Network Access Control 2014

Market Definition/Description

The BYOD phenomenon continues to be the primary driver for the adoption of network access control (NAC). Without NAC policies, corporate BYOD programs allow unchecked network access by a wide array of personally owned devices, thereby increasing security risk and the likelihood of network instability. To gain more visibility into the configuration of mobile devices, many organizations are integrating their enterprise mobility management (EMM) solutions with their NAC solutions. This is an important trend, and it enables network managers to enforce policies such as blocking devices (or limiting their network access) that are missing EMM agents. There is a wide discrepancy in the market between vendors that support multiple EMM partners (several support seven or more) and those that only support one or two. The ability to give customers choices for integrating with multiple EMM systems was an important factor this year in calculating Completeness of Vision scores.

Another important NAC trend is the integration with other security components, such as next-generation firewalls, advanced threat defense (ATD) solutions and security information and event management (SIEM) solutions. Forward-thinking NAC vendors have positioned their solutions as "warehouses of context" to share contextual information with third-party security components. For example, NAC systems can send user identification to a firewall so that it can apply fine-grained policies based on this information. Contextual information can also be shared with SIEMs, sandboxes and other ATD solutions, where it is mapped to an IP address to provide context for security operations teams that are responding to alerts. Some enterprises use NAC to automatically remove endpoints from the network in response to alerts from ATD systems. This use case is limited to highly security-conscious organizations. Integrating with network and security solutions is not a primary driver for adopting NAC, but enterprises are progressively implementing these integrations after the initial rollout of NAC.

Magic Quadrant

Figure 1. Magic Quadrant for Network Access Control

Source: Gartner (December 2014)

Vendor Strengths and Cautions

Aruba Networks

Aruba Networks, based in Sunnyvale, California, sells its ClearPass Access Management offering. It is a Remote Authentication Dial-In User Service (RADIUS)-based solution that is available in a family of hardware and virtual appliances. Aruba's customers should consider ClearPass.

Strengths

    • ClearPass provides integration capabilities through the ClearPass Exchange API promoting contextual sharing integration with third-party security solutions. Examples include SIEM, EMM and next-generation firewalls.

    • Aruba has a strong BYOD strategy. It integrates with AirWatch, MobileIron and several other EMM solutions.

    • The ClearPass Onboard module, which includes a certificate authority, supports more operating systems (seven) than any other onboarding module in the NAC market. In supporting Chrome OS and Ubuntu, ClearPass is a strong option for the education vertical.

    • ClearPass offers a strong guest network application. Granular policies allow employees to create Apple AirPrint and AirPlay and Google Chromecast dynamic policies for their guests. For example, printers and projectors can be shared with guests based on the time and location restrictions that are tied to that guest policy.

Cautions

    • In multivendor networks, ClearPass customers that have not implemented Aruba's Mobility Controllers lose advanced functionality, including Apple AirPlay visibility and support for Aruba's auto-sign-on feature.

    • Gartner rarely sees ClearPass in wired LAN environments. ClearPass sales are driven primarily by Aruba wireless customers.

Auconet

Auconet, a privately held company, moved its headquarters from Germany to the U.S. (San Francisco) in 2014. The research and development team is still based in Germany. Auconet has been delivering NAC solutions since 2005. It is deployed most commonly as an agentless solution, because its RADIUS-based policy server supports native 802.1X supplicants embedded in multiple operating systems. Its Business Infrastructure Control Solution (BICS) is available as a hardware appliance, virtual appliance and SaaS. Auconet also offers an optional permanent agent on Windows, Unix/Linux platforms and Mac OS. Organizations that need to apply NAC policies to industrial and supervisory control and data acquisition (SCADA) environments, or that would benefit from a multitenant NAC solution, should consider Auconet. Large enterprises should also consider Auconet. Historically, Auconet has targeted the European market. Organizations outside of Europe should verify Auconet's ability to provide service and support.

Strengths

    • BICS' support for large-scale multitenancy appeals to managed security service providers (MSSPs) that offer managed NAC services.

    • BICS enables NAC for industrial environments by implementing specific industrial protocols. For example, Siemens licenses BICS to help support SCADA environments that it manages.

    • Customer references consistently commented favorably on the solution's agentless approach and its ease of administration.

Cautions

    • Auconet's BYOD strategy is limited. At the time of this report, it had only integrated with Citrix and MobileIron EMM solutions. Integrations with third-party security solutions are limited. Auconet has not completed integrations with any firewall or advanced threat defense vendors.

    • Auconet has a limited geographic reach and only a small but growing presence in the U.S. Customers and prospects outside of Europe and Asia/Pacific may face challenges in obtaining presales and postsales support from the company.

Bradford Networks

Bradford Networks is a privately held company based in Boston, Massachusetts, that has been delivering NAC solutions since 2001. Its Network Sentry/NAC product is available in hardware appliances, in a virtual appliance and as a cloud service. The Network Sentry/RTR (Rapid Threat Response) is an additional application that shares contextual information about endpoints and provides tools for security analysts to respond to alerts from next-generation firewalls, advanced threat defense solutions and other security products (Network Sentry/RTR is sold separately). Network Sentry/RTR can also respond to alerts automatically by quarantining compromised endpoints. Consider Bradford Networks' NAC products for heterogeneous networks and wide mixes of endpoint devices.

Strengths

    • Bradford Networks has one of the broadest sets of integration partners in the NAC market. Network Sentry integrates with multiple solutions in each of the following categories: EMM, firewall, SIEM, advanced threat defense and other security solutions.

