In-line NAC Rolling Review: Nevis Networks


LANenforcer is at the head of the class in this Rolling Review thus far, though it does have room for improvement.



THE UPSHOT
CLAIM: In-line NAC products are superior to out-of-band systems because they can monitor and filter all traffic passing through the appliance and require no network changes other than re-cabling. Network visibility also means in-line products can act on malicious traffic such as worms and DoS attacks.

CONTEXT: The best NAC deployment style is based on two principles: When does an assessment occur, and how is access control enforced? Out-of-band NAC tends to place hosts onto networks based on host condition, while in-band NAC generally restricts access based on a wide variety of criteria.

CREDIBILITY: Nevis' products are quite polished, although some advanced features, including application access control support and deep host assessment, aren't on par with competitors. However, Nevis' management station is both informative and simple to use, two must-haves for smooth ongoing management. Its agent-based login tracking closes a big hole with in-line NAC, but agent functions could be improved.

Nevis Networks' LANenforcer is the most polished in-line network access control, or NAC, product we've tested in this Rolling Review, though there are still a few smudges for Nevis to address. On the plus side, the monitoring and troubleshooting tools in the LANsight One management platform are far and away the most complete and useful we've seen thus far. And Nevis' endpoint assessment agent, dubbed Clientless Endpoint Integrity, or CEI, offers such unique features as login tracking and messaging.

LANenforcer 2024 (supports 1,000 users)

However, CEI requires scripting to auto-install and run at system startup, and policy options aren't as flexible as those in Vernier Networks' product. Nor are assessment policies tied to users or groups.

Nevis gave us a few interesting decisions to make when installing LANenforcer and LANsight. The appliances may be managed in-band--meaning management traffic between LANsight and the LANenforcer mingles with log and network traffic--or out of band, where management, log, and network traffic can be separated. Nevis recommends out-of-band management, and that makes sense to us. If LANsight appliances are purchased in pairs and deployed in an active/passive configuration, system state is kept current between them. In the event of failure, the passive system picks up duties, and a default policy for new users may be defined on the LANenforcers themselves.

Policy processing, as with previously tested products, runs users through multiple passes of the policy as their statuses change. LANsight ships with a number of predefined policy templates for common activities, such as allowing authentication to unknown hosts or redirecting to a Web portal page. LANsight can detect and act on a very limited set of applications; broader app support, as well as the ability to define allowed or denied functions and methods within applications, would be useful. User groups can be mapped to group names in Windows Active Directory.

Policies use a hierarchical model, similar to that in ConSentry's LANShield, and so may be reused. Nevis attempts to clean up policy windows by presenting the inbound and outbound access controls that have been defined for a given policy, as well as an effective policy list showing all entries from inherited policies. Bear in mind, however, that while that's efficient in terms of policy reuse, we found it can create unintended consequences, and conflicts are all too easy to set up.

IN DETAIL
FEATURED PRODUCT:
LANenforcer 2024, $34,995 for 1,000 users; LANsight One Security Management Appliance, $9,500; Client Endpoint Integrity included.

ABOUT THIS ROLLING REVIEW:
We tested in-line NAC products using a basic access control policy on an existing network. We focused on policy development, enforcement features, host assessment, logging, and troubleshooting.

ALREADY TESTED:
ConSentry Networks
Vernier Networks

NEXT UP:
Wrap-up

OTHER VENDORS INVITED:
Enterasys, Juniper Networks, and Nortel Networks

Like other in-line NAC products, LANenforcer can't passively detect user logoffs. Nevis resolves that issue by using a host agent that maintains a heartbeat. When the heartbeat disappears, the user associated with a host is considered logged off. We found that logoffs were noted quickly and open ports closed promptly.

Host assessments in NAC run the gamut from a simple check for antivirus software to in-depth configuration analysis that duplicates work already done by other management tools, like desktop configuration and patch management systems. Nevis' CEI agent, which performs host assessment, is an ActiveX component that may be installed dynamically using Internet Explorer or via an MSI. Unlike most persistent agents, CEI needs to be launched through the browser or a login script, which means additional work for users or administrators. Nevis should clean up the persistent installation process to make it more streamlined.

CEI policies are global for LANsight, with no way to define different requirements for different hosts. At best, you can enable or disable CEI scanning on a per-interface basis. Antivirus and anti-spyware inspections are also limited to checking when the last signature update and the last system scan occurred.

Once a host is on the network, it must be monitored, and that's where Nevis' Threat Control comes in, using a variety of techniques to detect malicious activity: network anomaly detection, protocol anomaly detection, and signatures to detect bad behavior associated with known malware, adware, or other potentially undesirable traffic. Anomaly settings can be tuned to reflect local network conditions, and signatures may be enabled or disabled.

Threat Control works on a simple scoring mechanism. "Good" actions, like a completed TCP connection, lower the score, while "bad" activity, such as network scanning, increases the score. If a host's score crosses a set threshold, the host may be notified through CEI messaging, quarantined, or blocked. We recommend setting traffic detection to alert-only during initial deployment and monitoring network activity for an average score before you set the system to block or quarantine.
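As an added illustration (not Nevis' code or its actual algorithm), here is a constructed Python model of the scoring scheme described above: good events lower a host's score, bad events raise it, crossing a threshold triggers an action, and alert-only mode records what would have happened while a baseline is collected. The event names, weights, threshold and addresses are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean

# Constructed weights (assumptions; the vendor publishes no numbers).
# Negative deltas are "good" actions, positive deltas are "bad" ones.
EVENT_WEIGHTS = {
    "tcp_complete": -1,  # finished three-way handshake: benign traffic
    "syn_no_ack": 3,     # SYN that never completes: scan-like
    "port_scan": 10,     # many ports probed in a short window
}
SCORE_FLOOR = 0          # a host cannot bank "credit" below zero

@dataclass
class HostState:
    score: int = 0
    peak: int = 0
    actions: list = field(default_factory=list)  # (event, score, action)

class ThreatControl:
    """Per-host score tracker with a tunable threshold and alert-only mode."""

    def __init__(self, threshold, alert_only=True):
        self.threshold = threshold
        self.alert_only = alert_only
        self.hosts = defaultdict(HostState)

    def observe(self, host, event):
        state = self.hosts[host]
        state.score = max(SCORE_FLOOR, state.score + EVENT_WEIGHTS[event])
        state.peak = max(state.peak, state.score)
        if state.score >= self.threshold:
            # Alert-only records the verdict; enforcement mode quarantines.
            action = "alert" if self.alert_only else "quarantine"
            state.actions.append((event, state.score, action))
        return state.score

    def baseline(self):
        """Average peak score across hosts, used to pick an enforcement threshold."""
        return mean(s.peak for s in self.hosts.values())

# Constructed sample of (host, event) pairs as the appliance might see them.
SAMPLE_EVENTS = [
    ("10.0.0.5", "tcp_complete"), ("10.0.0.5", "tcp_complete"),
    ("10.0.0.5", "syn_no_ack"),   ("10.0.0.5", "tcp_complete"),
    ("10.0.0.9", "syn_no_ack"),   ("10.0.0.9", "syn_no_ack"),
    ("10.0.0.9", "port_scan"),    ("10.0.0.9", "syn_no_ack"),
]

def run(events=SAMPLE_EVENTS, threshold=12, alert_only=True):
    tc = ThreatControl(threshold, alert_only)
    for host, event in events:
        tc.observe(host, event)
    return tc
```

Running in alert-only mode first gives a per-host peak and an average baseline to compare against before the threshold is switched to quarantine or block.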
