InfoExpress attempts a sort of peer-to-peer NAC enforcement

InfoExpress

Cost: $40 per user

Score: 3.15

InfoExpress approaches network-access control with a product that requires zero network-infrastructure changes. With the InfoExpress Dynamic NAC for Windows product, policies are controlled from a central policy management server, but enforcement is handled by distributed agents residing on trusted systems, called Enforcers.

These agents are not special systems, but rather could be any trusted device running the InfoExpress DNAC agent. For example, on a network segment of trusted corporate laptops, several of those devices will be acting as enforcers to help manage unauthorized traffic coming from new, unauthorized users or authorized users that happen to be out of compliance with policy.

Think peer-to-peer NAC where a militia of Enforcers work collectively to protect your LAN.

Together, these distributed Enforcers watch network traffic (the company doesn’t disclose its secrete sauce, but our educated guess is that they are looking for address-resolution-protocol requests and broadcasts). With this reconnaissance, the Enforcers identify systems without the appropriate agent in place and respond to directions from the central management server about how to treat endpoints after compliance assessments have been performed. The Enforcers then handle the quarantine measures for noncompliant machines by blocking the endpoint’s network access except for traffic allowed by policy.

Enforcers also can handle guests and other unmanaged devices by redirecting them to a captive portal where they can pick up compliant agent software.

This product has the potential to scale efficiently, because the more systems you add to the network, more Enforcers you can designate.

In addition to the agent software, DNAC has three other major components. The Policy Server communicates with all agents – both those serving as Enforcers and those not serving in that capacity – to see whether they are in compliance. The Policy Manager is a separate application used just for policy development. The Reporting Server collects information from the Policy Server for reporting purposes, which is easily accessible from a separate Web interface.

For testing, we installed the server components on a central Windows 2003 server and installed agents on our several of our Windows' systems.

InfoExpress can also function in an 802.1X environment. That requires the company’s 802.1X appliance called the CyberGatekeeper Server, which InfoExpress did not submit for testing.

Active Directory authentication is supported, but setting it up was short of seamless. The process requires setting up a Web site where authentication verification occurs behind the scenes via communication with an InfoExpress-provided program placed on the site that then passes authentication information to Active Directory.

In a DNAC deployment, policies are applied to IP address groups only, which may not provide all the flexibility some organizations require depending on the granularity of policy requirements. Creating policies within the product is cumbersome where you have to create them in the separate policy-manager application and then push the policies to the policy server for deployment. The policy-manager application itself is not intuitive to use, and it is challenging to set up more complex policy checks using the interface.

For endpoint assessment, DNAC supports some of the major vendors for both antivirus software and desktop firewalls out of the box. System patch-status checks are available, but are cumbersome and complex to configure, as you have to go through all released Microsoft patches and check the ones you want to be included in the policy. If new patches are released, you need to go change your policy to include them in your next system check. We would prefer a “current with patches” check to ease setup and administrative overhead.

We ran through our standard set of tests for required antivirus, registry key checks and patches. Everything worked as expected.

In terms of detecting already infected systems, DNAC includes a small number of checks for viruses and spyware that may be running systems seeking access. It was able to spot out infected test system.

InfoExpress does not tap into any vulnerability scanners that check for potential holes across an endpoint. But you can build custom checks for certain file attributes, registry keys, system IP address and INI file settings.

The agent software is continually monitoring the status of its endpoint system. Significant differences, such as a network-location change, will trigger a reassessment of the system against policy.

A standard group of remediation options are available, which include sending offending users messages, providing URL links, or forcing downloading and executing programs.

The ability to push a user to a quarantine virtual LAN is available only with the 802.1X component mentioned above.

Overall, configuration is a little confusing. Some configuration options, such as the URL to the authentication script, are set on the policy server, while others are performed through the reporting-server Web GUI.

Completely Web-based reporting functionality is available and is focused on filters that search against the data served up by the agents, including user name, IP address, assessment status and details of the assessment results to generate the reports. The resulting reports are not exportable, though, and cannot be scheduled.

InfoExpress peer-to-peer NAC may be the best entry point into a NAC solution for many organizations, because it does not require network-infrastructure changes, but a confusing management system and challenging policy-creation process may increase deployment difficulty.

< Previous story: ForeScout | Next story: Juniper>