
Safe Access is a complete NAC solution, delivering on the four vital areas of NAC:
pre-connect testing, post-connect monitoring, identity-based management, and remediation.
Safe Access key capabilities include:
- Fast pre-connect testing — does not interfere with your end-user experience
- Deep testing — ensures that endpoints are truly free from defects
- Flexible endpoint testing, enforcement, and remediation — works with your existing network and IT environment. No forklift upgrades required.
- Continuous post-connect monitoring — always delivering constant protection
- Windows OS and Mac OS X coverage — covering your highest risk devices
- Identity-based management controls through FreeRADIUS integration with Microsoft Active Directory
- Partnerships with the major NAC frameworks — extending your investment in Microsoft and TNC
Safe Access provides five enforcement options for quarantining endpoints. This enables Safe Access to enforce policy compliance across complex, heterogeneous networks. Enforcement options include:
- 802.1x enforcement
- DHCP enforcement
- Endpoint-based enforcement
- Inline enforcement for VPN and RAS connections
Multiple enforcement options can be blended within a Safe Access implementation and managed from a single Web-based console.
Additionally, Safe Access offers three endpoint testing options. These options allow a full range of devices, both Windows and Macintosh (Power PC and Intel-based), to be tested thoroughly before being allowed into the network.
- Agentless testing (Windows only)
- Web-based, non-persistent testing (Windows only)
- Agent-based testing (Windows and Macintosh)
The figure at left shows how this powerful combination of flexible testing and enforcement options allows all endpoints, including those belonging to LAN-connected users, remote users, contractors, visitors, and wireless users, to be thoroughly tested before being granted access.
Purpose-built for NAC
Safe Access is purpose-built for network access control. Its proprietary testing and enforcement engine provides deep, fast endpoint testing for both Windows and Macintosh. With testing taking only seconds, end-users are unaware of any delays in the login process unless they are quarantined because of failure to meet policy. Safe Access' numerous enforcement options allow you to mix and match for deployment throughout your network.
Unlike other so-called NAC solutions built on top of vulnerability scanners, personal firewalls, or re-purposed IDS/IPS products, Safe Access is not weighed down by irrelevant processes or constrained by limited testing capabilities. Additionally, unlike these other products, Safe Access thoroughly evaluates endpoint health before the device physically connects to the network — a key requirement for true network access control. This helps prevent unhealthy endpoints from spreading damage.
Advantages of Safe Access' purpose-built NAC engine:
- Extremely fast testing — testing is completely transparent to end-users whose devices are compliant
- Minimal test session data transfer: 35k avg.
- Minimal impact on end-user — if device fails testing, end-user is given clear instructions for remediation
- In-depth testing for specific NAC risks
- Integrates with your AD/LDAP system for importing user account data
- True pre-connect testing — prior to network access
Pre-connect Endpoint Testing
In pre-connect testing mode, Safe Access applies hundreds of health checks, or tests, that fully assess endpoint security posture. Safe Access can be configured to retest periodically to check that the health posture remains compliant.
Pre-connect testing categories include:
- OS Service Packs and Hotfixes
- Browser and OS security settings
- Bluetooth configuration
- Antivirus, installed and up-to-date
- Personal firewall, installed and up-to-date
- Anti-spyware, installed and up-to-date
- Spyware (presence of)
- Peer-to-peer applications (presence of)
- Worms, viruses, and Trojans (presence of)
- Required software, administrator defined
- Prohibited software, administrator defined
Safe Access tests are updated automatically and added on an ongoing basis by the StillSecure® Security Alert Team™ (SAT). You may also script custom tests to meet organization-specific needs.
Post-connect Monitoring
Safe Access' open architecture allows for integration with StillSecure's own post-connect monitoring system and with third-party solutions. Safe Access integrates with StillSecure's Strata Guard® IDS/IPS solution to create continuous post-connect protection. Through Safe Access' APIs, third-party systems can also alert and quarantine devices based on malicious behavior.
The Strata Guard Post-Connect Sensor employs a continually expanding database of nearly 4,000 attack rules to detect harmful traffic, plus powerful anomaly- and protocol-based detection. These rules are created, tested, and released by the StillSecure Security Alert Team (SAT), which operates on a 24x7 basis to help ensure your network is protected — even from the latest 'zero-day' attacks.
Management and Administration
Regardless of the size or complexity of the network, Safe Access centrally consolidates the management of all testing and enforcement activities, providing a single-pane-of-glass view into endpoint security.
The user interface simplifies deployment and provides easy access to many functions usually reserved for backend configuration. GUI features include system management for backup and recovery, adding new Enforcement Servers, generating support packages, and setting a range of IP addresses that can be enforced, monitored or ignored.
A single Safe Access Management Server controls multiple Enforcement Servers (grouped together in 'clusters') as shown in the figure above. Enforcement Servers allow Safe Access to seamlessly accommodate dispersed geographic locations, heterogeneous network technologies, and the full range of endpoint connection types. The figure below shows how clusters are managed in the Safe Access interface.

