Network Admission Control: A Survey of Approaches (166374611)


Page 1: Network Admission Control: A Survey of Approaches (166374611)

7/29/2019 Network Admission Control: A Survey of Approaches (166374611)

http://slidepdf.com/reader/full/network-admission-control-a-survey-of-approaches-166374611 1/34

Bradford Networks | Cisco Systems | ConSentry Networks | Enterasys/Lockdown | Extreme | ForeScout | Fortinet | HP

Product Features

Product Overview

Product Name: NAC Director LX | Cisco NAC Appliance | LAN Shield Switch, controller and Manager | Enforcer | Sentriant AG | CounterACT | Fortigate 224B | ProCurve Network Access Controller 800

Appliance or Software: Appliance | Appliance | both | Appliance | Both | Appliance | Appliance | Appliance

List Pricing

Education Discount

Annual Maintenance for first year

Annual Maintenance for subsequent years

Licensing Costs (if any)

3 Year Cost

Licensing by IP Address: based on unique user/person | No | n/a | No | Included | No | No

Licensing by concurrent users: appliances are sized based on concurrent user count | Yes, per device. | n/a | No | Yes | Yes | No | No

Hardware

Form Factor: 1U Appliance 1U Enforcer and Commander: 1U and 2U Rackmount Intel Appliance 1U Fixed

Processor: 2.66GHz | N/A | 128Core | Intel E6300 1.86GHz Core 2 Duo | Pentium 4 2GHz | Dual Xeon | ASIC | Intel® Core™ 2 Duo @ 2130 MHz 2 GB DDR2 SDRAM

Hard Drive Specs: dual 160Gb SATA | N/A | n/a | 1U 80 or 250 GB, 2U 75 GB RAID | 36GB | Depends on appliance up to 160G - typical 3-6 months of logs | FortiAnalyzer | 80 GB

Network Admission C

SMU Confidential 9/7/2013


Data Throughput Rate: Varies | 1 GB/sec | 10 Gbps | 10/100/1000 | 1gb | Gigabit - Out of band appliance - smaller security container than inline appliances | 4.4Gbps Switching | 9 to 16 Kilobytes of data between a single endpoint and a single NAC 800 server for a single testing session (approx 2 tests)

#/Type of Network Ports: 2x 1Gbps | 10/100/100 | 20/8 1Gbps SFP | LAN: 2x 10/100/1000 Ethernet; Serial: 2xCB-9; USB: 2x USB 2.0 | n/a | 4/6/8/8 | 26 10/100, 2 10/100/1000 | 2 RJ-45 auto-sensing 10/100/100 ports - 1 serial console port

# of Concurrent Administrators Allowed: 3 types, multiple of each | No practic | 10 | unrestricted | 1 | Unlimited | Unlimited | No enforced limit

Administration

Central Management Interface for multiple appliances: Yes | Yes. | Yes | Yes | Yes | Yes | Yes | Yes

Out of Band Management Interface: Yes | Yes. | Yes | Yes | Yes | Yes | Yes | Yes

SSH access: Yes | Yes. | Yes | Yes | Yes | Yes | Yes | Yes

Operating System: Linux Suse 10.x | Proprietary Linux | Proprietary/Windows | Linux | Hardened Linux | Hardened Common Criteria and FIPS 140-2 certified | FortiOS | Linux

Automated Backup and Restore: Yes | Yes. | Yes | Manual Backup and Restore only | Yes | Yes | Yes | No


Active directory administrator login: Note required | No. | Yes | Yes | Yes | Yes | Via RADIUS | Yes

Scalability

Redundant Power: Yes | Yes, on larger devices. | Yes | 1U - Active/Passive HA; 2U - Active/Passive HA and built in redundancy | Yes | Yes | No | No

High Availability Failover: Yes | Yes. | Yes | Yes | Yes | Yes | Yes | Yes

Max number of users per appliance: 8000 | 3500 | 2000 | 300 Quarantine | 3000 | CTR - 50 Users; CT100 - 250 Users; CT1000 - 1000 Users; CT2000 - 2500 Users; Coming soon - CT4000 - 4000 User appliance | No user licensing | 2,500 endpoints per Combination Server (CS); 3,000 endpoints per Enforcement Server (ES); 10 ES per Management Server (MS) totaling 30,000 endpoints per MS

Time to scan and authenticate end user under peak load conditions: Varies | < 1 Sec. | 5-30sec | Under 10 seconds | 7 seconds per device | Network admission: instant; End user scan: seconds | 15 seconds | On a 100Mb LAN, the testing process would typically take between 5 and 10 seconds.


