Infoblox ID-Aware DHCP Solution
Infoblox Inc.
http://www.infoblox.com
Nearly every IP network relies on DHCP services to provide IP addresses to devices. Intelligent control over IP
address assignment is therefore a critical part of any strategy for limiting network access to known users and
compliant end devices.
The Infoblox ID Aware DHCP solution works with DHCP services on Infoblox appliances to provide basic NAC functions
in conjunction with your existing authentication and network infrastructure. The ID Aware solution can also
optionally integrate with a wide range of third-party solutions for endpoint policy assessment and enforcement.
It can make an immediate improvement in network security and compliance and is a lasting investment that provides
critical services required by any NAC implementation.
The Infoblox ID Aware DHCP toolkit enables user identity (and, optionally, endpoint state information) to direct the
operation of DHCP services and supports a number of applications, including:
* Guest access: Restricts access by unknown devices and users in guest areas and conference rooms to a “guest” or
quarantined VLAN without requiring any additional network infrastructure or third-party systems.
* Authenticated DHCP: Provides IP addresses on the production network only to devices whose users have been registered
in the Infoblox appliance database following user authentication against RADIUS, LDAP, or other enterprise directories.
* Endpoint policy assessment and remediation: Integrates with products from Infoblox partners to scan end devices
in quarantine, compare their status with security policies, and bring them into compliance before issuing a production
IP address.
The ID Aware DHCP solution is compatible with any network infrastructure and supports both managed and unmanaged
endpoints. It supports enforcement of network quarantine and access restrictions via multiple methods, including
ACLs and dynamic control of VLAN assignments on network routers and switches. Because it integrates with enterprise
directories and with Infoblox DHCP services, the ID Aware solution provides the unique ability for the Infoblox
appliances to assemble and maintain real-time and historical data that correlate user identity, device, and IP address
information. This information can be accessed via the ID Aware portal by NAC products and solutions from a wide variety
of vendors to support advanced endpoint security, policy enforcement, and compliance reporting applications. It can even
be used to detect rogue devices that attempt to bypass the system.
Commercial
Information updated: 05 Aug 06

EdgeWall
Vernier Networks
http://www.verniernetworks.com
EdgeWall Network Access Control Lifecycle
Authenticate – Identify users and endpoints
Vernier’s authentication capabilities provide customers the ability to configure strict access policies based on who
the end user is, and enforce those access policies in the network with the EdgeWall platforms. Once a user successfully
authenticates (Web login, Windows Domain login, 802.1x, etc.), a network access policy is applied for that user’s traffic.
The user may only communicate with specific servers / destinations using approved applications and protocols once they
pass the Validate phase.
Validate – Determine endpoint security compliance
After the endpoint has been identified in the Authenticate phase, the Vernier NAC solution can accurately determine the
state of the endpoint system from which the user is attempting to access the network. Far too often, a legitimate user
accesses the corporate network and unknowingly transmits worms and viruses to the network or transmits confidential data
to spyware sites. In addition, many endpoint systems are highly vulnerable as they are not up-to-date with the overall
corporate IT policy for software patches, virus definition files, or personal firewall settings. Vernier’s Validation
capabilities provide a non-intrusive “agentless” method for fully scanning the endpoint to ensure that it is in compliance
with all appropriate IT policies. If the endpoint is non-compliant, it will automatically be quarantined from the network
and only allowed to reach the remediation services or other “non-sensitive” areas such as the public Internet.
Authorize – Provide identity-based access control
Once the user identity is known and the endpoint is determined to be compliant, the Vernier NAC solution factors in any
remaining policies (source location, time of day, etc.) for tailoring access to the network and letting traffic be
transmitted to the appropriate destinations. The user experience is seamless and they do not perceive any limitations
in connecting to approved resources on the network if they are compliant. Conversely, all attempts to unapproved
resources are prevented, logged, and alerted.
Inspect – Continuously monitor and enforce endpoint compliance
The state of an endpoint can change dramatically in seconds, and it is not enough to simply check the user and endpoint
for policy compliance at the time of entry onto the network. The communication between an endpoint and server (or other
endpoints) must be continuously inspected for security problems such as worms, viruses, spyware and potential malicious
internal attacks on critical corporate resources. During this phase, any endpoint exhibiting behavior that is out of
compliance with IT policies is immediately quarantined from the network by the EdgeWall platform and only allowed to
reach the remediation service.
Quarantine & Remediate – Isolate non-compliant endpoints
If the endpoint is determined to be non-compliant during the Validate and/or Inspect phases, it is placed into an
isolated location on the network where it cannot reach critical resources or otherwise harm the network. Instructions
may then automatically be provided to the user to remediate themselves so that they can be brought into a compliant
state. Examples of this may be an automatic redirection to a website where the user can download the latest Antivirus
signature file or receive the latest antispyware updates. After the necessary updates have been installed, the endpoint
is Validated again to determine if it is compliant. Only after the user is determined to be compliant will full network
access be granted according to the policies. The Vernier NAC solution seamlessly ensures this phase, and the delicate
balance between protection of the corporate infrastructure and employee productivity is maintained. While services are
disabled immediately for non-compliant endpoint systems, highly intuitive feedback is provided to the users to ensure
they can bring their endpoints back into compliance quickly.
Commercial
Information updated: 05 Aug 06

Cisco NAC Appliance and NAC Framework
Cisco Systems Inc.
http://www.cisco.com
Network Admission Control (NAC), a set of technologies and solutions built on an industry initiative led by Cisco,
uses the network infrastructure to enforce security policy compliance on all devices seeking to access network
computing resources, thereby limiting damage from emerging security threats. Customers using NAC can allow network
access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the
access of noncompliant devices.
NAC is delivered two ways:
* NAC Appliance technology, based on the Cisco Clean Access product line, provides rapid deployment with self-contained
endpoint assessment, policy management, and remediation services.
* NAC Framework technology, through the Cisco Network Admission Control Program, integrates an intelligent network
infrastructure with solutions from more than 75 manufacturers of leading antivirus and other security and management
software solutions.
Business Benefits
Dramatically improves security
* Ensures endpoints (laptops, PCs, PDAs, servers, etc.) conform to security policy
* Proactively protects against worms, viruses, spyware, and malware; focuses operations on prevention, not reaction
Extends existing investment
* Enables broad integration with multivendor security and management software
* Enhances investment in network infrastructure and vendor software
* Combining with Cisco Security Agent enables "trusted QoS" capabilities that classify mission-critical traffic at the
endpoint and prioritize it in the network
Increases enterprise resilience
* Comprehensive admission control across all access methods
* Prevents non-compliant and rogue endpoints from impacting network
* Reduces OpEx related to identifying and repairing non-compliant, rogue, and infected systems
Comprehensive span of control
* Assesses all endpoints across all access methods, including LAN, wireless connectivity, remote access, and WAN
Commercial
Information updated: 05 Aug 06

Mirage Endpoint Control Appliances
Mirage Networks
http://www.miragenetworks.com
Get Lifecycle Network Access Control - Without the Agents.
Mirage enables you to control who gains admission to the network, ensuring that uninvited, infected, and out-of-policy
endpoints are never allowed to access and harm the network. Our agentless Network Access Control technology performs
risk assessment on all endpoints – regardless of IP device type or OS, irrespective of whether an endpoint is managed or
unmanaged.
As soon as a device attempts to gain access to the network, Mirage immediately identifies the endpoint and runs a quick,
effective policy check to determine if the device is infected with damaging threats and whether it complies with the
security policies in the network segment that it is trying to join. To verify the identity of users and ensure that
uninvited devices don’t gain network access, Mirage authenticates users by checking common credential stores, such
as RADIUS and Active Directory.
Before granting network access, Mirage determines the device type of the endpoint; whether it is known or unknown;
its past policy compliance and threat history; whether it is entering via a wired or wireless connection; and what
services are currently running – such as instant messaging, file transfer protocol services, or peer-to-peer
networking. A resulting risk profile is then used to evaluate whether to admit the endpoint to the network, to
require it to register on the network, to send it to a designated quarantine server for remediation, or to trigger
a combination of additional security checks.
For specific network segments, Mirage can be configured to run policy scans that assess risk factors, such as antivirus
version, signature update levels, OS patch levels, and the absence or presence of spyware and firewall software. In
addition to on-entry scans during network admission, devices can be re-checked throughout their lifecycle on the network.
Mirage’s Network Access Control technology is also easily integrated with third-party solutions like Foundstone and
Qualys for deeper vulnerability scan capabilities.
Going a step beyond identifying a device’s threat posture, Mirage’s admission checks can also be used to identify and
immediately block access for high-risk devices, like rogue endpoints and rogue wireless access points. This feature
offers another level of Endpoint Control, enabling you to establish an admission policy once and then rest assured that
the Mirage appliance is actively enforcing it.
Commercial
Information updated: 05 Aug 06

InfoExpress CyberGatekeeper
InfoExpress
http://www.infoexpress.com
Network Enforcement with CyberGatekeeper
Secure Enforcement - Untrusted Until Proven Trusted
CyberGatekeeper LAN and CyberGatekeeper Remote let systems access the network only after verifying they comply with
security policies. If systems are not in compliance or do not participate in the audit, they are kept in a quarantine
network.
With network enforcement, systems that are unknown or whose configurations are incorrect will be restricted to the
quarantine network. Because the enforcement is performed by the network, attempts to change system settings, misconfigure
software, remove the agent, or use a different system will not gain access to the network.
CyberGatekeeper LAN and CyberGatekeeper Remote allow compliant systems in and keep dangerous systems out. CyberGatekeeper
LAN is used to control access for network access points on the LAN, and CyberGatekeeper Remote controls access for remote
systems over VPN, NAS, and SSL. Both products ensure third party anti-virus software, personal firewalls, operating system
patches, and other software is configured properly and up to date.
Key features of CyberGatekeeper provide administrators with:
* Custom policy definitions
* Compulsory enforcement
* End user transparency
* Central management
* Scalability
* Ease of deployment
Commercial
Information updated: 05 Aug 06

