7/29/2019 Network Admission Control: A Survey of Approaches (166374611)
http://slidepdf.com/reader/full/network-admission-control-a-survey-of-approaches-166374611 1/34
Bradford
Networks
Cisco
Systems
ConSentry
Networks
Enterasys/
Lockdown Extreme ForeScout Fortinet HP
Product Features
Product Overview
Product Name
NAC
Director LX
Cisco
NAC
Appliance
LAN Shield
Switch,
controller and
Manager Enforcer
Sentriant
AG
CounterACT
Fortigate
224B
ProCurve
Network
Access
Controlle
800
Appliance or Software Appliance Appliance both Appliance Both Appliance Appliance Appliance
List Pricing
Education Discount
Annual Maintenance for first year
Annual Maintenance for subsequent years
Licensing Costs (if any)
3 Year Cost
Licensing by IP Address
based on
unique
user/person No n/a No Included No No
Licensing by concurrent users
appliances
are sized
based on concurrent
user count
Yes, per
device. n/a No Yes Yes No No
Hardware
Form Factor 1U Appliance 1U
Enforcer
and
Commander: 1U and 2U
Rackmount Intel Appliance 1U Fixed
Processor 2.66GHz N/A 128 Core
Intel E6300
1.86GHz Core 2 Duo
Pentium 4 2GHz Dual Xeon ASIC
Intel®
Core™ 2
Duo @
2130 MHz
2 GB
DDR2 SDRAM
Hard Drive Specs
dual
160Gb
SATA N/A n/a
1U 80 or
250 GB
2U 75 GB
RAID 36GB
Depends
on
appliance
up to 160G
- typical 3-
6 months
of logs
FortiAnalyzer 80 GB
Network Admission C
SMU Confidential 9/7/2013
Data Throughput Rate Varies 1 GB/sec 10 Gbps
10/100/1000 1gb
Gigabit -
Out of
band
appliance -
smaller
security
container
than inline
appliances
4.4Gbps
Switching
9 to 16
Kilobytes
of data
between a
single
endpoint
and a
single NA
800 serve
for a singl
testing
session
(approx 2
tests)
#/Type of Network Ports 2x 1Gbps 10/100/100
20/8 1Gbps
SFP
LAN: 2x
10/100/1000 Ethernet;
Serial: 2xCB-9; USB:
2x USB 2.0 n/a 4/6/8/8
26
10/100,
210/100/1
000
2 RJ-45
auto-
sensing
10/100/10
0 ports - 1
serial console
port
# of Concurrent Administrators Allowed
3 types,
multiple of
each No practic 10 unrestricted 1 Unlimited
Unlimited
No
enforced
limit
Administration
Central Management Interface for multiple
appliances Yes Yes. Yes Yes Yes Yes Yes
Yes
Out of Band Management Interface Yes Yes. Yes Yes Yes Yes Yes Yes
SSH access Yes Yes. Yes Yes Yes Yes Yes Yes
Operating System
Linux Suse
10.x
Proprietary Linux
Proprietary/
Windows Linux
Hardened
Linux
Hardened
Common
Criteria
and FIPS
140-2
certified FortiOS Linux
Automated Backup and Restore Yes Yes. Yes
Manual
Backup and
Restore
only Yes Yes Yes No
Active directory administrator login
Note
required No. Yes Yes Yes Yes
Via
RADIUS Yes
Scalability
Redundant Power Yes
Yes, on
larger
devices. Yes
1U -
Active/Passive HA 2U –
Active/Passive HA and
built in
redundancy Yes Yes No No
High Availability Failover Yes Yes. Yes Yes Yes Yes Yes Yes
Max number of users per appliance 8000 3500 2000
300
Quarantine 3000
CTR - 50
Users
CT100 -
250 Users CT1000 -
1000
Users
CT2000 -
2500
Users
Coming
soon -
CT4000 -
4000 User
appliance
No user
licensing
2,500
endpoints
per
Combinat
on Serve
(CS)
3,000
endpoints
per Enforcem
nt Server
(ES)
10 ES pe
Managem
nt Server
(MS)
totaling
30,000
endpoints
per MS
Time to scan and authenticate end user
under peak load conditions Varies < 1 Sec. 5-30sec
Under 10
seconds
7 seconds
per device
Network
admission:
instant
End user
scan:
seconds
15
seconds
On a
100Mb
LAN, the
testing process
would
typically
take
between 5
and 10
seconds.
