Network access control management: Pick your poison

In testing 12 NAC products, we discovered an incredible variety of management styles. To organize our results, we broke things up into three main categories: overall management, separation of control and high availability.


If we just awarded prizes based on simplicity, Cisco NAC Appliance, ForeScout CounterACT and HP NAC would immediately jump to the top of the list, because all of them have easy-to-use, easy-to-learn interfaces that get you up and running quickly and offer strong visibility into what is happening.

Other products were more complex, but more powerful as well. For example, when we started learning to use Juniper UAC, we spent an entire hour one morning drawing a picture trying to put all the pieces together. It's a complicated set of products. There are central management tools, individual device management interfaces, intrusion-prevention systems, and on top of that, the UAC Web-based GUI itself. Bringing it all together is tough, but it doesn't seem fair to knock Juniper down because its product has a lot of optional pieces.

Avenda eTIPS is another good example of a product that does a lot, and because of that, you end up with a complicated user interface. In Avenda's case, the management system is as simple as it could be while still offering all the power that we needed.

In the end, we looked at products with two management criteria in mind: how hard it was to use, and how much visibility it gave us into the NAC status of our network.

Some disappointments

Some of the products have serious flaws. Alcatel-Lucent's SafeNAC is not really a single product; it's a bundle of features from Alcatel-Lucent's management system, its switches and InfoExpress' CyberGatekeeper that together act as a NAC solution. The pieces certainly work well together, but the management is anything but integrated.

Bradford Network Sentry's management system is similarly disappointing. A few minutes into configuration, we found ourselves lost in pop-up windows, new tabs and sub-windows. Clicking on something would sometimes open a new page in the same window, sometimes a new tab, and sometimes an entirely different window. We expected better than that from one of the oldest NAC products in our test.

Are these issues that can be worked around? Certainly. A badly designed GUI is not a reason to throw out a good product. In the case of NAC, badly designed management systems are more the norm than the exception.

Visibility winners

A more significant issue in NAC management comes under the general term of "visibility": how much information is quickly and easily available to the network manager about what is happening, NAC-wise, on the network.

In this area, there are three clear winners: ForeScout CounterACT, HP NAC and Trustwave NAC, with a close second place from McAfee's Network Security Manager. All excel in giving great real-time information about users.

The question of visibility into current operations exposes a key contradiction in the design of NAC products. In other parts of this test, we praised products that take a "hands off" approach, using standards such as 802.1X to push access control decisions to the edge devices. Those products, by their nature, have the least visibility into NAC operations: once the RADIUS server hands the switch its verdict (typically a VLAN assignment), the port state lives on the switch, and the NAC server is only loosely coupled to what happens next.

In this part of the test, though, most of those products lose points for their lack of visibility. HP NAC, because it is tightly coupled to the HP switch management tool, does a good job of bridging the gap, as does Enterasys NAC, but these really are single-vendor exceptions.
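To make the "hands off" mechanism concrete, here is an added example (not code from the original article or from any of the tested products) of what an 802.1X-based NAC server actually hands the switch: the RFC 2868 tunnel attributes in a RADIUS Access-Accept that assign the port's VLAN, and the switch-side parse that turns them into a VLAN id or rejects them. The attribute codes and tagging rules follow RFC 2868 and RFC 3580; the function names and the decision to accept only numeric VLAN ids are this example's own assumptions.

```python
"""Added example: RADIUS tunnel attributes for 802.1X dynamic VLAN assignment.

The NAC server's involvement ends once these attributes leave in Access-Accept;
everything after that (the port state, the user's traffic) is the switch's.
Attribute codes and tag handling follow RFC 2868 / RFC 3580. Function names and
the numeric-VLAN-only decoding policy are assumptions made for this example.
"""
from typing import Dict, List, Optional, Tuple

# RADIUS attribute type codes from RFC 2868.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13   # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type value "IEEE 802"


def _tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (counts the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def vlan_assignment_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Attributes a NAC/RADIUS server puts in Access-Accept to assign vlan_id.

    All three carry the same tag (1..31) so the switch groups them; tag 0 means
    untagged. Some servers omit the tag octet on the string attribute entirely;
    the decoder below accepts that form too.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    # Tagged integer attributes: one tag octet followed by a 3-octet value.
    ttype = _tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    tmedium = _tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    # Tagged string attribute: one tag octet followed by the VLAN id as text.
    tgroup = _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    return ttype + tmedium + tgroup


def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of RADIUS attributes into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def _string_tag(value: bytes) -> Tuple[int, bytes]:
    """RFC 2868 rule for tagged strings: a first octet of 0x00..0x1F is the tag
    (0x00 = untagged); anything larger is the first byte of the string itself."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(blob: bytes) -> Optional[int]:
    """What an edge switch would apply: the VLAN id from the lowest tag group that
    is complete and consistent (VLAN type, IEEE 802 medium, numeric id), else
    None, leaving the port to the switch's default policy. Named VLANs, which
    some switches accept, are deliberately not resolved here."""
    groups: Dict[int, Dict[str, object]] = {}
    for attr_type, value in parse_attrs(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue  # malformed tagged integer: ignore that attribute
            tag, num = value[0], int.from_bytes(value[1:], "big")
            key = "type" if attr_type == TUNNEL_TYPE else "medium"
            groups.setdefault(tag, {})[key] = num
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = _string_tag(value)
            groups.setdefault(tag, {})["group"] = text
    for tag in sorted(groups):
        g = groups[tag]
        if g.get("type") != TUNNEL_TYPE_VLAN or g.get("medium") != TUNNEL_MEDIUM_802:
            continue
        text = g.get("group")
        if isinstance(text, bytes) and text.isdigit() and 1 <= int(text.decode("ascii")) <= 4094:
            return int(text.decode("ascii"))
    return None


if __name__ == "__main__":
    accept = vlan_assignment_attrs(120)
    print(accept.hex(), "->", vlan_from_access_accept(accept))
```

The point for management visibility: nothing in this exchange tells the server whether the switch honoured the assignment, when the session ended, or what the user did afterwards. A standards-based NAC server has to get that back out of the switch (RADIUS accounting, SNMP, or the vendor's own management tool), which is exactly the gap the tightly coupled single-vendor products close.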

Other bright spots

Avenda eTIPS is head-and-shoulders above the other products we tested when it comes to transaction logging. The ability to look at what happened, in detail, as someone tried to come onto the network was amazingly useful — and something we missed in other products.

Bradford Network Sentry and Cisco NAC Appliance gave us visibility into the network, but they were more switch-centric than user-centric. Having a lot of detail on devices and ports is a great asset. We feel, though, that a typical Help Desk call would be from a user who was having a problem getting logged in, not someone who knew what switch and port number they were on. This made the visibility we got from Bradford Network Sentry and Cisco NAC Appliance good if you're a network manager, but not quite as nice if you're working on the Help Desk.
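The difference between transaction logging and user-centric versus switch-centric visibility, as an added example that is not code from the original article or from any of the tested products. The log format below (one key=value event per line) and every line in it are constructed for this example; the functions show the Help Desk question ("why can't alice get on?") and the network manager's question ("what has happened on this port?") both answered from the same event stream.

```python
"""Added example: user-centric and port-centric views of one NAC event log.

SAMPLE_LOG is a constructed format for this example, not any product's output.
An 'auth' event opens an access attempt for a MAC; later 'posture' and
'enforce' events for that MAC attach to its most recent attempt.
"""
from typing import Any, Dict, List, Optional, Tuple

SAMPLE_LOG = """\
2010-03-02T08:14:03Z sw=edge-07 port=Gi1/0/12 mac=00:1a:2b:3c:4d:5e user=alice event=auth result=accept method=PEAP
2010-03-02T08:14:04Z sw=edge-07 port=Gi1/0/12 mac=00:1a:2b:3c:4d:5e user=alice event=posture result=fail reason=antivirus_signatures_stale
2010-03-02T08:14:04Z sw=edge-07 port=Gi1/0/12 mac=00:1a:2b:3c:4d:5e user=alice event=enforce vlan=999 reason=quarantine
2010-03-02T08:16:40Z sw=edge-07 port=Gi1/0/13 mac=00:1a:2b:3c:4d:60 user=bob event=auth result=reject method=PEAP reason=bad_password
2010-03-02T08:17:02Z sw=edge-07 port=Gi1/0/13 mac=00:1a:2b:3c:4d:60 user=bob event=auth result=accept method=PEAP
2010-03-02T08:17:03Z sw=edge-07 port=Gi1/0/13 mac=00:1a:2b:3c:4d:60 user=bob event=posture result=pass
2010-03-02T08:17:03Z sw=edge-07 port=Gi1/0/13 mac=00:1a:2b:3c:4d:60 user=bob event=enforce vlan=120 reason=compliant
2010-03-02T08:20:15Z sw=edge-07 port=Gi1/0/12 mac=00:1a:2b:3c:4d:5e user=alice event=auth result=accept method=PEAP
2010-03-02T08:20:16Z sw=edge-07 port=Gi1/0/12 mac=00:1a:2b:3c:4d:5e user=alice event=posture result=pass
2010-03-02T08:20:16Z sw=edge-07 port=Gi1/0/12 mac=00:1a:2b:3c:4d:5e user=alice event=enforce vlan=120 reason=compliant
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """One dict per line: 'ts' plus the key=value fields; malformed fields raise."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": parts[0]}
        for field in parts[1:]:
            if "=" not in field:
                raise ValueError(f"malformed field {field!r}")
            key, val = field.split("=", 1)
            ev[key] = val
        events.append(ev)
    return events


def _outcome(evs: List[Dict[str, str]]) -> str:
    """Summarize an attempt from its last event, pulling posture failures into the text."""
    last = evs[-1]
    if last["event"] == "auth":
        if last.get("result") == "reject":
            return "rejected: " + last.get("reason", "unspecified")
        return "authenticated, no verdict yet"
    if last["event"] == "posture":
        return "posture " + last.get("result", "?") + ", not yet enforced"
    if last["event"] == "enforce":
        if last.get("reason") == "quarantine":
            fails = [e.get("reason", "?") for e in evs
                     if e["event"] == "posture" and e.get("result") == "fail"]
            return f"quarantined in VLAN {last.get('vlan')}: " + ", ".join(fails)
        return f"admitted to VLAN {last.get('vlan')}"
    return "unknown"


def sessions(events: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Group events into access attempts, oldest first, each with an outcome."""
    attempts: List[Dict[str, Any]] = []
    latest: Dict[str, int] = {}  # MAC -> index of its most recent attempt
    for ev in events:
        mac = ev.get("mac", "")
        if ev.get("event") == "auth":
            attempts.append({"user": ev.get("user"), "mac": mac, "sw": ev.get("sw"),
                             "port": ev.get("port"), "start": ev["ts"], "events": [ev]})
            latest[mac] = len(attempts) - 1
        elif mac in latest:
            attempts[latest[mac]]["events"].append(ev)
        # posture/enforce events for a MAC that never authenticated are dropped;
        # a real tool should surface those as an inconsistency in the switch state
    for a in attempts:
        a["outcome"] = _outcome(a["events"])
    return attempts


def explain_user(events: List[Dict[str, str]], user: str) -> Optional[Dict[str, Any]]:
    """Help Desk view: where the user last tried to connect and what happened."""
    mine = [a for a in sessions(events) if a["user"] == user]
    if not mine:
        return None
    a = mine[-1]
    return {"when": a["start"], "switch": a["sw"], "port": a["port"], "outcome": a["outcome"]}


def port_history(events: List[Dict[str, str]], sw: str, port: str) -> List[Tuple[str, str, str]]:
    """Network manager view: (start, user, outcome) for every attempt on one port."""
    return [(a["start"], a["user"], a["outcome"])
            for a in sessions(events) if a["sw"] == sw and a["port"] == port]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(explain_user(evs, "alice"))
    for row in port_history(evs, "edge-07", "Gi1/0/12"):
        print(row)
```

A switch-centric product gives you port_history and expects the caller to know the switch and port; a user-centric one gives you explain_user directly. Both come from the same events, so the gap the review describes is in what the management console indexes and shows, not in what the product knows.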

McAfee and Symantec both had outstanding visibility into the end-point security posture of systems, another strong benefit. Where they fell down was in showing us how the total NAC system was working.

Who's in charge here?

We used the term "separation of control" to consider a difficult question about NAC products: how well do they integrate into real organizations? Consider what NAC does. It authenticates end users, which is usually a directory function. It changes the behavior of the network, which is something the network team is responsible for. It implements security policies, which are normally the province of the security team. And NAC often evaluates end-point security compliance, which the Windows or desktop team is responsible for.

In many organizations, these teams are not only completely different; they may report to different parts of the organization and be in different ZIP codes or even different time zones. Just as often, they may be fiercely protective of their responsibilities. In small networks, or ones with exceptionally well-integrated teams, products that bundle everything into a single interface (such as ForeScout CounterACT, Microsoft NAP, Symantec NAC or Trustwave NAC) may work best.

When the organizational structure is messy or the politics fierce, a successful NAC deployment may require a product that widely separates security, network management and end-point security checking, such as Alcatel-Lucent SafeNAC, Avenda eTIPS or Enterasys NAC.

Evaluating the ability of a product to carve up management into different pieces depends a great deal on how you plan to deploy the product, and what level of trust you find between groups in your organization.

A good example is McAfee NAC's combination of ePolicy Orchestrator and the N-450 appliance. These are two completely separate tools, although they work well together, so this is an appropriate solution when the desktop team is completely disconnected from the network and security teams. However, the N-450 is intrusive to the network; it's an in-line device during user authentication and requires the ability to change switch configurations. As long as the network team is happy to have that box jacked into their switches, then everyone will get along.

But compare the McAfee approach with Cisco's NAC Appliance. The NAC Appliance can sit in-line or run out-of-band. While Cisco's end-point posture checking is primitive at best compared with McAfee, most Cisco deployments will want to break control up so that the desktop team's preferred product actually renders the verdict on compliance/non-compliance.

Some products allow you to separate control if you want, but keep it within a single product if you don't. For example, Avenda eTIPS, Enterasys NAC, and Juniper UAC can all use Microsoft NAP client for end-point security checking, effectively pushing control of end-point security out of the product. But they also have their own end-point security compliance tools, if you don't want to make the separation.

Juniper UAC also let us divide the security control and configuration from the network configuration, by allowing us to configure security policy either in the Juniper UAC product itself or in the end devices receiving instruction from the UAC server. This ability to break the product up across different organizational lines is one of the reasons that Juniper UAC, along with Enterasys NAC, should be on your short list if separation of control across every part of the product is important.

Examining the issue of separation of control as honestly as you can in the context of your own organization will be critical to ensuring the success of your NAC project, and may dominate the decision on what product to select.

Scalable and available

We didn't have an opportunity to test the performance, scalability or high availability of NAC products. Instead, we grilled each of the vendors about how they would scale up to large networks and ensure high availability.

The stories were convincing and well thought out. Although in-line enforcement for NAC is still a popular option in some cases, such as guest wireless networks and some VPN environments, all of the products we tested had an out-of-band (non-inline) mode of operation.

Obviously, if you put an appliance in-line, there's the potential for some types of serious work-interrupting failure. The failure is less of an issue when it's a true networking device in the path. For example, if you used switches from Alcatel-Lucent or Enterasys or Juniper firewalls as in-line enforcers, you could rely on their clustering or failover technology to reduce the possibility of a serious interruption.

The only system with a single point of failure we couldn't work around was McAfee's N-450 appliance. The N-450 does VLAN tag swapping and is in-line only while a new device is coming onto the network, so the exposure is small: if the N-450 were to fail, only new connections would be affected.

Scalability of enforcement was not really a concern either, although the ForeScout CounterACT and Trustwave NAC requirements for mirroring all traffic and injecting packets kept us uncomfortable throughout this test. Both worked fine in our small network. However, we have seen many network topologies, especially highly redundant ones with embedded firewalls, where you'd end up buying a lot of appliances to make this work, if you could make it work at all.

If you remember the early arguments from NAC nay-sayers, which were based on a requirement for in-line enforcement, we think you'll find plenty of options that support both high availability and a high level of scalability.


This story, "Network access control management: Pick your poison" was originally published by Network World.

Copyright © 2010 IDG Communications, Inc.
