TMCnet News
NAC Grows Up -- StillSecure's Safe Access 5.0 just outpaces Symantec's and Sophos' security solutions

(Computer Reseller News Via Acquire Media NewsEdge)

There are a million things to take into consideration when building out network security; making sure that even employees and welcomed guests only get in if they're prescreened is right at the top. Still, development of a common industry standard for deploying Network Access Control (NAC) has been elusive as vendors take different approaches to get the job done.

NAC has gotten a bad rap in the past by creating obstacles for end users whenever they didn't follow strict procedures. The process became so clumsy that at one time the technology was referred to as "help-desk call generators." That was certainly no way to endear itself to either a CIO or a CFO -- not to mention every user that needs access.

That's changed today. Even though there's no standard way to deploy a NAC solution (some are hardware-based, some are software-based, some combine both elements), ease of use has taken leaps forward -- as has the industry's understanding of the threat landscape.

There was a time when the impetus for hackers and other forms of cybermiscreants was "street cred" and bragging rights. Today's threats are, in general, motivated by profit, which guarantees that inventive tactics for penetrating networks and accessing sensitive data are relentless and plentiful. And so the CRN Test Center looked at three solutions available to VARs to provide both ease of access and security.

Methodology

CRN Test Center reviewers considered a variety of vendors and solutions before finalizing the scope and vendors for this test. Vendors approach the NAC space from a variety of angles, looking at traditional client security, offering desktop agents and comprehensive policy servers. While a majority of the vendors offer an appliance-based solution, a handful of them offer software solutions, leaving channel partners free to source their own hardware.

Reviewers placed themselves in the mindset of a solution provider looking for a comprehensive solution that would work within privacy, compliance and data-retention requirements. The customer network would consist of guests with limited access, along with roaming and on-site users. To balance the competing features, the solutions were restricted to software products.

NAC vendors Sophos, Burlington, Mass.; StillSecure, Superior, Colo.; and Symantec Corp., Cupertino, Calif., participated in this review. Reviewers examined the feature set, management interface and flexibility in creating policies and profiles. Ease of deployment was also considered. As usual, reviewers also considered each company's channel program to determine which would be best.

StillSecure Safe Access 5.0

StillSecure submitted its Safe Access 5.0 product for review. StillSecure gives solution providers the option of either getting the software and installing it on their own hardware, or having StillSecure provide the server as well. The company has a list of specific hardware platforms that it has tested the product on and works with the partner to make sure the sourced hardware is sufficient. For the minimum requirements, the server must have at least an Intel Pentium 4 processor at 2 GHz, 2 GB of RAM, Gigabit Ethernet networking, a CD-ROM drive and networking cards (the exact number varies with the type of installation).

StillSecure is currently pushing Dell servers as the ideal platform, so reviewers asked the company to source the server as well. The Dell PowerEdge 1950 server came with Intel Xeon processors, a 73-GB SAS hard drive and two networking ports. StillSecure said Safe Access will cost as little as $20 per IP address in a 2,500-user deployment.

Safe Access is deployed as an enforcement server on the network. Depending on the network size and needs, customers can choose to have multiple enforcement servers on the network, and they can all be managed from a single management server.

The enforcement server can be installed using one of three enforcement methods: inline, DHCP or 802.1x. Reviewers chose to install Safe Access inline on a single server. This option means there are no changes required to the network's existing configuration settings. The DHCP method performs an end point assessment before the DHCP server assigns an IP address. The 802.1x method requires a RADIUS server and is ideal for quarantining ports between VLANs.

For deployment, the Safe Access software needs to be installed on the designated server. No other software can be installed on that machine because Safe Access installs StillSecure OS, the company's own hardened Linux-based OS. Because this was a single-server installation, the management and enforcement servers resided on the same box. The server requires a static IP address and host name, along with other basic networking information.

Once the software has installed, the server reboots into Safe Access. The rest of the configuration -- time information, admin password, etc. -- is done from a workstation using a Web browser with at least 128-bit encryption. The management interface was cleanly laid out in a three-pane window. All the options for policies, reports and configuration were available to the left, information was in the middle pane, and more details and information were to the right.

User authentication can occur against LDAP or an RDBMS. For testing, reviewers used an LDAP-based server. StillSecure's Safe Access performs authorization based on the physical device. This means all the users must meet the same end-point-security requirements (patches installed, antivirus running, etc.) before being allowed network access. StillSecure does support authorization based on user roles to a limited extent, where different security requirements kick in, based on whether the user is connecting from a VPN or LAN. This can be defined by creating a NAC policy for LANs, VPNs, wireless, etc.

