Lockdown Networks enforces NAC at the switch without network interruption

Lockdown Networks

Cost: $24,995 per appliance, which supports as many as 2,000 users

Score: 4.35

Lockdown Networks Enforcer functions in a similar fashion to Bradford Networks’ NAC Director in that it enforces access policy by physically controlling a standard network switch through SNMP and direct command-line connections. Through these connections, an IT administrator can drive decisions about network-access control on a per-switch port basis. The port is either not enforced (where the Enforcer does not perform any action) or enforced (where the Enforcer monitors and enforces NAC policies).

Providing NAC enforcement this way -- on a per-device basis -- works well in environments where there is a large, diverse population and where endpoint devices need to retain a specific security configuration, regardless of the user.

Enforcer also can function in a standard 802.1X environment, so that a company could start with the Lockdown switch-controlled NAC deployment and then migrate to 802.1X when the rest of its infrastructure is ready to make that jump.

For our testing, we deployed the Enforcer to manage a Cisco Catalyst 3750 with active and passive integration with Active Directory for authentication. To support remote-access clients, we also enabled enforcement on the switch port, which terminated a Cisco VPN connection. With passive authentication, the Enforcer is monitoring the Kerberos authentication processes already in place, which provides a single sign-on capability for employees.

With active authentication, guest users are required to enter a user name and password through a Web portal. The setup process for both active and passive Active Directory integration was simple and took just a few minutes: you enter the IP address of the domain controller and the base distinguished name to search from.

The agent used in conjunction with the Enforcer appliance, which can be persistent (for employees, typically) or dissolvable (for guests, typically), is strictly in place in the Lockdown NAC implementation for endpoint information-gathering purposes: it collects data on the endpoint user, IP and MAC address, operating-system type and fingerprint, and audit history. All enforcement is handled from the Lockdown appliance, providing a separation from the endpoint system. Managing devices for NAC is focused on device groups defined by IP addresses and virtual-LAN assignments, and does not take into account user structure.

Policy is defined by actions that should perform successfully, such as a proper authentication, a clean vulnerability assessment or a valid health check. You can then drill down to configure the specifics of each policy, such as what form of authentication should be performed, what vulnerability tests should run and what health checks should be performed. Overall, Lockdown’s policy-management scheme is complex and is difficult to understand in terms of how all the pieces fit together to achieve the desired goal.

Lockdown makes a distinction between endpoint checks and endpoint-security status, which is basically an audit. A check is defined as a series of items that need to pass, such as antivirus running or no critical security vulnerabilities. An audit is the process of assessing the endpoint for security vulnerabilities. Audits can be run independently of health checks.

Endpoint-assessment capabilities include strong native coverage for antivirus and firewall products. Windows patch status is checked using Windows Update as the foundation. That is a good approach, because you always have the most up-to-date information checked with no administrator intervention. The ability to check vulnerability status is very strong, as Lockdown has incorporated its own scanning engine into Enforcer. You can build some basic custom checks -- such as those for open ports, system services and registry keys. But you can build checks for file properties or for specific processes.

We ran our standard antivirus, patch and registry check tests, as well as performing several vulnerability scans. Everything worked as expected.

Checks are performed any time a network event occurs, such as an IP address change, or when a scheduled audit (such as a vulnerability assessment) occurs. Audits also can be scheduled to run at any frequency, and each scheduled audit results in a reassessment of the endpoints.

The ability to identify systems actively infected is not available.

In terms of setting noncompliant systems on the straight and narrow, a device can be moved to a quarantine zone or to a different device group -- which could result in a virtual-LAN change, depending on environment setup -- based on the results of the endpoint assessment.

For remediation-separation purposes, Lockdown prefers to enable multiple quarantine VLANs and place one noncompliant system in each VLAN to protect them from each other as well as from the rest of the network. This worked as advertised in our testing. It is a good approach, because a quarantine VLAN may include an infected system attempting to propagate across the network, and multiple systems on one VLAN may allow the infected system to spread to the others on that network.
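The policy model (every required action must pass) and the one-host-per-quarantine-VLAN placement described above, as an added illustration that is not Lockdown's code and not part of the original review. The port names, MAC addresses, VLAN numbers and quarantine pool are constructed sample values; the switch itself is not touched, the function only produces the per-port VLAN plan an enforcer would push.

```python
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the review).
PRODUCTION_VLAN = 10
QUARANTINE_VLAN_POOL = [901, 902, 903]  # one quarantine VLAN per noncompliant host


@dataclass
class Endpoint:
    port: str
    mac: str
    authenticated: bool      # passive Kerberos or active portal login succeeded
    critical_vulns: int      # result of the vulnerability audit
    antivirus_running: bool  # health check item
    enforced: bool = True    # a port marked "not enforced" gets no action


def compliant(ep: Endpoint) -> bool:
    """Policy as a set of actions that must all succeed."""
    return ep.authenticated and ep.critical_vulns == 0 and ep.antivirus_running


def assign_vlans(endpoints, pool=QUARANTINE_VLAN_POOL):
    """Return ({port: vlan}, [ports left unquarantined]).

    Compliant hosts go to the production VLAN; each noncompliant host gets
    its own VLAN from the pool so infected hosts cannot reach each other.
    Unenforced ports map to None. If the pool is exhausted, the remaining
    noncompliant ports are returned separately so an operator can act.
    """
    free = list(pool)
    plan, overflow = {}, []
    for ep in endpoints:
        if not ep.enforced:
            plan[ep.port] = None
        elif compliant(ep):
            plan[ep.port] = PRODUCTION_VLAN
        elif free:
            plan[ep.port] = free.pop(0)
        else:
            overflow.append(ep.port)
    return plan, overflow


SAMPLE = [  # constructed endpoints
    Endpoint("Gi1/0/1", "00:11:22:33:44:01", True, 0, True),
    Endpoint("Gi1/0/2", "00:11:22:33:44:02", True, 2, True),    # critical vulns
    Endpoint("Gi1/0/3", "00:11:22:33:44:03", False, 0, True),   # not authenticated
    Endpoint("Gi1/0/4", "00:11:22:33:44:04", True, 0, False),   # AV stopped
    Endpoint("Gi1/0/5", "00:11:22:33:44:05", True, 0, True, enforced=False),
    Endpoint("Gi1/0/6", "00:11:22:33:44:06", False, 1, False),  # pool exhausted
]

if __name__ == "__main__":
    plan, overflow = assign_vlans(SAMPLE)
    for port, vlan in plan.items():
        print(port, "no action" if vlan is None else f"VLAN {vlan}")
    if overflow:
        print("quarantine pool exhausted for:", overflow)
```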

You can display a customizable Web page with remediation information or advised links. Lockdown does offer the ability to execute a script, but the name of the script must be an exact file name and must reside in the installation directory of the Lockdown agent. While this provides some execution functionality, it is not as flexible as we would like to see.

The Web-management interface that controls all aspects of the Lockdown product is excellent. Its default first view lands an administrator into the reports section, which contains a detailed, graphical dashboard on the network’s current risk status. Its intuitive GUI is generally easy to use.

Lockdown provides some of the best reporting functionality of all the NAC products we tested. Reports are well designed and very detailed. Lockdown also has the best information reporting to the user, providing detailed discussions on vulnerabilities identified on the endpoint systems and other system-integrity issues that need to be addressed.

Reports can be run against user and device information, which is a nice change as most products focus on either one population or the other. Lockdown also provides a complete history of activity on a device as well as a history of a user’s access across all devices.

Lockdown provides a flexible NAC product that requires minimal network infrastructure changes to deploy. It provides strong functionality in all of the major NAC categories, but excels in reporting. This product is a contender for almost any environment.


