Bradford Networks' NAC Director directly controls network-switch flow
By Mandy Andress, Network World, 07/30/2007
Cost: $32,185 for 1,000 users
Score: 3.55
Bradford Networks' NAC Director is a contained, appliance-based product that takes a slightly different approach to network-access
control than the majority of products tested. NAC Director provides port-based NAC functionality that does not require upgrading
your entire network infrastructure to support 802.1X.
The NAC Director connects to a network-access switch (a list of supported switches can be found here), monitors connection activity and takes control of the port when enforcement is necessary. NAC Director also can function
in a standard 802.1X environment, so a company can start with a switch-controlled NAC deployment and then migrate to
802.1X once its infrastructure has been upgraded.
LockDown Networks’ Enforcer is the only other product that functions by directly controlling the switch in this fashion. Others
either rely on self-enforcing agent software or place an in-line device on the network that changes virtual-LAN tags on the
fly or applies firewall rules to block traffic.
Using either an SNMP connection or a direct login to the switch's command-line interface, the NAC Director monitors new connections
and state changes (such as link up or link down), assigns specific connections to VLANs and blocks access when necessary.
All of these actions are carried out in accordance with how users' roles and NAC policies are defined within NAC Director.
In testing, we received the expected network connections and access rejections at all times. That said, we did not run a large
load of network traffic behind our NAC connections to test the device’s capabilities through the noise, so to speak. The bigger
concern with this approach may be convincing network engineers to let a third-party product make direct configuration changes
to gear under their purview.
Both monitoring and enforcement duties can be enabled on a per-switch port basis, so administrators can choose which ports
on the switch are enabled for NAC connections and which ones are not. We configured several ports on our Cisco 3750 switch
to enforce NAC policy and left the remaining ports as unenforced. NAC Director worked as expected, “ignoring” the unenforced
ports, but properly identifying and enforcing any noncompliant systems -- such as a system not running our approved antivirus
client -- connected to an enforced port.
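The switch-driven, per-port behaviour described above (watch link-state changes, leave unenforced ports alone, move a known compliant host to its role VLAN, quarantine a host that fails the antivirus check, deny an unknown device) reduced to a single decision function. This is an added Python illustration, not Bradford's code; the port names, MAC addresses, roles and VLAN numbers are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    IGNORE = "ignore"          # port not under NAC enforcement
    RELEASE = "release"        # link down: clear any VLAN assignment
    BLOCK = "block"            # unknown host on an enforced port
    QUARANTINE = "quarantine"  # noncompliant host: remediation VLAN
    PRODUCTION = "production"  # compliant host: role VLAN

@dataclass(frozen=True)
class LinkEvent:
    port: str       # switch interface the change was seen on
    mac: str        # MAC address learned on that port
    link_up: bool   # True for a linkUp change, False for linkDown

# Constructed policy data (hypothetical values, not from the review).
ROLE_VLAN = {"employee": 10, "contractor": 20}   # role -> production VLAN
QUARANTINE_VLAN = 99                              # remediation VLAN
ENFORCED_PORTS = {"Gi1/0/1", "Gi1/0/2"}           # ports with NAC enabled
REGISTRY = {"aa:bb:cc:00:00:01": "employee",      # known hosts -> role
            "aa:bb:cc:00:00:02": "contractor"}
POSTURE = {"aa:bb:cc:00:00:01": True,             # approved AV client running?
           "aa:bb:cc:00:00:02": False}

def decide(event, enforced=ENFORCED_PORTS, registry=REGISTRY, posture=POSTURE):
    """Map one switch state change to (Action, VLAN-or-None)."""
    if event.port not in enforced:
        return Action.IGNORE, None            # unenforced port: leave untouched
    if not event.link_up:
        return Action.RELEASE, None           # host left: undo the assignment
    role = registry.get(event.mac)
    if role is None:
        return Action.BLOCK, None             # unregistered device: no access
    if not posture.get(event.mac, False):
        return Action.QUARANTINE, QUARANTINE_VLAN
    return Action.PRODUCTION, ROLE_VLAN[role]

def run_sample():
    """Decisions for a constructed sequence of events: (port, action, vlan)."""
    events = [
        LinkEvent("Gi1/0/1", "aa:bb:cc:00:00:01", True),   # compliant employee
        LinkEvent("Gi1/0/2", "aa:bb:cc:00:00:02", True),   # contractor, no AV
        LinkEvent("Gi1/0/2", "aa:bb:cc:00:00:ff", True),   # unknown device
        LinkEvent("Gi1/0/9", "aa:bb:cc:00:00:ff", True),   # unenforced port
        LinkEvent("Gi1/0/1", "aa:bb:cc:00:00:01", False),  # employee unplugs
    ]
    return [(e.port, *decide(e)) for e in events]
```

In a real deployment the action would be pushed back to the switch (VLAN assignment or port shutdown) over the same SNMP or CLI session that reported the event, which is exactly the write access the review notes network engineers may hesitate to grant.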
Connecting the NAC Director to the test LAN environment was a very straightforward process. We configured the appliance to
communicate with our Cisco switch by providing the SNMP community strings and command-line authentication information. The appliance then read all the
necessary information from the switch, and we were ready to go. For testing, we used an SNMPv1 connection, but Bradford also
supports SNMPv3 for encrypted and authenticated communications.
Setup for remote VPN connections is a bit more complex, requiring us to configure specific groups within the Cisco VPN Concentrator in the lab
to enable NAC enforcement for remote users. Wireless access points also can be managed, but ideally the NAC Director wants to control the wireless access point or wireless
network switch. If the wireless-network infrastructure does not support this, Bradford offers a workaround that places the wireless
traffic on a separate VLAN.
Comments (1)
Not the only vendor
By Anonymous on March 3, 2009, 11:40 am
You need to do more research before stating incorrect information. They are not the only vendor to not require agents and not be in-line. Why don't you read about...