Clear Choice Test

Network access control

Trustwave NAC: Deployment is a snap

By Joel Snyder, Network World
June 21, 2010 12:02 AM ET

Vendor: Trustwave
Product: NAC v3.4
Price (1,000 users): $30,000
Strengths: Easy to deploy, doesn't require network changes
Weaknesses: Reactive, best suited for small offices, branches

Review: Trustwave NAC is the ultimate "zero touch" NAC product. It doesn't need to know anything about your infrastructure; it doesn't require that you implement 802.1X. To use Trustwave NAC, you put it in a position to monitor traffic on each of your network segments. Then, to enforce access controls, Trustwave NAC injects packets into the network which cause it to become a "man-in-the-middle," presenting a captive portal and providing endpoint security scanning software. When a workstation has passed both authentication and end-point security requirements, Trustwave NAC releases its hold on the device and traffic flows normally.

Although the documentation on Trustwave NAC can best be described as "dismal to awful," the product is fairly easy to understand and to configure. For example, if your NAC policy says that someone must not be running an FTP server, then the Trustwave NAC appliance port scanner will look for FTP servers. If you don't have FTP servers in your policy, then it won't bother to look for them.

Normally, LAN users authenticate indirectly in Trustwave NAC. If you have 802.1X, or if users log in via Active Directory, then Trustwave NAC can detect this and will assign credentials to the device. For guest users who do not log into a domain or use 802.1X, Trustwave NAC will redirect the user to a captive portal which can be used for both authentication and end-point security checking.

Trustwave NAC tries to be as unobtrusive as possible while still providing NAC protections. A combination of network monitoring and active network-based scanning (similar to what NMAP and Nessus do) is used to detect the status and state of each device on the network.

This makes it more of a reactive product than a proactive product, in the sense that it will detect bad behavior when it occurs but not necessarily help in managing compliance.

If this looks similar to what Forescout’s CounterACT does — it is. The products have many parallels and are closer to each other than to other NAC products.

Trustwave NAC does not require active changes to the network, a huge benefit. While this comes with some restrictions, such as a weaker endpoint security host checking model, it also will be attractive to many network managers, especially in smaller sites, where network changes are especially difficult.

However, Trustwave NAC's strategy of tricking the network by poisoning ARP caches and injecting TCP packets might send chills down the spine of a network manager. When you can't trust basic troubleshooting tools such as Ping and Traceroute or the predictability of the TCP state machine, you're opening up the potential for small network problems to become un-debuggable nightmares. On the other hand, for small, well-behaved networks such as at branch offices, this concern might be overstated.
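The ARP-cache manipulation described above leaves a visible trace on the wire: the gateway's IP address suddenly resolves to a second MAC address, and that same MAC starts answering for client addresses too. As an added example that is not part of the review or of Trustwave's product, the following Python script walks a constructed log of observed ARP replies and reports every IP whose answering MAC changes, plus any MAC that claims more than one IP, which is the check a network manager would run before concluding that Ping or Traceroute is lying.

```python
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) as they would be
# captured from ARP replies on one segment. All values are made up.
ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:01"),   # real gateway
    ("10:00:02", "192.168.1.50", "00:11:22:33:44:50"),  # a workstation
    ("10:00:10", "192.168.1.1", "00:aa:bb:cc:dd:ee"),   # another box answering for the gateway
    ("10:00:11", "192.168.1.50", "00:aa:bb:cc:dd:ee"),  # same box answering for the workstation
    ("10:00:30", "192.168.1.1", "00:11:22:33:44:01"),   # hold released, gateway back to normal
]


def find_arp_conflicts(replies):
    """Return (timestamp, ip, old_mac, new_mac) for every observed change
    of the MAC address that answers for an IP."""
    last_mac = {}
    events = []
    for ts, ip, mac in replies:
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            events.append((ts, ip, prev, mac))
        last_mac[ip] = mac
    return events


def macs_claiming_multiple_ips(replies):
    """Return {mac: sorted IPs} for every MAC that answered for more than
    one IP, the signature of a single device interposing itself."""
    claimed = defaultdict(set)
    for _, ip, mac in replies:
        claimed[mac].add(ip)
    return {m: sorted(ips) for m, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    for ts, ip, old, new in find_arp_conflicts(ARP_REPLIES):
        print(f"{ts} {ip}: answering MAC changed {old} -> {new}")
    for mac, ips in macs_claiming_multiple_ips(ARP_REPLIES).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

On the sample log this flags three MAC changes and one MAC answering for both the gateway and the workstation; on a real capture, feed it the sender fields from ARP replies seen on the segment.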
