Juniper holds its own for all-in-one NAC with Infranet Controller
By Mandy Andress, Network World, 07/30/2007
Cost: $30,000 for 1,000 users
Score: 4.18
Unified Access Control (UAC) is Juniper’s overall architectural answer to NAC. The company’s Infranet Controller server software lies at the center of the architecture, providing overall management and policy control for access and enforcement standards. Within the Juniper UAC deployment, NAC enforcement can occur through a generic 802.1X-configured network or through integration with Juniper’s security devices (a more complete discussion of Juniper’s 802.1X authentication success is here).
For testing, we used the Infranet Controller server in conjunction with a Juniper Secure Services Gateway (SSG) device to provide the NAC policy enforcement. Although Juniper obviously wants to sell firewalls to provide enforcement, the Infranet Controller can provide enforcement using VLANs when users authenticate with 802.1X switches or wireless controllers.
Management is handled through a Web GUI to the Infranet Controller, which is overall pretty intuitive and easy to navigate. We configured authentication against our Active Directory for testing, which was easy to set up. We just defined the account to use and the base search settings. Juniper also provides extensive support for different authentication platforms, including Lightweight Directory Access Protocol (LDAP), RADIUS, ACE (SecurID) and NIS.
User access is permitted through a combination of the machine’s location, user identification, integrity-assessment results and requested resources. Combined, this information determines what role a user is assigned, how each is authenticated, what security posture a user needs to follow to gain access, and in the end, what resources each is able to tap into.
Within this association, endpoint-security requirements are defined to provide additional requirements. For example, a user may be required to have an up-to-date antivirus installation running on a system. If this is in place, a user is assigned an employee role and granted full access to employee resources. If this is not in place, users could be assigned to different roles as determined by the administrator, and that may allow them to remediate the deficiency in their antivirus software or just provide limited resource access.
Juniper’s endpoint assessment covered some of the checks we were looking for during this test. Extensive product support is included for antivirus, antispyware, and host firewall products. Patch-checking functionality out of the box is minimal, however, covering only minimum service pack levels. Full patch-checking functionality can be achieved by deploying any patch-management product supporting the TCG/TNC framework, such as PatchLink, or by creating custom checks. Custom checks can be defined for items such as registry keys, file properties, system processes and service ports. Ties to any general vulnerability scanners or active infection-checking mechanisms are not available at this time.
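The two preceding sections describe the same decision flow: a set of posture checks (antivirus current and running, minimum service pack, custom registry/process/port checks) is evaluated against the endpoint, and the outcome, combined with who the user is and where they connect from, selects a role that in turn selects the resources they may reach. The model below is an added illustration of that flow in Python; it is not Infranet Controller code, and every check name, registry value, role name, resource name and endpoint record in it is constructed for the example. Failures the user can fix on their own (stale antivirus, old service pack) route to a remediation role with access only to update servers, while other failures fall through to a restricted role.

```python
"""Toy NAC decision model: identity + endpoint posture -> role -> resources.

Hypothetical example for illustration. Not Juniper Infranet Controller code;
all names, thresholds and sample endpoints here are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Endpoint:
    hostname: str
    av_installed: bool
    av_running: bool
    av_signature_date: date      # date of the installed antivirus signatures
    service_pack: int            # installed OS service pack level
    registry_values: dict        # registry path -> value, as read by an agent
    running_processes: set       # process image names
    listening_ports: set         # TCP ports with a listener


@dataclass
class UserContext:
    username: str
    groups: set                  # directory group names (constructed)
    location: str                # e.g. "corp-lan" or "guest" (constructed labels)


# Hypothetical registry value a management agent would set when enabled.
AGENT_KEY = r"HKLM\SOFTWARE\ExampleCorp\Agent\Enabled"


# Posture checks. Each takes the endpoint and the evaluation date and returns
# True when the endpoint satisfies the requirement.
def check_av_current(ep, today, max_age_days=7):
    age = today - ep.av_signature_date
    return ep.av_installed and ep.av_running and age <= timedelta(days=max_age_days)


def check_service_pack(ep, today, minimum=2):
    return ep.service_pack >= minimum


def check_agent_registry(ep, today):
    return ep.registry_values.get(AGENT_KEY) == 1


def check_host_firewall(ep, today, process="hostfw.exe"):
    return process in ep.running_processes


def check_no_forbidden_ports(ep, today, forbidden=frozenset({23, 6667})):
    return not (ep.listening_ports & forbidden)


CHECKS = {
    "av-current": check_av_current,
    "service-pack": check_service_pack,
    "agent-enabled": check_agent_registry,
    "host-firewall": check_host_firewall,
    "no-forbidden-ports": check_no_forbidden_ports,
}

# Failures a user can repair from a quarantine network; anything else is
# treated as a policy violation rather than a missing update.
REMEDIABLE = {"av-current", "service-pack"}

ROLE_RESOURCES = {
    "employee": {"intranet", "file-servers", "email"},
    "remediation": {"av-update-server", "patch-server"},
    "restricted": set(),
    "guest": {"internet"},
}


def evaluate_posture(ep, today):
    """Run every check and return the sorted names of those that failed."""
    return sorted(name for name, fn in CHECKS.items() if not fn(ep, today))


def assign_role(user, ep, today):
    """Return (role, sorted resources, failed checks) for this user/endpoint."""
    failed = evaluate_posture(ep, today)
    if user.location == "guest" or "employees" not in user.groups:
        role = "guest"                       # identity decides before posture
    elif not failed:
        role = "employee"                    # full posture pass: full access
    elif set(failed) <= REMEDIABLE:
        role = "remediation"                 # only fixable gaps: update servers
    else:
        role = "restricted"                  # violation: no resources
    return role, sorted(ROLE_RESOURCES[role]), failed


# Constructed sample data.
TODAY = date(2007, 7, 30)
HEALTHY = Endpoint("ws-101", True, True, date(2007, 7, 28), 2,
                   {AGENT_KEY: 1}, {"hostfw.exe", "explorer.exe"}, {445})
STALE_AV = Endpoint("ws-102", True, True, date(2007, 6, 1), 2,
                    {AGENT_KEY: 1}, {"hostfw.exe", "explorer.exe"}, {445})
ROGUE = Endpoint("ws-103", True, True, date(2007, 7, 28), 2,
                 {AGENT_KEY: 1}, {"explorer.exe"}, {445, 23})
ALICE = UserContext("alice", {"employees"}, "corp-lan")
VISITOR = UserContext("visitor", set(), "guest")

if __name__ == "__main__":
    for user, ep in [(ALICE, HEALTHY), (ALICE, STALE_AV), (ALICE, ROGUE), (VISITOR, HEALTHY)]:
        role, resources, failed = assign_role(user, ep, TODAY)
        print(f"{user.username}@{ep.hostname}: role={role} resources={resources} failed={failed}")
```

Evaluating identity before posture mirrors the ordering in the article: a guest never earns the employee role no matter how clean the machine is, and a posture failure changes which role an employee lands in rather than whether they are recognized at all.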