PORTNOX PLATFORM
NEXT GENERATION SOLUTION FOR NETWORK ACCESS MANAGEMENT & CONTROL

Portnox's Network Access Control platform traverses all network layers, whether physical, virtual or in the cloud, to illuminate, visualize, analyze and control all connected devices and users. Its unmatched ability to reach every fragment of the network, regardless of layer or location, results in the most accurate, real-time view of any network, allowing organizations to make smarter, more efficient and more secure decisions.

Portnox.com
Portnox Key Features
- Agentless, port-level monitoring and enforcement
- Integrates with managed and unmanaged access layers; supports standard protocols (SNMP, SSH, HTTP)
- No traffic manipulation, no changes to topology
- Integration of corporate directories, domain and PBX databases
- 100% access coverage: supports all the various access layers using multiple authentication profiles
- Software-based solution (Win2008 R2)
- Fail-open architecture
- Role-based access control for the UI
- Deployment-driven seamless clustering and high availability

How Portnox Communicates with Managed Switches:
Portnox uses SNMP version 1, 2 or 3 to communicate with your switch infrastructure and to gather and display basic information about the connected network devices. Through the addition of SNMP traps we get a real-time view of what is connected to the ports and which ports are currently active, along with their status. We can also view additional information for each port, such as the VLAN configuration. With the help of a layer 3 device (such as a router or firewall), we can retrieve from its ARP table the IP address of each device connected to the switching infrastructure. With this information we can also display details of the device, such as the MAC address, hostname and operating system. Portnox does not require port mirroring or routing changes in order to implement NAC capabilities.
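The managed-switch illumination described above (SNMP polling of port status, linkUp/linkDown traps, and a layer 3 device's ARP table used to map each learned MAC to an IP address) as a worked example. This is added illustration code, not Portnox's own; the port, bridge-table, ARP and trap data are constructed sample values, and the function names, field names and trap tuple format are assumptions made for the example.

```python
"""Correlate SNMP switch data with a router's ARP table into a per-port view.

Added illustration, not Portnox code. The tables below are constructed sample
data shaped like the standard MIB objects an SNMP poller reads: interface
status (ifOperStatus), the bridge forwarding table (MAC -> bridge port) and a
layer 3 device's ARP cache (IP -> MAC). The trap handling follows the generic
linkUp/linkDown notifications. Field names and the trap tuple format are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IF_UP, IF_DOWN = 1, 2  # ifOperStatus values (RFC 2863)


@dataclass
class Port:
    if_index: int
    name: str
    vlan: int
    oper_status: int = IF_DOWN
    devices: Dict[str, Optional[str]] = field(default_factory=dict)  # mac -> ip


# --- constructed sample data ---------------------------------------------
PORTS = {
    1: Port(1, "Gi1/0/1", vlan=10, oper_status=IF_UP),
    2: Port(2, "Gi1/0/2", vlan=10, oper_status=IF_UP),
    3: Port(3, "Gi1/0/3", vlan=20, oper_status=IF_DOWN),
}
# bridge forwarding table entries: (learned MAC, bridge port number)
FDB = [("00:11:22:33:44:01", 1), ("00:11:22:33:44:02", 2), ("00:11:22:33:44:03", 2)]
# ARP cache from the router; vendors print MACs in different notations
ARP = {"10.0.10.11": "0011.2233.4401", "10.0.10.12": "00-11-22-33-44-02"}
# SNMP traps in arrival order: (notification name, ifIndex varbind)
TRAPS = [("linkUp", 3), ("linkDown", 2)]


def normalize_mac(mac: str) -> str:
    """Canonicalise colon, hyphen or Cisco dotted notation to aa:bb:cc:dd:ee:ff."""
    digits = "".join(ch for ch in mac.lower() if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_port_view(ports, fdb, arp):
    """Return a fresh per-port view: every MAC the bridge table learned on a
    port, resolved to an IP through the ARP cache where an entry exists."""
    mac_to_ip = {normalize_mac(m): ip for ip, m in arp.items()}
    view = {i: Port(p.if_index, p.name, p.vlan, p.oper_status) for i, p in ports.items()}
    for mac, bridge_port in fdb:
        port = view.get(bridge_port)
        if port is None:
            continue  # FDB names a port we did not poll; do not guess
        mac = normalize_mac(mac)
        port.devices[mac] = mac_to_ip.get(mac)  # None: seen at layer 2 only
    return view


def apply_trap(view, trap_name: str, if_index: int) -> Optional[Port]:
    """Update the view from a linkUp/linkDown trap instead of waiting for the
    next poll; a port whose link dropped cannot still have devices attached."""
    port = view.get(if_index)
    if port is None:
        return None
    if trap_name == "linkUp":
        port.oper_status = IF_UP
    elif trap_name == "linkDown":
        port.oper_status = IF_DOWN
        port.devices.clear()
    else:
        raise ValueError(f"unhandled trap: {trap_name}")
    return port


def summarize(view) -> List[Tuple[str, str, int, int]]:
    """(port name, status, vlan, device count) per port, for display."""
    return [(p.name, "up" if p.oper_status == IF_UP else "down", p.vlan, len(p.devices))
            for _, p in sorted(view.items())]


if __name__ == "__main__":
    view = build_port_view(PORTS, FDB, ARP)
    for name, idx in TRAPS:
        apply_trap(view, name, idx)
    for row in summarize(view):
        print(row)
```

Two details matter in practice: a MAC seen in the bridge table but absent from the ARP cache is kept with no IP (it is real at layer 2 and should not be dropped), and a linkDown trap clears the port's devices immediately rather than waiting for the bridge table entry to age out, which is what keeps the view real-time.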
How Portnox Communicates with Wireless Network Equipment:
Portnox is capable of providing 100% coverage of the wireless network, allowing a full-scale NAC solution for the client. Portnox integrates with all Cisco wireless controllers, along with their associated access points, offering the ability to view the wireless devices connected to them. All access point information is retrieved automatically from the controller. Portnox can also integrate with other, uncontrolled access points via a generic wireless module that uses syslog and/or SSH to perform illumination and enforcement on connected devices.

How Portnox Covers Unmanaged Parts of the Network:
In some cases, parts of the network are considered unmanaged. This is usually due to unmanaged switch infrastructure, or because administrative access to a managed switch is denied for other reasons. In such cases, Portnox constructs a virtual switch (a virtual representation of the defined IP scope), on which Portnox performs layer 3 and layer 2 scans to fully illuminate the devices in that scope. Portnox can also enforce policies on such devices using ARP poisoning techniques or, where applicable, on-the-fly configuration of ACLs on routers.

How Portnox Authenticates Devices:
Portnox uses a wide array of authentication methods for devices, including Windows authentication, domain authentication, SSH and telnet. Combined with the ability to correlate these authentication methods with a specific time period, geographic location, group of devices and specific VLAN, this gives the ability to enforce incredibly granular policies. Portnox also uses a built-in fingerprinting tool to collect more extensive information on the devices connected to your switches. We are able to see information about the device in addition to the configuration of the port it is connected to.
If the device is part of the domain, we can integrate with Active Directory to identify which user is currently logged on to that device. For IP phones, we can display the extension number of each phone by integrating with the corporate PBX database.
How Portnox Checks the Compliance Level of Devices:
Portnox is an agentless NAC solution; all compliance checks are performed via standard WMI and remote registry capabilities. Detailed compliance checks (running services, processes, file system and registry checks) can be run on Windows machines. Compliance policies can be created based on either blacklists or whitelists, as required. This provides the ability to act upon systems that do not meet a certain system baseline, for example an up-to-date corporate AV or the corporate software deployment tool. Portnox provides dozens of preconfigured compliance checks.

How Portnox Enforces NAC Policy on Devices:
If a device fails authentication because it is not a corporate device or is a guest device, Portnox can either alert the appropriate personnel / helpdesk or shut down the device's port altogether. Portnox can also move the device onto an isolated VLAN we call a Phase VLAN, e.g. a guest VLAN with only internet access. The Phase VLAN is normally an isolated guest VLAN. It is used to fix devices that have failed compliance checks or to isolate unknown devices from the network. Portnox additionally offers a Captive Portal. When a device has been moved to the Phase VLAN, the Captive Portal (a web page) appears; it can be customised by the customer. Using the Captive Portal we prompt the user to undergo Captive Authentication, where authorised users enter their credentials to allow their guest device onto the corporate network for a specified amount of time. Users are authorised against a corporate directory such as Active Directory or another compliant directory, or against any other local user database.

How Portnox Performs Device Remediation:
If a device fails authentication by not passing the authentication scheme, or fails a compliance check, we can move this device onto an isolated VLAN.
For example, if a device fails the AV compliance check because its AV is out of date, Portnox will move the device onto a remediation VLAN for updates, then move it back onto its correct VLAN when Portnox attempts to re-authenticate the device.
Portnox can then alert a third-party server about the device that requires remediation by sending a syslog message or executing an action script to trigger the process. The interval at which Portnox re-checks a device that has failed a certain policy can be configured.

Additional Capabilities Provided by Portnox NAC:
Portnox supports both layer 2 and layer 3 and can apply policies per VLAN and even per specific device. Portnox also allows grouping specific ports from various switches into a location, which can have its own policies. An example would be a location comprising all ports in conference rooms, which usually have different (stricter) NAC enforcement policies, or any other public ports that might be more exposed to foreign access. Portnox also allows setting different policies per type of device (e.g. a specific version of an operating system). Portnox can produce dynamic VLAN assignment rules based on the type of device (specific OS type, printer, voice IP phone, logical grouping of devices, etc.) or the user logged into the device. This enables both security and management capabilities based on predefined corporate policies.

User Experience:
The end user's experience (both wired and wireless) depends on the situation. During the authentication process the user will not notice anything different. If they pass authentication, the user will be able to work as normal. If the device fails authentication for whatever reason, they will notice the following, depending on configuration:

Failed Authentication: Port Blocked
The user will lose network access.

Failed Authentication or Compliance: Portnox displays a customised popup balloon on Windows to inform the user of the current situation and/or any further action required.
Failed Authentication or Compliance: Phase
The user's device will be moved to an isolated VLAN. This could be a remediation VLAN or a guest VLAN with just internet access.

Captive Portal
Alternatively, the user will be presented with a captive portal web page. This can be altered to suit the customer. The user will typically see a message stating that their device has been moved to the isolated/guest VLAN due to authentication failure. This can also include a help desk number.

Captive Authentication
The user will be able to enter authorised domain credentials to authenticate and allow the device onto the network.

© 2013 Portnox Access Layers. All rights reserved.
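The compliance, enforcement and remediation flow described in the sections above (agentless checks against a blacklist/whitelist baseline, the move to a Phase VLAN or port block, the syslog alert to a third-party server, and the configurable re-check interval after which a remediated device returns to its production VLAN) as one worked example. This is added illustration code, not Portnox's own; the check kinds, check and service names, VLAN numbers, registry path and syslog line format are all constructed for the example, and the posture dicts stand in for what a collector would read over WMI and remote registry.

```python
"""Agentless compliance evaluation and the NAC enforcement decision it feeds.

Added illustration, not Portnox code. The posture dicts stand in for what a
collector reads from a Windows host over WMI and remote registry (service
states, process list, registry values). Check kinds, check names, VLAN
numbers, registry path and the syslog format are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

T0 = datetime(2013, 6, 1, 9, 0)          # constructed clock start for the demo
RECHECK_INTERVAL = timedelta(minutes=15)  # configurable re-check interval


@dataclass(frozen=True)
class Check:
    name: str
    kind: str          # "service_running" | "process_absent" | "registry_equals"
    target: str
    expected: str = ""


# Constructed baseline: whitelist items (must be present) next to a blacklist item.
BASELINE = [
    Check("corp-av-running", "service_running", "CorpAVService"),
    Check("deploy-agent-running", "service_running", "CorpDeployAgent"),
    Check("no-unapproved-remote-tool", "process_absent", "unapproved-remote.exe"),
    Check("av-signatures-current", "registry_equals",
          r"HKLM\SOFTWARE\ExampleCorp\AV\SignatureStatus", "current"),
]

# Two constructed posture snapshots of one host: before and after remediation.
STALE_AV = {
    "services": {"CorpAVService": "Stopped", "CorpDeployAgent": "Running"},
    "processes": ["explorer.exe", "outlook.exe"],
    "registry": {r"HKLM\SOFTWARE\ExampleCorp\AV\SignatureStatus": "stale"},
}
UPDATED = {
    "services": {"CorpAVService": "Running", "CorpDeployAgent": "Running"},
    "processes": ["explorer.exe", "outlook.exe"],
    "registry": {r"HKLM\SOFTWARE\ExampleCorp\AV\SignatureStatus": "current"},
}


def evaluate(posture: dict, checks=BASELINE) -> List[str]:
    """Names of failed checks. Unknown check kinds fail closed (a policy typo
    cannot pass a device) and missing posture keys count as failures."""
    failed = []
    for c in checks:
        if c.kind == "service_running":
            ok = posture.get("services", {}).get(c.target) == "Running"
        elif c.kind == "process_absent":
            ok = c.target.lower() not in {p.lower() for p in posture.get("processes", [])}
        elif c.kind == "registry_equals":
            ok = posture.get("registry", {}).get(c.target) == c.expected
        else:
            ok = False
        if not ok:
            failed.append(c.name)
    return failed


@dataclass(frozen=True)
class Decision:
    action: str                     # "allow" | "block_port" | "phase"
    vlan: Optional[int]
    recheck_at: Optional[datetime]  # None when no further check is scheduled
    reason: str


def decide(device: dict, posture: dict, now: datetime, *,
           phase_vlan: int = 999, recheck=RECHECK_INTERVAL) -> Decision:
    """One enforcement pass: authentication first, then the compliance baseline."""
    if not device["authenticated"]:
        if device.get("unknown_device_action") == "block_port":
            return Decision("block_port", None, None, "authentication failed")
        return Decision("phase", phase_vlan, now + recheck, "authentication failed")
    failed = evaluate(posture)
    if failed:
        return Decision("phase", phase_vlan, now + recheck, "failed: " + ", ".join(failed))
    return Decision("allow", device["production_vlan"], None, "compliant")


def syslog_line(device: dict, d: Decision, now: datetime) -> str:
    """Constructed alert line for a third-party server (not a Portnox format)."""
    return (f"{now.isoformat()} nac host={device['hostname']} mac={device['mac']} "
            f"action={d.action} vlan={d.vlan} reason=\"{d.reason}\"")


def remediation_cycle(device: dict, snapshots: List[dict], start: datetime, **kw):
    """Replay posture snapshots at the re-check interval; return the
    (time, action, vlan) history until the device is allowed or blocked."""
    now, history = start, []
    for posture in snapshots:
        d = decide(device, posture, now, **kw)
        history.append((now, d.action, d.vlan))
        if d.recheck_at is None:
            break
        now = d.recheck_at
    return history


if __name__ == "__main__":
    host = {"hostname": "ws-0042", "mac": "00:11:22:33:44:05",
            "authenticated": True, "production_vlan": 10}
    print(syslog_line(host, decide(host, STALE_AV, T0), T0))
    for step in remediation_cycle(host, [STALE_AV, UPDATED], T0):
        print(step)
```

The evaluator fails closed on two conditions a practitioner should watch for: a check kind the policy engine does not recognise, and a posture with missing sections (a collection error over WMI or remote registry), both of which would otherwise let a device pass by accident. The cycle shows the device parked on the Phase VLAN, re-checked after the configured interval, and returned to its production VLAN once the updated posture satisfies the baseline.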