
NAC + SSL VPN Product Profile: Array Networks (March 2008)

This product profile is from our NAC Product Selection Guide, the industry's most comprehensive and current analysis of NAC products.

Company Profile

Array Networks is a leader in providing access, security and performance for business critical applications and resources. Our application delivery and access control solutions are deployed at over 1000 enterprise, service provider and government customers to meet challenges introduced by trends in data center consolidation, user mobility and compliance. A member of the Red Herring 100 and Deloitte’s Technology Fast 50, Array Networks is a growing global organization with significant corporate and partner presence throughout North America, Asia and Europe. For more information, visit www.arraynetworks.net or call 1-866-MY-ARRAY.

Product Profile

The Array SPX Series Universal Access Controller is a comprehensive SSL VPN secure access, network admission control and resource access control solution. Whether users are remote or local, fixed or wireless, employees or third parties, the Array SPX is capable of providing secure, flexible and customized access. Leveraging multi-Gigabit scalability and built-in NAC functionality, admission policies and application-level access control can be centralized on a single platform for all users and devices. What’s more, Array’s unique overlay gateway approach delivers all the benefits of NAC – without the deployment hurdles associated with widespread hardware replacement or software installation.

Product Category

NAC products can include a number of primary security functions or layers. The "colored cells" in the table below show which ones are provided by the Array SPX.

Primary Security Functions ("Built-in"):
  - Posture Checking
  - Net Intrusion Prevention (1)
  - Network Access Control
  - Application Access Control (2)
  - SSL VPN Gateway

Admission Controller Placement:
  - Endpoint Software
  - Out-of-Band Appliance (or server)
  - In-line Appliance (3)
  1. The Array SPX will work with standalone 3rd party network intrusion prevention systems; some NAC vendors offer this option; others build NIPS into their NAC products.
  2. Application access control refers to the ability to determine the specific destination resources a user can access based on user identity and usage policies. This is different than control over what individual applications can run on a user device.
  3. The controller function is embedded in either a switch, router or separate in-line appliance.

How It Works – Conceptual View

Unlike solutions concerned only with local traffic, the Array SPX has the built-in ability to extend secure, customized access to remote and wireless users. Remote users request access and local users are detected; all users and devices are identified, quarantined and remedied where applicable; and identity-based access controls are applied with layer 7 granularity – on a platform with the performance, management and reporting capabilities to handle real-world deployments.

Access – SSL VPN access enables portal-based, network-level and application-specific access to be securely extended to remote users across a broad spectrum of operating systems and devices. Users log in through a secure portal or single sign-on.

Detection – Local devices connect to a switch or a wireless access point and are placed on user-probation VLANs (on which no critical data, applications or end-points reside). A captive portal is used to gain access beyond probation VLANs. Visitors or unmanaged devices continue using portal-based login, while managed devices may download an agent for single sign-on.

Device Identity – A dissolvable agent checks device identity, health and security posture based on MAC addresses, certificates, hard drive IDs and discovery of personal firewalls, anti-virus, OS service packs, installed apps, registry checks, patches and additional definable criteria.

Quarantine & Remediation – Non-compliant devices remain on probation and are not allowed access to networks or resources. Non-compliant managed devices can be brought into compliance through either self-remediation or active remediation. For unmanaged devices, access may be denied or may be reduced to a limited subset of safe resources according to adaptive policies.

User Identity – User identity is verified via integration with LDAP, RADIUS, AD, Local DB or other authentication servers and may be reinforced using two-factor authentication.

Control – Layer 2-7 intelligence enforces granular identity-based access control over networks and resources. Policies may be set on the Array SPX or on external policy servers or both. For additional control over un-managed or remote devices, cache cleaning can be enabled to wipe cached information from devices when a session ends; or secure desktop may be enabled to store session data in an encrypted vault and prevent users from saving or printing locally.
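The admission flow described in the steps above (probation VLAN, captive portal, dissolvable-agent posture scan, quarantine with remediation, and a reduced safe subset for unmanaged devices) can be expressed as a small policy evaluator. The following is an added example, not Array Networks code; the thresholds, VLAN names and resource names are constructed assumptions.

```python
# Added example, not Array Networks code: a minimal posture-policy evaluator
# modelled on the admission flow above. Thresholds and names are assumptions.
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Posture:
    managed: bool                 # corporate device with agent vs visitor device
    user_authenticated: bool      # portal login or single sign-on succeeded
    av_running: bool              # anti-virus run status (footnote 2)
    av_signature_date: date       # anti-virus signature file date (footnote 2)
    fw_running: bool              # personal firewall run status (footnote 4)
    fw_version: str               # personal firewall version (footnote 4)

@dataclass
class Decision:
    vlan: str                     # "probation" or "production" (assumed names)
    resources: list = field(default_factory=list)
    failures: list = field(default_factory=list)
    remediation: str = ""

MAX_SIG_AGE_DAYS = 7                                        # assumed threshold
MIN_FW_VERSION = (5, 0)                                     # assumed minimum
SAFE_RESOURCES = ["captive-portal", "remediation-server"]   # constructed
FULL_RESOURCES = SAFE_RESOURCES + ["intranet", "mail", "crm"]

def check_posture(p: Posture, today: date) -> list:
    failures = []                 # empty list means the device is compliant
    if not p.av_running:
        failures.append("av-not-running")
    if (today - p.av_signature_date).days > MAX_SIG_AGE_DAYS:
        failures.append("av-signatures-stale")
    if not p.fw_running:
        failures.append("fw-not-running")
    if tuple(int(x) for x in p.fw_version.split(".")) < MIN_FW_VERSION:
        failures.append("fw-version-too-old")
    return failures

def admit(p: Posture, today: date) -> Decision:
    """Everyone starts on probation; only an authenticated, compliant managed device moves to production."""
    failures = check_posture(p, today)
    if not p.user_authenticated:          # not past the captive portal yet
        return Decision("probation", ["captive-portal"], failures)
    if not p.managed:                     # visitor: limited safe subset only
        return Decision("probation", SAFE_RESOURCES, failures)
    if failures:                          # managed but non-compliant: remediate
        return Decision("probation", SAFE_RESOURCES, failures,
                        "self-remediation via remediation-server")
    return Decision("production", FULL_RESOURCES)
```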

Performance, Management & Reporting – Array SPX Series systems support up to 64,000 users with up to 27Gbps throughput while maintaining single digit millisecond latency. Management is simple via an intuitive WebUI and the ability to configure once and propagate settings to all SPX systems on your network. With the Array Report Center, log files are correlated and presented in a logical manner that provides visibility into the network to satisfy compliance mandates.

How It Works – User Connection Process View


Device Posture Checking Tests

There are many ways to scan devices and enforce user privileges. Some products rely exclusively either on network-based scans or an installed “fat client”. Most vendors offer an optional dissolvable browser plug-in. Note that agent options vary in their support of devices and often require administrator-level privileges.

Product Close-Up

The following tables highlight the key features and functions that impact product security, deployment and operations.

  1. Dissolvable and persistent agents require admin-level privileges on the endpoint
  2. Scans for AV sw version, signature files, run status & dates
  3. Scans for MCP sw version and run status
  4. Scans for personal FW version, configuration and run status
