The network access control market is highly competitive, and potential buyers have a number of options. This means it can be difficult to differentiate between the products and choose a vendor most suited to an organization's network and requirements.
Vendors offer different integrations with third-party products and different specializations; some are suited to specific networks with existing infrastructure from one vendor, while others are better suited to networks with myriad devices. NAC buying options can be broadly categorized into two areas: pure play NAC vendors, who offer NAC as their main product, and infrastructure vendors, who offer it as a support product to their existing network infrastructure platforms.
Pure play NAC vendors
Forescout Technologies Inc.
Designed for users with a network that uses technologies from multiple vendors, Forescout Technologies falls under pure play NAC vendors, and its CounterAct NAC system offers a wide range of integrations. These include SIEM, enterprise mobility management (EMM), vulnerability management, advanced threat detection and integration with vulnerability assessment tools. However, EMM, next-generation firewalls (NGFWs), advanced threat detection and vulnerability management are delivered via CounterAct's Extended Module, which incurs additional cost.
Forescout CounterAct systems can be deployed as either physical or virtual appliances, and these are managed by a central console known as CounterAct Enterprise Manager, capable of handling up to 1 million devices. It also offers guest integration. Guests are automatically segmented into a quarantined virtual LAN (VLAN), and then can access the internet through self-registration. Employees and contractors using their own devices can gain network access using their Active Directory credentials, and the system can granularly control the level of access based on policies.
CounterAct offers the capability to secure a modern network without a tangible perimeter, using an agentless approach to allow assessment and categorization of internet of things (IoT) and BYOD devices, as well as the standard devices such as servers, workstations and printers. Devices that are not compliant with predefined policies can be handled in a number of different ways, such as informing the user about the issue or enforcing an installation of patches or antivirus updates or even completely disallowing access if desired. CounterAct also provides policies and reporting for compliance with various standards, such as PCI DSS and HIPAA.
Bradford Networks, another NAC vendor, offers Network Sentry, a product that was is considered one of the original pure play NAC systems. Using Remote Authentication Dial-In User Service (RADIUS)-based authentication, Network Sentry is offered via hardware, virtual appliance or cloud-based service. The product is split into three offerings:
- Secure Enterprise Advanced offers the standard NAC suite of tools -- secure provisioning of network access based on defined policies, guest integration and visibility into every device connected to the network.
- Secure Enterprise Professional adds integration with firewalls and threat detection tools to centralize management of alerts and reporting.
- Secure Enterprise Response combines the two previous modules to provide reports on threats using contextual information gathered from each device.
Network Sentry is strong on integration and has one of the most comprehensive lists of third-party products. It interfaces with these popular EMM, endpoint protection, vulnerability assessment, and management and network infrastructure products via its SmartEdge integration service.
Bradford Networks sees Network Sentry, marketed as a Security Automation and Orchestration platform, as the next evolution of NAC to address the needs of IoT and BYOD, though in practice this is similar to what other vendors are offering in that space.
Pulse Secure LLC
The Pulse Policy Secure NAC tool is another product that is suited to a network that uses devices from multiple vendors, though it does have its best integrations with the Juniper line of products, since the system is based on technology acquired from Juniper Pulse.
Similar to Forescout's CounterAct, Pulse Policy Secure uses an agentless approach to scan and identify new devices, and quarantines them as required, based on policies defined by the administrator. It also supports guest integration. The current version of the product, 5.3R5, offers more compliance options and support for Hyper-V. Pulse has, however, been attempting to expand its options in terms of supporting many different types of devices, so you can get the most from the product you want. This product is also marketed as IoT- and BYOD-focused.
Auconet Business Infrastructure Control Solution is another product best suited to heterogeneous network environments, and is able to enforce authentication via Layer-2 MAC and via 802.1x. This also means it is able to manage not only IoT and BYOD, but also supervisory control and data acquisition-based networks, a capability that Auconet noted differentiates its product from competitors.
It is well-suited to large networks, using an agentless approach to scan and identify many different types of devices. Managed by a central GUI, it can be deployed as a hardware appliance, virtual machine or SaaS.
It is also geared toward managing large-scale, multi-tenancy deployments, such as those used by managed security service providers. Guest access is managed by a captive portal, which then directs unrecognized devices to a specific VLAN, keeping data on the main corporate network separate.
Infrastructure NAC vendors
Cisco's Identity Service Engine (ISE) product is ideal for a network already built on Cisco infrastructure. Many of the system's features require information that can be provided only by Cisco's infrastructure devices, such as routers and switches, although it can also be deployed in heterogeneous networks. The product can be deployed via either hardware or a virtual appliance. ISE's integrations are delivered via its Platform Exchange Grid system, which allows it to interact with firewalls, threat detection and other products.
Device detection and categorization are done via an agentless tool, or via its optional NAC agent that is delivered along with its AnyConnect software -- used for remote network access. Guest access is delivered via a self-registration portal.
Extreme Networks Inc.
Extreme Networks offers its ExtremeControl NAC manager product primarily for networks with Extreme hardware, but it can also work in a heterogeneous environment. The product allows greater control of quarantined devices when using Extreme switches. It can be deployed as either hardware or a virtual appliance -- known as Identity and Access Solution, which is a RADIUS-based tool. It does not offer assessment of the security profile of devices, but is available as an added extra either as an agent-based or agentless deployment.
The product offers standard guest integration services, including a self-registration portal. The Extreme Connect API offers integration with a selection of different third parties, such as AirWatch and MobileIron for mobile device management (MDM). Compliance with various standards is delivered via the Information Governance Engine as an add-on module. Extreme also recently acquired Zebra's Access Control product, incorporating its wireless capabilities into the NAC product.
Extreme Networks is also focusing its NAC product on BYOD and IoT (particularly industrial), and sees this as the next major evolution in NAC.
Hewlett Packard Enterprise (HPE) Aruba Networks
Hewlett-Packard, now HPE, acquired Aruba Networks in 2015, including its NAC product ClearPass Policy Manager. The platform is suited to networks running HPE and Aruba hardware, though its recent targeting of the BYOD and IoT market makes it a possible choice for heterogeneous networks as well.
ClearPass is available as either hardware or a virtual appliance and offers the standard suite of NAC utilities.
Guest provisioning is done via ClearPass Guest, device integration by ClearPass Onboard and the assessment of connected devices for threats is via ClearPass OnGuard. Integrations, managed by ClearPass Exchange, include the standard list of MDM, EMM, next-gen firewalls and SIEM.
HPE Aruba offers a stand-alone tool called ClearPass Universal Profiler for organizations that do not want or need a full NAC package. The Universal Profiler is specifically designed to meet the challenges of profiling BYOD and IoT devices. It is a cut-down version of the main ClearPass Policy Manager product, offered via a virtual appliance, and designed to be up-and-running quickly.
The system uses a dashboard to allow the status of all connected devices to be visible, categorized by type of device. It also offers a migration path to the full ClearPass Policy Manager product. This would be particularly useful for organizations that deploy a large number of IoT devices, such as in manufacturing.
Since 2015, the main change in the NAC market has been a heavy focus on management of both IoT and BYOD, with NAC vendors pitching their products as a way of managing and providing network access to these devices in a controlled manner. However, it's easy to lose track of what devices are connected to the network.
NAC vendors help by offering the latest NAC products that provide visibility into connected devices of all types and then allow granular control of their level of network access. They also offer integrations with other mainstream security products, such as MDM, EMM, SIEM and NGFW. It is important to understand what other products you need to integrate with before choosing a particular NAC vendor.