Max number of registrations/scans per minute: 1500 per second | 4800 | 2000 | Highly variable, based on tests run, and results, ideally 1800 | 3000 scans per minute | This isn't a metric we keep. We have several customers with 40-80K systems. | * | Will depend on tests defined for each scan with a target of 250 scans / minute per enforcement server. Multiple enforcement servers can be managed by a single management server in a domain

System Diagnostics

CPU monitor (GUI or CLI): Both | Both. | n/a | Yes | GUI | We have diagnostics available in the GUI that indicates if there is an issue with the appliance. Additionally, you can always manually verify the health of the appliance with the command line. | yes | GUI

Memory Utilization (GUI or CLI): Both | Yes. | yes | Yes | GUI | yes | GUI

Disk Utilization (GUI or CLI): CLI | Yes. | n/a | Yes | GUI | yes | GUI


Uptime (GUI or CLI): CLI | Yes. | yes | Yes | GUI | yes | GUI

NAC Features

NAC Features

Agent or Agentless: Persistent, run-once, agentless Nessus integration. | Both. | dissolvable | Yes | Both | Agentless - We have an agent if requested. | Optional | Both

Requires Administrative Privileges: Depends on policy | No. | no | No | Sometimes | Yes | No | The NAC 800 offers 4 user roles each with different privileges

Zero Day Threat Prevention: Integration with IDS/IPS, Nessus | No. | yes | Yes* | Yes | Yes | Yes | No

Pre-Admission Checks: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Post-Admission Checks: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Dynamic Policy Enforcement: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes, with IDM

Quarantine: Yes | Yes. | yes | Yes | Yes | Yes - multiple methods | Yes | Yes

Quarantine without risk of cross-infection: Yes | Yes. | yes | Yes | Yes | Yes - multiple methods | Yes | Is possible depending on the switch where the endpoint is connecting.

Remediation: Yes | Yes. | yes | Yes | Yes | Yes - multiple methods | Yes | Yes

Notification to end user of specific reason why access has been disabled: Yes | Yes. | yes | Yes | Yes | Yes - multiple methods | Yes | Yes

Inline or Out of Band: Out | Either. | Inline | Both | Both | Out of band | Inline | Both

Searchable by any client field (IP address, MAC address, Active Directory ID, email): Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes


Correlate Wired and Wireless MAC addresses for the same computer: Yes | Yes. | yes | Yes | no | Yes | No | No

Real-time collection and reporting of data: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Scanning of Client machines at authentication: Yes | Yes. | yes | Yes | Yes | Yes | Yes | No

Allows access for non-SMU affiliated guests: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Allows access for remote users: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Realtime (ongoing) Nessus-type scanning of client machines: Yes | No. | no | Yes | No | Yes | No | No

Custom Nessus Scanning: Yes | Yes. | no | Yes | No | Yes | No | No

Registry Key Scanning: Yes | Yes. | yes | Yes | Yes | Yes | No | Yes

Client Administrator Access Required: Only for writes to the system - as mentioned above, policy scans do not require admin access. | No. | no | Yes | Yes | Yes | No | Yes

Time of Day Policies: Yes | Yes. | yes | Yes | No | Yes | Yes | Yes, with IDM

NAT Detection: Yes | Yes. | no | No - however this is available when it occurs downstream from some Cisco switches | No | Yes | No | No

Rogue DHCP Server Detection: Yes | Yes. | yes | Yes | Yes | Yes | Yes | No

Supports integration with Cisco, Nortel and HP routers: Yes | Yes. | not necessary | n/a | Yes | Yes - and more (e.g. Extreme, Foundry, etc) | N/A | Yes


Supports integration with Nortel, HP and Aruba Networks Switches: Yes | Yes. | yes | Yes | Yes | Yes - and more (e.g. Extreme, Foundry, etc) | HP, Aruba, | Yes

Supports SSH communication with network devices: Yes | Yes. | yes | Yes | Yes | Would have to understand the scope of the integration - quite possibly native. If not our Perl plugin SDK allows you to write plugins for CounterACT | No | Yes

Supports Bandwidth management: Yes | Yes. | Q4 - 2007 | No | No | Out of band | Yes | No