Max number of registrations/scans per minute
1500 per second 4800 2000
Highly
variable,
based on
tests run,
and results, ideally 1800
3000
scans per minute
This isn't a
metric we
keep. We
have
several
customers
with 40-
80K systems. *
Will
depend on
tests
defined fo
each scan
with a
target of
250 scans
/ minute
per
enforcement server.
Multiple
enforcement servers
can be
managed
by a single
management server ia domain
System Diagnostics
CPU monitor (GUI or CLI) Both Both. n/a Yes GUI
We have
diagnostics available
in the GUI
that
indicates if
there is an
issue with
the
appliance.
Additionally, you can
always manually
verify the
health of
the
appliance
with the
command
line. yes GUI
Memory Utilization (GUI or CLI) Both Yes. yes Yes GUI yes GUI
Disk Utilization (GUI or CLI) CLI Yes. n/a Yes GUI yes GUI
Uptime (GUI or CLI) CLI Yes. yes Yes GUI yes GUI
NAC Features
NAC Features
Agent or Agentless
Persistent,
run-once,
agentless
Nessus
integration. Both. dissolvable Yes Both
Agentless -
We have
an agent if
requested. Optional Both
Requires Administrative Privileges
Depends
on policy No. no No
Sometimes Yes No
The NAC
800 offers
4 user
roles each
with
different
privileges
Zero Day Threat Prevention
Integration
with
IDS/IPS,
Nessus No. yes Yes* Yes Yes Yes No
Pre-Admission Checks Yes Yes. yes Yes Yes Yes Yes Yes
Post-Admission Checks Yes Yes. yes Yes Yes Yes Yes Yes
Dynamic Policy Enforcement Yes Yes. yes Yes Yes Yes Yes
Yes, with
IDM
Quarantine Yes Yes. yes Yes Yes
Yes -
multiple
methods Yes Yes
Quarantine without risk of cross-infection Yes Yes. yes Yes Yes
Yes -
multiple
methods Yes
Is possibl
depending
on the the
switch
where the
endpoint i
connectin
.
Remediation Yes Yes. yes Yes Yes
Yes -
multiple
methods Yes Yes
Notification to end user of specific reason
why access has been disabled Yes Yes. yes Yes Yes
Yes -
multiple
methods Yes Yes
Inline or Out of Band Out Either. Inline Both Both
Out of
band Inline Both
Searchable by any client field (IP address,
MAC address, Active Directory ID, email) Yes Yes. yes Yes Yes Yes Yes Yes
Correlate Wired and Wireless MAC
addresses for the same computer Yes Yes. yes Yes no Yes No No
Real-time collection and reporting of data Yes Yes. yes Yes Yes Yes Yes Yes
Scanning of Client machines at
authentication Yes Yes. yes Yes Yes Yes Yes No
Allows access for non-SMU affiliated guests Yes Yes. yes Yes Yes Yes Yes Yes
Allows access for remote users Yes Yes. yes Yes Yes Yes Yes Yes
Realtime (ongoing) Nessus-type scanning of
client machines Yes No. no Yes No Yes No No
Custom Nessus Scanning Yes Yes. no Yes No Yes No No
Registry Key Scanning Yes Yes. yes Yes Yes Yes No Yes
Client Administrator Access Required
Only for
writes to
the system
- as
mentioned above,
policy
scans do
not require
admin
access. No. no Yes Yes Yes No Yes
Time of Day Policies Yes Yes. yes Yes No Yes Yes
Yes, with
IDM
NAT Detection Yes Yes. no
No -
however
this is
available
when it
occurs downstream
from some
Cisco
switches No Yes No No
Rogue DHCP Server Detection Yes Yes. yes Yes Yes Yes Yes No
Supports integration with Cisco, Nortel and
HP routers Yes Yes.
not
necessary n/a Yes
Yes - and
more (e.g.
Extreme,
Foundry,
etc) N/A Yes
Supports integration with Nortel, HP and
Aruba Networks Switches Yes Yes. yes Yes Yes
Yes - and
more (e.g.
