Comparing the best network access control products

Expert Rob Shapland takes a look at the best network access control products on the market today and examines the features and capabilities that distinguish the top vendors in this space.

The need for organizations to have greater control over their network perimeter, especially in the age of BYOD, means network access control is demonstrating a distinct upturn in its fortunes compared to when it was first introduced to the market. Today, network access control fills an important security role of automating the type of access a new device requires, providing granular control over what resources can be accessed. This role was previously filled by IT security staff, but without automation, that can be time-consuming and can lead to mistakes.

When an organization is looking for the best network access control product for its needs, there are several factors to consider. Not all products fit all types of organizations,  however, with some more targeted at larger firms -- with the associated cost -- while others are more targeted toward smaller businesses that do not need to support a large number of new devices of varying types. This article reviews the best network access control products available today. For the purposes of this article, we considered the following leading vendors: ForeScout Technologies, Bradford Networks, Cisco, Aruba Networks, Trustwave, Extreme Networks and Pulse Secure.

Device support

The key criterion to consider when it comes to device support is agent-based versus agentless network access control (NAC). NAC agents supply detailed information on connected devices, allowing policies to be accurately applied. This can include restricting devices that do not have up-to-date antivirus or that have prohibited applications installed. However, agents rely on these devices being enrolled in the NAC system. NAC agents can be further divided into persistent and dissolvable -- persistent agents are installed on the target device, whereas dissolvable agents provide one-time authentication of the device, and are then deleted.

Agentless NAC products give greater flexibility in terms of identifying any type of device that is connected to the network and applying the suitable policies. This can either be implemented through Active Directory -- through which the agentless NAC code assesses the device when a user joins the domain -- or by integrating it with other security products, such as intrusion prevention systems or network behavior analysis. The ideal product combines agents and agentless systems, defaulting to the agent report when available, and using the agentless solution as a fallback. This provides the greatest combination of accuracy and flexibility, a key requirement in a large network that needs to handle many different device types, such as BYOD.

NAC technology fills an important security role of automating the type of access that a new device requires.

Cisco is one of the top two players in the NAC market, mostly due to its market share in the network infrastructure space. In many cases, organizations find it simpler to roll out NAC products from the same manufacturer rather than go through their procurement process with another provider. Cisco's Clean Access product is capable of identifying devices using agentless methods, but is best deployed on a network already heavily invested in other Cisco products. If your network infrastructure uses different manufacturers, there are other NAC systems that may be better suited or less expensive.

The other top player in the NAC market is ForeScout CounterACT, a highly flexible product that offers good agentless detection of new devices joining the network. This allows it to identify a large number of device types and apply policies based on these. In terms of device detection and support, ForeScout provides an excellent solution.

Bradford Networks products are flexible in terms of device support, and allow for both persistent and dissolvable agents, as well as agentless NAC implemented at the Active Directory level, or in combination with security devices.

Slightly less flexible in this area are Aruba and Trustwave. Aruba is a key player in the wireless market, and its NAC product is therefore very good for BYOD, but can also be used for wired networks. The Aruba NAC product provides a number of different options for provisioning of services once devices connect, though it doesn't support true agentless implementation. Trustwave offer agentless and dissolvable agent products.

Integration

Ensuring that a chosen NAC system integrates with existing systems is one of the most important factors in choosing a suitable product. Many organizations have already invested heavily in products such as MDM, SIEM, vulnerability assessment, endpoint security and next-generation firewalls. NAC products will be less effective if they cannot integrate with these other security solutions. Before investigating in NAC systems, make a list of all the existing systems on your network that it would need to integrate with, and filter your search appropriately.

In terms of integration, the current winner appears to be ForeScout's CounterACT, with excellent partnerships with key players that sell various synergistic security products. It integrates with all the key vulnerability management tools, and provides support for most SIEM products that use standard messaging formats. There are also integrations with MDM and advanced threat detection products.

Another clear winner in this area is Bradford Networks' Network Sentry. The company has made it one of its policies to provide integration with as many products as possible -- its list of supported integrations is extensive, and include the major manufacturers. However, the downside is that many of these integration features add additional costs, which makes it one of the more expensive options. The other providers all have various different integrations, but none quite as extensive as the aforementioned two.

Regulatory compliance

NAC vendors are increasingly positioning themselves as great solutions for regulatory compliance with standards such as PCI DSS, ISO 27002 and NIST. Correctly implemented, NAC can help achieve compliance with these standards, but some vendors have better positioned themselves to do so more easily. The best in this area are Bradford Networks, Extreme Networks and ForeScout, all of which offer advice on how its products can be used for compliance.

ForeScout is particularly strong in this area through its Compliance Platform. This offers specific policies and reporting for compliance, including PCI DSS, SOX and HIPAA.

Support

Once your organization has chosen a NAC product, the next step is implementing and supporting it. For NAC to be effective, it needs to be managed by dedicated staff, or at least be made part of a staff member's responsibilities. It's important to consider what support is offered by the individual provider, and if that support is offered in your geographical location.

Support varies across the board in terms of costs and levels. In all cases, detailed technical support is an added extra that can considerably increase the cost of implementation. NAC products also have an end-of-life policy where the vendor stops supporting them, so the cost and frequency of upgrading the system will need to be considered.

Bradford Networks, for example, offers different levels of support with different costs. However, this support is primarily U.S.-centric, and therefore customers in other locations do not have access to the same level of support. Before investing in its product it would be prudent to assess its partners' ability to provide support. ForeScout also offers two levels of support, both of which come at a premium.

Evaluating the best network access control products

ForeScout is a good NAC product for large organizations with a similarly large budget, as it supports the most variety of devices and compliance modules. However, the integrations offered through its ControlFabric architecture -- such as SIEM integration -- often come as additional extras, and the product can cost significantly more than anticipated. Bradford Networks also offers a very versatile product, with excellent integrations and compliance support, but is limited in its ability to operate outside of the U.S. Cisco's product is primarily aimed at organizations that have invested in its hardware. The same is true of Pulse Secure's Policy Manager.

Next Steps

In part one of this series, learn about the basics of network access control in the enterprise

In part two of this series, read more on the business cases for NAC products

In part three of this series, discover the five questions to ask before buying NAC products

Dig Deeper on Network security

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close