Network access control vendors pass endpoint security testing

One of the main promises of NAC is that you can ensure that endpoint security tools are up to date and that non-compliant machines can be identified or blocked. As regulatory compliance has grown in importance, NAC vendors have reacted by building strong feature sets aimed at endpoint security and compliance. In our NAC testing, we had good, and sometimes great, results across the board when it came to endpoint security.

One of the main promises of network access control is that you can ensure that endpoint security tools are up to date and that non-compliant machines can be identified or blocked. As regulatory compliance has grown in importance, NAC vendors have reacted by building strong feature sets aimed at endpoint security and compliance. In our NAC testing, we had good, and sometimes great, results across the board when it came to endpoint security.

NAC: What went wrong?

We created a very basic endpoint security policy, and then checked to see if we could implement that policy in our NAC products. We also looked at a variation on endpoint security, the ability of NAC products to handle system misbehavior. For example, if a typical, compliant, desktop started to try and brute-force break into other systems by guessing passwords, that would be a misbehavior we'd like to detect. Whether the desktop is infected, or the user is acting maliciously, it's still misbehavior and NAC can help put a stop to it.

We discovered some products that handled our policy, and some that went far beyond what we asked. Alcatel-Lucent SafeNAC, Bradford Network Sentry, Enterasys NAC, ForeScout CounterACT and McAfee NAC are the ones to start with if you want to get very deep and very dirty in your endpoint posture assessment. The good news is that every NAC product passed the main part of this test. We were able to put in our policy, or a close approximation, and we were able to successfully detect Windows 7 systems that were not compliant. Not every product could match our policy exactly, but we were able to get very close in every case.

Macintosh support is spottier. Most products had some degree of Mac support, and we were able to find our installed Sophos anti-virus with every product, although not necessarily easily. For example, Alcatel-Lucent Safe NAC doesn't know about anti-virus tools, so we had to craft a policy based on other ways of detecting Sophos running in the client.

Overall, Macintosh OS X support is much weaker than Windows support in all products. This reflects both the compliance aspects of NAC endpoint posture assessment as well as the generally laissez-faire approach to end-point security tools common in the Macintosh community.

Beyond the basics

Beyond basic endpoint security posture assessment, though, we found lots of differences between products. The difficult part was trying to figure out which differences mattered and which did not. We started at the highest level and found two main approaches to endpoint security: using a client that runs on the endpoint, and using a scanning tool that tries to detect the status of endpoint security remotely.

A number of products, including Avenda eTIPS, Bradford Network Sentry, Cisco NAC Appliance, Enterasys NAC and ForeScout CounterACT, actually combine both techniques, although with a caveat: the combination can be farcical.

The problem with using both an endpoint client and endpoint scanner is that real vulnerability scanners are complex and expensive animals. For example, Nessus, the best-known vulnerability scanner, is built-in to several of the products we tested. Unfortunately, the licensing and charging model for Nessus changed in 2006 in such a way that it made updating Nessus impractical — leaving NAC vendors with a 4-year-old version of Nessus and an out-of-date set of scanning rules.

It's not just a Nessus problem, though; it's a question of whether the network manager taking care of the NAC management system also is ready to manage a vulnerability scanning system. For example, Cisco includes Nessus in their NAC Appliance, but a Cisco system engineer told us dismissively "nobody uses our Nessus." That's not surprising, and it's not Cisco's fault. The result is that products which include network scanners of all types are good at some things, such as detecting open ports and operating systems, but often not so good at actually doing vulnerability scans remotely.

When the scanning is very limited in the scope of what it is looking for, there's definitely useful information available to NAC products. One of our favorite examples was Trustwave NAC's scanning tool. In building NAC policy, you can define some endpoint security features such as "is not running an unauthorized mail server." If you set up that policy, Trustwave NAC will scan devices attaching to the network, looking specifically for mail servers.

Sometimes detecting ports and operating systems is useful outside of the context of endpoint posture assessment. For example, when a NAC deployment has to include embedded devices, such as printers or VoIP phones, it's useful to have an external scanner try and validate whether or not the device really is a printer or phone.

As a general rule, scanning externally is useful, but it's not as good an approach as an agent on the device.

Third party posture assessment

When we focused on clients, we found two more options: NAC products with their own security posture checkers, and those that let you plug in other vendor's checkers. We found a huge disconnect between the promise of standardized endpoint security checks and what vendors actually were offering. In our last NAC test, in 2007, each of the major vendors was happy to give us a TCG-compatible plug-in or a Cisco-compatible plug-in, or both. This year, those offerings dried up, for a couple of reasons.

The obvious reason is that major endpoint security vendors all have their own NAC product offerings, so they aren't that interested in helping out the competition. But that's not the only reason. Thanks to Microsoft's aggressive security program, there are cases where a NAC plug-in isn't required at all, especially when the end-point security policy is very simple.

The Windows Security Center, built-in to recent versions of Windows, helps out NAC vendors by removing the requirement for a NAC plug-in for end-point security products. With Windows NAP client — supported by Microsoft NAP, Juniper UAC, Avenda eTIPS, and HP NAC — endpoint security vendors don't have to be NAC-aware. They just have to feed information to Windows Security Center, which the Microsoft NAP client can use.

Common toolkits led to common problems

Our own security policy was simple enough for almost every product. Since we had chosen Sophos for our test anti-malware solution, our policy for compliant systems was that they had a personal firewall turned on and Sophos installed, enabled and up-to-date. We had a surprising number of problems making this policy work. The reason is that many of the NAC vendors don't actually write their own end-point security checkers. A single company, OPSWAT, has cornered the market on end-point security posture assessment software, and many NAC vendors use the OPSWAT toolkit.

