Clear Choice Test: NAC

Lockdown Networks enforces NAC at the switch without network interruption

By Mandy Andress , Network World , 07/30/2007

Lockdown Networks

Cost: $24,995 per appliance; each appliance supports as many as 2,000 users

Score: 4.35

Lockdown Networks Enforcer works much like Bradford Networks' NAC Director: it enforces access policy by directly controlling a standard network switch through SNMP and command-line connections, rather than by sitting inline in the traffic path. Through these connections, the Enforcer applies network-access decisions on a per-switch-port basis. Each port is either not enforced (the Enforcer takes no action on it) or enforced (the Enforcer monitors the port and enforces NAC policy on whatever connects to it).

Providing NAC enforcement this way -- on a per-device basis -- works well in environments where there is a large, diverse population and where endpoint devices need to retain a specific security configuration, regardless of the user.

Enforcer also can function in a standard 802.1X environment, so that a company could start with the Lockdown switch-controlled NAC deployment and then migrate to 802.1X when the rest of its infrastructure is ready to make that jump.

For our testing, we deployed the Enforcer to manage a Cisco Catalyst 3750, with both active and passive Active Directory integration for authentication. To cover remote-access clients, we also enabled enforcement on the switch port that terminated a Cisco VPN connection. With passive authentication, the Enforcer watches the Kerberos authentication exchanges already taking place between employees' machines and the domain controller, so employees get single sign-on without any extra login step.

With active authentication, guest users must enter a user name and password through a Web portal. Setting up both active and passive Active Directory integration was simple and took just a few minutes: you enter the IP address of the domain controller and the search base distinguished name (DN).

The agent used with the Enforcer appliance, which can be persistent (typically for employees) or dissolvable (typically for guests), exists in the Lockdown implementation strictly to gather endpoint information: it collects the endpoint's user, IP and MAC address, operating-system type and fingerprint, and audit history. All enforcement is performed by the Lockdown appliance, not by the agent, which keeps the enforcement decision separate from the endpoint it is judging. Device management for NAC is organized around device groups defined by IP address ranges and VLAN assignments; it does not take the user or organizational structure into account.
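The following is an added illustration of the enforcement model described above (per-port enforced/unenforced state, agent-reported endpoint attributes, device groups keyed on IP range and VLAN rather than on users). It is not Lockdown Networks' code and does not talk to a real switch: the switch is simulated, and a real Enforcer would push the same per-port VLAN changes over SNMP or the CLI. All VLAN numbers, subnets, MAC addresses and endpoint records are constructed for the example.

```python
"""Toy NAC policy engine modelled on switch-port enforcement.

Added example; not Lockdown Networks' code. The switch is simulated and all
sample data (VLANs, subnets, endpoints) is constructed for this illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

PRODUCTION_VLAN = 10   # constructed VLAN numbers
GUEST_VLAN = 20
QUARANTINE_VLAN = 99


@dataclass
class Endpoint:
    """What the agent reports: user, IP, MAC, OS fingerprint and audit result."""
    mac: str
    ip: str
    os_fingerprint: str
    user: Optional[str] = None      # learned passively (Kerberos) or via the portal
    audit_passed: bool = False      # latest agent audit result
    agent: Optional[str] = None     # "persistent", "dissolvable" or None


@dataclass
class DeviceGroup:
    """Policy is keyed on IP range and target VLAN, not on user structure."""
    name: str
    subnets: List[IPv4Network]
    vlan: int
    require_audit: bool = True


@dataclass
class SimulatedSwitch:
    """Stand-in for the Catalyst: a real Enforcer pushes these changes via SNMP/CLI."""
    enforced_ports: Set[int] = field(default_factory=set)
    port_vlan: Dict[int, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def set_port_vlan(self, port: int, vlan: int) -> None:
        if self.port_vlan.get(port) != vlan:      # skip no-op changes to avoid port flaps
            self.port_vlan[port] = vlan
            self.log.append(f"port {port}: vlan {vlan}")


GROUPS = [  # constructed device groups
    DeviceGroup("employee-lan", [ip_network("10.1.0.0/16")], PRODUCTION_VLAN),
    DeviceGroup("guest-lan", [ip_network("10.2.0.0/16")], GUEST_VLAN, require_audit=False),
]


def match_group(ip: str, groups: List[DeviceGroup] = GROUPS) -> Optional[DeviceGroup]:
    """Select the device group purely from the endpoint's IP address."""
    addr = ip_address(ip)
    for g in groups:
        if any(addr in net for net in g.subnets):
            return g
    return None


def decide(ep: Endpoint, port: int, switch: SimulatedSwitch) -> str:
    """Return the policy outcome for one endpoint on one switch port."""
    if port not in switch.enforced_ports:
        return "unenforced"                      # Enforcer takes no action on this port
    group = match_group(ep.ip)
    if group is None:
        outcome, vlan = "quarantine:unknown-subnet", QUARANTINE_VLAN
    elif ep.user is None:
        # No passive Kerberos identity and no portal login yet: hold the port
        # in quarantine until authentication completes.
        outcome, vlan = "quarantine:unauthenticated", QUARANTINE_VLAN
    elif group.require_audit and not ep.audit_passed:
        outcome, vlan = "quarantine:audit-failed", QUARANTINE_VLAN
    else:
        outcome, vlan = f"allow:{group.name}", group.vlan
    switch.set_port_vlan(port, vlan)             # enforcement happens at the switch, not the agent
    return outcome


def run_demo() -> SimulatedSwitch:
    """Constructed endpoints on a switch where ports 1-3 are enforced and port 4 is not."""
    sw = SimulatedSwitch(enforced_ports={1, 2, 3})
    samples = [
        (1, Endpoint("00:11:22:33:44:01", "10.1.5.20", "Windows XP SP2",
                     user="alice", audit_passed=True, agent="persistent")),
        (2, Endpoint("00:11:22:33:44:02", "10.1.5.21", "Windows XP SP2",
                     user="bob", audit_passed=False, agent="persistent")),
        (3, Endpoint("00:11:22:33:44:03", "10.2.9.7", "Mac OS X",
                     user="guest1", agent="dissolvable")),
        (4, Endpoint("00:11:22:33:44:04", "10.1.5.22", "Linux 2.6")),
    ]
    for port, ep in samples:
        print(port, decide(ep, port, sw))
    return sw


if __name__ == "__main__":
    print("\n".join(run_demo().log))
```

The point to notice is where the decision lives: the agent only reports attributes, and every outcome is applied by changing the port's VLAN on the switch, so an endpoint that lies about or disables its agent simply fails the audit check and stays quarantined. Port 4 shows the unenforced case, where the Enforcer leaves the port alone regardless of what is plugged in.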
