Review: Portnox, Extreme lead NAC pack
There is also a confusing array of menu choices for reporting formats and content, such as more graphical information geared toward management, that could use some cleaning up.
Ironically, a better alternative to any of these reports is its logging section, where you can assemble reports for specific network activities, such as IP addresses that disappear or MAC addresses that have been spoofed. This is probably where you will spend more time understanding what is happening on your network. One of our test use cases, having a PC with dual NICs, was hard to find in either logs or reports, and, as we said earlier, NetBeat doesn’t do well with figuring out VMs.
At $5,500, plus another $600 a year for a support contract, NetBeat was the least expensive unit we tested, half what the next pricier unit went for.
Impulse Point SafeConnect NAC
Impulse Point has several components, including a hardware management device that sits on your local network and a series of software tools that are accessed through a Web browser. There are four separate Web interfaces: one for the dashboard and device reporting, one for system and network configuration, one for support and documentation and one for policy setup and management. Finding the appropriate series of menu commands is initially confusing until you understand how Impulse Point has split its controls among these interfaces. They work with Firefox or Chrome browsers and IE from v9 onwards.
For our tests, the vendor sent us a managed wireless access point and login information to access their test network in its cloud of thousands of devices. Once we connected to their dashboard, we were able to add and manage our own Windows and Mac clients that resided in our test lab. In normal use, you would place their hardware on your on-premises network and connect it to various authentication servers and set up links to your managed network switches.
To discover your endpoints, they make use of a variety of tools, including NetFlow, syslogs from DHCP servers, and RADIUS accounting information. They do not tap into WMI, and do not have agents on each endpoint. They can discover a wide range of routers and switches, but not VMware virtual ones. However, as part of the login process, they do install a piece of executable software that is the policy and crypto key for that endpoint. This key auto-provisions and identifies the endpoint to the management console. They do a decent job of discovery, and are tied with Portnox in terms of figuring out what is running on each system.
When you first log in, you have a choice to access your network from a new endpoint by installing an 802.1X certificate to identify yourself, or to log in using a guest account. They support a wide variety of mobile and desktop devices, including Windows XP and Macintosh OS 10.5 and more recent desktops, various mobile devices and even Kindle, Roku and Xbox. They do not support server OS versions. Impulse claims this is a feature because they don’t operate inline but enforce their policies across the entire network and don’t need to interfere with any server operations. You may or may not agree with this.
Once you have logged in and installed your certificate, your security posture is checked. If you don’t meet the policy requirements, you have to remediate. We had our enforcement policy set to “immediate quarantine,” which meant we had to self-remediate by downloading patches or bringing our antivirus up to date. Other choices are to send a stream of periodic warning messages, or to just audit the system and still allow network access.
The policy engine is the heart of SafeConnect, and you can choose from a wide variety of policies on authentication, NAT, antivirus and OS patching, or create a custom policy. The policy creation process is somewhat dense and difficult, and the company admitted it is working on several wizards to make things easier. Nonetheless, you can assemble a quite complex policy and workflow steps if you need one, with each policy having its own enforcement action and identity provider, for example.
New to this version is a series of “End of Life” policies where you can set up blocks on devices running particular older OS versions. That could be handy, depending on what kind of legacy desktops you still have to deal with.
For our test use cases, we had mixed results. It was easy to figure out when we added new devices to the network through its canned reports, but not as easy as some of the other products tested. The dual NIC task was difficult to accomplish and hard to detect, and the company is working on a better reporting scheme for the future to handle this situation. And when we added a new wireless access point to our configuration, SafeConnect figured out what was happening within a few minutes, and flagged the situation accurately.
Searching for particular clients is easily and quickly accomplished with a search box on the left side of the interface, and there is also a strip down that side showing you real-time network statistics: which endpoints are compliant, which are still needing remediation, and so forth. That is handy but ultimately difficult to parse if you have a large complex network with lots of device movement.
SafeConnect has copious reports; the hard part is getting them set up to show you meaningful information. One option is to export historical information to either a syslog or MySQL server for more advanced reporting.
Impulse Point can be pricey at $24,000 per year to secure 500 users.
Juniper/Pulse Policy Secure
Pulse Secure sent us three devices: a Juniper SRX UTM box, a low-end managed Juniper switch, and its Pulse Policy Secure NAC device. Having all three was cumbersome but an illustration of how each works together to provide a fully featured protection solution that operates from Layer 2 outwards. Each has its own Web and command-line interfaces and in the usual tradition of Juniper you’ll need to use both methods on all three boxes to get started.
Pulse Secure, formerly known as Junos Pulse, was spun out of Juniper to the Siris Capital private equity firm last summer. It comes either as an appliance or a VM in a variety of sizes: we tested the smallest version called MAG-2600 which is about the size of a paperback book and can handle up to 250 users. Note this differs from Pulse Connect Secure products, which are SSL VPNs.
Pulse Secure can integrate with a variety of Juniper equipment, including managed switches and unified threat appliances, along with AirWatch and MobileIron mobile device management tools. You can connect Pulse Secure to a variety of authentication sources, including LDAP and RADIUS servers and SiteMinder, as well as Windows and Mac agents. That’s great, but like many of the other products here, getting things set up is a long process, hampered by the use of a variety of Web and command-line configuration interfaces.
One good thing is that online help was nicely hyperlinked to specific sections in the manuals, which is a plus given that said manuals run longer than 1,000 printed pages. If you don’t have a lot of Juniper network infrastructure you probably should hold off purchasing this product, although they are working on integrating their NAC with other networking vendors. We did test it with a Cisco low-end managed switch, and once we set up our RADIUS information, it was able to pass 802.1X information back to the Pulse Secure.
Agents were optional and we tested the Windows ones to see how they worked. They will report on the security posture of your endpoint and via its host checker tool you can remediate to bring your device into compliance. This involves two steps: manual remediation for adding an anti-virus client (if needed), and automatic remediation for most other activities; these are set via NAC policies.
Pulse Secure accomplished some of our test cases, including the ability to see endpoints that didn’t meet our security policies. However, it failed to recognize VM sessions, and couldn’t determine when a dual-network endpoint was attached, although if you run its Windows agent, you can disable the wireless NIC when the wired network is attached.
Reports could be more useful. There are six basic ones that show devices and users but they have the least amount of information of any of the vendors tested. You can download them in CSV format. The log files are so dense that you will quickly make use of the query box to try to find a specific issue, although there are a number of options to cut down on the log messages if you are trying to troubleshoot a specific problem.
The Pulse Secure solution for 500 user licenses lists at $26,000, but discounts can cut this to nearly half this price.
Portnox
The Portnox product consists of software that runs on a Microsoft Windows Server with both Web and native Windows interfaces to manage it. The software installs IIS and SQL Express along with .Net framework, so it is deeply Microsoft-based. We added it to our lab network; Portnox supplied an ESXi server running a series of VMs, both the Windows Server 2008 R2 that ran its own software and several Mac and Windows clients.
We also used a Linksys access point that had been rooted and flashed to run PolarCloud’s Tomato firmware so that Portnox could obtain its logs, along with our own unmanaged switches in the lab network. Portnox supports both managed and unmanaged switches, wired and wireless networks, and Windows and non-Windows clients (the latter with some limitations). The Israeli military has a million-plus endpoint deployment to protect its network.
We had problems adding our flat, unmanaged network to the test bed, which mirrored a scenario where someone brings a small switch or consumer-grade router to work and plugs it into the corporate network. Displaying our devices connected to this unmanaged network was less than satisfactory: if you don’t have a very high proportion of managed switches in your environment, this isn’t the product for you. However, Portnox also was one of the best products at figuring out what was on our network. One nice feature is being able to see inside VMware’s vSwitches and operate directly on the virtual ports that make up that switch fabric. Only Extreme could best this particular feature, with support for other hypervisors.
Another nice feature is to be able to search for particular text strings—this can come in handy in very large installations. The strings can be located anywhere, not just in the device name. It comes with two automated tasks, to turn off unused ports every day on a particular schedule and to close ports after they have been inactive for a period of time.
Once we got everything up and running, Portnox was able to figure out all of our use cases with ease, although Extreme had slightly more information about network posture.
There are no agents used, which is impressive given how much information it can collect about the various endpoints and network infrastructure. Instead, Portnox has an interesting “fingerprint” feature where you can build up a profile of particular endpoints, such as IP-connected cameras or printers, to aid in their future discovery and control. The fingerprints are composed of things such as ARP responses, IP address, MAC vendor ID, occupied IP ports, and other information that it figures out. It wasn’t completely flawless: it labeled my VirtualBox sessions as Cadmus Computers, and doesn’t have Mac OS X 10.9 listed yet. It also had some bugs in how endpoint information was displayed when we used Firefox v35. Other browsers worked fine.
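To make the fingerprint idea concrete, here is an added example (not Portnox’s code) that builds device profiles from the attribute types named above and scores an observed endpoint against them; the OUI table, profiles and endpoints are constructed, and the 08:00:27 entry reflects the default VirtualBox OUI, which older OUI registries attribute to Cadmus Computer Systems, the label the review saw.

```python
"""Endpoint fingerprint matching: an added example, not Portnox's own code.
Profiles are built from the attribute types the review lists (MAC vendor OUI,
ARP behaviour, occupied TCP ports); all table and endpoint data is constructed."""
from dataclasses import dataclass

# Constructed OUI table (first three octets -> vendor). 08:00:27 is the default
# OUI of VirtualBox guests; older registries list it under Cadmus Computer
# Systems, which is why a plain OUI lookup labels VirtualBox VMs as Cadmus.
OUI = {
    "08:00:27": "Cadmus Computer Systems",
    "00:80:77": "Brother Industries",  # constructed printer vendor entry
    "00:12:FB": "Samsung",             # constructed camera vendor entry
}

@dataclass(frozen=True)
class Fingerprint:
    name: str
    vendors: frozenset   # acceptable OUI vendor strings
    ports: frozenset     # TCP ports expected to be occupied
    answers_arp: bool = True

@dataclass
class Endpoint:
    mac: str
    ip: str
    open_ports: set
    answered_arp: bool

def vendor_of(mac: str) -> str:
    """Resolve the OUI (first three octets) of a MAC to a vendor string."""
    return OUI.get(mac.upper()[:8], "unknown")

def score(fp: Fingerprint, ep: Endpoint) -> float:
    """Fraction of the fingerprint's attributes the endpoint matches (0.0-1.0)."""
    checks = [vendor_of(ep.mac) in fp.vendors, fp.answers_arp == ep.answered_arp]
    # One check per expected port, so a partial port match scores partially.
    checks += [p in ep.open_ports for p in fp.ports]
    return sum(checks) / len(checks)

def classify(ep: Endpoint, profiles, threshold: float = 0.75):
    """Best-matching profile name and score, or 'unknown' below the threshold."""
    best = max(profiles, key=lambda fp: score(fp, ep))
    s = score(best, ep)
    return (best.name, s) if s >= threshold else ("unknown", s)

PROFILES = [
    Fingerprint("network printer", frozenset({"Brother Industries"}), frozenset({9100, 515, 631})),
    Fingerprint("ip camera", frozenset({"Samsung"}), frozenset({80, 554})),
    Fingerprint("virtualbox guest", frozenset({"Cadmus Computer Systems"}), frozenset()),
]
```

A printer that exposes only two of its three expected ports still scores 0.8 and is classified, while an endpoint with an unknown OUI and a single open port falls below the threshold and is reported as unknown rather than forced into a profile.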
Portnox’s user interface could be snappier and clearer. Menus are somewhat confusing, as the active menu choice is placed to the right of the choices across the top, which is more of a design decision than anything functional. Speaking of design, another poor decision was to bury the view of your entire network in a submenu; other products have this as their default view.
Reports are less than illuminating and more akin to log files. There are about 10 pre-defined ones that come by default, and you can create others. A positive is that there are a variety of export formats including PDF, CSV or as a web page, along with a database interface specification where you can write your own if you are so inclined.
You can create different policies for each VLAN quite easily. The actions on each policy can be to disable a particular port, quarantine it (which Portnox calls “phasing”), run an Nmap scan, or DIY. The latter means you can set up particular workflows that kick off after a port exception pops up, which could be quite powerful if you can figure out the sequence of commands.
The product comes with multiple access roles and the ability to define your own role as well. That is a nice feature, particularly if the administrative duties will be split across different departments.
Portnox charges per port for its product; 500 ports cost $13,500.
How we tested NAC products
While we would have liked to use the same network configuration to test all five products, their different packaging made this impossible. We began with a small test network that mixed managed and unmanaged switches connecting various Windows and Mac desktops on both wired and wireless networks.