Supports integration with PacketShaper: Yes | No. | no | No | No | Would have to understand the scope of the integration - quite possibly native (e.g. syslog, snmp, etc) - and if not - our Perl plugin SDK allows you to write plugins for CounterACT | Yes | No

IPv4 and IPv6 capable: Yes in a future release | No. | yes | Yes | No | IPv4 now - IPv6 end of year | Yes | No

Policy Enforcement: Flexible policy definitions are Yes | Yes. | yes | Yes | Yes | Yes - multiple methods | Yes | Yes

End-User Authentication

Active Directory Integration using single sign on at login: Yes by using login scripts on the directory server. | Yes. | Passive Kerberos Snooping | Yes | N/A | Yes | Yes | Yes

Radius Authentication: Yes | Yes. | Yes | Yes | Yes | Capable | Yes | Yes

802.1x Support - Pass-through/proxy: Yes | Yes. | Yes - transparent, no proxy req. | Yes | Yes | Yes | Yes | Yes

802.1x Support - Integrated: Not currently Yes - future release | No. | Yes | Yes | Yes | Yes | Yes | Yes

Role Based Identification: Yes | Yes. | Yes | Yes | Yes | Yes | No | Yes

Definition of separate security policies based on group membership (active directory): Yes | Yes. | Yes | Yes | No | Yes | Yes | Yes


Operating Systems Supported

Windows Vista: All versions are Yes | Yes. | yes | Yes | No | Yes | Yes | No

Windows XP: Yes | Yes. | yes | Yes | Yes | Yes | yes | Yes Home and Professional

Apple OSX: Support for versions 10.1 and above. | Yes. | yes | Yes | Yes | Yes | yes | Yes Mac OS version 10.3.7 or later

Linux: Yes with non-persistent agent only | Yes. | yes | Yes | No | Yes | yes | No

Palm or other PDA: manual or automated bypass | Yes. | yes | Yes* | No | Yes | yes | No

Antivirus Supported

McAfee: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Norton: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Kaspersky: Yes | Yes. | yes | Yes | Yes | Yes | yes | Yes

eTrust: Yes | Yes. | yes | Yes | Yes | Yes | No | Yes

F-Secure: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Panda: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Symantec: Yes | Yes. | yes | Yes | Yes | Yes | No | Yes

Sophos: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Trend Micro: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes


Other (please list): Yes. | avast!, SOFWIN, BitDefender, Zonelabs, AVG, NOD32, AVG for Linux | AEC, AhnLab, ALWIL Software avast!, AOL, Authentium, Avira GmbH, Beijing Rising Technology, BellSouth, Check Point, ClamWin, Earthlink, Eset Software, Frisk, Gdata, Grisoft, H+BEDV Datentechnik, | Yes | You can add as many as you would like. Virtually unlimited. Adding a custom AV can be done in less than 45 seconds. | Forticlient | NOD32 AntiVirus, AVG AntiVirus Free Ed

AntiSpyware Supported

Counterspy: Yes | Yes. | No | Yes | Yes | n/a | No | Yes

McAfee: Yes | Yes. | Yes | Yes | Yes | No | Yes

Spybot: Yes | Yes. | No | Yes | No | No | No

Adaware: Yes | Yes. | No | Yes | Yes | No | Yes

Windows Defender: Yes | Yes. | Yes | Yes | Yes | No | Yes

Sophos: Yes | No. | Yes | Yes | No | No | No

F-Secure: Yes | No. | Yes | Yes | No | No | No

SpyHunter: Yes | No. | No | Yes | No | No | No

PestPatrol: Yes | Yes. | No | Yes | Yes | No | Yes


Other (please list): Yes. | Performs dynamic antispyware scanning with downloadable signature updates. FW (check point, redhat linux, Max OS, CA EZ Firewall, Window XP, BlackICE PC, Kerio Fw, Outpost, Norton) | AhnLab, AOL, Anonymizer, Authentium, BellSouth, Bullet Proof, CheckPoint, eTrust, EarthLink, xCleaner, Grisoft, Spyware Blaster, Spyware Begone, Spyware Doctor | Yes | Forticlient | CounterSpy, Spyware Eliminato, Webroot Spy Sweeper

