Rolling Review wraps up assessment of ConSentry's LANShield Controller, Nevis' LANenforcer, and Vernier's Edgewall.
The only must-have for a successful attack? Access. Any security expert or penetration tester will tell you that once she gets into a network, subverting IT systems is just a matter of time. This is one reason wireless is such a boon to attackers--network access is no longer confined to the physical building. Security methods such as wireless encryption keep private data private, but the most critical measure is authenticating systems and users before granting access to the wireless LAN. The same holds for wired networks. While companies stressed over WEP's weaknesses, they were letting contractors, consultants, and other guests onto their wired networks with nary a passing thought.
Enter in-band network access control. Installed between access layer switches and distribution or core switches, in-band NAC creates a choke point in the network; only systems that pass muster can enter. This is more than a binary decision of grant access/deny access. In-band NAC appliances granularly regulate access to network servers and services. That's a powerful tool for mitigating the problems of wide-open entry rights that plague authentication-only access control systems.
In the products we tested for this Rolling Review--ConSentry Networks' LANShield Controller, Nevis Networks' LANenforcer, and Vernier Networks' Edgewall--access controls are applied when a computer starts to communicate on the network. The assumption is that all hosts require access to some services, such as DHCP for IP configuration, DNS for name resolution, and, in a Windows environment, access to a Domain Controller for login and registration. Broader access controls to other services are applied to users based on conditions such as user name or group membership, host condition, and time of day. Access controls are similar to conventional firewall rules, where source and destination IP addresses, services, and actions (such as allow, deny, or redirect) are defined. As a user's or computer's status changes, the system takes actions based on the best match (see diagram).
All of the appliances installed transparently, requiring only that we plug in network cables. Vernier's Edgewall let us aggregate many host-facing links onto a single uplink. Authentication status and user names were detected through passive authentication snooping, and users' group memberships could be pulled from a directory. Enforcement capabilities let us control access to hosts and services and, in the event of a failed authentication or host assessment, redirect users to a Web portal.
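As an added illustration, not code from the review or from any of the three products, here is a small Python model of the policy behavior just described: bootstrap services allowed before authentication, redirection to a portal on failed authentication or host assessment, and best-match selection among rules keyed on destination, service, user group, host condition and time of day. The rule names, addresses, group names and the longest-prefix-then-most-conditions ordering are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed model of the in-band NAC policy described above: session state plus
# destination, service and time of day pick the best-matching rule and its action.
Session = namedtuple("Session", "authenticated posture_ok groups")

@dataclass
class Rule:
    name: str
    action: str                      # "allow", "deny" or "redirect" (to the Web portal)
    dst: str = "0.0.0.0/0"           # destination network, default any
    service: str = "*"               # e.g. "udp/53"; "*" is any
    auth: Optional[bool] = None      # None means the condition is not checked
    posture: Optional[bool] = None   # result of the host assessment
    group: Optional[str] = None      # directory group membership
    hours: Optional[tuple] = None    # (start, end) time-of-day window

    def matches(self, s, dst_ip, service, now):
        return (ip_address(dst_ip) in ip_network(self.dst)
                and self.service in ("*", service)
                and self.auth in (None, s.authenticated)
                and self.posture in (None, s.posture_ok)
                and (self.group is None or self.group in s.groups)
                and (self.hours is None or self.hours[0] <= now.time() < self.hours[1]))

    def specificity(self):  # assumed best-match order: longest prefix, then most conditions
        n = sum(x is not None for x in (self.auth, self.posture, self.group, self.hours))
        return (ip_network(self.dst).prefixlen, n + (self.service != "*"))

# Constructed sample policy; addresses and group names are illustrative.
POLICY = [
    Rule("dns", "allow", service="udp/53"),                       # pre-auth bootstrap
    Rule("domain-controller", "allow", dst="10.0.0.10/32", service="tcp/88"),
    Rule("portal-unauth", "redirect", service="tcp/80", auth=False),
    Rule("portal-quarantine", "redirect", service="tcp/80", posture=False),
    Rule("finance-app", "allow", dst="10.0.5.0/24", service="tcp/443",
         auth=True, posture=True, group="finance", hours=(time(7), time(19))),
    Rule("finance-net-others", "deny", dst="10.0.5.0/24", auth=True),
    Rule("internal-any", "allow", dst="10.0.0.0/8", auth=True, posture=True),
]

def decide(policy, session, dst_ip, service, now):
    best = None                      # with no matching rule the default is deny
    for rule in policy:
        if rule.matches(session, dst_ip, service, now):
            if best is None or rule.specificity() > best.specificity():
                best = rule          # ties keep the earlier rule, as firewalls do
    return (best.action, best.name) if best else ("deny", "default")
```

Re-running `decide` as a session's authentication or posture state changes shows how the same destination and service can resolve to allow, redirect or deny.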
The products diverged in policy development, host assessment capabilities, post-connection monitoring, and reporting and troubleshooting. NAC is complicated to implement, so management interfaces must make policies readily apparent and reduce repetition while enabling granular access control decisions. Products must also provide administrators with detailed information for troubleshooting as well as general reports for trending and analysis.