Despite the fact that network access control hasn't yet lived up to its initial promise, NAC is very much alive, as evidenced by the fact that 12 vendors participated in our NAC test, including industry leaders Microsoft, HP, Juniper, McAfee, Symantec and Alcatel-Lucent.
Despite the fact that network access control hasn't yet lived up to its initial promise, network access control is very much alive, as evidenced by the fact that 12 vendors participated in our network access control test, including industry leaders Microsoft, HP, Juniper, McAfee, Symantec and Alcatel-Lucent.
We tested each product on the key pieces of any full-strength network access control solution: authentication, access control enforcement and end-point security posture checking. We found 12 great products that were so different in the way they accomplished network access control that it was impossible to do a head-to-head comparison.
We did find products that fell into similar buckets. For example, if you were thinking of buying ForeScout CounterACT, you should also be looking at Trustwave NAC. If you were considering Avenda eTIPS, you definitely want to take a look at Juniper UAC.
Other products worked best if you already have that vendor's gear. HP ProCurve Identity Driven Manager is a great solution — but it really only works well in an HP environment. If you already have Symantec Endpoint Protection suite, you'll find its network access control solution a fantastic complement. Same with McAfee.
If you're looking for products not tied to specific hardware, the list includes Avenda eTIPS, Bradford Network Sentry, ForeScout CounterACT, Microsoft NAP and Trustwave NAC.
And you could certainly make good use of Juniper UAC or Enterasys NAC without any Juniper or Enterasys equipment in your network. Even Cisco's NAC Appliance and Alcatel-Lucent's Safe NAC could work with non-Cisco and non-Alcatel-Lucent switches.
We don't have a final answer on network access control. The product lines are growing and maturing, and many of the hard parts of network access control are moving into infrastructure, including switches, routers, and user operating systems.
But you will always need other pieces to make your network access control solution complete — end-point device profiling, policy management systems, and captive portals are all important parts of a network access control solution that you won't find built into your favorite switch or operating system.
But network access control is beginning to move away from a product and into a technology that you enable within your network, much like other advanced technologies, such as dynamic routing protocols or QoS enforcement.
To help you determine which network access control product is right for you, we sliced and diced our test results two ways – by product and by feature.
And although we don't have a traditional scorecard, we do we have some favorites. Since we're looking at network access control from a security point of view, approaches that leverage 802.1X well seem like good solutions to us. That puts Avenda eTIPS, Enterasys NAC and Juniper UAC on our short list. HP ProCurve Identity Driven Manager is in the same category, but will really only be interesting to HP shops.
Microsoft NAP, which leverages the client built-in to Windows, is an obvious winner, as is any solution that lets us build on what we get for free from Microsoft.
Some products seem to be still trying to figure out what they want to be and how they want to operate, such as the Alcatel-Lucent/InfoExpress alliance and Cisco NAC Appliance. That doesn't mean they don't work, but you should be prepared for change if you go down either of those paths.
Bradford Network Sentry, the grand old man of the network access control business, certainly worked fine in our testing, but at a level of complexity that will be overkill for many well-structured networks. However, if you have complex problems, they have solutions where many other vendors can't even get started.
Some products seem like they need a bit of time to settle down and work out a few kinks, like McAfee's N-450 NAC Appliance. We have doubts about the scalability and approach taken in ForeScout CounterACT and Trustwave NAC. These products might be better suited to branch offices and small networks. (Click on drop-down menu above to see product-by-product breakdowns.)
Snyder is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.