What we discovered was that there was a disconnect between the release cycle of Sophos, which delivered a new version of their anti-virus to us in October 2009, and the speed with which NAC vendors supported the software. Our testing occurred in January through April. About half of the products we tested weren't compatible with the October 2009 version of Sophos anti-virus, generally because they were behind the curve when it came to incorporating new OPSWAT technology into their products.

Juniper, which we tested in January, uses OPSWAT and supported Sophos v9, so this wasn't OPSWAT's fault. However, it brought to light one of the vulnerabilities in using a third-party scanner built-in to a third-party tool to look at your endpoint security compliance: you could be held back in your upgrade or updating plans if either of those companies drags its feet at the wrong time.

We didn't ask Symantec and McAfee to look for Sophos (although McAfee volunteered to do so) because that didn't make any sense: if you're a Symantec or McAfee NAC customer, you're doing it because you're also a Symantec or McAfee end-point security customer. Of course, both of those companies were great at detecting their own products. Although this wasn't an endpoint security review, if it was, McAfee ePolicy Orchestrator would have won for the massive breadth of its endpoint compliance checking and management tools.

Together, though, the products we tested formed a nice spectrum of endpoint security checkers, from the fairly simple tools offered by Microsoft NAP up to the more comprehensive rules in Alcatel-Lucent's Safe NAC, Enterasys NAC and McAfee ePolicy Orchestrator.

Another aspect of endpoint posture checking is the difference between installed and un-installed (usually called "dissolvable") posture checking clients. Most of the products have both available, with the installed posture checker reserved for staff and the Web-based dissolvable one used by guests or transient users. We focused our testing on installed clients, because we don't see most enterprise NAC deployments making heavy use of the dissolvable client.

We did do some testing of dissolvable clients, and got disappointing results. For example, we tried using Trustwave's dissolvable client on our Windows 7 system. Well, Trustwave uses OPSWAT, and their OPSWAT implementation required Java, but Java isn't installed by default on Windows 7. This means we had to download Java, install it on our Windows 7 system, and only then could we be scanned. But don't think Trustwave or Windows 7 was unique.

With McAfee's dissolvable client for Macintosh, we had to download a 17MB shell script, go into a terminal session to set it to executable, run the shell script, double-click on the virtual disk it created, double-click on the application within the virtual disk, ignore an ominous-sounding error message, and let it install 80MB worth of endpoint scanner — temporarily, since it self-de-installs. The idea that guest users can be scanned is great on paper, but the logistics of doing a good job of it have never worked very well in our testing.

Ain't misbehavin'

Our last test looked at detecting endpoint misbehavior, such as port scans or password guessing attacks, and reacting to it. A surprisingly number of products, including Alcatel-Lucent Safe NAC, Bradford Network Sentry, Enterasys NAC, ForeScout CounterACT, HP Network Immunity Manager, Juniper UAC and Trustwave NAC, had some features that let us include system misbehavior in our policy. Cisco NAC Appliance didn't have direct support for this, but does expose an API that would have let us write some code to link up an IPS to the NAC Appliance.

Since ForeScout CounterACT and Trustwave NAC both include traffic monitoring facilities, their system misbehavior detection is built-in. Both products focus on behavior anomalies more so than specific IDS signatures. What was surprising to us was that McAfee N-450 didn't have this feature, since the McAfee N-450 hardware is also used in McAfee's IPS appliance. But apparently the only thing they have in common is the hardware — there's no McAfee IPS feature in the NAC version of the N-450 … yet.

Juniper UAC supports external inputs for behavior anomalies and IDS using either their own IPS, which is what we tested, or the IF-MAP standard for communicating between security devices. As with Juniper, Enterasys supports its own IDS for behavior misdetection. Alcatel-Lucent and Bradford can receive alerts from IPS devices, but the tools required to make those alerts into active NAC reactive operations are onerous.

The most comprehensive set of third-party IDS support came from HP, with their Network Immunity Manager add-on to the NAC and switch management tools. We tested it with a SonicWall NSA security appliance and verified the ability of Network Immunity Manager to turn IPS alerts into NAC actions.

Hard to evaluate

Another feature of end-point security posture assessment, continuous policy enforcement, we found difficult to evaluate. The idea behind continuous enforcement is that posture assessment isn't a one-time event, but should be continuously checked and enforced whenever an endpoint is attached to the network.

We had a difficult time testing continuous enforcement, because it was so dependent on other factors, such as how authentication was handled, and whether a client was installed on the end-point. For that reason we could not draw any conclusions about how well continuous posture assessment was supported, or which products did a better job of it than others.

We ended up with two wishy-washy conclusions regarding continuous enforcement: every product included some capability to do continuous policy enforcement, but every product also had significant use cases where continuous policy enforcement was impossible or impractical.

From a network manager's point of view, we suggest you start by looking at whether you want continuous enforcement or not. If you do, then select a NAC product that supports your decision. However, you'll have to decide almost every other factor in your NAC deployment before you can get to that point. It's a tough position to be in, but the variables we ran into in our testing were so wild that we can't make any general or even specific statements. You'll have to test this one for yourself.

Conclusions

Although NAC is often promoted as part of an endpoint security compliance strategy, there are some gaps network managers need to be aware of. When your posture compliance policy is simple, and you're willing to install a client, you'll have good success as our testing showed. If you have a complex policy, it might be better to depend on tools such as BigFix, Lumension or Microsoft's WSUS, which can integrate into many NAC products, rather than trying to roll your own compliance checker.

Return to main test.