However, CEI requires scripting to auto-install and run at system startup, and its policy options aren't as flexible as those found in Vernier's product. Nor are assessment policies tied to users or groups; rather, a single policy is defined globally and enabled or disabled on individual interfaces.
Nevis gave us a few interesting decisions in terms of installing LANenforcer and LANsight in our test network. The appliances may be managed in-band—meaning management traffic between LANsight and the LANenforcers mingles with log and network traffic—or out of band, where management, log and network traffic can be separated completely. Nevis recommends using out-of-band management, and that makes sense to us because it ensures that management traffic won't be impacted by network or log traffic.
If LANsight appliances are purchased in pairs and deployed in an active/passive configuration, system state is kept current. In the event of failure, the passive system picks up duties. A default policy for new users may be defined on LANenforcers, in the event they lose contact with the LANsight.
Policy processing, as with previously tested products, runs users through multiple passes of the policy as their statuses change. Policy access controls are similar to firewall rules, and LANsight ships with a number of predefined policy templates for common activities, such as allowing authentication to unknown hosts or redirecting to a Web portal page. LANsight can detect and act on a very limited set of applications, including Microsoft and Sun RPC, SIP, FTP and TFTP. A broader set of application support, as well as the ability to define allowed or denied functions and methods within applications, would be useful. Fortunately, because LANsight uses objects to define reusable items, all we needed to modify in the default policies were host-object IP addresses. Default usernames and policies are assigned to the interface as a way to bootstrap the network connection process. User groups are then added to LANsight and can be mapped to group names in Windows Active Directory.
Policies use a hierarchical model, similar to that in ConSentry's LANShield, and so may be reused in other policies. Nevis attempts to clean up policy windows by presenting the inbound and outbound access controls that have been defined for a given policy, as well as an effective policy list showing all entries from inherited policies. Bear in mind, however, that the effective policy is not necessarily a summation of all the access controls a user may be subject to. For example, say user Jane Smith is simultaneously a member of multiple groups, such as Domain Users and Sales. When JSmith logs in successfully, LANsight finds all policies that apply to her; if she's a member of any Active Directory groups mapped in LANsight, those groups' policies are merged. While that's efficient in terms of policy reuse, creating conflicting policies is all too easy. While testing, we applied a fairly strict policy, but users were still able to access services that should not have been available. The effective policy for the Sales group showed "deny all," which was what we wanted, as the last rule. Luckily, the post-login policy evaluator, which simulates a user or group login and presents the resulting access controls based on the merged policies, showed the problem.
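The merge-and-shadow behavior described above can be reproduced in a few lines. This is an added illustration, not Nevis code: the group names, host objects and rules are constructed, and the first-match evaluator and cross-policy conflict check are assumptions about how a post-login evaluator would reason, not LANsight's own implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    dst: str       # destination host object, or "any"
    service: str   # service name, or "any"
    policy: str    # policy the rule was inherited from (kept for explanation)


# Constructed group policies (assumed, not Nevis's templates). The broad
# allow-any-http rule in "Domain Users" ends up ahead of the Sales "deny all"
# once the two policies are merged for a user who is in both groups.
POLICIES = {
    "Domain Users": [
        Rule("allow", "dns-server", "dns", "Domain Users"),
        Rule("allow", "intranet", "http", "Domain Users"),
        Rule("allow", "any", "http", "Domain Users"),
    ],
    "Sales": [
        Rule("allow", "crm", "https", "Sales"),
        Rule("deny", "any", "any", "Sales"),
    ],
}


def matches(rule, dst, service):
    return rule.dst in ("any", dst) and rule.service in ("any", service)


def overlaps(a, b):
    """True when two rules can match the same (dst, service) pair."""
    return all(x == y or "any" in (x, y)
               for x, y in ((a.dst, b.dst), (a.service, b.service)))


def effective_policy(groups):
    """Merged rule list in group order, as the effective-policy view shows it."""
    return [r for g in groups for r in POLICIES[g]]


def evaluate(groups, dst, service):
    """First-match evaluation over the merged policy; implicit deny at the end."""
    for rule in effective_policy(groups):
        if matches(rule, dst, service):
            return rule.action, rule
    return "deny", None


def find_conflicts(groups):
    """Allow rules from one policy that shadow a deny rule inherited from another."""
    rules = effective_policy(groups)
    return [(a, d) for j, d in enumerate(rules) if d.action == "deny"
            for a in rules[:j]
            if a.action == "allow" and a.policy != d.policy and overlaps(a, d)]
```

Running `evaluate(["Domain Users", "Sales"], "fileserver", "http")` returns `allow` even though the Sales policy ends in "deny all", and `find_conflicts` names the three Domain Users rules that shadow it.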
Like other in-line NAC products, LANenforcer can't passively detect user log-offs. But Nevis resolves that issue by using a host agent that maintains a heartbeat. When the heartbeat disappears, the user associated with a host is considered logged off. Agent technology is not always the most palatable solution, but we did find that log-offs were noted quickly and open ports closed promptly.
Host assessments in NAC run the gamut from a simple check for AV to in-depth configuration analysis that duplicates work already done by other management tools, like desktop configuration and patch management systems. Nevis' CEI agent, which performs host assessment, is an ActiveX component that may be installed dynamically using Internet Explorer or via an MSI. If the CEI agent has never been installed, a user must have local Power User rights to download and launch the ActiveX component.
Alternatively, CEI may be installed by an administrator, and then any user can access it. Unlike most persistent agents, CEI needs to be launched through the browser or a log-in script, meaning additional work for users or administrators. Nevis should clean up the persistent install process to make it more streamlined.
CEI policies are global for LANsight, with no way to define diverse requirements for different hosts. At best, you can enable or disable CEI scanning on a per-interface basis. General host assessments that may be performed include service pack and patch levels and running processes. Antivirus and anti-spyware inspections are likewise limited to checking the time of the last signature update and the last system scan. Many organizations' AV policies will be more lenient, especially for mobile computers, and Nevis' options just aren't that flexible.
Once a host is on the network, it must be monitored, and that's where Nevis' Threat Control comes in. We were able to configure detection capabilities and define which actions require enforcement. Threat Control uses a variety of techniques to detect possible malicious activity: Network anomaly detection looks for anomalous traffic patterns, like rapid connection attempts, high connection rates and connection failures, to detect worm activity; protocol anomaly detection looks for bad header or protocol behavior; and signatures detect bad behavior associated with known malware, adware or other potentially undesirable traffic such as P2P file sharing and IM. Traffic anomaly settings can be tuned to reflect local network conditions, and signatures may be enabled or disabled as needed. Threat Control works on a simple scoring mechanism. "Good" actions, like a completed TCP connection, lower the score, while "bad" activity, such as network scanning, increases the score. If a host's score crosses a set threshold, the host may be notified through CEI messaging, or quarantined or blocked. In practice, a host's score will vary based on which traffic the LANenforcer sees, but you'll need to determine a threshold that shouldn't be crossed during normal use. We recommend setting traffic detection to alert-only during initial deployment and monitoring network activity for an average score before you set the system to block or quarantine.
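To make the scoring model and the alert-only baselining advice concrete, here is an added simulation; it is not Nevis code, and the event types, score deltas, sample traffic and the zero floor on the score are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed per-event score deltas; the real Threat Control weights are not given here.
WEIGHTS = {
    "tcp_connect_ok": -1,    # completed connection: "good", lowers the score
    "tcp_connect_fail": 2,   # failed connection: typical of scans and worms
    "scan_port": 3,          # rapid connection attempts to new ports
    "signature_hit": 10,     # known malware/adware signature matched
}


def run_scoring(events, threshold=None, mode="alert"):
    """Replay (host, event) pairs through the scoring model.

    Returns (history, actions): history maps host -> score after each event;
    actions lists (host, action, score) each time a host reaches the threshold.
    In "alert" mode the host keeps being scored and alerted on; in "enforce"
    mode it is quarantined once and its later traffic is no longer processed.
    """
    scores, history = defaultdict(int), defaultdict(list)
    quarantined, actions = set(), []
    for host, kind in events:
        if host in quarantined:
            continue
        scores[host] = max(0, scores[host] + WEIGHTS[kind])  # assumed floor at zero
        history[host].append(scores[host])
        if threshold is not None and scores[host] >= threshold:
            if mode == "enforce":
                quarantined.add(host)
                actions.append((host, "quarantine", scores[host]))
            else:
                actions.append((host, "alert", scores[host]))
    return history, actions


def peak_scores(history):
    """Per-host peak score from an alert-only baseline run, used to pick a threshold."""
    return {host: max(s) for host, s in history.items()}


# Constructed traffic: one ordinary workstation and one host sweeping the subnet.
SAMPLE_EVENTS = (
    [("ws1", "tcp_connect_ok")] * 5 + [("ws1", "tcp_connect_fail")]
    + [("ws1", "tcp_connect_ok")] * 3
    + [("lab2", "tcp_connect_fail")] * 4 + [("lab2", "scan_port")] * 3
)

if __name__ == "__main__":
    baseline, alerts = run_scoring(SAMPLE_EVENTS, threshold=10, mode="alert")
    print("peaks:", peak_scores(baseline), "alerts:", alerts)
    print("enforce:", run_scoring(SAMPLE_EVENTS, threshold=10, mode="enforce")[1])
```

The baseline run shows the workstation never exceeding a score of 2, so a threshold of 10 separates it from the scanning host without false positives on this sample.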
Monitoring and reporting are important features for any network device, but for security boxes tasked with blocking or allowing traffic, the ability to quickly drill down to a particular user or computer and see its status is critical for troubleshooting. LANsight's monitoring features are top-notch, giving informative high-level and detailed views quickly. While all NAC appliances log events, we found Nevis' presentation of event data easily accessible and useful. What's lacking is the capability to generate custom reports natively, though the product does support exporting data to Crystal Reports.
Detail reports, such as user activity, give a clear breakdown of what a user or host has been up to. For example, the User Activity Details report presents network activity and serves as a jumping-off point for dynamically created event filters, such as ongoing and completed connections, attacks sent and received, or dropped access control instances.
Important tabs include Active Policies and Access Control Drops; both help determine why users aren't able to connect to network resources. The Events tab provides an expandable list of event fields, and customized searches can be built—if you know what you're looking for.
Bottom line: LANsight and LANenforcer have a few rough edges that could be cleaned up; in particular, improving the configurability of CEI, adding the ability to generate custom reports, and fixing the few imperfections in event searching would greatly ease ongoing management. But overall, Nevis has done a good job of adding features in a well-thought-out manner. We think the company's next steps should be focusing on more in-depth application support, a path ConSentry is already heading down, and/or deeper host assessment, one of Vernier's strengths.
Mike Fratto is Lead Analyst of the Network Access Control Immersion Center.