In-Band NAC: Three Products You Should Know About - InformationWeek
1/16/2008
03:00 PM
Mike Fratto

In-Band NAC: Three Products You Should Know About

Rolling Review wraps up assessment of ConSentry's LANShield Controller, Nevis' LANenforcer, and Vernier's Edgewall.

The only must-have for a successful attack? Access. Any security expert or penetration tester will tell you that once she gets in a network, subverting IT systems is just a matter of time. This is one reason wireless is such a boon to attackers--network access is no longer confined to the physical building. Security methods such as wireless encryption keep private data private, but the most critical measure is authenticating systems and users before granting access to the wireless LAN. The same holds for wired networks. While companies stressed over WEP's weaknesses, they were letting contractors, consultants, and other guests onto their wired networks with nary a passing thought.

chart: Strength in Software
Enter in-band network access control. Installed between access layer switches and distribution or core switches, in-band NAC creates a choke point in the network; only systems that pass muster can enter. This is more than a binary decision of grant access/deny access. In-band NAC appliances granularly regulate access to network servers and services. That's a powerful tool for mitigating the problems of wide-open entry rights that plague authentication-only access control systems.

In the products we tested for this Rolling Review--ConSentry Networks' LANShield Controller, Nevis Networks' LANenforcer, and Vernier Networks' Edgewall--access controls are applied when a computer starts to communicate on the network. The assumption is that all hosts require access to some services, such as DHCP for IP configuration, DNS for name resolution, and, in a Windows environment, access to a Domain Controller for login and registration. Broader access controls to other services are applied to users based on conditions such as user name or group membership, host condition, and time of day. Access controls are similar to conventional firewall rules, where source and destination IP addresses, services, and actions (such as allow, deny, or redirect) are defined. As a user's or computer's status changes, the system takes actions based on the best match (see diagram).
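The rule model described above, sketched as an added example that is not code from the article or from any of the reviewed products. The addresses, group names, and the ordering used for "best match" (group-scoped and health-gated rules outrank general ones, then longer prefixes) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Session:                       # what the appliance currently knows about a host
    groups: frozenset = frozenset()  # empty until a login is observed and looked up
    healthy: bool = False            # result of the host assessment
    now: time = time(12, 0)

@dataclass(frozen=True)
class Rule:
    dst: str                         # destination network (CIDR)
    service: str                     # "proto/port", or "*" for any
    action: str                      # "allow", "deny" or "redirect"
    group: Optional[str] = None      # None: applies to every host, authenticated or not
    need_healthy: bool = False
    hours: tuple = (time(0, 0), time(23, 59, 59))

    def matches(self, s, dst, service):
        return (ip_address(dst) in ip_network(self.dst)
                and self.service in ("*", service)
                and (self.group is None or self.group in s.groups)
                and (s.healthy or not self.need_healthy)
                and self.hours[0] <= s.now <= self.hours[1])

    def specificity(self):           # assumed ordering for "best match"
        return (self.group is not None, self.need_healthy,
                ip_network(self.dst).prefixlen, self.service != "*")

# Constructed policy; all addresses and group names are made up.
POLICY = [
    Rule("10.0.0.2/32", "udp/67", "allow"),      # DHCP server
    Rule("10.0.0.2/32", "udp/53", "allow"),      # DNS
    Rule("10.0.0.3/32", "tcp/88", "allow"),      # Domain Controller login
    Rule("0.0.0.0/0", "tcp/80", "redirect"),     # web portal for everyone else
    Rule("0.0.0.0/0", "tcp/80", "allow", group="staff", need_healthy=True),
    Rule("10.0.20.0/24", "tcp/443", "allow", group="finance",
         need_healthy=True, hours=(time(8, 0), time(18, 0))),
]

def decide(session, dst, service, policy=POLICY):
    """Return the action of the most specific matching rule; deny if none match."""
    hits = [r for r in policy if r.matches(session, dst, service)]
    return max(hits, key=Rule.specificity).action if hits else "deny"
```

Re-running `decide` with an updated `Session` models the status change the paragraph mentions: the same host moves between the baseline, portal redirect, and group-level access as its authentication and assessment results change.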

All of the appliances installed transparently, requiring only the plugging in of network cables. Vernier's Edgewall let us aggregate many host-facing links onto a single uplink. Authentication status and user names are detected through passive authentication snooping, and users' group memberships could be pulled from a directory. Enforcement capabilities let us control access to hosts and services and redirect users, in the event of a failed authentication or host assessment, to a Web portal.

The products diverged in policy development, host assessment capabilities, post-connection monitoring, and reporting and troubleshooting. NAC is complicated to implement, so management interfaces must make policies readily apparent and reduce repetition while enabling granular access control decisions. Products must also provide administrators with detailed information for troubleshooting as well as general reports for trending and analysis.
