In-Band NAC: Three Products You Should Know About: Page 2 of 5

Whether you just want to give guests limited access while allowing corporate users full run of the network or you want to grant restricted access to specific servers based on a user's group, policy development is where you'll spend much of your management time.

Hierarchical management, where rules applied to parent roles are inherited by child roles, simplifies policy making. ConSentry's manager uses hierarchical management, while Nevis' uses rule groups. Vernier depends on an outdated model requiring repetitive policy development. With Edgewall, computers need access to basic services like DHCP and DNS and to your authentication system, whether Active Directory or a Web portal, regardless of their status. Using hierarchical management, we could define a complex policy just once, and it would be available for reuse. Vernier's model, in contrast, had us repeating policy configuration tasks, leading to mistakes that cut users off the network and made troubleshooting difficult, even with our relatively simple test network and policy set. More complex policies would be unmanageable. This is a problem Vernier must address.
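The inheritance model described above can be sketched in a few lines. This is an added example, not code or configuration from any of the reviewed products. The role names, addresses, ports and the evaluation order (parent rules first, first match wins, default deny) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dest: str                   # destination CIDR
    port: Optional[int] = None  # None matches any port

    def matches(self, proto: str, dest_ip: str, port: int) -> bool:
        return (self.proto in ("any", proto)
                and ip_address(dest_ip) in ip_network(self.dest)
                and self.port in (None, port))

@dataclass
class Role:
    name: str
    parent: Optional["Role"] = None
    rules: List[Rule] = field(default_factory=list)

    def effective_rules(self) -> List[Rule]:
        # Walk up to the root, then list rules root-first so inherited
        # baseline rules are evaluated before a child's own rules.
        chain, role = [], self
        while role is not None:
            chain.append(role)
            role = role.parent
        return [r for node in reversed(chain) for r in node.rules]

    def decide(self, proto: str, dest_ip: str, port: int) -> str:
        for rule in self.effective_rules():
            if rule.matches(proto, dest_ip, port):
                return rule.action
        return "deny"  # nothing matched: default deny

# Constructed sample policy; all addresses are made up for illustration.
base = Role("base", rules=[
    Rule("allow", "udp", "10.0.0.2/32", 67),   # DHCP
    Rule("allow", "udp", "10.0.0.3/32", 53),   # DNS
    Rule("allow", "tcp", "10.0.0.4/32", 389),  # directory / authentication
])
guest = Role("guest", base, [Rule("deny", "any", "10.0.0.0/8"),
                             Rule("allow", "tcp", "0.0.0.0/0", 443)])
employee = Role("employee", base, [Rule("allow", "any", "10.1.0.0/16")])
finance = Role("finance", employee, [Rule("allow", "tcp", "10.2.0.10/32", 1433)])
```

The baseline services are written once on `base`; in a flat model the same three rules would have to be copied into every role, which is where the repetition errors described above come from.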

ASSESS YOURSELF

Host assessment--the value of which is hotly debated--comprises everything from checking for installed and running (or not running) software to patch configuration to monitoring network activity after a policy has been applied. Network monitoring is a unique strength available to in-band NAC products because the appliances see all the packets passing through them.

Both ConSentry's and Nevis' host assessment capabilities are sparse. ConSentry licenses Check Point's Integrity Clientless Security product, while Nevis wrote its own ActiveX agent but licenses Opswat's libraries for host assessment. One policy is applied globally to all hosts, which limits the conditions you can check for and access decisions you can make based on the assessment. Nevis' agent has the unique ability to determine when a user has logged off the computer, regardless of whether the user was logged in to a domain or locally.