Extreme,
Foundry,
etc)
HP,
Aruba, Yes
Supports SSH communication with network
devices Yes Yes. yes Yes Yes
Would
have to
understand
the scope
of the
integration -
quite
possibly
native. If
not our Perl plugin
SDK
allows you
to write
plugins for
CounterACT No Yes
Supports Bandwidth management Yes Yes. Q4 - 2007 No No
Out of
band Yes No
Supports integration with PacketShaper Yes No. no No No
Would
have to
understand
the scope
of the
integration -
quite
possibly
native (e.g.
syslog,
snmp, etc) -
and if not -
our Perl
plugin SDK
allows you
to write
plugins for
CounterACT Yes No
IPv4 and IPv6 capable
Yes in a
future
release No. yes Yes No
IPv4 now -
IPv6 end
of year Yes No
Policy Enforcement
Flexible
policy
definitions
are Yes Yes. yes Yes Yes
Yes -
multiple
methods Yes Yes
End-User Authentication
Active Directory Integration using single sign
on at login
Yes by
using login
scripts on
the
directory
server. Yes.
Passive
Kerberos
Snooping Yes N/A Yes Yes Yes
Radius Authentication Yes Yes. Yes Yes Yes Capable Yes Yes
802.1x Support - Pass-through/proxy Yes Yes.
Yes -
transparent,
no proxy req. Yes Yes Yes Yes Yes
802.1x Support - Integrated
Not
currently
Yes -
future
release No. Yes Yes Yes Yes Yes Yes
Role Based Identification Yes Yes. Yes Yes Yes Yes No Yes
Definition of separate security policies based
on group membership (active directory) Yes Yes. Yes Yes No Yes Yes Yes
Operating Systems Supported
Windows Vista
All
versions
are Yes Yes. yes Yes No Yes Yes No
Windows XP Yes Yes. yes Yes Yes Yes yes
Yes Home
and
Professional
Apple OSX
Support for
versions
10.1 and
above. Yes. yes Yes Yes Yes yes
Yes Mac
OS versio
10.3.7 or
later
Linux
Yes with
non-
persistent
agent only Yes. yes Yes No Yes yes No
Palm or other PDA
manual or
automated
bypass Yes. yes Yes* No Yes yes No
Antivirus Supported
McAfee Yes Yes. yes Yes Yes Yes Yes Yes
Norton Yes Yes. yes Yes Yes Yes Yes Yes
Kaspersky Yes Yes. yes Yes Yes Yes yes Yes
eTrust Yes Yes. yes Yes Yes Yes No Yes
F-Secure Yes Yes. yes Yes Yes Yes Yes Yes
Panda Yes Yes. yes Yes Yes Yes Yes Yes
Symantec Yes Yes. yes Yes Yes Yes No Yes
Sophos Yes Yes. yes Yes Yes Yes Yes Yes
Trend Micro Yes Yes. yes Yes Yes Yes Yes Yes
Other (please list) Yes.
avast!, SOFWIN, BitDefender, Zonelabs, AVG,
NOD32, AVG
for Linux
AEC,
AhnLab,
ALWIL
Software
avast!,
AOL,
Authentium,
Avira
GmbH,
Beijing
Rising
Technology,
BellSouth,
Check
Point,
ClamWin,
Earthlink,
Eset
Software,
Frisk,
Gdata,
Grisoft, H+BEDV Datentechnik, Yes
You can
add as
many as
you would
like.
Virtually
unlimited.
Adding a
custom AV
can be
done in less than
45
seconds.
Forticlient
NOD32
AntiVirus AVG
AntiVirus
Free Ed
AntiSpyware Supported
Counterspy Yes Yes. No Yes Yes n/a No Yes
McAfee Yes Yes. Yes Yes Yes No Yes
Spybot Yes Yes. No Yes No No No
Adaware Yes Yes. No Yes Yes No Yes
Windows Defender Yes Yes. Yes Yes Yes No Yes
Sophos Yes No. Yes Yes No No No
F-Secure Yes No. Yes Yes No No No
SpyHunter Yes No. No Yes No No No
PestPatrol Yes Yes. No Yes Yes No Yes
Other (please list) Yes.
