Finding a NAC solution
This week has been very busy. I had four meetings that took up almost four full days. The meetings were with vendors to check out their offerings in NAC systems. Friday was spent discussing the pros and cons of each system and trying to decide which one would meet our needs and budget. I feel the decision has come down to two NAC vendors: Infoblox and Enterasys.
From a "what they can do" standpoint, the Enterasys system wins hands down. The Enterasys appliances actually work at the port level of the switches in order to limit a computer's or user's ports, speed and access. We liked that it works with or without the client software installed. With the client installed, we would have the ability to fully scan systems even if they are not part of the domain. Without the client, systems not on the domain could block scans; we would just leave such systems in quarantine limbo (i.e. no network connection) if the scan fails.
Out of the box, Enterasys works with many different antivirus programs and operating systems as part of the system compliance check (OS patches, installed programs, AV updates, etc.). The system also allows you to set QoS and bandwidth throttles based on MAC address, IP address or client login. IT department = full throttle, everyone else = 20%.
The Infoblox appliance runs a hardened Linux OS with built-in DHCP, DNS, RADIUS, TFTP and NTP services. Not all of the services have to be enabled, only the ones you wish to use. The Enterasys system supports RADIUS but only as a proxy/pass-through. We could use these appliances to offload DHCP and DNS from the domain servers at each location. RADIUS is not currently implemented on our network, but it is wanted as an extra layer of wired/wireless authentication. It was simple to import the DNS and DHCP setup from a Windows 2000/2003 server into the Infoblox appliance. Configuration of all appliances (local and remote) is easily handled through a single Java-based admin GUI. No client is required but, just like with Enterasys, this can limit scanning abilities.
Unfortunately, the Infoblox system only works with McAfee antivirus out of the box. They can make it work with other vendors, but only if the software has an API that allows compliance checks. Also, OS patch checking is performed using BigFix. The vendor said they can make it work with the available Windows Update Agent API so that it will work with our local WSUS server.
I think we will be going with the Infoblox solution. Even though Enterasys does so much more, the cost of implementation will probably be its downfall. All of our remote locations have a managed switch with many unmanaged (dumb) switches connected to it. To fully use all of the Enterasys features, we would need to swap out all or most of the unmanaged switches. The cost to do that, and to purchase the Enterasys system, will easily exceed $700,000. The Infoblox systems will cost around $200,000 to fully implement and handle our main needs, plus a little more for later use. I would go with Enterasys if I were in charge of picking a solution for a new business setup, for a smaller established network, or for one with a much larger budget.
Here are the links to the literature page for each company. They both have quite a bit of info on case studies, white papers, fact sheets, product info, etc.
The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy. – Martin Luther King, Jr.
01.Jul.07
Networking, Security