Rollout: Lockdown Networks Enforcer 4.2.7

In most NAC systems, once a host is granted access, it's allowed onto the network until a host reassessment takes place. In the meantime, the NAC system is typically unaware of malicious activity.

Lockdown Networks' latest version of its network access control product, Enforcer 4.2.7, wants to address this weakness by accepting RFC 3164-formatted syslog events and Web services events for use in policy decisions. Enforcer policies can use syslog's severity field and the source IP to react to events by, for example, kicking a device off the network, quarantining it or alerting an administrator.

NETWORK ACCESS CONTROL
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

Products from other NAC vendors, including Consentry Networks, Enterasys Networks and Nevis Networks, can use IDS events to help make policy decisions. Lockdown's Enforcer is the first to accept syslog events, which means it can accept information feeds from IDSs and other network devices.

Although configuring Enforcer to accept syslog events and incorporate them into its policies is easy, Lockdown hasn't provided sufficient event-management capabilities to extract the full value of that information. Also, event severity and source IP aren't really enough to make good policy enforcement decisions. Finally, administrators must assign meaningful severity to syslog events being used by Enforcer at the source, while ensuring that the severity ratings don't affect other event-processing systems that consume the same events.Log On

Lockdown sent out the Enforcer and a systems engineer to our Syracuse University Real-World Labs®. We spent the day configuring the Enforcer, Snort on Red Hat Enterprise 3 Linux, and a Cisco Systems 2900 XL switch (see diagram at left). We used Snort as a source to generate syslog messages for Enforcer, but any network device that generates syslog messages can send information.

On our Snort IDS, we configured an output rule to send messages to Enforcer using the local syslog server. Then we configured Enforcer to accept syslog events by simply adding the syslog server's IP address to the Enforcer appliance. We also used a custom rule set in Snort to send events of varying severity to syslog. We configured a policy in Enforcer that sent an e-mail whenever a syslog event was received. We wanted Enforcer to take different actions based on event severity, so we had to write a set of policies for each severity rating.

Our policies fired off e-mails when Enforcer received an event, but we could have just as easily written policies to kick off a host assessment, quarantine the host or take any other action Enforcer supports.

Event Management Done Wrong

Any NAC product that accepts events from external sources needs to perform sophisticated event management to provide real value. At a minimum, it must be able to configure the events it receives, rather than require events to be pre-configured at the source. Additionally, the NAC product should include event-management capabilities such as parsing, event mapping and event suppression. Enforcer 4.2.7 fails to meet these requirements.

The biggest problem is Enforcer's rudimentary syslog parsing. It uses two data points: the severity field and the first IP address in the syslog message, which it assumes is the offending client. However, these are insufficient for making policy decisions because syslog severities lack context. Also there is no way to get access to the syslog message text from Enforcer, which means admins must go to the source of the event to get more information.

Without a way to parse the syslog event string, there's no way to differentiate one event from another-- Enforcer treats all events with a given severity equally. That's not necessarily good--some sources are more accurate than others. Lockdown says it'll add support for identifiers that can differentiate events in the next release.

Enforcer also can't suppress the events it receives; instead, the source has to squelch them. While Snort allows suppression of multiple events, a company's data-retention policy might dictate otherwise. In any case, we fell event suppression should be the responsibility of the consumer of the event.Assuming the first IP address is the client is also problematic. Snort 2.6 happens to format syslog messages this way, but other IDSs, and other devices that generate syslog messages, may not.

Lockdown is on the right track, but wait at least one rev cycle before seriously considering syslog integration. Enforcer 4.2.7 starts at $24,995. The latest version is available free to existing customers with support contracts.

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs and former editor in chief of Secure Enterprise. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at [email protected].