In most NAC systems, once a host is granted access, it's allowed onto the network until a host reassessment takes place. In the meantime, the NAC system is typically unaware of malicious activity.
Lockdown Networks' latest version of its network access control product, Enforcer 4.2.7, wants to address this weakness by accepting RFC 3164-formatted syslog events and Web services events for use in policy decisions. Enforcer policies can use syslog's severity field and the source IP to react to events by, for example, kicking a device off the network, quarantining it or alerting an administrator.
Products from other NAC vendors, including Consentry Networks, Enterasys Networks and Nevis Networks, can use IDS events to help make policy decisions. Lockdown's Enforcer is the first to accept syslog events, which means it can accept information feeds from IDSs and other network devices.
Although configuring Enforcer to accept syslog events and incorporate them into its policies is easy, Lockdown hasn't provided sufficient event-management capabilities to extract the full value of that information. Also, event severity and source IP aren't really enough to make good policy enforcement decisions. Finally, administrators must assign meaningful severity to syslog events being used by Enforcer at the source, while ensuring that the severity ratings don't affect other event-processing systems that consume the same events.
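To make the syslog-driven policy described above concrete, here is an added example (not Lockdown's code) that parses RFC 3164 lines, decodes the PRI field into facility and severity, and maps severity plus source address to a NAC action. The managed address range, the action names and the use of the HOSTNAME field as the source IP are assumptions, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message"
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    source: str      # assumption: HOSTNAME field carries the device IP
    message: str

def parse_rfc3164(line):
    """Return a SyslogEvent, or None for malformed lines or out-of-range PRI."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # facility 0-23 and severity 0-7 give PRI 0..191
        return None
    return SyslogEvent(pri >> 3, pri & 7, m.group("ts"), m.group("host"), m.group("msg"))

def decide(event, managed_prefix="10.20."):
    """Hypothetical policy: only severity and source IP are consulted, as in the review."""
    if not event.source.startswith(managed_prefix):
        return "ignore"       # event is about a host the NAC does not manage
    if event.severity <= 2:   # emerg, alert, crit
        return "disconnect"
    if event.severity <= 4:   # err, warning
        return "quarantine"
    if event.severity == 5:   # notice
        return "alert"
    return "ignore"           # info, debug

def process(lines):
    """Run the policy over raw syslog lines; unparseable lines are dropped."""
    decisions = []
    for line in lines:
        ev = parse_rfc3164(line)
        if ev is not None:
            decisions.append((ev.source, SEVERITY_NAMES[ev.severity], decide(ev)))
    return decisions

SAMPLE = [  # constructed sample events
    "<11>Feb  5 14:02:11 10.20.3.17 ids: signature match on outbound traffic",
    "<2>Feb  5 14:02:12 10.20.3.18 ids: host compromise confirmed",
    "<14>Feb  5 14:03:00 10.20.3.19 sshd: session opened",
    "<13>Feb  5 14:03:01 192.168.1.5 ids: port scan observed",
    "<200>Feb  5 14:03:02 10.20.3.20 bogus: invalid PRI",
]
```

Note that two very different events with the same severity get the same action, which is the limitation the review points out.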