StillSecure Safe Access
StillSecure
http://www.stillsecure.com
StillSecure® Safe Access™ protects the network by ensuring endpoint devices are free from threats and in compliance
with IT security policies before they are allowed on the network. An award-winning access control solution, Safe
Access protects the network from the damage a single compromised or infected endpoint can unleash.
With multiple, flexible testing and enforcement options, Safe Access integrates seamlessly into virtually any
network environment. Safe Access controls network access for the full range of user types
including trusted and untrusted, foreign and internal, remote, and wireless endpoints.
Safe Access is a flexible, enterprise-class solution, offering:
* Purpose-built network access control engine
* True agent-less endpoint testing option; no software installed on or downloaded to endpoint
* Multiple enforcement options: 802.1x, Inline, DHCP, and enforcement through Cisco's NAC architecture
* Integration with the IT environment through the StillSecure Enterprise Integration Framework™
* Deep endpoint testing with hundreds of off-the-shelf tests
* Compatibility with heterogeneous network infrastructure; no hardware upgrades required
* Comprehensive coverage of user types – network users, visitors, partners, remote users etc. (LAN, VPN, RAS, and
WiFi connections)
Commercial
Information updated: 05 Aug 06

Check Point Integrity Product Family
Check Point Software Technologies, Ltd.
http://www.checkpoint.com
Total Access Protection
Check Point Integrity endpoint security protects PCs and the enterprise networks they connect to from the worms,
spyware, and intrusion attempts that evade other security products. By defeating PC-borne threats, Integrity
mitigates the risk of major financial loss that can occur when information confidentiality or network availability
is compromised. It’s the only solution that delivers Total Access Protection, ensuring that both IT-managed and
guest PCs are secure before they are allowed to connect to the network.
Integrity’s award-winning defenses – based on the protections in ZoneAlarm, the world’s most trusted personal
firewall – automatically update antivirus and patches, terminate malware, remove spyware, block buffer overflow
attacks, and secure employee use of instant messaging services. Because it’s part of Check Point’s Unified Security
Architecture, Integrity is more easily deployed, integrated, and administered than alternatives. As a result,
Integrity minimizes the cost of defending the enterprise against the most dangerous endpoint threats.
Benefits
* Stops theft of customer and proprietary data
* Updates antivirus, patches, and spyware defenses before PCs connect to LAN
* Blocks intrusions by hackers and worms
* Secures endpoints without involving end users
* Minimizes administration through automation and unified central management
Check Point Integrity SecureClient for VPN-1 brings a new level of simplicity and effectiveness to securing
remote connections. By combining the market leading capabilities of SecureClient and Integrity, Integrity
SecureClient delivers the most advanced remote access connectivity, endpoint protection, and network access
policy enforcement in one solution. Combining multiple safeguards into a single package also makes it easier to
deploy and manage these critical endpoint defenses. And because it’s managed from the same unified security
platform as other Check Point products, Integrity SecureClient helps minimize the overall cost of protecting
enterprise networks and data.
Integrity Clientless Security mitigates the risks of unmanaged and unsafe PCs connecting to Web-facing resources.
Enterprises can now offer Web applications, online customer accounts, and SSL VPN connectivity to PCs outside the
control of the IT group without compromising on security or the end user experience. The unique solution enforces
pre-login security policy compliance, blocks spyware and network intruders, and enables end-to-end session
confidentiality on-demand, without the need for IT to install client security software. Integrity Clientless Security
is easy to deploy, simple to configure, and requires minimal ongoing administration.
The Integrity Advanced Server option for SmartCenter and Provider-1 fulfills the management needs of even the
largest enterprises. Its server cluster architecture delivers the highest availability, scalability, and hardware
efficiency of any endpoint security product. It also enables centralized, multi-tiered administration of distinct
organizational and geographic domains. For enterprises that demand true carrier-class management and control with
the lowest total cost of ownership, Integrity Advanced Server is the only option.
Commercial
Information updated: 05 Aug 06

EndForce Enterprise
Endforce, Inc.
http://www.endforce.com
ENDFORCE Enterprise™ Features
Complete Enforcement Coverage
Multiple enforcement options, used alone or in combination, provide enterprises with 100% network enforcement coverage today:
* Agent enforcement protects the network by providing self-quarantine for non-compliant endpoints.
* DHCP enforcement protects the network from LAN-connected devices by leveraging an enterprise's existing DHCP
infrastructure to quarantine non-compliant and rogue endpoints.
* IEEE 802.1X enforcement protects the network from devices connected to the LAN by leveraging an enterprise's
802.1X-compliant infrastructure.
* ENDFORCE Enterprise fully supports dynamic VLAN assignment and guest access.
* RADIUS enforcement protects the network from mobile devices by providing enforcement prior to opening IPSec, SSL-VPN, or
wireless connections. On capable wireless access points and VPN concentrators, ENDFORCE Enterprise can also perform dynamic
ACL assignment.
Centralized Policy Definition and Management
The ENDFORCE Enterprise Web interface provides an intuitive interface for defining and managing endpoint policies,
supporting all major security applications, custom element definition, and point-and-click contextual OS patch definition.
Policies and enforcement points are defined centrally for complete network coverage.
Comprehensive Reporting and Alerting
Includes powerful audit and reporting capabilities that enable administrators to monitor and manage endpoint compliance,
as well as any changes made to policy. Gives access to real-time and historical endpoint data that provides sophisticated
analysis, reporting, and trending information that can also be extracted and viewed in third-party data analysis tools
such as Crystal Reports. Provides real-time alerting based on compliance state changes and enforcement actions.
Client-Based
A client-based ENDFORCE Agent provides comprehensive compliance assessment and enforcement of managed endpoints both prior
to and during a session on the corporate network.
Client Web Agent
A clientless ENDFORCE Web Agent provides comprehensive compliance assessment prior to network access for remote or
LAN-based unmanaged endpoints or on managed endpoints where a client is not practical.
Commercial
Information updated: 10 Aug 06

