The Sophos NAC Advanced product is a well-designed offering which balances the need for ease of administration with network protection. It uses a Windows 2003 Server with SQL installed as a platform for the software-based offering. There are two ways to deploy the NAC tool. First is an agent-based install where a client is loaded onto each machine. The second method uses a web browser and an ActiveX control. If the client uses the dissolvable (web) agent or the software agent, the policy is pulled from the Sophos configuration interface, which resides on the Windows 2003 server.
Setting up policies is quite easy. A sample policy might require Windows XP to have Service Pack 2 installed with all of the associated hotfixes, the Sophos Anti-Virus 6 running, and with updated DAT files, and also the Sophos personal firewall installed and running. If the client fails to meet those criteria, the machine can be placed in either a partially compliant state, or, if more controls are missing, the device will be placed in a non-compliant state.
The tool has three methods for enforcing the network policy should a device be placed into a non-compliant state. The first is to work with a Microsoft or Lucent Dynamic Host Configuration Protocol (DHCP) server to assign an address, which only allows the client to have access to the remediation server and the internet. The second is to use 802.1x to assign the non-compliant machine to a VLAN, which places the machine in quarantine. The third is to work with the Cisco NAC platform to further restrict access.
Sophos includes 24/7/365 support to all users with no additional charge.
Pricing is based on per seat licensing. The per-seat fees are $14 per user per year with a minimum of 1,000 seats. This places the offering in the middle to upper range in this Group Test, but when free lifetime support is added, the offering is very affordable.