PacketFence is a leader among open-source NAC (network access control) systems: it is reliable, easy to configure, and built on unmodified open-source components (Fedora, LAMP, Perl, PHP and Snort). PacketFence is designed to run in a wide variety of environments and uses "vendor-agnostic isolation" techniques, including DHCP scope changes and ARP cache manipulation ("passive" mode).
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set, including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort IDS and the Nessus vulnerability scanner, PacketFence can be used to effectively secure networks, from small ones to very large heterogeneous networks.
Features
* Out-of-band
PacketFence's operation is completely out of band, which allows the solution to scale geographically and to be more resilient to failures. When using the right technology (such as port security), a single PacketFence server can be used to secure hundreds of switches and many thousands of nodes connected to them.
* Voice over IP (VoIP) support
Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).
* 802.1X
Wireless and wired 802.1X is supported through a FreeRADIUS module.
* Wireless integration
PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.
* Registration
PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
* Detection of abnormal network activities
Abnormal network activities (computer viruses, worms, spyware, traffic denied by the establishment's policy, etc.) can be detected using local and remote Snort sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
* Proactive vulnerability scans
Nessus vulnerability scans can be performed upon registration, on a schedule, or on an ad-hoc basis. PacketFence correlates the Nessus vulnerability IDs of each scan with the violation configuration, returning content-specific web pages about which vulnerability the host may have.
* Isolation of problematic devices
PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
* Remediation through a captive portal
Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user is presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
* Command-line and Web-based management
Both web-based and command-line interfaces are provided for all management tasks. Web-based administration supports different permission levels for users and authentication of users against Active Directory (AD).
Latest version: 4.2
This version includes a large number of new features; the changes are as follows:
* Hotspot-style enforcement support
* New captive portal engine that is easier to customize
* Many new telco-oriented features (WRIX, inline layer 3, a status page to extend network access, etc.)
* New Android provisioning agent
* New device support for Enterasys, Huawei and Juniper
* Improved Eduroam integration
* Performance improvements
Latest version: 7.0
This is a major release with new features, enhancements and important bug fixes. This release is suitable for production use, and upgrading from older versions is strongly recommended. For more details, please refer to the changelog.
Official homepage: http://www.packetfence.org/