How we tested NAC products

We tested network-access-control products Nevis and ConSentry by focusing on authentication, end-point security, enforcement and management.

We tested Nevis and ConSentry products by focusing on authentication, endpoint security, enforcement and management.

To test authentication, we used two RADIUS servers, our custom-written one and Juniper's RADIUS server (from its Funk acquisition). For LDAP, we used Sun's LDAP server and the LDAP server included in Windows 2003 Active Directory. Because ConSentry allows for passive authentication, we also tested with Windows XP and Win 2000 logging into a Windows Domain, and with 802.1X using Enterasys switches.

In testing endpoint security, we focused on the most common cases: Win 2000 and XP. Neither product claims to support other platforms, such as Macintosh, Palm or Symbian. With Windows, we tried each product four ways on each platform: once each with Firefox and Internet Explorer browsers logged in as a normal user, and then again logged in as an administrator. Because best practices for security call for users to be given least privileges possible, we focused on the normal user case.

With enforcement, we tried to differentiate between intrusion-prevention system (IPS)-style enforcement and the built-in firewalls. To test firewall functionality, we used a variety of applications (including Web clients, FTP and VoIP tools) to see how strong enforcement was and how well the firewalls could handle more complex protocols. We did not try and slip packets through the firewalls.

On the IPS side, we used a system infected with SQL Slammer to see how well worm detection worked, and a system controlled by the NetRaider Trojan horse to check on backdoor detection.

Finally, we looked at management by using our own network and firewall configuration as a model to see how well we could translate a real-world security policy using the tools and management systems that both vendors provided.

Network World would like to thank Enterasys, Juniper, Microsoft and Avocent for loaning us hardware and software to complete this test. An anonymous hacker helped by infecting our system with NetRaider and demonstrating control; thanks, and you know who you are.


Return to main NAC test story

Learn more about this topic

Cisco, Microsoft effort called a small step for NAC

09/18/06

InteropLabs hits on NAC, VoIP and open source

05/01/06

End-to-end NAC remains difficult

05/01/06

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2006 IDG Communications, Inc.

IT Salary Survey: The results are in