Bradford Networks is revamping its network access control software, which initially was customized for college campuses, to make it more suitable for corporate use.
The vendor's new NAC Director appliances come loaded with software that is functionally very similar to Bradford's original product, Campus Director.
In its initial release, NAC Director attaches to the monitoring port on a network switch where it profiles the network by interrogating switches, access points and databases.
The device can be dropped into heterogeneous networks without altering their architecture, essentially adding a security-control plane, says Eric Ogren, an analyst with Enterprise Strategy Group. This lets customers add NAC functionality without a big investment in new network switches or software on every device connected to the network, he says.
This was key to NaviMedix, an Internet portal company that links medical facilities to insurance companies and other third-party providers. The company is a Cisco shop, but didn't want to be tied to a single vendor for its security, says Bob Chin, the executive vice president for NaviMedix. "It's out-of-band so we're not tied to a particular set of network equipment, which Cisco does," he says.
The fact that the appliance links users to MAC addresses makes it easier for users to change locations yet maintain NAC security, he says. The architecture does not rely on devices being attached to specific switch ports. "If someone moves from cube 1 to cube 17, they don't have to go to the wiring closet and move things around," Chin says.
Other vendors touting add-on NAC include Nevis Networks, ConSentry Networks, Mirage Networks and Vernier Networks.
Once it has familiarized itself with the network, NAC Director can manage identities of individuals by associating them with MAC addresses, the users' roles in the company, IP addresses, how the device is attached to the network and time of day.
It can then check the endpoint to see whether it complies with security policies such as updated operating systems, registry settings, application patches and whether certain applications such as antivirus scanning are running. Based on the results, the device can admit the machine trying to gain access or quarantine it to a virtual LAN where the user can fix whatever shortcoming was found.
NAC Director also can enforce usage policies set for each user. It can limit bandwidth available to each user, for example. The policies are enforced via other network devices such as switches and traffic shapers. These receive instructions from NAC Director via a variety of means including SNMP commands and command-line interface commands, which Bradford Networks has customized for individual network devices sold by multiple vendors.
NAC Director appliances can be centrally located and can support from 100 uses per device to 6,000 users via multiple devices. Three models are available, starting at US$6,500. If multiple appliances are linked to boost capacity, a separate device called Access Manager is required as well.