Reporting

Event Logging

Searchable by Date: Yes | Yes. | yes | Yes | Yes | Yes | Yes | Yes

Searchable by Log Level/Type: Yes | Yes. | yes | Yes | Yes | Yes | Yes | No

Searchable by Service: Yes | Yes. | yes | Yes | Yes | Yes | Yes | No

Searchable by User Level: Not currently | Yes. | yes | No | No | Yes | Yes | No

Searchable by Operation: Yes | Yes. | yes | No | No | Yes | Yes | No

Searchable by message: Yes | Yes. | yes | Yes | No | Yes | Yes | No

Can send syslog messages to centralized logging server (Security Information Management): Not currently - roadmap item for CY 08 | Yes. | yes | Yes | Yes | Yes | Yes | No

Can syslog messages for most events, user registrations, authentication failures, scan results: Not currently - roadmap item for CY08 | Yes. | yes | Yes | Yes | Yes | Yes | No

System Diagnostics

CPU monitor: Yes | Yes. | yes | Yes | We have | Y | Yes (view

Memory Utilization: Yes | Yes. | yes | Yes | Yes | Y | Yes (view but no reporting

Disk Utilization: Yes | Yes. | yes | Yes | Yes | Y | Yes (view but no reporting

Uptime: Yes | Yes. | yes | Yes | Yes | Y | Yes (view but no reporting

Custom Reports


Can be emailed to administrators: Not currently | Yes. | yes | Yes | Yes | Yes | Y | No

Multiple Formats available - can import to other reporting systems: Supports HTML, CSV, Excel, XML, PDF and RTF formats | Yes. | yes | Yes | Yes | Yes - CSV capable | Y | No

Can access the database with reporting tools (e.g. 3rd party reporting tools like Crystal Reports): All data is stored in a MySQL database and is available externally | Yes. | yes | Yes | Yes | We have our own reporting engine. | N | No

Custom reports can be created on the appliance itself based on any field: Yes | No. | yes | No | No | Yes - multiple methods | Y | Yes

Web Server Statistics: Yes through back-end CLI commands | Yes. | GUI | Yes | Not quite clear - most likely Yes | Y | No

Generic LDAP/Radius Authentication: Yes | ? | Radius | Yes | Yes | Not quite clear - most likely Yes | Y | Yes

User Tracking: Supports login/logoff time, userid, user name, location IP, MAC, and bandwidth information for logging | Yes. | yes | Yes | Yes | Not quite clear - most likely Yes | Y | Yes

Additional Features

Security

Root access via SSH disabled: Yes | Yes. | Yes | Yes | No | Yes | Y | No

Webserver runs on the appliance: Yes | Yes. | No | Yes | Yes | Yes - Tomcat | Y | No

Product History


Year in which product came to market: 2001 | 2003 | 2004 | 2005 | 2004 | IPS - 2001; NAC - 2005 | 2006 | 2007

Current revision level of software: 3.1.7 | 4.1 | 3.1 | v4.5.4 | 01/05/00 | 6.1.3 | 3.0 Maintenance Release 5 | software version 1.0c

Number of developers working on product: 10 | 19 | 50 | 20 | 80 | 35 | ProCurve does not disclose this information.

Frequency of Product Updates: Quarterly for maintenance updates - 2 major updates per year | Quarterly | 2 Major, 6 Maintenance | Twice Annually | As needed | 3-5 Months for significant updates - Product is considered mature. | Quarterly basis | There is not a set update schedule. Updates are made on an "as needed" basis.


Frequency of Signature Updates: Weekly | Hourly | Monthly | Twice daily | As needed | N/A for IPS - Monthly for MS vulns | Daily/Weekly | is automatically updated with tests that cover newly released patches, hotfixes, software updates, worms, and Trojans, and recommended security settings for common applications. New tests are automatically added to the test database as frequently as hourly, ensuring immediate

Average Product Lifecycle: Hardware 3-5 years | 2 yrs. | 5 years | N/A | Not quite clear - Hardware or software? Actual or projected? | 3-5 years | On average, ProCurve products have a 5 year lifecycle.


