NetClarity is introducing a new generation of its NAC gear called Second Generation NAC which lets customers inventory and fingerprint network devices and using heuristics to identify possible malware activity.
IN PICTURES: Hot products from RSA 2011
One goal of the NACwall 2G gear is to identify and isolate rogue devices deployed on corporate networks, the company says.
The appliances are supplemented by online services that include updates for malware signatures, zero-day attacks and vulnerabilities, which cost 30% of the price of an appliance per year.
NACwall 2G identifies all devices connected to networks -- including smartphones, tablets, rogue wireless access points and the like -- and also identifies users via the RSA tokens and ActiveDirectory. Users and their machine IDs are linked using location data, VLAN and MAC addresses. The combination of this information creates fingerprints for devices that are then used to track them.
The devices also identify and remediate new threats and vulnerabilities, the company says, all without requiring software agents on end devices. For access control, NetClarity uses 802.1Q LVAN tagging, an old protocol supported by virtually any switch. The company says this can avoid upgrades to 802.1x port-based access control commonly used by other NAC vendors and which NetClarity says is readily hacked.
The first time an asset logs on to the network with NAC in place, it is automatically quarantined after 10 millisec access to the network. While quarantined in a VLAN, asset discovery is performed on it without its blocking engine turned on.
Devices can be monitored to establish baseline normal behavior so anomalies can be better detected. Then the device is assigned to an appropriate VLAN which has its own rules. The goal is to confirm the network topology before enforcement starts.
Anomalies in behavior can be flagged or blocked in an effort to identify an halt zero-day attacks for which there are no signatures yet.
Devices are fingerprinted via an automatic audit and their operating systems are probed for common vulnerabilities and exposures. Any problems that are discovered get reported. The audit runs a battery of attempts to connect with devices and analyzes how they respond to detect details about them and their configuration. After the initial audit, it runs a differential audit in the future to reduce the time the audit takes. The first one takes about five minutes.
Reports from the device can be used to support security audits by regulators.
The appliances support from 250 to 2,000 devices and 10 to 80 VLANs.