The first entry in our out-of-band NAC Rolling Review, StillSecure SafeAccess, survived our Syracuse University Real-World Labs gauntlet with mixed results. Once configured, SafeAccess worked as advertised. We could define configuration policies, quarantine both Windows and Mac OS X hosts that failed assessments, and monitor activity. In addition, the product can integrate with Microsoft SMS to update Windows hosts and receive events from StillSecure's StrataGuard IDS/IPS.

However, reporting was limited, and we found troubleshooting host problems difficult. There's no way to remove individual hosts from the system short of deleting the entire database and starting over. Integrating switches can be time consuming. We also had some issues with the ActiveX client getting into what we can only describe as a bad state, requiring us to delete the ActiveX object from the browser and start anew.

We were unable to open or close an 802.1X-enabled port from within the UI--a basic feature for an access control product. And when using 802.1X enforcement, there's no way to handle guest machines that lack an 802.1X supplicant, other than configuring a default guest VLAN. The problem is, clients that end up in this guest VLAN won't be assessed by SafeAccess. Also, the assessment criteria that shipped with the product are a bit limited. StillSecure does create custom checks, but there's generally a two-week turnaround. On the plus side, SafeAccess supports centralized management, and we could separate management functions from enforcement duties.

TRIPLE THREAT
SafeAccess is primarily out-of-band network access control, but it does provide for a variety of enforcement methods: in-band, as in front of a VPN or remote-access concentrator; DHCP, enforcing access control through DHCP addressing assignment; and 802.1X, using a combination of 802.1X authentication and VLAN assignment. An enforcement point can use only one method at a time, though we could use multiple points simultaneously.

SafeAccess host assessment is via persistent agents, dissolvable agents using ActiveX, or agentless assessment using Windows Domain credentials to query a host. We tested all three methods. Unlike other NAC vendors that license Opswat's Endpoint Security Integration SDK, StillSecure writes its own assessment policies, giving it control over how application and configuration status is derived. While we could create checks for required and forbidden software and services, there is no way to check if a particular application is running. We used the 802.1X enforcement method because it's the most secure, and our infrastructure supports 802.1X.

Installation and ongoing modifications are rather hands-on affairs, requiring us to configure the product through both the command line and GUI, an odd mix. In addition, altering some configuration settings, like SafeAccess' ability to control a switch, required messing with scripts. Never fun.

As with other out-of-band NAC products, assessing against policy is a three-step process: compare the host's condition against a pre-defined policy, determine what action should be taken, then take the action. Our policy was fairly simple. If a host's condition was acceptable, the computer would be assigned to a VLAN. If the host failed and needed remediation, off to quarantine until it passed.