Bake-Off: 3 Network Access Control Apps Put To The Test


Controlling network access has become one of the most important tenets of IT security, which is why so many vendors now are offering network access control (NAC) products.

NAC solutions are all about enforcing pre-defined security policies on end points such as notebooks and other mobile devices trying to connect to corporate networks.



In the words of one solution provider: "When you control the end point, you control access to the network."

While that common-sense approach sums up what solution providers need to do to build enterprise security, getting there requires VARs to understand how end points access the network and how policy management affects that access.

With that in mind, the CRN Test Center researched more than 15 offerings and then narrowed the field by focusing on software-based solutions that can help accelerate a solution provider's entry into the NAC market. The results netted three review candidates: InfoExpress Dynamic NAC, StillSecure Safe Access 5.0 and Symantec NAC 5.1.

Engineers evaluated the products based on deployment, feature set, integration capabilities, scalability and suitability to task.


InfoExpress Dynamic NAC
InfoExpress offers Dynamic NAC, a software-based product that provides deployment flexibility. Partners can choose to install the product as a Microsoft Windows server or purchase the software preinstalled on InfoExpress' CyberGateKeeper Server Appliance. CRN Test Center engineers examined the software-only version.

Either way, Dynamic NAC brings centralized management, policy definition, granular access control, monitoring and remediation to Windows networks. The product works independently of network devices, meaning no firmware or device changes are needed for deployment. That knocks installation and configuration down to a few hours as opposed to days for hardware-dependent NAC solutions.

One of Dynamic NAC's most interesting aspects is its use of a peer-to-peer-type model that enrolls some network PCs as "enforcers." If an end point fails an enforcer's compliance check, the enforcer can redirect the end point to the Dynamic NAC server for remediation or walk the user through the remediation process. If remediation is not performed, the enforcer blocks the PC from accessing the network.

To control the access of more devices, just add more enforcers to the segment. What's more, enforcers can be housed at remote locations to cut down on remote site traffic. A good rule of thumb is to have enforcers available on each network segment.

Also, by having an existing PC work as an enforcer, that PC by default will be completely secure. The downside is that the PCs must be left on to perform those enforcer tasks.

Installation consists of little more than running a wizard, selecting enforcers and answering a few infrastructure- and security-related questions. One of the big advantages Dynamic NAC offers is the inherent compatibility with existing infrastructure devices. That means no network upgrades, reconfigurations or even programming of assorted switches, routers or other devices are needed—a major time-saver for VARs.

Configuration, on the other hand, can be a little intense. Administrators will need to understand how policies affect access and what the granular controls accomplish. Mistakes in the configuration process could lock users out of the network unintentionally. Luckily, InfoExpress has identified those issues and presents its management console and policy creation tasks concisely with ample documentation and support.

Test Center engineers found just one downside: the lack of support for access technologies such as 802.1x NAC, in-line NAC, Cisco Systems NAC and other hardware-centric access control methods. Those shortcomings can be addressed by trading up to InfoExpress' appliance-based NAC solution.

The company's Alliance Partner Program offers margins as high as 40 percent. Product pricing starts at $49 per seat, with volume discounts available.


StillSecure Safe Access 5.0
StillSecure's Safe Access is billed as a complete NAC solution, offering pre-connect testing, post-connect monitoring, end-point testing, compliance enforcement, remediation and identity-based access controls. The product also promises future support of Linux and Mac OS X to complement its existing Windows capabilities.

Safe Access 5.0 started shipping in October 2006 and brings significant features to the NAC arena. It is a major upgrade from previous versions and is designed to run on existing network servers.

The product offers several configuration and installation options. The most basic configuration uses a single in-line server to process all NAC functions. Solution providers also have the option of using enforcement schemes based on 802.1x or DHCP, both of which offer a slightly higher level of security but complicate the rollout of the product. Those new to NAC will want to start off with an in-line installation to keep deployment simple and effective and then scale up to the other enforcement levels if warranted.

Currently, the product is available as either a physical or a virtual appliance. Test Center engineers took a look at the virtual version, which is designed to run on a VMware virtual server session. That should prove to be the most efficient way for a solution provider to get started with Safe Access 5.0. Of course, they can choose to upgrade to an appliance later if need be.

Engineers were impressed by the straightforwardness and speed of the in-line installation method. An added bonus is that administrators will not have to make any changes to switches, routers or other infrastructure devices, thus speeding deployment.

Once installed, the product uses a browser-based console to manage policies, security schemes and remediation tasks. Test Center engineers found that defining more complex policies was quite easy and were able in a matter of minutes to create a policy that checked end points for service packs, detected antivirus applications and approved software. Any end points that failed the validation process were automatically blocked from accessing the network. What's more, the product has the ability to test connected end points frequently to make sure that those devices remain in compliance, a handy feature that will catch unauthorized changes.
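The kind of policy described above (service-pack level, antivirus presence, approved software, block on failure, periodic re-test of connected end points) can be sketched as follows. This is an added example, not StillSecure's code or policy format; the class names, field names and sample end points are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical models: names and fields are illustrative only and are not
# the policy schema of Safe Access 5.0 or any other product.
@dataclass(frozen=True)
class Policy:
    min_service_pack: int
    accepted_antivirus: frozenset
    approved_software: frozenset

@dataclass
class Endpoint:
    name: str
    service_pack: int
    antivirus: str            # "" when no antivirus product is detected
    av_running: bool
    installed: set = field(default_factory=set)

def evaluate(ep, policy):
    """Return a list of policy violations; an empty list means compliant."""
    failures = []
    if ep.service_pack < policy.min_service_pack:
        failures.append(f"service pack {ep.service_pack} < {policy.min_service_pack}")
    if ep.antivirus not in policy.accepted_antivirus:
        failures.append("no accepted antivirus detected")
    elif not ep.av_running:
        failures.append(f"{ep.antivirus} installed but not running")
    for app in sorted(ep.installed - policy.approved_software):
        failures.append(f"unapproved software: {app}")
    return failures

def admit(ep, policy):
    """Pre-connect decision: any violation blocks the end point."""
    failures = evaluate(ep, policy)
    return ("block" if failures else "allow"), failures

def retest(connected, policy):
    """Post-connect sweep: report admitted end points that no longer comply."""
    results = {ep.name: evaluate(ep, policy) for ep in connected}
    return {name: f for name, f in results.items() if f}

POLICY = Policy(2, frozenset({"ExampleAV"}), frozenset({"browser", "office"}))  # constructed

def demo():
    laptop = Endpoint("laptop-01", 2, "ExampleAV", True, {"browser", "office"})
    kiosk = Endpoint("kiosk-07", 1, "", False, {"browser", "p2p-client"})
    first = {ep.name: admit(ep, POLICY)[0] for ep in (laptop, kiosk)}
    laptop.av_running = False  # unauthorized change after admission
    return first, retest([laptop], POLICY)
```

Calling `demo()` admits the compliant laptop, blocks the kiosk on three violations, and then flags the laptop on the post-connect sweep once its antivirus is stopped.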

A good NAC solution should do more than just check, allow or block devices: Remediation and reporting can prove to be just as important. Safe Access is strong in both areas. CRN Test Center engineers were able to quickly script a remediation process that brought end points into compliance before being allowed to access the network, a process that is greatly simplified by Safe Access 5.0's inclusion of support for services from security vendors such as Symantec. End-point testing can be accomplished using three methods: an agentless scan, an ActiveX-based test or via a traditional remote agent.

The product's excellent reporting module provides proof of ROI, audit information or general network access statistics, offering dozens of reports on areas such as compliance, device lists and actions taken.

StillSecure's channel program offers margins from 10 percent to 30 percent. Plenty of service opportunities exist for authorized partners, ranging from installation to maintenance to training and data analysis. Safe Access 5.0 is priced at $40 per node, with volume discounts available.


Symantec NAC 5.1
With Symantec's purchase of Sygate in late 2005, the company gained security knowledge and tools that have allowed it to pursue new product areas. For security partners, the most important offspring of the union is Symantec Network Access Control (SNAC), a line of software and hardware offerings for networks of almost any size.

In its most basic form, SNAC 5.1 is a software-only product that combines a management server with agent-based technology to enforce end-point policies and block or remediate systems that fail to comply. For VARs building larger networks, Symantec offers three appliances that provide LAN, gateway and physical DHCP policy enforcement.

CRN Test Center engineers looked at a software-only implementation of SNAC, which consisted of the Symantec Sygate Policy Manager, an enforcement agent, Sygate personal firewall and a DHCP server software plug-in. Installation of the product was relatively straightforward, but installers should plan the implementation of the product and not just dive into the installation wizard. A basic understanding of the network layout and end points is a must to guarantee an uncomplicated installation.

The policy manager component is installed on a Windows 2003 server and has several other prerequisites (as do most NAC products), such as Internet Information Services and World Wide Web Services and, of course, must meet the minimum hardware requirements outlined in the startup guide. For the sake of simplicity, Test Center engineers installed the policy manager and its related components on a single server. The product's server configuration wizard made short work of the actual installation, and the included quick-start documentation proved to be an excellent resource for installation.

SNAC's policy manager organizes the network by groups based on departments, locations and so on. Smaller sites usually can get by with a single global group for policy management. The heart of the product is its security policies, where administrators define end-point requirements and actions to be taken. Policy creation and management is quite easy, thanks in part to a concise management interface, ample online help and extensive documentation.

Once policies are defined, the next step is to enforce the rules created at the end points. Although the product does offer an agentless configuration, most administrators will want to deploy agents, which will ensure that policies cannot be usurped and that remediation takes place. SNAC offers two types of agents: an enforcement agent and a protection agent. The protection agent is used on end points that will use Symantec's own Sygate firewall, while the enforcement agent is used on end points that have third-party firewalls in place. Either way, agents can be pushed down to end points using common deployment tools and packages, thus automating much of the initial deployment.

The real fun begins when a device doesn't meet the defined policies and is blocked from accessing the network. Administrators can script steps to automate remediation and grant network access once remediation has occurred.

The product also offers comprehensive reporting capabilities, an important feature for demonstrating ROI, tracking assets and enhancing change management. Administrators will find the reports a valuable source of information when it comes to maintaining patches, installing software and tracking access to the network.

One of SNAC's major strengths is its deployment flexibility: The product offers a plethora of deployment scenarios and options that would make it a good fit for enterprises small to large. Another strength is its scalability, where solution providers can start with a software-only deployment and then add appliances as needed to meet growth or new compliance requirements. Those two strengths make Symantec's first major stab at NAC a strong platform on which to build sales growth.

The product's ease of use and deployment are added benefits that should empower solution providers that are neophytes to NAC technologies and smooth the learning curve. Symantec does not release margin information for its PartnerNet program. Pricing starts at about $800 for 25 to 50 users.


The Bottom Line
All three NAC products reviewed here would serve any small enterprise well. One of the biggest differentiators is how each product scales to suit larger organizations. For most VARs, StillSecure's model makes the most sense, easing the transition from software-based NAC to a hardware-based solution while generating ongoing revenue and service opportunities. That said, the other two players here come pretty close.

One of the biggest challenges for partners is the startup and deployment costs of NAC. InfoExpress's software-based offering is arguably one of the easiest NAC solutions to sell. Its ability to be quickly integrated without the purchase of additional hardware makes it palatable for businesses constrained by budgets.

Ease of use and management are key. Here, StillSecure's Safe Access is clearly the best. Its simplified dashboard ensures that administrators can get up and running quickly. In contrast, Symantec and InfoExpress use browser-based consoles that prove to be more complicated.

On features, Symantec offers a robust set that complements other products in the vendor's portfolio. StillSecure's support for third-party products and custom scripting should meet most customers' needs, while InfoExpress' extensive features include many remediation and testing options to speed policy creation and deployment.

Each contender has a respectable channel program, but Symantec's experience with the partner community gives the company an advantage. StillSecure and InfoExpress cover the basics well but have not reached the same heights of channel support.

In short, solution providers can't go wrong with any of these products, but once all of the elements are added up, InfoExpress barely edges out the competition.

Shopping The Ingredients
VENDOR: InfoExpress
Mountain View, Calif.
(650) 623-0260
www.infoexpress.com

• PRODUCT: Dynamic NAC for Windows
• PRICE:
Starts at $49 per user, with volume discounts available
• PARTNER INCENTIVES:
Margins of 30% or higher.

• PROGRAM PARTNERS:
13 partners.
• PROGRAM COSTS:
None.
• DISTRIBUTORS:
None in North America

VENDOR: StillSecure
Superior, Colo.
(303) 381-3830
www.stillsecure.com

• PRODUCT: Safe Access 5.0
• PRICE/SUPPORT:
Costs about $20 per IP for 2,500 user deployment; three support levels, in addition to online support.
• PARTNER INCENTIVES:
Referral and reseller margins of 15% to 25%

• PROGRAM PARTNERS:
35 partners
• PROGRAM COSTS:
None.
• DISTRIBUTORS:
None.

VENDOR: Symantec
Cupertino, Calif.
(408) 517-8000
www.symantec.com

• PRODUCT: Symantec Network Access Control 5.1
• PRICE/SUPPORT:
$18,000 MSRP for 1,000-user license; includes one year of Gold Maintenance Support.
• PARTNER INCENTIVES:
Offers rebate program.

• PROGRAM PARTNERS:
More than 60,000 partners worldwide
• PROGRAM COSTS:
None
• DISTRIBUTORS:
Arrow, Avnet, Douglas Stewart, Ingram Micro, MOCA, Synnex, Tech Data.