Through the Management Server, custom tests and access policies can be distributed to all Enforcement Servers in a single operation. System monitoring and reporting are rolled up at the cluster and corporate levels. This architecture provides system administrators with access to the full range of information, from enterprise-wide security summaries to detailed compliance information on a single endpoint.
High Availability and Load Balancing
Safe Access has true active-active high availability and failover capabilities. A multi-server Safe Access deployment is mutually supporting. Should an Enforcement Server fail, other servers within a cluster will automatically provide coverage for the affected network segment. Likewise, a spike in testing activity directed at a single Enforcement Server is load balanced across the cluster.
Multi-User, Role-Based Access
Administrative access to the system is strictly controlled through user roles and cluster assignments. Safe Access ships with four default user roles:
- System administrator
- Cluster administrator
- Help desk user
- View-only user

Administrators may create additional roles using Safe Access' fine-grained permissions, shown in the figure at left. Devices and functions are exposed on a need-to-know basis. For example, a cluster administrator may only view data for endpoints within their assigned clusters.
Integrated in the IT Environment
Safe Access includes StillSecure's Enterprise Integration Framework™ (EIF), an open architecture that allows for the import/export of data to/from Safe Access. Integration allows third-party systems to control Safe Access testing and quarantining functions, and it enables Safe Access to share endpoint security data with other IT systems, such as patch managers, intrusion detection/prevention systems (IDS/IPS), vulnerability managers, security information managers, trouble-ticketing, third-party reporting tools, etc. Safe Access' EIF also enables support for a variety of network infrastructure manufacturers and devices.

Administrators have complete control over the depth and frequency with which end-users are informed of testing activities and results. Communication can be configured to be as visible or as invisible as necessary. End-users may be notified of device testing, test results, and the steps needed to bring the endpoint into compliance. Examples are shown in the figure at left.
Automated and Manual Endpoint Repair
Safe Access closes the loop within network access control by facilitating a variety of remediation options for endpoints that test non-compliant with your security policy:
- Automated remediation — Integration with BigFix®, Microsoft® SMS, and Citadel Hercules natively supported; additional patch management integrations in development and available on request.
- Self remediation — Users notified of where their devices are deficient and provided with the remediation instructions.
- Access 'grace period' — Provides administrator-defined window of access (e.g., 3 days) to non-compliant devices to facilitate remediation.
Reporting for Management and Auditors
Safe Access' robust reporting capabilities allow you to meet the needs of auditors, managers, and IT staff. Reports provide concise security status information on device compliance and access activity. Available reports include: Device list, Actions taken, Access policy results, Test details, Test results, Test results by device, Test results by user, Test results by IP address, and more.
Safe Access is available as software or as a preconfigured hardware appliance. We invite you to try a free demonstration.
Availability
StillSecure also offers Safe Access Lite, a free version of the industry's #1 award-winning NAC solution. Safe Access Lite is a non-disruptive, easy-to-install, monitor-only NAC product that tests up to 250 devices/computers/endpoints. For quick installation and ease-of-use, Safe Access Lite is offered as a pre-built, pre-configured and ready-to-run VMware download.