Strategic Vendor Partnerships: Aruba, Stonesoft, Packeteer, HP, Extreme, Meru, Enterasys, BigFix Multiple. Alcatel Microsoft, Patchlink, Safe End, Lancope, Intel, IBM, Patchlink, Qualsys, IBM, Microsoft, several others. We integrate very well with other products because of our modular plugin architecture. HP, Aruba, Alcatel, Arcsight SonicWall & Fortinet


Trend Micro | Vernier Networks

No Response | No Response


Bradford Networks | Check Point | Cisco Systems | ConSentry Networks | Enterasys | ForeScout Technologies | InfoExpress | J Ne

Product Features

Product Overview

Hardware

Administration

Scalability

System Diagnostics

NAC Features

NAC Features

End-User Authentication

Operating Systems Supported

 AntiVirus Supported

 AntiSpyware Supported

Reporting

Event Logging

System Diagnostics

Custom Reports

Additional Features

Security

Product History

Overall Evaluation


(Insert Vendor Name Here) Notes

Product Features

Product Overview

Product Name

 Appliance or Software

List Pricing 

DIR Pricing Available

*DIR Pricing is standard discount pricing set by the Texas Department of Information Resources

Education Discount

 Annual Maintenance for first year 

 Annual Maintenance for subsequent years

Licensing Costs (if any)

Licensing by IP Address

Licensing by concurrent users

Hardware

Form Factor 

Processor 

Hard Drive Specs

Data Throughput Rate

#/Type of Network Ports

# of Concurrent Administrators Allowed 

Administration

Central Management Interface for multiple appliances

Out of Band Management Interface

SSH access

Operating System

 Automated Backup and Restore

 Active directory administrator login

Scalability

Redundant Power 

High Availability Failover 

Max number of users per appliance

Time to scan and authenticate end user under peak load conditions

Max number of registrations/scans per minute

System Diagnostics

CPU monitor (GUI or CLI)

Memory Utilization (GUI or CLI)

Disk Utilization (GUI or CLI)

Uptime (GUI or CLI)

NAC Features

NAC Features

 Agent or Agentless

Requires Administrative Privileges

Zero Day Threat Prevention

Pre-Admission Checks

Post-Admission Checks

Dynamic Policy Enforcement

Quarantine

Quarantine without risk of cross-infection

Remediation

Notification to end user of specific reason why access has been disabled

Inline or Out of Band

Searchable by any client field (IP address, MAC address, Active Directory ID, email)

Correlate Wired and Wireless MAC addresses for the same computer

NAC Vendor Questionnaire


Real-time collection and reporting of data

Scanning of Client machines at authentication

 Allows access for non-SMU affiliated guests

 Allows access for remote users

Realtime (ongoing) Nessus-type scanning of client machines

Custom Nessus Scanning

Registry Key Scanning

Client Administrator Access Required 

Time of Day Policies

NAT Detection

Rogue DHCP Server Detection

Supports integration with Cisco, Nortel and HP routers

Supports integration with Nortel, HP and Aruba Networks Switches

Supports SSH communication with network devices

Supports Bandwidth management 

Supports integration with PacketShaper 

IPv4 and IPv6 capable

Policy Enforcement

End-User Authentication

Active Directory Integration using single sign on at login

Radius Authentication

802.1x Support - Pass-through/proxy 

802.1x Support - Integrated 

Role Based Identification

Definition of separate security policies based on group membership (active directory)

Operating Systems Supported

Windows Vista

Windows XP

Apple OSX

Linux 

Palm or other PDA

 Antivirus Supported

McAfee

Norton

Kaspersky

eTrust 

F-Secure

Panda

Symantec 

Sophos

Trend Micro

Other (please list)

 AntiSpyware Supported

Counterspy 

McAfee

Spybot 

 Adaware

Windows Defender 

Sophos

F-Secure

SpyHunter 

PestPatrol 


Other (please list)

Reporting

Event Logging

Searchable by Date

Searchable by Log Level/Type

Searchable by Service

Searchable by User Level 

Searchable by Operation

Searchable by message

Can send syslog messages to centralized logging server (Security Information Management)

Can syslog messages for most events, user registrations, authentication failures, scan results

System Diagnostics

CPU monitor 

Memory Utilization

Disk Utilization

Uptime

Custom Reports

Can be emailed to administrators

Multiple Formats available - can import to other reporting systems

Can access the database with reporting tools (e.g. 3rd party reporting tools like Crystal Reports)

Custom reports can be created on the appliance itself based on any field

Web Server Statistics

Generic LDAP/Radius Authentication

User Tracking 

Additional Features

Security

Root access via SSH disabled 

Webserver runs on the appliance

Product History

Year in which product came to market

Current revision level of software

Number of developers working on product 

Frequency of Product Updates

Frequency of Signature Updates

Average Product Lifecycle

Strategic Vendor Partnerships