January 25, 2008

Symantec tops Juniper, Cisco and Check Point in test of 13 NAC point products

Clear Choice Tests  By Mandy Andress, Network World, 07/30/07

Network-access control is a buzzword of epic proportion. And as is the case with much of larger-than-life industry vernacular, products with even the slightest aspect of access control are being pitched by their makers as integral components of the NAC fray.

In April, we assessed the role that more than 30 NAC products play in the larger NAC schemes defined by Cisco 's Network Admission Control (CNAC) initiative or the Trusted Network Connect (TNC) working group of the Trusted Computing Group (see "What can NAC do for you now?").

We found that the basic functions of NAC can be carried out within CNAC or TNC, but not all IT shops have the time, inclination, network infrastructure or resources to deploy a full-blown NAC framework.

Enter the all-in-one approach to NAC -- single products that provide authentication and authorization, endpoint-security assessment, NAC policy enforcement and overall management.

We tested 13 products from Bradford Networks, Check Point Software, Cisco, ConSentry Networks, ForeScout Technologies, InfoExpress, Juniper Networks, Lockdown Networks, McAfee, StillSecure, Symantec, Trend Micro and Vernier Networks.

To ensure continuity between our previous assessment of NAC architectures and these all-in-one NAC products, our testing was based on the same methodology. Authentication and authorization testing homed in on the options available for connecting to the network physically, the authentication options supported and how each product handles authorization.

While deploying NAC in an environment with standard 802.1X authentication was a focal point of our NAC-architecture testing, in this round we deployed products using other authentication options -- for example, facilitating inline monitoring, controlling an installed network switch and acting as the access-layer switch itself -- because many organizations will want to deploy NAC before they can do so using the 802.1X standard. All the vendors tested offer at least one alternative approach, so the good news is that there is no shortage of options.

Our environmental-information evaluation -- sometimes referred to as an endpoint-security assessment -- looked at how effectively each product gathers pertinent information from endpoints. The details collected range from general machine information to specific security settings, and all are used to enforce policy decisions.

The enforcement piece of this test evaluated the options available for handling offending systems once assessment is complete and the applicable policy identified. The final management section looked at the tools available for keeping the whole NAC system running, including defining new policies, receiving alerts and reporting, all within an accessible and usable interface (see a full test-methodology guidance on testing these NAC products in your own environment).

The good news is that these products consistently functioned as advertised. Pretty much across the board, they identified, authorized (or blocked, as required) and helped remediate failed systems as their makers said they would. However, they carried out these measures in different ways and to varying degrees, so to help determine which product is the best fit for you, you'll need to have a clear understanding of which areas covered by these NAC products are the most critical for your own environment (see "6 tips for selecting the right all-in-one NAC product").

Symantec came out on top as the best-all-around all-in-one NAC product. Although other products performed better in single categories, we found that Symantec's Network Access Control provided the most solid NAC functions across the board. ForeScout, Lockdown and Juniper rounded out the top finishers.

Trends in NAC products

Our authentication and authorization tests showed that for the most part, these all-in-one NAC products slide pretty effectively into existing networks in a variety of ways. Authorizing access for known and guest users via general LAN links, remote-access connections and wireless LANs are all measures supported by most products. The technical implementation methods differ, but the goals of flexibility and pervasive coverage remain the same.

Common to the vast majority of products is integration with standard user directories, such as Microsoft 's Active Directory and other Lightweight Directory Access Protocol-based repositories, and authentication servers, such as a RADIUS server. A key difference is that some products provide authentication by monitoring authentication traffic (for example, Kerberos authentication packets) passively and making note of the event, while others require the user to enter credentials actively.

Another key difference among the products is the endpoint information used during the authorization and enforcement processes. Some products rely on user information to enforce policies, while others grant access based solely on device information. A few products provide support for both approaches.

Juniper, Symantec and Vernier performed the best in our authorization and authentication testing. These products provided well-integrated deployment scenarios for our four connection methods (LAN, remote access, guest and wireless). They also supported a variety of technologies for authentication and let us configure authorization parameters based on either user or device.

Endpoint-assessment tests evaluated out-of-the-box options for system compliance checks, focusing on antivirus software, Windows security patches, host firewall status, endpoint-vulnerability status and identification of actively infected systems. Most products provided basic coverage and functions on the fundamental items.

What differentiated these products was how broadly they covered these assessment mechanisms, how easily they configured checks, how they manipulated the timing of checks and whether they could implement more-detailed checks, such as when a product supports a general vulnerability-scanning engine. Products' ability to define custom security checks ranged from checking for certain registry keys and file properties to full scripting engines.

Symantec, ForeScout excel in assessment

Symantec excelled in endpoint assessment and the collection of environmental information by providing the best all-around assessment function. ForeScout also performed well, providing enhanced assessment functions, such as anomaly detection and a full vulnerability-assessment platform.

Enforcement capabilities generally depended on the product's implementation. For example, in products that approached NAC by controlling the access switch, primary enforcement mechanisms included virtual LAN and access-control list (ACL) changes. Inline deployments most frequently offered firewall rules to control network access, though some also provided VLAN changes by modifying 802.1Q tags.

While VLAN changes are easy to implement, the bigger issue for users is the network infrastructure's overall VLAN design and management, compared with how detailed their NAC policies will be. Having different access policies for different corporate functions -- and even different access policies if endpoint systems are not in compliance -- could quickly become a VLAN management nightmare.

Another common enforcement mechanism is self-enforcement, facilitated by heavy-handed client software in which an agent controls network access. Self-enforcement is beneficial in that it helps ensure compliance when a user isn't connected to the corporate network, but you've got to factor in that the endpoint could be compromised. We recommend using self-enforcement along with a network-based enforcement mechanism, such as pushing a firewall rule, making a VLAN change or facilitating an ACL change on a switch.

Remediation efforts tended to guide users through the process of bringing their own machines up to NAC snuff. The measures provided generally included displaying a message containing a URL leading users to information or software that will let them self-remediate. Some products provided more proactive remediation functions, such as killing a process or automatically executing a program -- for instance, launching a patch-management agent such as PatchLink, pushing an enterprise-software upgrade via Microsoft's SMS or running a custom script.

ForeScout, Juniper, Lockdown and Symantec all performed well in our remediation tests, with ForeScout the remediation leader based on its flexible and extensive options, from VLAN changes to killing a rogue process.

The big area of disappointment generally across the board was the general lack of information these products provided about a user's or device's history. If a device was placed in quarantine, what check failed? What was the response? What user was logged in at the time? What action was taken? What other devices had the user connected to? What is the historical information about this device or user? Very few products were capable of this level of detail, which is required for any useful NAC deployment.

The tools to manage a NAC deployment adequately -- the general interface for policy creation and day-to-day administration, help and documentation, and alerting and reporting capabilities -- generally were the weakest components of the products tested.

GUI interfaces were cluttered and not intuitive to use or navigate. Often the tools for defining NAC policies -- a critical part of NAC administration -- were buried deep within the system and required multiple clicks just to get to the starting point. Very few products launched administrators into a dashboard of useful information. Lockdown's Enforcer had the best: A full-summary dashboard appeared when the administrator initially logged on that gave a clear picture of the system's risk posture and high-level details of its current state.

Policy creation generally was overly complex. While NAC vendors generally provide a lot of flexibility and detail with their NAC policy development engines, most have fallen short in making those engines easy to drive with the supplied management applications. Vernier's EdgeWall had the most challenging NAC methodology, but in the end, it was the most flexible and detailed of the products tested.

Another area we focused on was support-account administration, to see the level of detail supported for access control and role definition. We also looked at whether a product managed administrator accounts within an enterprise-user repository instead of maintaining a local database of administrative users. Most products supported a multiple-role structure, but some products provided more detail than others.

Reporting was the most problematic area. Some products contained no reporting function, and others provided only very basic searches. While it's important to identify and enforce network access based on endpoint integrity and defined policies, it is almost more important in today's environment to show the historical results of assessments and what action was taken concerning systems that did not adhere to defined policy.

While all the products we tested can use improvement in overall management, Check Point, ForeScout and Lockdown have the strongest showing in this area of evaluation. Their products provided the reporting and enterprise-management functions we expected to see, such as multiple alerting options to tie into enterprise-management tools, delegated administrative functions, and adequate help and product documentation.

NAC futures

Postadmission control is where most vendors are spending their development resources, and that's only natural. Once a system is admitted to the network, it needs to stay in compliance. Most products achieve this now by performing assessment checks on a schedule, such as every 15 minutes.

Some vendors, such as McAfee and StillSecure, are starting to take postadmission control a step further, integrating intrusion-detection/prevention systems that trigger an enforcement action if an alert is received about an endpoint device. This information also can be combined with a vulnerability scan to determine whether the alert is a false-positive.

Although some products do vulnerability scans now, this false-positive correlation still is a goal for vendors to reach. The next logical step is integration with security-information and security-incident and event-management products, which should provide the most complete picture to help a NAC product make the best decision on how to provide access to an endpoint device continuously.

Another future integration point for NAC should be the growing number of outbound-content-compliance and data-leakage-protection products. With this combination, companies could block network access if unauthorized data transfers were attempted or observed.

In its basic form, NAC is ready for prime time. Companies can buy a multitude of products that check the integrity of known endpoints and control access accordingly. And judging from the industry buzz about NAC, vendors are investing R&D dollars that will help facilitate enhanced features and further integration with any organization's network infrastructure. The secret to deploying an effective all-in-one NAC product is aligning yourself with a vendor that has developed its product with the same NAC priorities you've set for your own network.

NW Lab Alliance

Andress is a member of the Network World Lab Alliance, a cooperative of the premier testers in the network industry, each bringing to bear years of practical experience on every test. For more Lab Alliance information, including what it takes to become a partner, go to www.networkworld.com/alliance.


All contents copyright 1995-2008 Network World, Inc. http://www.networkworld.com

1 comment:

Anonymous said...

Can anyone recommend the top performing Remote Management & Monitoring program for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central desktop management
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!