In-Band NAC: Three Products You Should Know About

Rolling Review wraps up assessment of ConSentry's LANShield Controller, Nevis' LANenforcer, and Vernier's Edgewall.

The only must-have for a successful attack? Access. Any security expert or penetration tester will tell you that once she gets into a network, subverting IT systems is just a matter of time. This is one reason wireless is such a boon to attackers--network access is no longer confined to the physical building. Security methods such as wireless encryption keep private data private, but the most critical measure is authenticating systems and users before granting access to the wireless LAN. The same holds for wired networks. While companies stressed over WEP's weaknesses, they were letting contractors, consultants, and other guests onto their wired networks with nary a passing thought.

chart: Strength in Software
Enter in-band network access control. Installed between access layer switches and distribution or core switches, in-band NAC creates a choke point in the network; only systems that pass muster can enter. This is more than a binary decision of grant access/deny access. In-band NAC appliances granularly regulate access to network servers and services. That's a powerful tool for mitigating the problems of wide-open entry rights that plague authentication-only access control systems.

In the products we tested for this Rolling Review--ConSentry Networks' LANShield Controller, Nevis Networks' LANenforcer, and Vernier Networks' Edgewall--access controls are applied when a computer starts to communicate on the network. The assumption is that all hosts require access to some services, such as DHCP for IP configuration, DNS for name resolution, and, in a Windows environment, access to a Domain Controller for login and registration. Broader access controls to other services are applied to users based on conditions such as user name or group membership, host condition, and time of day. Access controls are similar to conventional firewall rules, where source and destination IP addresses, services, and actions (such as allow, deny, or redirect) are defined. As a user's or computer's status changes, the system takes actions based on the best match (see diagram).
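The rule model described above, as an added example that is not code from any of the reviewed products: a small Python policy engine with baseline rules for DHCP, DNS and the domain controller, a redirect for hosts that fail assessment, and a group- and time-of-day-conditioned rule, resolved by best match (longest destination prefix, then most conditions). All addresses, ports, rule names and group names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow", "deny" or "redirect"
    dst: str = "0.0.0.0/0"           # destination network, firewall-style
    proto: str | None = None         # "tcp"/"udp"; None = any
    port: int | None = None          # None = any service
    groups: frozenset = frozenset()  # directory groups; empty = any user
    posture: str | None = None       # host assessment: "pass", "fail", None = any
    hours: tuple = (0, 24)           # time-of-day window [start, end)

    def matches(self, s, dst_ip, proto, port):
        return (ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in (None, proto)
                and self.port in (None, port)
                and (not self.groups or bool(self.groups & s["groups"]))
                and self.posture in (None, s["posture"])
                and self.hours[0] <= s["hour"] < self.hours[1])

    def specificity(self):
        # Best match: longest prefix first, then the most conditions set
        conds = sum(x is not None for x in (self.proto, self.port, self.posture))
        conds += bool(self.groups) + (self.hours != (0, 24))
        return (ip_network(self.dst).prefixlen, conds)

def evaluate(rules, session, dst_ip, proto, port):
    """Return (action, rule_name) for the best-matching rule, else implicit deny."""
    hits = [r for r in rules if r.matches(session, dst_ip, proto, port)]
    if not hits:
        return ("deny", "implicit-deny")
    best = max(hits, key=Rule.specificity)
    return (best.action, best.name)

# Constructed policy (addresses and groups are hypothetical)
POLICY = [
    # Baseline services every host needs before its user is known
    Rule("dhcp", "allow", proto="udp", port=67),
    Rule("dns", "allow", dst="10.0.0.53/32", proto="udp", port=53),
    Rule("domain-controller", "allow", dst="10.0.0.10/32"),
    # Hosts that fail assessment are sent to the remediation portal otherwise
    Rule("remediate", "redirect", posture="fail"),
    # Group-based access, business hours only
    Rule("finance-erp", "allow", dst="10.0.5.0/24", proto="tcp", port=443,
         groups=frozenset({"finance"}), posture="pass", hours=(8, 18)),
]
```

A session is a dict with the user's groups, posture result and current hour; a failed host still reaches DHCP and the domain controller because those baseline rules are more specific than the catch-all redirect.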

All of the appliances installed transparently, requiring only that we plug in network cables. Vernier's Edgewall let us aggregate many host-facing links onto a single uplink. Authentication status and user names were detected through passive authentication snooping, and users' group memberships could be pulled from a directory. Enforcement capabilities let us control access to hosts and services and, in the event of a failed authentication or host assessment, redirect users to a Web portal.

The products diverged in policy development, host assessment capabilities, post-connection monitoring, and reporting and troubleshooting. NAC is complicated to implement, so management interfaces must make policies readily apparent and reduce repetition while enabling granular access control decisions. Products must also provide administrators with detailed information for troubleshooting as well as general reports for trending and analysis.

MAKE THE RULES
