Symantec tops the NAC ticket with its breadth of coverage

Symantec Network Access Control

Cost: $18,009 for 1,000 users

Score: 4.48

Symantec Network Access Control (SNAC) is the product that has evolved from endpoint-security technology the company picked up from its 2005 acquisition of Sygate. In our evaluation, there was no silver bullet that put Symantec on the top of the heap. Rather it edged out the competition for its breadth of coverage in the areas of deployment options, endpoint assessments and flexible policy creation.

SNAC comprises two primary components – Policy Manager and Enforcers. The Policy Manager is the central management server that executes all policy settings. The Enforcers are the distributed devices that perform the endpoint assessments and enforcements. Enforcers can be deployed in three ways: LAN (802.1X), Gateway (in-line) and DHCP integration (delivered as either an appliance or as a Microsoft DHCP plug-in). An appliance can function as any enforcer type, but it cannot function as multiple enforcer types at the same time. For example, it is either deployed as an in-line gateway or used within an 802.1X-enabled LAN, but not both simultaneously. Multiple enforcers can be deployed to provide high availability and redundancy.

For testing, we deployed a Gateway Enforcer 1U appliance sitting between the access and distribution layer of the test be network.

A captive Web portal – dubbed OnDemand by Symantec – supports guest users and is where they pick up a browser-based disposable agent used for both authentication and assessment purposes. Remote access can be supported by either placing a gateway Enforcer in-line behind the remote-access termination point, or Symantec provides API integration with some SSL and IPSec VPN products -- such as Aventail, Check Point, Cisco, Juniper and Nortel -- that provides the ability to assess the endpoint as a condition of the remote-access system granting network access. Both of these scenarios require Symantec’s agent software to be running on the remote machines.

For testing, we also deployed a gateway Enforcer in-line behind the Cisco VPN Concentrator and set up Symantec’s On-Demand component to provide the captive portal, which is a scenario you would use for remote devices that do not have the NAC agent installed.

User authentication can occur through user accounts local to the SNAC Policy Manager or via integration with an Active Directory, Lightweight Directory Access Protocol or RADIUS back end. Likewise, user groups are defined internally to SNAC or are imported along with the user information pulled from the existing repository. For testing, we configured SNAC to tap into our Active Directory user and group information without issue, and for the Windows clients in our test bed, this integration allowed for single sign-on capability and NAC-protected network connections.

Devices that do not need to be assessed, such as printers and UPSes, can be excluded by taking their IP address range out of the assessments.

Endpoint assessment is performed by a persistent (as deployed by standard software-distribution tools) or on-demand agent (run as needed through the captive portal described above). Assessment timing can be set on a per-policy basis, ranging from occurring minutes to days apart.