To test NAC products, we built a small network that we hoped would represent a snapshot of a typical, slightly chaotic, enterprise network. We created a user network using typical edge switches from Cisco, Enterasys and Juniper. Each switch represented a different building, so users on each switch were normally in different VLANs, with each VLAN being a different subnet. We also set up an Aruba wireless controller as part of the user side of the network, and a SonicWall SSL VPN device for remote access. On one of the ports attached to the HP switch we also connected an unmanaged hub.
We connected a variety of devices to the user side of the network, including Windows 7 and Macintosh OS X 10.6 clients, Polycom VoIP phones, HP printers, and mobile wireless devices from Apple and Nokia.
On the other side of our test network was a "data center" based on HP switches. Between the user and server side of the network was a Check Point Firewall-1 running on Check Point (formerly Nokia) hardware (which also connected us to the Internet). We set up Sourcefire IPS appliances to inspect traffic. We also created a separate out-of-band network for management purposes.
In the data center, we installed Windows 2008 R2 servers running Active Directory, a Windows 2003 server running Steel Belted RADIUS, and a Linux server running RSA's SecurID authentication server. We installed SYSLOG, DHCP, DNS and NTP servers as well. Most of the data center servers were running on VMware vSphere 4 ESX servers.
For end-point security, we selected Sophos and installed the current version of their enterprise console and client software.
In picking products for our network, we tried to select vendors who were not participating in our test, such as Sourcefire, Sophos and Check Point. We hoped that this would give a more level playing field. Although these are all top-tier vendors, we found very different levels of support for each. Sophos was a particular problem for many of the products we tested, because a number of the NAC vendors had not yet updated their products to handle the 6-month-old version of Sophos that we were using.
In some cases, vendors brought in their own security and networking products. For example, Juniper wouldn't work with the Check Point firewall or Sourcefire IPS devices, but provided its own firewall and intrusion-prevention system products. Alcatel-Lucent, HP and Enterasys also provided switches beyond our initial configuration.
Once our network was set up, we also designed a basic security policy. We divided staff users into three categories, each with its own access level to different parts of the data center. We also had policies for VoIP and printer devices, as well as one for guest users. We defined a very simple end-point security compliance policy (a pass/fail policy), along with an access policy for staff users who failed the end-point compliance check.
With our network in place, we looked at each NAC product and asked: "How can this product be used to add security to this network and implement our security policy?" In some cases, vendors visited our lab to help install their products, and we put the question to them and let them take the lead in deployment (Alcatel-Lucent, Avenda, Forescout, Juniper and McAfee sent people to our lab). In other cases, we used the documentation provided by the product vendor, as well as their technical support staff, to install and configure their product.