Security Network Access Control Solutions

Brocade is committed to delivering the industry's broadest support for Network Access Control (NAC). Our approach is to work with a variety of vendors to ensure that our products work both in purely client-based environments, such as those built on 802.1x supplicants and RADIUS servers, and in environments that use a NAC appliance. Our networking products are validated to ensure that they interoperate with vendors that adhere to an open, standards-based approach to delivering NAC solutions. This includes support for remediation and quarantine VLANs and networks.

Overview

While 802.1x is an excellent protocol for securing access to the network based on username and password or certificates, it has limitations. The main one is that it offers no way to validate that the client is healthy and running the security software needed to safeguard both itself and the organization.

Organizations that are serious about internal network security must have policies that ensure this security. Examples of policies that assist in ensuring internal security might include:

  • Clients must run a specific Windows version and Service Pack
  • Clients must run specific Anti-Virus Software
  • Clients must run specific personal firewall software
  • Clients must run specific intrusion detection & prevention software
  • Clients must run spyware/adware protection software

While these IT policies help to ensure the internal security of an organization, without enforcement they are guidelines rather than rules. To help enforce IT security policy and proactively ensure that clients connecting to the network are healthy and do not infect other systems, whether accidentally or maliciously, Brocade has developed the industry's most scalable, standards-based network admission control architecture. Together with our industry best-of-breed partners, Microsoft, Symantec and Check Point Software, Brocade delivers proactive network admission control solutions that layer easily onto existing 802.1x RADIUS-based authentication systems, ensuring that IT policy is met before clients are allowed access to network resources.

The new Brocade security architecture ensures that clients meet IT policy before they are given access to the production network. It also provides guest user access, along with quarantine VLAN and remediation service support, so that valid users whose clients do not comply with IT security policy can quickly determine why, and how to patch their systems to get production network access.

In this model, a number of new components are added to our RADIUS/802.1x security model to provide this health check capability: a NAC (network admission control) client and a NAC server. The NAC client is installed on each client that is to be health checked before gaining access to the internal network. The NAC server runs in conjunction with the RADIUS server, acting as a RADIUS proxy. In addition, remediation services are provided on the quarantine VLAN to support patching out-of-compliance clients.
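The admission decision described above can be sketched as follows. This is an added example, not Brocade or partner code: the VLAN IDs, the health-report field names, the policy thresholds, the `admit` function and the `is_guest` flag are all assumptions, and the returned attributes are the standard RFC 3580 tunnel attributes a RADIUS server uses to assign a port to a VLAN.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed values: VLAN IDs and policy thresholds are assumptions, not Brocade settings.
VLANS = {"production": 10, "guest": 99, "quarantine": 666}

# One check per policy bullet in the overview; each takes the reported value.
POLICY = {
    "os_service_pack": lambda v: isinstance(v, int) and v >= 2,
    "antivirus_running": lambda v: v is True,
    "personal_firewall_running": lambda v: v is True,
    "ids_ips_running": lambda v: v is True,
    "antispyware_running": lambda v: v is True,
}

@dataclass
class Decision:
    accept: bool
    vlan: Optional[str] = None
    failed_checks: list = field(default_factory=list)

    def radius_attributes(self):
        """RFC 3580 tunnel attributes that tell the switch which VLAN to use."""
        if not self.accept:
            return {}  # Access-Reject carries no VLAN assignment
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(VLANS[self.vlan]),
        }

def admit(auth_ok, health_report, is_guest=False):
    """Hypothetical NAC-server decision made after proxying the RADIUS exchange."""
    if is_guest:
        return Decision(True, "guest")
    if not auth_ok:
        return Decision(False)
    # Fail closed: a missing report (no NAC client) or a missing field fails the check.
    report = health_report or {}
    failed = [name for name, ok in POLICY.items() if not ok(report.get(name))]
    if failed:
        return Decision(True, "quarantine", failed)  # valid user, unhealthy client
    return Decision(True, "production")

if __name__ == "__main__":
    # Constructed sample report: antivirus stopped, everything else compliant.
    sample = {"os_service_pack": 2, "antivirus_running": False,
              "personal_firewall_running": True, "ids_ips_running": True,
              "antispyware_running": True}
    d = admit(True, sample)
    print(d.vlan, d.failed_checks, d.radius_attributes())
```

The `failed_checks` list is what a remediation service on the quarantine VLAN would show the user to explain why production access was withheld.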

Brocade, together with Microsoft, Symantec, and Check Point Software, has validated that our edge switch and wireless AP solutions are interoperable and easily deployable. Together, Brocade's and our partners' products help IT managers maintain and enforce IT security policies to provide proactive security for their clients and networks.

Brocade is working directly with Microsoft to validate that our L2-L3 switches and routers are supported in the Network Admission Protection architecture that Microsoft will be releasing in their Windows Longhorn and Vista Server and Client releases. Brocade is a member of the Microsoft Network Admission Protection Consortium and the Microsoft SecureIT Alliance.

Related Products

Brocade provides a range of security solutions and partners that assist customers in building highly secure networking environments. These security solutions revolve around our award-winning L2-3 switches and routers, wireless access points and switches, L4-7 traffic management solutions, and our L2-7 security products.

Security Partners

  • Learn more about Foundry's Security Alliance Partners.