny access. In-band NAC appliances granularly regulate access to network servers and services. That's a powerful tool for mitigating the problems of wide-open entry rights that plague authentication-only access control systems.

In the products we tested for this Rolling Review--ConSentry Networks' LANShield Controller, Nevis Networks' LANenforcer, and Vernier Networks' Edgewall--access controls are applied when a computer starts to communicate on the network. The assumption is that all hosts require access to some services, such as DHCP for IP configuration, DNS for name resolution, and, in a Windows environment, access to a Domain Controller for login and registration. Broader access controls to other services are applied to users based on conditions such as user name or group membership, host condition, and time of day. Access controls are similar to conventional firewall rules, where source and destination IP addresses, services, and actions (such as allow, deny, or redirect) are defined. As a user's or computer's status changes, the system takes actions based on the best match (see diagram).

All of the appliances installed transparently, requiring only the plugging in of network cables. Vernier's Edgewall let us aggregate many host-facing links onto a single uplink. Authentication status and user names are detected through passive authentication snooping, and users' group memberships could be pulled from a directory. Enforcement capabilities let us control access to hosts and services and redirect users, in the event of a failed authentication or host assessment, to a Web portal.

The products diverged in policy development, host assessment capabilities, post-connection monitoring, and reporting and troubleshooting. NAC is complicated to implement, so management interfaces must make policies readily apparent and reduce repetition while enabling granular access control decisions. Products must also provide administrators with detailed information for troubleshooting as well as general reports for trending and analysis. MAKE THE RULESWhether you just want to give guests limited access while allowing corporate users full run of the network or you want to grant restricted access to specific servers based on a user's group, policy development is where you'll spend much of your management time.

Hierarchal management, where rules applied to parent roles are inherited by child roles, simplifies policy making. ConSentry's manager uses hierarchal management, while Nevis' uses rule groups. Vernier depends on an outdated model requiring repetitive policy development. With Edgewall, computers need access to basic services like DHCP and DNS and to your authentication system, whether Active Directory or a Web portal, regardless of their status. Using hierarchal management, we could define a complex policy just once, and it would be available for reuse. Vernier's model, in contrast, had us repeating policy configuration tasks, leading to mistakes that cut users off the network and made troubleshooting difficult, even with our relatively simple test network and policy set. More complex policies would be unmanageable. This is a problem Vernier must address.

ASSESS YOURSELF

Host assessment--the value of which is hotly debated--comprises everything from checking for installed and running (or not running) software to patch configuration to monitoring network activity after a policy has been applied. Network monitoring is a unique strength available to in-band NAC products because the appliances see all the packets passing through it.

Both ConSentry's and Nevis' host assessment capabilities are sparse. ConSentry licenses Check Point's Integrity Clientless Security product, while Nevis wrote its own ActiveX agent but licenses Opswat's libraries for host assessment. One policy is applied globally to all hosts, which limits the conditions you can check for and access decisions you can make based on the assessment. Nevis' agent has the unique ability to determine when a user has logged off the computer, regardless of whether the user was logged in to a domain or locally.On the plus side for Vernier, its management system was the only one that let us define multiple host assessment criteria and apply them to roles. ConSentry and Nevis consider host assessment a global configuration, treating all comers the same. There are numerous reasons different computers might have different assessment requirements. Vernier wrote its own host agent but uses Opswat's libraries for assessment.

Vernier's Edgewall also stands out for supporting network-based assessment capabilities using the Nessus scanner, useful in cases where an agent can't be installed. All three products analyze network traffic for malicious activity, but they vary in the types of actions they can detect. All three do anomaly detection, but only Nevis LANenforcer can find client-oriented activities, such as browser-based exploits and running of policy-sensitive applications, including IM. Vernier checks for broader network attacks, both client- and server-based.

Anomaly detection is particularly useful for spotting new worms and network scans because both leave distinct and easily detectable signatures. Sure, anomalous behavior detection can be prone to false positives, so some tuning is required. Actions, from sending an alert to quarantining the host, can be tied to anomaly detection and provide good protection against common malware.

More insidious are client-based exploits, such as, bots, spyware, worms, and Trojan activity. Nevis focuses primarily on these, while Vernier looks for both client and server problems. Detecting server exploits is useful for spotting attacks from malicious intruders. Signature policies can be enabled or disabled as needed, and both companies issue updates daily as new vulnerabilities and malware are detected, provided you maintain your service contracts.

(click image for larger view)

ENJOY THE VIEW

Every security vendor wants to sell you a "compliance solution," and ConSentry, Nevis, and Vernier are no different. The location of in-band NAC appliances does give give them a unique view of the protocols, applications, and activities on your network. Depending on what data is gathered during a host assessment, even endpoint configuration can be reported on. Included reports may satisfy some compliance reporting, but you'll need to merge the data with other network stats to get an overall picture.

Reporting covers daily, weekly, or monthly roll-ups that give the big-picture view. Unfortunately, Vernier's roll-up reporting was nonexistent; we were limited to viewing real-time events and exporting data to external servers using syslog. While we don't expect full-blown log analysis in a NAC product, historical trending and automated reporting should be basic features. Both ConSentry and Nevis offered more in-depth reporting.

ConSentry's and Nevis' management products offered scheduled capabilities that could be used for long-term trending and reporting. ConSentry's report templates were more robust and configurable than Nevis'; in addition, Nevis had few report templates, and they relied on using Crystal Reports to build custom trend reports.

Where Nevis has an edge is in troubleshooting. We could easily discover and resolve connection issues using the tools Nevis provided, while ConSentry's offering took more effort. Vernier's troubleshooting tools left much to be desired.In the end, no one product emerged as the Editor's Choice or as a Best Value. But both ConSentry's LANShield and Nevis' LANenforcer made our Short List. And the real winners are enterprise IT groups: In-band NAC vendors are in an arms race. ConSentry's newest version, shipping in the first quarter of 2008, should enhance an already strong product offering. Vernier does have some ground to make up on the policy and reporting fronts, but both ConSentry and Nevis could take a page from Vernier's playbook and beef up their host assessment functions. We'll be keeping an eye on this space.

THE REPORT: NAC Tutorial

Here's how to protect your networks from jmalicious and misconfigured hosts:

informationweekreports.com