Policies work uniquely in Safe Access. Each Safe Access server uses one set
of policies. You can customize the provided policies and add additional policies
of your own, in either an enabled or disabled state. You assign to each policy
a set of Windows domains or endpoint devices by name, MAC address, subnet address,
or IP address range, then arrange the policies in a logical order. Endpoints
are tested according to the first policy for which they meet membership requirements.
Endpoints that match no policies will be tested according to the last—usually
most restrictive—listed policy. For each test within a policy, you can
set actions that Safe Access will take on failure, including an email message
to an administrative email address, immediate or delayed quarantine, and a call
to an automated remediation system. When an endpoint fails more than one test
in a policy, the software assigns the most restrictive of the resulting failure
actions. I configured email notification and found that it provided a detailed
description of the reasons an endpoint failed the test, information that
struck me as potentially quite useful to help desk staff assisting users
with remediation problems. If predefined tests don't meet your needs, the Safe
Access user guide documents how to use the Python programming language to code
custom tests.
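The policy selection and failure-action rules described above, modeled as an added example: this is not Safe Access code or its custom-test API. The field names, the test names, the sample policies and the ranking of actions from least to most restrictive are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed ranking, least to most restrictive; the review does not give one.
SEVERITY = {"none": 0, "email": 1, "delayed_quarantine": 2, "immediate_quarantine": 3}

@dataclass
class Policy:
    name: str
    domains: set = field(default_factory=set)
    names: set = field(default_factory=set)          # endpoint host names
    macs: set = field(default_factory=set)           # lower-case MAC strings
    subnets: list = field(default_factory=list)      # CIDR strings
    ip_ranges: list = field(default_factory=list)    # (first, last) pairs
    on_fail: dict = field(default_factory=dict)      # test name -> action

    def matches(self, ep):
        """True if the endpoint meets any membership criterion of this policy."""
        ip = ipaddress.ip_address(ep["ip"])
        return (ep.get("domain") in self.domains
                or ep.get("name") in self.names
                or ep.get("mac", "").lower() in self.macs
                or any(ip in ipaddress.ip_network(s) for s in self.subnets)
                or any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                       for lo, hi in self.ip_ranges))

def select_policy(policies, ep):
    """First policy in list order that the endpoint matches, else the last one."""
    return next((p for p in policies if p.matches(ep)), policies[-1])

def failure_action(policy, failed_tests):
    """Most restrictive of the actions configured for the failed tests."""
    actions = [policy.on_fail.get(t, "none") for t in failed_tests]
    return max(actions, key=SEVERITY.__getitem__, default="none")

# Constructed sample policies in evaluation order; the last is the catch-all.
POLICIES = [
    Policy("servers", macs={"00:11:22:33:44:55"}, on_fail={"antivirus": "email"}),
    Policy("staff", domains={"CORP"}, ip_ranges=[("10.1.0.10", "10.1.0.200")],
           on_fail={"antivirus": "delayed_quarantine", "firewall": "email"}),
    Policy("restricted", on_fail={"antivirus": "immediate_quarantine",
                                  "firewall": "immediate_quarantine"}),
]

if __name__ == "__main__":
    ep = {"ip": "10.1.0.50", "mac": "AA:BB:CC:DD:EE:FF"}   # constructed endpoint
    policy = select_policy(POLICIES, ep)
    print(policy.name, failure_action(policy, ["antivirus", "firewall"]))
```

Because the first match wins, a broad policy placed above a narrower one silently shadows it, and any endpoint that matches nothing falls through to whatever policy is listed last.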
When testing quarantine, I found no surprises. Test failure resulted in immediate
quarantine when that was configured and in delayed quarantine if that was the
test specification. From the device status screen, I was able to immediately
grant a quarantined device additional time, and I was able to retest the endpoint
for compliance.
Bottom line. Safe Access offers network administrators an excellent
combination of ease of use, flexible policy assignment, and network security
options. The Web-based UI is responsive, quickly understood, and replete with
useful context-sensitive Help. Although the Safe Access management interface
lacks the integration of other tiered security products (e.g., McAfee's EPO),
you might prefer the lean, efficient simplicity of its design.
StillSecure Safe Access 5.0
PROS: Broad range of testing and enforcement options, including 802.1x; flexible, easily implemented policy structure; relatively granular console security structure, adaptable to distributed administration; endpoint testing is highly customizable through Python when existing tests don't meet the need
CONS: Lacks support for enforcement via SNMP-managed switches
RATING: 4.5 out of 5
PRICE: Approximately $20 per IP address, assuming a 2500-user deployment. No extra charge for white-listed IP addresses.
RECOMMENDATION: StillSecure has produced an excellent, easy to configure and use NAC system. The responsive web console, predefined tests, and preconfigured enforcement options made it a pleasure to set up and use. The ability to easily grant temporary network access to failing systems will help keep your users happy.
CONTACT: StillSecure (http://www.stillsecure.com), 888-847-8766
Editor's Choice
At the conclusion of my testing, I had two favorites in this group. First, StillSecure's
Safe Access gets my Editor's Choice for its clean 802.1x implementation, easy
manageability and flexible quarantine features. I didn't test performance features,
but I suspect the product's Linux-based, designed-for-NAC core would handle
a heavy load. My other favorite is McAfee's Policy Enforcer. I'm a fan of the
EPO console for its well-designed ability to integrate the management of McAfee's
suite of security products.