Lockdown Enforcer™
Automate guest access and device registration and control who and what is on your network with Lockdown's industry-leading all-in-one network access control appliance. The heart of network access control (NAC) is policy, and Lockdown provides the most flexible network access control policy engine, backed by industry-leading endpoint assessment, authentication, enforcement, and reporting capabilities.
Overview
Lockdown Networks' network access control (NAC) provides these key capabilities:
- Robust policy engine, with GUI and scripting interfaces, enables development of both broad and highly focused access control policies.
- Automates guest and device registration.
- Interoperable with network and security infrastructure you already own.
- Single sign-on authentication using 802.1x, Web-Login, RADIUS, NDS, etc.
- In-depth endpoint analysis of all IP-based devices. Over 11,000 tests for OS, AV, spyware, and vulnerabilities. Operates with or without an agent.
- Agent architecture supports persistent and temporary installations, without complex Java or ActiveX deployment requirements.
- Enforces policy using VLANs for ultimate security and control or IP Subnets for rapid rollout, or mix and match modes as needed.
- Automated remediation for common issues such as missing OS updates or antivirus signature file updates.
Every enterprise has different access control requirements. For some, automating guest access is a major concern, others worry about ensuring only appropriate users are on a given VLAN, while for others, keeping "honest users honest" and protecting devices against attack is a higher priority. Some enterprises require both capabilities. Others worry about containing malware that does penetrate defenses.
Only Lockdown provides everything needed to meet all these objectives on your existing network, in a self-contained appliance.
Meet Lockdown Enforcer™
The Power of Policy:
Network access control is about policy automation, and Lockdown Enforcer™ is the champion of policy.
Lockdown Enforcer's Precision Policy Engine™ allows deployment of policy based on group or individual identity, location, time, access method, and other factors. Rules can apply to everything on the network, to selected groups or individuals, or (depending on your needs) to a given group at a given location at a specific time.
Among other things, Lockdown policy controls:
- Whether guests and devices can be self-registered, registered by an administrator (or other delegate), or are not allowed.
- Whether a EULA is required.
- Which modes of authentication are required for access.
- What test criteria to apply based on group, device or individual identity, location, time, or other factors.
- Which tests to run before a device connects, which to run after.
- What to do with a user or device when a security event occurs on the network.
Flexible Deployment:
Enterprises have different security, rollout and management objectives, so Lockdown's network access control offers multiple modes of deployment to support different use cases. Lockdown uses both VLANs and IP Subnet Quarantine (ISQ™) for policy enforcement. VLANs provide stronger security and more precise access control, while ISQ offers faster rollout.
In VLAN mode, unauthorized users and unhealthy devices are managed at the point of network entry, delivering "maximum strength protection" from a potentially malicious user or a risky endpoint. Unlike many network access solutions, Lockdown keeps devices off the network UNTIL the device and user are deemed safe to participate in the network. VLAN enforcement is supported on network control points like switches, WAPs and wireless controllers.
In both VLAN and ISQ modes, users with device health issues are presented with an informative gateway page that provides data on the policy violation, and directions and resources which enable users to self-remediate. In this way, help-desk support calls are minimized.
Deep Assessment, Flexible Options:
Most network access control products provide basic tests for OS and antivirus updates or P2P software.
Lockdown goes further. Way further!
Lockdown Enforcer not only provides these basic network access control tests, but can also use a proprietary scanning engine to test any network device against a database of more than 11,000 potential vulnerabilities. Lockdown supports creation of custom test sets, and offers pre-defined SANS 20, Quick Scan, and other valuable test sets to speed deployment.
With Lockdown, it’s possible to ensure compliance for devices like printers, embedded systems or network security and switching infrastructure, which other network access control solutions simply can’t deal with.
And IT and security can decide whether or not to use agents to assess both managed and unmanaged Windows or OS X devices. If agents are used, Lockdown agents simplify rollout and reduce support overhead by offering:
- Persistent or self-dissolving agents. Persistent agent installation is credentialed; dissolving agents are one-click installs, without credentials.
- Executable installs for persistent and dissolving agents; no Java or ActiveX required! One agent per platform, without complex Java installs or browser dependencies.
Identity:
Lockdown monitors authentication processes to identify every user and device on the network. Lockdown supports all key authentication protocols, and delivers single-sign on capabilities, so users have a convenient experience joining the network.
Lockdown supports single sign-on through 802.1x, Windows Authentication, NDS, RADIUS, and offers web-login (with dynamic fallback for failed authentications). And, Lockdown interoperates with any LDAP-capable directory service to capture group data on authenticated users.
Lockdown Enforcer now includes a built-in RADIUS server to terminate RADIUS requests, or it can be deployed in networks where RADIUS is already in place.
Guest and Device Registration:
Lockdown Enforcer includes a feature-rich guest and device registration system.
The guest registration system enables IT to deploy:
- Self-registration systems.
- Device registration for PCs, handhelds, game boxes, and other systems, with association to end users.
- A simplified operator role enabling delegated users to create temporary or permanent guest accounts.
Interoperable:
Lockdown Enforcer not only works with your existing network infrastructure, it interoperates with your security and event management systems, as well.
Lockdown network access control accepts security events from IDS, IPS, NBA, SIM, and other systems using web services or syslog notifications. By providing an easy way to interoperate with these external systems, you will not only identify gaps in device security that may expose your network to attack, but you can also react more effectively to network-based attacks.
For example, if an IDS or SIM determines that a security breach has occurred at a given IP address, Lockdown can apply any policy-based response to that device, including quarantining it, or perhaps sending a notification to IT providing information on who is logged into the device, and where it is physically located.
On the network side, Lockdown Enforcer works with enterprise control points from industry-leading vendors like Cisco Networks, Foundry Networks, Enterasys Networks, HP ProCurve, 3Com, and Extreme Networks. Lockdown is always out of band, so there is no degradation of network performance, and future network upgrades like 40Gbps and 100Gbps will be supported without network access control upgrades.
Lockdown Enforcer with iNAC™ (intelligent NAC) also provides integration with Microsoft Network Access Protection (NAP), Trusted Computing Group (TCG), Safend, Lancope, PatchLink, New Boundary, and other third party solutions.
How It Works
Lockdown Enforcer™ is several products in one. Lockdown Enforcer combines a sophisticated policy engine, state-of-the-art device assessment, L2 VLAN and DHCP enforcement, automated remediation, reporting, and management in one convenient appliance.
Inside the Lockdown Enforcer™
The inner workings of Lockdown Enforcer are sophisticated.
The following information provides background on the general operation of Lockdown Enforcer, including deployment, integration, authentication, assessment, enforcement, and remediation.
Lockdown Enforcer works out-of-band and can be deployed almost anywhere in the network. Lockdown Enforcer integrates with existing network infrastructure, regardless of vendor, using Layer 2 information to detect devices as they connect to the network.
After Lockdown Enforcer is deployed it must be configured to integrate and communicate with switches and wireless access points. We refer to these as "control points".
In VLAN mode, Lockdown Enforcer learns the configuration of these devices including their VLANs. Lockdown Enforcer creates a "hold" VLAN and a configurable pool of dynamic "quarantine" VLANs. Lockdown Enforcer does not modify existing VLANs. Unlike other network access control solutions, this allows Lockdown Enforcer to keep users and devices off the network until they are deemed compliant.
Once Lockdown Enforcer is integrated with chosen control points it receives information such as SNMP traps and RADIUS requests and sends information using RADIUS and SNMP as well as Telnet or SSH (Secure Shell).
In IP Subnet Quarantine (ISQ), Lockdown Enforcer works by routing quarantined devices into a specified subnet with access to remediation resources. ISQ works with all DHCP-based devices. Lockdown Enforcer assesses devices when the DHCP lease is renewed, or at any time (if an agent is used).
In general, ISQ is less secure than VLAN enforcement (the exception is when switches capable of DHCP enforcement are deployed). ISQ is recommended at the start of a network access control project to quickly bring users into compliance, or in applications where control of device compliance is a much higher priority than containment of potentially malicious users.
Lockdown Enforcer leverages your existing authentication systems to learn about users and make determinations about network access. Enforcer makes use of 802.1x, RADIUS, LDAP, Windows Authentication, NDS authentication and Web-login, as well as possessing the unique ability to dynamically fall back from 802.1x to another form of authentication.
This is especially useful for organizations with heterogeneous clients lacking 100% 802.1x supplicant coverage. This feature also adds flexibility to 802.1x by offering more options than simply ON or OFF for the port.
Lockdown Enforcer can assess devices for vulnerabilities, compliance to health standards, compliance to policy, and a host of other attributes. It does this using one or a combination of different methods, including network, credential and (optional) agent-based scanning.
Network-based scanning checks IP address ranges, open ports, running services, and network-related vulnerabilities. Credential-based scanning provides access to a remote device by authenticating and establishing an SMB, Telnet or SSH connection to view registry keys, file system attributes and even some anti-virus software information.
Lockdown Enforcer can use, but does not require, the Lockdown Agent™. Agent-based scanning provides access to a remote device and gathers information including, but not limited to, anti-virus, personal firewalls, anti-spyware, operating system updates, and file system attributes.
"Enforcement" is defined as the action executed for a connecting or existing networked device. In order to explain "enforcement" we will walk through a typical scenario.
John arrives at the office on Friday morning after spending a week on the road attending sales calls. John places his laptop in its docking station and powers it on. He logs in to the domain and a Web browser window opens up. John reads the page, which tells him he is in quarantine for Windows Update.
The page goes on to provide him instructions on how to remedy the situation and gain network access. John updates his machine and regains access to the production network.
What happened behind the scenes? First we must talk about the policy being enforced. Lockdown Enforcer is configured with a policy stating that authenticated users who possess current anti-virus software and Windows Update will be given access to the production network. Failure to comply will result in quarantine for remediation.
When John powered up his laptop, it made a connection to the switch. The switch sent a "link-up" event to Lockdown Enforcer, which began listening to the device. Lockdown Enforcer wants to learn the MAC and IP address of the device. If the device does not have an IP address and is configured for DHCP, Enforcer can forward the DHCP request and help the device gain Layer 3 connectivity.
Once Lockdown Enforcer learns the MAC and IP of the device, it is moved to one of the quarantine VLANs so Lockdown Enforcer can individually monitor or help broker authentication and perform an assessment. In this case John authenticated against Windows Active Directory.
The authentication portion of policy is satisfied.
John's laptop makes use of the Lockdown Agent, which maintains communication with Lockdown Enforcer when it is online. Lockdown Enforcer asks the Lockdown Agent to gather information about anti-virus and Windows update, which it sends back for analysis. Lockdown Enforcer examines the information and discovers John's device has current anti-virus software, but that the latest operating system software updates have not been installed.
John's device remains isolated in quarantine for remediation.
While it may not be a risk to other devices, it may be vulnerable, so individualized quarantine provides protection. The Lockdown Agent opens a browser window on John's laptop informing him of the policy violation, as well as providing directions for remediation.
John has access to resources configured by the administrator including "Windows Update". John follows the directions and installs the latest operating system software updates. He then initiates a "rescan" by selecting a button on the gateway page. Lockdown Enforcer performs an assessment based on policy and sees the device possesses current anti–virus and operating system software updates.
In accordance with policy, Lockdown Enforcer moves the port to the VLAN associated with the production network.
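The walkthrough above and the external-event response described under "Interoperable" can be modelled as one small policy engine. The following is an added illustration, not Lockdown's code: the VLAN names, the Endpoint fields, and the syslog line format are all constructed for the example, and the policy is the one the walkthrough states (authenticated user, current anti-virus, Windows Update installed).

```python
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class Vlan(Enum):
    HOLD = "hold"              # port parked before MAC/IP are learned
    QUARANTINE = "quarantine"  # individual quarantine: auth, assessment, remediation
    PRODUCTION = "production"  # granted once every policy element is satisfied

@dataclass
class Endpoint:
    mac: str
    ip: Optional[str] = None
    authenticated: bool = False
    av_current: bool = False
    os_updates_current: bool = False
    vlan: Vlan = Vlan.HOLD
    violations: List[str] = field(default_factory=list)

def on_link_up(ep: Endpoint, learned_ip: str) -> Vlan:
    """Switch sent a link-up trap: record the learned IP and move the port
    into a quarantine VLAN so authentication and assessment can run."""
    ep.ip = learned_ip
    ep.vlan = Vlan.QUARANTINE
    return ep.vlan

def evaluate_policy(ep: Endpoint) -> Vlan:
    """Walkthrough policy: auth + current AV + Windows Update -> production.
    Any failure keeps the device quarantined; violations feed the gateway page."""
    ep.violations = []
    if not ep.authenticated:
        ep.violations.append("authentication required")
    if not ep.av_current:
        ep.violations.append("anti-virus signatures out of date")
    if not ep.os_updates_current:
        ep.violations.append("Windows Update not installed")
    ep.vlan = Vlan.PRODUCTION if not ep.violations else Vlan.QUARANTINE
    return ep.vlan

# Constructed syslog shape (hypothetical, not any real IDS format):
# "<Mon> <day> <hh:mm:ss> <host> <source>: <SEVERITY> event from <ip>"
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<source>\S+): (?P<severity>[A-Z]+) event from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
SAMPLE_EVENT = "Jan 12 09:14:02 ids01 snort: CRITICAL event from 10.0.5.23"  # constructed

def on_security_event(endpoints: List[Endpoint], line: str) -> Optional[Endpoint]:
    """An IDS/SIM notification names an IP; if policy treats that severity as a
    breach, the endpoint holding that IP is quarantined. Returns it, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m["severity"] not in ("HIGH", "CRITICAL"):
        return None
    for ep in endpoints:
        if ep.ip == m["ip"]:
            ep.violations = [f"{m['source']} reported {m['severity']} event"]
            ep.vlan = Vlan.QUARANTINE
            return ep
    return None
```

A re-scan from the gateway page is simply another call to evaluate_policy after the user has remediated.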
Features
All-in-One Network Access Control Made Easy
Get a complete solution from a single vendor instead of a less-capable network access control (NAC) solution missing critical modules like agent and agentless device assessment, reporting, authentication, and rich quarantine.
Out-of-Band Operation
Get all the power of network access control without introducing a bottleneck that affects network scalability.
Guest and Device Registration
Allows users to self-register, or delegates to create guest accounts. If desired, enables registration of one or more devices to be associated with a user.
Deep Assessment
Lockdown Enforcer™ can test all IP-based devices against more than 11,000 vectors, not just the basic network access control tests supported by most competing network access control offerings.
Multiple Assessment Methods
Network, credential and agent-based scanning allows you to gather health and compliance information using the method most appropriate for device type and different users.
Persistent or Dissolving Agent
Installs without administrator credentials and self-uninstalls. Assesses compliance to security policies, and automates some remediation tasks. Perfect for unmanaged devices owned by students, contractors, or guests. No Java or ActiveX required.
Individual Quarantines
Protect users and devices from one another. A device missing a software update isn't infected by a device that is quarantined for attempting to propagate a virus.
Many Authentication Methods
Consider user identity in your network access decision whether you're using 802.1x, LDAP, RADIUS, Web-login, Windows, or NDS Authentication.
High Availability Configuration
Ensure continual operation so you never experience an outage with your network access control solution.
Centralized Reporting
Generate valuable reports that measure improvements in security and help justify additional security spending.
Integrated Vulnerability Assessment
Best-of-breed vulnerability analysis, using proprietary scanning, is included; no need to integrate a third-party solution or purchase an additional module.
Enforcement at the Control Point
Make network access control decisions count by providing the most secure form of enforcement: at the point of network entry.
Configurable, Schedulable Audits
Get a clear picture of your network health by configuring audits designed to suit the specific requirements of your environment and schedule them to execute when it's most convenient for your operations.
Aggregates and Baselines Vulnerability Data
Avoid unneeded quarantine events and increase the accuracy of assessments by using combined real–time and historical audit data.
Multiple Enforcement Options
Deploy using VLAN, IP Subnet, or both modes of quarantines. Lockdown can apply either or both methods, right down to the port level.
Rich Quarantine Environment™
Private VLANs not only isolate at-risk or infected devices, they also allow controlled access to remediation resources, or even remote IT administration.
XML, Syslog and SNMP Leverages External Security Systems
Easily integrate Lockdown Enforcer with third-party systems to immediately add value to other security products, like complementing network access control with IPS or providing a SIM with network access control information. External events can be used to trigger any network access control policy action.
Uses Any Network Infrastructure
Works with equipment you already own, so there's no need to upgrade, plus you won't be locked into a single-vendor solution.
Supports All IP–Based Devices
IP-based devices, including laptops, desktops, printers, servers, mobile devices, and more, can participate in the network access control process.