After creating the NAC policy, the end-point checks can be mapped to a device group. The NAC policy is not created on the individual user level.

When a guest tries to connect, an ActiveX agent performs a system assessment on the guest's machine. If the guest passes muster, they are allowed onto the network. While the initial checks are run before the client is allowed on the network, Safe Access can be configured to retest end points at set intervals. So if the guest turns off the antivirus after connecting to the network, a retest will find that and correct it.

Safe Access supports most major antivirus products and many of the smaller ones, such as ClamWin and Panda. It also supports personal firewalls such as Check Point's ZoneAlarm. And it can check for Windows operating system patches and for other software packages, such as Microsoft Office. Many of the checks are configured into the box, such as operating system services and security authentication.

Safe Access also supports custom checks, so tests to ensure an in-house application is installed, or that there aren't certain files on the machine, can be created. The checks are created using a Python-based process. Programming-savvy IT admins can develop their own checks, but this is an area where solution providers can offer value.

Symantec End Point Protection Client And Network Access Control

Today, Symantec's NAC solution automatically remediates machines that are placed into quarantine. This solution eliminates the need for users to connect to special sites. Symantec offers a layered architecture, where users seeking access are routed through a single gateway enforcer server, a policy manager with a central management console and an end-point client. Symantec's NAC also works with third-party software patch solutions like Altiris and Microsoft Systems Management Server to automate patch management.

Contractors, consultants and even employees that are connecting with other users' machines can take advantage of this flexibility. The users don't need to have persistent access point clients on machines that they're using temporarily.

Now at version 11.0, Symantec's End Point Protection Client and Network Access Control management tools arrive with multiple enforcement options -- 802.1x, DHCP enforcement, LAN enforcement and host-based self-enforcement. But NAC is more about checking the integrity of end points than it is about figuring out the authentication process through Active Directory, LDAP and 802.1x RADIUS.

The self-enforcement option, for instance, is the easiest method to deploy for companies looking to introduce NAC. Host-based self-enforcement uses personal firewalls installed on end-user machines. In a self-enforcement scenario, devices check their own statuses. If agents don't find them compliant, they will automatically switch the machines into a quarantine state. The process is driven by policies. Administrators can create quarantine policies for firewalls, antivirus, desktop IDS/IPS and particular device controls.

Symantec's NAC tools go beyond network devices, too. The policies work on just about any device that is accessible through IP and SNMP. The enforcer will detect clients that are trying to connect and will challenge them to see if they have agents installed. Clients without agents are processed through a scanner. Noncompliant clients end up in a quarantine zone or are blocked altogether.

Symantec's NAC offering also has a peer-to-peer enforcement option. With this option, only employees from the same group can connect into a LAN.

Scanning without agents has one advantage: It doesn't require loading agents. However, it's extremely limited. There's also a delay for users that are trying to come in through a gateway, VPN or other external access points.

Dissolvable agents, which can perform the same functions as the permanent agents, tend to be the most popular way to interact with clients. Even the authentication process runs the same way, but as clients pass through the authentication process the agents delete themselves.

Overall, Symantec's NAC solution is simple to deploy and manage. The management interface is intuitive enough that even junior administrators can create sophisticated policies with little assistance. The Test Center found the products quite comprehensive in their coverage.

Sophos NAC Advanced

Sophos NAC Advanced, like the others, is a software-based solution. The premise of how the solution works is a three-way strategy to protect the end point -- by assessing Microsoft security patches, antimalware software and personal firewall. Sophos' claim is that this type of end-point-driven focus is important to counteracting today's type of security threats.

Sophos NAC Advanced is capable of monitoring managed and unmanaged computers. Managed PCs are assessed through an installed, persistent agent. Unmanaged PCs (unknown on the network, or "guest users") are assessed through Web technology.

The testing environment consisted of a Windows 2003 server on which NAC Advanced's Console, Enterprise Console and DHCP enhancer were installed. In addition, two Windows XP clients served as guinea pigs: one a managed client with the agent installed, and the other unmanaged to test the Web interaction capabilities. Upon logging into the managed client, Sophos' NAC registered and updated the PC with the latest policy information. The unmanaged PC was kept quarantined off-network until going to a designated URL to make it compliant.

