IT professionals sometimes deride network access control (NAC) as a technology that never really took off, but some researchers see signs that the technology is maturing and vendors are winning converts. However, enterprises are adopting NAC in ways that were never envisioned by the technology's pioneers.
"Contrary to some press reports that show that network access control is not catching on, we see NAC as maturing," said Lawrence Orans, research director at Stamford, Conn.-based Gartner Inc. "There's a lot of misinterpretation because NAC today isn't being used as many had anticipated. Five years ago, when we were still fresh off of Sasser and Blaster [worm scares], the common wisdom was that it would be used to quarantine devices that weren't compliant. If you were missing a patch, or your antvirus signatures were out of date, then you would be kept off the network. Cooler heads prevailed. We realized that is oftentimes not the best approach. It does more harm than good to keep someone off the network in most cases."
Instead, Orans said, enterprises are deploying NAC for specific network security applications, such as guest network services, endpoint baselining, and identity-aware networking, monitoring and containment.
Having recognized signs of increasing maturity in the NAC market, Gartner published its first Magic Quadrant assessment of NAC this spring. Gartner's Magic Quadrant assessment tools identify four categories of vendors in a market. Market leaders are vendors that score highly on both of Gartner's general evaluation criteria – ability to execute and completeness of vision. Companies that score highly only for their ability to execute are classified as challengers, while companies that score highly only for their completeness of vision are classified as visionaries. All other vendors are labeled niche players.
Gartner says that the NAC market grew by 51% in 2008, generating $221 million in revenue in 2008. Despite this growth, Orans said, there were more telling signs of the market's growing maturity.
"The thing we see that reflects the maturing [of NAC] is the nature of calls we get from our clients," he said. "People are serious about deploying NAC now, and the ones who have deployed it already – many of them are expanding the scale by adding more endpoints or increasing the scope by adding more functionality."
The Magic Quadrant for NAC reveals a crowded and diverse market that offers a variety of flavors and deployment models. While there remain many pure-play NAC vendors such as Bradford Networks, ForeScout and Info-Express, vendors in adjacent markets are also moving into the NAC space.
In fact, the three leaders in the Magic Quadrant are companies that are not known primarily for their NAC offerings: Cisco Systems, Juniper Networks and Symantec.
Orans said that this reflects the fact that many different kinds of companies are starting to offer NAC functionality. In addition to the NAC specialists, many infrastructure vendors are offering NAC products – not only Cisco and Juniper but also Aruba, Nortel, Enterasys and 3Com. Endpoint protection vendors such as Symantec, Sophos and McAfee have also gotten into the game, as have network security vendors such as StillSecure and Insightix.
Microsoft was excluded from the Magic Quadrant despite Network Access Protection, the NAC functionality built into its operating systems. According to the Gartner Magic Quadrant report, Microsoft was excluded because it requires operating system upgrades in order to work. No other NAC vendors have this requirement, the report says.
Gartner recommends that enterprises which are interested in NAC should look at their existing installed vendors to see whether any of them offer a suitable NAC product. If not, these companies should consider looking at NAC specialists.
Adopting NAC from an incumbent vendor means that an enterprise will have one fewer vendor to manage, Orans said. "Some endpoint protection providers have integrated the NAC console with their existing antivirus or endpoint protection console, so not only is it about fewer vendors, but it can also be about fewer consoles and less management infrastructure as well."
Increasingly, NAC functionality is going to be embedded in other products, but despite the draw of going with a familiar vendor like Cisco or Symantec, Gartner points to the ongoing success of the pure-play NAC vendors as well. Three vendors have announced new rounds of venture capital funding in the last year or so: Bradford Networks raised $8 million, ConSentry Networks raised $9.4 million, and ForeScout raised $8 million.
"What NAC is all about is establishing policies for controlling which devices and -- in the future -- which users can gain access to a network," Orans said. "There is going to be more focus on helping answer the question: 'Who are you and what are you doing on my network?' "
The vendors that best answer this question, whether Cisco, Symantec or ConSentry, will enjoy continued success in the NAC market.
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor