Startup Insightix hopes to make its mark in the network access control market by incorporating its software that discovers all the devices on a network into an overall NAC deployment.
Insightix NAC is an add-on to the company's core product, Enterprise Collector, software that monitors network traffic and probes individual devices to elicit more information about them and to draw a network topology map. It keeps the map updated as elements change, such as a device logging off and logging back in again with a different configuration.
To use Insightix NAC, network administrators mark each device as either authorized to access the network or not. If a device is not authorized, the software blocks it by using ARP (Address Resolution Protocol) spoofing, which effectively cuts the device off from sending traffic to the rest of the network. Alternatively, the software can send SNMP commands to switches to prevent unauthorized devices from being granted access to switch ports.
Other NAC schemes can be exploited by machines that masquerade as devices that should be allowed on the network, says Ofir Arkin, Insightix's CTO. For instance, a printer would not be included among devices that need to pass NAC scrutiny, so a device mimicking one could access the network unchecked to perform mischief, he says.
Insightix uses its own Dynamic Infrastructure Discovery (DID) software to unmask such devices. DID, a component of Enterprise Collector, is loaded on a server that has two network interface cards, one attached to the network and one to a spanning (mirror) port on a core switch. The one on the spanning port passively monitors network traffic to figure out which devices are active on the network. The second card is used to actively probe devices as necessary.
So DID might send queries to figure out if a device reporting itself as a printer is actually a printer. If it is something else, Insightix NAC can shut it down.
The enforcement mechanism can be either ARP spoofing controlled by Insightix NAC itself or SNMP commands to switches with published Management Information Bases (MIBs), such as those from 3Com, Cisco, Foundry, Nortel and others, Arkin says.
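The probe-and-enforce loop described above (a device that claims to be a printer is checked against what it actually exposes, and an impostor is shut off at its switch port) can be illustrated with a small consistency check. The following is an added example written for this article, not Insightix code and not a description of how DID actually classifies devices. It assumes three constructed inputs per device: a MAC address, a claimed class (for example from an administrator's label or a DHCP vendor class), the TCP ports observed answering, and an SNMP sysDescr string. The OUI table and the expected-service sets are hypothetical stand-ins for a real vendor database and a real device profile. The enforcement action it produces is the standard IF-MIB ifAdminStatus object (1.3.6.1.2.1.2.2.1.7.<ifIndex>) set to down(2); the code only builds that request and does not send it.

```python
"""Consistency check between what a device claims to be and what it does
on the wire, followed by the SNMP port-shutdown request a NAC enforcer
would issue.  All data here is constructed for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical OUI-to-class table keyed on the first three octets of the
# MAC.  02:xx:xx addresses are locally administered, so these entries are
# obviously constructed and do not correspond to any real vendor.
OUI_CLASS: Dict[str, str] = {
    "02:aa:00": "printer",
    "02:bb:00": "workstation",
}

# Services a device of each class is expected to expose.  Anything outside
# the allowed set is a red flag for that claimed class (hypothetical profile).
EXPECTED_SERVICES: Dict[str, Set[int]] = {
    "printer": {80, 161, 515, 631, 9100},
    "workstation": {22, 135, 139, 445, 3389},
}

# IF-MIB ifAdminStatus column; appending the ifIndex addresses one port.
IF_ADMIN_STATUS_OID = "1.3.6.1.2.1.2.2.1.7"
IF_ADMIN_DOWN = 2  # ifAdminStatus value down(2)


@dataclass
class Evidence:
    mac: str
    claimed_class: str          # what the device (or its label) says it is
    open_tcp_ports: Set[int]    # ports seen answering during the active probe
    snmp_sysdescr: str = ""     # sysDescr returned by the device, if any


@dataclass
class Verdict:
    authorized: bool
    reasons: List[str] = field(default_factory=list)
    action: Optional[Dict[str, object]] = None   # SNMP SET to perform, if any


def classify_by_oui(mac: str) -> str:
    """Return the class the OUI table associates with the MAC, or 'unknown'."""
    return OUI_CLASS.get(mac.lower()[:8], "unknown")


def assess(ev: Evidence, switch_ifindex: int) -> Verdict:
    """Compare claimed identity with observed behaviour; on mismatch, build the
    ifAdminStatus SET that would shut the device's switch port."""
    reasons: List[str] = []

    oui_class = classify_by_oui(ev.mac)
    if oui_class not in ("unknown", ev.claimed_class):
        reasons.append(f"OUI suggests {oui_class}, device claims {ev.claimed_class}")

    unexpected = ev.open_tcp_ports - EXPECTED_SERVICES.get(ev.claimed_class, set())
    if unexpected:
        reasons.append(f"unexpected services for a {ev.claimed_class}: {sorted(unexpected)}")

    if ev.claimed_class == "printer" and ev.snmp_sysdescr \
            and "print" not in ev.snmp_sysdescr.lower():
        reasons.append(f"sysDescr does not look like a printer: {ev.snmp_sysdescr!r}")

    if not reasons:
        return Verdict(authorized=True)

    action = {"oid": f"{IF_ADMIN_STATUS_OID}.{switch_ifindex}", "value": IF_ADMIN_DOWN}
    return Verdict(authorized=False, reasons=reasons, action=action)


# Constructed sample devices: a genuine printer and a host posing as one.
REAL_PRINTER = Evidence("02:aa:00:11:22:33", "printer", {9100, 631, 161},
                        "Acme LaserPrint 4000 print server")   # constructed
IMPOSTOR = Evidence("02:aa:00:44:55:66", "printer", {9100, 445, 3389},
                    "Linux workstation 5.x")                  # constructed


def demo() -> List[Verdict]:
    return [assess(REAL_PRINTER, 11), assess(IMPOSTOR, 12)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two practical points worth keeping in mind when reading the article against this example: the SNMP path needs write access to the switch (guard the community string or SNMPv3 credentials accordingly), and ARP-based enforcement only reaches devices in the same broadcast domain as the enforcer, so a routed network needs either an enforcer per segment or the switch-port approach.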
The Insightix gear can be deployed and a topology map created within several hours, the company says. The gear requires no agent on the end-devices it screens, although the company is considering creating one. It would enable the software to gather specific information customers might want to draw from devices attached to the network that cannot be gathered via monitoring traffic and probing, Arkin says.