Juniper Networks Infranet Controller
Juniper Networks, Inc.
http://www.juniper.net
Unified Access Control
* Combines identity-based policy and endpoint intelligence to give enterprises real-time visibility and policy control
throughout the network
* A cost-effective solution to the problem of unmanaged or ill-managed endpoint security throughout the LAN
* Integrates seamlessly with existing security infrastructure
* Endpoint assessment done via the Infranet Agent, a lightweight agent that is dynamically provisioned by the
Infranet Controller
* Policy enforcement at key places in the network, using Juniper's firewall/VPNs
Also, the Juniper Networks Odyssey Access Server and Client:
* Complete family of secure 802.1X access clients for the enterprise and government agencies
* Provides strong wireless security, to fully protect network data and credentials
* Easily deployed and managed enterprise-wide, for the lowest total cost of ownership
Juniper Networks' Odyssey Access Client is enterprise-class 802.1X access client software with full support for the
advanced WLAN security protocols that you require for wireless access to your LAN. Together with an 802.1X-compatible
RADIUS server such as Juniper Networks' Odyssey Access Server or Steel-Belted Radius®, OAC secures the authentication
and connection of WLAN users, ensuring that only authorized users can connect, that login credentials will not be
compromised, and that data privacy will be maintained over the wireless link. (A specialized version of OAC includes
a cryptographic module that has been FIPS 140-2 Level 1 Validated, to meet security requirements of government agencies.)
OAC is also an ideal client for enterprises that are deploying identity-based (wired 802.1X) networking.
OAC fully supports wired 802.1X connections, and saves time and effort by permitting one-time deployment of wireless
and wired 802.1X access. The use of a single interface for both functions also simplifies user experience and reduces
costs associated with user training.
Commercial
Information updated: 10 Aug 06

LANDesk Security Suite
LANDesk Software
http://www.landesk.com
LANDesk Security Suite lets you automatically detect and deploy security patches with active endpoint security management
from a single console. Take active control of endpoint security with support for advanced security management with
quarantine, antivirus enforcement, vulnerability detection, threat remediation, computer access restriction tools and more.
Use LANDesk Security Suite to minimize network downtime, reduce infrastructure and help desk costs, protect critical data
and more with:
* Network access control capabilities
* Exclusive security management over the Internet
* Advanced vulnerability detection
* Remediation tools
* Antivirus enforcement and firewall capabilities
* Patch management tools
* Assurance
Network Access Control Capabilities
Stop infected or unprotected systems from connecting to your corporate network as well as protect your corporate resources
from connected systems that become corrupt using LANDesk® Security Suite with LANDesk® Trusted Access™ technology.
Identify and quarantine out-of-date or unpatched managed and unmanaged computers and fix them before granting access.
Commercial
Information updated: 10 Aug 06

Microsoft Network Access Protection
Microsoft Corp.
http://www.microsoft.com
Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform built into the Microsoft Windows Vista and Windows
Server Code Name "Longhorn" operating systems that allows you to better protect network assets by enforcing compliance
with system health requirements. With Network Access Protection, you can create customized health policies to validate
computer health before allowing access or communication, automatically update compliant computers to ensure ongoing
compliance, and optionally isolate noncompliant computers to a restricted network until they become compliant.
For more information, see the white paper Introduction to Network Access Protection.
Commercial
Information updated: 10 Aug 06