Performs
dynamic
antispyware
scanning with
downloadable signature
updates. FW
(check point,
redhat linux,
Max OS, CA
EZ Firewall,
Window XP,
BlackICE PC,
Kerio Fw,
Outpost,
Norton)
AhnLab,
AOL,
Anonymizer,
Authentium,
BellSouth,
Bullet Proof,
CheckPoint,
eTrust,
EarthLink,
xCleaner,
Grisoft,
Spyware
Blaster,
Spyware
Begone,
Spyware
Doctor Yes
Forticlient
CounterSpy
Spyware
Eliminato
Webroot
Spy
Sweeper
Reporting
Event Logging
Searchable by Date Yes Yes. yes Yes Yes Yes Yes Yes
Searchable by Log Level/Type Yes Yes. yes Yes Yes Yes Yes No
Searchable by Service Yes Yes. yes Yes Yes Yes Yes No
Searchable by User Level
Not
currently Yes. yes No No Yes Yes No
Searchable by Operation Yes Yes. yes No No Yes Yes No
Searchable by message Yes Yes. yes Yes No Yes Yes No
Can send syslog messages to centralized
logging server (Security Information
Management)
Not
currently -
roadmap
item for CY
08 Yes. yes Yes Yes Yes Yes No
Can syslog messages for most events, user
registrations, authentication failures, scan results
Not
currently -
roadmap
item for CY08 Yes. yes Yes Yes Yes Yes No
System Diagnostics
CPU monitor Yes Yes. yes Yes We have Y Yes (view
Memory Utilization Yes Yes. yes Yes Yes Y
Yes (view
but no
reporting
Disk Utilization Yes Yes. yes Yes Yes Y
Yes (view
but no
reporting
Uptime Yes Yes. yes Yes Yes Y
Yes (view
but no
reporting
Custom Reports
Can be emailed to administrators
Not
currently Yes. yes Yes Yes Yes Y No
Multiple Formats available - can import to
other reporting systems
Supports
HTML,
CSV,
Excel,
XML, PDF
and RTF
formats Yes. yes Yes Yes
Yes - CSV
capable Y No
Can access the database with reporting tools
(e.g. 3rd party reporting tools like Crystal
Reports)
All data is
stored in a
MySQL
database
and is
available
externally Yes. yes Yes Yes
We have
our own
reporting
engine. N No
Custom reports can be created on the
appliance itself based on any field Yes No. yes No No
Yes -
multiple
methods Y Yes
Web Server Statistics
Yes
through back-end
CLI
commands Yes. GUI Yes
Not quite clear -
most likely
Yes Y No
Generic LDAP/Radius Authentication Yes ? Radius Yes Yes
Not quite
clear -
most likely
Yes Y Yes
User Tracking
Supports
login/logoff
time,
userid,
user name,
location IP, MAC, and
bandwidth
information
for logging Yes. yes Yes Yes
Not quite
clear -
most likely
Yes Y Yes
Additional Features
Security
Root access via SSH disabled Yes Yes. Yes Yes No Yes Y No
Webserver runs on the appliance Yes Yes. No Yes Yes
Yes -
Tomcat Y No
Product History
Year in which product came to market 2001 2003 2004 2005 2004
IPS -
2001; NAC
- 2005 2006 2007
Current revision level of software 3.1.7 4.1 3.1 v4.5.4 01/05/00 6.1.3
3.0
Maintenance
Release
5
software
version
1.0c
Number of developers working on product 10 19 50 20 80 35
ProCurve
does not
disclose
this
information
.
Frequency of Product Updates
Quarterly
for
maintenance updates
- 2 major updates
per year Quarterly
2 Major, 6
Maintenance
Twice
Annually
As
needed
3-5
Months for
significant
updates -
Product is considered
mature.
Quarterly basis
There is
not a set
update
schedule.
Updates
are made
on an "as needed"
basis.
Frequency of Signature Updates Weekly Hourly Monthly Twice daily
As
needed
N/A for
IPS -
Monthly for
MS vulns
Daily/Weekly
is
automatically updated
with tests
that cover
newly released
patches,
hotfixes,
software
updates,
worms,
and
Trojans,
and
recommended
security
settings fo
common
applications. New tests are
automatically added
to the test
database
as
frequently
as hourly,
ensuring
immediate
Average Product Lifecycle
Hardware
3-5 years 2 yrs. 5 years N/A
Not quite
clear -
Hardware
or
software? Actual or
projected?
3-5
years
On
average,
ProCurve
products
have a 5 year
lifecycle.
Strategic Vendor Partnerships
Aruba,
Stonesoft,
Packeteer,
HP,
Extreme,
Meru,
Enterasys,
BigFix Multiple. Alcatel
Microsoft, Patchlink, Safe End,
Lancope,
Intel, IBM,
Patchlink,
Qualsys,
IBM,
Microsoft,
several
others. We
integrate
very well
with other
products
because of
our
modular
plugin
architecture.