Policies, with Sophos' product, can be enforced in a couple of different ways: DHCP, VPN (IPSec or SSL) or 802.1x. There is also an agent enforcement option built into the NAC agent. The management interface is detailed and customizable.

The only critique is that interfaces seem to be all over the place. There's the Enterprise Console and the NAC Console. The Enterprise Console is a dashboard that gives an overall look at the NAC-protected environment of a network. Items listed can include the number of managed or unmanaged computers, status on updates (which evoke an MMC snap-in) and alerts on computers with malware or suspect files. The interface also offers a more drilled-down view and the state of the machines' antivirus versions, firewall and any alerts or errors. Threshold levels can be defined; if a level is exceeded, the dashboard status indicator reflects urgency. SMTP e-mail alerts can be sent as well.

Reporting is another feature. Reports are customizable and can be viewed in tabular or chart views. Reports are exportable as PDF, Excel, Word, HTML, RTF, XML or HTTP. Inside a generated tabular report, any alerts listed are hyperlinks, which will redirect to Sophos' Web site for additional information.

The NAC Console differs from the Enterprise Console primarily because it is there that policies and profiles are configured.

There were a couple of "what-if" scenarios reviewers posed. For instance, machines are checked to ensure they have the latest antivirus signature files. This is a good protection against known threats. A zero-day attack would still leave a NAC-protected machine vulnerable. Sophos contends that zero-day protection is integrated with its antimalware protection, which employs Behavioral Genotype technology as a defense against zero-day exploits. For zero-day protection, NAC is only as good as the antimalware solution deployed in an enterprise.

There is also spoofing and the possibility that a machine appears to meet, but does not meet, the proper compliance requirements. Sophos states that its solution uses a multitude of checks, such as files, registries, processes and APIs.

NAC Advanced currently only supports the Windows platform, but Sophos has plans to include other platforms. Reviewers would also have liked to see "in-the-box" policies designed for specific regulations like PCI and HIPAA.

Bottom Line

In many cases, a software-based solution for NAC will meet the needs of an organization -- and provide an integrator with the opportunity to wrap custom solutions or services around it.

After evaluating each of these products, the Test Center found that StillSecure's Safe Access 5.0 slightly outpaced the others, followed by Symantec's solution and then Sophos'. Safe Access 5.0 is robust and customizable, justifying adding a NAC as an extra layer of security. Symantec offers a nice solution, but finds itself more limited than Safe Access 5.0 without deploying agents. Sophos, too, is good, but we were left wanting more. While all the solutions could be fine in particular deployments, functionality led us to choose Safe Access 5.0 first, Symantec second and Sophos third in this comparative review.

Mario Morejon, Fahmida Y. Rashid and Samara Lynn contributed to this story.

---

VAR's Voice: Getting Started

Dan Thormodsgaard, director of solutions architecture at Fishnet Security Inc., based in Kansas City, Mo., gives a few tips for successfully getting into the NAC space.

ASSESS CUSTOMERS' INFRASTRUCTURE: Research process and technologies for a NAC solution. Do your due diligence and look for a solution that's multivector for authentication and authorization. Above all, most NAC solutions have to fit into the enterprise. Look at manageability. Enforcing or discussing enforcing a NAC policy is a daunting task. What does it look like today? If you want to enforce it, what kind of impact does it have on the organization?

ESTABLISH CLEAR OBJECTIVES: You need to identify what your business requirements are, what you're trying to accomplish. Some areas are compliance. In order for them to comply, they have no choice.
Next there are some risk-mitigation objectives, to protect data systems. Implementation on the remote access side is well-received and budgeted. Same for guest access for wired and wireless -- more so [for] wireless. If they can have one solution that provides that NAC access, that is the desired state.

EDUCATE YOUR CUSTOMER: We provide strategic guidance for customers -- we are educating them on NAC for the most part. Often they're talking about a specific product. But there isn't one product that has an overall encompassing solution around NAC. You've got other components.

IMPLEMENT IN PHASES: In Q1 and Q2 they have a budget, but they're kind of pushing back on purchasing. It's not an absolute thing that they have to do -- unless there's a clear business objective to why they're doing it. Try to talk short-term and long-term strategy.

-- Stefanie Hoffman

---

The Key Players In NAC

Key Players: Sophos
Burlington, Mass.
(781) 494-5800
www.sophos.com
Key Product: Sophos NAC Advanced
Channel Points: Sophos has a three-tiered partner program: Platinum, Gold and Silver. A training and certification program is offered, as well as 24-hour technical support, dedicated channel managers, sales and marketing tools, free product training and increased margins.

