Network Access Control Appliance Buying Guide - Page 2

In this network hardware buying guide, we pose questions that every organization should ask when selecting a NAC Appliance.

By Lisa Phifer

Evaluation criteria

With those use cases in mind, it is time to map your own requirements onto the capabilities and features available in NAC Appliances.

· Network Integration: Unlike network-embedded or software-only NAC products, NAC Appliances are self-contained hardware or VM solutions. Most sit out-of-band, using packet injection, CLI commands or 802.1X to enforce access decisions. Consider how the appliance fits into your network, making sure it will play nicely with the existing network elements to be used for enforcement (e.g., edge switches, WLAN access points or controllers, routers, firewalls). As a rule, NAC Appliances should adapt to your network and should not require network upgrades.

· Form Factor and Scalability: NAC Appliances are often sold as hardware, sized for a given number of endpoints. Recently, virtual appliances have grown popular, letting companies choose their own platforms. Either way, when multiple appliances are required for capacity or geographic distribution, look for centralized appliance and policy management. Out-of-band appliances avoid most bottleneck concerns, but beware of dependencies that can impact network availability.

· User Authentication and Endpoint Identification: NAC Appliances often authenticate registered users/groups and recognize known endpoints by integrating with Active Directory or another existing database. However, NAC Appliances have grown more adept at handling changing populations. Look for Guest Management capabilities which admins or sponsors can use to create temporary user accounts. Look for Endpoint Profiling capabilities which can auto-discover and classify devices based on OS, MAC address and fingerprinted properties that confirm device type.

· Endpoint Assessment: NAC Appliances support “friend or foe” checks such as block all Androids, or allow iPhones running iOS 4+ or laptops with certificates. Consider how well each NAC Appliance supports your desired posture and health assessments. For example, can it check that your firewall and anti-malware are correctly installed and running? Can it check for patches, processes, blacklisted applications or signs of infection? Some appliances rely on probes, login scripts or traffic sniffing for assessment, while others use dissolvable or installed agents. Identify the supported OSes and scan limitations, and ask how endpoints that cannot be assessed are handled.

· Policy Enforcement: NAC Appliances combine authentication and assessment results with defined policies to make network access decisions. Depending on the appliance and use case, results may be coarse or granular, intrusive or transparent. For example, managed endpoints that authenticate with 802.1X may be transparently moved to the right VLAN, while BYOD users may be required to log into a portal before ACLs let them send traffic on ports 80 and 443. Consider the supported methods and the ability to enforce both short-term and long-term access policies.

· Remediation Methods: For partially compliant or noncompliant endpoints, NAC Appliances support various actions, ranging from permit/deny to audit only. Between these extremes may lie alternatives like informing users, placing endpoints on probation, rate-limiting or prioritizing traffic, quarantining endpoints, redirecting endpoints to a remediation page or server, or attempting auto-remediation. Desired approaches can vary by organization and by device/user/ownership – look for flexibility and consider external system integration needs.

· Cost and Licensing: This is an important characteristic for any product. Factors like purchase price, maintenance fees, installation effort, policy creation and tuning, and routine maintenance all affect total cost of ownership. For NAC Appliances, pay attention to à la carte licensing. Some vendors throw in everything – even capabilities you don’t plan to use – while others package and price specific capabilities separately – for example, endpoint assessment or guest management.
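To show how the Endpoint Assessment, Policy Enforcement and Remediation Methods criteria above fit together, here is an added example of a minimal NAC decision engine; it is illustrative code written for this guide, not any vendor's product. It assumes constructed VLAN numbers, Cisco-style ACL lines and the standard RFC 3580 RADIUS tunnel attributes an 802.1X switch uses for VLAN assignment.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample values: VLAN numbers and ACL syntax are placeholders, not a vendor's defaults.
VLAN_STAFF, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 99
PORTAL_ACL = ["permit tcp any any eq 80", "permit tcp any any eq 443", "deny ip any any"]

@dataclass
class Endpoint:
    auth: str                    # "802.1x", "portal" or "none"
    user_group: str              # from the user database: "staff", "guest" or "unknown"
    device_type: str             # from endpoint profiling: "laptop", "iphone", "android", ...
    os_version: Tuple[int, ...]  # e.g. (4, 3) for iOS 4.3; () if unknown (fails the iOS 4+ check)
    posture: Dict[str, bool]     # health checks, e.g. {"firewall": True, "antimalware": False}
    assessable: bool = True      # False when no agent, probe or scan result could be obtained

@dataclass
class Decision:
    action: str                  # "permit", "quarantine", "probation", "portal" or "deny"
    vlan: Optional[int] = None
    acl: List[str] = field(default_factory=list)
    reason: str = ""

def decide(ep: Endpoint) -> Decision:
    """Combine authentication, identification and assessment results into one access decision."""
    # "Friend or foe" checks from the text: block all Androids, require iOS 4+ on iPhones.
    if ep.device_type == "android":
        return Decision("deny", reason="android devices blocked")
    if ep.device_type == "iphone" and ep.os_version < (4,):
        return Decision("deny", reason="iphone below iOS 4")
    # An endpoint that cannot be assessed is never assumed healthy: limited access, audited.
    if not ep.assessable:
        return Decision("probation", VLAN_GUEST, PORTAL_ACL, "not assessable")
    failed = sorted(check for check, ok in ep.posture.items() if not ok)
    if ep.auth == "802.1x" and ep.user_group == "staff":
        if failed:  # managed but unhealthy: quarantine VLAN until remediated
            return Decision("quarantine", VLAN_QUARANTINE, reason="posture failed: " + ",".join(failed))
        return Decision("permit", VLAN_STAFF, reason="managed, healthy")  # transparent VLAN move
    if ep.auth == "portal" and ep.user_group == "guest":
        return Decision("permit", VLAN_GUEST, reason="guest authenticated at portal")
    # BYOD / unknown user: the ACL only allows ports 80 and 443 so the portal is reachable.
    return Decision("portal", VLAN_GUEST, PORTAL_ACL, "unauthenticated, redirect to portal")

def radius_vlan_attributes(d: Decision) -> Dict[str, str]:
    """RFC 3580 tunnel attributes returned in a RADIUS Access-Accept to place the port in a VLAN."""
    if d.vlan is None:
        return {}
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(d.vlan)}
```

Real appliances add rate-limiting, auto-remediation and time-bound guest accounts on top of this skeleton; the point is that every branch here is a policy you should be able to express in the product you evaluate.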

NAC Appliance products

These are just some of the many features and capabilities found in contemporary NAC Appliances. Vendors in this market include Avenda, Bradford, Cisco, Enterasys, Extreme, ForeScout, Fortinet, HP, Juniper, McAfee, Nevis, StillSecure, TippingPoint and Trend Micro. To more fully illustrate this category, EnterpriseNetworkingPlanet will profile several product lines, including Avenda Systems eTIPS, ForeScout CounterACT, and Bradford Networks Network Sentry. Stay tuned…

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.

This article was originally published on Nov 2, 2011