When ConSentry Networks quietly went out of business last month the field of independent network access control (NAC) vendors shrank yet again and
Indeed, why should you invest in an independent NAC vendor when providers like Cisco Systems and Juniper Networks are writing NAC capabilities directly into their network infrastructure, and endpoint security vendors like Symantec and McAfee are writing it into their desktop protection products?
Some organizations make the investment in order to have more than one line of network defense.
"I think you've got to have different layers of defense and backup that support each other because it enhances all your defenses. If you put it on one appliance and that goes down, boom! You don't have any defense because it's all in one box," said Todd Frazier, systems administrator for Culpeper County Government in Virginia.
Culpeper County uses a NAC appliance from independent vendor ForeScout Technologies to manage access and monitor for rogue access points. Initially it looked at Aruba Networks for rogue access point protection, but that solution involved buying wireless LAN infrastructure. Frazier said the county wasn't interested in moving into wireless LAN.
The county also looked at infrastructure vendors like Cisco, but the implementation was too complex. An independent NAC vendor with a single appliance seemed a simpler approach.
"Overall [ForeScout] was a device that did not require a forklift upgrade of all our switches," said Anthony Soucek, Culpeper County's network administrator. "Every new piece of equipment is a battle with the board of supervisors, so it had to work with our existing infrastructure. It fit in with Microsoft very well and it works with all our existing Cisco switches."
Which NAC appliance vendors will remain standing?
As the market shrinks, a few independent NAC vendors will clearly remain to serve the small group of enterprises that opt for third-party providers, said John Pescatore, vice president and distinguished analyst for Gartner.
"One of the biggest verticals that does independent NAC is college and university campuses," he said. "They have a really heterogeneous environment. They're not just Cisco. They're not just Windows. They can't dictate Symantec on every student's desktop. Any heterogeneous environment like that is going to go with an independent NAC vendor."
High-security enterprises, such as government agencies and financial services companies, also remain interested in independent network access control vendors because they have a strong division between their network operations teams and their information security teams, Pescatore added.
"These are companies where typically over the years they have not used security capabilities that are built into their infrastructure because they like to have a strong separation between their operational system and their security controls. Otherwise, what happens is whoever administers the operational systems can accidentally or on purpose turn off some security controls," Pescatore said.
Ultimately, though, the number of organizations seeking independent players will shrink, especially as it becomes less clear which vendors will survive and who to invest in.
"2010 is the year when growth in the overall NAC market will flatten because of all the people who can just use their infrastructure vendor or their endpoint protection vendor," said Pescatore. "When you look at NAC, it's like any other market. If there's 17 vendors, that's too many, and if there's zero that's too few. Three or four independent NAC vendors are enough to deal with that market."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor