NAC appliances reveal who's rapping at your network door
Written by zhangyuan
February 21, 2008 11:12

Setting up, installing, and getting a basic default configuration online took me approximately an hour, with the better part of a morning spent defining device, application, and user groups. Microsoft SBS (Small Business Server) 2003 with AD (Active Directory) handled the authorization services. The 525 can also use LDAP, RADIUS, SecurID, and a local database as a source of user names and passwords. I was able to map user groups in AD back to the Caymas appliance to take advantage of existing security groups. Caymas' Java-based user interface was easier to navigate than most others in the group, second only to Vernier's UI.

Integrated Windows log-in is one feature missing from the system. This means Caymas cannot make use of users' Windows credentials to authenticate them and place them into a security zone. To access the network, all users must authenticate using the captive portal feature. The solution can, however, look up users in a number of different directories to obtain their group affiliations. Caymas says integrated Windows authentication will be available in a future release.

Caymas' policy engine, like the others, requires some planning to get the most out of it, but after it's in place, it requires little ongoing maintenance. Admins can define networks, resources, and applications either singularly or in groups. Admins can also create various security zones that bind networks, authentication methods, and host-checker results to specific Web and file resources and applications.

For example, I created a Financial security zone that required my users to authenticate against Active Directory, to be on an internal network segment, and to pass the host checker. I then assigned to this security zone the group of applications and resources users would be able to access. If a user fails any of the required security checks, he or she is placed into a limited-access quarantine policy.

As I was creating and changing my security policies and zones, I was happy to note that I could easily see what my users' effective ACLs (access control lists) would be. Whether I had selected a specific application or a group of users, I could see in the same window what the security policy was for that object. This view made double-checking effective rights much quicker.

The Caymas host-checking system does not require a permanently installed agent on the host PC. During the authentication process, the appliance scans the host by pushing either an ActiveX or a Java agent (depending on the environment) to the client. On disconnect, the agent is removed with no traces left behind. For the agent to install and run on the host PC, however, the logged-on user must have power-user or administrative rights on that PC. This could be a problem in enterprises where users have limited local rights.

As of this release, Caymas doesn't come with a predefined list of anti-virus, anti-spyware, or personal firewall vendors. Admins have to build their host-checking policy by entering a process name or some other identifying information, such as the process name rtvscan.exe to detect Norton AntiVirus. With minimal effort, however, it will scan for open ports, Windows service pack level, Registry entries, and files. Admins can nest host-checker policies using Boolean logic to create complex rules. Later releases will feature built-in anti-virus, anti-spyware, and personal firewall lists, as well as the capability of scheduling recurring host checks.
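To make the two ideas above concrete, the security zone that binds an authentication source, a network segment and a host-check result to a set of resources, and the nested Boolean host-checker rules built from process names, service-pack level, Registry entries, files and open ports, here is a small policy-engine model. It is an added illustration written for this page, not Caymas code: the rule grammar, the zone and resource names, the IP ranges, the quarantine resource and the two host inventories are all constructed, and mcshield.exe (McAfee's on-access scanner) is assumed as a second anti-virus process alongside the rtvscan.exe mentioned in the text.

```python
import ipaddress

# Host-check rule grammar (assumed for this example). Leaf rules are tested
# against an inventory dict the pushed agent would return; "all", "any" and
# "not" give the Boolean nesting the article describes.
def host_check(rule, inv):
    """Return True if the host inventory satisfies the (nested) rule."""
    if "all" in rule:
        return all(host_check(r, inv) for r in rule["all"])
    if "any" in rule:
        return any(host_check(r, inv) for r in rule["any"])
    if "not" in rule:
        return not host_check(rule["not"], inv)
    if "process" in rule:                      # e.g. rtvscan.exe for Norton AV
        return rule["process"].lower() in {p.lower() for p in inv["processes"]}
    if "service_pack_min" in rule:             # Windows service-pack level
        return inv["service_pack"] >= rule["service_pack_min"]
    if "registry" in rule:                     # (key, expected value)
        key, want = rule["registry"]
        return inv["registry"].get(key) == want
    if "file" in rule:                         # file present on disk
        return rule["file"] in inv["files"]
    if "port_closed" in rule:                  # TCP port must not be listening
        return rule["port_closed"] not in inv["listening_ports"]
    raise ValueError(f"unknown host-check rule: {rule!r}")


# Nested host-check policy: any supported AV process, SP2 or later,
# no VNC listener, and no forbidden tool on disk (all constructed).
AV_RUNNING = {"any": [{"process": "rtvscan.exe"},    # Norton AntiVirus
                      {"process": "mcshield.exe"}]}  # McAfee VirusScan (assumed)
FINANCIAL_HOST_CHECK = {"all": [
    AV_RUNNING,
    {"service_pack_min": 2},
    {"port_closed": 5900},
    {"not": {"file": "C:\\Tools\\nc.exe"}},
]}

# A security zone modelled on the Financial zone in the text: it binds the
# auth source, a group, an internal segment and the host check to resources.
FINANCIAL = {
    "name": "Financial",
    "auth_source": "AD",
    "required_group": "Finance",
    "networks": [ipaddress.ip_network("10.10.0.0/16")],   # internal segment
    "host_check": FINANCIAL_HOST_CHECK,
    "resources": ["smb://fin-files/ledger", "https://erp.internal/"],
}
QUARANTINE_RESOURCES = ["https://remediation.internal/"]  # limited-access policy


def evaluate(zone, session, inventory):
    """Return (zone_name, effective_acl, failed_checks) for one session.
    A single failed requirement drops the user to the quarantine policy."""
    failed = []
    if session["auth_source"] != zone["auth_source"]:
        failed.append("auth_source")
    if zone["required_group"] not in session["groups"]:
        failed.append("group")
    ip = ipaddress.ip_address(session["ip"])
    if not any(ip in net for net in zone["networks"]):
        failed.append("network")
    if not host_check(zone["host_check"], inventory):
        failed.append("host_check")
    if failed:
        return "Quarantine", list(QUARANTINE_RESOURCES), failed
    return zone["name"], list(zone["resources"]), failed


# Constructed sample sessions and agent inventories.
CLEAN_HOST = {"processes": ["explorer.exe", "RTVScan.exe"], "service_pack": 2,
              "registry": {}, "files": set(), "listening_ports": {135, 445}}
DIRTY_HOST = {"processes": ["explorer.exe"], "service_pack": 1, "registry": {},
              "files": set(), "listening_ports": {135, 445, 5900}}
ALICE = {"user": "alice", "auth_source": "AD", "groups": {"Finance"},
         "ip": "10.10.4.25"}
BOB = {"user": "bob", "auth_source": "AD", "groups": {"Finance"},
       "ip": "192.168.50.7"}   # not on the internal segment

if __name__ == "__main__":
    for sess, inv in ((ALICE, CLEAN_HOST), (ALICE, DIRTY_HOST), (BOB, CLEAN_HOST)):
        zone, acl, failed = evaluate(FINANCIAL, sess, inv)
        print(f"{sess['user']:6} -> {zone:10} acl={acl} failed={failed}")
```

The third tuple returned by evaluate() is the practitioner's "effective ACL" view from the paragraph below: for any user it shows both the resources granted and exactly which binding (auth source, group, segment or host check) sent the session to quarantine, so a policy change can be double-checked against a sample session before it goes live.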

The 525 inspects all user traffic from Layer 3 to Layer 7, taking advantage of the application security engine normally applied to SSL VPN deployments. In fact, the underlying SSL VPN and security features are very much a part of the system. Basically, Caymas provides a stateful inspection firewall for every user and builds ACLs based on the overall security profile of each user. Each packet is inspected as it passes through the appliance, no matter where it comes from. Unlike with Nevis and Lockdown, a "one user to one port" association is not necessary.

Reporting is well covered in the 525. Admins can view reports on user and resource activity, the number of successful and failed log-ins, and other system information. Admins can export the reports to CSV (comma-separated values) files for analysis in other reporting tools.

Lockdown Networks Enforcer

The Enforcer from Lockdown Networks takes an entirely different tack than the other NAC solutions in this review: It performs enforcement at the managed-switch level through SNMP by placing users into policy-defined VLANs. The policy engine is robust, though not the most intuitive one of the bunch. It does include various sample policies on which to build. Reporting features are the best of the lot with a wide variety of rich reports and graphs.

The Enforcer is available in 1U and 2U configurations (I tested the 1U device), with the 2U doubling the CPU and power supplies. Both versions come with a single Gigabit Ethernet interface for connecting to your managed switches. A single Enforcer can manage up to 256 switches and 4,096 VLANs.

Lockdown also offers the Sentry, a low-cost appliance that brings policy-based access control to remote offices, and the Commander, an appliance that allows admins to manage multiple Enforcers and Sentries from a single console. Neither the Sentry nor the Commander was part of my testbed.
