Open source vs. commercial network access control (NAC) products

There are now a number of free and open source network access control (NAC) products, but how do they stack up against the commercial options? Network professional Mike Chapple reviews the free alternatives, but also warns readers that a "stepping stone" approach to NAC may be a mistake for an enterprise.

There are now a number of free and open source network access control (NAC) products available. How do they typically differ from what would be offered in a commercial product? Should companies use them to get a sense of whether they would benefit from buying a commercial product?

There's nothing wrong with open source products. However, I'd be wary about using them as a stepping-stone product choice.

First, let's look at open source products and how they differ from their commercial counterparts. There are two major players in the open source NAC market right now: PacketFence's Zero Effort NAC (ZEN) and Swisscom's FreeNAC. Both of these products have rapidly growing feature sets and appeal to those trying to implement NAC on a shoestring budget. They offer enterprise-class features, such as integration with Active Directory, virtual machine support and reporting/monitoring. What they don't offer is the slick user interfaces and advanced support available from a commercial vendor. They do offer some limited integration with products like McAfee Inc.'s ePO, but neither product boasts the wide range of third-party vendor support available from a commercial product.

Both Zero Effort NAC and FreeNAC have professional support available, but it's not free. PacketFence will provide a quote if you want non-standard support or product customization, while FreeNAC requires that you purchase its enterprise edition, which begins at $5,000, along with Gold Support at $8-$12 per device per year.

Second, you should think carefully about whether a "stepping stone" approach is really in your best interests. Deploying NAC is a resource-intensive process that often requires a high degree of user involvement. Are you willing to go through that twice? If you feel that NAC is appropriate for your environment, you'd probably be better off carefully selecting the right product (rather than a "starter" product) and deploying it in a careful, methodical manner. If you want to float a trial balloon, I'd suggest considering a small-scale pilot with a carefully defined group of users.


This was last published in January 2008
