After years of inertia, the market for network access control (NAC) solutions is in the midst of a genuine revival....
Mobility -- or rather the increase of employee-owned devices on enterprise networks -- is driving a new level of demand for NAC solutions.
These solutions employ a number of different mobile access control mechanisms, including authentication, access control enforcement and endpoint security. But generally, NAC solutions differ depending on a vendor’s particular strengths and focus. Today, there are several categories of NAC solution suppliers. These include network switching and routing providers, security companies that offer NAC technology either as standalone products or as part of a broader suite, and pure-play vendors that specialize in the technology.
Each vendor has its own bias about the best route to protecting the network from unknown and unwanted elements while still enabling mobility. In this NAC vendor comparison, SearchNetworking.com takes a closer look at how some of the top suppliers are approaching the NAC challenge in a Bring your own Device (BYOD) world. Findings show some dramatically different strategies as well as some similarities between vendors.
Five NAC solutions that enable mobility
Aruba Networks acquired Avenda Systems in November 2011, picking up the company’s eTIPS policy decision point (PDP), which sanctions or restricts access from devices to the network. Billed as an identity-aware NAC solution, eTIPS uses RADIUS and other protocols such as SNMP, SSH or TACACS, to direct routers and switches on how much access a device should be given. Access is based on enterprise policies with respect to the security configuration requirements for the device, as well as the role of the user trying to access the network. The solution consolidates management, monitoring and reporting within one central interface to handle authentication and authorization rights.
eTIPS taps into identity information from multiple data stores including Active Directory, LDAP and SQL. eTIPS then puts that information into context using data on characteristics such as location, date, time, and authentication type. The solution uses an agentless approach to assess the security state of the accessing device with regard to anti-virus, anti-spyware, firewall and other protections. The technology is particularly strong in multi-vendor environments, working with both wireline and wireless equipment from a host of vendors including Cisco, Enterasys and Juniper. eTIPS also communicates with a lengthy list of both managed and unmanaged devices which extend beyond conventional mobile devices to include manufacturing equipment, medical devices and cameras.
More on securing mobile devices and NAC solutions
Mobile device security best practices for BYOD
Video: Don Bailey on mobile device threats and device security policy
Enterprise mobile device and smartphone security best practices
Using NAC for smartphone security on a wireless LAN
Given the recent nature of the acquisition, clients can expect some integration work to come in the future. However, the technology should fit nicely into Aruba’s portfolio as a good complement to its wireless gear.
Cisco Systems’ agent-based Identity Services Engine (ISE) comes in two versions: a basic solution which provides 802.1x-based authentication and enforcement, and an advanced edition that checks device compliance with respect to patching, anti-virus and other corporate security configuration requirements. Cisco ISE routes traffic based on assigned user role, group, job location and authentication results.
The Radius-based appliance, which works with both Cisco and non-Cisco gear, can marshal traffic into a limited access guest zone, which is ideal in a BYOD environment. Cisco uses a subscription-based pricing model for the ISE solution which, in this case, may actually not be as cost-effective in the long-run when compared to a more traditional CapEx scheme.
ForeScout Technologies' CounterACT platform combines NAC with threat prevention and endpoint protection to provide large enterprises with a multi-faceted solution that works with a diverse device set. Using a single appliance and an agentless approach to reduce deployment time and work with more endpoints readily, the pure play security vendor targets the BYOD set in particular with features such as guest networking to allow contractor devices and other unmanaged endpoints limited access to resources. CounterACT can control access using a variety of methods including Port Disable, VLAN control, VPN disconnect, Access Control List (ACL) block at the networking device, wireless allow/deny, and quarantine, until remediation takes place.
Though ForeScout is a relatively small company, the vendor has thus far been successful in penetrating some big accounts. The agentless nature of its solution holds particular appeal for very dynamic, large enterprises that want to deploy a NAC solution quickly.
Juniper Networks’ agentless NAC solutions encompass several gateway appliances, each targeted toward mid-size, large and government clients with very specific compliance and scale requirements. Branded under the Unified Access Control (UAC) name, the Juniper products authenticate guest users and direct traffic across both wireless and wired networks, based on corporate policies around the user’s role and the device’s security profile. The UAC appliance facilitates Layer 2 bridge access to the corporate network, supplying the endpoint device with an enterprise-issued IP address. Juniper’s UAC appliances work with Apple devices including iPads and iPhones, courtesy of the Junos Apple iOS client. Since the UAC appliances are standards-based, they are a good fit for heterogeneous network environments. The UAC appliance is also very scalable, managing access for up to 200 users from one device.
McAfee supplies NAC both as a discrete product and as part of its endpoint protection suite, which also includes compliance auditing and endpoint security. Through specialized software, McAfee NAC products also work with McAfee’s IPS appliances. This allows those products to permit or deny entry to a device through the IPS based on corporate security mandates. The McAfee solution handles unmanaged devices through a secure guest access portal, which can then verify the equipment’s security posture to determine if it should be routed to requested resources, or quarantined until the device’s configuration can be updated.