A general guide for testing NAC products

A summary of recommendations for testing NAC products.

Lab Alliance member Joel Snyder has written a step-by-step guide for testing network access-control products in the four critical areas of authentication, endpoint assessment, enforcement and management. We summarize those recommendations here. For a full rundown of the network environment we used for this test, see >>.

NAC products typically employ 802.1X authentication at the edge; Web-based authentication via a captive portal, proprietary client or protocol authentication; passive authentication using 802.1X-, RADIUS- or other protocol-sniffing; or static, media-access-control-based or port-based authentication. The key to evaluating a NAC product's authentication capabilities is determining whether its mechanisms are broad enough to work in your environment.

Larger NAC deployments depend on tight integration with corporate authentication databases, such as Active Directory or some other Lightweight Directory Access Protocol server. These links must be tested both for authentication and for their ability to retrieve authorization information from the authentication database.

In evaluating a NAC product's endpoint-assessment features, it's important to concentrate on the information that each assessment can provide. Each NAC offering must be tested for:

* Whether it can evaluate the compliance level of a user's system.

* Whether it considers the security status of the user's system.

* How well it handles multiple user communities (managed, unmanaged, guests) and how it accommodates varied user platforms.

* How detailed the results of the endpoint-security assessment can be.

* How well the endpoint-security assessment integrates with possible remediation strategies.

NAC enforcement can be viewed along two axes: level of detail and location. To evaluate level of detail, you must test how the four main types of enforcement -- go/no-go network, virtual-LAN-based access restrictions, simple packet filters and stateful firewalling -- will fit into your NAC plans.

To evaluate location, you should assess how the three options for locating NAC enforcement -- at the point of network access, behind the point of network access and at the core of the network -- map into your network.

Management of any NAC deployment brings in network, security and desktop staff. Therefore, questions should be asked of every NAC product on each level.

The standard management-evaluation questions apply to a NAC solution:

* Are the GUIs well designed, and do they facilitate (or hinder) operations?

* Is the installation process understandable, particularly in the case of client tools that will be installed repeatedly by technical and nontechnical staff?

* Are there reporting functions available for technical and management staff?

* Is an alerting function present and sufficiently configurable?

* Does the product support the operations companies normally require, including disaster recovery, scalability and high availability?

Specific questions related to client management are relevant:

* Does client management include being able to combine network-access functions (authentication or authorization) easily with endpoint-security assessment?

* If client software is installed, does client management include being able to easily deploy and update all components needed for NAC?

Enforcement-point management requires the following evaluation criteria:

* When the NAC product provides its own enforcement point, can that mechanism integrate with normal enterprise-management tools and generate logging information?

* How is NAC enforcement-management integrated with the existing infrastructure's enforcement and change-control processes?

Key factors to consider in evaluating policy-server management include:

* How well integrated is the policy server with the company's client-security products and consoles?

* How well integrated is the policy server with existing company directories?

* How does the policy server facilitate policy description and deployment?

* How well are delegated and distributed management functions delivered?

Copyright © 2007 IDG Communications, Inc.