In the products we tested for this Rolling Review--ConSentry Networks' LANShield Controller, Nevis Networks' LANenforcer, and Vernier Networks' Edgewall--access controls are applied when a computer starts to communicate on the network. The assumption is that all hosts require access to some services, such as DHCP for IP configuration, DNS for name resolution, and, in a Windows environment, access to a Domain Controller for login and registration. Broader access controls to other services are applied to users based on conditions such as user name or group membership, host condition, and time of day. Access controls are similar to conventional firewall rules, where source and destination IP addresses, services, and actions (such as allow, deny, or redirect) are defined. As a user's or computer's status changes, the system takes actions based on the best match (see diagram).
All of the appliances installed transparently, requiring only the plugging in of network cables. Vernier's Edgewall let us aggregate many host-facing links onto a single uplink. Authentication status and user names are detected through passive authentication snooping, and users' group memberships could be pulled from a directory. Enforcement capabilities let us control access to hosts and services and redirect users, in the event of a failed authentication or host assessment, to a Web portal.
The products diverged in policy development, host assessment capabilities, post-connection monitoring, and reporting and troubleshooting. NAC is complicated to implement, so management interfaces must make policies readily apparent and reduce repetition while enabling granular access control decisions. Products must also provide administrators with detailed information for troubleshooting as well as general reports for trending and analysis. MAKE THE RULES