- +
ARN's A-Z guide to networking 19 December, 2007 14:50:54
As business needs change, so do the requirements for the business backbone. ARN looks at networking trends and technologies and reports on predictions for 2008 and beyond. - +
Zenoss: New dog masters old monitoring tricks 30 November, 2007 12:50:00
Zenoss Core 2.1 impresses with object-based approach, strong device discovery, native Windows monitoring, and open source extensibilitySince the dawn of the business network, there has been a need to ensure that the network services provided to the enterprise are alive and responsive. Traditionally, in midsized businesses, this role has been filled by complex, closed source, and fantastically expensive solutions from manufacturers such as BMC, CA, HP, and IBM. And while these extravagant expenses make no customer happy, many users of these packages also complain of their complexity. Enough administrators have spent enough time wrangling with their monitoring systems to make a lot of smart people imagine that there must be a better way.
Click here for case studies, whitepapers and other useful vendor content Newsletter Subscription
The wide variety of so-called NAC (network access control) products on the market shows a broad range of thinking about policy-based security controls and the management of the network in general, including the end-point devices that connect to the network. Some vendors enforce policies using a client agent, some enforce them in the network, and some even use peers for enforcement. Network-based enforcement itself can take many forms, including dedicated gateway, DHCP manipulation, 802.1x authentication, and port- and VLAN-based enforcement on switches.
In short, there are many ways to skin the NAC cat.
Considering Sophos' extensive background in managing the security of host systems, you might expect its NAC solution to make use of agent-based enforcement, and you'd be right. However, Sophos also took a decidedly open path to the system, allowing for integration with environments using a wide range of anti-virus agents, 802.1x, DHCP, Cisco NAC, and VPN methods of control and enforcement.
Sophos NAC Advanced combines a Windows Server 2003-based policy management server with end-point agents, dissolvable agents, and reporting to deliver a compelling system for Windows-oriented environments. Although Sophos offers anti-virus software for Mac OS X and Linux as well as Windows, this first release of Sophos NAC Advanced is focused strictly on assessment and policy management for Windows end points.
Policy is king
As in my previous reviews of solutions from ConSentry, Enterasys, McAfee, Symantec, and Trend Micro, I looked at the Sophos product's ability to address a set of typical enterprise policies and distinguish the ways in which the product does that. When choosing among NAC solutions, the key is to consider your requirements from within the universe of possible policies, especially in terms of the granularity of both the policies and their enforcement. You will also want to consider how (and how frequently) you want to interact with the system and whether ease of policy creation, policy modification, or reporting are your most vital requirements.
Sophos takes a hierarchical approach to policies. Using a straightforward Web-based GUI, admins create a hierarchy of profiles, with each policy comprising one or more profiles plus the defined outcome for compliant, partially compliant, and noncompliant systems. Sophos allows policies to be run in report-only, remediate, or enforcement mode. This flexibility is especially useful during the introduction of new policies into the system, and provides for a transition as you determine the compliance of the end points in your environment.
You can create profiles for the operating system (at least one of which is required for every policy), applications (including both security components such as anti-virus as well as user applications such as Internet Explorer), and patches for each of them, and assemble them into policies that outline the required OS patch level, anti-virus application and signature currency, and firewall application and settings. The policy definitions also include the resulting access available to the end point and any alerting necessary. In addition, you specify how frequently the agent on each end point will check for updates to the policy, assess and reassess the host system for compliance, and communicate with the reporting system.
ARN Member Login
ARN Panel Sessions: Day 3The last of our panel sessions recorded live at CeBIT 2008. Today, the topic is storage. Data is growing at an enormous rate, so what does the future hold?
Weekly Tech News Update: 13th October, 2008A new BlackBerry takes the world by storm, AMD splits into two and new games are on display at the Tokyo Game Show.
Brian's bloopersIt takes a long time to produce an episode of Channel Watch. Maybe you'll understand why after watching this...
When an IT disaster occurs, how handy it would be to push a button and start again as if nothing had happened.
Discover and learn more about CA XOSoft today.
NETGEAR Introduces First Dual-Band Secure Wireless-N Solution for SMEs 13 October, 2008 15:52:00
NetStar Networks Calls Brisbane Home 13 October, 2008 12:01:00
F-Secure achieves excellent results in Internet security suite comparison 10 October, 2008 14:37:00
Lock It Up With Maxtor BlackArmour, Hardware Encrypted Storage Provides Government Grade Security For Consumers 10 October, 2008 09:04:00
M2M Connectivity announces the new Sierra Wireless MC8792V embedded module for 900 MHz 3G/HSPA networks 10 October, 2008 08:51:00
Dimension Data, La Trobe University and Windows Server 2008 partner to improve compliance
La Trobe University partnered with Dimension Data to deploy Windows Server 2008 and Network Access Protection technology to improve their existing network security solution.
Subscribe to ARN
