Out-of-band network access control systems ensure that authenticated and properly configured hosts are granted access, while all others are quarantined until they shape up. By leveraging existing network gear, out-of-band systems provide a greater coverage area versus alternative NAC technologies such as in-band and host-based.
Out-of-band NAC products attach to the network from a switch port and, unlike their in-band brethren, don't require recabling. They use various enforcement methods to effectively control host access while aiming to limit the load on networks and administrators. However, out-of-band NAC must overcome problems with integration, reliability, and visibility.
SafeAccess' basic architecture seems solid, but StillSecure needs to polish some rough patches, including cleaning up the management UI, adding better reporting and troubleshooting tools, and simplifying installation and modification.
The first entry in our out-of-band NAC Rolling Review, StillSecure SafeAccess, survived our Syracuse University Real-World Labs gauntlet with mixed results. Once configured, SafeAccess worked as advertised. We could define configuration policies, quarantine both Windows and Mac OS X hosts that failed assessments, and monitor activity. In addition, the product can integrate with Microsoft SMS to update Windows hosts and receive events from StillSecure's StrataGuard IDS/IPS.
However, reporting was limited, and we found troubleshooting host problems difficult. There's no way to remove individual hosts from the system short of deleting the entire database and starting over. Integrating switches can be time consuming. We also had some issues with the ActiveX client getting into what we can only describe as a bad state, requiring us to delete the ActiveX object from the browser and start anew.
We were unable to open or close an 802.1X-enabled port from within the UI--a basic feature for an access control product. And when using 802.1X enforcement, there's no way to handle guest machines that lack an 802.1X supplicant, other than configuring a default guest VLAN. The problem is, clients that end up in this guest VLAN won't be assessed by SafeAccess. Also, the assessment criteria that shipped with the product are a bit limited. StillSecure does create custom checks, but there's generally a two-week turnaround. On the plus side, SafeAccess supports centralized management, and we could separate management functions from enforcement duties.
SafeAccess is primarily out-of-band network access control, but it does provide for a variety of enforcement methods: in-band, as in front of a VPN or remote-access concentrator; DHCP, enforcing access control through DHCP addressing assignment; and 802.1X, using a combination of 802.1X authentication and VLAN assignment. An enforcement point can use only one method at a time, though we could use multiple points simultaneously.
SafeAccess host assessment is via persistent agents, dissolvable agents using ActiveX, or agentless assessment using Windows Domain credentials to query a host. We tested all three methods. Unlike other NAC vendors that license Opswat's Endpoint Security Integration SDK, StillSecure writes its own assessment policies, giving it control over how application and configuration status is derived. While we could create checks for required and forbidden software and services, there is no way to check if a particular application is running. We used the 802.1X enforcement method because it's the most secure, and our infrastructure supports 802.1X.