
NAC underneath the covers: Endpoint health assessments

The main focus of NAC these days is to assess an endpoint and determine that it's "healthy" before it's allowed network access. But vendors have different methods of doing so. Here you'll find the questions you need to ask your vendor in order to understand where these solutions fit into your overall networking and security infrastructure.

Keeping your remote laptops healthy is not an easy task these days. Infections are everywhere, and once these PCs leave the shelter of your enterprise network, they can easily get filled with malware, rootkits, and viruses.

To help stem this tide, various endpoint security vendors have created solutions that take the form of appliances to assess laptop and other endpoint health. The hard part is in understanding how they differentiate their wares and the consequences of how they interact with your network infrastructure. Here is a brief guide to the questions you need to ask your vendor to understand where these solutions fit into your overall networking and security infrastructure.

What's in an agent?
Every endpoint security appliance needs some kind of software agent to scan the remote machine and perform the health assessment. But the world of agents is becoming more complex, and how this software is delivered to the machine, how long it sticks around, and whether it can remove itself automatically are all critical questions for potential customers of these technologies.

For example, some of the products use what are called "on-demand" or temporary agents, meaning that the software doesn't get onto the client PC until the PC tries to connect to the enterprise network. These typically take the form of JavaScript or ActiveX controls that are sent downstream when a browser connects to the network or when a user attempts to log in to the network. These on-demand agents are useful in the case of unmanaged systems that are outside the purview of the IT department, such as guest and contractor machines.

Symantec's and Lockdown's network access control (NAC) products both have on-demand agents and thick agents for the managed clients, where an IT department can push software down to each desktop or laptop. Vernier Networks' approach only uses on-demand agents, and works in conjunction with the Windows managed interface to log in to a computer and do its health scans. Sometimes the level of assessment of the agent depends on whether administrative access is available for each machine. "Using administrative credentials, we can detect pre-packaged and administrator specified values, such as executables, registry settings, installed software such as Kazaa and Skype, as well as malware including rootkits," says Dan Clark, vice president of marketing for the company.

Whether the products have one or more different kinds of agents, some of them are limited in terms of the kinds of client devices that they can assess, particularly when you move outside the Windows world. For example, while Forescout's CounterACT is completely agentless, it didn't support Mac OS clients until its latest version, 6.0. Symantec's on-demand agent runs on Mac OS and Linux, but its managed agents only work on Windows 2000 and XP. Microsoft has promised agents for Windows XP SP2 and for Vista to support its Network Access Protection (NAP) system – everyone else will have to find third parties if they want to make use of NAP.

Does it come with its own IPS/IDS or play well with others?
Some endpoint security products, such as the EdgeWall from Vernier Networks and ForeScout's CounterACT, come with their own intrusion detection and prevention systems (IDS/IPS) that are part of the endpoint security assessment process. Others work with existing IPS products. For example, Lockdown Networks' NAC device doesn't have any IPS functionality, but works with Enterasys' Dragon intrusion appliances.

Some of the products come with components that duplicate services already in use on enterprise networks, which means more work to get them set up. Symantec's Network Access Control has its own RADIUS server, plus additional software that is installed alongside Microsoft's Active Directory to handle DHCP-based assessments. Some of the products, such as Cisco's, require their own 802.1X authentication servers, and require upgrades to Cisco network switch and router firmware, which can get expensive.

Where does the hardware need to be located on the network?
Each of the endpoint products has a different design and is intended to function best in varying places on the enterprise network. Some operate in-line and are required to sit as close to the edge as possible, while others can protect critical network resources such as servers or particular departmental branches, or operate on span ports. Some start out operating out-of-band, then insert themselves into the network stream once a successful authentication has occurred through an Active Directory or VPN login. And some products are part of an overall VPN solution and offer more or less integration into these products as well.

Vernier's NAC platform is placed as an in-line aggregation device between traditional access and distribution or core switches. "By connecting directly in-line, we do not need to use tap or span ports, nor do we rely on out of band methods. With the increased throughput and port aggregation capabilities of our latest platform, we are starting to see some customers use the EdgeWall 8800 in place of distribution switches," says Rod Murchison, vice president of marketing for the company.

Lockdown's product, however, operates out-of-band: "We connect to the trunk and manage the routing of devices to different VLANs," says Clark. Lockdown plans on offering in-band VPN integration by the end of 2006, according to company representatives. Mirage Networks operates out-of-band, and then changes the Address Resolution Protocol cache of the endpoint for quarantine purposes.

How are health assessments carried out?
Each endpoint product carries out its health assessments somewhat differently in terms of when a machine is scanned (before or after a network login) and what exactly is part of the scan. Forescout and Vernier, because they have integrated IPS, both look to see if a user has valid domain authentication credentials and is using a managed PC that is already known to their system. If so, the user is immediately allowed on the network and further health assessment happens post-login. "We don't have to quarantine everything as they come on to the network," says Gord Boyce, vice president of sales and marketing at Forescout. "This means that the checks take only a couple of seconds for most users."

Sometimes the decision about what is healthy and what isn't is very binary. For Cisco, for example, either a client passes muster and is allowed on the network, or it isn't. Others have more granularity, and can remediate what they find wrong with the client's configuration. Finally, some products only do assessments after a user has authenticated to the network, which could be an issue because malware could already have been transmitted once a PC has gained access to the network.
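The two decision models described above, a binary pass/fail policy and a granular policy that admits known managed PCs immediately and remediates post-login, as an added illustration that is not part of the original article or any vendor's product. The posture report fields and the 7-day signature-age threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed posture report shaped like what an on-demand or managed agent
# might send back; field names are hypothetical, not any vendor's schema.
@dataclass
class Posture:
    os: str
    av_signature_age_days: int      # days since antivirus definitions were updated
    missing_patches: List[str]      # patch identifiers the agent found absent
    prohibited_software: List[str]  # e.g. Kazaa or Skype, as in the article
    managed: bool                   # PC is known to the NAC system and IT-managed
    domain_authenticated: bool      # user presented valid domain credentials

@dataclass
class Decision:
    action: str                     # "allow", "quarantine" or "deny"
    remediation: List[str] = field(default_factory=list)
    timing: str = "pre-login"       # when the health checks are applied

def find_violations(p: Posture, max_sig_age_days: int = 7) -> List[str]:
    """Return the policy violations, each phrased as a remediation step."""
    v = []
    if p.av_signature_age_days > max_sig_age_days:
        v.append(f"update antivirus signatures ({p.av_signature_age_days} days old)")
    v += [f"install missing patch {k}" for k in p.missing_patches]
    v += [f"remove prohibited software {s}" for s in p.prohibited_software]
    return v

def binary_policy(p: Posture) -> Decision:
    """Pass/fail model: the client is either admitted or it is not."""
    return Decision("allow") if not find_violations(p) else Decision("deny")

def granular_policy(p: Posture) -> Decision:
    """Known managed PCs with valid domain credentials are admitted at once and
    remediated post-login (the trade-off the article notes: anything already
    on the box is on the network too); everyone else is assessed first and
    quarantined with a remediation list if anything is wrong."""
    violations = find_violations(p)
    if p.managed and p.domain_authenticated:
        return Decision("allow", violations, timing="post-login")
    if violations:
        return Decision("quarantine", violations)
    return Decision("allow")

if __name__ == "__main__":
    # Constructed sample: an unmanaged contractor laptop with stale AV, one
    # missing patch (placeholder id) and Kazaa installed.
    guest = Posture("Windows XP SP2", 30, ["KB-EXAMPLE"], ["Kazaa"], False, False)
    print(binary_policy(guest))    # Decision(action='deny', ...)
    print(granular_policy(guest))  # quarantine with three remediation steps
```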

Obviously, there is still a lot more work to be done with endpoint health assessment, and new vendors are entering the market every day. But these questions should help a network manager gain some clarity about which products are appropriate for particular situations.

About the author:
David Strom is founding editor-in-chief of Network Computing magazine and author of two networking books. He writes frequently on IT, networking, Internet, security, and other computing topics and his blog can be found at strominator.com. He is based in St. Louis and can be reached at david@strom.com.

This was last published in November 2006
