Bradford Networks' NAC Director directly controls network-switch flow

Bradford Networks' NAC Director takes a slightly different approach than the majority of products tested. It provides port-based NAC functionality that does not require upgrading your entire network infrastructure to support 802.1X.

Bradford Networks NAC Director

Cost: $32,185 for 1,000 users

Score: 3.55

Bradford Networks' NAC Director is a contained, appliance-based product that takes a slightly different approach to network-access control than the majority of products tested. NAC Director provides port-based NAC functionality that does not require upgrading your entire network infrastructure to support 802.1X.

The NAC Director connects to a network-access switch (Bradford publishes a list of supported switches), monitors connection activity and takes control when necessary for enforcement measures. NAC Director also can function in a standard 802.1X environment, so that a company can start with a switch-controlled NAC deployment and then migrate to 802.1X once its infrastructure has been upgraded.

LockDown Networks’ Enforcer is the only other product that functions by directly controlling the switch in this fashion. Others either rely on self-enforcing agent software or place an in-line device on the network that changes virtual-LAN tags on the fly or applies firewall rules to block traffic.

By using an SNMP connection or by logging directly into the switch's command-line interface, the NAC Director monitors new connections and state changes (such as link up or link down), assigns specific connections to VLANs and blocks access when necessary. All of these actions are carried out in accordance with how users' roles and NAC policies are defined within NAC Director.

In testing, we received the expected network connections and access rejections at all times. That said, we did not run a large load of network traffic behind our NAC connections to test the device’s capabilities through the noise, so to speak. The bigger concern with this approach may be convincing network engineers to let a third-party product make direct configuration changes to gear under their purview.

Both monitoring and enforcement duties can be enabled on a per-switch port basis, so administrators can choose which ports on the switch are enabled for NAC connections and which ones are not. We configured several ports on our Cisco 3750 switch to enforce NAC policy and left the remaining ports as unenforced. NAC Director worked as expected, “ignoring” the unenforced ports, but properly identifying and enforcing any noncompliant systems -- such as a system not running our approved antivirus client -- connected to an enforced port.

Connecting the NAC Director to the test LAN environment was a very straightforward process. We configured the appliance to communicate with our Cisco switch by providing the SNMP community strings and command-line authentication information. The appliance then read all the necessary information from the switch, and we were ready to go. For testing, we used an SNMPv1 connection, but Bradford also supports SNMPv3 for encrypted and authenticated communications.

Setup for remote VPN connections is a bit more complex, requiring that we configure specific groups within the Cisco VPN Concentrator in the lab to enable the NAC enforcement for remote users. Wireless access points also can be managed, but, ideally, the NAC Director wants to control the wireless access point or wireless network switch. If the wireless-network infrastructure does not support this, Bradford has a workaround by placing the wireless traffic on a separate VLAN.

The major authentication sources are supported, such as Active Directory and Lightweight Directory Access Protocol for LAN connections, while RADIUS is tapped for authenticating guest users. Active Directory authentication was used for the test, and setup occurred quickly and without issue.

For authorization, all user roles are defined within the NAC Director appliance. These roles are then mapped to user groups. In our testing, we imported user groups from our Active Directory into the NAC Director and then mapped the employee role in NAC Director to the employee group in Active Directory. With this configuration, any employee who accessed the network was assigned to the employee VLAN and then forced to abide by the policies defined within the employee role in NAC Director.

This integration with Active Directory keeps an organization from having to replicate its organizational structure in NAC Director, which is why it earned kudos for its authentication and authorization capabilities.

NAC Director includes both dissolvable and persistent client software for endpoint assessment. In our testing, neither resulted in any noticeable impact on client-system performance. Distribution of the persistent client occurs through normal enterprise tools, such as Microsoft’s SMS.

Guest users access the network through a captive portal and automatically receive the dissolvable agent for assessment purposes. Known users can either log on through a Web portal, or administrators can use domain logon/logoff scripts to authenticate them to the Bradford appliance behind the scenes for a single sign-on capability.

For endpoint assessment, NAC Director provides an extensive list of monitored antivirus products, ranging from Avast to eTrust, so checking antivirus status is a simple task. We configured the Sophos AV check with the product, which ran as expected, and the client was allowed on the network. System patches, service packs and critical security patches can be checked by specifying that preference. We ran a check against a Windows XP system missing key security patches, and the machine was placed on a quarantine VLAN per our policy.

The Windows firewall is the only personal firewall that can be monitored by NAC Director out of the box. However, Bradford does supply tools to build custom checks for registry keys, files, hotfixes and specific processes running on the client system. Vulnerability-assessment scans – such as those facilitated by Nessus, Qualys or custom scans – can be run against an endpoint system to identify vulnerabilities.

Any of these checks can run on initial connection, on other network state changes (such as a downed link that is then reinstated), or on a schedule by date or at repeating intervals. In addition, the results for all systems can be cleared on a regular schedule so that device security is re-evaluated. Bradford also integrates with IDS/IPS solutions from Tipping Point, ISS, Nitro Security, Lancope and Stonesoft to automatically enforce post-connect policies at the edge of the network.

If any assessment check fails, the primary remediation method for Bradford is placing the offending user on a quarantine VLAN. A few direct actions can be forced upon the machine in question, such as starting the Windows firewall or forcing a Windows Update Services synchronization to occur for the purpose of applying missing patches. Most frequently, though, the user will see a Web page detailing information and links to the necessary sites provided by the administrators to remediate identified issues. Providing the ability to take more direct action, such as running a script, is common across other product sets.
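As an added illustration (not Bradford's code), the following Python model walks through the decision flow the review describes: an event on an enforced switch port triggers the AD-group-to-role mapping and the endpoint posture checks, and the result is either the role's VLAN or the quarantine VLAN, while unenforced ports are ignored. Port names, VLAN numbers, group names and check definitions are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed configuration: assumed values, not taken from the appliance.
ENFORCED_PORTS = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3"}   # ports under NAC control
ROLE_BY_AD_GROUP = {"Employees": "employee", "Contractors": "contractor"}
VLAN_BY_ROLE = {"employee": 10, "contractor": 20, "guest": 30}
QUARANTINE_VLAN = 99
APPROVED_AV = {"Sophos", "Avast", "eTrust"}

@dataclass
class Endpoint:
    """Posture data the agent reports after assessing the connecting host."""
    ad_groups: tuple = ()
    av_product: str = ""
    av_running: bool = False
    missing_critical_patches: int = 0
    windows_firewall_on: bool = False

# Each check returns None on pass, or a short reason string on failure.
POSTURE_CHECKS = {
    "antivirus": lambda ep: (None if ep.av_running and ep.av_product in APPROVED_AV
                             else "approved antivirus not running"),
    "patches": lambda ep: (None if ep.missing_critical_patches == 0
                           else f"{ep.missing_critical_patches} critical patches missing"),
    "firewall": lambda ep: None if ep.windows_firewall_on else "Windows firewall off",
}

def role_for(ep: Endpoint) -> str:
    """Map the user's AD groups to a NAC role; users in no mapped group are guests."""
    for group in ep.ad_groups:
        if group in ROLE_BY_AD_GROUP:
            return ROLE_BY_AD_GROUP[group]
    return "guest"

def decide(port: str, link_state: str, ep: Endpoint) -> dict:
    """Enforcement decision for one switch event (port, link state, endpoint posture)."""
    if port not in ENFORCED_PORTS:
        return {"port": port, "action": "ignore"}      # unenforced port: no NAC action
    if link_state != "up":
        return {"port": port, "action": "clear"}       # link down: drop result, re-assess on link up
    failures = {name: why for name, check in POSTURE_CHECKS.items() if (why := check(ep))}
    role = role_for(ep)
    if failures:
        return {"port": port, "action": "quarantine", "vlan": QUARANTINE_VLAN,
                "role": role, "failed": failures}
    return {"port": port, "action": "assign", "vlan": VLAN_BY_ROLE[role], "role": role}
```

A host with an approved AV running and no missing patches lands on its role VLAN; the same host with critical patches missing is moved to the quarantine VLAN with the failed check recorded for the remediation page.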

NAC Director is managed through a Web-based Java GUI that requires the creation of a Java policy file on any administrator's machine. The GUI is not very intuitive and is difficult to navigate at times. Many of the functions are performed through Java applets, which were time-consuming because they loaded separately, each taking a few minutes to come up. NAC Director does have a nice visual of switch port configurations, which can significantly ease the process of pushing a VLAN change: just select the port and change the VLAN number assigned to it.

NAC Director collects a helpful amount of data about connected systems, including user, IP, operating system, NIC information and what policy checks were run against the system along with the check results. Reporting on this information and NAC actions taken is challenging, however, as minimal reporting functionality is available, and what is available is inconsistent.

When we attempted to run a report showing the level of registrations, the GUI locked up. We were able to successfully run a report on remediation actions. In this report, we could see information showing what policies a system failed, but could not see what remediation actions were then executed against the device.

Overall, we can conclude that Bradford’s product might be a good fit for large network environments that want both strong authentication functionality and a focus on VLAN changes for NAC-enforcement purposes.



Copyright © 2007 IDG Communications, Inc.