Nortel Secure Network Access
Nortel Networks
http://www.nortel.com
Nortel Secure Network Access for the enterprise LAN extends endpoint security (threat mitigation and policy compliance)
to secure the enterprise LAN infrastructure. Because so many threats are from internal users on the network, endpoint
security must include wired and wireless endpoints within the corporate network. The Nortel Secure Network Access Switch
(SNAS) is the intelligent policy engine that applies and enforces security policy to any/all LAN users/devices at the point
of network access. The solution provides a set of capabilities to help customers protect their networks by inspecting
PC health state, restricting network access for unhealthy clients, and updating unhealthy clients for full, role-based
network access, thereby ensuring LAN network integrity.
This is an open solution but it is tightly integrated with Nortel Ethernet Routing Switches 8300 and 5500 series. It
enables a highly integrated Layer 2 security solution from a management and ease of use perspective. With the solution,
the enterprise can define, deploy, and enforce a robust, and consistent security policy across its varied network segments
with role based access enablement premised on user identity and session context. All devices that access the LAN network
can be evaluated including the operating system, patches, anti-virus software, personal firewall status, registry settings
and other system configuration components. Verifying compliance and blocking connections from non-compliant systems can
guarantee 100 percent compliance with corporate policy 100 percent of the time.
Key Features:
* Universal client device support
* "Intelligent Policy Engine" Nortel Secure Network Access Switch 4050
* Tight integration with edge switches (Ethernet Routing Switch 8300 and Ethernet Routing Switch 5500 series)
* Tunnel Guard protection and remediation for clientless endpoints
* "On-demand, always-on" vulnerability vigilance
* Policy compliance (Sarbanes Oxley, COBIT)
* Port basis scanning for granular access interrogation
* Scalable, flexible architecture
* Security-policy creation engine with Enterprise Policy Manager
* Open-vendor alliances
Also see the Nortel Secure Network Access for Remote VPNs (IPSec and SSL). This leverages Tunnel Guard technology to
enforce endpoint security for remote VPN users. Nortel SNA enables network administrators to define security policy on
the VPN devices themselves (VPN Routers and VPN Gateways) and ensures that all users or devices connecting to the VPN
gateway devices are inspected for compliance to the enterprise security policy. Nortel’s Tunnel Guard will check the security status
of an endpoint device, including the status of executables, software versions and operating system, before accepting
or rejecting the endpoint VPN connection to the corporate network. Nortel VPN Tunnel Guard helps to prevent the
end-user PC from becoming a vehicle for viruses or other unwanted intrusions into the secure enterprise network
through the VPN tunnel, thereby providing a comprehensive security solution, capable of enforcing security best
practices on both managed and unmanaged (IPsec and SSL VPN) endpoints.
Commercial
Information updated: 10 Aug 06

SafeWord SecureWire
Secure Computing Corporation
http://www.securecomputing.com
SafeWord® SecureWire™ is a powerful identity and access management (IAM) appliance that secures access, enforces
policy, and provides complete and customizable reporting for your entire network. SecureWire provides lightning fast,
ultra secure access to every application and data resource in your network, hosting every access method for users both
inside and outside the enterprise—and it does it with identity, security, and simplicity in mind. As a vital component
of your complete identity and access management strategy, SecureWire revolutionizes the way you provide access to
employees, business partners, and extranet users.
It's simpler with SecureWire:
* Internal and external network access
* User and identity management
* Security policy enforcement
* Configuration compliance and end-point security
* Reporting
SecureWire benefits:
* Simplifies network access and secures every access point
* Improves security by identifying users from all network points
* Simplifies access management by consolidating policies on a single device
* Enables configuration compliance to ensure that only properly configured end-point devices can access the network
* Reduces IT workload by providing a single point of management and reporting
Commercial
Information updated: 10 Aug 06

Symantec Network Access Control
Symantec Corporation
http://www.symantec.com
Symantec Network Access Control 5.1 increases security, network availability, and regulatory compliance by enabling
enterprises to enforce security settings and software running on the hosts connected to their enterprise networks.
Support for the widest variety of network equipment, access methods, and protocols in the industry helps organizations
maximize ROI by eliminating ties to specific vendors.
Key Features
* Blocks or quarantines non-compliant devices from accessing the corporate network and resources.
* Host Integrity tests against pre-defined templates such as patch level, service packs, antivirus, and personal firewall
status, as well as custom created checks tailored for the enterprise environment.
* Pervasive endpoint coverage for managed and unmanaged laptops, desktops, and servers existing both on and off the
corporate network.
Key Benefits
* Protects the network from dangerous endpoints by enforcing compliance on contact with the enterprise LAN, wireless
network, and remote access services.
* Ensures lowest total cost of ownership by managing integrated endpoint protection and network access control in one
centralized architecture.
* Leverages existing network investments through integration with all major infrastructure vendors.
Commercial
Information updated: 10 Aug 06

McAfee Policy Enforcer
McAfee Inc.
http://www.nai.com
Protect your network from the risk of noncompliant systems
McAfee® Policy Enforcer limits network access to systems that comply with your security policies. It complements
McAfee protection and other leading products as a key part of your network access control solution.
Benefits:
* Extensive risk mitigation - Mitigate your risk with comprehensive network access control across all access methods
and for all endpoint devices
* Increased network availability - By enforcing policy compliance at network access, Policy Enforcer avoids network
slowdowns caused by viruses and other threats
* Safely extends your network - Policy Enforcer lets you expand your business by safely and securely extending network
access to your business partners, vendors, and suppliers
* Early start at minimal investment - Policy Enforcer's software-based solution integrates with your current network
and security environment for enhanced security at minimal incremental cost
Features:
* Discovers noncompliant systems - Policy Enforcer discovers both managed and unmanaged systems that could cause harm
to your network and its users.
* Comprehensive system checks - Policy Enforcer assesses compliance for security applications, Microsoft® patches and
critical infections
* Broad enforcement - Policy Enforcer provides built-in enforcement for managed and unmanaged systems connected locally
or remotely; it also provides integration with third-party enforcement framework methods
* Flexible remediation - Policy Enforcer supports portal remediation with one-click updates and automated remediation
* Centralized management and control - Manage and control access to your network, along with your other system security
products, through a single console with Policy Enforcer and McAfee® ePolicy Orchestrator®
Commercial
Information updated: 10 Aug 06