Key Players: Symantec
Cupertino, Calif.
(408) 517-8000
www.symantec.com
Key Product: Symantec End Point Protection Client and Network Access Control
Channel Points: Symantec has a four-level partner program: Registered, Silver, Gold and Platinum. All levels receive access to marketing tools, as well as access to the PartnerNet Portal and Tools. A configuration/quote generator tool is also available for all partners. Online technical support is available, but 24x7 support varies among levels.

Key Players: McAfee
Santa Clara, Calif.
www.mcafee.com
(866) 736-3971
Key Product: McAfee Network Access Control
Channel Points: McAfee offers an extensive and varied partner program with four divisions: Security Innovation Alliance Partners, McAfee Service Provider Partners, OEM Partners and Partner Security Services Partners. Partners receive support, training, marketing tools, and substantial incentives and rebates.

Key Players: Juniper Networks
Sunnyvale, Calif.
(888) 586-4737
www.juniper.net
Key Product: Juniper Networks UAC deployed with EX-series Ethernet switches
Channel Points: Juniper's "J-Partner" architecture provides an array of partner programs designed to provide partners with the tools they need to deliver customer satisfaction and incentives; training and support span all of their partner programs.

Key Players: Trend Micro
Cupertino, Calif.
(800) 228-5651
www.trendmicro.com
Key Product: Network VirusWall Enforcer
Channel Points: Trend Micro offers three partner programs: SecureOne Partner, Vantage Partner and VantageONE Partner. Technical and sales certification are available for partners. Vantage partners can participate in the Vantage Rewards program and receive cash for selling Trend Micro products.

---

VAR's Voice: Handling Objections

Ed Glorioso, president of Network System Architects Inc., a Denver-based VAR, offers engineering and IT consulting solutions to a range of clients from SMBs to enterprises. Here, he offers a few strategies for overcoming customer concerns about NAC solutions.

BE PREPARED FOR RESISTANCE: NAC is as much a cultural change and shift as it is technical. Everyone is hurting for IT dollars. I really like [NAC] but it has to compete with this other stuff. When [customers] have money, that's what they do. When they don't have money, it's on the back burner.

LISTEN TO YOUR CUSTOMER: Everybody has a seat at the table. Nobody is feeling left out. The more they have a voice, the higher your success rate.

REASSURE YOUR CUSTOMER AND TAKE SMALL STEPS: NAC honestly is a good opening story. It's a really good sales leader. We can open up that conversation in the SMB with NAC because it doesn't cost anything to listen. If you say NAC, they say, "I've heard of that and it's great stuff." But most of them say, "No way, I can't afford it." We can get people stoked about solving problems and not turning their organizations upside down. [For SMBs], the biggest inhibitor is that NAC equals money, and lots of it, and that's not necessarily true.

PACKAGE NAC WITH OTHER SECURITY MUST-HAVES: We just talk to them about how we can solve their problems. If we can bundle it into their antivirus, then we're talking. It's a different conversation entirely.

MAKE DEPLOYMENT EASY: We can walk into a client environment and have it up in a matter of hours. The agents are nonintrusive. Monday morning a person coming in can log into their desktop. Monday afternoon they are logging into their desktop and it's doing the same thing. They don't even know it's there.

BE TRANSPARENT ABOUT DEADLINES: Enterprise has a totally different, complex set of problems. Enterprise is so large that they're afraid to death to make any changes. They'll talk about it for the next 20 years. The biggest thing for enterprise is to lower the fear of this big process engagement that's going to unfold. Transparency is a word that can roll it all up into one strong point for enterprise -- collaboration and transparency.

-- Stefanie Hoffman

---

1: Scorecard
StillSecure Safe Access 5.0
Deployment: 5 stars
Security: 5 stars
Management: 5 stars
Features: 5 stars
Profit Potential: 4 stars

---

2: Scorecard
Symantec End Point Protection Client And NAC
Deployment: 4 stars
Security: 4 stars
Management: 4 stars
Features: 4 stars
Profit Potential: 5 stars

---

3: Scorecard
Sophos NAC Advanced
Deployment: 4 stars
Security: 4 stars
Management: 3 stars
Features: 4 stars
Profit Potential: 5 stars

http://www.crn.com

Copyright 2008 United Business Media LLC.
All rights reserved. Copyright © 2008 CMP Media LLC
