Vernier's In-Band NAC Product Takes Work
Posted by
Mike Fratto, Editor
November 17, 2007
THE UPSHOT

CLAIM: In-band NAC products are superior to out-of-band NAC offerings because they can monitor and filter all traffic passing through the appliance; implementation requires no network changes other than recabling. Since all traffic passes through in-band products, they can act on malicious traffic such as worms, scans, and DoS attacks.

CONTEXT: The argument over the best NAC deployment style is based on two questions: When does an assessment occur, and how is access control enforced? Out-of-band NAC products grant network access based on the host's condition, while in-band NAC products restrict access to network resources based on a variety of criteria, one of which is host condition.

CREDIBILITY: EdgeWall is a mixed bag of granular, repetitious configuration; flexible policy development and network integration; thorough host assessment; intrusion detection; and network anomaly detection. Tedious configuration combined with spurious management issues, lackluster logging, and the inability to detect subsequent user logins without numerous configuration changes all left us concerned. Vernier has work to do to get this product right for the enterprise.
On top of these security holes, we found the administration interface confusing, with new policies often failing to take effect when first defined. We sometimes had to apply changes several times before they took. Vernier also commits the cardinal sin of making policy development tedious and nonintuitive in an effort to make it powerful.
A further weakness: The Control Server and EdgeWall need to be in constant communication. Unlike other NAC products such as ConSentry's, which maintains the last configured policy, Vernier makes all access decisions on the Control Server. You can set up a secondary controller that will take over in the event the primary one fails.
On the upside, EdgeWall has some unique features that aid network integration. The 8800, which we tested, sports 24 SFP ports split across four card slots. Unlike products from ConSentry and Nevis Networks, where ingress and egress port pairings are one to one, EdgeWall's port assignment is flexible, letting us aggregate multiple host-facing ports onto a single uplink port. Bridge groups and VLAN assignment determine which frames are passed through EdgeWall. In addition, we could create bridge rules that let specific traffic bypass EdgeWall security processing.
THE SAUSAGE FACTORY

Sausage is one of those foods that's messy to make but satisfying in the end. Vernier's management interface is like that. Similar to other NAC products, users move from policy to policy as their condition changes (from boot-up to assessment to domain login). Vernier's policies are made up of an identity profile that combines host and user data; a connection profile, which considers the EdgeWall's location; an integrity profile; and the access policies that define where a host can go in the network.
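The profile composition described above, as an added model that is not Vernier's code or configuration format: the profile fields, phase names, locations, zone names and the first-match-wins ordering are all assumptions of this illustration. It resolves which policy is in force as a host moves from boot-up through assessment to domain login, and shows the gap a defender should look for, a host state that no policy covers.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HostState:
    """What the enforcement point knows about one host (hypothetical model)."""
    mac: str
    user: Optional[str]           # identity profile: user data, None until domain login
    location: str                 # connection profile: which EdgeWall the host sits behind
    phase: str                    # boot -> assessing -> assessed -> logged_in
    integrity_ok: Optional[bool]  # integrity profile: None until assessment finishes

@dataclass(frozen=True)
class Policy:
    name: str
    phases: frozenset             # lifecycle phases this policy covers
    locations: frozenset          # connection profile
    needs_user: bool              # identity profile must include a logged-in user
    integrity: Optional[bool]     # required assessment result (None = don't care)
    allowed_nets: frozenset       # access policy: reachable network zones

    def matches(self, h: HostState) -> bool:
        return (h.phase in self.phases and h.location in self.locations
                and not (self.needs_user and h.user is None)
                and (self.integrity is None or h.integrity_ok == self.integrity))

ANY = frozenset({"branch", "campus"})
# Ordered most specific first; first match wins (an assumption of this model).
POLICIES = [
    Policy("quarantine", frozenset({"assessed", "logged_in"}), ANY, False, False, frozenset({"remediation"})),
    Policy("assessment", frozenset({"boot", "assessing"}), ANY, False, None, frozenset({"dhcp", "dns", "assessment-server"})),
    Policy("campus-user", frozenset({"logged_in"}), frozenset({"campus"}), True, True, frozenset({"dhcp", "dns", "intranet", "internet"})),
    Policy("branch-user", frozenset({"logged_in"}), frozenset({"branch"}), True, True, frozenset({"dhcp", "dns", "intranet"})),
    Policy("pre-login", frozenset({"assessed"}), ANY, False, True, frozenset({"dhcp", "dns", "domain-controller"})),
]

def resolve(h: HostState) -> Optional[Policy]:
    """Return the first policy whose identity, connection and integrity profiles all match."""
    return next((p for p in POLICIES if p.matches(h)), None)

def walk_lifecycle(mac: str, location: str, integrity_ok: bool, user: str) -> list:
    """Name the policy in force at each step of boot -> assessment -> domain login."""
    steps = [HostState(mac, None, location, "boot", None),
             HostState(mac, None, location, "assessing", None),
             HostState(mac, None, location, "assessed", integrity_ok),
             HostState(mac, user, location, "logged_in", integrity_ok)]
    return [(p.name if (p := resolve(s)) else "no-match") for s in steps]

if __name__ == "__main__":
    # Constructed sample hosts: a healthy campus laptop and a branch host that failed assessment.
    print(walk_lifecycle("00:11:22:33:44:55", "campus", True, "alice"))
    print(walk_lifecycle("66:77:88:99:aa:bb", "branch", False, "bob"))
```

A "no-match" result is the case to audit: a host that logs in without a completed assessment, or from a location no connection profile names, falls through every policy, which is exactly the kind of gap the review's login-detection complaint produces.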