How we did it

Building a large NAC deployment meant building a small enterprise network from scratch. Before any equipment hit the loading dock, though, we designed a test methodology and wrote a requirements document for NAC solutions that would prove to set the scope for this NAC architecture test as well as our upcoming all-in-one NAC product test (see the NAC requirements document at http://www.opus1.com/nac/requirementsfornacsolutions.pdf).


We started by creating a backbone, using our existing Enterasys Gigabit Ethernet and Aruba wireless infrastructure along with firewalls and routers from Cisco, Juniper and Nokia. We defined a number of virtual LANs (VLAN), including ones for management, remediation, guest access, printers, VoIP and several production networks. We then attached each of the enforcement points we wanted to test directly to the backbone using VLAN trunking so that they could switch users between networks based on security policy. In all, we connected 10 new wired enforcement points to our network, as well as a Cisco “fat” wireless access point.


Next, we set up a series of management servers required to control the different tools we were testing. In some cases, such as with Qualys, Great Bay Software, Vernier and the Juniper UAC appliance, vendors provided these physical systems. We ran all other components, including Trend Micro, PatchLink, LANDesk, Cisco with its CSA and Secure ACS, Juniper with its Steel Belted RADIUS server, BigFix, McAfee, Symantec, and Q1 Labs, as VMware guest instances on an eight-core Supermicro VMware server with 16GB of memory and a high-speed SCSI RAID array. To keep tabs on things, we used an Avocent AMX5000 KVM system. We tested the RADIUS servers against a Sun LDAP server holding our authentication and authorization information.

Our testing also included several clients, including Session Initiation Protocol-based VoIP devices from Cisco and Grandstream and wireless devices from Palm (TX handheld) and Nokia (E61 smartphone), as well as an HP 8150DN printer and an APC SmartUPS UPS. We also used laptops from Dell and IBM/Lenovo as traditional Windows-based clients, plus two Mac Powerbook G4 laptops to represent guest and non-Windows clients. To keep the Windows laptops clean between tests, we used Symantec’s Ghost to re-image them with a fresh copy of Windows XP SP2.

We designed nine “scenarios” a typical network would need to support in a NAC deployment: employee access with managed and unmanaged Windows XP clients; employee access via Mac OS X laptops; guest and contractor access with Windows XP, Mac OS X, and PDAs or smartphones (such as the Palm and Nokia devices); and agentless device access, specifically the printer, VoIP phones and UPS.

Taking these scenarios, we developed three security policies. Our first policy was to test authentication, and simply sorted users into different VLANs based on the authorization information pulled from our Sun LDAP server. We also brought in guest user and agentless authentication at this point in the test.

Our second set of policies addressed end-point security, and we applied these policies to both our employee and guest test scenarios.

Our third policy set was designed to test enforcement more closely. In this set, we changed from VLAN-based access controls to more sophisticated packet filters and firewall rules.
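The first two policy sets, as an added example that is not part of the original test or any vendor's product: a minimal policy engine that sorts an access request onto a VLAN from LDAP authorization data, falls back to the remediation VLAN when a managed endpoint fails posture checks, and emits the RFC 3580 tunnel attributes a RADIUS server returns to the enforcement point for dynamic VLAN assignment. VLAN numbers, group names, MAC addresses and the posture checklist are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed VLAN plan mirroring the segments defined on the test backbone.
VLANS = {"production": 100, "voip": 110, "printers": 120,
         "guest": 200, "remediation": 300}

# Constructed table of agentless devices, identified by MAC address only.
AGENTLESS_DEVICES = {
    "00:11:22:33:44:55": "printers",   # network printer (constructed MAC)
    "00:aa:bb:cc:dd:ee": "voip",       # SIP phone (constructed MAC)
}

# Constructed end-point posture policy (policy set 2): what the agent reports.
REQUIRED_POSTURE = {"antivirus_running": True, "firewall_enabled": True}
MIN_SERVICE_PACK = 2   # constructed baseline: Windows XP SP2

@dataclass
class AccessRequest:
    mac: str
    username: str = ""                    # empty for agentless devices
    ldap_groups: frozenset = frozenset()  # authorization data pulled from LDAP
    managed: bool = False                 # endpoint runs the NAC agent
    posture: dict = None                  # agent report; None when none could run

def evaluate_posture(report: dict) -> bool:
    """True only when every required item is present and satisfied (fail closed)."""
    if report.get("service_pack", 0) < MIN_SERVICE_PACK:
        return False
    return all(report.get(k) == v for k, v in REQUIRED_POSTURE.items())

def decide_vlan(req: AccessRequest) -> str:
    """Policy set 1 (authentication/authorization sort) then policy set 2 (posture)."""
    if not req.username:                                  # agentless: MAC lookup
        return AGENTLESS_DEVICES.get(req.mac, "guest")    # unknown MAC -> guest
    if "employees" not in req.ldap_groups:                # guests and contractors
        return "guest"
    # Managed employee endpoints must pass posture; unmanaged ones (e.g. a
    # Mac OS X laptop with no agent) cannot be checked and are not quarantined.
    if req.managed and not evaluate_posture(req.posture or {}):
        return "remediation"
    return "production"

def radius_vlan_attributes(vlan_name: str) -> dict:
    """RFC 3580 attributes returned in Access-Accept for dynamic VLAN assignment."""
    return {"Tunnel-Type": 13,                           # VLAN
            "Tunnel-Medium-Type": 6,                     # IEEE-802
            "Tunnel-Private-Group-ID": str(VLANS[vlan_name])}
```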

While running through these policies, we used our requirements document to measure how well each configuration worked according to our vision of an ideal NAC solution.

Copyright © 2007 IDG Communications, Inc.
