June 21, 2010, 1:33 PM — One of the main promises of network access control is that you can ensure that endpoint security tools are up to date and that non-compliant machines can be identified or blocked. As regulatory compliance has grown in importance, NAC vendors have reacted by building strong feature sets aimed at endpoint security and compliance. In our NAC testing, we had good, and sometimes great, results across the board when it came to endpoint security.
We created a very basic endpoint security policy, and then checked to see if we could implement that policy in our NAC products. We also looked at a variation on endpoint security: the ability of NAC products to handle system misbehavior. For example, if a typical, compliant desktop started trying to break into other systems by brute-force password guessing, that would be a misbehavior we'd like to detect. Whether the desktop is infected or the user is acting maliciously, it's still misbehavior, and NAC can help put a stop to it.
We discovered some products that handled our policy, and some that went far beyond what we asked. Alcatel-Lucent SafeNAC, Bradford Network Sentry, Enterasys NAC, ForeScout CounterACT and McAfee NAC are the ones to start with if you want to get very deep and very dirty in your endpoint posture assessment. The good news is that every NAC product passed the main part of this test. We were able to put in our policy, or a close approximation, and we were able to successfully detect Windows 7 systems that were not compliant. Not every product could match our policy exactly, but we were able to get very close in every case.
Macintosh support is spottier. Most products had some degree of Mac support, and we were able to find our installed Sophos anti-virus with every product, although not necessarily easily. For example, Alcatel-Lucent Safe NAC doesn't know about anti-virus tools, so we had to craft a policy based on other ways of detecting Sophos running on the client.
Overall, Macintosh OS X support is much weaker than Windows support in all products. This reflects both the compliance aspects of NAC endpoint posture assessment and the generally laissez-faire approach to endpoint security tools common in the Macintosh community.
Beyond the basics