InfoExpress approaches network-access control with a product that requires zero network-infrastructure changes. With the InfoExpress Dynamic NAC for Windows product, policies are controlled from a central policy management server, but enforcement is handled by distributed agents residing on trusted systems, called Enforcers.
These agents are not special systems, but rather could be any trusted device running the InfoExpress DNAC agent. For example, on a network segment of trusted corporate laptops, several of those devices will be acting as enforcers to help manage unauthorized traffic coming from new, unauthorized users or authorized users that happen to be out of compliance with policy.
Think peer-to-peer NAC where a militia of Enforcers work collectively to protect your LAN.
Together, these distributed Enforcers watch network traffic (the company doesn't disclose its secrete sauce, but our educated guess is that they are looking for address-resolution-protocol requests and broadcasts). With this reconnaissance, the Enforcers identify systems without the appropriate agent in place and respond to directions from the central management server about how to treat endpoints after compliance assessments have been performed. The Enforcers then handle the quarantine measures for noncompliant machines by blocking the endpoint's network access except for traffic allowed by policy.
Enforcers also can handle guests and other unmanaged devices by redirecting them to a captive portal where they can pick up compliant agent software.
This product has the potential to scale efficiently, because the more systems you add to the network, more Enforcers you can designate.
In addition to the agent software, DNAC has three other major components. The Policy Server communicates with all agents -- both those serving as Enforcers and those not serving in that capacity -- to see whether they are in compliance. The Policy Manager is a separate application used just for policy development. The Reporting Server collects information from the Policy Server for reporting purposes, which is easily accessible from a separate Web interface.
For testing, we installed the server components on a central Windows 2003 server and installed agents on our several of our Windows' systems. InfoExpress can also function in an 802.1X environment. That requires the company's 802.1X appliance called the CyberGatekeeper Server, which InfoExpress did not submit for testing.
Active Directory authentication is supported, but setting it up was short of seamless. The process requires setting up a Web site where authentication verification occurs behind the scenes via communication with an InfoExpress-provided program placed on the site that then passes authentication information to Active Directory.
In a DNAC deployment, policies are applied to IP address groups only, which may not provide all the flexibility some organizations require depending on the granularity of policy requirements. Creating policies within the product is cumbersome where you have to create them in the separate policy-manager application and then push the policies to the policy server for deployment. The policy-manager application itself is not intuitive to use, and it is challenging to set up more complex policy checks using the interface.
For endpoint assessment, DNAC supports some of the major vendors for both antivirus software and desktop firewalls out of the box. System patch-status checks are available, but are cumbersome and complex to configure, as you have to go through all released Microsoft patches and check the ones you want to be included in the policy. If new patches are released, you need to go change your policy to include them in your next system check. We would prefer a "current with patches" check to ease setup and administrative overhead.