RSA '07: TippingPoint gets into NAC

A blend of existing and new gear adds up to access control.

3Com's TippingPoint division is announcing at RSA Conference 2007 this week that its security platform now supports network access control by scanning end devices before they are allowed on the network and making sure they behave well once they are on.

The new capability is an extension of the company’s existing intrusion prevention software that cleans up traffic on networks by monitoring flows and blocking those that violate security policies. It can also be used to control the rate of traffic and limit certain types.


While the health of a machine can be gauged to some degree by a scan before it gets on the network, these checks do not look at whether the machine is actually infected with malicious code. They tell whether the operating system is patched, whether anti-virus software is up to date, whether the personal firewall is turned on, and the like.

The post-admission protection of TippingPoint’s NAC can identify and stop attacks that come from machines that have legitimately gained network access. “Comprehensive network security requires both access control and attack control,” says Jon Oltsik, senior analyst for Enterprise Strategy Group.

TippingPoint is blending its IPS technology with security policies that are linked to users and machines. So rather than apply policies to types of traffic as IPS does, the post-admission NAC applies policies defined based on who has accessed the network and how.
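The two-stage model the article describes, a pre-admission posture gate followed by post-admission policy keyed on who is on the network and how they got there rather than on traffic type, as an added illustrative example (Python written for this page, not TippingPoint's code). The roles, agent types, posture fields and port sets are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Posture:
    """Pre-admission report from the endpoint agent (constructed fields)."""
    os_patched: bool
    av_current: bool
    firewall_on: bool

@dataclass
class Endpoint:
    user: str
    role: str      # identity attribute the post-admission policy keys on
    agent: str     # "dissolvable" or "persistent": how access was gained
    posture: Posture

def admit(ep: Endpoint) -> bool:
    """Pre-admission gate: checks posture only; says nothing about active infection."""
    p = ep.posture
    return p.os_patched and p.av_current and p.firewall_on

# Post-admission policy: permitted destination ports per (role, agent),
# so the same packet is judged by who sent it, not by what kind of traffic it is.
# Constructed values for illustration.
POLICY = {
    ("contractor", "dissolvable"): {80, 443},
    ("employee", "dissolvable"): {80, 443, 25},
    ("employee", "persistent"): {80, 443, 25, 445},
}

def enforce(ep: Endpoint, flows):
    """Inline enforcer: split flows into (allowed, blocked) lists of (dst_port, label)."""
    permitted = POLICY.get((ep.role, ep.agent), set())
    allowed, blocked = [], []
    for dst_port, label in flows:
        (allowed if dst_port in permitted else blocked).append((dst_port, label))
    return allowed, blocked

def process(ep: Endpoint, flows):
    """Run admission, then post-admission enforcement for an admitted endpoint."""
    if not admit(ep):
        return {"admitted": False, "allowed": [], "blocked": list(flows)}
    allowed, blocked = enforce(ep, flows)
    return {"admitted": True, "allowed": allowed, "blocked": blocked}

if __name__ == "__main__":
    # Constructed sample: a posture-clean contractor whose SMB flow is still blocked.
    alice = Endpoint("alice", "contractor", "dissolvable", Posture(True, True, True))
    print(process(alice, [(443, "https"), (445, "smb")]))
```

The sample shows the article's point that a host can pass every posture check and still have its flows stopped post-admission, while the identical flow from an employee on the persistent client is allowed.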

TippingPoint is adding a device, the NAC Services Policy Server, to its product line in order to support NAC. The company says it may eventually integrate the policy server with its IPS device and its management platform.

Separate software, also housed in the policy server device and called NAC Enforcer, sits in-line with traffic to block flows that violate NAC policies. It can oversee 50 to 1,000 users, so depending on the size and configuration of its network, a business may need more than one.

This arrangement makes it unnecessary for TippingPoint’s NAC scheme to interact with existing network infrastructure to enforce NAC rules.

Initially, TippingPoint’s NAC will use a software agent to scan machines before they gain access, but later this year the company plans to release a persistent client that is downloaded once and remains. This client will also be able to perform a more thorough scan than the agent that dissolves after each session.

The scheme requires the TippingPoint client scanner. It does not work yet with other vendors’ NAC clients, such as Microsoft’s Vista NAP agent, but the company says it plans to expand the clients it supports.

TippingPoint’s NAC falls into the category of overlay appliances such as those from ConSentry and Nevis and to some degree Cisco with its NAC appliance.

A policy server with Enforcer costs about $15,000 plus licenses for end users that can cost as little as $13 each, depending on how many a customer buys.


Copyright © 2007 IDG Communications, Inc.