Network Access Control
This newsletter is sponsored by Nevis Networks
Network World's Network Access Control Newsletter, 06/26/07

Do SSL VPN checks measure up to the rigors of NAC?
By Tim Greene

Many SSL VPN vendors assess the security of endpoints as part of their network-admission routine, but that doesn’t mean these assessments are equivalent to NAC. The purposes of SSL VPN endpoint checking and NAC are similar - to evaluate the security posture of the device and impose an access policy based on that evaluation. Most SSL VPN vendors that do this use downloadable software agents to do the work, supplemented by a permanent SSL VPN client for managed machines that need network-layer VPN access.

These agents gather data about the configuration of the device and forward it to a policy server that decides whether the device state warrants access, and if so, to what. This roughly fits the description of NAC, but a few features that are key to NAC can help determine whether SSL VPN checks measure up to its rigors.

* How is endpoint-check data sent? With NAC, methods range from 802.1x to piggybacking on other authentication schemes or using a captive portal that requires allowing the scan. SSL VPN vendors often lack the richness of options.
* Can the endpoint check gather data from third-party clients? NAC vendors actively seek alliances with other software vendors, such as patch-management purveyors, as a means for gathering key information about configuration and security posture.
* How many operating systems does the integrity checker support? This varies from vendor to vendor, but some have a wide range of support including agents for smart phones.

SSL VPN integrity checks may offer sufficient protection even if they don’t include all the elements that NAC does. In fact, the SSL admission control may be appropriate for remote access purposes. It all depends on the needs of the individual customer.

Since NAC is generally applied to LAN-connected devices, not remote access devices, NAC and SSL VPN integrity checks are separate. But it is valuable to compare and contrast what they do in order to devise flexible overall admission policies.
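
The decision flow this article describes (an agent reports posture, a policy server decides whether to grant access and to what) is sketched below as an added example that is not part of the original newsletter or any vendor's product. The report fields, thresholds and tier names are assumptions; data the agent could not collect, such as a missing third-party patch-management feed, is treated as a failed check.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy values; thresholds and tier names are assumptions.
SUPPORTED_OS = {"windows", "macos", "linux"}
MAX_AV_SIGNATURE_AGE_DAYS = 7


@dataclass
class PostureReport:
    """Data an endpoint agent forwards to the policy server (hypothetical schema)."""
    device_id: str
    os_family: str
    managed: bool                                   # permanent VPN client installed
    firewall_enabled: Optional[bool] = None
    av_signature_age_days: Optional[int] = None
    missing_critical_patches: Optional[int] = None  # from a third-party patch client


def decide_access(r: PostureReport) -> Tuple[str, List[str]]:
    """Return (tier, reasons); tier is deny, remediation, web-only or network-layer."""
    if r.os_family.lower() not in SUPPORTED_OS:
        # No integrity checker exists for this OS, so posture cannot be evaluated.
        return "deny", ["no integrity checker for OS " + r.os_family]

    failures = []
    # A value of None means the agent could not collect it: fail closed.
    if r.firewall_enabled is not True:
        failures.append("firewall off or not reported")
    if r.av_signature_age_days is None or r.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures stale or not reported")
    if r.missing_critical_patches is None or r.missing_critical_patches > 0:
        failures.append("critical patches missing or patch data unavailable")

    if failures:
        return "remediation", failures
    # Healthy posture: decide "to what". Only managed machines get network-layer access.
    return ("network-layer" if r.managed else "web-only"), []


# Constructed sample reports
SAMPLES = [
    PostureReport("laptop-01", "Windows", True, True, 2, 0),
    PostureReport("kiosk-07", "Windows", False, True, 1, 0),
    PostureReport("laptop-02", "macOS", True, True, 3, None),   # patch client absent
    PostureReport("phone-11", "Symbian", False),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.device_id, *decide_access(s))
```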

Contact the author: Tim Greene is a senior editor at Network World, covering network access control, virtual private networking gear, remote access, WAN acceleration and aspects of VoIP technology. You can reach him at tgreene@nww.com.

Copyright Network World, Inc., 2007