Clear Choice Test: NAC
Lab Alliance member Joel Snyder has written a step-by-step guide for testing network access-control products in the four critical areas of authentication, endpoint assessment, enforcement and management. We summarize those recommendations here. For a full rundown of the network environment we used for this test, see >>.
NAC products typically employ one or more of the following: 802.1X authentication at the edge; Web-based authentication via a captive portal, a proprietary client or protocol authentication; passive authentication that relies on sniffing 802.1X, RADIUS or other protocol traffic; or static authentication based on MAC addresses or switch ports. The key to evaluating a NAC product's authentication capabilities is determining whether its mechanisms are broad enough to cover every kind of user and device in your environment.
Larger NAC deployments depend on tight integration with corporate authentication databases, such as Active Directory or another Lightweight Directory Access Protocol server. These links must be tested both for authentication itself and for their ability to retrieve authorization information (group membership, roles) from the authentication database, because that information is what drives the access policy applied after login.
In evaluating a NAC product's endpoint-assessment features, it's important to concentrate on the information that each assessment can provide. Each NAC offering must be tested for:
* Whether it can evaluate the compliance level of a user's system.
* Whether it considers the security status of the user's system.
* How well it handles multiple user communities (managed, unmanaged, guests) and how it accommodates varied user platforms.
* How detailed the results of the endpoint-security assessment can be.
* How well the endpoint-security assessment integrates with possible remediation strategies.
NAC enforcement can be viewed along two axes: level of detail and location. To evaluate level of detail, you must test how the four main types of enforcement -- go/no-go network, virtual-LAN-based access restrictions, simple packet filters and stateful firewalling -- will fit into your NAC plans.
To evaluate location, you should assess how the three options for locating NAC enforcement -- at the point of network access, behind the point of network access and at the core of the network -- map into your network.
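The endpoint-assessment and enforcement criteria above are easier to reason about with a concrete model of what a NAC policy engine actually decides. The following is an added example, not code from the article or from Joel Snyder's test methodology: a small, self-contained Python model that runs a constructed endpoint posture report through a compliance check that returns per-check detail and remediation hints, then expresses the resulting enforcement decision at each of the four levels of detail the summary names (go/no-go, VLAN assignment, simple packet filter, stateful firewall policy). The patch-level threshold, VLAN numbers, subnets, remediation-server address and endpoint records are all constructed for illustration; the VLAN assignment is rendered as the RFC 3580 tunnel attributes a RADIUS server would return, with values shown as names rather than numeric codes.

```python
"""Added example (not from the article): endpoint assessment feeding a
NAC enforcement decision at four levels of detail. All policy values,
VLAN ids, addresses and endpoint records are constructed for illustration."""
from dataclasses import dataclass, field

# --- endpoint assessment ---------------------------------------------------

REQUIRED_PATCH_LEVEL = 42           # constructed: minimum acceptable patch level
MAX_AV_SIGNATURE_AGE_DAYS = 7       # constructed: older signatures fail the check


@dataclass
class Endpoint:
    """Posture data a NAC agent or scanner might report (constructed)."""
    mac: str
    community: str                  # "managed", "unmanaged" or "guest"
    authenticated: bool
    patch_level: int = 0
    av_running: bool = False
    av_signature_age_days: int = 999
    firewall_enabled: bool = False


@dataclass
class Assessment:
    compliant: bool
    failures: list = field(default_factory=list)     # detailed per-check results
    remediation: list = field(default_factory=list)  # what a remediation step would do


def assess(ep: Endpoint) -> Assessment:
    """Evaluate compliance, recording every failed check and its remediation.

    Guests are not held to the managed-host policy; they are confined by
    enforcement instead. Managed and unmanaged hosts get the full check.
    """
    if ep.community == "guest":
        return Assessment(compliant=True)
    checks = [
        (ep.patch_level >= REQUIRED_PATCH_LEVEL,
         f"patch level {ep.patch_level} < {REQUIRED_PATCH_LEVEL}", "push missing patches"),
        (ep.av_running, "antivirus not running", "start antivirus service"),
        (ep.av_signature_age_days <= MAX_AV_SIGNATURE_AGE_DAYS,
         f"AV signatures {ep.av_signature_age_days} days old", "update antivirus signatures"),
        (ep.firewall_enabled, "host firewall disabled", "enable host firewall"),
    ]
    result = Assessment(compliant=True)
    for passed, failure, fix in checks:
        if not passed:            # keep collecting: detail matters for remediation
            result.compliant = False
            result.failures.append(failure)
            result.remediation.append(fix)
    return result


# --- enforcement -----------------------------------------------------------

VLANS = {"corporate": 10, "quarantine": 20, "guest": 30}   # constructed VLAN plan
REMEDIATION_SERVER = "10.20.0.5"                            # constructed address
INTERNAL_NET = "10.0.0.0/8"                                 # constructed internal range


def decide(ep: Endpoint, a: Assessment) -> dict:
    """Return the enforcement decision at all four levels of detail."""
    if not ep.authenticated:
        # go/no-go: an unauthenticated device simply gets no access
        return {"admit": False, "vlan": None, "filter": [], "stateful": []}
    role = "guest" if ep.community == "guest" else ("corporate" if a.compliant else "quarantine")
    vlan = VLANS[role]
    decision = {"admit": True, "vlan": vlan,
                # VLAN assignment as an Access-Accept would carry it (RFC 3580 attributes)
                "radius_attrs": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                                 "Tunnel-Private-Group-ID": str(vlan)}}
    if role == "corporate":
        decision["filter"] = ["permit ip any any"]
        decision["stateful"] = [{"action": "allow", "dst": "any", "track": True}]
    elif role == "quarantine":
        # simple packet filter: remediation server and DNS only, everything else dropped
        decision["filter"] = [f"permit ip any host {REMEDIATION_SERVER}",
                              "permit udp any any eq 53", "deny ip any any"]
        decision["stateful"] = [{"action": "allow", "dst": REMEDIATION_SERVER, "track": True},
                                {"action": "deny", "dst": "any", "track": False}]
    else:  # guest: outbound only, nothing internal
        decision["filter"] = ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"]
        decision["stateful"] = [{"action": "deny", "dst": INTERNAL_NET, "track": False},
                                {"action": "allow", "dst": "any", "track": True}]
    return decision


def evaluate(ep: Endpoint) -> tuple:
    """Run assessment and enforcement for one endpoint; returns (Assessment, decision)."""
    a = assess(ep)
    return a, decide(ep, a)


if __name__ == "__main__":
    # constructed endpoint reports covering the managed, quarantine, guest and no-go cases
    for ep in [Endpoint("00:11:22:33:44:01", "managed", True, 45, True, 1, True),
               Endpoint("00:11:22:33:44:02", "managed", True, 40, True, 12, True),
               Endpoint("00:11:22:33:44:03", "guest", True),
               Endpoint("00:11:22:33:44:04", "managed", False)]:
        a, d = evaluate(ep)
        print(ep.mac, ep.community, "compliant" if a.compliant else a.failures,
              "->", "no access" if not d["admit"] else f"VLAN {d['vlan']} filter={d['filter']}")
```

When exercising a real product against this model, the useful comparison is not the VLAN number but the detail: a product that reports only "non-compliant" gives the remediation tier nothing to act on, whereas one that returns the individual failed checks lets the quarantine policy and the help desk do something specific. Likewise, running the same endpoint through the go/no-go, VLAN, packet-filter and stateful representations makes it obvious which of the four your switches, firewalls or in-line appliances can actually apply at the point of access, behind it, or at the core.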
Management of any NAC deployment involves network, security and desktop staff. Therefore, every NAC product should be questioned from each of those three perspectives.
The standard management-evaluation questions apply to a NAC solution:
* Are the GUIs well designed, and do they facilitate (or hinder) operations?
* Is the installation process understandable, particularly in the case of client tools that will be installed repeatedly by technical and nontechnical staff?
* Are there reporting functions available for technical and management staff?
* Is an alerting function present and sufficiently configurable?
* Does the product support the operations companies normally require, including disaster recovery, scalability and high availability?
Specific questions related to client management are relevant: