ConSentry edges out Nevis in in-line NAC appliance test

Pair offers increased access control with minimal impact on existing networks.
In this Clear Choice Test we found that ConSentry's LANShield CS2400 Controller coupled with its InSight Command Center management system comes closer to that mark with an enterprise-ready package that has only a few rough edges. Nevis' LANenforcer 2024 appliance coupled with its LANsight Security Manager trails in comparison because of overall design issues and more than its fair share of bugs.

At the core of LANShield and LANenforcer are very high-speed, high port-density, stateful firewall devices and intrusion-prevention systems (IPS). Both claim a maximum of 10Gbps throughput and a capacity of 1,000 users. They have many potential uses, such as traditional firewalls in a data center or as rate-limiting IPSs, but the buzz around NAC in the last 12 months has been deafening, and both products are being positioned -- at least this week -- as NAC solutions.

The use case goes like this: Enterprises want to implement NAC, but they want to minimize changes and upgrades to their installed LAN switching infrastructure. The LANShield and LANenforcer boxes we tested have 10 and 12 pairs, respectively, of Gigabit Ethernet ports. Install either device next to your core switch. For each uplink from a wiring closet, use a port pair to run the traffic through the device before passing it to the core switch. This gives you a control point -- both companies call their devices controllers rather than security switches -- to authenticate users, apply highly detailed per-user stateful firewall controls, and use as an internal IPS.

We looked at these products as NAC devices and focused on four areas critical for any NAC deployment: authentication and authorization, endpoint-security posture assessment, traffic enforcement, and system management (see "How we tested NAC products"). We are assessing the performance of these products in a separate test and will post those results when they are available.
Authentication and authorization

Authentication is a difficult piece of the NAC picture for LANShield and LANenforcer to master. Because they sit deeper in the network, there is no simple answer to how users will authenticate to the devices. The most obvious approach is to use a Web-based captive portal, and both products support this as an authentication method. With a captive portal, the user connects to the network, gets an IP address, then launches a Web browser and tries to open a Web page. LANShield and LANenforcer intercept this communication and redirect the user's browser to a page that lets him authenticate.
We found a major design flaw in LANenforcer's captive portal. The version we tested does not let you use your own certificate authority or a well-known trusted certificate authority to sign the SSL certificate. Without a trusted certificate authority, you're asking people to connect to your network and give their user name and password to an unauthenticated system they don't know, not the best idea under any circumstances. Nevis says it is adding the capability to use your own digital certificate and certificate authority in its next release.

Captive portals generally are fine for hotels and hot spots, but aren't a particularly user-friendly approach for authenticating to enterprise networks. For this reason, LANenforcer lets the network manager enable self-registration, in which LANenforcer remembers the media access control (MAC) address of an authenticated user for some configurable period of time (eight hours to one year) and doesn't require reauthentication. Our tests show that while this feature works perfectly, it's not a universal remedy for the problems associated with captive portals. Because MAC-based authentication offers such poor security -- MAC addresses are easily stolen and spoofed -- the self-registration approach takes an intrusive authentication method and significantly weakens the overall security model.

ConSentry has a better approach to the authentication problem: passive authentication as an alternative to a captive portal. If users are logging into a Windows domain or are using 802.1X authentication for wireless or wired LAN access, LANShield watches that authentication pass through and infers the identity of users (in the case of Windows logons) or the groups they belong to (in the case of 802.1X authentication).

In our authentication testing, we found problems in both products.
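To make the trade-off between the captive portal and MAC self-registration concrete, here is an added example that is not code from either product or from the review. It models a captive-portal logon that, when self-registration is enabled, remembers the MAC address for a window clamped to the eight-hours-to-one-year range the review quotes. The directory, MAC address, IP addresses and timestamps are constructed sample values. The check that sends a remembered MAC back through the portal when it reappears from a different IP address is an assumed mitigation added here to illustrate one way to narrow the MAC-caching weakness; the review does not say either product does this.

```python
"""Toy model of captive-portal authentication with MAC self-registration."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample directory for the example (not from the review).
DIRECTORY = {"alice": "correct-horse", "bob": "battery-staple"}

# The review quotes a configurable self-registration window of eight
# hours to one year; the model clamps any configured value to that range.
MIN_TTL = timedelta(hours=8)
MAX_TTL = timedelta(days=365)


@dataclass
class Decision:
    identity: Optional[str]  # identity the device is treated as, or None
    basis: str               # "portal", "mac_cache", "reauth_required", "unauthenticated"


@dataclass
class CachedMac:
    identity: str
    ip: str            # IP address seen when the user authenticated
    expires: datetime


class CaptivePortalAuth:
    """Captive-portal logon, optionally remembering MAC addresses afterwards."""

    def __init__(self, self_registration_ttl: Optional[timedelta] = None):
        if self_registration_ttl is not None:
            self_registration_ttl = max(MIN_TTL, min(MAX_TTL, self_registration_ttl))
        self.ttl = self_registration_ttl              # None disables self-registration
        self.portal_sessions: dict[str, str] = {}     # mac -> identity (live portal logon)
        self.mac_cache: dict[str, CachedMac] = {}     # mac -> remembered identity

    def portal_login(self, mac: str, ip: str, username: str, password: str,
                     now: datetime) -> Decision:
        """Credential check performed by the portal page; binds identity to the session."""
        expected = DIRECTORY.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return Decision(None, "unauthenticated")
        self.portal_sessions[mac] = username
        if self.ttl is not None:
            # Self-registration: remember this MAC so the next appearance
            # skips the portal (this is the part the review calls weak).
            self.mac_cache[mac] = CachedMac(username, ip, now + self.ttl)
        return Decision(username, "portal")

    def logout(self, mac: str) -> None:
        self.portal_sessions.pop(mac, None)

    def classify(self, mac: str, ip: str, now: datetime) -> Decision:
        """Decide how to treat a frame from `mac`/`ip` arriving at time `now`."""
        if mac in self.portal_sessions:
            return Decision(self.portal_sessions[mac], "portal")
        cached = self.mac_cache.get(mac)
        if cached is None or now >= cached.expires:
            self.mac_cache.pop(mac, None)
            return Decision(None, "unauthenticated")
        # Assumed mitigation (not a documented feature of either product):
        # a remembered MAC showing up from a different IP address does not
        # inherit the cached identity; it is sent back through the portal.
        if ip != cached.ip:
            return Decision(None, "reauth_required")
        return Decision(cached.identity, "mac_cache")


def demo() -> list[str]:
    """Walk one constructed device through each outcome; returns the decision bases."""
    t0 = datetime(2007, 1, 1, 9, 0)
    mac, ip = "00:11:22:33:44:55", "10.0.0.5"                       # constructed
    nac = CaptivePortalAuth(self_registration_ttl=timedelta(hours=1))  # clamped to 8h
    out = [nac.portal_login(mac, ip, "alice", "wrong-password", t0).basis]
    out.append(nac.portal_login(mac, ip, "alice", "correct-horse", t0).basis)
    nac.logout(mac)                                                   # browser session gone
    out.append(nac.classify(mac, ip, t0 + timedelta(hours=2)).basis)  # MAC remembered
    out.append(nac.classify(mac, "10.0.0.99", t0 + timedelta(hours=2)).basis)
    out.append(nac.classify(mac, ip, t0 + timedelta(hours=9)).basis)  # window expired
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the sequence the review describes: a bad password is rejected, a good one yields a portal session, and after the browser session ends the remembered MAC alone is enough to be treated as alice for the rest of the window. Only the added IP-rebinding check interrupts that; with self-registration disabled (`CaptivePortalAuth(None)`) every later frame is simply unauthenticated until the user logs in again.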
LANShield initially wouldn't work with our Funk (Juniper) RADIUS server (the problem was fixed with a newer version of the software), and LANenforcer has design issues and bugs related to the assignment of groups from RADIUS and Lightweight Directory Access Protocol (LDAP) servers. If you are using a Windows Active Directory server for authentication, you should be fine with LANenforcer, but our tests show you may not be able to assign group membership from LDAP or RADIUS even with common, off-the-shelf configurations.

We also were disappointed to see that when Nevis' LANsight Security Manager is used to configure devices, all authentications are proxied by the LANsight server. This makes for a frightening single point of failure, because the management server is simply a Linux server. We discovered this issue when our LANsight server lost communications with LANenforcer, losing most configuration information and requiring a reinstallation and reconfiguration of LANenforcer.

Once a user is authenticated, the ConSentry and Nevis boxes need a way to assign the right security-enforcement policies. ConSentry maps each user to a single role using a flexible system that includes the authentication group, time of day and access method. Nevis has a less-flexible system, assigning roles based on the group returned from the authentication server. However, if you are using LDAP for authentication and a user is in multiple groups, Nevis has a well-designed system for merging different security policies. This capability will be extremely attractive to network managers who want to have very fine-grained security enforcement scaled to a large number of groups, because Nevis lets each group have a more precise policy.

Endpoint security-posture assessment

A key driver for NAC in many enterprises is endpoint security: evaluating the posture of devices connecting to the network and restricting access to devices that are not in compliance with corporate policies.
ConSentry and Nevis address this requirement, but not to a satisfactory degree. Nevis' approach to endpoint security with the LANenforcer is to use an ActiveX control pushed down to the user's PC (assuming Windows and Internet Explorer are running, and there are administrator privileges) that checks for operating-system patch levels and the presence of antivirus and antispyware software. Because the principal Nevis authentication method is a captive portal, endpoint-security evaluation happens during the logon sequence as the Web page is loaded. Failure to pass these checks can land you in a quarantine state for user-directed remediation; LANenforcer also can be configured to require periodic reevaluation while the user is logged in. Unfortunately, using LANenforcer's self-registration facility to avoid going through the captive portal for authentication means there's no opportunity for LANenforcer to push down the endpoint-security posture-assessment tool. In our testing, we ran into a problem: The Nevis endpoint-security tool insisted that we needed a particular patch for our Windows XP laptop, while Microsoft Windows Update Service didn't agree or offer that particular patch. This wasn't as big a problem as were the Nevis interface's opacity and lack of configuration controls. Once we discovered the problem, there was nothing we could do about it, because LANsight can't see the required patch list or manually update or override it.
ConSentry's approach in its LANShield is almost identical to Nevis', with similar limitations. ConSentry has teamed with Check Point, selling Check Point Integrity Clientless Security as the integrated endpoint security-posture assessment tool. Check Point's Integrity tool is more sophisticated than the Nevis endpoint security tool. For example, it checks for spyware, not just the presence of antispyware software. And you can use it to add other types of checks to your policy. This ConSentry-Check Point combination also supports a wider variety of client platforms, including older versions of Windows and both Java and ActiveX versions of the endpoint-security tool. Even with a more sophisticated client-posture assessment tool, ConSentry and Nevis have the same issue: The user has to go to a Web page to download the tool. With a captive portal, the interface is as clean as Nevis', but when you are using one of the ConSentry LANShield passive authentication methods (such as watching a Windows domain logon), there's no Web page involved. In that case, LANShield can intercept the next Web connection the client makes and push down the endpoint security tool, but there's no guarantee users will use their Web browser.