Lockdown Enforcer
Lockdown Networks
http://www.lockdownnetworks.com
Lockdown Enforcer is the cornerstone of the Lockdown NAC solution. Lockdown Enforcer is a dynamic network access control
appliance that simultaneously authenticates users and devices, then audits them on-schedule or on-demand to ensure
conformance with IT and security policies. Enforcer ensures the right users are on your network, and that devices
comply with policy to minimize your exposure to unauthorized access, exploits and attacks.
Lockdown Enforcer delivers policy-based access control by interfacing with network entry points to deny access to or
quarantine users and devices that do not conform to administrator-defined rules. Quarantined users are directed to
appropriate resources for assisted remediation. Enforcer includes the full capabilities of the Lockdown Auditor with
the addition of a robust and powerful policy management environment for network access control.
Features:
* Powerful Policy Engine
* Enforcement at the Switch
* Enforcement at the Wireless Access Point
* Multiple Authentication Methods
* Powerful Agent or Agentless Vulnerability Assessment
* Integrated Authentication Server
* Integrates with Directory Services
* High Availability
* Automatic Segmentation and Quarantine
* Configurable Audits
* Aggregates and Baselines Vulnerability Data
* XML API and ODBC Interface
* Centralized Reporting
* Enforcement Via ACLs
* Workflow and Notification
* Backup/Restore
Commercial
Information updated: 10 Aug 06

ConSentry LANShield products
ConSentry Networks
http://www.consentry.com
Controlling access to the LAN entails controlling both who connects to the network and the machines they use. For
NAC to be an effective first line of defense, it must encompass both
* User authentication; and
* Host posture check.
Enterprises need to verify that users are who they say they are and that the machine they’re using to enter the
LAN complies with corporate standards, running an approved operating system with current patches and fixes and an
updated anti-virus program. Without both sets of admission controls, authorized users may unwittingly unleash
malware that anti-virus software would have removed from their laptop. To ensure that a NAC solution meets enterprise
needs, user authentication and host posture check offerings should meet the following requirements.
Requirements for User Authentication
* Ability to support both passive and active authentication
* Flexibility to work with multiple identity stores for authentication
* Ability to identify a user’s role as part of authentication
Requirements for Host Posture Check
* Ability to provide ubiquitous, easy to administer host posture check
* Support for host posture check on hosts not under enterprise control
* Ability to work with multiple NAC agents or architectures
The LANShield Switch and LANShield Controller support NAC by leveraging an organization's existing AAA servers and
identity stores as well as its host integrity infrastructure. Where applicable, the Secure LAN products can actively
participate in user authentication and host posture checks.
As full-featured LAN security platforms, ConSentry’s Secure LAN products provide a robust NAC solution, meeting all the
requirements for user authentication and host posture check.
Commercial
Information updated: 10 Aug 06

Nevis Networks LANEnforcer and LANSight
Nevis Networks
http://www.nevisnetworks.com
IT needs to be able to ensure that devices attempting network access are in compliance with corporate security
policies, every time, and before they are allowed onto the network. Endpoints that fail to meet policy compliance
should be automatically quarantined.
Endpoint software is one alternative today; however, it is expensive to deploy and maintain. Network infrastructure-based
solutions offered by other vendors can be expensive to deploy, require all systems to be upgraded, and still require
desktop client software that needs to be maintained. Basically, today's solutions are not cost effective to deploy and
operate and can't provide a comprehensive solution to the LAN security problem.
Nevis provides a comprehensive LAN security solution with its LANEnforcer LAN security systems and LANSight security
management products, which address the requirements for network admission control. Nevis' solution delivers:
* Automatic, clientless endpoint security audit before allowing network access; quarantine and deny access if the device fails
* Role-based user, network and application access control
* Ability to identify individual user identity so users can be quickly assisted and identified should a security event occur
* Easy integration as a drop-in to existing network infrastructures and services (switches, routers, AAA, directory services,
VLANs etc.) without requiring configuration changes or upgrades
Commercial
Information updated: 10 Aug 06

CounterACT
Forescout Technologies
http://www.forescout.com
CounterACT combines clientless network access control (NAC) and signatureless intrusion prevention to ensure all
connecting devices are in compliance with network security policies and are free of worms and self-propagating malware.
CounterACT seamlessly integrates into any network environment without requiring costly upgrades or infrastructure changes,
and enables enterprises to tailor enforcement actions to match the level of policy violations, eliminating disruptions
during device interrogation.
CounterACT solves the complex problem of enterprise-wide network policy enforcement across all devices connected to a
network by ensuring that all endpoints are up-to-date with necessary patches (e.g., Microsoft Security Updates or anti-virus
definition files) and are free of unauthorized programs and malware. By detecting and instantly blocking critical threats
(fast-spreading worms and malware) upon connection, CounterACT allows users to connect to the network while their device
is undergoing a deep interrogation, without disruptions or changes in end-user experience.
In addition to traditional security issues, today's enterprises are dealing with the influx of vulnerabilities introduced
by contractors, guests and mobile/home employees who are able to bypass physical security and the traditional network
security mechanisms designed to prevent non-compliant endpoints from accessing the network. CounterACT addresses this
problem by enforcing network security policies across all managed and unmanaged network devices, including desktops
and laptops as well as non-OS devices such as VoIP phones, handhelds and network printers, without the need for a
software agent of any kind.
Commercial
Information updated: 14 Aug 06

