Review: Portnox, Extreme lead NAC pack
Remember when network access control (NAC) was all the rage? Remember the competing standards from Microsoft, Cisco, and the Trusted Computing Group? Back around 2006, there were dozens of NAC products, many of which turned out to be buggy and difficult to implement.
Over time, other network-based security products -- mobile device management (MDM), intrusion prevention systems (IPS) and next-generation firewalls -- came along and squeezed NAC into a narrower part of the market.
But NAC hasn’t disappeared. In fact, NAC products have evolved and improved as well. For this review, we were able to bring the following five vendors together: Enterasys/Extreme Networks Mobile IAM, Hexis Cyber Solutions NetBeat NAC, Impulse Point SafeConnect NAC, Pulse Policy Secure and Portnox NAC. (Cisco, ForeScout, Auconet and Aruba declined our invitation.)
Overall, Portnox was the best NAC unit we tested, with Extreme coming in a close second. Portnox had better reporting than Extreme, while Extreme had better device detection capabilities.
In general, we found that today’s NAC products are better constructed, easier to install and easier to manage. But NAC still isn’t a complete cakewalk either. The challenge is being able to understand your network in ways that complement your knowledge about exploits, so you can identify problem areas quickly and still keep false positives and frustrated users to a minimum. That isn’t easy, even with the best NAC products.
In addition, deploying NAC across a large and complex network infrastructure can be a challenge. For NAC to work, it has to cover a wide range of endpoints, servers and switches. We found, however, that some NAC products look more closely at switch ports, some look at endpoint devices and some look at users.
In the early days of NAC, most of its magic was accomplished by installing agents on your endpoints. But agentless operation is more the norm today, and some products now work with both. Also, today’s NAC tools use a combination of probes, including NMAP, Windows Management Instrumentation (WMI), RADIUS authentication, remote access to log files via SSH, and SNMP queries.
We were amazed at how much information these tools could suss out from the mixed bag of endpoints that we assembled on our test network. Perhaps that is the biggest story of the progress of these NAC tools, and how their detection prowess has improved.
Where NAC fits in
Since their inception, NAC products promised to do four things to protect your network:
- Coherent policy definition. You should be able to set and maintain a variety of security policies for different user populations, locations and network equipment, and be able to easily modify them from a central management console. Typical security policies would include flagging new endpoints added to the network, endpoints that have multiple network interfaces, or devices that move from a wired to a wireless network.
- Security posture detection and assessment. Your NAC system should be able to scan the endpoint and determine compliance with your policies. The system should be able to assess what isn’t up to snuff, and why, and report on this in near-real time.
- Enforcement. Once you detect something amiss, your policies should determine how the violation is enforced. Should you quarantine the device or refuse network access entirely? Or just flag the violation and send appropriate notification to a network administrator?
- Remediation. Finally, the ideal NAC system should indicate what is broken or non-compliant or missing from a particular device.
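To make the policy, detection and enforcement stages concrete, here is an added example (not code from any of the reviewed products) that groups observed interfaces into hosts, checks the three typical policies named above against constructed endpoint observations, and maps each violation to an enforcement action. The policy-to-action table, hostnames and MAC addresses are all assumed.

```python
"""Toy NAC policy evaluation (added example, not any reviewed product's code):
group observed interfaces by host, check the three example policies (new
endpoint, multiple interfaces, wired-to-wireless move), map to an action."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    hostname: str  # learned from the endpoint, e.g. via WMI or a RADIUS login
    mac: str       # interface hardware address
    medium: str    # "wired" or "wireless"

# Assumed policy table: which violation triggers which enforcement action.
POLICY_ACTIONS = {
    "new-endpoint": "flag",             # notify an administrator only
    "multi-interface": "flag",
    "wired-to-wireless": "quarantine",  # move to a restricted VLAN
}

def build_inventory(observations):
    """Group interfaces by hostname so a dual-NIC host is one entry, not two."""
    hosts = {}
    for obs in observations:
        hosts.setdefault(obs.hostname, []).append(obs)
    return hosts

def evaluate(known_hosts, inventory):
    """Return {hostname: [(policy, action), ...]} for hosts in violation; known_hosts
    maps each approved hostname to the medium it was last seen on (absent = new)."""
    findings = {}
    for host, ifaces in inventory.items():
        violations = []
        if host not in known_hosts:
            violations.append("new-endpoint")
        if len({i.mac for i in ifaces}) > 1:
            violations.append("multi-interface")
        if known_hosts.get(host) == "wired" and all(i.medium == "wireless" for i in ifaces):
            violations.append("wired-to-wireless")
        if violations:
            findings[host] = [(v, POLICY_ACTIONS[v]) for v in violations]
    return findings

# Constructed sample: a dual-NIC Mac, a laptop that moved to Wi-Fi, an unknown VM.
KNOWN_HOSTS = {"mac-lab": "wired", "hp-laptop": "wired"}
OBSERVED = [
    Observation("mac-lab", "00:11:22:33:44:01", "wired"),
    Observation("mac-lab", "00:11:22:33:44:02", "wired"),
    Observation("hp-laptop", "00:11:22:33:44:03", "wireless"),
    Observation("rogue-vm", "00:11:22:33:44:04", "wired"),
]
```

Calling `evaluate(KNOWN_HOSTS, build_inventory(OBSERVED))` reports the Mac once as multi-interface rather than as two separate endpoints, the laptop as a quarantine candidate, and the VM as a new endpoint to flag.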
General impressions
All five of the products could benefit from hiring UX designers and scrapping their aging interfaces, and in some cases consolidating multiple screens and interface methods to something more modern. All came up short in some capacity and this is perhaps NAC’s biggest frustration. Think of how firewalls were managed 10 years ago and you know what to expect with these products. None of the products did very well on reporting, which is another challenge for NAC.
Also, none of the products caught every possible test case, although Extreme came the closest at figuring out what was on our small test network. We realize that is somewhat of a testing construct: in the real world, you will deploy these products across very busy networks that are living entities with endpoints coming and going.
This is why reporting and auditing are so critical; sadly, all of these products could do a far better job with these features. This is perhaps one of the reasons why you don’t hear of NAC as often as you once did back in its heyday.
If you have a large portion of your infrastructure virtualized, you will want to take a closer look at either Portnox or Extreme, which is another reason why they are both top-rated. Both handled VMware virtual switch fabrics as well as they did physical switches, and Extreme can also cover Hyper-V and Xen hypervisors. The others don’t really understand VMs and in some cases misreport their particular situations.
And if you use an MDM tool, you will want to look at either Extreme or Pulse Secure for their integration with leading MDM vendors. The combination can be a potent one if you want to track what is happening with mobile devices when they are not connected to your network, and have a unified set of policies covering what their posture should be when these mobile devices return to your office.
NetBeat and SafeConnect lagged behind the others in terms of their detection abilities.
Here are the individual reviews:
Extreme Networks Mobile IAM
Extreme Networks has a complex NAC solution and ended up sending us three pieces of hardware: an ESX server containing several VMs, including their NAC software and VMs of their management tools, one of their managed SSA-130 class switches, and a WS-AP3750 wireless access point.
Extreme depends on RADIUS to discover and control network access and can manage large networks with ease: the company currently has several customers with more than 100,000 nodes on their networks. The company incorporated technology it purchased from Enterasys into its product line.
Extreme’s management tool is called NetSight; we ran it from a VM. It handles one or more NAC appliances that can run on either dedicated hardware or inside other VMs. Its wireless access points also make use of a controller that runs on a hardware appliance or a separate VM, or can be placed in the cloud.
That is a lot of moving parts, and we were glad that we didn’t have to configure each one, but had an Extreme engineer at our side to handle issues. All of this gear was connected to our lab network, where we had Juniper, Cisco, and Linksys switches. It correctly identified each of these devices.
NetSight has two different management interfaces: a Web UI (called OneView) and a series of Java modules, each with a different and somewhat confusing series of functions. If you stick to the Web UI you can accomplish most of what you need to do for the reporting and monitoring functions; the Java client is more for setting up policies and adding NAC controls.
Extreme was the only vendor that could handle self-remediation, and it comes with lots of options, as you would expect from a NAC product with several years’ worth of history. To set this up you need to be running the Java client. The product is very flexible: for example, each assessment rule can kick off different profiles and actions. You can also have guest networks that make use of Facebook login credentials.
Extreme, along with Juniper, also integrates with a number of MDM vendors, so you can share policy and control information with AirWatch, MobileIron, Fiberlink and several others.
Extreme was also the most widely integrated in handling the virtual switch fabrics of VMware, Hyper-V and Citrix Xen hypervisors: you can pull up information on all of these environments, see which VMs are connected to the switch, and assign VLANs and policies to them. We did find a small bug where it didn’t correctly report a Windows VM running on our Mac connecting over a wireless network, but no one else figured this out either.
Extreme has Windows and Mac agents that are optional: it will operate without agents too. The agents can be set up to dissolve after a reboot or to persist. Before you decide whether you want to install them, you should check out its “fingerprint” screen, which shows you how it discovers what is going on across the network. It correctly figured out a dual-NIC Mac and identified both of its interfaces properly with the same host name. It also figured out that we had switches attached to the test network and could find PCs hiding behind them.
Extreme’s biggest weakness is its reports, which are scattered among various tabs within the Web UI. There is the ability to create custom dashboards, and reports can be exported as PDFs too. Clearly this is still a work in progress. It does a better job of summary dashboards than some of the other products, but again, these need to be tied together in a consistent manner and made easier to execute.
Extreme costs $10,000 for 500 devices that appear over any 24-hour period, which is in the middle of the pack.
Hexis NetBeat (formerly NetClarity)
Hexis sent us a 1U hardware appliance, managed through a Web browser, which we connected to our test network. NetBeat is based on technology Hexis acquired from NetClarity last summer. NetBeat comes with two built-in Ethernet ports: the first one is used to connect to a switch access port; the second is used to monitor VLANs. It excels at understanding Layer 2 traffic across your network.
The Web screens had some minor display errors in Firefox and Chrome, but ran fine with Safari. There are no agents to install on the endpoints, with one exception noted below. The appliance has a series of menus on the left side that are somewhat haphazardly organized.
When you first connect to the device from your browser, you are presented with an overall risk profile with three dials that show threats, vulnerabilities, and assets. At the top of the Web-based console is a thermometer showing “overall network risk profile” on a scale from 0 to 100. It is hard to understand what this means, and watching the needle move across this gauge is probably not something most network administrators will find very useful. You can adjust what is shown in these charts with various weighting factors that can emphasize rogue VLANs over spoofed IP addresses, for example, but again that seems like more trouble than it is worth.
Once the appliance is connected to your network, it will attempt to discover network resources. Untrusted devices are highlighted in yellow bars, making them easy to spot. NetBeat had a harder time than its competitors figuring out our unmanaged switches and VMs running on our test network. But it does support managed switches from Extreme, Cisco, 3Com and HP.
For example, it misidentified a Mac running OS X 10.9 as a mobile device running iOS, and couldn’t identify an HP laptop other than that it was running some version of Windows (it was using Windows 8). It uses NMAP to scan your network and SSH to communicate with your managed switches. It also listed our Mac’s wired and wireless interfaces separately and couldn’t identify them as coming from the same computer.
The one agent-based piece of software available is for Windows Server 2003 or 2008 (but not 2012). This sends Active Directory information to NetBeat to get better user information. You can obtain the same information by forwarding Active Directory log data from your server without installing any agent; it is a matter of preference.
There are also two different user interfaces for asset discovery, one called “classic” that is somewhat terser than the other. On either list you can mark particular endpoints as trusted, move them to particular VLANs, or edit their descriptions if you recognize them.
NetBeat also wants to perform frequent signature updates, and because of a bug we had to go through a few steps to get these started on our test box. You also have to sequentially install its service packs, so you don’t want to miss any of them. This was somewhat annoying.
When NetBeat finds a vulnerability, it can generate a support ticket, and this ticket can be routed to a network administrator to escalate and resolve. It comes with three different pre-set access right levels: manager, IT staffer, or ordinary NAC user.
It has a very interesting assembly of 26 pre-set best practice compliance documents. You can use these as starting points to compose your own documents, which is a nice reminder that NAC can help define compliance (although the documents don’t have any effect on overall NAC operations).
Reports are this product’s biggest weakness. Reports can be scheduled to run periodically, and can be exported in PDF format. But they contain far too much information to be useful to security managers: a relatively healthy Mac running OS 10.9.5 produced a series of warnings about vulnerabilities that weren’t relevant, such as one for Windows XP’s IP stack.