Lippis Report Issue 66: Network Admittance Control Options

Sep 4, 2006 by Nick Lippis

We've covered Cisco's network access control (NAC), Microsoft's Network Access Protection (NAP) and the Trusted Computing Group's Trusted Network Connect (TNC) security architectures. All of the above are infrastructure based network access control architectures with differing enforcement models and client requirements. The complexity, high cost and lack of availability of these access control approaches has given way to the rise of NAC appliances, which we explored in Lippis Report 64 "The Road to Network Admission Control," and Lippis Report podcast, "Network Admission Control Simplified." Many Lippis Report readers and podcast listeners told us that what is important to them is how their chosen infrastructure company is deploying access control. Most Network/IT executives see network access control from an infrastructure investment protection point of view. That is, there is little interest in switching major infrastructure vendors solely on network security. So in this edition of the Lippis Report, we asked Cisco Systems, ProCurve Networking by HP, Foundry Networks, Extreme Networks, Nortel, Juniper and 3Com to tell us about their network access control solutions.

The network access control market is by no means commoditized. There are significant differences between vendor offerings. There are client and/or clientless based approaches to network access control. Some integrate a policy manager into their offering, while others either provide a separate policy manager or rely upon a third party policy manager. Vendors differ on their support of endpoint operating systems and devices. Some vendors offer support for PCs, non-interactive devices such as printers and gaming consoles, IP phones, etc., while others only support specific Windows environments. Some provide the same solution for wired and wireless access, while others support only wired. There is also differentiation based upon existing network infrastructure. Some vendors offer an overlay security approach, which is independent of installed network switches, while others are highly dependent upon their switches being deployed to deliver security enforcement services. The breadth and depth of partnering to deliver on remediation is also a differentiator.

We've asked all suppliers to address client requirements, access control enforcement, post access control, their unique differentiation and provide budget guidelines. We asked them to address all of this in just two paragraphs. Some went a little over, and we afforded them that leeway. I provide a cross-vendor assessment at the end. So without further ado, here are network access control solutions from Cisco Systems, ProCurve Networking by HP, Foundry Networks, Extreme Networks, Nortel, and Juniper.

Cisco Systems

In Cisco's view, an effective NAC solution must be able to do at least four things:

  • Authenticate and authorize any incoming user,
  • Assess the posture of any incoming endpoint device,
  • Quarantine that device if it fails to meet policy requirements,
  • Remediate the device to bring it into compliance.

In terms of authentication, Cisco's NAC Appliance natively integrates with Kerberos, Lightweight Directory Access Protocol (LDAP), RADIUS, Active Directory, S/Ident, and others. It supports single sign-on for VPN clients, wireless clients, and Windows Active Directory domains. Administrators can maintain multiple user profiles with different permission levels through the use of roles-based access control.

Posture assessment is performed either through network-based scans or through the use of an Agent, which works on Windows and Macintosh machines. Policies are either created through pre-configured rulesets for hundreds of third-party applications, such as antivirus and anti-spyware, or are customized for specific applications, such as in-house programs.

Cisco's NAC Appliance performs quarantine (or access control enforcement) through a variety of network-based means, based on customer preferences. These methods include static or dynamic VLAN assignment, via 802.1x, DHCP, switch ports, ACLs, drop/filter packets, Layer 3 subnet isolation, and Layer 2 broadcast domain isolation.

Finally, Cisco's NAC Appliance offers a variety of methods for remediation. Users can be guided through an Agent-based wizard, a set of web-based instructions, or automated launching of a Windows Update or SUS (Software Update Server) server. Post access control enforcement is accomplished through the Cisco Security Agent software, which mitigates new and evolving threats without requiring reconfigurations or emergency patch updates.

Cisco's NAC Appliance differentiates based on three elements: 1) the ability of one product to perform all the functions of NAC regardless of the type of endpoint device (laptops, IP phones, game consoles, printers, etc.) or the method of network access (wireless, VPN, LAN, WAN); 2) over 30 deployment methodologies that can fit into any type of network environment; 3) the existence of over 1,000 customers who have purchased and deployed the Cisco NAC Appliance. In terms of budget guidelines, each deployment requires one Manager, and at least one Server. A 100-user license that includes the software and hardware for both Manager and Server is priced at $8,995.

ProCurve Networking by HP

ProCurve Networking by HP has a comprehensive security strategy called ProCurve ProActive Defense, delivering a trusted network infrastructure that is immune to threats, controllable for appropriate use and is able to protect data and integrity for all users. Part of this strategy includes a comprehensive infrastructure-based access control solution through ProCurve's Identity-Driven Manager (IDM) 2.0 software.

ProCurve was a pioneer in the definition and development of many of the open security initiatives related to network access control, including being an initiator of the 802.1x specification, and is a consistent contributor to the Trusted Network Connect (TNC) specification from the Trusted Computing Group (TCG). In this effort, ProCurve was one of the first implementers of 802.1x controlled network ports.

ProCurve has continued to build upon its secure connection technologies by building in alternative methods of authentication, including a web-based authentication process and a MAC address based authentication process embedded in ProCurve network devices. Together these port-based access control features provide network administrators strong network access control capabilities at the network edge. In addition, ProCurve has added its Identity Driven Management (IDM) software, which allows administrators to create rules that dynamically adapt the network edge ports (and wireless connections) to the needs of the user.

With this solution, network administrators have the ability to allow and restrict access to the overall network, or resources on the network, based on the business need of users. These access rules can be applied based on the user device connecting to the network, place, and time. In addition to the standards-based ability to apply a user to an authentication, ProCurve has the ability to apply performance settings (QoS and rate limits) and detailed filtering capabilities (Access Control Lists). These unique ProCurve features are a combination of the ProCurve devices and the IDM network access policy management.

The ProCurve access control solution is a unified solution, which covers both wired and wireless LAN environments. It integrates with the industry leading RADIUS authentication servers and provides the usual ProCurve value proposition of the best price-performance in the industry.

ProCurve ProActive Defense is the only approach offered today that has the built-in flexibility to meet not only today's security challenges, but tomorrow's, as well. Access control is done at the edge of the network: where your security posture should be deployed, versus tunneling everything into the core of the network. In summary, by uniquely melding offense and defense into a cohesive, easily managed and comprehensive architecture, ProCurve ProActive Defense is the best way to harness the full potential of networks, now and in the future.

Foundry Networks

Foundry Networks provides standards based NAC, which has been validated with various agent and agentless NAC solutions. Foundry’s edge chassis and stackable switches support all of the key Radius 802.1x, MAC, and Web authentication capabilities, and have been proven to work with a variety of Radius Servers and supplicants. This includes Microsoft’s IAS, FreeRadius, Cisco’s ACS, Infoblox, and Funk Software. Foundry’s access control infrastructure provides the flexibility to support any standard Radius server and client implementation, and does not lock customers into a proprietary high-cost solution.

Foundry’s edge based Layer 2/3 switches and routers have been validated with a number of agent and agentless NAC solutions including those from Symantec, Check Point, and StillSecure. These agents use Radius and 802.1x to validate both the user and client health. The NAC policy server can automatically and dynamically switch the client to a guest, quarantine or production VLAN, depending upon the outcome of the conformance test. Depending upon security policy, a user may be blocked out of the network completely, or given limited or guest access. In addition, Foundry's IronShield 360 security program adds anomaly detection services to its Layer 2/3 devices, which enable its IronView Network Manager (INM) to participate in remediation of anomalistic network behavior uncovered post admission control.

Foundry is a member of Microsoft’s Network Admission Protection (NAP) partner program where it's working with Microsoft to ensure that its switches and routers are fully interoperable with NAP software components for Windows Vista and Longhorn releases. Foundry is also collaborating with a number of NAC appliance vendors such as Lockdown Networks and Impulse Point to ensure they can dynamically remediate Foundry equipment, including changing VLANs and other network address assignment, to ensure that clients are properly placed on the production, quarantine, or remediation VLANs or disable their network access.

Extreme Networks

Extreme Networks offers the full-featured Sentriant™ Access Guard (AG) solution for enterprises that require increased security at the edge where the network is dynamically protected from endpoint devices like PCs that do not comply with organizational security policies. This solution minimizes the threat of viruses and attacks originating from infected or unprotected endpoints.

Sentriant AG supports a variety of testing methods enabling a variety of network endpoints to be tested within any customer environment before they are allowed to access the network. The Sentriant AG also controls network access for various user types including employees, visitors, partners and remote users connecting over the wired or wireless Local Area Network (LAN) or Virtual Private Network (VPN).

Sentriant AG supports multiple enforcement mechanisms including Inline, DHCP, and 802.1x. By leveraging Extreme Networks’ standards-based 802.1x implementation on its award-winning Ethernet switches and ExtremeXOS® operating system, the Sentriant AG can place end-points in the appropriate VLANs (quarantine VLAN, guest VLAN or production VLAN) based on test results and further restrict access using more granular policy enforcement techniques such as dynamic Access Control Lists (ACLs) and bandwidth rate limiting.

Key features include true agent-less testing, which requires no additional client-side software and features support within Windows 2000 and XP environments. Browser-based testing (ActiveX) or a lightweight, persistent agent is available for all Microsoft-supported versions of Windows. Mac OS X and Linux clients will be supported in a future software release.

Nortel

The Nortel Secure Network Access (NSNA) appliance provides a unified access policy for admission control for wired, wireless and mobile workers. NSNA is an out-of-path appliance that delivers superior scalability and reduced latency for multimedia applications such as IP telephony and video, when compared with other solutions. NSNA provides a unique clientless solution that offers customers a flexible choice of deployment and enforcement models, including both VLAN and/or traffic filters. NSNA provides superior out-of-path performance by tightly integrating with network access elements such as Ethernet switches, WLAN controllers and VPN Gateways. The NSNA solution supports IP Phones, Windows, Linux, Mac OS and non-interactive devices such as printers and gaming consoles. In addition, NSNA supports customer environments with mixed deployments of Nortel and non-Nortel network elements such as non-Nortel Ethernet switches.

Nortel Secure Network Access (NSNA) delivers a unified access policy focusing on 4 key areas:

  1. Authentication & Posture Assessment - using Nortel's web-based and customizable captive portal technology to provide network access control based on user identity and system health with Nortel Tunnel Guard technology.
  2. Authorization - using Nortel's automated per-port firewall capability at the access layer to provide network resource control based on user profile and device identity.
  3. Continuous Threat Analysis - continuous validation of user and device security compliance using real-time environmental threat information from network elements such as IDS and IPS.
  4. Quarantine & Remediation - automated host quarantine and remediation triggered through continuous threat analysis events.

Nortel is committed to a standards-based deployment with broad interoperability as demonstrated through our work with Microsoft NAP and the Trusted Computing Group TNC frameworks. The list price for the NSNA 4050 appliance is $17,995 and includes a license for 200 concurrent users but incremental user licenses are also available.

Juniper

Juniper’s Unified Access Control (UAC) Solution includes the Infranet Controller, which serves as a centralized policy manager; the UAC Agent, which is dynamically downloadable endpoint software; and several forms of enforcement points.

The Controller is a hardened policy management server that consolidates user authentication, endpoint integrity verification and device location, and combines this information with policy to restrict network, resource, and application access. This policy is then passed to enforcement points within the network for dynamic access control.

Enforcement Points: UAC enforcement points encompass virtually all Juniper firewall/VPN platforms, including Juniper secure router FW/VPNs and Juniper’s Integrated Security Gateways with integrated IDP modules. This variety of enforcement platforms enables security from smaller firewalls to protect printer farms to 30Gbps models to enforce policy in the most traffic-intensive settings.

UAC Agent: The UAC Agent is a dynamically downloaded agent that can be provisioned from a Web browser by the Controller, and provides authentication and endpoint assessment capabilities before login and throughout the user session. The Agent includes Host Checker, familiar from thousands of Juniper Secure Access SSL VPN deployments, which enables the administrator to scan endpoints for a variety of security applications/states, including antivirus, malware and personal firewalls. UAC also enables custom checks such as registry and port status and can do an MD5 checksum to verify validity.

Deployment is simplified with pre-defined Host Checker policies and automatic monitoring of AV signatures for the latest definition files. The agent also includes an integrated personal firewall for dynamic client-side enforcement of policies, as well as specific functionality for Windows devices that includes IPSec VPN (enables encryption from the endpoint to the firewall) and Single Sign-On to Active Directory. UAC supports Windows, Mac, Linux and Solaris platforms. UAC also supports agentless mode, for situations where it would be impossible to download the agent, such as with guest access.

UAC is unique in its Layer 3-7 overlay approach that does not require a forklift upgrade of existing infrastructure, which enables phased access control deployments to protect mission critical assets in campus wired/wireless, data center and remote office/branch office locations. Access control can be easily enabled with enforcement points that can be deployed in transparent mode, eliminating re-routing of network infrastructure. The solution also supports high availability across LAN and WAN for distributed network architectures. Access control rights can be provisioned in an extremely granular way, differentiating not only employees from guests, but within each classification as well. Also unique is the dynamically downloadable agent, as well as the ability to use the solution to realize IPSec to the desktop. The solution can be easily deployed as an overlay today with imminent plans to use standards to incorporate additional, cross vendor infrastructure elements, such as integration with 802.1X supplicants and RADIUS servers from the recent Funk acquisition.

Cross-Vendor Analysis

Here are my thoughts on the above submissions. They are not in any prioritized order. First, most vendors offer a comprehensive solution, with Cisco, ProCurve, Juniper and Nortel being ahead of Foundry and Extreme.

Cisco's NAC security offering is two pronged: 1) the NAC appliance, which they discuss above and 2) infrastructure based NAC. The NAC appliance with integrated policy manager is an overlay security strategy with limited, if any, integration with its network infrastructure products. Cisco's NAC approach is comprehensive, offering multiple configuration and design options across its four NAC stages: 1) Authenticate and authorize, 2) Posture assessment, 3) Quarantine and 4) Remediate.

ProCurve integrates enforcement at the port level of its switches, with a separate identity manager for policy management. Port level enforcement eliminates the need to tunnel traffic over the LAN/WAN to a central enforcement point, and with it the exposure that tunneling creates. ProCurve and others also inject QoS and rate limits at the authorization stage of access control.

Foundry and Extreme's network security offerings are centered around their Layer 2/3 switches and routers. Foundry's NAC strategy is based upon standard client and authorization technologies, partnering with Microsoft, NAC appliance suppliers and agent software concerns, with enforcement performed at the network edge. Extreme offers a clientless solution, which is independent of wired or WLAN access, where enforcement is conducted at the port level of its switches.

Nortel, like Cisco, describes an appliance/overlay approach to network access control. For Nortel this strategy allows it to address security requirements for both on- and off-base customers and prospects. The Nortel NSNA is a comprehensive offering with an aggressive price point. Its NSNA supports multiple access methods and endpoint devices, while Nortel promises to integrate NSNA features into its network infrastructure products. Nortel is the only infrastructure vendor here to provide a statement of direction to be integrated with Microsoft's NAP and to support TNC simultaneously.

Juniper does not participate in the Ethernet switch market, so its network security architecture is centered around its firewall/VPN/router platforms. Juniper's Unified Access Control (UAC) solution offers a controller for policy definition and management, an agent/client for endpoint posture assessment, and enforcement within its infrastructure platforms. UAC offers high granularity of access control thanks to its controller and infrastructure enforcement. However, UAC must tunnel traffic across the LAN to implement its security services rather than enforcing at the port level. Juniper seems to have a distinctive WAN view of network security.

There are a few common threads across all suppliers. First is the support of the 802.1x supplicant as the basis for a standard client now and into the future. Second is a growing trend to offer both client and clientless network access control approaches. Third, all network access control vendors limit network access by placing endpoints into a specific VLAN (production, quarantine, or remediation) or denying access. There is a growing trend to go beyond simple static or dynamic VLAN assignment of clients after posture conformance testing toward increased granularity: Layer 3 subnet isolation, Layer 2 broadcast domains, switch ports, drop/filter packets and ACLs.
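To make the common pipeline concrete (authenticate, assess posture, then place the endpoint in a production, quarantine or guest VLAN), here is a small Python model added to this edition; it is not code from the report or from any of the vendors above. The user directory, MAC-authenticated device table, VLAN IDs and posture thresholds are all constructed for illustration. The `Tunnel-Type`, `Tunnel-Medium-Type` and `Tunnel-Private-Group-ID` values are the standard RADIUS attributes from RFC 3580 that an 802.1x-capable switch reads from an Access-Accept to assign a port to a VLAN dynamically; the model also covers the two edge cases the vendors mention, a non-interactive device (printer) that can only MAC-authenticate, and a user endpoint that returns no posture data at all.

```python
"""Toy model of an admission-control decision: authenticate, assess posture,
assign a VLAN, and express that VLAN as RFC 3580 RADIUS tunnel attributes.
Every directory entry, VLAN ID and threshold below is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# RFC 3580 attribute values used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE-802

VLANS = {"production": 100, "quarantine": 200, "guest": 300}  # constructed IDs
MAX_SIGNATURE_AGE_DAYS = 7                                     # constructed policy

# Constructed identity stores: interactive users, and devices known by MAC only.
USERS = {"alice": "employee", "bob": "employee"}
DEVICES_BY_MAC = {"00:11:22:33:44:55": "printer"}


@dataclass
class Posture:
    av_installed: bool
    av_signature_age_days: int
    firewall_enabled: bool
    os_patched: bool


@dataclass
class Request:
    username: Optional[str]      # None for devices that cannot log in
    mac: str
    posture: Optional[Posture]   # None when no agent or scan result exists


@dataclass
class Decision:
    vlan_name: str
    reasons: list = field(default_factory=list)
    radius_attrs: dict = field(default_factory=dict)


def assess_posture(p: Posture) -> list:
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if not p.av_installed:
        failures.append("antivirus not installed")
    elif p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"antivirus signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    if not p.os_patched:
        failures.append("operating system missing required patches")
    return failures


def radius_vlan_attrs(vlan_id: int) -> dict:
    """Attributes a RADIUS server returns so the switch moves the port to vlan_id."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": str(vlan_id)}


def admit(req: Request) -> Decision:
    # 1. Authenticate: known user, else known non-interactive device, else guest.
    if req.username in USERS:
        role = USERS[req.username]
    elif req.mac in DEVICES_BY_MAC:
        role = DEVICES_BY_MAC[req.mac]
    else:
        d = Decision("guest", ["unknown user and device"])
        d.radius_attrs = radius_vlan_attrs(VLANS["guest"])
        return d

    # 2. Assess posture. A printer cannot run an agent, so posture is not
    #    applicable; a user endpoint that reports nothing is treated as failing.
    if role == "printer":
        d = Decision("production", ["MAC-authenticated device, posture not applicable"])
    elif req.posture is None:
        d = Decision("quarantine", ["no posture data received from endpoint"])
    else:
        failures = assess_posture(req.posture)
        d = Decision("quarantine" if failures else "production", failures)

    # 3. Enforce by dynamic VLAN assignment; the reasons double as remediation guidance.
    d.radius_attrs = radius_vlan_attrs(VLANS[d.vlan_name])
    return d


if __name__ == "__main__":
    stale = Posture(av_installed=True, av_signature_age_days=30,
                    firewall_enabled=False, os_patched=True)
    print(admit(Request("bob", "aa:bb:cc:dd:ee:02", stale)))
```

The policy deliberately fails closed: an endpoint that authenticates but returns no posture data lands in quarantine rather than production, which is the behaviour a deployment needs so that a crashed or tampered agent cannot become a bypass. The printer case is the opposite trade-off and is worth a dedicated, tightly filtered VLAN in a real network rather than the production VLAN used here for brevity.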

Clearly from the above, some vendors are further along than others. However, it doesn't seem that a customer would be compelled to change infrastructure vendors solely on the basis of security features, as all suppliers are investing to deepen security services in their offerings. If NAC were a major competitive differentiator, then Enterasys would be stealing share from all of the above suppliers. The fact is that Enterasys is not taking share and owns approximately 2% of the Ethernet switch market. Network security is a must have and all suppliers are addressing the requirement.

While both Nortel and Cisco discuss NAC appliances above, neither is far along in integrating these appliances into their network infrastructure offerings. ProCurve and Extreme seem to have decided to skip the appliance step and go right to infrastructure based NAC, while Foundry is partnering with NAC appliance suppliers and simultaneously delivering NAC within its switches and routers. Vendors are responding to their unique customer requirements.

Budgeting for NAC is challenging. The best guideline is to budget between 30% and 50% of network acquisition cost for NAC. However, I have seen responses to NAC RFPs come in at 100% of Ethernet switch purchase price. NAC appliances can bring that price point down in smaller installations, while mitigating most threats and vulnerabilities. However, a well-designed NAC based infrastructure can be cost effective too. Scale of the deployment is the key determining factor.

Remember the industry is in the early adoption curve stage for NAC and there will be many new options available in the coming quarters. Threats and vulnerabilities are not going away, and NAC will be one of the most potent defenses in IT's arsenal to mitigate exploits. It is important to start now and experiment with NAC implementations to develop policy, train staff and understand NAC's strengths and weaknesses, while fitting NAC into your munitions store.
