Cram Session: Network Access Control

continued from page 2

NAC appliances reveal who's rapping at your network door

As comprehensive as this appliance is, it does have one flaw: Instead of a Java or ActiveX scan engine, Vernier uses SMB credentials to gain access to the client. The scan engine needs a user name and password with rights to the local device in order to perform a thorough policy compliance check. This requirement also means that Mac and UNIX hosts cannot be scanned to the same level as Windows hosts. The end point compliance service, however, can scan a host for open ports or other vulnerabilities that don't require local access to the system. I like that I could scan a host during authentication and also rescan the host on a recurring interval. This feature helps prevent users from disabling their anti-virus software after logging in. If this should happen, the EdgeWall would move the client into the appropriate policy until it was back in compliance.

Reporting is one weak area in EdgeWall. Admins can send log data to a syslog server or directly to a Network Intelligence system. Raw log files are available on the appliance, and you can apply some basic filters such as time period and severity, but graphical reports and user statistics are not available.

All of the NAC appliances I reviewed need some improvement, but Caymas and Vernier are clearly on the right track. When Nevis releases its host assessment service, and if the company works on its UI, its solution will be worth consideration. Lockdown is interesting because it doesn't require IT to rip and replace a closetful of switches (a la Cisco); it works with what is already in place. Its use of VLANs is unique but does cause us to worry about scalability and flexibility. When deployed with some foresight, however, it will work well.
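To make the assessment and enforcement mechanics described above concrete (a credentialed check versus an agentless port scan, a recurring rescan that moves a host into a remediation policy until it is back in compliance, and Lockdown-style per-port VLAN assignment on a managed switch), here is an added example in Python. It is not code from Vernier, Lockdown or any other vendor in this review; the VLAN names, blocked-port list, signature-age threshold, host names and the entire timeline are constructed assumptions.

```python
"""Toy NAC policy engine: endpoint posture -> per-port VLAN on a managed switch.

Added example for this review; not code from Vernier, Lockdown or any other
vendor. Thresholds, VLAN names and the blocked-port list are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Vlan(str, Enum):
    PRODUCTION = "vlan100-production"   # fully compliant host
    LIMITED = "vlan200-limited"         # posture could not be verified in depth
    QUARANTINE = "vlan666-remediation"  # failed a check; remediation servers only


# Assumed policy: client services that must not be exposed, and the oldest
# anti-virus signatures we accept.
BLOCKED_PORTS = {23: "telnet", 5900: "vnc"}
MAX_SIG_AGE_DAYS = 7


@dataclass
class Posture:
    """Result of one assessment of a host (sample data is constructed below)."""
    host: str
    credentialed: bool                  # had admin (SMB) credentials for a deep check
    open_ports: frozenset = frozenset()
    av_running: Optional[bool] = None   # None: unknown, e.g. agentless scan only
    av_sig_age_days: Optional[int] = None


def evaluate(p: Posture) -> tuple:
    """Map a posture to a VLAN; also returns the reasons for any downgrade."""
    reasons = []
    for port in sorted(p.open_ports):
        if port in BLOCKED_PORTS:
            reasons.append(f"port {port}/{BLOCKED_PORTS[port]} exposed")
    if p.credentialed:
        if not p.av_running:
            reasons.append("anti-virus not running")
        elif p.av_sig_age_days is None or p.av_sig_age_days > MAX_SIG_AGE_DAYS:
            reasons.append("anti-virus signatures out of date")
    if reasons:
        return Vlan.QUARANTINE, reasons
    if not p.credentialed:
        # A port scan alone proves little about the host; fail closed.
        return Vlan.LIMITED, ["posture not verified (no local credentials)"]
    return Vlan.PRODUCTION, []


@dataclass
class ManagedSwitch:
    """Stand-in for a switch whose per-port VLAN the NAC appliance rewrites."""
    port_vlan: dict = field(default_factory=dict)
    changes: list = field(default_factory=list)

    def assign(self, port: str, vlan: Vlan) -> bool:
        """Return True only if the port actually moved to a new VLAN."""
        if self.port_vlan.get(port) == vlan:
            return False
        self.port_vlan[port] = vlan
        self.changes.append((port, vlan))
        return True


@dataclass
class NacEngine:
    switch: ManagedSwitch
    host_port: dict = field(default_factory=dict)

    def admit(self, port: str, p: Posture) -> Vlan:
        """Assessment at authentication time."""
        self.host_port[p.host] = port
        vlan, _ = evaluate(p)
        self.switch.assign(port, vlan)
        return vlan

    def rescan(self, p: Posture) -> Vlan:
        """Recurring re-assessment; moves the port only if the verdict changed."""
        return self.admit(self.host_port[p.host], p)


def run_demo() -> list:
    """Constructed timeline: a PC disables AV after login, then recovers;
    an unmanaged Mac gets limited access; a host exposing telnet is quarantined."""
    sw = ManagedSwitch()
    nac = NacEngine(sw)
    pc = lambda av, age: Posture("pc-42", True, frozenset({445}), av, age)
    nac.admit("Gi1/0/7", pc(True, 1))        # compliant at login -> production
    nac.rescan(pc(False, 1))                 # user kills AV -> remediation VLAN
    nac.rescan(pc(False, 1))                 # still non-compliant: no new change
    nac.rescan(pc(True, 2))                  # remediated -> back to production
    nac.admit("Gi1/0/8", Posture("mac-9", False, frozenset({22})))
    nac.admit("Gi1/0/9", Posture("lab-box", False, frozenset({23})))
    return [(port, vlan.value) for port, vlan in sw.changes]


if __name__ == "__main__":
    for port, vlan in run_demo():
        print(f"{port} -> {vlan}")
```

The engine fails closed for hosts it cannot inspect with credentials, which is the practical answer to the Mac and UNIX gap noted above: an agentless port scan can still quarantine a host that exposes a forbidden service, but it cannot prove anti-virus is running, so such hosts get limited rather than full access.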



Caymas 525 Identity-Driven Access Gateway

Caymas Systems, caymassystems.com

Overall: Very Good (8.1)

Criteria             Score   Weight
Manageability          8      20%
Policy Enforcement     8      20%
Scalability            9      20%
Reporting              8      15%
Setup                  8      15%
Value                  7      10%

Cost:
$70,000 for 5,000 users with all features enabled

Bottom Line:
The 525 Identity-Driven Access Gateway blurs the line between SSL VPN and NAC device. Policy enforcement is good and has no gaping holes, although the product has the feel of an SSL VPN appliance. End point assessment works well, with only minor shortcomings, and a decent array of reporting options makes reporting very good.

About our Reviews and Scoring Methodology



Lockdown Networks Enforcer

Lockdown Networks, lockdownnetworks.com

Overall: Good (7.9)

Criteria             Score   Weight
Manageability          7      20%
Policy Enforcement     8      20%
Scalability            8      20%
Reporting              9      15%
Setup                  8      15%
Value                  7      10%

Cost:
1U model, $24,995; 2U model, $39,995; Commander, $9,995; Sentry, $1,495

Bottom Line:
The Enforcer takes a different approach to providing network security. Instead of inspecting packets and applying policy, it places each client's traffic in a VLAN on a per-port basis on a managed Ethernet switch. Scalability for large enterprises is a question, but for smaller networks, building the VLAN-based security scheme shouldn’t be a problem. End point assessment is well rounded.




Nevis LANenforcer

Nevis Networks, nevisnetworks.com

Overall: Good (7.2)

Criteria             Score   Weight
Manageability          7      20%
Policy Enforcement     7      20%
Scalability            7      20%
Reporting              8      15%
Setup                  7      15%
Value                  7      10%

Cost:
LANenforcer, $19,995; LANsight management software, $2,000

Bottom Line:
The LANenforcer is on the cusp of being a major player in the NAC space. Security policy is rich but difficult to manage, largely because of a clumsy UI. Host assessment is missing in this release, but the forthcoming Client Integrity Checking will fill this gap very well. Historical reporting is weak, but real-time monitoring is strong.




Vernier Networks EdgeWall 7000

Vernier Networks, verniernetworks.com

Overall: Very Good (8.0)

Criteria             Score   Weight
Manageability          8      20%
Policy Enforcement     8      20%
Scalability            8      20%
Reporting              7      15%
Setup                  8      15%
Value                  9      10%

Cost:
Price ranges from $9,000 to $31,000

Bottom Line:
Vernier’s EdgeWall 7000 proved to be a good all-around solution to the NAC problem. Policy enforcement is rock steady, and end point assessment is a good mix of compliance and vulnerability checking. On-device reporting is the one area where EdgeWall could use some work, but it can communicate with Network Intelligence for off-box analysis.
