Vernier’s EdgeWall offers NAC plus security

Vernier’s EdgeWall

Cost: $45,000 for chassis, support for 1,000 users and one Control Server management appliance.

Score: 3.55

With little network integration required, Vernier provides standard assessment functionality for network access control with its EdgeWall product. But it also joins competitors ConSentry and ForeScout in the class of NAC products that include an intrusion-detection system to monitor for malicious traffic flows at all times. Vernier's policy-development process offers an extreme level of flexibility. While that flexibility is necessary for large deployments, it can become overwhelming for the administrator.

In Vernier Networks’ NAC scheme, its EdgeWall appliance provides in-line assessment and enforcement functionality, while policy creation and overall management capabilities are driven by the Control Server, which sits elsewhere on the network.

For testing, we deployed an EdgeWall appliance between the access and distribution layer of the test network to provide general LAN-based NAC. For remote access and wireless access, a similar in-line deployment would work, and the company claims support for 802.1X environments as well.

Vernier includes a captive portal for guest users that offers similar functionality to most other products tested. The portal is a standard Web page requesting user authentication and registration information. If an issue is identified on the endpoint, a page displays the assessment results, while a predefined message from the administrator typically provides information about how to clear up the issues at hand.

The management GUI has a clean presentation overall. Policy definition allows for a lot of flexibility but can get complicated to manage quickly. Vernier access policies comprise a series of profiles outlined as identity, connection and integrity profiles.

Say you want employees in the finance group to access only a specific group of servers. To achieve this, you would create an access policy that defines what network resources the finance group can have access to. Next, you would create an identity profile for the existing finance Active Directory group that associates a security policy defining the types of assessments that must run against the endpoint system.

The next step is to define the connection profile, which determines how to handle network access based on endpoint-assessment status. Profiles include out of compliance, compliance scan in progress and device scanned. For this example, we would use the default “Any” rule, because we are looking just at access for a compliant finance group user. As part of the connection profile setting, you define where the user authenticates. Next, you set up an integrity profile to define what patch compliance, vulnerability assessment and intrusion-prevention protections need to be performed. The last step is to add an entry to the rights table; that entry is the rule that associates the identity profile, connection profile, integrity profile and access policy with each other to form the full finance group policy.

Understanding and configuring these policies is very challenging, mainly because of the myriad possible combinations. Adding a wizard approach to policy creation would make this process much easier. One helpful tool that Vernier does include with its products is a “simulate user rights” function. This tool helps an administrator understand where a user would fall within the configured policies.

Taking our finance group example, we could use this tool to test the finance group policy by entering a username/password and selecting a simulation of a successful compliance scan. The resulting display shows the access policy that would be applied to the user based on the selected simulated compliance status. In our example, if all works as expected, the access policy defined for the finance group should be what is displayed as a result of the simulated user test.
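The rights-table walk-through above (access policy, identity profile, connection profile, integrity profile, rights entry) and the “simulate user rights” check lend themselves to a small model. The following is an added illustration written for this page, not Vernier's software: the profile fields, the first-match evaluation order, the default-deny outcome when no entry matches, the directory group name, server addresses and remediation URL are all assumptions or constructed sample values. It encodes the finance example as two rights entries, a compliant-user rule and an out-of-compliance rule that lands the user on a remediation VLAN with a help URL, and then simulates users against the table.

```python
"""Toy model of a NAC rights table of the kind the review describes.

Hypothetical illustration for this page only; field names, matching
order and sample values are assumptions, not Vernier's implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Endpoint-assessment states named in the review, plus the default "Any".
ANY = "Any"
OUT_OF_COMPLIANCE = "out of compliance"
SCAN_IN_PROGRESS = "compliance scan in progress"
DEVICE_SCANNED = "device scanned"


@dataclass(frozen=True)
class AccessPolicy:
    """Network resources a matched user may reach, plus remediation hints."""
    name: str
    allowed_resources: frozenset
    vlan: str
    remediation_url: Optional[str] = None


@dataclass(frozen=True)
class IdentityProfile:
    """Ties a directory group to the assessments its endpoints must pass."""
    name: str
    directory_group: str
    required_assessments: frozenset


@dataclass(frozen=True)
class ConnectionProfile:
    """Which assessment status this rule applies to, and where the user authenticates."""
    name: str
    matches_status: str  # one of the states above, or ANY
    auth_source: str


@dataclass(frozen=True)
class IntegrityProfile:
    """Protections that must be in force: patch compliance, vuln scan, IPS."""
    name: str
    patch_compliance: bool
    vulnerability_scan: bool
    intrusion_prevention: bool

    def checks(self) -> frozenset:
        """Names of the checks this profile turns on."""
        flags = (("patch", self.patch_compliance),
                 ("vuln", self.vulnerability_scan),
                 ("ips", self.intrusion_prevention))
        return frozenset(name for name, on in flags if on)


@dataclass(frozen=True)
class RightsEntry:
    """One row of the rights table: the four profiles tied together."""
    identity: IdentityProfile
    connection: ConnectionProfile
    integrity: IntegrityProfile
    access: AccessPolicy


@dataclass(frozen=True)
class SimulatedUser:
    """Input to the simulation: who the user is and what the (simulated) scan reported."""
    username: str
    groups: frozenset
    compliance_status: str
    passed_checks: frozenset


def simulate_user_rights(rights_table, user: SimulatedUser) -> Optional[AccessPolicy]:
    """Return the access policy of the first matching entry, or None (default deny).

    An entry matches when the user is in its directory group, its connection
    profile covers the user's assessment status (ANY covers every status), and
    every check the identity and integrity profiles require was reported passed.
    """
    for entry in rights_table:
        if entry.identity.directory_group not in user.groups:
            continue
        if entry.connection.matches_status not in (ANY, user.compliance_status):
            continue
        required = entry.identity.required_assessments | entry.integrity.checks()
        if not required <= user.passed_checks:
            continue
        return entry.access
    return None


# Constructed sample values: group DN, server addresses and URL are made up.
FINANCE_GROUP = "CN=Finance,OU=Groups,DC=example,DC=com"
FINANCE_SERVERS = frozenset({"10.0.5.10", "10.0.5.11"})


def build_finance_rights_table():
    """The finance example from the review, plus an out-of-compliance fallback."""
    finance_id = IdentityProfile("finance-users", FINANCE_GROUP, frozenset({"antivirus"}))
    quarantine_id = IdentityProfile("finance-quarantine", FINANCE_GROUP, frozenset())
    any_conn = ConnectionProfile("any-status", ANY, "active-directory")
    noncompliant_conn = ConnectionProfile("noncompliant", OUT_OF_COMPLIANCE, "active-directory")
    full_integrity = IntegrityProfile("full", True, True, True)
    no_integrity = IntegrityProfile("none", False, False, False)
    finance_access = AccessPolicy("finance-servers", FINANCE_SERVERS, "vlan-finance")
    remediation = AccessPolicy("remediation", frozenset({"remediation.example.com"}),
                               "vlan-quarantine", "https://remediation.example.com/fix")
    # Order matters: the compliant rule is tried first; a user who fails a
    # required check falls through to the remediation row.
    return [
        RightsEntry(finance_id, any_conn, full_integrity, finance_access),
        RightsEntry(quarantine_id, noncompliant_conn, no_integrity, remediation),
    ]


if __name__ == "__main__":
    table = build_finance_rights_table()
    ok = SimulatedUser("alice", frozenset({FINANCE_GROUP}), DEVICE_SCANNED,
                       frozenset({"antivirus", "patch", "vuln", "ips"}))
    print(simulate_user_rights(table, ok).name)  # finance-servers
```

Running the module shows the policy a fully compliant finance user lands on; feeding it a user with the out-of-compliance status and a missing patch check returns the remediation policy instead, and a user outside the finance group gets None, which is the default-deny result a practitioner should expect from a rule table that no entry matches.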

Vernier offers three levels of management access -- super admin, network admin and policy admin. However, administrative users are able to authenticate only locally to the Vernier switch and not against a deployed enterprise directory.

Vernier supports standard enterprise directory services for authentication, including Lightweight Directory Access Protocol, Active Directory and RADIUS, and includes a built-in user repository. Authorization is available based on either user or device information, which allows for some flexibility.

Vernier’s endpoint assessment covers the core all-in-one NAC components we expect to see without a lot of extra bells and whistles. Support for antivirus, patch and vulnerability identification is strong. Antivirus coverage is available for the market leaders and some of the more popular second-tier products, but out-of-the-box support for firewalls is limited to McAfee, Symantec, Check Point and Microsoft.

Scans are available to determine security vulnerabilities beyond missing patches as part of the assessment process. Custom checks are not available in any form. However, the EdgeWall includes an intrusion-protection engine for identifying systems that are actively infected. We tested Windows patches, antivirus, vulnerability scans and worm-infection identification. All results were as expected.

Endpoint assessment occurs when the machine enters the network, and post-admission reassessment can be scheduled to occur on a periodic basis thereafter.

Remediation functionality includes changing virtual-LAN assignments and providing a URL with information and links to guide users through the process of bringing their device back in line with policy. What’s missing is the ability to take any direct action on the endpoint, such as killing a process or launching a program.

Vernier gathers standard information about a system, such as user, IP address and MAC address, which could help identify a system's physical location on the network or let a help-desk person know which system to investigate for a problem. The system also maintains a history of endpoint assessments performed. But beyond presenting this information inside the Web-based management GUI, no reporting capability is available within the product.

Vernier provides a NAC product designed for a network engineer, which may help sway the network engineers holding out on the network-infrastructure changes required for deployment. Vernier has put a lot of effort into the network components of the product, but it still needs to improve overall manageability and reporting.


Copyright © 2007 IDG Communications, Inc.