Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vernier's In-Band NAC Product Takes Work

THE UPSHOT
CLAIM: 
In-band NAC products are superior to out-of-band NAC offerings because they can monitor and filter all traffic passing through the appliance; implementation requires no network changes other than recabling. Since all traffic passes through in-band products, they can act on malicious traffic such as worms, scans, and DoS attacks.
CONTEXT: 
The argument over the best NAC deployment style is based on two questions: When does an assessment occur, and how is access control enforced? Out-of-band NAC products grant network access based on the host's condition, while in-band NAC products restrict access to network resources based on a variety of criteria, one of which is host condition.
CREDIBILITY: 
EdgeWall is a mixed bag of granular, repetitious configuration; flexible policy development and network integration; thorough host assessment; intrusion detection; and network anomaly detection. Tedious configuration combined with spurious management issues, lackluster logging, and the inability to detect subsequent user logins without numerous configuration changes all left us concerned. Vernier has work to do to get this product right for the enterprise.

Vernier Networks' Edgewall and Control Server combination, like other in-band NAC products, uses a passive in-band NAC enforcement point in conjunction with a controller to assess and enforce policies. Vernier's product assesses the state of the host for the duration of the connection. However, the EdgeWall appliance has two gaping problems we could drive a couple of trucks through. Just as we found with ConSentry Networks' LANShield Controller, we could inherit the rights of a logged-in user by logging off and back in using local credentials. The second truck rumbled in when we discovered that even when logging in against our active directory, EdgeWall still didn't detect the new user. After this article went to print, Vernier engineers finally found that it was a configuration issue, which we corrected and tested successfully. Part of the blame lies with a poorly designed management platform, where key policy elements are buried several layers deep.

On top of these security holes, we found the administration interface confusing, with new policies often failing to take effect when first defined. We sometimes had to apply changes several times before they took. Vernier also commits the cardinal sin of making policy development tedious and nonintuitive in an effort to make it powerful.

A further weakness: The Control Server and EdgeWall need to be in constant communication. Unlike other NAC products such as ConSentry's, which maintains the last configured policy, Vernier makes all access decisions on the Control Server. You can set up a secondary controller that will take over in the event the primary one fails.

On the upside, EdgeWall has some unique features that aid network integration. The 8800, which we tested, sports 24 SFP ports split across four card slots. Unlike products from ConSentry and Nevis Networks, where ingress and egress port pairings are one to one, EdgeWall's port assignment is flexible, letting us aggregate multiple host-facing ports onto a single uplink port. Bridge groups and VLAN assignment determine which frames are passed through EdgeWall. In addition, we could create bridge rules that let specific traffic bypass EdgeWall security processing.

THE SAUSAGE FACTORY
Sausage is one of those foods that's messy to make but satisfying in the end. Vernier's management interface is like that. Similar to other NAC products, users move from policy to policy as their condition changes (from boot-up to assessment to domain login). Vernier's policies are made up of an identity profile that combines host and user data; a connection profile, which considers the EdgeWall's location; an integrity profile; and the access policies that define where a host can go in the network.

  • 1