First Look - NAC Director v3.1.7
OCT 2007
Peter Stephenson

Out-of-band NAC uses existing network architecture
There are three important functions of network access control (NAC) systems. They are endpoint management and compliance, identity management and usage policy enforcement. Bradford Networks’ NAC Director does all three — for wired, wireless and VPN systems — and it does it 100 percent out of band. There is no need to rewire your existing enterprise to implement NAC Director.

NAC Director is an appliance that sits on the perimeter of the network and notes all users attempting to enter the network. Each user has an agent on their computer that can be either persistent or dissolvable. Persistent agents are deployed to regular employees and contractors who enter the network routinely, while dissolvable agents are appropriate for ad hoc visitors to the network. Agents are tied to MAC addresses.

NAC Director has three important features that make it unique. First, it has an unprecedented breadth of supported devices, including at least 20 network vendors and a wide variety of security applications (anti-virus, anti-spyware, operating system) and allowed or prohibited applications, configurations and revision levels.
The second unique feature is its ability to be deployed in a wired, wireless or VPN environment. This is very important because today’s enterprises are likely to contain all three. Finally, NAC Director integrates easily with your existing enterprise infrastructure.

When a new user accesses the network for the first time, an agent is placed on the user’s computer. That agent may be persistent or dissolvable. The user is assigned to specific groups, each of which enforces assigned usage policies. Users are identified by what Bradford calls its 7-Point Identity Profile. This profile includes the user’s name or ID, the device’s name, MAC address and IP address, the user’s role, the place on the network from which the user is accessing the enterprise, and the time of day.

NAC Director has several safeguards that check users as they log in. First, users’ computers are validated to ensure that they are not violating any of the 7-point profile elements. If they are in violation, or if they match a known stolen device, NAC Director can apply its Get Out/Stay Out control. Devices accessing the enterprise may be scanned for vulnerabilities using the popular Nessus scanner. Finally, NAC Director checks for processes running on the accessing computer and ensures that only those allowed are running.

Once NAC Director determines that the user is welcome on the network, the next step is to apply policies for the user’s role or group. These can assign the user to a particular VLAN and/or route to an individual port. If a user is out of compliance, they may be directed to resources that can assist in self-remediation, simplifying administration and use for administrators and users alike.
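The admission flow described above (identity-profile validation, stolen-device check, endpoint compliance, then VLAN steering or quarantine for self-remediation) can be modelled as a small policy engine. The block below is an added illustration written for this page; it is not Bradford Networks' code and does not reflect how NAC Director implements its checks. The attribute names, the stolen-MAC list, the role-to-VLAN map, the prohibited-process list and the sample sessions are all constructed assumptions.

```python
"""Toy NAC admission-policy engine (illustration only, not NAC Director's logic)."""
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional


@dataclass(frozen=True)
class IdentityProfile:
    """The seven attributes the review lists; field names are our assumption."""
    user: str
    device_name: str
    mac: str
    ip: str
    role: str
    location: str        # where on the network the device connects from
    login_time: time     # time of day the session was requested


@dataclass
class Decision:
    action: str                 # "allow", "remediate" or "deny"
    vlan: Optional[int] = None  # production or quarantine VLAN, None when denied
    reasons: List[str] = field(default_factory=list)


# Constructed sample configuration; none of these values are from a real deployment.
STOLEN_MACS = {"00:11:22:33:44:55"}
ROLE_VLAN = {"employee": 10, "contractor": 20, "guest": 99}
ROLE_LOCATIONS = {
    "employee": {"hq-wired", "hq-wifi", "vpn"},
    "contractor": {"hq-wired", "vpn"},
    "guest": {"hq-wifi"},
}
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # contractors only inside this window
REMEDIATION_VLAN = 666                        # reaches only self-remediation resources
PROHIBITED_PROCESSES = {"p2pclient.exe", "remoteshell.exe"}


def evaluate(profile: IdentityProfile, running_processes: List[str],
             unresolved_vulns: int = 0) -> Decision:
    """Hard violations deny the session outright; compliance gaps quarantine it."""
    # 1. Known stolen device or unknown role: exclude from the enterprise.
    if profile.mac.lower() in STOLEN_MACS:
        return Decision("deny", reasons=["device MAC is on the stolen-device list"])
    if profile.role not in ROLE_VLAN:
        return Decision("deny", reasons=[f"unknown role {profile.role!r}"])

    # 2. Usage policy on the identity profile: network location and time of day.
    if profile.location not in ROLE_LOCATIONS[profile.role]:
        return Decision("deny", reasons=[
            f"role {profile.role!r} may not connect from {profile.location!r}"])
    start, end = BUSINESS_HOURS
    if profile.role == "contractor" and not (start <= profile.login_time <= end):
        return Decision("deny", reasons=["contractor login outside business hours"])

    # 3. Endpoint compliance: prohibited processes or open scan findings
    #    send the device to the remediation VLAN instead of production.
    reasons = []
    bad = sorted(PROHIBITED_PROCESSES & {p.lower() for p in running_processes})
    if bad:
        reasons.append("prohibited processes running: " + ", ".join(bad))
    if unresolved_vulns > 0:
        reasons.append(f"{unresolved_vulns} unresolved vulnerability finding(s)")
    if reasons:
        return Decision("remediate", vlan=REMEDIATION_VLAN, reasons=reasons)

    # 4. Authorised and compliant: steer to the role's production VLAN.
    return Decision("allow", vlan=ROLE_VLAN[profile.role], reasons=["all checks passed"])


def demo() -> dict:
    """Evaluates constructed sample sessions; returns {user: (action, vlan)}."""
    sessions = [
        (IdentityProfile("alice", "LT-ALICE", "aa:bb:cc:00:00:01", "10.1.0.5",
                         "employee", "hq-wifi", time(9, 30)), ["outlook.exe"], 0),
        (IdentityProfile("bob", "LT-BOB", "aa:bb:cc:00:00:02", "10.1.0.6",
                         "contractor", "hq-wired", time(10, 0)), ["p2pclient.exe"], 0),
        (IdentityProfile("carol", "LT-CAROL", "aa:bb:cc:00:00:03", "10.1.0.7",
                         "employee", "vpn", time(11, 0)), [], 2),
        (IdentityProfile("dave", "LT-DAVE", "00:11:22:33:44:55", "10.1.0.8",
                         "employee", "hq-wired", time(12, 0)), [], 0),
        (IdentityProfile("erin", "LT-ERIN", "aa:bb:cc:00:00:05", "10.1.0.9",
                         "contractor", "vpn", time(23, 0)), [], 0),
    ]
    results = {}
    for profile, procs, vulns in sessions:
        d = evaluate(profile, procs, vulns)
        results[profile.user] = (d.action, d.vlan)
        print(f"{profile.user:6} -> {d.action:9} vlan={d.vlan} ({'; '.join(d.reasons)})")
    return results


if __name__ == "__main__":
    demo()
```

The ordering matters: identity and stolen-device checks run before any endpoint posture test, so a device that should never be on the network is never placed on the remediation VLAN, where it would still reach the self-help resources.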
NAC Director has comprehensive reporting and alarming. Reports may be customized, but the product comes with several standard reports pre-configured. For high security applications, NAC Director can integrate IDS/IPS systems that perform deep packet inspection. Reports easily support compliance with regulatory requirements, such as SOX, HIPAA and GLBA.

Initial deployment of the appliance consists of installation and subsequent discovery of all of the devices on the enterprise. When the user accesses the network, NAC Director performs its functions, and if the user’s machine is in violation of policies, NAC Director reports to the appropriate device and dictates the actions per the violated policy. The device then responds by following NAC Director’s orders and either forces the user to perform remediation or excludes the user from the enterprise.

I found NAC Director to be acceptably easy to deploy, well documented and well supported. The breadth of supported devices and security programs coupled with its robust feature set are enhanced by its out-of-band implementation. Pricing starts at $6,495, which is extremely reasonable for a product of this type, especially given its unique qualities. The Bradford Networks website is a feast of information, including data sheets, features and benefits charts, a knowledge bank, white papers, interoperability guides, product manuals, FAQs and application notes.

Prior to reviewing NAC Director, we received a comprehensive online demo complete with the opportunity to play around with the product and question qualified engineers. As always, one question related to whether Bradford Networks supplies this level of pre-sales support to potential customers. We were assured that all customers get the same treatment that we did. Because there are several unique aspects to the product, we appreciated the direct contact with NAC Director experts and a chance for supervised hands-on instruction before we got deeply into the product.

This is a well-thought-out product from a pioneering company that’s been in the business of NAC since 2002. In addition to the NAC Director, the company offers a broad suite of implementation, customization and training services. When it comes to a comprehensive NAC product, NAC Director is the real McCoy.
What it does:
Manages network access control across wired, wireless and VPN implementations for access to a very wide variety of network devices, software products and security products and services.

What we liked:
Breadth of supported devices, comprehensive environments supported, out-of-band deployment, as well as depth of analysis of devices attempting to access the enterprise.

What we didn't like:
Nothing. This one's a winner from start to finish.