Nortel put on display for the first time at RSA Conference 2006 its answer to network access control, an appliance that directs switches to enforce security policies.
Secure Network Access Switch (SNAS) can enforce whether Nortel switch ports allow, restrict or deny traffic from individual hosts based on a scan of the end machine as well as preset authorization for users.
The device is Nortel's bid in network access control, advancing a design that requires no permanent agent on remote machines that are trying to gain access to the network. This is in contrast with Cisco's Network Admission Control (NAC), which requires the Cisco Trust Agent on each machine, or Microsoft's Network Access Protection (NAP), which requires Microsoft Vista clients.
But the Nortel gear also integrates with NAP to create what it calls Network Assured NAP. SNAS can talk to Microsoft NAP clients and policy servers and enforce the policy decisions they make. The Nortel device can also communicate with endpoint agents made by Trend Micro, McAfee and Check Point's Zone Labs.
As remote machines log in, the device scans whether they have appropriate security profiles to be admitted to the network. Depending on what it finds, the device can configure Nortel Ethernet switch ports to allow or deny access, but also to impose restrictions based on higher-level parameters. So a port could be set to allow only certain applications, for example. Or it could filter URLs.
SNAS continues to monitor and re-evaluate the endpoint while it is connected to the network, so if the endpoint's state changes, its access privileges can be altered in accordance with policy. If a Trojan horse kicks in during a session, for example, the endpoint could be isolated in a quarantine virtual LAN.
SNAS uses a Java applet to scan the registry of the device accessing the network and is similar to the scanning done by Nortel SSL VPN gear before it allows remote computers to access SSL VPNs.
SNAS integrates Symantec's WholeSecurity behavior analysis software that can discover the activity of worms and viruses without use of signatures.
The road map for SNAS calls for having the device work with other vendors’ switches, but the instructions it gives them will be limited to allowing, denying or diverting to specific VLANs. It won't be able to order Layer 7 restrictions. The road map also calls for integrating SNAS software into Nortel Ethernet switches via the switches’ Service Delivery Modules, which already support firewall and intrusion prevention software.
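As an added illustration (not Nortel code), the decision logic described above can be sketched as a small policy engine: user authorization plus the endpoint scan result map to a port action, the host is re-evaluated when its posture changes, and a switch that only understands VLAN-level instructions gets a VLAN move where a Nortel switch could get a Layer 7 application filter. The posture fields, VLAN names and "av-update" application label are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"
    RESTRICT = "restrict"
    DENY = "deny"


@dataclass(frozen=True)
class Posture:
    """Constructed result of the endpoint scan (hypothetical fields)."""
    av_running: bool
    av_current: bool
    threat_detected: bool = False   # behaviour engine flagged worm-like activity


@dataclass(frozen=True)
class PortDecision:
    action: Action
    vlan: Optional[str] = None      # VLAN-level control: works on any switch
    allowed_apps: tuple = ()        # Layer 7 control: Nortel switches only


QUARANTINE_VLAN = "vlan-quarantine"     # placeholder names, not product defaults
REMEDIATION_VLAN = "vlan-remediation"


def decide(user_authorized: bool, posture: Posture, nortel_switch: bool) -> PortDecision:
    """Map user authorization plus endpoint posture to a port action."""
    if not user_authorized:
        return PortDecision(Action.DENY)
    if posture.threat_detected:             # isolate a host that turns hostile mid-session
        return PortDecision(Action.RESTRICT, vlan=QUARANTINE_VLAN)
    if not posture.av_running:
        return PortDecision(Action.DENY)
    if not posture.av_current:
        if nortel_switch:                   # keep the port on its VLAN, limit it to update traffic
            return PortDecision(Action.RESTRICT, allowed_apps=("av-update",))
        return PortDecision(Action.RESTRICT, vlan=REMEDIATION_VLAN)
    return PortDecision(Action.ALLOW)


class Session:
    """Tracks one connected host and re-evaluates it whenever its posture changes."""
    def __init__(self, user_authorized: bool, posture: Posture, nortel_switch: bool = True):
        self.user_authorized, self.nortel_switch = user_authorized, nortel_switch
        self.decision = decide(user_authorized, posture, nortel_switch)

    def update(self, posture: Posture) -> PortDecision:
        self.decision = decide(self.user_authorized, posture, self.nortel_switch)
        return self.decision
```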
Each SNAS supports up to 1,000 end users, and units can be clustered to accommodate more. The entry price is $18,000, which includes a 200-user license.