One of the main promises of network access control is that you can ensure that endpoint security tools are up to date and that non-compliant machines can be identified or blocked. As regulatory compliance has grown in importance, NAC vendors have reacted by building strong feature sets aimed at endpoint security and compliance. In our NAC testing, we had good, and sometimes great, results across the board when it came to endpoint security.
We created a very basic endpoint security policy, and then checked to see if we could implement that policy in our NAC products. We also looked at a variation on endpoint security: the ability of NAC products to handle system misbehaviour. For example, if a typical, compliant desktop started trying to break into other systems by guessing passwords, that would be a misbehaviour we'd like to detect. Whether the desktop is infected or the user is acting maliciously, it's still misbehaviour, and NAC can help put a stop to it.
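The misbehaviour case above (a compliant desktop guessing passwords against other systems) is the kind of thing a NAC product can act on if the network feeds it authentication failures. The following is an added example, not code from the article or from any of the products tested: it runs a sliding-window threshold over a handful of constructed syslog-style lines and reports which source addresses crossed the threshold and which hosts they were hammering. The log format, window and threshold are assumptions chosen for the illustration.

```python
"""Detect a host making many failed logins against other systems.

Added illustration; the log lines below are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd messages as a central collector might store them.
# 10.1.2.50 fails six times in twenty seconds against two hosts (misbehaving);
# 10.1.2.60 fails twice, five minutes apart (a user mistyping a password).
SAMPLE_LOG = """\
2010-03-01T09:00:01 fileserver sshd: Failed password for alice from 10.1.2.50 port 51000
2010-03-01T09:00:02 fileserver sshd: Failed password for alice from 10.1.2.50 port 51001
2010-03-01T09:00:04 fileserver sshd: Failed password for root from 10.1.2.50 port 51002
2010-03-01T09:00:05 fileserver sshd: Failed password for bob from 10.1.2.60 port 40000
2010-03-01T09:00:07 fileserver sshd: Failed password for admin from 10.1.2.50 port 51003
2010-03-01T09:00:12 mailhost sshd: Failed password for admin from 10.1.2.50 port 51004
2010-03-01T09:00:20 mailhost sshd: Failed password for postmaster from 10.1.2.50 port 51005
2010-03-01T09:00:30 fileserver sshd: Accepted password for alice from 10.1.2.50 port 51006
2010-03-01T09:00:45 fileserver CRON[4123]: pam_unix(cron:session): session opened for user root
2010-03-01T09:05:00 fileserver sshd: Accepted password for bob from 10.1.2.60 port 40001
2010-03-01T09:05:05 mailhost sshd: Failed password for bob from 10.1.2.60 port 40002
"""

# Assumed line shape: "<iso-timestamp> <target-host> sshd: Failed|Accepted password for <user> from <src> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<target>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Yield (timestamp, target_host, user, source_ip) for each failed login; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "Failed":
            yield datetime.fromisoformat(m["ts"]), m["target"], m["user"], m["src"]


def detect_brute_force(log_text, window_seconds=60, threshold=5):
    """Return {source_ip: set(target_hosts)} for sources with >= threshold
    failures inside any window_seconds span. Sliding window per source."""
    by_src = defaultdict(list)
    for ts, target, user, src in sorted(parse_failures(log_text)):
        by_src[src].append((ts, target, user))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within window_seconds.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                targets = {t for _, t, _ in fails[start:end + 1]}
                flagged.setdefault(src, set()).update(targets)
    return flagged


if __name__ == "__main__":
    for src, targets in detect_brute_force(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} target host(s) {sorted(targets)} -> candidate for quarantine")
```

The point of the example is the one the text makes: the flagged host may pass every posture check (antivirus present, patches current) and still be a candidate for quarantine purely on behaviour. Tune the window and threshold to the environment; the values here are arbitrary.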
We discovered some products that handled our policy, and some that went far beyond what we asked. Alcatel-Lucent SafeNAC, Bradford Network Sentry, Enterasys NAC, ForeScout CounterACT and McAfee NAC are the ones to start with if you want to get very deep and very dirty in your endpoint posture assessment. The good news is that every NAC product passed the main part of this test. We were able to put in our policy, or a close approximation, and we were able to successfully detect Windows 7 systems that were not compliant. Not every product could match our policy exactly, but we were able to get very close in every case.
Macintosh support is spottier. Most products had some degree of Mac support, and we were able to find our installed Sophos antivirus with every product, although not always easily. For example, Alcatel-Lucent SafeNAC doesn't know about antivirus tools, so we had to craft a policy based on other ways of detecting that Sophos was running on the client.
Overall, Macintosh OS X support is much weaker than Windows support in all products. This reflects both the compliance aspects of NAC endpoint posture assessment and the generally laissez-faire approach to endpoint security tools common in the Macintosh community.
Beyond the basics
Beyond basic endpoint security posture assessment, though, we found lots of differences between products. The difficult part was trying to figure out which differences mattered and which did not. We started at the highest level and found two main approaches to endpoint security: using a client that runs on the endpoint, and using a scanning tool that tries to detect the status of endpoint security remotely.
A number of products, including Avenda eTIPS, Bradford Network Sentry, Cisco NAC Appliance, Enterasys NAC and ForeScout CounterACT, actually combine both techniques, although with a caveat: the combination can be farcical.
The problem with using both an endpoint client and an endpoint scanner is that real vulnerability scanners are complex and expensive animals. For example, Nessus, the best-known vulnerability scanner, is built into several of the products we tested. Unfortunately, the licensing and charging model for Nessus changed in 2006 in such a way that it made updating Nessus impractical — leaving NAC vendors with a 4-year-old version of Nessus and an out-of-date set of scanning rules.
It's not just a Nessus problem, though; it's a question of whether the network manager taking care of the NAC management system is also ready to manage a vulnerability scanning system. For example, Cisco includes Nessus in its NAC Appliance, but a Cisco system engineer told us dismissively, "nobody uses our Nessus." That's not surprising, and it's not Cisco's fault. The result is that products which include network scanners of all types are good at some things, such as detecting open ports and operating systems, but often not so good at actually doing vulnerability scans remotely.
When the scanning is very limited in the scope of what it is looking for, there's definitely useful information available to NAC products. One of our favorite examples was Trustwave NAC's scanning tool. In building NAC policy, you can define some endpoint security features such as "is not running an unauthorized mail server." If you set up that policy, Trustwave NAC will scan devices attaching to the network, looking specifically for mail servers.
Sometimes detecting ports and operating systems is useful outside the context of endpoint posture assessment. For example, when a NAC deployment has to include embedded devices, such as printers or VoIP phones, it's useful to have an external scanner try to validate whether the device really is a printer or phone.
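Both of the narrow scanning uses just described (the "is not running an unauthorized mail server" rule and sanity-checking a device that claims to be a printer or phone) come down to evaluating a scan result against a policy. The block below is an added example written for this page; it is not Trustwave's, Cisco's or any other vendor's policy engine. The scan results are constructed, and the per-device port profiles and OS-fingerprint hints are assumptions that a deployment would replace with its own.

```python
"""Evaluate external scan results against two narrow NAC policies.

Added illustration; scan results and device profiles are constructed/assumed.
"""

# Ports a host should not be listening on unless it is an authorized mail server.
MAIL_PORTS = {25, 465, 587}

# Assumed port profile and fingerprint hints per embedded-device class.
DEVICE_PROFILES = {
    "printer": {
        "allowed_ports": {80, 443, 161, 515, 631, 9100},
        "os_hints": ("printer", "jetdirect", "embedded"),
    },
    "voip-phone": {
        "allowed_ports": {80, 443, 161, 5060, 5061},
        "os_hints": ("phone", "voip", "embedded"),
    },
}

# Constructed scan output: what an external port/OS scanner might report.
SCAN_RESULTS = [
    {"host": "10.1.5.10", "claimed_role": "printer", "open_ports": {80, 631, 9100},
     "os_guess": "HP JetDirect printer"},
    # Claims to be a printer but exposes SMB and RDP and fingerprints as Windows.
    {"host": "10.1.5.11", "claimed_role": "printer", "open_ports": {80, 9100, 445, 3389},
     "os_guess": "Microsoft Windows 7"},
    {"host": "10.1.5.20", "claimed_role": "voip-phone", "open_ports": {80, 5060},
     "os_guess": "embedded VoIP phone"},
    # A desktop listening on SMTP: violates the mail-server rule.
    {"host": "10.1.2.50", "claimed_role": "desktop", "open_ports": {25, 135, 445},
     "os_guess": "Microsoft Windows 7"},
    {"host": "10.1.9.5", "claimed_role": "server", "open_ports": {22, 25, 587},
     "os_guess": "Linux 2.6"},
]
AUTHORIZED_MAIL_SERVERS = {"10.1.9.5"}


def unauthorized_mail_servers(results, authorized):
    """Hosts with a mail port open that are not on the authorized list."""
    return sorted(
        r["host"] for r in results
        if r["open_ports"] & MAIL_PORTS and r["host"] not in authorized
    )


def validate_device_claims(results, profiles=DEVICE_PROFILES):
    """For hosts claiming an embedded-device role, return {host: [reasons]}
    where the scan contradicts the claim. Hosts with no profile are skipped."""
    findings = {}
    for r in results:
        profile = profiles.get(r["claimed_role"])
        if profile is None:
            continue
        reasons = []
        unexpected = r["open_ports"] - profile["allowed_ports"]
        if unexpected:
            reasons.append(f"unexpected open ports {sorted(unexpected)}")
        if not any(h in r["os_guess"].lower() for h in profile["os_hints"]):
            reasons.append(f"OS fingerprint {r['os_guess']!r} does not look like a {r['claimed_role']}")
        if reasons:
            findings[r["host"]] = reasons
    return findings


if __name__ == "__main__":
    print("Unauthorized mail servers:", unauthorized_mail_servers(SCAN_RESULTS, AUTHORIZED_MAIL_SERVERS))
    for host, reasons in validate_device_claims(SCAN_RESULTS).items():
        print(f"{host}: claimed role not credible: {'; '.join(reasons)}")
```

This is the scope at which external scanning pays off: a short allow-list of ports per device class and a single service to look for are easy to keep current, unlike a full vulnerability rule set. A device that fails the claim check is exactly the one you would want held in a restricted VLAN until someone looks at it.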
As a general rule, scanning externally is useful, but it's not as good an approach as an agent on the device.