Sophos' claim is that this kind of endpoint-driven focus is important for counteracting today's security threats.
Sophos NAC Advanced is capable of monitoring managed and unmanaged computers. Managed PCs are assessed through an installed, persistent agent. Unmanaged PCs (unknown on the network, or "guest users") are assessed through Web technology.
The testing environment consisted of a Windows 2003 server on which NAC Advanced's Console, Enterprise Console and DHCP enhancer were installed. In addition, two Windows XP clients served as guinea pigs: one managed, with the agent installed, and the other unmanaged, to test the Web-based assessment capabilities.
Upon logging into the managed client, Sophos' NAC registered and updated the PC with the latest policy information. The unmanaged PC was kept quarantined off the network until it was sent to a designated URL to be brought into compliance.
Policies, with Sophos' product, can be enforced in a couple of different ways: DHCP, VPN (IPSec or SSL) or 802.1x. There is also an agent enforcement option built into the NAC agent.
The management interface is detailed and customizable. The only critique is that the interfaces seem to be all over the place: there is the Enterprise Console and the NAC Console. The Enterprise Console is a dashboard that gives an overall look at the NAC-protected environment of a network. Items listed can include the number of managed or unmanaged computers, status of updates (which invokes an MMC snap-in) and alerts on computers with malware or suspect files. The interface also offers a more drilled-down view of the state of each machine's antivirus version, firewall and any alerts or errors. Threshold levels can be defined; if a level is exceeded, the dashboard status indicator reflects the urgency. SMTP e-mail alerts can be sent as well.
Reporting is another feature. Reports are customizable and can be viewed in tabular or chart form. Reports are exportable as PDF, Excel, Word, HTML, RTF, XML or HTTP. Inside a generated tabular report, any alerts listed are hyperlinks that redirect to Sophos' Web site for additional information.
The NAC Console differs from the Enterprise Console primarily in that it is where policies and profiles are configured. Reviewers posed a couple of "what-if" scenarios. For instance, machines are checked to ensure they have the latest antivirus signature files. This is good protection against known threats, but a zero-day attack would still leave a NAC-protected machine vulnerable.
Sophos contends that zero-day protection is integrated with its antimalware protection, which employs Behavioral Genotype technology as a defense against zero-day exploits. In other words, for zero-day protection, NAC is only as good as the antimalware solution deployed in the enterprise.
There is also the possibility of spoofing: a machine that appears to meet, but does not actually meet, the compliance requirements. Sophos states that its solution guards against this by using a multitude of checks, such as files, registry entries, processes and APIs.
NAC Advanced currently supports only the Windows platform, but Sophos has plans to include other platforms. Reviewers would also have liked to see "in-the-box" policies designed for specific regulations such as PCI and HIPAA.