Enterasys has upgraded its security appliances so they can carry out network access control (NAC) on traffic coming through non-Enterasys switches, making them a viable option for businesses that don't have the vendor's gear.
The Sentinel NAC Solution 1.1 software - which consists of Sentinel Trusted Access Gateway appliance and Sentinel Trusted Access Manager - supports blocking access-switch ports when devices fail network security policies checks, the company says. Sentinel previously did this only via Enterasys switches.
By adding the ability to use SNMP controls to block ports the company has extended NAC-enforcement capabilities to any managed switch. Alternatively, access to these switches can be blocked using 802.1Q virtual LAN tags to quarantine traffic from devices that have been scanned and found lacking by the NAC gear.
The device can use 802.1x authentication to block access to the network. If a customer has Enterasys switches, the NAC gear can make finer determinations of what to block. For example, Bentley College in Waltham, Mass., is deploying Sentinel to block peer-to-peer file sharing, which accounted for more than 75 percent of network traffic when unchecked, says Todd Marsh, principal network architect for the school.
These new features will put Enterasys in competition with vendors such as ConSentry, Nevis, StillSecure and Mirage, which make NAC appliances that fit into heterogeneous networks. These vendors contrast themselves with Cisco's NAC architecture, which calls for all Cisco switches. They say customers can add NAC to their network security without major network upgrades.
The 1.1 software also integrates Sentinel Trusted Access Gateway with Enterasys' Dragon Network Intrusion Detection, making it possible to cut off access to machines that misbehave once they are admitted to networks. If Dragon software detects an intrusion based on malware signatures or unauthorized behaviour, it can trigger the Sentinel gateway to block access for that device.
This gives Enterasys both pre-admission and post-admission NAC capabilities. Pre-admission NAC determines if the security posture of a device meets security standards and therefore gains network access. Post-admission NAC detects when endpoints attempt to access resources they are not supposed to and shuts down their network access.
Enterasys does not make its own NAC client that scans endpoints to perform pre-admission NAC. It instead relies on clients made by other vendors such as Tenable Network Security, Lockdown Networks and most recently Microsoft.
The Enterasys gear also works in conjunction with endpoint scans that don't require a client made by vendors including Check Point and Symantec.