Jumping into open-source NAC with PacketFence ZEN

It provides a good introduction to virtualization and network access control

In a previous article, I discussed some of the basic features of network access control (NAC) systems. While there are many commercial vendors of NAC systems, turning to an open-source product can often be a cost-effective functional alternative.

However, without a solid Linux systems administration background, properly installing and configuring open-source NAC applications can be extremely frustrating. It is easy to get lost making the separate dependent packages work before the NAC application itself is even started.

At least that's how it was. The developers of one Linux-based open-source NAC application, PacketFence, have used another hot area in IT -- virtualization -- with their release of PacketFence Zen (PF ZEN). PF ZEN is a precompiled and configured VMware Inc. version of PacketFence built on Fedora Core 6.

The result is a Linux-based NAC system running inside a virtual machine on a Windows host that is almost too easy to install and doesn't require complex Linux administration skills. In fact, that was the primary motivator for developing the ZEN distribution of PacketFence, which stands for "Zero Effort NAC." PF ZEN was produced to "allow users to bring up a NAC solution with minimal effort and little to no Linux expertise," explains PacketFence developer David LaPorte.

Because installing PF ZEN involves both NAC and virtual machine technologies, it provides an excellent introductory experience to both. The best part is that you don't have to spend hours installing an operating system, loading dependent packages and configuring a basic NAC setup. The VMware appliance does it all, not only with near-zero effort but also at near-zero cost.

Virtualization as an evaluation tool

Virtualization involves inserting an abstraction layer into the client/server path. Load balancers are, to an extent, a common form of virtualization: what the user sees as one server may in fact be any one of several dozen machines, each performing the same delivery task.

A virtual machine can be looked at as load balancing in reverse. Instead of using multiple machines to deliver one application, one machine can host several virtualized machines. A client may access a company's Web page from one server, mail from another and calendar from a third, when in reality all three servers may be virtualized instances on a single hardware platform.

VMplayer is a free product from VMware for running packaged virtual machines called appliances. The concept is simple: install the player, download a virtual appliance file and play it. VMplayer opens a window onto the virtualized machine, which from then on acts like a stand-alone server.

A properly built appliance loads a separate precompiled and configured operating system on top of the host computer's operating system. This allows operating systems and applications to be tested without dedicating hardware to them. Several appliances are available on the VMplayer Web site, including PF ZEN.

Virtualization is not without its trade-offs, of course. The host machine shares its resources with the appliance, so running multiple appliances on a standard desktop will probably result in machine meltdown. But as a testing platform, it's a powerful tool.

PacketFence

PacketFence was originally developed as a possible commercial NAC offering but has since established itself as a decent open-source NAC package. Its purpose is to map a user to a machine's network identity, examine machine posture and provide for self-remediation.

PacketFence relies on Linux-specific features, so a direct port for Windows isn't available. While PacketFence should work on most current flavors of Linux, an RPM (Red Hat Package Manager) for Fedora Core 4 is available to simplify the process for those wishing to flex their Linux administration skills.

PacketFence operates in either in-line or out-of-band mode. In both, it inserts itself into the normal client/server path: out-of-band by manipulating the client's Address Resolution Protocol table, in-line by handing the client its network settings via Dynamic Host Configuration Protocol. A virtual LAN method is planned for Release 1.6.5 and is to be vendor-agnostic.

Whether installing PacketFence as a virtual appliance or on a stand-alone Linux box, resource availability is important. My original attempt at running PacketFence was on an older PC with limited memory and processing power. While it worked well as a simple Network Address Translation router using ipchains, loading PacketFence pushed the memory usage into the stratosphere. The lesson is that open source doesn't grant a license to go cheap on the hardware.

The user interface is simple and functional. As with many NAC implementations, registration is accomplished via a Web browser redirect to a sign-on screen. Credentials can be checked against a variety of systems, including Lightweight Directory Access Protocol, Remote Authentication Dial-In User Service and a local user database.

While PacketFence doesn't employ client software to check machine posture, it does support external Nessus scanning and Snort detection. It also provides for administrative quarantine, whereby an administrator can prevent specific devices from having network access. In other words, while not as feature-rich as its commercial counterparts, the product does provide for some powerful NAC functionality.

To load and run PacketFence, a properly configured base operating system with the correct dependent packages must be created. This can take time and cause frustration if one of the dependent packages was not installed or configured correctly. This is where PF ZEN excels; it eliminates these problems.

PacketFence ZEN

PF ZEN, as noted, is a VMware appliance that requires very little initial configuration. Releasing PacketFence as a virtual machine image allows it to "operate in a known good environment, [and] other than its large size, it is a great way to release," explains PacketFence developer Kevin Amorin. With the exception of the time to download the virtual appliance image, the entire installation process should take less than 10 minutes.

To install, download the appliance file and unpack it. This produces a virtual machine appliance image ready for playing. When the VMplayer starts the PF ZEN image, the player's window shows the boot process. All components are preconfigured, from networking to dependent packages.

After booting, log in with the root credentials given in the release documentation. Change this password first, using the passwd command. You will also want to run the ifconfig command to see which IP address was assigned to the virtual machine's network interface. These are the only Linux administration actions required to install PF ZEN.

PacketFence doesn't start automatically when the appliance boots, but the instructions for starting it are clear. Once all processes have started, open a Web browser to the IP address obtained from the ifconfig command, with port number 1443 appended. Log in with the administrative credentials given in the documentation, and then change the administrative password using PF ZEN's Web interface.
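The first-boot steps described above (change the root password, find the appliance's address, start PacketFence, open the administrative interface on port 1443) can be turned into a short check script. What follows is an added example, not code from this article or from the PacketFence project. It assumes, beyond what the article states, that the appliance's virtual interface is eth0, that the administrative interface is served over HTTPS on port 1443, and that nc is installed on the appliance; the ifconfig output it parses offline is a constructed sample, not captured from a real PF ZEN image.

```shell
#!/bin/sh
# Added example, not part of the article or of PacketFence: post-install checks
# for a PF ZEN appliance, run on its console after logging in as root.
# Assumptions (not from the article): the virtual interface is eth0, the
# admin interface is served over HTTPS on port 1443, and nc is available.

# Print the IPv4 address of one interface, reading ifconfig output on stdin.
# Accepts the 2007-era "inet addr:A.B.C.D" form and the newer "inet A.B.C.D".
pf_iface_ipv4() {
    awk -v ifname="$1" '
        # Unindented lines start an interface block (old or new ifconfig style).
        /^[^ \t]/ { name = $1; sub(/:$/, "", name); found = (name == ifname); next }
        found && $1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }
    '
}

# The admin URL the article says to open: the address plus port 1443.
pf_admin_url() {
    printf 'https://%s:1443/\n' "$1"
}

# True when TCP port $2 on host $1 answers within 3 seconds (PacketFence started).
pf_port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# True when root's password hash (from /etc/shadow on stdin) differs from the
# hash $1 recorded before running passwd, i.e. the shipped password is gone.
pf_root_hash_changed() {
    awk -F: -v old="$1" '
        $1 == "root" { found = 1; changed = ($2 != old) }
        END { exit (found && changed) ? 0 : 1 }
    '
}

# Constructed sample of net-tools ifconfig output (not captured from a real appliance).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0C:29:AB:CD:EF
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

if [ "${1:-}" = "--live" ]; then
    # On the appliance: $2 is the root hash recorded before passwd (optional).
    ip=$(ifconfig eth0 | pf_iface_ipv4 eth0)
    if [ -n "${2:-}" ] && ! pf_root_hash_changed "$2" < /etc/shadow; then
        echo "root password still matches the shipped hash; run passwd first" >&2
        exit 1
    fi
    if pf_port_open "$ip" 1443; then
        echo "PacketFence admin interface: $(pf_admin_url "$ip")"
    else
        echo "nothing listening on $ip:1443; start PacketFence as the release notes describe" >&2
        exit 1
    fi
else
    # Offline demonstration on the constructed sample.
    ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | pf_iface_ipv4 eth0)
    echo "sample appliance address $ip -> $(pf_admin_url "$ip")"
fi
```

Run it with no arguments to exercise the parsing on the built-in sample; on the appliance, record root's hash from /etc/shadow before running passwd, then run the script with --live and that hash to confirm both that the shipped password is gone and that something is listening on port 1443 before you open the browser.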

The PF ZEN package performs only local authorization and registration out of the box, but it supports the other authentication methods available in PacketFence. Also, the first release is considered a beta and isn't as feature-rich as its traditional release counterpart. While Snort detection is included, for example, it's disabled in PF ZEN. However, Amorin notes that "we will try to keep PF ZEN at feature parity with our source RPM."

While PF ZEN was created to provide an easy path to a NAC installation and has its limitations, that doesn't mean it can't be run as delivered as a basic NAC solution. PF ZEN "allows someone to 'try before they buy,' so to speak," explains LaPorte. "We believe that PF ZEN can absolutely function in a production environment."

Even though it is an open-source product, future PacketFence development plans include some sophisticated features. In addition to VLAN isolation, enhancements either under consideration or in development include mapping Session Initiation Protocol phone numbers to Media Access Control addresses and support for session-based authentication. Input from the user community may dictate further product enhancements.

Certainly PacketFence is not the only open-source NAC option out there, nor is it the most feature-rich. However, the PF ZEN version provides a direct and easy path to dabble in the NAC area while also providing a taste of virtualization methods. Although evaluating open-source applications can involve a significant time investment, its painless setup makes PF ZEN worth the try.

Greg Schaffer is a freelance writer based in Tennessee. He has over 15 years of experience in networking, primarily in higher education. He can be reached at newtnoise@comcast.net.

Copyright © 2007 IDG Communications, Inc.
