Avenda’s improved clustering capabilities allow enterprises to support large numbers of appliances (hardware or virtual machine) across widely distributed locations. (Avenda says in-house testing has confirmed that a minimum of 30 appliances can be supported, but believes that hundreds of appliances will work efficiently in a given deployment.) Cluster nodes can be placed behind load balancers, and high availability is maintained through failover to the next available machine on the network, rather than through appliance pairing.
eTIPS is managed through a Web-based console that can be accessed from any location in the deployed environment without need for a master management console, giving it a high degree of administrative flexibility. Policy is automatically populated to all nodes, both initially and incrementally, as policies are added or modified; administrative roles are now highly customizable.
"Avenda scales well; you have consistent information across all the nodes," says Phil Schacter, Gartner managing VP for IT security and risk management. "You can deal with fluctuations in demand, so you are not slowing down the network because you don’t have enough RADIUS servers and policy systems in your environment."
The new release includes device registration, improving the ability to apply policy to employee-owned mobile devices, including tablets, smartphones and personal laptops. Enterprises have the option of registration through IT or user self-registration. Devices are tracked through MAC address, and verified with additional device-specific information, such as exact OS version, to reduce vulnerability to MAC spoofing.
"The iPad has changed things," says Schacter. "Enterprises are looking for better systems to help them identify when devices are on the network and give them opportunity to have different policies for unmanaged devices."
eTIPS 4.0 improves endpoint security "health checks" and remediation. Windows-based devices can be evaluated for the latest security patches and remediated if they are not current. In addition, enterprises can enforce basic (allow or deny) USB device policies for devices seeking network entry.
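To make the device-registration and health-check ideas concrete, here is an added Python sketch of the admission logic such a NAC system performs. It is an illustration written for this article, not Avenda's code, and it does not reflect how eTIPS implements these checks internally. Every MAC address, owner name, OS version, patch-level string and policy value below is constructed sample data; the `RegisteredDevice`, `ObservedEndpoint`, `Policy` and `evaluate` names are this example's own. The identity step shows why a MAC alone is insufficient: a device presenting a registered MAC but a different OS fingerprint is rejected rather than admitted.

```python
"""Toy NAC admission decision: registry lookup, fingerprint check, posture check.

Added illustration for this article; not Avenda code. All data is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Decision(Enum):
    ALLOW = "allow"            # registered, fingerprint matches, posture compliant
    DENY = "deny"              # identity mismatch or hard policy violation
    REMEDIATE = "remediate"    # known device, but out-of-date patches
    UNMANAGED = "unmanaged"    # unknown or self-registered device: restricted policy


@dataclass(frozen=True)
class RegisteredDevice:
    mac: str
    owner: str
    os_family: str
    os_version: str      # exact version captured at registration time
    it_registered: bool  # True if IT enrolled it, False if user self-registered


@dataclass(frozen=True)
class ObservedEndpoint:
    mac: str
    os_family: str
    os_version: str
    patch_level: str          # constructed "YYYY-MM" cumulative-update tag
    usb_storage_present: bool


@dataclass(frozen=True)
class Policy:
    required_patch_level: str   # minimum "YYYY-MM" tag accepted (constructed format)
    allow_usb_storage: bool     # basic allow/deny USB policy


def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-..', 'aabb.cc..' or 'aa:bb:..' into 'aa:bb:cc:dd:ee:ff'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_sample_registry() -> Dict[str, RegisteredDevice]:
    """Constructed registry: one IT-managed laptop and one self-registered tablet."""
    devices = [
        RegisteredDevice("00-1A-2B-3C-4D-5E", "alice", "Windows", "6.1.7601", True),
        RegisteredDevice("00:1a:2b:3c:4d:60", "bob", "iOS", "4.3", False),
    ]
    return {normalize_mac(d.mac): d for d in devices}


def evaluate(registry: Dict[str, RegisteredDevice],
             endpoint: ObservedEndpoint,
             policy: Policy) -> Tuple[Decision, str]:
    """Return (decision, reason) for an endpoint requesting network entry."""
    mac = normalize_mac(endpoint.mac)
    record = registry.get(mac)
    if record is None:
        return Decision.UNMANAGED, f"{mac} not registered; apply unmanaged-device policy"

    # Identity: the MAC is trivially spoofable, so the device-specific attributes
    # captured at registration must match too. A mismatch is treated as a
    # suspected spoof and denied rather than silently downgraded.
    if (endpoint.os_family, endpoint.os_version) != (record.os_family, record.os_version):
        return Decision.DENY, (
            f"fingerprint mismatch for {mac}: registered {record.os_family} "
            f"{record.os_version}, observed {endpoint.os_family} {endpoint.os_version}"
        )

    if not record.it_registered:
        return Decision.UNMANAGED, f"{mac} is self-registered by {record.owner}; restricted access"

    # Posture: patch level check (Windows only here) and the basic USB policy.
    # "YYYY-MM" tags compare correctly as plain strings.
    if endpoint.os_family == "Windows" and endpoint.patch_level < policy.required_patch_level:
        return Decision.REMEDIATE, (
            f"{mac} patch level {endpoint.patch_level} below required "
            f"{policy.required_patch_level}"
        )
    if endpoint.usb_storage_present and not policy.allow_usb_storage:
        return Decision.DENY, f"{mac} has USB storage attached and policy denies it"

    return Decision.ALLOW, f"{mac} ({record.owner}) verified and compliant"


if __name__ == "__main__":
    reg = build_sample_registry()
    pol = Policy(required_patch_level="2011-03", allow_usb_storage=False)
    for ep in [
        ObservedEndpoint("00-1A-2B-3C-4D-5E", "Windows", "6.1.7601", "2011-03", False),
        ObservedEndpoint("00-1A-2B-3C-4D-5E", "Linux", "2.6.38", "2011-03", False),
        ObservedEndpoint("00-1A-2B-3C-4D-5E", "Windows", "6.1.7601", "2010-11", False),
        ObservedEndpoint("00-1A-2B-3C-4D-5E", "Windows", "6.1.7601", "2011-03", True),
        ObservedEndpoint("00:1a:2b:3c:4d:60", "iOS", "4.3", "n/a", False),
        ObservedEndpoint("de:ad:be:ef:00:01", "Android", "2.3", "n/a", False),
    ]:
        print(evaluate(reg, ep, pol))
```

The ordering matters: identity is verified before posture, so a device that fails the fingerprint check is never offered remediation, which would otherwise hand an impostor a partial foothold while it "patches". In a real deployment the fingerprint would draw on more than OS family and version, and the patch-level representation would come from the agent or scanner in use; the string tag here is only a stand-in.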
These health checks, however, are no longer the primary driver for NAC, as they were when the buzz around NAC was hottest.
"Back then, it was all about the notion of security posture," he says. "Enterprises were so worried about malware getting into the organization through the endpoint. Now it seems most people are more interested in the identity of the user coming in, and whether it is a managed or unmanaged device."
See more on this topic by subscribing to Network Computing Pro Reports Security That Never Sleeps (subscription required).