McAfee NAC hits on endpoint assessment, but misses on other standard access-control measures

McAfee NAC has a strong foundation in the breadth of security checks it can render, and it’s got strong ties to McAfee’s mature endpoint-security management platform, but it lacks some standard NAC capabilities, such as a captive portal for guest users, the ability to authenticate users against external repositories and the option of creating custom endpoint checks.

McAfee

Cost: $20,370 for 1,000 users.

Score: 3.03


The product comprises a central server, a software agent called McAfee Policy Enforcer Agent and management hooks into McAfee’s ePolicy Orchestrator (ePO), which also is used to manage pretty much all of McAfee’s antivirus, antispam and host intrusion-prevention tools.

McAfee primarily provides self-enforcement for network access based on the posture of the device in question. The Policy Enforcer Agent residing on the client machine routinely conducts policy checks (with no noticeable performance impact in our testing), and if it finds a problem, the agent on the device limits network connectivity, as opposed to having a piece of the network infrastructure handle enforcement. Check Point also offers this level of self-enforcement.

You also can integrate McAfee NAC with leading VPN providers, such as Check Point and Juniper, to either allow or drop connections based on McAfee-driven system assessments or use SNMP to control your network switch in order to force virtual-LAN changes. 

The company asserts that future releases will provide further enforcement support through the McAfee IntruShield network IPS product, as well as 802.1X and DHCP ties.

For testing, we deployed McAfee NAC and ePO on a Windows 2003 server and used both the agent-based endpoint assessment and self-enforcement efforts as well as switch integration for network-based enforcement activities.

The McAfee NAC product does not support direct integration for external authentication, but instead relies on the authentication information on the endpoint, which the agent software reads. In McAfee's scheme, policies are assigned based solely on the posture of the device and not in any way on the user who might be driving the device. Device-based access works well when you have a diverse population of users with the same endpoint-security requirements. Alternatively, user-based access works best when you have specific security requirements for a user's role and that user could be using different endpoint systems to access the network.

Enforcement zones, a McAfee term that is akin to access policies, are defined to specify what network resources can be accessed depending on the compliance state of the machine. You can shunt machines to a general quarantine zone, a missing patch zone, an active infection zone and an unwanted software zone.
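The following is an added illustration of the zone model described above, not code from McAfee or from the review. It models device posture as the outcome of agent checks and maps it onto the four quarantine zones named in the text plus a normal production zone; the precedence between zones, the resource names and the check fields are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    """Enforcement zones: the four quarantine zones named in the review plus normal access."""
    PRODUCTION = "production"
    GENERAL_QUARANTINE = "general quarantine"
    MISSING_PATCH = "missing patch"
    ACTIVE_INFECTION = "active infection"
    UNWANTED_SOFTWARE = "unwanted software"


# Hypothetical resource map (constructed for the example): which named network
# resources a device in each zone is permitted to reach.
ZONE_RESOURCES = {
    Zone.PRODUCTION: {"internet", "file-servers", "patch-server", "remediation-portal"},
    Zone.MISSING_PATCH: {"patch-server", "remediation-portal"},
    Zone.UNWANTED_SOFTWARE: {"remediation-portal"},
    Zone.GENERAL_QUARANTINE: {"remediation-portal"},
    Zone.ACTIVE_INFECTION: set(),  # an infected host gets no network resources
}


@dataclass(frozen=True)
class Posture:
    """Result of the agent's local checks on one endpoint (fields are assumed)."""
    host: str
    agent_installed: bool
    av_current: bool
    missing_patches: tuple = ()
    infection_signatures: tuple = ()
    unwanted_software: tuple = ()


def assign_zone(p: Posture) -> Zone:
    """Pick the zone for a device from its compliance state.

    Precedence (an assumption of this example): an active infection is the
    worst state, then missing patches, then unwanted software; any other
    noncompliant condition lands in the general quarantine zone.
    """
    if p.infection_signatures:
        return Zone.ACTIVE_INFECTION
    if p.missing_patches:
        return Zone.MISSING_PATCH
    if p.unwanted_software:
        return Zone.UNWANTED_SOFTWARE
    if not p.agent_installed or not p.av_current:
        return Zone.GENERAL_QUARANTINE
    return Zone.PRODUCTION


def allowed(p: Posture, resource: str) -> bool:
    """Self-enforcement decision: may this device reach the named resource?"""
    return resource in ZONE_RESOURCES[assign_zone(p)]


def enforcement_table(postures) -> dict:
    """Summarise a batch of devices as host -> (zone name, sorted allowed resources)."""
    return {
        p.host: (assign_zone(p).value, sorted(ZONE_RESOURCES[assign_zone(p)]))
        for p in postures
    }


if __name__ == "__main__":
    # Constructed sample endpoints.
    sample = [
        Posture("ws01", True, True),
        Posture("ws02", True, True, missing_patches=("MS07-017",)),
        Posture("ws03", True, True, infection_signatures=("worm-sig-1",), missing_patches=("MS07-017",)),
        Posture("ws04", True, True, unwanted_software=("p2p-client",)),
        Posture("ws05", False, False),
    ]
    for host, (zone, resources) in enforcement_table(sample).items():
        print(f"{host}: {zone} -> {resources}")
```

Because the agent itself makes the `allowed` decision, the enforcement point is the endpoint, which is exactly why a device without the agent (a guest or a rogue) has to be handled by a different mechanism, such as the switch-based VLAN control described later in the review.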

McAfee provides network switch control to force VLAN changes only for guest endpoints that fail compliance assessments. McAfee does not provide the traditional captive-portal approach for guest access that most competing NAC products offer. Assessment for unmanaged (guest) systems can occur through a remote scan or through an ActiveX control accessed on a Web page (no authentication happens here, so it is not akin to a portal). The remote scan may be a problem if the unmanaged device is running a firewall that blocks access. But barring that condition, the product identifies rogue systems as devices without the ePO agent installed.

Some of the endpoints running on the network also can serve as policy-enforcer sensors. These endpoints monitor network traffic for the presence of a new device, for example by looking for broadcast traffic and DHCP communications.
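As an added example of the sensor idea in the two paragraphs above (not McAfee's code, and not from the review), the script below reads constructed ISC-dhcpd-style syslog lines, records every MAC address that sends a DHCPDISCOVER, and reports the ones that are absent from a managed-device inventory, which is the "no agent installed" condition the product uses to classify a rogue. The log format, the inventory and the addresses are all constructed for the example.

```python
import re

# Constructed sample syslog lines in the format ISC dhcpd writes.
SAMPLE_LOG = """\
Jun  5 09:12:01 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
Jun  5 09:12:01 dhcp1 dhcpd: DHCPOFFER on 10.0.5.21 to 00:1a:2b:3c:4d:5e via eth0
Jun  5 09:12:02 dhcp1 dhcpd: DHCPREQUEST for 10.0.5.21 from 00:1a:2b:3c:4d:5e via eth0
Jun  5 09:12:03 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:5e via eth0
Jun  5 09:15:44 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:ab:cd:ef via eth0
Jun  5 09:15:44 dhcp1 dhcpd: DHCPOFFER on 10.0.5.30 to 00:50:56:ab:cd:ef via eth0
Jun  5 09:15:45 dhcp1 dhcpd: DHCPREQUEST for 10.0.5.30 from 00:50:56:ab:cd:ef via eth0
Jun  5 09:15:46 dhcp1 dhcpd: DHCPACK on 10.0.5.30 to 00:50:56:ab:cd:ef via eth0
Jun  5 09:16:10 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:ab:cd:ef via eth0
"""

# Constructed inventory: MACs of endpoints known to have the management agent.
MANAGED_MACS = {"00:1a:2b:3c:4d:5e"}

TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
MSG_RE = re.compile(r"DHCP(?P<msg>DISCOVER|OFFER|REQUEST|ACK)\b")
MAC_RE = re.compile(r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
ACK_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>\S+)")


def observe_dhcp(lines):
    """Build a per-MAC record of what the DHCP exchange revealed.

    Returns {mac: {"first_seen": ts, "discovers": n, "ip": leased_ip_or_None}}.
    """
    seen = {}
    for line in lines:
        msg = MSG_RE.search(line)
        mac = MAC_RE.search(line)
        if not msg or not mac:
            continue  # not a DHCP line we understand; skip
        key = mac.group("mac").lower()
        rec = seen.setdefault(key, {"first_seen": None, "discovers": 0, "ip": None})
        if msg.group("msg") == "DISCOVER":
            # A DISCOVER is the broadcast that announces a new device on the segment.
            rec["discovers"] += 1
            ts = TS_RE.match(line)
            if rec["first_seen"] is None and ts:
                rec["first_seen"] = ts.group("ts")
        elif msg.group("msg") == "ACK":
            ack = ACK_RE.search(line)
            if ack:
                rec["ip"] = ack.group("ip")  # the address the device actually got
    return seen


def find_unmanaged(lines, managed_macs):
    """Devices that announced themselves but carry no management agent.

    These are the candidates the product would send for a remote scan or
    ActiveX-based assessment rather than agent-based self-enforcement.
    """
    managed = {m.lower() for m in managed_macs}
    return {mac: rec for mac, rec in observe_dhcp(lines).items() if mac not in managed}


if __name__ == "__main__":
    for mac, rec in find_unmanaged(SAMPLE_LOG.splitlines(), MANAGED_MACS).items():
        print(f"unmanaged device {mac} first seen {rec['first_seen']}, leased {rec['ip']}")
```

Keying the inventory on MAC addresses is what the DHCP exchange gives a passive sensor; it is not a strong identity, so the hit only schedules an assessment rather than deciding access by itself, which matches the review's description of a remote scan or Web-based check following detection.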

For endpoint assessment, McAfee includes good coverage for antivirus products beyond its own tools and Windows patch checks, but has minimal support for its own firewalls as well as those from Symantec and Microsoft.

Strong coverage for active system infection is available using signatures created by the McAfee Avert Labs research team. The McAfee endpoint agent functions like a host intrusion-detection and intrusion-prevention system, monitoring for malicious traffic, primarily for critical, high-risk issues. These issues are identified by standard signatures developed by McAfee based on research and work performed by the Avert Labs team.

McAfee also provides an extensive list of potentially unwanted software -- such as P2P, instant-messaging clients and remote-control software -- that can be included in endpoint-assessment checks. Neither the ability to create custom checks nor any integration with any general system vulnerability scanners is available at this time.

Patch, antivirus and worm infection tests all worked as expected.

Remediation is available by forcing VLAN changes, as noted above, using SNMPv1-based network switch control; by sending the user to a Web portal to self-remediate; or by executing a command-line script on the endpoint system.

McAfee NAC gathers a good amount of information on endpoint systems and keeps a full log of its assessments, down to the specific check results. Reporting on all of this data is minimal, though. Six out-of-the-box reports, such as top-10 noncompliant systems and daily compliance status reports, are available. If you want to expand beyond the six reports, though, you must buy a separate enterprise reporting tool, such as Crystal Reports.

McAfee NAC, a relatively new player in this market, is off to a decent start, but needs additional functionality to really thrive in a large enterprise environment. In its current iteration, this product would be a good fit for a McAfee customer looking for an easy introduction to NAC.
