Standard Features

PacketFence is an open-source network access control (NAC) system which provides an impressive list of supported features. Among them, there are:

  • Registration
    PacketFence supports an optional registration mechanism similar to "captive portal" solutions. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it. The duration of a node registration can be a relative value (eg. "four weeks from first network access") or an absolute date (eg. "Thu Jan 20 20:00:00 EST 2009").

  • Detection of abnormal network activities
    Abnormal network activities (computer virus, worms, spyware, etc.) can be detected using local and remote Snort [External] sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

  • Proactive vulnerability scans
    Nessus [External] vulnerability scans can be performed on a scheduled or ad-hoc basis. PacketFence correlates the Nessus vulnerability ID's of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

  • Isolation of problematic devices
    PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

  • Remediation through a captive portal
    Once trapped, all HTTP, IMAP and POP sessions are terminated by the PacketFence system. Based on the nodes current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with removal instructions for the particular infection he/she has.

  • 802.1X
    802.1X is supported through a FreeRADIUS [External] module.

  • Wireless integration
    PacketFence intregrates perfectly with wireless networks through a FreeRADIUS [External] module. This allows you to secure your wired and wireless networks the same way.

  • DHCP fingerprinting
    DHCP fingerprinting can be used to automatically register specific device types (eg. VoIP phones) and to disallow network access to other device types (eg. game consoles).