Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

In-Band NAC: Three Products You Should Know About

The only must-have for a successful attack? Access. Any security expert or penetration tester will tell you that once she gets in a network, subverting IT systems is just a matter of time. This is one reason wireless is such a boon to attackers--network access is no longer confined to the physical building. Security methods such as wireless encryption keep private data private, but the most critical measure is authenticating systems and users before granting access to the wireless LAN. The same holds for wired networks. While companies stressed over WEP's weaknesses, they were letting contractors, consultants, and other guests onto their wired networks with nary a passing thought.

chart: Strength in Software

Enter in-band network access control. Installed between access layer switches and distribution or core switches, in-band NAC creates a choke point in the network; only systems that pass muster can enter. This is more than a binary decision of grant access/deny access. In-band NAC appliances granularly regulate access to network servers and services. That's a powerful tool for mitigating the problems of wide-open entry rights that plague authentication-only access control systems.

In the products we tested for this Rolling Review--ConSentry Networks' LANShield Controller, Nevis Networks' LANenforcer, and Vernier Networks' Edgewall--access controls are applied when a computer starts to communicate on the network. The assumption is that all hosts require access to some services, such as DHCP for IP configuration, DNS for name resolution, and, in a Windows environment, access to a Domain Controller for login and registration. Broader access controls to other services are applied to users based on conditions such as user name or group membership, host condition, and time of day. Access controls are similar to conventional firewall rules, where source and destination IP addresses, services, and actions (such as allow, deny, or redirect) are defined. As a user's or computer's status changes, the system takes actions based on the best match (see diagram).

All of the appliances installed transparently, requiring only the plugging in of network cables. Vernier's Edgewall let us aggregate many host-facing links onto a single uplink. Authentication status and user names are detected through passive authentication snooping, and users' group memberships could be pulled from a directory. Enforcement capabilities let us control access to hosts and services and redirect users, in the event of a failed authentication or host assessment, to a Web portal.

The products diverged in policy development, host assessment capabilities, post-connection monitoring, and reporting and troubleshooting. NAC is complicated to implement, so management interfaces must make policies readily apparent and reduce repetition while enabling granular access control decisions. Products must also provide administrators with detailed information for troubleshooting as well as general reports for trending and analysis.


  • 1