BigFix IT.Next Platform
BigFix Inc.
http://www.bigfix.com
BigFix is the only policy-driven, unified IT security and operations optimization platform that
enables IT.Next levels of real-time visibility and control of all enterprise computing devices.
BigFix accomplishes this through a revolutionary, massively scalable service delivery platform
and on-demand policy content modules. A single, highly efficient agent on each end-point
continuously discovers, assesses, optimizes, remediates, and reports on a virtually unlimited
number of IT policies. Using BigFix, you see everything you need to manage, have the power to
change it, and know that actions have taken place--all in real-time, across the enterprise.
Whether you use BigFix to automate and optimize IT Operations, IT Security, Compliance and
Audit--or all three--only BigFix plugs into the infrastructure you already have to manage it from
a unified console.
The BigFix IT Policy Enforcement Solution Pack provides the Network Access Control functionality,
including:
* On-demand delivery
* IP-enabled and rogue network device discovery
* Host-based vulnerability assessment with severity scoring
* Hardware and software inventory and software usage tracking
* Security patch management and security updates for major operating systems and common
commercially-available applications
* Define and assess client compliance with corporate and third-party security configuration baselines
* Define and enforce security policies and “dress codes”
* Maintain policies and standard configurations on mobile computers on- or off-enterprise networks
* SANS, Microsoft, and BigFix security best practices
Commercial
Information updated: 22 June 07

Aventail SSL VPN
Aventail Corp.
http://www.aventail.com
Network Access Control (NAC) refers to the automated determination of who gains access to what network resources
using what methods, based on strategic policy. Aventail SSL VPNs provide the easiest remote access control for
today's mobile enterprise network.
SSL VPNs are the progenitors of the NAC concept and technology, and Aventail launched the industry's first SSL-based
product for remote access in 1997. Since then, Aventail has been an award-winning innovator in the field, continually
focusing its resources on delivering the best-of-breed secure remote access solution.
Aventail delivers on the promise of NAC today. Aventail SSL VPNs detect the trustworthiness of a wide range of
end-point environment criteria prior to authorization, connect authorized users to a broad range of applications
according to unified policy, and protect resources based on the security and identity of both the user and the
end-point using a single, easy-to-control gateway. Aventail is a market leader in the SSL VPN industry, and will
continue to build on its experience in access control technology to play a central role in the NAC initiative
into the future.
Aventail delivers comprehensive mobile enterprise network access controls that can detect potential threats in
end-point environments, protect resources from inappropriate access based on unified policies, and connect
authorized users using the widest range of leading end-point devices.
* Aventail® End Point Control™ (EPC) lets administrators enforce granular access rules for Windows®, Windows Mobile,
Macintosh®, and Linux® end-point environments. EPC combines pre-authentication interrogation, which detects keystroke
loggers and other malware, with checks of end-point criteria such as the presence of current antivirus software.
* Aventail® Unified Policy™ centralizes control of all users, groups, resources, and devices, allowing administrators
to quickly set policy to protect resources with a single rule across all objects.
* Aventail® Smart Tunneling™ connects users with unparalleled application reach, including support for back-connect
applications such as those using voice over Internet protocol (VoIP). Adaptive addressing and routing dynamically
adapts to networks, eliminating addressing and routing conflicts common with other solutions.
An Aventail SSL VPN provides a single, scalable secure gateway for all remote access to your network resources.
Commercial
Information updated: 14 Aug 06

Novell ZENworks Endpoint Security Management
Novell Inc.
http://www.novell.com
Features & Benefits
Personal Firewall - Protect users with transparent solutions. The world's strongest, yet easiest to
use, firewall to protect against hackers, malware, protocol attacks, and more, keeping security
invisible to the end-user and requiring no interaction on their part.
Wireless Security - Keep users from using bogus wireless. Centrally control when, how, and where
users are allowed to connect. Doesn't just detect intrusions, it totally prevents them 24x7 in all
locations. Wi-Fi connectivity can be limited to authorized and known access points and to a specified
encryption strength, and can be disabled completely if necessary based on location. Easily controls
keys, MESH and WiMAX environments, enforces VPN usage if required by policy, and much more.
Encryption Solution - Stolen laptops don't have to spell disaster. Secures data stored on the endpoint
and on removable media, encrypting files so they can only be read by authorized users. Protects
sensitive information on lost or stolen mobile computers. Keys are managed transparently throughout
the enterprise, requiring no end-user involvement other than getting their work done in the usual
way.
USB Security - Don't let your secrets walk out the door on a thumb drive. Prevents intentional or
inadvertent transmission of data to removable storage devices. Storage devices including thumb drives,
iPods, cameras, printers, CD and DVD drives can be placed in read-only mode or fully disabled, while
the endpoint hard drive and all network drives remain accessible and operational. White lists of
specifically approved USB thumb drives can be employed, and in combination with data encryption ...
you just couldn't be more secure from both internal and external data loss, whether deliberate or
inadvertent.
Application Control - Keep everyone compliant with the corporate application policies. Ensures only
approved applications are run on corporate IT assets -- create white/black lists, or enforce
applications to run (e.g., VPN) prior to network connection.
Posture and Integrity - Ensures 24x7, connected or not, that your employees are actually running their
AV, anti-spyware, or other applications according to your policies. Ensures that OS security
patches, AV data files and other critical posture elements are in place and up to date. Enables you
to warn, shut down and point to remediation services, or execute a custom script based on whatever
triggers you choose.
Client Self Defense - Secure your security client. Protects the endpoint by ensuring that the security
client cannot be altered, hacked, or uninstalled. Even with administrative rights on a machine, the
user cannot disable the policy enforcement.
Device Control - Prevent rogue access. Managed at the lowest level for optimal security and
performance, safely controlling connectivity via LAN, modem, Bluetooth™, Infrared, 1394 (Firewire™),
and serial and parallel ports.
Alerts / Monitoring / Reporting - Keep a careful eye on everything. Provides a scalable and simple
method for creating, distributing, enforcing, and monitoring security policies on endpoint devices,
without forcing users to make security decisions or adjust settings. Novell offers robust and tunable
reporting to assist in regulatory compliance reporting.
Common Criteria EAL 4+ Certified
Commercial
Information updated: 06 Sep 2007

