NAC Appliances enable identity and posture-based network access policy enforcement. In addition to keeping malware out, these appliances can help to safely connect bring-your-own devices (BYODs). In this EnterpriseNetworkingPlanet buyer’s guide, we examine the capabilities and features offered by Avenda Systems eTIPS.
According to Marketing Director Trent Fierro, Avenda strives to deliver comprehensive back-end functionality while making NAC easy to deploy and use. “We use a three-step model: simulate, monitor, enforce,” said Fierro. “We help you learn what’s on your network first, gradually rolling out policies to make sure that users who meet requirements get in while educating those who don’t.”
Creating a foundation
NAC Appliance deployments involve (at least) three players: endpoints requesting access, network elements enforcing decisions and centralized appliance(s) making decisions based on identity, posture and policy.
Every Avenda NAC deployment starts with at least one Enterprise Trust Identity Policy System (eTIPS) appliance. There are four eTIPS models, ranging from the ET-5005 (2500 endpoints) to the ET-5040 (30,000 endpoints). All four are sold on dual-GigE Intel hardware and as host-your-own VM appliances.
“With our 4.0 release, you can place eTIPS anywhere – in the same rack [as network elements], in another building or even in another country,” explained Fierro. Larger distributed networks are supported by clustering appliances, all of which enforce shared policy, managed from any unit’s web console. Appliances exchange policy updates but operate independently, creating no single point of failure.
Every eTIPS appliance delivers core capabilities, starting with user identity and role-based access control. Endpoints can request access via 802.1X, MAC, or web portal authentication. eTIPS responds by consulting an on-board RADIUS server or querying enterprise databases (e.g., ActiveDirectory, LDAP, SQL, Kerberos). Basic guest management is also included with every eTIPS appliance.
In addition, eTIPS provides back-end support for endpoint health assessment, 802.1X supplicant configuration, and delivering associated client software (see below). eTIPS policies can include more than identity and posture – for example, decisions may be influenced by access method or date/time. Policies can be simulated to evaluate results or enabled in monitor-only mode. When ready, policies can trigger enforcement methods that range from permit/deny or VLAN assignment to enabling access via RADIUS, RADIUS CoA, TACACS, SNMP or SSH.
For example, upon receipt of an access request, eTIPS might look up a user’s credentials in ActiveDirectory, query GPO attributes, search a SQL database for the endpoint’s (user or IT) registered MAC address, and then run an endpoint assessment. “As a result, I might install a dynamic ACL to allow or restrict server access,” explained Fierro. “Our enforcement is flexible to [integrate with] legacy equipment, like old switches. We can even use SSH to send results to external captive portals.”
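As an added illustration (not Avenda’s code or API), the following miniature Python policy engine models the decision flow just described, with identity lookup, registered-MAC lookup, posture result, access method and time of day feeding one verdict, and the simulate/monitor/enforce rollout deciding whether that verdict is applied or only recorded. The directory entries, MAC registry, VLAN numbers and ACL name are hypothetical inline data.

```python
from dataclasses import dataclass

# Constructed example of the decision flow described above: identity lookup,
# registered-MAC lookup, posture result, access method and time of day feed one
# verdict, and the simulate/monitor/enforce rollout decides whether that verdict
# is applied or only recorded. The directory, MAC registry, VLAN numbers and
# ACL name are hypothetical inline data, not Avenda's API or defaults.

DIRECTORY = {"alice": {"groups": ["staff", "finance"]}, "guest42": {"groups": ["guest"]}}
REGISTERED_MACS = {"aa:bb:cc:dd:ee:01": "alice"}  # MAC -> registered owner
QUARANTINE_VLAN, GUEST_VLAN = 666, 900

@dataclass
class AccessRequest:
    user: str
    mac: str
    method: str       # "802.1x", "mac" or "web" (portal)
    posture_ok: bool  # result of the endpoint health assessment
    hour: int         # hour of day (0-23) when the request arrived

def decide(req: AccessRequest) -> dict:
    """Return the enforcement action the policy would take for this request."""
    identity = DIRECTORY.get(req.user)
    if identity is None:
        return {"action": "deny", "reason": "unknown user"}
    if "guest" in identity["groups"]:
        if req.method != "web":
            return {"action": "deny", "reason": "guests must use the web portal"}
        return {"action": "vlan", "vlan": GUEST_VLAN, "reason": "guest via captive portal"}
    if REGISTERED_MACS.get(req.mac.lower()) != req.user:
        return {"action": "vlan", "vlan": QUARANTINE_VLAN, "reason": "device not registered to user"}
    if not req.posture_ok:
        return {"action": "vlan", "vlan": QUARANTINE_VLAN, "reason": "failed health assessment"}
    if "finance" in identity["groups"] and not 8 <= req.hour < 18:
        return {"action": "acl", "acl": "deny-finance-servers", "reason": "off-hours restriction"}
    return {"action": "permit", "reason": "registered, healthy corporate device"}

def enforce(req: AccessRequest, mode: str) -> dict:
    """Three-step rollout: simulate and monitor only record the verdict; enforce applies it."""
    if mode not in ("simulate", "monitor", "enforce"):
        raise ValueError(f"unknown policy mode: {mode}")
    verdict = decide(req)
    applied = verdict if mode == "enforce" else {"action": "permit", "reason": f"{mode} mode"}
    return {"mode": mode, "would": verdict, "applied": applied}
```

Comparing the `would` and `applied` fields over a day of real requests in simulate or monitor mode is how a rollout can confirm that everyone who meets requirements still gets in before the policy is switched to enforce.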
Expanding beyond core capabilities
eTIPS appliances can support many use cases without additional components. However, customers can purchase add-ons to expand visibility or simplify deployment.
- GuestConnect is an optional eTIPS application that lets individuals sponsor guests, using custom captive portals for each sponsor. Users can also use GuestConnect to self-register themselves and their devices. GuestConnect portal pages can also perform agentless health assessments on Windows, Mac, and Linux endpoints.
- Insight is an optional advanced reporting module that complements basic eTIPS reports with another 20+ reporting templates, while extending the period during which archived data can be analyzed and viewed as though it were live data.
- Edge is an optional virtual appliance that delivers pass-through integration between eTIPS and VPN gateways. Edge can enable consistent location-independent policy enforcement, so that users experience the same access decisions when working remotely as they do when connected to an onsite LAN or WLAN.
Shoring up endpoints
Finally, endpoint diversity has been a thorn in NAC’s side for years. Avenda offers two optional products to ease that pain.
802.1X is a great way to enforce NAC decisions, except when it is absent or not yet configured on unmanaged endpoints, including BYO phones and tablets. “Microsoft and Apple [endpoints] now have supplicants, so 802.1X is easier than it used to be,” said Fierro. “But configuration is still hard. Our Quick1X lets users [avoid configuration] by visiting our cloud server and entering a login/password. We then push 802.1X settings and any necessary client software to Windows, MacOS, iOS and Android endpoints.”
Another long-standing challenge has been striking a balance between persistent agents – capable of deeper endpoint health assessment – and dissolvable agents – usually more superficial, but a better fit for guests and other unmanaged endpoints. For customers that need endpoint health assessment, Avenda’s OnGuard offers both dissolvable and persistent agents for Windows, MacOS, and Linux endpoints. “On a Windows laptop, you can use Microsoft NAP to check whether [a device] is running firewall, anti-virus, anti-spam, etc. On Macbooks, you can use OnGuard to do the same thing, applying consistent policies to both, in 802.1X and non-1X environments,” explained Fierro.
OnGuard can also perform deeper-than-NAP assessments, such as checking for outdated client software, services like Skype, USB-connected peripherals or cloned endpoints running in VMware. “OnGuard is more granular and more powerful than NAP. It gives you the ability to remediate devices, message connected users, or bounce users off the network when needed to handle code of conduct violations,” said Fierro.
A related feature added in the 4.0 release is mobility domain caching. “Travelers can maintain endpoint health status to avoid re-assessment so long as they stay in the same domain,” explained Fierro. “This helps to minimize data sent across WANs, especially important since users are now logging in with multiple devices per person.”
As a NAC Appliance, Avenda eTIPS is designed to drop into any network. “Our philosophy is to build products based on standards. We won’t force you to buy every [network element] from us to do NAC,” said Fierro. “We have strategic partners that sell network equipment (e.g., Meru, Xirrus, Aruba, Meraki). We give customers a NAC solution that can enforce policy consistently throughout multi-vendor networks.”
Options such as Quick1X and GuestConnect demonstrate how Avenda has moved to address operational pain points experienced by earlier NAC adopters. These capabilities create a springboard for enabling new BYOD endpoints, while new features like mobility domains and clustering help Avenda scale to meet even larger network needs.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.