NAC Product Profile: Bradford Networks (March 2008)
This product profile is from our NAC Product Selection Guide, the industry's most comprehensive and current analysis of NAC products.
Company Profile
Bradford Networks is dedicated to solving the real-world network access control challenges facing enterprises, institutions and government by developing comprehensive NAC solutions for wired, wireless and VPN networks that deliver automated security services by leveraging existing network infrastructure and investments. Bradford Networks' NAC Director (for enterprises) and Campus Manager (for education) deliver the three key elements of user-focused, network-based NAC solutions (identity management, endpoint compliance and usage policy enforcement) in an integrated, out-of-band, appliance-based solution.
Product Profile
An out-of-band architecture utilizes current network configuration and traffic data from switches, wireless access points, and other infrastructure equipment to create a logical representation of the network, then correlates this data with user identity and usage policy information. When violations occur, the NAC controller determines the policy-based actions needed and executes corrective action via CLI, SNMP, or RADIUS commands to the corresponding network equipment to address the threat at the point of network access.
Product Category
NAC products can include a number of primary security functions or layers. The "colored cells" in the table below show which ones are provided by the Bradford NAC products.
[Table: column headings only; the cell shading that marks which functions the Bradford products provide was not preserved.]
Primary Security Functions ("Built-in"): Posture Checking | Net Intrusion Prevention (1) | Network Access Control | Application Access Control (2) | SSL VPN Gateway
Admission Controller Placement: Endpoint Software | Out-of-Band Appliance (or server) | In-line Appliance (or switch) (3)

Notes:
1. This product will work with standalone 3rd party network intrusion prevention systems; some NAC vendors offer a similar option; others build NIPS into their NAC products.
2. Application access control refers to the ability to determine the specific destination resources a user can access based on user identity and usage policies. This is different from control over which individual applications can run on a user device.
3. The controller function is embedded in either a switch, a router or a separate in-line appliance.
How It Works – Conceptual View
[Figure not preserved in this text.]
How It Works – User Connection Process View
[Figure not preserved in this text.]
Device Posture Checking Tests
There are many ways to scan devices and enforce user privileges. Some products rely exclusively either on network-based scans or an installed “fat client”. Most vendors offer an optional dissolvable browser plug-in. Note that agent options vary in their support of devices and often require administrator-level privileges.

Notes:
1. Refers to the ability to remove malicious code from the endpoint.
2. Bridged connection refers to an untested device connecting to the network through a tested and admitted device.
Product Close-Up
The following tables highlight the key features and functions that impact product security, deployment and operations.
- Quarantined devices can be isolated per switch
- Scans for AV software version, signature files, run status & dates
- Scans for MCP software version and run status
- Scans for personal FW version, configuration and run status
- Dissolvable agent does not require administrator privileges on endpoint
- Persistent agent does not require administrator privileges on endpoint
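As an added illustration (not Bradford's code or the guide's), the out-of-band decision loop described under Product Profile, together with the per-port quarantine, posture checks and bridged-connection case from the tables above, reduced to a small Python model. Switch names, MAC addresses, users, VLAN ids and the seven-day signature-age rule are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed example: port table, identities and posture are made up; VLAN ids and the 7-day rule are assumptions.
QUARANTINE_VLAN, PRODUCTION_VLAN, MAX_SIG_AGE_DAYS = 999, 10, 7

@dataclass
class Posture:
    user: Optional[str]             # identity from 802.1X/portal; None = unknown
    av_sig_age_days: Optional[int]  # None = no agent or scan result yet
    fw_running: Optional[bool]      # personal firewall status; None = not assessed

# What the controller learns from switch bridge tables via SNMP: (switch, port) -> MACs seen.
PORT_TABLE = {
    ("sw1", "Gi1/0/1"): ["00:11:22:33:44:01"],
    ("sw1", "Gi1/0/2"): ["00:11:22:33:44:02", "00:11:22:33:44:03"],  # two MACs behind one access port
    ("sw2", "Gi1/0/7"): ["00:11:22:33:44:04"],
}
POSTURE = {
    "00:11:22:33:44:01": Posture("alice", 2, True),
    "00:11:22:33:44:02": Posture("bob", 1, True),
    "00:11:22:33:44:03": Posture(None, None, None),   # never assessed: bridged behind bob's host
    "00:11:22:33:44:04": Posture("carol", 30, True),  # stale AV signatures
}

def decide(p: Posture) -> tuple:
    """Verdict for one endpoint: ('admit' | 'quarantine', reason)."""
    if p.user is None:
        return "quarantine", "unknown identity"
    if p.av_sig_age_days is None or p.fw_running is None:
        return "quarantine", "posture not assessed"
    if p.av_sig_age_days > MAX_SIG_AGE_DAYS:
        return "quarantine", f"AV signatures {p.av_sig_age_days} days old"
    if not p.fw_running:
        return "quarantine", "personal firewall not running"
    return "admit", "compliant"

def enforce(port_table, posture) -> dict:
    """Map each (switch, port) to the VLAN to push there (a real controller would do so
    via SNMP, CLI or RADIUS). Enforcement is per port, so an untested device bridged
    behind an admitted one puts the whole port into quarantine."""
    actions = {}
    for key, macs in port_table.items():
        verdicts = {m: decide(posture[m]) for m in macs}
        failed = [f"{m} ({r})" for m, (v, r) in verdicts.items() if v == "quarantine"]
        if not failed:
            actions[key] = (PRODUCTION_VLAN, "all endpoints compliant")
        elif len(failed) < len(macs):  # some admitted, some not: bridged untested device
            actions[key] = (QUARANTINE_VLAN, "bridged untested device: " + "; ".join(failed))
        else:
            actions[key] = (QUARANTINE_VLAN, "; ".join(failed))
    return actions
```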