Network Computing is part of the Informa Tech Division of Informa PLC


Rollout: Lockdown Networks Enforcer 4.2.7

The Upshot


Claim
Lockdown Networks' Enforcer 4.2.7 now uses syslog and Web services events to make smarter user containment and other NAC policy decisions. By using real-time information sources, Lockdown aims to eliminate the blind spot that occurs in the time between traditional host assessments.
Context
NAC systems from Consentry, Enterasys and Nevis Networks use IDS events to monitor host activity and could take action on malicious behavior. However, Lockdown is the first to accept syslog events, which opens it to information feeds from a wider variety of sources than its competition.
Credibility
This version is a good start, but has limited utility. It lacks several key features, including the ability to parse syslog event strings, suppress event processing, or rate syslog sources on a scale of credibility. Customers will have to carefully evaluate and adjust their syslog event severities to extract real value from the system. Lockdown agrees that it needs to do more.


Lockdown Networks Enforcer 4.2.7

In most NAC systems, once a host is granted access, it's allowed onto the network until a host reassessment takes place. In the meantime, the NAC system is typically unaware of malicious activity.

Lockdown Networks' latest version of its network access control product, Enforcer 4.2.7, aims to address this weakness by accepting RFC 3164-formatted syslog events and Web services events for use in policy decisions. Enforcer policies can use syslog's severity field and the source IP to react to events by, for example, kicking a device off the network, quarantining it or alerting an administrator.



Products from other NAC vendors, including Consentry Networks, Enterasys Networks and Nevis Networks, can use IDS events to help make policy decisions. Lockdown's Enforcer is the first to accept syslog events, which means it can accept information feeds from IDSs and other network devices.

Although configuring Enforcer to accept syslog events and incorporate them into its policies is easy, Lockdown hasn't provided sufficient event-management capabilities to extract the full value of that information. Also, event severity and source IP aren't really enough to make good policy enforcement decisions. Finally, administrators must assign meaningful severity to syslog events being used by Enforcer at the source, while ensuring that the severity ratings don't affect other event-processing systems that consume the same events.
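
The decision model described above, sketched as an added example (not Lockdown's code or configuration format): it reads the severity from the RFC 3164 PRI field and picks an action from severity and source IP alone. The policy table, addresses and sample messages are constructed, and the source IP is assumed to be the address of the device that sent the syslog event.

```python
import re

# RFC 3164: a message starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Hypothetical policy table (an assumption, not Enforcer's format).
# Per sender: ordered (severity threshold, action) rules. Lower number = more severe.
POLICY = {
    "10.0.0.5": [(2, "quarantine"), (4, "alert_admin")],  # constructed IDS sensor
    "10.0.0.9": [(3, "alert_admin")],                     # constructed firewall
}

def parse_pri(message: str):
    """Return (facility, severity), or None if the PRI part is missing or invalid."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return divmod(pri, 8)

def decide(source_ip: str, message: str) -> str:
    """Choose an action from sender and severity only; the text is never inspected."""
    parsed = parse_pri(message)
    if parsed is None or source_ip not in POLICY:
        return "ignore"
    _, severity = parsed
    for threshold, action in POLICY[source_ip]:
        if severity <= threshold:
            return action
    return "ignore"

# Constructed sample events: (sender address, raw syslog message).
SAMPLES = [
    ("10.0.0.5", "<34>Oct 11 22:14:15 ids1 sensor: worm propagation detected"),
    ("10.0.0.5", "<34>Oct 11 22:14:16 ids1 sensor: log partition 90% full"),
    ("10.0.0.5", "<36>Oct 11 22:14:17 ids1 sensor: port scan observed"),
    ("10.0.0.9", "<38>Oct 11 22:14:18 fw1 kernel: connection accepted"),
    ("192.0.2.7", "<34>Oct 11 22:14:19 unknown app: critical failure"),
]

def evaluate(samples=SAMPLES):
    """Return the action chosen for each sample, in order."""
    return [decide(ip, msg) for ip, msg in samples]

if __name__ == "__main__":
    for (ip, msg), action in zip(SAMPLES, evaluate()):
        print(f"{ip:10} {action:12} {msg}")
```

The first two samples carry the same PRI from the same sender, so a worm alert and a disk-space notice receive the same action, which is why severities have to be tuned at the source.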
