Vernier's In-Band NAC Product Takes Work

EdgeWall has some unique features that help with network integration, but it's got a number of downsides, too.

Mike Fratto, Former Network Computing Editor

November 16, 2007

3 Min Read

diagram: How Vernier Works

ASSESSMENT ANY WAY YOU LIKE IT
Vernier's host scanning uses network- or agent-based scans to assess a host. Scans can be performed at login and periodically thereafter. If a host's condition changes, the corresponding policy is applied. Similar to other in-band NAC appliances, new policies are applied as the policy is set, but hosts aren't immediately reassessed.

EdgeWall performs network policy scans with the Nessus scanner engine, or assesses the host with a dissolvable agent. Policy scans focus on host configuration, while vulnerability scans look for known vulnerabilities in hosts. Keeping the two scans separate makes sense because there may be times when a policy scan can't be run but a vulnerability scan can.

EdgeWall not only suffers from a hole similar to the one we found with ConSentry, where a user could log on locally to a computer and inherit the previous user's network access rights, but we also found that EdgeWall didn't detect when different domain users logged on to the same computer. After the article was published, Vernier contacted us with a solution. Because of how policy rules are laid out, we had overlooked setting the appropriate authentication policy for each rule that a user could fall into. Vernier's management platform contributed to the mistake by spreading policy settings across multiple tabs, forcing us to repeat steps for each setting. We did test the new settings, however, and subsequent user logins were properly detected. This is a serious flaw in Vernier's system.

Once the host is on the network, EdgeWall monitors for malicious activity using network intrusion prevention, protocol anomaly detection, and network anomaly detection. The IDS functionality is standard signature-based matching. Protocol anomalies are typical malformed or malicious traffic. Finally, the network anomaly detection looks for malicious traffic patterns such as high connection rates and flooding--common characteristics indicating scanning, denial-of-service attacks, or worm activity.
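As an added illustration of the network anomaly layer described above (not Vernier's code, and the thresholds are constructed, not EdgeWall's defaults), the following sliding-window detector flags a source whose connection rate is high and whose targets are either widely spread (scanning) or concentrated on one host (flooding), run over constructed flow records:

```python
# Sliding-window connection-rate detector (added illustration; not Vernier's code).
from collections import deque, defaultdict

# Thresholds are constructed for this example, not EdgeWall's defaults.
WINDOW_SECS = 10.0
MAX_CONNS = 50        # connections per source per window before we look closer
SCAN_TARGETS = 20     # distinct (dst, port) pairs -> looks like scanning
FLOOD_SHARE = 0.8     # share of connections hitting one dst -> looks like flooding

def classify(window):
    """Label a source's recent connections: None, 'scan' or 'flood'."""
    if len(window) < MAX_CONNS:
        return None
    targets = {(dst, dport) for _, dst, dport in window}
    if len(targets) >= SCAN_TARGETS:
        return "scan"
    per_dst = defaultdict(int)
    for _, dst, _ in window:
        per_dst[dst] += 1
    if max(per_dst.values()) >= FLOOD_SHARE * len(window):
        return "flood"
    return None

def detect(flows):
    """flows: iterable of (ts, src, dst, dport), any order. Returns {src: label}."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        win = windows[src]
        win.append((ts, dst, dport))
        # Drop connections that fell out of the time window for this source.
        while win and ts - win[0][0] > WINDOW_SECS:
            win.popleft()
        label = classify(win)
        if label and src not in alerts:
            alerts[src] = label      # first alert per source is enough here
    return alerts

# Constructed sample: one normal host, one port scanner, one flood-like source.
SAMPLE = (
    [(100.0 + i, "10.0.0.5", "10.0.1.1", 443) for i in range(5)]
    + [(200.0 + i * 0.1, "10.0.0.9", "10.0.1.1", 1 + i) for i in range(60)]
    + [(300.0 + i * 0.05, "10.0.0.7", "10.0.1.2", 80) for i in range(80)]
)

if __name__ == "__main__":
    print(detect(SAMPLE))  # {'10.0.0.9': 'scan', '10.0.0.7': 'flood'}
```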

IN DETAIL

FEATURED PRODUCT: Vernier Networks' Control Server, starting at $15,000, and EdgeWall 8800, starting at $18,000.

ABOUT THIS ROLLING REVIEW: We tested in-band NAC products using a basic access control policy on an existing network. We focused on policy development, enforcement features, host assessment, logging, and troubleshooting.

ALREADY TESTED: ConSentry Networks

NEXT UP: Nevis Networks

OTHER VENDORS INVITED: Enterasys, Juniper Networks, Nevis Networks, and Nortel Networks

LOGGING AND TROUBLESHOOTING
While we weren't wowed with ConSentry's log visualization graphs, Vernier's are even less useful. Client data isn't viewable for as long as we'd like, and each time the client session's page is refreshed, the management station displays only the most recent stats and the earlier stats disappear.

Two tools were invaluable when they worked. The Simulate User Rights tool shows the rights a user would get based on a number of conditions such as user name, policy assessment, MAC address, and other items. The Trace Transaction tool validates that users are authenticating correctly and displays the data returned from the authentication server. Unfortunately, the Simulate User Rights tool expects the user to authenticate and apparently doesn't handle the case where the user fails to do so. That said, the complexity of policy creation on Vernier's system makes simulation tools a necessity.

You will need to take some time learning how to configure and manage EdgeWall's quirks and foibles. The product's flexibility eases integration and will help you tailor the installation to your needs--if you're patient. Vernier needs to work on the management UI, iron out the spurious errors, and develop a tolerant Control Server failure process.

Rolling Reviews present a comprehensive look at a hot technology category, including market analysis, product reviews, and wrapping up with a synopsis of our findings. See other reviews in this in-band NAC series at Rolling Reviews.

About the Author(s)

Mike Fratto

Former Network Computing Editor

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics and executive editor for Secure Enterprise. He has spoken at several conferences including Interop, MISTI, the Internet Security Conference, as well as to local groups. He served as the chair for Interop's datacenter and storage tracks. He also teaches a network security graduate course at Syracuse University. Prior to Network Computing, Mike was an independent consultant.
