NAC enforcement tools fall short

In complex networks, proprietary schemes are required

The “C” in NAC stands for Control: defining access to network resources based on the valid authentication and end-point security posture of the user. Up until this point in our testing, CNAC and TCG/TNC were friendly bedfellows, offering very similar functionality with many of the same high and low points in their results.

When we got to the control part of the picture we found that there’s not just white and yellow cheese out there: it’s more akin to there being 246 flavors from which to choose.

In this leg of our comparison, our use scenarios weren’t important, because once you get to the control part, everyone – employees, guests and agentless devices – is treated the same. So here we homed in on the dizzying array of options each side gave us.

How we set up Cisco NAC

Even though Cisco offers a proprietary framework, it still is the world’s largest network hardware manufacturer, so the list of enforcement choices runs for pages. We started with LAN switches and 802.1X authentication, which gave us virtual LAN (VLAN)-based access controls. If you’re happy with VLANs, Cisco has about a half-dozen families of current LAN switches, and two or three times that in recently retired hardware that’s still perfectly CNAC capable. Plus, all of the Cisco wireless equipment, from standalone access points to Airespace wireless switches, could be enforcement points as well.

Many Cisco switches also have packet filtering capabilities, and a CNAC deployment can also employ packet filters. Even when we added these packet filters, we weren’t stretching the limits of CNAC enforcement. Cisco has what it calls “Layer-2 IP” and “Layer-3 IP” NAC clients, which forgo authentication in favor of end-point security and enforcement measures. These NAC client modes work with switches as well as IOS routers for additional enforcement options. We did not test Layer-2 IP or Layer-3 IP client modes, because of the lack of authentication, but Cisco engineers told us that authenticating versions of those clients are under development but could not say when they would be released.

How we set up TCG-TNC NAC

Cisco’s ASA series of firewall/VPN appliances can also be NAC enforcement points. We configured an ASA5100 to be part of our CNAC deployment, which allowed us to require end-point security assessment before we’d let someone onto our network through an IPsec VPN tunnel.

Policy tools lacking

While there is no shortage of outstanding control points, there is a shortage of policy tools to make use of all this power. Because CNAC requires Cisco ACS, and because of ACS’s inherent limitations, we could express only the most primitive of policies.

For example, users cannot be placed in multiple groups and have overlapping access to resources. Trying to define policy that might combine VLANs, packet filters, VPNs and end-point security would be nearly impossible for anything but the most basic of networks in the ACS user interface. And for every different security policy in our network, we had to make four to 10 additions in ACS.
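To make the policy-expression problem concrete, here is a small policy evaluator written as an added example for this article; it is not code from Cisco ACS, Juniper UAC or any other product mentioned here. It models the “Control” step described above: given the groups an authenticated user belongs to and the end-point posture result, it produces what a NAC policy server would push to an enforcement point, namely a dynamic VLAN expressed as the RFC 3580 RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and a packet filter. Two evaluators are shown side by side: a single-group model in which the first matching group wins and overlapping access is lost, which is the limitation the text describes, and a multi-group model that unions the permitted services. The group names, VLAN numbers, ports and quarantine settings are constructed sample data, not values from the test bed.

```python
"""Toy NAC policy evaluator: identity groups + posture -> VLAN + packet filter.

Added example; not the article's code nor any vendor's implementation.
Group names, VLAN IDs and filter rules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Sequence

# RFC 2868 / RFC 3580 values used for dynamic VLAN assignment over RADIUS.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (attribute 64) = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type (attribute 65) = IEEE-802


@dataclass(frozen=True)
class GroupPolicy:
    vlan: int                 # VLAN the group lands in
    permit: FrozenSet[str]    # services the group may reach, as "proto/port"


# Constructed sample policy table (hypothetical groups and VLANs).
POLICY: Dict[str, GroupPolicy] = {
    "employees":   GroupPolicy(vlan=10, permit=frozenset({"tcp/443", "tcp/25", "udp/53"})),
    "engineering": GroupPolicy(vlan=20, permit=frozenset({"tcp/22", "udp/53"})),
    "guests":      GroupPolicy(vlan=99, permit=frozenset({"tcp/80", "tcp/443", "udp/53"})),
}
QUARANTINE_VLAN = 666                                   # constructed
REMEDIATION_PERMIT = frozenset({"udp/53", "tcp/8080"})  # DNS + a patch server (constructed)


def radius_vlan_attrs(vlan: int) -> Dict[str, object]:
    """Attribute/value pairs a RADIUS server returns to assign a VLAN (RFC 3580)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def acl_from_permits(permits: Iterable[str]) -> List[str]:
    """Render a permit set as ordered filter lines with an explicit final deny."""
    lines = []
    for entry in sorted(permits):
        proto, port = entry.split("/")
        lines.append(f"permit {proto} any any eq {port}")
    lines.append("deny ip any any")
    return lines


def _quarantine() -> dict:
    """Failed posture: isolate the host and allow only remediation traffic."""
    return {"access": "accept",
            "vlan_attrs": radius_vlan_attrs(QUARANTINE_VLAN),
            "acl": acl_from_permits(REMEDIATION_PERMIT)}


def evaluate_single_group(groups: Sequence[str], posture_ok: bool) -> dict:
    """One-group model: the first matching group decides everything.

    A user in both 'employees' and 'engineering' gets only the first group's
    access; the overlap is silently dropped, so every combination needs its
    own extra group definition.
    """
    if not posture_ok:
        return _quarantine()
    for name in groups:                 # evaluation order determines the outcome
        if name in POLICY:
            policy = POLICY[name]
            return {"access": "accept",
                    "vlan_attrs": radius_vlan_attrs(policy.vlan),
                    "acl": acl_from_permits(policy.permit)}
    return {"access": "reject"}         # no known group: Access-Reject


def evaluate_multi_group(groups: Sequence[str], posture_ok: bool) -> dict:
    """Multi-group model: one VLAN (from the highest-priority group) plus the
    union of every matched group's permitted services."""
    if not posture_ok:
        return _quarantine()
    matched = [POLICY[name] for name in groups if name in POLICY]
    if not matched:
        return {"access": "reject"}
    permits = frozenset().union(*(p.permit for p in matched))
    return {"access": "accept",
            "vlan_attrs": radius_vlan_attrs(matched[0].vlan),
            "acl": acl_from_permits(permits)}


if __name__ == "__main__":
    user_groups = ["employees", "engineering"]
    print("single-group:", evaluate_single_group(user_groups, posture_ok=True))
    print("multi-group: ", evaluate_multi_group(user_groups, posture_ok=True))
    print("quarantined: ", evaluate_multi_group(user_groups, posture_ok=False))
```

Running the block shows the difference the text is getting at: under the single-group model the engineer who is also an employee never receives the SSH permit, while the multi-group model returns one VLAN and a merged filter. The quarantine path shows why posture has to be evaluated before group policy, since a non-compliant host should land in the remediation VLAN regardless of who is logged in.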

The good news is that when we tested each advanced CNAC access control individually, all were successful. When we added packet filters and other controls, they were pushed from the Cisco ACS server to the network enforcement point, and we were, indeed, locked down.

If anything will hold back advanced CNAC deployments, it’s the control features in ACS. It’s simply not up to the task of being a general network policy tool for control, and so there’s little or no point in doing any control in CNAC beyond a small set of VLANs at this juncture.

Of course, that might not be a problem. In many networks, a dozen VLANs may be all the partitioning and access control required for a very successful NAC deployment. And, if that fits your network, you’ll probably be perfectly happy with Cisco ACS and recent-vintage Cisco hardware (that is, any switch released in the last few years). In fact, if you are simply doing VLAN-based access controls, you may be able to use non-Cisco switches very successfully. That said, these have to be pretty well-designed switches to have the same feature set as Cisco’s Catalyst line, such as the Enterasys Matrix C2 in our test bed.

The power of Juniper

But what if you really do want very strong access controls? Juniper takes NAC to the next level with the integration between the UAC appliance and Juniper’s ScreenOS-based firewall product line, but only inside the TCG/TNC NAC framework. Using Juniper’s access control model, you not only separate users based on VLANs, you also scatter firewalls inside your network to provide full stateful firewall rules for each user.

Defining policy for NAC is both easy and intuitive. We found that debugging the UAC appliance and ScreenOS firewalls was more complex and difficult than necessary, but once we did get the bugs worked out, everything worked as expected.

The Juniper approach is powerful, but depends on a Juniper client and Juniper UAC appliance working together with Juniper firewalls -- gaining all that additional access control functionality requires a fair amount of proprietary magic.

This point was hammered home when Vernier Networks came out to our lab with its EdgeWall 8800 enforcement point and the accompanying EdgeWall Control Server. As a standalone NAC vendor, Vernier has its own powerful story to tell (see story on Network World's upcoming test of those products), complete with stateful firewalls, multi-platform end-point posture assessment, and an integrated intrusion-prevention system in a multi-gigabit chassis. Vernier joined the TCG/TNC camp in this test as an enforcement point, integrating with our UAC appliance for policy and end-point security.

Used as a pure TCG/TNC enforcement point, the EdgeWall gave us only about 10% of its capabilities, because all of the powerful policy controls are, as with the Juniper advanced access control solution, proprietary to Vernier’s own Control Server. By driving the EdgeWall from the UAC appliance, we couldn’t push policy down to the EdgeWall — we were only able to use it as a firewalling switch. Of course, we could have taken the policy out of the UAC appliance and put all of the controls in Vernier’s Control Server — a strategy that would work well in a network where EdgeWall appliances are being used as the primary control mechanism.

Lessons learned about NAC enforcement

If your access controls for NAC will be limited to VLAN assignment, you won’t be stressing either the CNAC or TCG/TNC frameworks very much, nor will you find much to differentiate the frameworks.

However, if you want to add advanced access controls, such as packet filters or stateful firewalling to your NAC deployment, you’ll find significant differences. While Cisco certainly has the widest variety of hardware in the world, the CNAC framework is being held back by the required Cisco ACS policy engine, an unsuitable tool for any sort of complex network security policy definition. You can go down the proprietary path with TCG/TNC just as easily, but get a significantly better tool in Juniper’s UAC controller, along with a wide variety of low-end and high-end enforcement points.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

NW Lab Alliance

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.


Copyright © 2007 IDG Communications, Inc.