Clear Choice Test: NAC
Cost: $24,995 per appliance, which supports as many as 2,000 users
Score: 4.35
Lockdown Networks' Enforcer functions in a similar fashion to Bradford Networks' NAC Director in that it enforces access policy by physically controlling a standard network switch through SNMP and direct command-line connections. Through these connections, an IT administrator can drive network-access-control decisions on a per-switch-port basis. Each port is either not enforced (the Enforcer takes no action on it) or enforced (the Enforcer monitors the port and enforces NAC policy on whatever connects to it).
Providing NAC enforcement this way -- on a per-device basis -- works well in environments where there is a large, diverse population and where endpoint devices need to retain a specific security configuration, regardless of the user.
Enforcer also can function in a standard 802.1X environment, so that a company could start with the Lockdown switch-controlled NAC deployment and then migrate to 802.1X when the rest of its infrastructure is ready to make that jump.
For our testing, we deployed the Enforcer to manage a Cisco Catalyst 3750, with both active and passive integration with Active Directory for authentication. To support remote-access clients, we also enabled enforcement on the switch port that terminated a Cisco VPN connection. With passive authentication, the Enforcer monitors the Kerberos authentication exchanges already taking place on the network, which gives employees a single sign-on experience.
With active authentication, guest users are required to enter a user name and password through a Web portal. The setup process for both active and passive Active Directory integration was simple and took just a few minutes: you enter the IP address of the domain controller and the base distinguished name (DN) for directory searches.
The agent used in conjunction with the Enforcer appliance can be persistent (typically for employees) or dissolvable (typically for guests). In Lockdown's NAC implementation the agent exists strictly for endpoint information gathering: it collects the endpoint's user, IP and MAC address, operating-system type and fingerprint, and audit history. All enforcement is handled by the Lockdown appliance, keeping the enforcement point separate from the endpoint being assessed. Device management for NAC is organized around device groups defined by IP address ranges and VLAN assignments; it does not take the user structure into account.
Policy is defined in terms of actions that must complete successfully, such as a proper authentication, a clean vulnerability assessment or a valid health check. You can then drill down to configure the specifics of each policy: which form of authentication should be performed, which vulnerability tests should run and which health checks should be applied. Overall, Lockdown's policy-management scheme is complex, and it is difficult to understand how all the pieces fit together to achieve the desired goal.
Lockdown makes a distinction between endpoint checks and endpoint-security status, the latter being essentially an audit. A check is defined as a series of items that all need to pass, such as antivirus running or no critical security vulnerabilities present. An audit is the process of assessing the endpoint for security vulnerabilities. Audits can be run independently of health checks.
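To make the port-level enforcement model and the check-versus-audit distinction concrete, here is an illustrative policy evaluator. It is an added example written for this review, not Lockdown's code or any vendor's API; the endpoint field names, the policy fields and the quarantine VLAN number are assumptions. It evaluates a health check (a list of items that must all pass) and a vulnerability audit separately, takes no action on a non-enforced port, fails closed when an enforced port has no agent data or no audit result, and maps the decision to the Cisco IOS interface commands an appliance driving a Catalyst switch over a CLI session would issue.

```python
"""Illustrative per-port NAC policy evaluation (added example, not Lockdown's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    """Posture record as an information-gathering agent might report it
    (hypothetical field names; None means the agent reported nothing)."""
    mac: str
    ip: str
    user: Optional[str]             # None if no authentication was observed
    auth_method: Optional[str]      # "kerberos" (passive) or "portal" (active)
    antivirus_running: Optional[bool]
    critical_vulns: Optional[int]   # result of the last audit; None if never audited


@dataclass
class Policy:
    """Which forms of authentication, health items and audit thresholds apply."""
    accepted_auth: List[str] = field(default_factory=lambda: ["kerberos", "portal"])
    require_antivirus: bool = True
    max_critical_vulns: int = 0


def run_health_check(ep: Endpoint, policy: Policy) -> List[str]:
    """A 'check': every item must pass. Returns the names of failing items.
    Missing agent data counts as a failure so the decision fails closed."""
    failures = []
    if ep.user is None or ep.auth_method not in policy.accepted_auth:
        failures.append("authentication")
    if policy.require_antivirus and ep.antivirus_running is not True:
        failures.append("antivirus")
    return failures


def run_audit(ep: Endpoint, policy: Policy) -> List[str]:
    """An 'audit': the vulnerability assessment, evaluated on its own."""
    if ep.critical_vulns is None:
        return ["audit-not-run"]
    if ep.critical_vulns > policy.max_critical_vulns:
        return [f"critical-vulns={ep.critical_vulns}"]
    return []


def decide_port(port_enforced: bool, ep: Optional[Endpoint], policy: Policy) -> Dict:
    """Per-port decision. A non-enforced port gets no action at all; an enforced
    port is allowed only when both the check and the audit come back clean."""
    if not port_enforced:
        return {"action": "none", "reasons": []}
    if ep is None:
        return {"action": "quarantine", "reasons": ["no-agent-data"]}
    reasons = run_health_check(ep, policy) + run_audit(ep, policy)
    return {"action": "allow" if not reasons else "quarantine", "reasons": reasons}


def ios_commands(interface: str, decision: Dict, quarantine_vlan: int, prod_vlan: int) -> List[str]:
    """IOS interface-mode commands that would move the port to the quarantine or
    production VLAN (assumes both VLANs already exist on the switch)."""
    if decision["action"] == "none":
        return []
    vlan = prod_vlan if decision["action"] == "allow" else quarantine_vlan
    return [f"interface {interface}", f"switchport access vlan {vlan}"]


if __name__ == "__main__":
    # Constructed sample endpoints: an employee seen via Kerberos, and a guest
    # who authenticated at the portal but has no antivirus and was never audited.
    employee = Endpoint("00:11:22:33:44:55", "10.0.0.5", "alice", "kerberos", True, 0)
    guest = Endpoint("66:77:88:99:aa:bb", "10.0.0.6", "guest1", "portal", False, None)
    for iface, ep in (("GigabitEthernet1/0/5", employee), ("GigabitEthernet1/0/6", guest)):
        d = decide_port(True, ep, Policy())
        print(iface, d, ios_commands(iface, d, quarantine_vlan=999, prod_vlan=10))
```

The point worth taking from the model is that the agent is only an input: the decision and the switch change happen on the appliance side, and an enforced port with no agent data or no completed audit is treated as failing rather than as unknown.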