Network VirusWall Enforcer
Trend Micro Inc.
http://www.trendmicro.com
Network VirusWall™ Enforcer delivers new plug-n-protect network access control to protect the network against
the fastest growing source of infection—the mobile and remote workforce. This second generation Network VirusWall
appliance controls network access by ensuring devices—managed or unmanaged, local or remote—comply with corporate
security policies—before they can access the network.
Network VirusWall Enforcer scans devices for the most up-to-date security software and critical Microsoft
patches—without requiring an agent to be pre-installed on a device. Non-compliant devices are immediately quarantined
and sent through automatic remediation. The appliance also builds on proven Network VirusWall security, filtering
network traffic to detect and block network worms and BOTs—with zero false positives.
Commercial
Information updated: 14 Aug 06

Caymas Access Gateways
Caymas Systems Inc.
http://www.caymassystems.com
Caymas Systems Identity-Driven Access Gateways are the only appliances that provide both SSL VPN remote access and
Network Access Control from a single platform. Caymas Access Gateways feature the most advanced policy engine,
accepting inputs based on the identities of users, devices, locations, applications, and the results of host
integrity checks, to provide a single point of policy enforcement for enterprises and government organizations.
The result is unprecedented visibility and control for access to the network and to systems, applications, files
in an enterprise.
The Caymas Systems policy engine and hardware architecture harness the Power of Identity™ to create the most advanced
Network Access Control (NAC) platform available, including the strongest available control for a rapidly growing IT
challenge—Network Quarantine.
Caymas Network Quarantine Features
Network quarantine can be a significant tool for an IT department. Beyond simply being a way to prevent access to the
network, Caymas’ Network Quarantine can serve as a tool to extend access in new ways, increasing user satisfaction and
productivity. Caymas Access Gateways, used either as a NAC appliance or an SSL VPN remote access appliance (or both),
provide a rich set of tools for both protecting the network and improving service levels.
Caymas Access Gateways quarantine the user by restricting them to a limited IP subnet – which could include access to
the Internet. The user only has access to the remediation resources with all other network resources blocked. In
addition, the user is notified how to remediate their system. If the user fails a Host Integrity check or authenticates
using weak resources, they can be placed in a highly restrictive Security Zone.
The key quarantine features on Caymas Access Gateways include:
* Host Integrity Checking. User PCs must be in compliance with corporate security policy before being allowed on the
network. The Caymas Access Gateways' integrated Host Integrity Checker automatically checks for:
o OS, Service Pack and patch level
o Anti-virus engine and definitions files (all commercial and open source products)
o Personal firewalls and IPS (all commercial products and the Windows XP firewall)
o Anti-spyware products (all commercial and freeware products)
o Registry Entries
o Active processes
o Open and listening ports
* Dynamic Security Zones. Caymas Access Gateways dynamically adjust access based on location, the results of the
Host Integrity Check and user authentication method (i.e., username and password versus RSA SecurID or X.509 certificate).
* Smart Remediation. Users that fail the Host Integrity Check are placed on a quarantine network with specific
instructions and links to remediate the problem. The user will only see the specific items that they need to fix
and not be presented with a list of irrelevant links.
* The Caymas Launchpad Portal. When the user fails a Host Integrity Check, they are automatically placed in a
quarantine security zone and are presented with the Caymas Launchpad Portal. The portal displays links related to
just the specific remediation steps required to fix the discrepancy, and then allows the user to access the network
resources they are permitted to use.
Caymas Systems has implemented a simple, flexible, and secure quarantine and remediation capability for SSL VPN and
NAC deployments. The result is a comprehensive access control gateway that is able to control access for all users
and devices, while providing help desk relief and lower costs.
Commercial
Information updated: 14 Aug 06

Altiris Endpoint Security Solution
Altiris
http://www.altiris.com
Altiris® Endpoint Security Solution™ software protects your corporate data and prevents malware
and hackers from intruding on individual endpoints or the network itself. With extensive control
over wireless networks, removable storage devices and applications, Altiris provides a single,
centralized endpoint solution that maximizes worker productivity without sacrificing security.
Location-Aware Sys