StillSecure Steps Up

SafeAccess out-of-band NAC appliance performs host assessment and enforcement, but setup and management can be complex.

April 12, 2008

7 Min Read
Network Computing logo

THE UPSHOT

CLAIM: Out-of-band network access control systems ensure that authenticated and properly configured hosts are granted access, while all others are quarantined until they shape up. By leveraging existing network gear, out-of-band systems provide a greater coverage area versus alternative NAC technologies such as in-band and host-based.CONTEXT: Out-of-band NAC products attach to the network from a switch port and, unlike their in-band brethren, don't require recabling. They use various enforcement methods to effectively control host access while aiming to limit the load on networks and administrators. However, out-of-band NAC must overcome problems with integration, reliability, and visibility.CREDIBILITY: SafeAccess' basic architecture seems solid, but StillSecure needs to polish some rough patches, including cleaning up the management UI, adding better reporting and troubleshooting tools, and simplifying installation and modification.

The first entry in our out-of-band NAC Rolling Review, StillSecure SafeAccess, survived our Syracuse University Real-World Labs gauntlet with mixed results. Once configured, SafeAccess worked as advertised. We could define configuration policies, quarantine both Windows and Mac OS X hosts that failed assessments, and monitor activity. In addition, the product can integrate with Microsoft SMS to update Windows hosts and receive events from StillSecure's StrataGuard IDS/IPS.

However, reporting was limited, and we found troubleshooting host problems difficult. There's no way to remove individual hosts from the system short of deleting the entire database and starting over. Integrating switches can be time consuming. We also had some issues with the ActiveX client getting into what we can only describe as a bad state, requiring us to delete the ActiveX object from the browser and start anew.

We were unable to open or close an 802.1X-enabled port from within the UI--a basic feature for an access control product. And when using 802.1X enforcement, there's no way to handle guest machines that lack an 802.1X supplicant, other than configuring a default guest VLAN. The problem is, clients that end up in this guest VLAN won't be assessed by SafeAccess. Also, the assessment criteria that shipped with the product are a bit limited. StillSecure does create custom checks, but there's generally a two-week turnaround. On the plus side, SafeAccess supports centralized management, and we could separate management functions from enforcement duties.

TRIPLE THREATSafeAccess is primarily out-of-band network access control, but it does provide for a variety of enforcement methods: in-band, as in front of a VPN or remote-access concentrator; DHCP, enforcing access control through DHCP addressing assignment; and 802.1X, using a combination of 802.1X authentication and VLAN assignment. An enforcement point can use only one method at a time, though we could use multiple points simultaneously.

SafeAccess host assessment is via persistent agents, dissolvable agents using ActiveX, or agentless assessment using Windows Domain credentials to query a host. We tested all three methods. Unlike other NAC vendors that license Opswat's Endpoint Security Integration SDK, StillSecure writes its own assessment policies, giving it control over how application and configuration status is derived. While we could create checks for required and forbidden software and services, there is no way to check if a particular application is running. We used the 802.1X enforcement method because it's the most secure, and our infrastructure supports 802.1X.

DIG DEEPER

NEW TO NAC?

Our network access control primer can help you determine which architecture best fits your needs.

Download this InformationWeek Report

>> See all our Reports <<

Installation and ongoing modifications are rather hands-on affairs, requiring us to configure the product through both the command line and GUI, an odd mix. In addition, altering some configuration settings, like SafeAccess' ability to control a switch, required messing with scripts. Never fun.

As with other out-of-band NAC products, assessing against policy is a three-step process: compare the host's condition against a pre-defined policy, determine what action should be taken, then take the action. Our policy was fairly simple. If a host's condition was acceptable, the computer would be assigned to a VLAN. If the host failed and needed remediation, off to quarantine until it passed.Policies are grouped, and policy groups are assigned to SafeAccess enforcement points or clusters. Polices can be applied to hosts based on a limited set of criteria, such as operating system, Windows domain, IP address or range, and MAC address.

Policy assignment is missing some important functionality. For example, policy selection is based solely on identification of the computer, rather than on the user who is logged in. In a way, this makes sense because out-of-band NAC products like SafeAccess don't handle post-connection enforcement--hosts are either on or off the network. However, computers can be assigned to groups in Active Directory, yet SafeAccess doesn't use group membership to assign hosts to policies. And policies generally didn't offer us many configuration options.

Policies can be arranged in order, and the first match wins. A common tactic is to put specific host groups at the top of the list and set the default policy as the last policy in the list, for use by guests.

IN DETAIL

FEATURED PRODUCT:StillSecure SafeAccess V5; $20 per user at 2,500 seatsABOUT THIS ROLLING REVIEW:

We tested out-of-band NAC products using a basic access control policy on an existing network. We focused on policy development, enforcement features, host assessment, logging, and troubleshooting.NEXT UP:Hewlett-Packard NAC-800OTHER VENDORS INVITED:AEP Networks, Array Networks, Bradford, Cisco, Enterasys, FireEye, ForeScout Technologies, Hewlett-Packard, ImpulsePoint, InfoExpress, Juniper, Mirage, Nortel, Sophos, Symantec, Trend Micro, and TippingPoint Technologies

Once a user logs on via 802.1X, SafeAccess quarantines and assesses the host, either with a persistent agent or via an ActiveX client that the user must download and launch. Alternatively, SafeAccess can assess hosts using Windows remote procedure calls.Guests can download agents from SafeAccess and, with local administrator privileges, install them. Otherwise, when an agentless system opens Internet Explorer and attempts to access a Web site, the user will be redirected to SafeAccess and told to install the ActiveX component and have the host assessed. SafeAccess can allow hosts to access some Web sites, like Windows Update, without passing an assessment. However, be careful how you define allowable URLs: By default, Microsoft.com is defined as an accessible host. That means when IE starts up, if the home page is Microsoft.com, it will be granted access. The user won't be assessed until she goes elsewhere.

Note that once the ActiveX agent is running and the host passes the assessment and has been moved to the production network, the browser window must remain open to keep the ActiveX agent running. Agentless assessment uses either user-supplied credentials on the host or domain administrator credentials defined in SafeAccess. Multiple accounts may be added per domain, and multiple domains can be defined.

WATCH AND LEARN

SafeAccess' monitoring facilities are acceptable; however, report generation lacks important features, and troubleshooting is difficult at best. Endpoint activity is monitored and IT may generate a list of computers that are granted access, quarantined, or transitioning from one state to another. A variety of host data is available for real-time and historical reporting.

SafeAccess ships with some canned reports, but there's no facility to create new templates or schedule reports. We could, of course, use syslog to forward events, but that's cumbersome, requiring command line configuration. StillSecure does have an API that uses Java Message Service to respond to requests, and SafeAccess ships with sample scripts for using JMS. If you have developers, you may be able to roll your own reports--however, we'd really like to see custom reporting, report scheduling, and simpler event forwarding built into the product. Still, at $20 per user at 2,500 seats, pricing is on par with functionality.

InformationWeek's Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. See our out-of-band NAC kickoff and other NAC reviews at Rolling Reviews.

0

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights