Symantec Network Access Control, like most similar offerings, uses a server-and-agent architecture in which an agent is installed on each endpoint on the network and administrators handle policy creation and enforcement from a central console. When a protected device connects to the network, the agent performs a series of integrity checks on it to determine whether it is complies with corporate policy. Readers gave the product high marks for its enforcement options, ability to integrate with the existing infrastructure, as well as its logging and reporting capabilities.

Administrators can design policies that require certain patch levels, antivirus signature versions and personal firewall settings before access is granted. Symantec Network Access Control also ships with some canned policy templates. If a device is found to be noncompliant, the system can bring the machine into compliance by applying required patches or other protections before allowing it full access to the corporate network.

Symantec NAC also has the ability to enforce policy on machines even when they're not connected to the network. And when an unknown device attempts to connect to the network via an SSL VPN, Web application or wireless switch, the system can install an on-demand agent to ensure the machine is within the accepted policy. Symantec NAC also includes support for 802.1x authentication over wired and wireless networks, as well as DHCP for LANs and wireless LANs. Interestingly, Symantec also has included support for Cisco's Network Admission Control agent.

The Symantec system gives customers the flexibility to use either a software and hardware approach or go with software only. The hybrid option requires the Symantec Sygate Policy Manager software and the Symantec Enforcer appliance, a 1U rack-mountable box that runs on a hardened version of Red Hat Linux ES 3.