Vernier's In-Band NAC Product Takes Work

EdgeWall has some unique features that help with network integration, but it's got a number of downsides, too.

November 17, 2007


THE UPSHOT

CLAIM: In-band NAC products are superior to out-of-band NAC offerings because they can monitor and filter all traffic passing through the appliance; implementation requires no network changes other than recabling. Since all traffic passes through in-band products, they can act on malicious traffic such as worms, scans, and DoS attacks.

CONTEXT: The argument over the best NAC deployment style is based on two questions: When does an assessment occur, and how is access control enforced? Out-of-band NAC products grant network access based on the host's condition, while in-band NAC products restrict access to network resources based on a variety of criteria, one of which is host condition.

CREDIBILITY: EdgeWall is a mixed bag of granular, repetitious configuration; flexible policy development and network integration; thorough host assessment; intrusion detection; and network anomaly detection. Tedious configuration combined with spurious management issues, lackluster logging, and the inability to detect subsequent user logins without numerous configuration changes all left us concerned. Vernier has work to do to get this product right for the enterprise.

Vernier Networks' EdgeWall and Control Server combination, like other in-band NAC products, uses a passive in-band NAC enforcement point in conjunction with a controller to assess and enforce policies. Vernier's product assesses the state of the host for the duration of the connection. However, the EdgeWall appliance has two gaping problems we could drive a couple of trucks through. Just as we found with ConSentry Networks' LANShield Controller, we could inherit the rights of a logged-in user by logging off and back in using local credentials. The second truck rumbled in when we discovered that even when logging in against our Active Directory, EdgeWall still didn't detect the new user. After this article went to print, Vernier engineers finally found that it was a configuration issue, which we corrected and tested successfully. Part of the blame lies with a poorly designed management platform, where key policy elements are buried several layers deep.

On top of these security holes, we found the administration interface confusing, with new policies often failing to take effect when first defined. We sometimes had to apply changes several times before they took. Vernier also commits the cardinal sin of making policy development tedious and nonintuitive in an effort to make it powerful.

A further weakness: The Control Server and EdgeWall need to be in constant communication. Unlike other NAC products such as ConSentry's, which maintains the last configured policy, Vernier makes all access decisions on the Control Server. You can set up a secondary controller that will take over in the event the primary one fails.

On the upside, EdgeWall has some unique features that aid network integration. The 8800, which we tested, sports 24 SFP ports split across four card slots. Unlike products from ConSentry and Nevis Networks, where ingress and egress port pairings are one to one, EdgeWall's port assignment is flexible, letting us aggregate multiple host-facing ports onto a single uplink port. Bridge groups and VLAN assignment determine which frames are passed through EdgeWall. In addition, we could create bridge rules that let specific traffic bypass EdgeWall security processing.

THE SAUSAGE FACTORY

Sausage is one of those foods that's messy to make but satisfying in the end. Vernier's management interface is like that. Similar to other NAC products, users move from policy to policy as their condition changes (from boot-up to assessment to domain login). Vernier's policies are made up of an identity profile that combines host and user data; a connection profile, which considers the EdgeWall's location; an integrity profile; and the access policies that define where a host can go in the network.

Vernier has abstracted the policy list by combining features within features, but it chose not to abstract some parts, and herein lies the problem. There are a lot of buttons to push just to assign a moderately strict policy. For instance, the system defines 160 different combinations of status, and each requires its own policy. In our test, we wanted to grant access to guests but only if they would submit to a policy scan; otherwise, we would deny them access. That took four different policy entries: one for when the scan status was unknown, which occurs when hosts first connect to the network; one for a pending scan; one for when the host was compliant; and one if the host was noncompliant. Detailed? You bet. Potentially unwieldy? You bet. We would like to see better rule grouping that reduces repetitive tasks.

diagram: How Vernier Works

ASSESSMENT ANY WAY YOU LIKE IT

Vernier's host scanning uses network- or agent-based scans to assess a host. Scans can be performed at login and periodically thereafter. If a host's condition changes, the corresponding policy is applied. Similar to other in-band NAC appliances, new policies are applied as the policy is set, but hosts aren't immediately reassessed.

EdgeWall uses the Nessus scanner engine for network policy scans or a dissolvable agent. Policy scans focus on host configuration, while vulnerability scans look for known vulnerabilities in hosts. Keeping the two scans separate makes sense because there may be times when a policy scan can't be made but a vulnerability scan can.

EdgeWall not only suffers from a hole similar to the one found with ConSentry, where users could log on locally to a computer and get the last user's network access rights, but we also found that EdgeWall didn't detect when different domain users logged on to the same computer. After the article was published, Vernier contacted us with a solution. Because of how policy rules are laid out, we had overlooked setting the appropriate authentication policy for each rule that a user could fall into. Vernier's management platform added to the mistake by having policy settings laid out in multiple tabs, forcing us to repeat steps for each setting. We did test the new settings, however, and subsequent user logins were properly detected. This is a serious flaw in Vernier's system.
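To make the two points above concrete (the four scan-status entries needed for one guest rule, and the risk of a second user inheriting the first user's rights on the same host), here is an added Python sketch that is not Vernier's code or configuration; the access-level names, the `Enforcer` class and the per-MAC session model are hypothetical. It shows the guest rule as a single table keyed on scan status, and a session tracker that forces reassessment whenever a different user appears on a host instead of carrying the previous user's rights forward.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class ScanStatus(Enum):
    UNKNOWN = "unknown"            # host just connected, not yet scanned
    PENDING = "pending"            # policy scan in progress
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"


# Hypothetical access levels (constructed for this example, not Vernier's names).
QUARANTINE = "quarantine"   # may reach only the scanner / remediation resources
GUEST = "guest"             # guest network access
DENY = "deny"               # no access

# The review's guest rule expressed as one grouped table rather than four
# separate policy entries: every scan status maps to exactly one outcome.
GUEST_POLICY: Dict[ScanStatus, str] = {
    ScanStatus.UNKNOWN: QUARANTINE,
    ScanStatus.PENDING: QUARANTINE,
    ScanStatus.COMPLIANT: GUEST,
    ScanStatus.NONCOMPLIANT: DENY,
}


@dataclass
class Session:
    mac: str
    user: Optional[str] = None
    scan: ScanStatus = ScanStatus.UNKNOWN   # every new identity starts unassessed


def decide(session: Session) -> str:
    """Access level for a guest session, looked up from the grouped table."""
    return GUEST_POLICY[session.scan]


class Enforcer:
    """Tracks one session per host MAC; a change of user discards the old session."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.events: List[str] = []   # audit trail of forced reassessments

    def login(self, mac: str, user: str) -> str:
        current = self.sessions.get(mac)
        if current is None or current.user != user:
            # Different identity on the same host: do not inherit prior rights.
            current = Session(mac=mac, user=user)
            self.sessions[mac] = current
            self.events.append(f"reassess {mac} for {user}")
        return decide(current)

    def scan_complete(self, mac: str, status: ScanStatus) -> str:
        self.sessions[mac].scan = status
        return decide(self.sessions[mac])
```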

Once the host is on the network, EdgeWall monitors for malicious activity using network intrusion prevention, protocol anomaly detection, and network anomaly detection. The IDS functionality is standard signature-based matching. Protocol anomalies are typical malformed or malicious traffic. Finally, the network anomaly detection looks for malicious traffic patterns such as high connection rates and flooding--common characteristics indicating scanning, denial-of-service attacks, or worm activity.

IN DETAIL

FEATURED PRODUCT: Vernier Networks' Control Server, starting at $15,000, and EdgeWall 8800, starting at $18,000.

ABOUT THIS ROLLING REVIEW: We tested in-band NAC products using a basic access control policy on an existing network. We focused on policy development, enforcement features, host assessment, logging, and troubleshooting.

ALREADY TESTED: ConSentry Networks

NEXT UP: Nevis Networks

OTHER VENDORS INVITED: Enterasys, Juniper Networks, Nevis Networks, and Nortel Networks

LOGGING AND TROUBLESHOOTING

While we weren't wowed with ConSentry's log visualization graphs, Vernier's are even less useful. Client data isn't viewable for as long as we'd like, and each time the client session's page is updated, the most recent stats are displayed and earlier stats disappear from the management station.

Two tools were invaluable when they worked. The Simulate User Rights tool shows the rights a user would get based on a number of conditions such as user name, policy assessment, MAC address, and other items. The Trace Transaction tool validates that users are authenticating correctly and displays the data returned from the authentication server. Unfortunately, the Simulate User Rights tool expects the user to authenticate and apparently doesn't handle the case where the user fails to do so. That said, the complexity of policy creation on Vernier's system makes simulation tools a necessity.

You will need to take some time learning how to configure and manage EdgeWall's quirks and foibles. The product's flexibility eases integration and will help you tailor the installation to your needs--if you're patient. Vernier needs to work on the management UI, iron out the spurious errors, and develop a tolerant Control Server failure process.

Rolling Reviews present a comprehensive look at a hot technology category, including market analysis, product reviews, and wrapping up with a synopsis of our findings. See other reviews in this in-band NAC series at Rolling Reviews.
