NAC Grows Up

StillSecure's Safe Access 5.0 just outpaces Symantec's and Sophos' security solutions

By CRN Test Center

12:00 AM EDT Mon. Jul. 21, 2008
From the July 21, 2008 issue of CRN Tech
Page 2 of 5
StillSecure Safe Access 5.0
StillSecure submitted its Safe Access 5.0 product for review. StillSecure gives solution providers the option of either getting the software and installing it on their own hardware, or having StillSecure provide the server as well. The company has a list of specific hardware platforms on which it has tested the product, and it works with the partner to make sure the sourced hardware is sufficient. For the minimum requirements, the server must have at least an Intel Pentium 4 processor at 2 GHz, 2 GB of RAM, Gigabit Ethernet networking, a CD-ROM drive and networking cards (the exact number varies with the type of installation). StillSecure is currently pushing Dell servers as the ideal platform, so reviewers asked the company to source the server as well. The Dell PowerEdge 1950 server came with Intel Xeon processors, a 73-GB SAS hard drive and two networking ports. StillSecure said Safe Access will cost as little as $20 per IP address in a 2,500-user deployment.

Safe Access is deployed as an enforcement server on the network. Depending on the network size and needs, customers can choose to have multiple enforcement servers on the network, and they can all be managed from a single management server. The enforcement server can be installed using one of three enforcement methods—inline, DHCP or 802.1x. Reviewers chose to install Safe Access inline on a single server. This option means there are no changes required to the network's existing configuration settings. The DHCP method performs an endpoint assessment before the DHCP server assigns an IP address. The 802.1x method requires a RADIUS server and is ideal for quarantining ports between VLANs.

For deployment, the Safe Access software needs to be installed on the designated server. No other software can be installed on that machine because Safe Access installs StillSecure OS, the company's own hardened Linux-based OS. Because this was a single-server installation, the management and enforcement servers resided on the same box. The server requires a static IP address and host name, along with other basic networking information. Once the software is installed, the server reboots into Safe Access. The rest of the configuration—time information, admin password, etc.—is done with a workstation using a Web browser with at least 128-bit encryption.

The management interface was cleanly laid out in a three-pane window. All the options for policies, reports and configuration were available to the left, information was in the middle pane, and more details and information were to the right. User authentication can occur against LDAP or an RDBMS. For testing, reviewers used an LDAP-based server.

StillSecure's Safe Access performs authorization based on the physical device. This means all the users must meet the same end-point-security requirements (patches installed, antivirus running, etc.) before being allowed network access. StillSecure does support authorization based on user roles to a limited extent, where different security requirements kick in, based on whether the user is connecting from a VPN or LAN. This can be defined by creating a NAC policy for LANs, VPNs, wireless, etc. After creating the NAC policy, the end-point checks can be mapped to a device group. The NAC policy is not created on the individual user level.

When a guest tries to connect, an ActiveX agent performs a system assessment on the guest's machine. If the guest passes muster, they are allowed onto the network. While the initial checks are run before the client is allowed on the network, Safe Access can be configured to retest end points at set intervals. So if the guest turns off the antivirus after connecting to the network, a retest will find that and correct it. Safe Access supports most major antivirus products and many of the smaller ones, such as ClamWin and Panda. It also supports personal firewalls such as Check Point's ZoneAlarm. And it can check for Windows operating system patches and for other software packages, such as Microsoft Office.

Many of the checks are configured into the box, such as operating system services and security authentication. Safe Access also supports custom checks, so tests to ensure an in-house application is installed, or that there aren't certain files on the machine, can be created. The checks are created using a Python-based process. Programming-savvy IT admins can develop their own checks, but this is an area where solution providers can offer value.
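An illustration of the posture model described above (checks mapped to a device group per connection type, custom checks, and a retest after connection), as an added Python example that is not StillSecure's code or its custom-check API. The check functions, policy table, application name and file path are hypothetical, and quarantining on a failed check or a missing policy is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Endpoint:
    """Constructed posture snapshot, as an assessment agent might report it."""
    name: str
    connection: str                      # "lan", "vpn" or "wireless"
    antivirus_running: bool
    missing_patches: List[str] = field(default_factory=list)
    installed_apps: List[str] = field(default_factory=list)
    files: List[str] = field(default_factory=list)

# A check returns "" on pass or a human-readable failure reason.
Check = Callable[[Endpoint], str]

def antivirus_check(ep: Endpoint) -> str:
    return "" if ep.antivirus_running else "antivirus not running"

def patch_check(ep: Endpoint) -> str:
    return "missing patches: " + ", ".join(ep.missing_patches) if ep.missing_patches else ""

def require_app(app: str) -> Check:
    """Custom check: an in-house application must be installed."""
    return lambda ep: "" if app in ep.installed_apps else f"required app absent: {app}"

def forbid_file(path: str) -> Check:
    """Custom check: a given file must not exist on the machine."""
    return lambda ep: f"forbidden file present: {path}" if path in ep.files else ""

# Hypothetical policies keyed by connection type (device group), not by user.
POLICIES: Dict[str, List[Check]] = {
    "lan": [antivirus_check, patch_check, require_app("inhouse-crm")],
    "vpn": [antivirus_check, patch_check, forbid_file("C:/tools/p2p.exe")],
}

def assess(ep: Endpoint) -> Tuple[str, List[str]]:
    """Run every check in the endpoint's policy; fail closed if none applies."""
    checks = POLICIES.get(ep.connection)
    if checks is None:
        return "quarantine", [f"no NAC policy for connection type {ep.connection!r}"]
    failures = [reason for reason in (check(ep) for check in checks) if reason]
    return ("allow", []) if not failures else ("quarantine", failures)

if __name__ == "__main__":
    guest = Endpoint("guest-laptop", "lan", True, installed_apps=["inhouse-crm"])
    print(assess(guest))                 # initial assessment
    guest.antivirus_running = False      # guest disables antivirus after connecting
    print(assess(guest))                 # scheduled retest catches the change
```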
