Frequently Asked Questions

WHAT ARE THE BENEFITS?

Easy NAC provides the benefits of traditional network access control – awareness, enforcement, and policies – without agents or network configuration. With its layer-2 visibility, it also provides unique security features that traditional NAC solutions are unable to provide. The result is an easy deployment, simple management, and stronger security than traditional NAC solutions.

Some of the key benefits of Easy NAC include:

  • Real-time Visibility of all network devices
  • Restricts untrusted devices from joining the network (LAN, WLAN, and VPN)
  • Prevents the lateral spread of malware
  • Protects against MAC spoofing
  • Detects Hacking Activity (Deception feature)
  • Provides Guest and BYOD registration
  • Limits BYOD / Consultants devices to approved resources
  • Validates managed devices are joined to the domain
  • Validates Anti-Virus is enabled and managed
  • Validates patch management is enabled and managed
  • Comprehensive and continuous host integrity checks with an optional agent
  • Provides Orchestration features to reduce the Mean Time to Response (MTTR)

CAN EASY NAC BE USED FOR ZERO TRUST?

Without needing to rearchitect the network, Easy NAC provides a comprehensive set of features that helps organizations implement a Zero Trust security model. These include full visibility and control, continuous compliance checks, device fingerprinting, multi-factor authentication, least-privilege access, monitoring, orchestration and reporting.

These flexible features work together to increase visibility, improve security, and simplify security management, which help organizations protect their networks from unauthorized access and reduce the risk of a security breach.

Access Control

HOW DOES EASY NAC CONTROL ACCESS?

Easy NAC uses ARP to restrict access to the network by default. ARP enforcement is an out-of-band enforcement method that doesn’t require network changes. It works with any network infrastructure, with both managed and unmanaged switches. To quarantine a rogue device, the Easy NAC appliance sends ARP packets that direct the rogue’s traffic to the appliance. The appliance blocks the rogue’s traffic in accordance with policies and ACLs. Trusted devices follow the normal path through the network and are unaffected.

WHAT DEVICES CAN EASY NAC CONTROL?

Easy NAC is compatible with all network equipment and endpoint devices. Because it does not require changing or reconfiguring network equipment or endpoints, Easy NAC works with managed and unmanaged networking equipment, and all types of endpoints. 

WHERE IS EASY NAC PLACED ON THE NETWORK?

Easy NAC provides layer 2 visibility, protection, and access control on the subnets that it connects to. Easy NAC supports direct subnet connections, VLAN 802.1Q trunks, vLinks or Enforcer Sensors to extend protection to all locations.  

ARE THERE ANY SWITCH OR NETWORK REQUIREMENTS?

There are no special networking requirements to deploy Easy NAC. It works with any brand of switches, hubs, or wireless infrastructure.  Easy NAC uses standard networking protocols to detect, control, and manage devices to ensure the broadest compatibility. 

Comparison

WHAT MAKES EASY NAC DIFFERENT?

Easy NAC is a third-generation plug-and-protect NAC solution that is easily deployed and affordably scales to many remote sites. Other products that focus on homogeneous networks with limited sites are harder to set up and maintain, especially when enabling quarantine functionality.

Easy NAC provides immediate visibility, response, and control, without network configuration changes or agents. Easy NAC blocks infected devices at the edge, where they reside, to prevent contact with any other devices. NAC solutions that check specific points on the network have limited control over endpoints on remote networks.

HOW DOES EASY NAC COMPARE TO THE COMPETITION?

Easy NAC is a third-generation plug-and-protect NAC solution designed to be easily deployed and to scale affordably to many remote sites. The competition’s products focus more on organizations with homogeneous networks with limited sites. Competitive NAC solutions are significantly more complex to set up and manage, especially when enabling quarantine functionality.

Easy NAC provides immediate visibility and control, without network changes or agents. The use of ARP enforcement is easier to implement and provides stronger and more granular enforcement. With ARP enforcement, infected devices on the LAN will not be able to communicate with other workstations on the same LAN, and thus will not be able to spread the infection. Competitive solutions provide limited or weak protection against malware spreading on the LAN.

| | Easy NAC | Spanning port approach | RADIUS based approach |
|---|---|---|---|
| Enforcement Methods | ARP Enforcement | Block Port or TCP reset (virtual FW) | Quarantine VLAN |
| Network requirements | None – works with both unmanaged and managed switches and WLAN equipment | Requires available spanning port or mirror port. Requires managed switches to block port | Requires managed switches and re-architecting networks to support dynamic VLAN assignments |
| Ease of Setup | Easy – no network changes required. Role-based control can also be enabled without changes | Moderate to extensive network changes | Extensive changes to rearchitect network for dynamic VLAN assignments |
| Quarantine Rogue Devices | Real-time detection and immediate protection | Slow detection and protection when using SNMP; 10+ minute enforcement delay is common | Often requires the use of digital certificates for immediate detection and protection |
| Quarantine Granularity | Strong and flexible – many different ACLs can be set based on policy, e.g., if AV is out-of-date, device can only access AV server | Limited – Port blocking is not user friendly when AV is out-of-date. TCP reset does not isolate an infected machine or non-compliant machines | Limited – Using a quarantine VLAN for both infected machines and non-compliant machines puts non-compliant devices at risk |
| Visibility | Yes – real-time detection with device profiling of OSes | Yes – Good device profiling, but delay detecting rogue devices | Yes – OS profiling may be optional |
| Manage BYOD \ Guest Access | Yes – built-in | Yes – separate component | Yes – separate component |
| Agents | Optional – Agents not required – typical compliance checks done by server integration | Optional – Agents are typically required to address compliance requirements | Typically required |
| Integrations with 3rd party security solutions | Easy NAC provides Automated Threat Response with any solution that can send event-based Syslog or e-mail alerts | Add-on modules required $$ | Limited |
| Malware – Lateral Spread Protection | Yes – Easy NAC has layer-2 visibility on each VLAN it’s protecting | Visibility only at the core, can’t see lateral movement on VLAN | No layer-2 visibility, so can’t see lateral movement on VLAN |
| Deception – Hacking Detection | Yes – Built in | No comparable feature | No comparable feature |

Visibility

HOW DOES EASY NAC DETECT AND TRACK DEVICES?

Easy NAC uses a combination of network monitoring and orchestration with third party software and services to learn and track devices without agents. Starting at layer 2, Easy NAC learns of all devices on the network. Information is collected using low level network protocols like ARP and DHCP, as well as application-level protocols.

To obtain higher level information, Easy NAC integrates with security software, enterprise software, and cloud services. This includes security software such as anti-virus, XDR, MDM and patch solutions. Through multiple sources, Easy NAC profiles each device on the network for reporting, tracking, and automatic trust and quarantine.

WHAT DEVICE PROFILING METHODS DOES EASY NAC USE?

Easy NAC protects and automatically profiles devices using both passive and proactive profiling methods. Passive methods include listening to layer-2 network traffic (ARP, DHCP, etc.). Proactive methods include device scanning, network management queries, web scans, and integration with AD and other 3rd party security and software solutions.

CAN EASY NAC PROTECT AGAINST MAC SPOOFING?

Easy NAC goes beyond simple MAC detection by using a fingerprint feature to protect against MAC address spoofing.  Devices are profiled with a variety of information, which creates a digital fingerprint for the device.  If a device tries to spoof the MAC address, the fingerprint does not match and the device is restricted.
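The fingerprint check described above, as an added example that is not Easy NAC's code. The page does not list which attributes make up the fingerprint, so the DHCP and OS fields, the drift threshold, and all names and sample values here are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fingerprint:
    # Assumed fingerprint fields (hypothetical; not the product's schema).
    dhcp_params: tuple   # DHCP option 55 parameter request list, order preserved
    vendor_class: str    # DHCP option 60
    hostname: str        # DHCP option 12
    os_family: str       # result of OS profiling

FIELDS = ("dhcp_params", "vendor_class", "hostname", "os_family")

def evaluate(profiles, mac, observed, max_drift=1):
    """Compare an observed fingerprint with the stored one for this MAC.

    Returns (verdict, differing_fields). A small drift (e.g. a renamed host)
    is tolerated; a larger one means a different device is using the MAC.
    """
    baseline = profiles.get(mac.lower())
    if baseline is None:
        return "unknown", []          # never profiled: normal registration path
    diff = [f for f in FIELDS if getattr(baseline, f) != getattr(observed, f)]
    verdict = "restrict" if len(diff) > max_drift else "trusted"
    return verdict, diff

# Constructed sample data: a printer profiled earlier on this MAC.
PROFILES = {
    "00:11:22:33:44:55": Fingerprint(
        (1, 3, 6, 15, 44, 47), "Hewlett-Packard JetDirect", "PRN-FLOOR2", "embedded"),
}
# Constructed observation: a Windows laptop presenting the printer's MAC.
CLONE = Fingerprint(
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
    "MSFT 5.0", "DESKTOP-LAB01", "windows")
# Constructed observation: the same printer after a hostname change.
RENAMED = Fingerprint(
    (1, 3, 6, 15, 44, 47), "Hewlett-Packard JetDirect", "PRN-FLOOR3", "embedded")

if __name__ == "__main__":
    for label, fp in (("clone", CLONE), ("renamed", RENAMED)):
        print(label, evaluate(PROFILES, "00:11:22:33:44:55", fp))
```

Allowing one field to drift keeps routine changes such as a renamed host from quarantining a legitimate device, at the cost of accepting a spoofer who reproduces all but one attribute.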

HOW DOES EASY NAC CHECK ANTI-VIRUS COMPLIANCE?

Easy NAC integrates with cloud or on-premise AV, EDR, and XDR servers to check the status of the endpoints. By leveraging the integration at the management server, Easy NAC can enforce compliance with security policies without the use of agents. Out-of-compliance devices can be restricted and administrators alerted.

WHAT ENDPOINT INTEGRATIONS DOES EASY NAC SUPPORT?

Easy NAC integrates with Active Directory, Azure AD and supports many third party software integrations. Some of the more common ones are shown below, but please inquire for an updated list or for a specific integration.

  • Bitdefender
  • Carbon Black Endpoint Standard
  • CrowdStrike Falcon
  • Cybereason
  • Elastic Open XDR
  • ESET Antivirus
  • FireEye HX
  • HCL BigFix
  • Ivanti Security Controls
  • Kaseya VSA
  • Kaspersky Antivirus Integration
  • ManageEngine Desktop Central
  • ManageEngine Patch Manager
  • Microsoft Defender
  • Microsoft Intune
  • Microsoft SCCM \ WSUS
  • Moscii StarCat
  • OKTA Verify
  • Palo Alto Cortex XDR
  • SentinelOne
  • Sophos Enterprise Console and Sophos Central
  • Symantec Endpoint Protection Manager
  • Trend Micro Apex One and Apex Central
  • Trellix ePolicy Orchestrator
  • Webroot

Easy NAC also supports optional agents that can provide compliance checks on any brand of endpoint security software.

Simplicity

WHAT MAKES EASY NAC SIMPLE TO USE?

Although NAC has a reputation of being expensive and difficult, Easy NAC is different because it is an agentless NAC solution that doesn’t require changes to the network. No switch configurations or spanning ports required. These attributes make Easy NAC the easiest NAC solution to deploy and manage, while offering strong security features.

HOW LONG DOES IT TYPICALLY TAKE TO DEPLOY EASY NAC?

Each deployment will vary depending on the number of locations and the number of devices. Deployments can be as fast as a few days, but a more conservative deployment would take about two weeks, with most of the time spent in monitoring mode. Larger distributed networks normally take 1-2 months.

Since there will be no changes to the existing network, operations will not be affected during the deployment, and after-hours work is not required. Typically, a three-stage deployment is recommended:  

Phase 1 – Infrastructure setup (1-5 days)

  • Installation of CGX appliances, vLinks, Enforcer Sensors at necessary sites
  • Setup software integrations and policies
  • Configure and fine tune Access Control Lists for Restricted, IOT, BYOD, Consultants and Guests

Phase 2 – Monitor mode (1-2 weeks)

  • Educate staff on how to register guests
  • Monitor networks for devices that need to be whitelisted or tagged
  • Configure auto device profiling rules
  • Add tags and allow-list configurations as appropriate

Phase 3 – Protection Enabled (1-2 days per site)

  • Enable enforcement

Licensing

HOW IS EASY NAC LICENSED?

Easy NAC is licensed either as a perpetual license with annual support or on a subscription basis. The pricing for both depends on the number of appliances deployed and number of devices being managed.

Please contact your authorized partner or InfoExpress for up-to-date information on licensing.

HOW DO I SIZE A LICENSE?

Easy NAC can protect the entire network or only specific VLANs. If the requirements are to protect only the end-user subnets, the license should cover all the devices expected on these networks.

Common devices include computers, laptops, printers, IOT devices, switches, and VOIP phones. The license should be sized to cover the networks that Easy NAC will protect. Of course, licenses are not required for networks that are not being monitored.

Platform

IS EASY NAC A SOFTWARE OR HARDWARE SOLUTION?

Easy NAC is a family of appliances that provide advanced Network Access Control. The appliances are available in a hardware form factor or as a Virtual Machine software appliance.

Refer to Products for an overview, or contact sales for detailed information.

For additional questions download the Easy NAC FAQ document
