Clear Choice Test: NAC
Network-access control is a buzzword of epic proportion. And as is the case with much of larger-than-life industry vernacular, products with even the slightest aspect of access control are being pitched by their makers as integral components of the NAC fray.
In April, we assessed the role that more than 30 NAC products play in the larger NAC schemes defined by Cisco's Network Admission Control (CNAC) initiative or the Trusted Network Connect (TNC) working group of the Trusted Computing Group (see "What can NAC do for you now?").
We found that the basic functions of NAC can be carried out within CNAC or TNC, but not all IT shops have the time, inclination, network infrastructure or resources to deploy a full-blown NAC framework.
Enter the all-in-one approach to NAC -- single products that provide authentication and authorization, endpoint-security assessment, NAC policy enforcement and overall management.
We tested 13 products from Bradford Networks, Check Point Software, Cisco, ConSentry Networks, ForeScout Technologies, InfoExpress, Juniper Networks, Lockdown Networks, McAfee, StillSecure, Symantec, Trend Micro and Vernier Networks.
To ensure continuity between our previous assessment of NAC architectures and these all-in-one NAC products, our testing was based on the same methodology. Authentication and authorization testing homed in on the options available for connecting to the network physically, the authentication options supported and how each product handles authorization.
While deploying NAC in an environment with standard 802.1X authentication was a focal point of our NAC-architecture testing, in this round we deployed products using other authentication options -- for example, facilitating inline monitoring, controlling an installed network switch and acting as the access-layer switch itself -- because many organizations will want to deploy NAC before they can do so using the 802.1X standard. All the vendors tested offer at least one alternative approach, so the good news is that there is no shortage of options.
Our environmental-information evaluation -- sometimes referred to as an endpoint-security assessment -- looked at how effectively each product gathers pertinent information from endpoints. The details collected range from general machine information to specific security settings, and all are used to enforce policy decisions.
The enforcement piece of this test evaluated the options available for handling offending systems once assessment is complete and the applicable policy identified. The final management section looked at the tools available for keeping the whole NAC system running, including defining new policies, receiving alerts and reporting, all within an accessible and usable interface (see the full test methodology for guidance on testing these NAC products in your own environment).
The good news is that these products consistently functioned as advertised. Pretty much across the board, they identified, authorized (or blocked, as required) and helped remediate failed systems as their makers said they would. However, they carried out these measures in different ways and to varying degrees, so to help determine which product is the best fit for you, you'll need to have a clear understanding of which areas covered by these NAC products are the most critical for your own environment (see "6 tips for selecting the right all-in-one NAC product").
Symantec came out on top as the best all-around all-in-one NAC product. Although other products performed better in single categories, we found that Symantec's Network Access Control provided the most solid NAC functions across the board. ForeScout, Lockdown and Juniper rounded out the top finishers.
Comments (9)
RE: NAC alternatives hit the mark
By Mikal Saboor on July 30, 2007, 4:26 pm
Having been a long-term employee at Sygate, I think your article really hit the mark. This is the type of conversations I have been having with customers for the past...

re: NAC alternatives hit the mark
By Aaron on August 1, 2007, 1:28 pm
Not to discount this article, but just as another point of reference, here's a link to a recent Gartner MarketScope document on NAC where they provide their perspective...

re: NAC alternatives and Gartner
By Joel Snyder on August 1, 2007, 4:29 pm
I'm not sure that Gartner has anything to say about products (although many IT managers have been deceived by them in the past). Gartner doesn't actually test products,...

you are 100% right. I'm in
By Ayed Qarta on August 2, 2007, 1:54 am
You are 100% right. I'm in Kuwait, and a lot of people here think about Gartner's-mind-poisoning-reports as a way to convince others to buy their products. I always...

All the solutions using 802.1x could have benefited from the TPM
By STEVEN SPRAGUE on August 2, 2007, 9:52 pm
To all, Trusted Platform Modules have two roles in the NAC world. The one most discussed is the use of the TPM for Platform Trust Services as part of TNC but...

The truth about NAC with Joel Snyder
By Micronet on August 3, 2007, 2:15 pm
See Microsoft Subnet for more Microsoft-related news, blogs, security alerts, technical group. Network World will be hosting a live chat with security guru Joel...