Lockdown Networks has simplified management of its NAC gear by reducing the number of boxes it has to deal with in order to protect networks from potentially infected wireless devices.
New software for Lockdown Enforcer appliances can block access to wireless devices by shutting down ports on wireless switches. That means by dealing with a single switch, the Enforcers can admit or deny any wireless access point attached to the switch.
Previously, Lockdown Enforcer devices had to deal with each individual access point to enforce policies, which meant having to manage interactions with many more devices.
The Lockdown gear scans endpoints as they attempt to access networks and can block those that don't comply with set policies. So a system without a properly patched operating system or whose virus library is out of date can be prevented from accessing the network or confined to a quarantine virtual LAN until it is fixed.
Lockdown devices compete with appliances from other NAC vendors, such as ConSentry Networks, Nevis Networks and Vernier Networks, that are added to existing networks without requiring infrastructure upgrades.
The software upgrade provides new options for updating noncompliant devices. It contains a larger library of remediation resources to bring devices into compliance automatically rather than referring users to Web sites, for example, to get virus updates.
The software upgrade introduces a proprietary scan of endpoints that checks whether operating systems are updated to the proper degree and whether security applications are updated and turned on. This feature replaces parts of the open source Nessus service discovery and vulnerability management software that Lockdown used before.
The new scan takes about two seconds, down from about 15 seconds with Nessus, so end users are less likely to become impatient, the company says.
Lockdown prefers to use Nessus to scan devices to which Lockdown gear cannot download scanning software or devices for which a deeper scan is desired.
The new software changes the default setting for the devices so that they assess the compliance of devices trying to gain network access but don't enforce the policies. This lets customers first gauge how large a problem they have to fix and then plan how to bring noncompliant devices into compliance in a manageable fashion.
Previously the default setting was to enforce policies, which would block noncompliant devices from gaining access before network executives had a handle on how many devices were likely to be denied. This created potential floods of help-desk calls.
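To make the assess-versus-enforce distinction concrete, here is an added example (not Lockdown's code) of a minimal posture-policy evaluator: every endpoint is checked against patch-level and antivirus rules, but in the assess-only default the verdicts are only counted, so an administrator can see how many devices enforcement would deny or quarantine before turning it on. The endpoint fields, policy thresholds and sample fleet are constructed for illustration.

```python
# Added example (not Lockdown Networks' code). Endpoint fields, thresholds
# and the sample fleet are constructed; "patch level" is a hypothetical
# monotonically increasing baseline number.
from dataclasses import dataclass
from datetime import date

@dataclass
class Endpoint:
    mac: str
    os_patch_level: int
    av_running: bool
    av_sig_date: date

@dataclass
class Policy:
    min_patch_level: int
    max_sig_age_days: int
    today: date

def assess(ep: Endpoint, pol: Policy) -> str:
    """Return what enforcement would do: 'admit', 'quarantine' or 'deny'."""
    if not ep.av_running:
        return "deny"                       # no protection at all: block outright
    sig_age = (pol.today - ep.av_sig_date).days
    if ep.os_patch_level < pol.min_patch_level or sig_age > pol.max_sig_age_days:
        return "quarantine"                 # fixable: confine to remediation VLAN
    return "admit"

def run(endpoints, pol, enforce=False):
    """Assess every endpoint; apply the verdicts only when enforce=True.

    Returns (applied_verdicts, summary_counts). In the assess-only default
    every endpoint is admitted, but the counts show what enforcement would
    have done, which is the sizing information needed before switching it on.
    """
    counts = {"admit": 0, "quarantine": 0, "deny": 0}
    applied = {}
    for ep in endpoints:
        verdict = assess(ep, pol)
        counts[verdict] += 1
        applied[ep.mac] = verdict if enforce else "admit"
    return applied, counts

# Constructed sample fleet: one compliant, one under-patched, one with
# stale AV signatures, one with AV turned off.
SAMPLE = [
    Endpoint("00:11:22:33:44:01", 12, True, date(2024, 5, 1)),
    Endpoint("00:11:22:33:44:02", 9, True, date(2024, 5, 1)),
    Endpoint("00:11:22:33:44:03", 12, True, date(2024, 3, 1)),
    Endpoint("00:11:22:33:44:04", 12, False, date(2024, 5, 1)),
]
POLICY = Policy(min_patch_level=10, max_sig_age_days=7, today=date(2024, 5, 3))
```

Running `run(SAMPLE, POLICY)` reports one deny and two quarantines while admitting all four devices; `run(SAMPLE, POLICY, enforce=True)` applies those verdicts.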