Clear Choice Test: NAC
Cost: $24,995 per appliance, which supports as many as 2,000 users
Score: 4.35
Lockdown Networks' Enforcer works much like Bradford Networks' NAC Director: it enforces access policy by directly controlling a standard network switch through SNMP and command-line connections. Through these connections the appliance drives network-access decisions on a per-switch-port basis. Each port is either unenforced (the Enforcer takes no action on it) or enforced (the Enforcer monitors the port and applies NAC policy to it).
Providing NAC enforcement this way -- on a per-device basis -- works well in environments where there is a large, diverse population and where endpoint devices need to retain a specific security configuration, regardless of the user.
Enforcer can also function in a standard 802.1X environment, so a company could start with the Lockdown switch-controlled NAC deployment and migrate to 802.1X once the rest of its infrastructure is ready to make that jump.
For our testing, we deployed the Enforcer to manage a Cisco Catalyst 3750, with both active and passive integration with Active Directory for authentication. To cover remote-access clients, we also enabled enforcement on the switch port that terminated a Cisco VPN connection. With passive authentication, the Enforcer monitors the Kerberos authentication exchanges already taking place with the domain controller, which gives employees single sign-on without any extra login step.
With active authentication, guest users must enter a user name and password through a Web portal. Setup for both active and passive Active Directory integration was simple and took just a few minutes: you enter the domain controller's IP address and the base distinguished name (DN) for directory searches.
The agent used with the Enforcer appliance, which can be persistent (typically for employees) or dissolvable (typically for guests), serves strictly to gather endpoint information in the Lockdown NAC implementation: it collects the endpoint's user, IP and MAC address, operating-system type and fingerprint, and audit history. All enforcement is handled from the Lockdown appliance, keeping the enforcement point separate from the endpoint system. Device management for NAC is organized around device groups defined by IP address ranges and VLAN assignments; it does not take the user or group structure into account, so policy cannot vary by a user's directory group membership.
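As an added illustration (not Lockdown Networks' code and not part of the Network World test), the following Python models the decision flow the review describes for one switch port: ports in enforced or unenforced mode, passive authentication derived from Kerberos AS-REP events on the domain controller plus active portal login for guests, device groups keyed by IP range and VLAN rather than by user, and a quarantine VLAN for endpoints that fail the audit. The log format, port names, VLAN numbers, group definitions and audit tags are constructed assumptions; the in-memory dict stands in for the SNMP or CLI write the real appliance would issue to the switch.

```python
import ipaddress
import re
from dataclasses import dataclass

QUARANTINE_VLAN = 999  # assumed remediation VLAN


@dataclass
class Endpoint:
    """Data the persistent/dissolvable agent gathers; no enforcement happens here."""
    port: str
    ip: str
    mac: str
    os_fingerprint: str
    audit_history: tuple  # audit tags reported by the agent


@dataclass
class DeviceGroup:
    """Groups are keyed by IP range / VLAN, not by user (as the review notes)."""
    name: str
    networks: tuple      # ipaddress networks that map into this group
    vlans: frozenset     # VLAN ids that also map into this group
    required_audit: str  # audit tag an endpoint must carry to be admitted
    production_vlan: int # VLAN an admitted endpoint is placed in


GROUPS = (  # constructed example groups
    DeviceGroup("corp-workstations", (ipaddress.ip_network("10.1.0.0/16"),),
                frozenset({100}), "av-current", 100),
    DeviceGroup("vpn-users", (ipaddress.ip_network("172.16.0.0/12"),),
                frozenset({300}), "vpn-posture-ok", 300),
)

# Passive authentication: assumed DC event format "AS-REP client=<principal> addr=<ip>"
KRB_AS_REP = re.compile(r"AS-REP client=(?P<principal>\S+) addr=(?P<ip>\S+)")


def observe_kerberos(lines):
    """Build {ip: principal} from AS-REP events only; AS-REQs prove nothing."""
    seen = {}
    for line in lines:
        m = KRB_AS_REP.search(line)
        if m:
            seen[m.group("ip")] = m.group("principal")
    return seen


def portal_login(auth_table, ip, username):
    """Active authentication: a guest completed the captive-portal login."""
    auth_table[ip] = username
    return auth_table


def match_group(ep, current_vlan):
    addr = ipaddress.ip_address(ep.ip)
    for g in GROUPS:
        if current_vlan in g.vlans or any(addr in n for n in g.networks):
            return g
    return None


def decide(ep, port_mode, current_vlan, auth_table):
    """Return (action, vlan, reason); 'no_action' means the port is unenforced."""
    if port_mode != "enforced":
        return ("no_action", current_vlan, "port not enforced")
    user = auth_table.get(ep.ip)
    if user is None:
        return ("quarantine", QUARANTINE_VLAN, "no authentication observed for IP")
    group = match_group(ep, current_vlan)
    if group is None:
        return ("quarantine", QUARANTINE_VLAN, "IP/VLAN not in any device group")
    if group.required_audit not in ep.audit_history:
        return ("quarantine", QUARANTINE_VLAN,
                f"missing audit '{group.required_audit}' for group {group.name}")
    return ("allow", group.production_vlan, f"{user} admitted via group {group.name}")


def enforce(switch_ports, ep, port_modes, auth_table):
    """Apply the decision to the switch model {port: vlan} (stand-in for SNMP/CLI)."""
    action, vlan, reason = decide(ep, port_modes.get(ep.port, "unenforced"),
                                  switch_ports[ep.port], auth_table)
    if action != "no_action":
        switch_ports[ep.port] = vlan
    return action, switch_ports[ep.port], reason


def demo():
    """Run four constructed endpoints through the policy and return the outcomes."""
    dc_log = [  # constructed domain-controller events
        "AS-REQ client=alice@CORP.EXAMPLE addr=10.1.2.3",
        "AS-REP client=alice@CORP.EXAMPLE addr=10.1.2.3",
        "AS-REP client=bob@CORP.EXAMPLE addr=10.1.2.4",
    ]
    auth = observe_kerberos(dc_log)
    switch = {"Gi1/0/1": 100, "Gi1/0/2": 100, "Gi1/0/3": 300, "Gi1/0/4": 100}
    modes = {"Gi1/0/1": "enforced", "Gi1/0/2": "enforced", "Gi1/0/3": "enforced"}
    endpoints = [
        Endpoint("Gi1/0/1", "10.1.2.3", "00:11:22:33:44:55", "Windows XP", ("av-current",)),
        Endpoint("Gi1/0/2", "10.1.2.4", "00:11:22:33:44:66", "Windows XP", ("av-stale",)),
        Endpoint("Gi1/0/3", "172.16.5.9", "00:11:22:33:44:77", "VPN client", ("vpn-posture-ok",)),
        Endpoint("Gi1/0/4", "10.1.2.9", "00:11:22:33:44:88", "Linux", ()),
    ]
    results = {ep.port: enforce(switch, ep, modes, auth) for ep in endpoints}
    # The VPN guest had no Kerberos exchange; after the portal login the port recovers.
    portal_login(auth, "172.16.5.9", "guest-visitor")
    results["Gi1/0/3 after portal"] = enforce(switch, endpoints[2], modes, auth)
    return results


if __name__ == "__main__":
    for port, outcome in demo().items():
        print(port, outcome)
```

Two behaviours worth noting: an unenforced port is never written to, so enabling enforcement port by port is a safe rollout path, and a quarantined VPN port re-matches its group by IP range even though its VLAN is now the quarantine VLAN, which is why the group definition carries both keys.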