NAC appliances enable identity and posture-based network access policy enforcement. In addition to keeping malware out, these appliances can help safely connect bring-your-own devices (BYOD). In this EnterpriseNetworkingPlanet’s buyer’s guide, we examine capabilities and features offered by Bradford Networks Network Sentry.
Technical Marketing Manager John Sheedy notes that when Bradford started back in 2003, NAC focus was on scanning to stop laptops from bringing in the worm of day. “Today, NAC has become more about gaining visibility into who and what is connecting to the network, then using automation to enable secure access.”
Shades of grey
Sheedy said that while Network Sentry can still block threats, NAC has matured to the point that decisions are no longer black or white. “It depends on who the user is, what the device is, what the business function is, etc.,” said Sheedy. “Incidents need to be put into context to find the right balance.” As a result, solutions must support a range of needs.
“Historically, NAC was one-size-fits-all. Customers would buy an appliance, purchased in increments of users or devices. But over time, our customers and channel partners had needs that were quite different or wanted a phased approach. So two years ago, we divided Network Sentry into a foundation, solutions and extensions,” explained Sheedy.
Bradford’s foundation is either a physical or virtual Network Sentry appliance:
· The NS500X is an integrated control+application server for up to 2,000 endpoints.
· The NS1200X is a pair of servers that together manage up to 10,000 endpoints.
· The NS2200RX offers twice that capacity, with redundant disks and power supplies.
Where multiple appliances are used, a NS550RX appliance offers central management. VM appliances (NS500VM, NS1200VM, NS2200VM, NS550VM) are also available. Network Sentry appliances sit out of band to avoid scalability and integration challenges.
“There’s only so much traffic you can push through a single in-line device, and [network embedded] approaches tend to be a bit homogeneous,” said Sheedy. “Our approach, whether appliance or virtual, can be deployed in literally anywhere in the network. We can deal with any vendor’s network elements, leveraging whatever the customer has already invested in to collect information and enforce policy controls.”
Specifically, when a Network Sentry appliance is deployed into a network, it uses SNMP and CLI commands to discover switches and controllers. Building this topology not only delivers visibility to the customer, but lets Network Sentry monitor that infrastructure to know when endpoints connect to a wired port or WLAN. As each endpoint connects, Network Sentry records the device’s MAC and IP and location.
Solution sets and extensions
Atop this foundation may run one or more solutions — software feature sets that are licensed on a per-user or per-endpoint basis to address specific NAC use cases. These are:
- Access Manager corresponds to traditional NAC functionality, providing visibility and control to enforce access policy for users and endpoint devices. This includes the ability to tie access policies to users with several devices.
- Guest Manager tackles security and provisioning challenges that organizations face in dealing with unmanaged users (contractors, visitors, etc.) and unmanaged devices including BYODs. “Without an automated guest manager, IT can chew up a lot of time just dealing with this,” said Sheedy.
- Shared Access Tracker manages role-based access from a given endpoint. “In enterprise environments, that might be a call center with multiple shifts, or workers sharing a workstation with different responsibilities. In healthcare, it might be devices in a nurse’s station,” he explained.
- Device Tracker limits access to specific devices. Typically, those not associated with users, such as cameras, medical equipment, manufacturing systems. This solution uses information registered about each device (for example, MAC address files loaded by administrators) to differentiate and apply policy.
“If a customer wants to do everything, we offer a bundled license for that,” said Sheedy. “But more often than not, they have some things that are top of list. We support a phased rollout and a phased budget to pay for [incremental solutions].”
In addition, Bradford offers a series of one-time add-ons. These extensions include Endpoint Compliance (the ability to scan what’s installed and running on devices), Device Profiler (the ability to fingerprint device types), and Integration Suite.
According to Sheedy, policy enforcement point integration is part of the foundation, but Integration Suite pulls in data from other security devices such as IDS/IPS and next-generation firewall (NGFW) systems.
“In organizations with security infrastructure closer to the core, we allow for custom integrations. For example, an in-line IPS share information about anomalies with Network Sentry. We can look into our database to associate an IP address with a device type and user to provide context. We can then apply policies to disable the switch port or disconnect a WLAN connection, and keep that device off if it shows up elsewhere,” he said.
As a standalone out-of-band (physical or virtual) NAC appliance, Network Sentry can be integrated into mixed wired + wireless networks. “We tell new customers that they probably already have 60 percent of their NAC solution in place: it’s their network. It’s very important that a NAC solution work well with whatever your network might be today and where you might choose to take it next year,” said Sheedy.
Even without any Solutions or Extensions, Bradford’s foundation offers visibility and continuous monitoring. “You need this before you move into automating any policy controls, and there’s a lot of value in monitoring, all by itself,” said Sheedy.
However, for customers that want to venture further, Bradford’s adaptive security architecture focuses on automation — from automated notifications to automated network provisioning — to satisfy the access needs and rights of many different users and devices including those that are shared, unusual, or BYO.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.