HP,
Aruba,
Alcatel,
Arcsight
SonicWall
& Fortinet
Trend
Micro
Vernier
Networks
No Response
No Response
Bradford
Networks
Check
Point
Cisco
Systems
ConSentry
Networks Enterasys
ForeScout
Technologies InfoExpress
J
Ne
Product Features
Product Overview
Hardware Administration
Scalability
System Diagnostics
NAC Features
NAC Features
End-User Authentication
Operating Systems Supported
AntiVirus Supported
AntiSpyware Supported
Reporting
Event Logging
System Diagnostics
Custom Reports
Additional Features
Security
Product History
Overall Evaluation
(Insert Vendor Name Here) Notes
Product Features
Product Overview
Product Name
Appliance or Software
List Pricing
DIR Pricing Available
*DIR Pricing is standard discount pricing set by the
Texas Department of Information Resources
Education Discount
Annual Maintenance for first year
Annual Maintenance for subsequent years
Licensing Costs (if any)
Licensing by IP Address
Licensing by concurrent users
Hardware
Form Factor
Processor
Hard Drive Specs
Data Throughput Rate
#/Type of Network Ports
# of Concurrent Administrators Allowed
Administration
Central Management Interface for multiple
appliances
Out of Band Management Interface
SSH access
Operating System
Automated Backup and Restore
Active directory administrator login
Scalability
Redundant Power
High Availability Failover
Max number of users per appliance
Time to scan and authenticate end user
under peak load conditions
Max number of registrations/scans per minute
System Diagnostics
CPU monitor (GUI or CLI)
Memory Utilization (GUI or CLI)
Disk Utilization (GUI or CLI)
Uptime (GUI or CLI)
NAC Features
NAC Features
Agent or Agentless
Requires Administrative Privileges
Zero Day Threat Prevention
Pre-Admission Checks
Post-Admission Checks
Dynamic Policy Enforcement
Quarantine
Quarantine without risk of cross-infection
Remediation
Notification to end user of specific reason why
access has been disabled
Inline or Out of Band
Searchable by any client field (IP address,
MAC address, Active Directory ID, email)
Correlate Wired and Wireless MAC
addresses for the same computer
NAC Vendor Questionnaire
Real-time collection and reporting of data
Scanning of Client machines at authentication
Allows access for non-SMU affiliated guests
Allows access for remote users
Realtime (ongoing) Nessus-type scanning of
client machines
Custom Nessus Scanning
Registry Key Scanning
Client Administrator Access Required
Time of Day Policies
NAT Detection
Rogue DHCP Server Detection
Supports integration with Cisco, Nortel and
HP routers
Supports integration with Nortel, HP and
Aruba Networks Switches
Supports SSH communication with network
devices
Supports Bandwidth management
Supports integration with PacketShaper
IPv4 and IPv6 capable
Policy Enforcement
End-User Authentication
Active Directory Integration using single sign
on at login
Radius Authentication
802.1x Support - Pass-through/proxy
802.1x Support - Integrated
Role Based Identification
Definition of separate security policies based
on group membership (active directory)
Operating Systems Supported
Windows Vista
Windows XP
Apple OSX
Linux
Palm or other PDA
Antivirus Supported
McAfee
Norton
Kaspersky
eTrust
F-Secure
Panda
Symantec
Sophos
Trend Micro
Other (please list)
AntiSpyware Supported
Counterspy
McAfee
Spybot
Adaware
Windows Defender
Sophos
F-Secure
SpyHunter
PestPatrol
Other (please list)
Reporting
Event Logging
Searchable by Date
Searchable by Log Level/Type
Searchable by Service
Searchable by User Level
Searchable by Operation
Searchable by message
Can send syslog messages to centralized
logging server (Security Information
Management)
Can syslog messages for most events, user
registrations, authentication failures, scan
results
System Diagnostics
CPU monitor
Memory Utilization
Disk Utilization
Uptime
Custom Reports
Can be emailed to administrators
Multiple Formats available - can import to
other reporting systems
Can access the database with reporting tools
(e.g. 3rd party reporting tools like Crystal
Reports)
Custom reports can be created on the
appliance itself based on any field
Web Server Statistics
Generic LDAP/Radius Authentication
User Tracking
Additional Features
Security
Root access via SSH disabled
Webserver runs on the appliance
Product History
Year in which product came to market
Current revision level of software
Number of developers working on product
Frequency of Product Updates
Frequency of Signature Updates
Average Product Lifecycle
Strategic Vendor Partnerships