StillSecure Provides All-in-One NAC Protection

Review: Appliance-based Safe Access 5.0 will go from simple deployments to 802.1x authentication.

StillSecures Safe Access 5.0 is a complete, flexible network access control solution that has the potential to accommodate tomorrows technology advances.

Safe Access 5.0, which started shipping in October 2006, is competitively priced at $20 per IP address for a 2,500-user deployment. Safe Access can run on commodity servers, and, in its simplest in-line protection mode, it requires no changes to network switching or routing configurations.

While these factors combine to keep the initial deployment costs low, Safe Access does provide the full range of NAC features that are needed to go from an initial installation to an advanced 802.1x authentication environment with clusters of StillSecure Enforcement Servers.

As with most of the maturing products in the NAC category, Safe Access 5.0 supports a wide range of Microsoft Windows versions, from Windows 98 to Windows Server 2003. Company officials indicated that support for other operating systems, including Linux and Apples Mac OS X, are planned for a future release of the product.

While Safe Access 5.0 can support 802.1x and DHCP (Dynamic Host Configuration Protocol) enforcement, we started our pilot review as we think most organizations will: by installing a single, in-line server installation.

Weve taken to heart the advice given repeatedly at the recent RSA Conference: Dont boil the ocean as the first step of a NAC implementation. While its a good idea to begin with a limited deployment and to keep it simple, the end goal should be to implement a system that can provide robust posture checking along with smooth user remediation.

We spent most of our evaluation time setting up conditions that would require endpoints to be quarantined. For our in-line installation, we used the straightforward Web-based administrator interface to specify an IP address list of servers that provided access to remediation services.

In our case, this was an update to the latest anti-virus update of Symantecs Norton Internet Security 2007. Safe Access 5.0 comes with several Symantec services already configured.

The product itself is quite safe to use in departments with large numbers of network administrators. We were able to easily configure a variety of administrative user roles: from those restricted to view-only for the enforcement cluster for which they were responsible to a system administrator role that had all permissions available.

It is important to look for limited administrative privileges in NAC products to ensure that admins themselves are prevented from creating security gaps.

Access policies determine the requirements that must be met by an endpoint to get a clean bill of health and access to the network. In our most stringent tests, we were able to successfully flunk endpoints that missed only one among several tests. We successfully checked for installed services packs and hotfixes; the presence of approved software; and the absence of worms, viruses, Trojans and unauthorized peer-to-peer software.

StillSecure provides tests, updated automatically every hour, to enforce access policies. We were able to override the hourly cycle and manually check for tests, although we found the hour window sufficient for keeping current.

/zimages/6/28571.gifNAC leaders admit the technology has a long way to go. Click here to read more.

We were especially impressed with the testing and remediation process provided by Safe Access 5.0. When our remote access clients connected via our VPN, they were first subjected to a scanning process that we configured with the help of StillSecure field support.

IT managers should be aware that Safe Access 5.0, like several other NAC products, sometimes requires that Microsofts Internet Explorer browser settings—and similar settings in other browsers—be set to some setting other than "high" security for scanning to work correctly.

Because this requirement is in place only for agentless scanning and for first-time agent installation, we think the risks are worth the payoff.

That said, its hard to see how effective NAC can be without agent software. We suggest that IT managers factor the cost of agent installation and maintenance into any proposed NAC implementation, no matter how rosily the salesperson speaks about agentless machine scanning.

Administrators should note that some older devices are unlikely to be able to use the 802.1x supplicant that is emerging as a requirement for the most secure internal networks. Handling such devices should therefore be considered part of any NAC pilot.

In our tests of Safe Access 5.0, we were able to use static IP addresses combined with MAC addresses to allow unscannable machines onto the network. This is a technique similar to that used by Cisco Systems Network Admission Control product. Its an effective workaround, especially since Safe Access, like other NAC products, has the power to deny network access.

Technical Director Cameron Sturdevant can be reached at

/zimages/6/28571.gifCheck out eWEEK.coms for the latest news, views and analysis on servers, switches and networking protocols for the enterprise and small businesses.