Q. What role does DNAC play within the NAC market?
A. General NAC solutions provide network identity, keep rogue endpoints
off the network, ensure consistent configurations for PCs, and let
administrators know what is on the network. Despite these benefits,
the cost and effort of deploying NAC have slowed its adoption in many
organizations. InfoExpress makes NAC easily deployable with a
software-based approach that requires far less time and effort to
deploy, and needs no updates, upgrades, or changes to the network
equipment or its configuration.
Q. How is DNAC installed and how long does it take?
A. DNAC comes as a software installer that provides a complete
NAC solution for the LAN. The software installs on a Windows 2000
or Windows Server 2003 server. Setting up DNAC on a single network
typically takes an hour or two; with assistance from an authorized
reseller or systems engineer, DNAC can usually be running in less
than an hour.
Q. What is DNAC?
A. DNAC (Dynamic Network Access Control) is software that turns
ordinary PCs into enforcers that control other endpoints' access to
the network. DNAC differs from host-based solutions because the
enforcers control other PCs' access to the local subnet and to other
networks, not just traffic to themselves. DNAC lets administrators
authorize, evaluate, and remediate wired and wireless LAN users and
their machines before allowing them onto the network. DNAC checks
whether networked devices such as laptops, IP phones, personal digital
assistants, and printers comply with the organization's security
policies, and remediates noncompliant machines before permitting
access to the network.
Q. Why would an organization need DNAC?
A. The greatest inadvertent threat to network security is the end
user. Because each endpoint is a potential conduit into the network,
it is increasingly important for users to bring their machines into
compliance with their organizations' security policies. The DNAC
software uses the incentive of network access to ensure compliance,
and uses the capabilities of compliant endpoints to bring noncompliant
machines up to requirements.
Q. Why deploy DNAC now instead of waiting?
A. The growing number of partners, customers, and remote employees
creates a need to secure endpoints against the threats that come with
increased mobility and unmanaged devices. Furthermore, failing
to provide accurate reports and audits may result in costly penalties.
With DNAC, organizations gain the benefits of NAC without costly
infrastructure upgrades or difficult configuration.
Q. What is the relationship between the DNAC software, the
CyberGatekeeper appliance, and the CyberGatekeeper Remote appliance?
A. The DNAC software, which runs on a Windows 2000 or Windows Server
2003 server, provides a complete NAC solution using the DNAC access
control method. It is packaged with the policy manager, policy server,
report server, and endpoint software. This package supports only the
DNAC method for quarantining and controlling access to the network.
The optional CyberGatekeeper appliance adds access control methods
other than DNAC, such as 802.1X NAC, in-line NAC, and Cisco NAC.
The CyberGatekeeper Remote appliance is similar to the CyberGatekeeper
appliance but supports only the in-line access control method; it is
primarily designed to provide an in-line solution for remote-access
VPNs.
Q. What is the difference between DNAC and products from networking
infrastructure vendors such as Cisco?
A. Infrastructure equipment approaches to NAC typically use port-based
access control, either (i) 802.1X, with EAP over the switch port,
supplicant agents on the endpoints, and a RADIUS server, or (ii) SNMP
to assign VLANs to particular ports.
Port-based access control lacks granularity beyond the port. With
802.1X EAP, the RADIUS server assigns a VLAN to the local port, so
every device on that port shares the same access decision. Today's
networks often have multiple endpoints on the same port or machine
(virtual machines, printers, VoIP phones, etc.).
DNAC enforces on individual hosts, whether real or virtual, by turning
ordinary PCs into enforcers that police the network. This approach
does not require new subnets or other network changes to control
access. As DNAC software proliferates, the networks containing those
endpoints become capable of performing NAC. Customers who have
installed DNAC report that installation effort is 5 to 20 times
lower than with competing NAC solutions, without the use of
specialized network engineers.
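As an added example (not InfoExpress code and not part of the original FAQ), the following Python shows what the port-based 802.1X decision above actually consists of: it builds and verifies the RADIUS Access-Accept that carries a dynamic VLAN assignment (RFC 2865 framing and Response Authenticator, RFC 2868 tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes with the RFC 3580 VLAN values), and then models why that assignment is per port rather than per endpoint. The shared secret, request authenticator, identifier, MAC addresses and VLAN 100 are constructed sample values, and the MultiHostPort class is a hypothetical simplification of a switch port in multi-host mode (one successful authentication opens the port for every MAC on it), not a description of any vendor's switch.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

ACCESS_ACCEPT = 2                # RFC 2865 packet code
TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # RFC 3580 value for Tunnel-Type
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 3580 value for Tunnel-Medium-Type

def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS TLV: type, total length (including these two octets), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet integer."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")

def build_access_accept(identifier: int, request_auth: bytes,
                        secret: bytes, vlan_id: int, tag: int = 1) -> bytes:
    """Access-Accept telling the switch to place the port in vlan_id."""
    attrs = (_attr(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
             + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
             + _attr(TUNNEL_PRIVATE_GROUP_ID,
                     struct.pack("!B", tag) + str(vlan_id).encode("ascii")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth =
    #   MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV list that follows the 20-octet RADIUS header."""
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def vlan_from_accept(packet: bytes, request_auth: bytes,
                     secret: bytes) -> Optional[int]:
    """VLAN the server assigned, or None if the reply is unusable or not genuine."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    header, response_auth, raw_attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(header + request_auth + raw_attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):   # forged or wrong secret
        return None
    attrs = parse_attrs(packet)
    try:
        ttype = int.from_bytes(attrs[TUNNEL_TYPE][1:4], "big")
        tmedium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:4], "big")
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_IEEE_802:
        return None
    if group and group[0] <= 0x1F:   # RFC 2868: leading octet <= 0x1F is a tag
        group = group[1:]
    return int(group.decode("ascii"))

class MultiHostPort:
    """Hypothetical model (an assumption of this example) of a port in multi-host
    mode: the VLAN RADIUS chose for the first authenticated supplicant applies to
    the whole port, so any later MAC on it (phone, bridged VM, hub-attached laptop)
    is switched into that VLAN with no check of its own."""

    def __init__(self) -> None:
        self.vlan: Optional[int] = None
        self.members: Dict[str, int] = {}

    def authenticate(self, mac: str, accept: bytes, request_auth: bytes,
                     secret: bytes) -> bool:
        vlan = vlan_from_accept(accept, request_auth, secret)
        if vlan is None:
            return False
        self.vlan = vlan
        self.members[mac] = vlan
        return True

    def admit(self, mac: str) -> Optional[int]:
        """Any further MAC on an authorised port inherits the port VLAN."""
        if self.vlan is None:
            return None               # unauthorised port forwards nothing
        self.members[mac] = self.vlan
        return self.vlan

if __name__ == "__main__":
    # Constructed sample values; a real request authenticator is 16 random octets.
    req_auth, secret = bytes(range(16)), b"s3cret"
    accept = build_access_accept(7, req_auth, secret, vlan_id=100)
    port = MultiHostPort()
    port.authenticate("00:11:22:33:44:55", accept, req_auth, secret)
    print("laptop VLAN:", port.members["00:11:22:33:44:55"])
    print("phone on the same port, unchecked, VLAN:", port.admit("aa:bb:cc:dd:ee:ff"))
```

The Response Authenticator check matters in practice: a switch that skipped it would accept a VLAN assignment from anyone who can reach its RADIUS listener. The MultiHostPort model is where the FAQ's granularity argument lives: the second device never presents credentials or posture, yet ends up in the same VLAN as the laptop that did.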
Q. What are the key differences between NAC products that
use IPS or port monitoring and DNAC?
A. Using IPS or port monitoring requires selecting choke points
on the network: typically an appliance at critical locations on the
LAN for IPS, or a monitoring appliance attached to a monitoring
port on the switch. The choke points filter rogues with access control
rules or by sending denial-of-service traffic at the rogues.
Both approaches lack granularity when quarantining, because intra-LAN
traffic can bypass the choke points; they provide granularity only
when the monitoring or choke point is moved close to the endpoint.
Providing that coverage for larger networks is expensive, because more
locations must be intercepted, and for in-line IPS the choke points
themselves become potential points of failure.
Q. What features does DNAC offer compared to other NAC solutions?
A. DNAC provides the authentication, quarantining, remediation,
and posture assessment that infrastructure NAC solutions provide,
with even greater quarantine granularity. With DNAC, endpoints can
be quarantined individually, even when several are connected to the
same switch port or running on the same machine (e.g. virtual machines).
For example, PCs, laptops, virtual machines, VoIP phones, printers,
and network access devices are each quarantined independently, even
when connected to the same switch port. Because it uses the
CyberGatekeeper NAC software for policy assessment, DNAC provides
granular policy constructs, direct and integrated remediation options,
and clear end-user communication.
Q. What is the difference between DNAC and host-based firewall
or DHCP NAC?
A. Desktop software approaches assume the user is running the vendor's
security software. If this assumption is invalid, such as on an
intruder's PC, the NAC solution offers no protection at all. The
DHCP NAC approach places a DHCP proxy between the DHCP server and
the switches.
DHCP enforcement is easily bypassed by assigning a static IP address
to the endpoint. Furthermore, the DHCP approach requires extra subnets
to be configured for each switch under management. Host-based
approaches, by contrast, enforce policy only on the individual endpoint
where their software runs.
DNAC-enabled endpoints are different, because enforcers control
access for other endpoints on the network, not just themselves. This
means each endpoint on the network is independently validated by a
third party (another endpoint) before it gains access. As a result,
DNAC solutions are more effective, and integrate into the network
with greater ease, than either host-based or infrastructure-based
approaches.
Q. Is DNAC specific to LAN users? Do I need a separate product
to enforce policies on my remote-access users?
A. The DNAC software applies a set of policies to all devices attaching
to the network through the LAN or WLAN. These policies also apply
to devices attaching through a remote access VPN, through the CyberGatekeeper
Remote or CyberGatekeeper appliances.
InfoExpress. Copyright © 2007. All Rights Reserved.