Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

A guide to Network Access Control endpoint security

Alcatel-Lucent, Bradford, Enterasys, ForeScout, McAfee go above and beyond

Article comments

One of the main promises of network access control is that you can ensure that endpoint security tools are up to date and that non-compliant machines can be identified or blocked. As regulatory compliance has grown in importance, NAC vendors have reacted by building strong feature sets aimed at endpoint security and compliance. In our NAC testing, we had good, and sometimes great, results across the board when it came to endpoint security.

We created a very basic endpoint security policy, and then checked to see if we could implement that policy in our NAC products. We also looked at a variation on endpoint security, the ability of NAC products to handle system misbehaviour. For example, if a typical, compliant, desktop started to try and brute-force break into other systems by guessing passwords, that would be a misbehaviour we'd like to detect. Whether the desktop is infected, or the user is acting maliciously, it's still misbehaviour and NAC can help put a stop to it.

We discovered some products that handled our policy, and some that went far beyond what we asked. Alcatel-Lucent SafeNAC, Bradford Network Sentry, Enterasys NAC, ForeScout CounterACT and McAfee NAC are the ones to start with if you want to get very deep and very dirty in your endpoint posture assessment. The good news is that every NAC product passed the main part of this test. We were able to put in our policy, or a close approximation, and we were able to successfully detect Windows 7 systems that were not compliant. Not every product could match our policy exactly, but we were able to get very close in every case.

Macintosh support is spottier. Most products had some degree of Mac support, and we were able to find our installed Sophos antivirus with every product, although not necessarily easily. For example, Alcatel-Lucent Safe NAC doesn't know about antivirus tools, so we had to craft a policy based on other ways of detecting Sophos running in the client.

Overall, Macintosh OS X support is much weaker than Windows support in all products. This reflects both the compliance aspects of NAC endpoint posture assessment as well as the generally laissez-faire approach to end-point security tools common in the Macintosh community.

Beyond the basics

Beyond basic endpoint security posture assessment, though, we found lots of differences between products. The difficult part was trying to figure out which differences mattered and which did not. We started at the highest level and found two main approaches to endpoint security: using a client that runs on the endpoint, and using a scanning tool that tries to detect the status of endpoint security remotely.

A number of products, including Avenda eTIPS, Bradford Network Sentry, Cisco NAC Appliance, Enterasys NAC and ForeScout CounterACT, actually combine both techniques, although with a caveat: the combination can be farcical.

The problem with using both an endpoint client and endpoint scanner is that real vulnerability scanners are complex and expensive animals. For example, Nessus, the best-known vulnerability scanner, is built-in to several of the products we tested. Unfortunately, the licensing and charging model for Nessus changed in 2006 in such a way that it made updating Nessus impractical — leaving NAC vendors with a 4-year-old version of Nessus and an out-of-date set of scanning rules.

It's not just a Nessus problem, though; it's a question of whether the network manager taking care of the NAC management system also is ready to manage a vulnerability scanning system. For example, Cisco includes Nessus in their NAC Appliance, but a Cisco system engineer told us dismissively "nobody uses our Nessus." That's not surprising, and it's not Cisco's fault. The result is that products which include network scanners of all types are good at some things, such as detecting open ports and operating systems, but often not so good at actually doing vulnerability scans remotely.

When the scanning is very limited in the scope of what it is looking for, there's definitely useful information available to NAC products. One of our favorite examples was Trustwave NAC's scanning tool. In building NAC policy, you can define some endpoint security features such as "is not running an unauthorized mail server." If you set up that policy, Trustwave NAC will scan devices attaching to the network, looking specifically for mail servers.

Sometimes detecting ports and operating systems is useful outside of the context of endpoint posture assessment. For example, when a NAC deployment has to include embedded devices, such as printers or VoIP phones, it's useful to have an external scanner try and validate whether or not the device really is a printer or phone.

As a general rule, scanning externally is useful, but it's not as good an approach as an agent on the device.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *