A supplier of network hubs, converters, extenders and other infrastructure pieces has turned out its first network access control appliances.
Black Box Corp. said its Veri-NAC family of devices doesn’t require the installation of software agents on connected machines, and works with existing network and legacy infrastructure
“This is one piece of a multi-piece push by Black Box into a space where we sort of played but didn’t have really good tools, or enough of them,” said Jim Schriver, the Pittsburg company’s director of new technologies.
The five models, which start at US$2,850, are aimed at organizations that have found that other NAC solutions are hard to implement, he said.
“If we architected our NAC like everyone else’s, we would have an expensive proxy server and agents everywhere, and we would want everyone to upgrade their entire switch architecture.”
The Veri-NACs compete with a number of software or hardware-based access control devices from Cisco Systems Inc., Juniper Networks, Microsoft Corp., Enterasys Networks, Inc., Check Point Software Technologies Ltd., Symantec Corp. and others.
In a recent report, Forrester Research acknowledged that after some seven years many NAC products are still not ready for enterprises. Some can’t scale while others have irrelevant features and functions.
Black Box’s Veri-NACs don’t stand out in this market, said report author Usman Sindhu, a researcher in the company’s security and risk management practice. Several nice vendors have similar products, he said. “I don’t see anything striking.”
Veri-NACs are 1U-high, non-inline appliances that manage IP addresses, meaning they can cover not only PCs but also anything with an Internet connection – from printers to bar code readers. It only allows devices with known MAC addresses onto the network.
It can detect and stop a machine trying to get in under a spoofed MAC address. It also checks to make sure each connected machine complies with set standards, such as up-to-date operating system patches and port configurations. Vulnerable devices are locked out of the network except for the resources the user needs to bring the computer into compliance.
Laptops of visitors can be allowed access to the Internet but not the corporate intranet.
The company chose not to use agents because they can be hacked, Schriver said. It also means the solution is not based on the number of seats in an organization, thus lowering the cost.
The five models start with the 5200, which includes two Ethernet ports that can support 10 virtual LANs each, and can manage up to 250 devices. The top-of-the-line 5800, which costs US$33950, has eight Ethernet ports and can support up to 80 VLANs and manage up to 2,000 devices.
Three models, the 5800, the 5600 and the 5400 also come with Command Centre software which allows the three to be chained together. A series of 5800s can manage up to 100,000 devices.
Black Box, which is also resells and assembles network and communications solutions from a number of leading manufacturers, has slowly been trying to expand its product line. In April it came out with the Optinet Web gateway, a Layer 7 deep packet inspection appliance. The company is also getting into physical security with a biometric identification scanner that it wants to tie into network security systems.
Organizations are concerned about automating many security tasks, said the Forrester report. Successful NAC solutions will encompass features that help organizations cut operational costs and expand to more use cases even if it demands integration with broader security products.
Advanced features include virtualization support, device fingerprinting, integration with indentity and access management solutions, dedicated partner access management and support for the Trusted Computing Group’s IF-MAP open source protocol. It enables a common database where NAC, intrusion prevention systems, unified threat management,
routers, switches, and other infrastructure appliances are able to post configuration, policy and identity information.
Very few vendors have built this support to date, says Forrester, but some of the vendors have this on the road map. IF-MAP has a broader security implication than just NAC, says the report. It will be a key component as organizations continue to combine the functions of a network operations center (NOC) with a security operations center.