    • Bradford Networks partners with managed services providers (Windstream and DecisionOne) that offer the Network Sentry products as a cloud-based service.

    • Bradford Networks offers a unique cloud-based analytics service that helps its customers analyze trends about devices and users that connect to their networks. Customers use this information to develop network access policies and to plan for wireless LAN capacity.

    • Bradford has a strong presence in the education vertical. Network Sentry/NAC has several features (including device registration) and integrations (such as eduroam) that are important in education networks.

Cautions

    • The vast majority of Bradford Networks' customers are in North America. Prospective customers outside of North America should validate that its partners can provide an appropriate level of support in their respective regions.

    • Some reference customers requested improvements in the Network Sentry/NAC reporting capabilities. Bradford Networks claims these issues have been addressed in its 2014 reporting updates. Gartner clients are advised to validate these enhancements.

Cisco

Cisco is headquartered in San Jose, California. Its Identity Services Engine (ISE) policy server is RADIUS-based, which enables Cisco to support authentication in heterogeneous network infrastructure environments (although advanced NAC features will require Cisco components). ISE is available in hardware appliances and also as a virtual server. Cisco packages ISE software in several licensing options, including a mobility-only license. Cisco customers should consider ISE, especially when the Cisco AnyConnect endpoint client will be in use.

Strengths

    • Cisco has a strong BYOD strategy. ISE integrates with AirWatch, MobileIron and solutions from several other EMM vendors. Version 1.3 of ISE supports an optional onboarding module that includes a certificate authority. This feature simplifies BYOD implementations, since enterprises do not need to implement a third-party certificate authority.

    • ISE leverages technology that is embedded in Cisco network infrastructure components to provide unique benefits. For example, it uses endpoint profiling data collected from Cisco switches and wireless controllers, eliminating the need to deploy stand-alone profiling sensors. TrustSec enables granular identity-based policies on many Cisco LAN, WLAN and firewall products.

    • Cisco's pxGrid initiative enables network and security solutions to coordinate the sharing of contextual information (such as identity and location) through ISE. pxGrid also enables integrated technology partners to use ISE to execute mitigation actions in response to events. Early pxGrid partners include Splunk, Ping Identity, NetIQ, Tenable Network Security, Emulex and Bayshore Networks. Some Cisco Sourcefire products also support pxGrid.

    • ISE includes a strong guest administration module that is highly customizable.

Cautions

    • Cisco's status as a network security vendor is an obstacle when it comes to partnering with other network security vendors. For example, mainstream firewall vendors and third-party sandboxing vendors have not yet integrated with pxGrid.

    • ISE does not enforce advanced policies on Cisco Meraki wireless LAN access points (Meraki includes its own NAC functions). ISE is capable of enforcing basic authentication policies with Meraki.

    • Enterprises that are interested in implementing TrustSec's role-based identity policies should perform careful testing in a lab environment. Adoption of TrustSec has been slow, as some key Cisco products have only recently added TrustSec support (for example, TrustSec support for ASA Security Appliances was added in July 2014). With TrustSec deployments, network teams may encounter challenges typical of early adopters of new technology.

Extreme Networks

Extreme Networks, based in San Jose, California, acquired Enterasys in 2013 and began selling its NAC solution and the broader Enterasys security product portfolio. Extreme's NAC appliance and NetSight NAC management system are available as virtual appliances or hardware appliances. The primary use case for Extreme NAC is its wired and wireless customers, since they benefit from Extreme's integrated functionality. The solution can also support non-Extreme environments.

Strengths

    • Extreme's NAC solution integrates with multiple solutions in each of the following categories: firewall, SIEM, advanced threat defense and other security solutions.

    • Extreme has a good strategy for pursuing the K-12 environment. Its NAC solution integrates with secure Web gateway (SWG) vendors iboss Network Security and Lightspeed Systems, both of which target the K-12 vertical.

    • Extreme has a good BYOD strategy. Its Mobile IAM component integrates with AirWatch, MobileIron and several other EMM solutions.

    • Extreme's NAC solution integrates with several nonsecurity solutions, including OpenStack and Microsoft Lync. The Lync integration enables Extreme to apply dynamic policies per call (for example, prioritize voice traffic over the data network).

Cautions

    • Policy enforcement is inconsistent across Extreme switches and Enterasys switches. Policy controls are more granular with the Enterasys switches.

    • Extreme Networks suffers from limited brand awareness in the NAC market. Gartner clients rarely include Extreme on their shortlists when evaluating NAC vendors.

ForeScout Technologies

ForeScout Technologies is a privately held company based in Campbell, California, that sells the CounterACT family of hardware and virtual appliances. Although ForeScout offers optional agents, its clientless approach eases the support of Windows, OS X and Linux endpoints. ForeScout also offers a series of integration modules (for an additional fee) that share contextual information about endpoints. These tools enable security analysts to respond to alerts from next-generation firewalls, advanced threat defense solutions and other security products. The integration modules utilize ForeScout's ControlFabric API and enable CounterACT to respond to alerts automatically and initiate mitigation actions. At the time of this writing, the company has an interim CEO (as of June 2014). ForeScout should be considered for midsize and large NAC deployments.

Strengths

    • ForeScout has one of the broadest sets of integration partners in the NAC market. Using the ControlFabric series of APIs, CounterACT integrates with multiple solutions in the following categories: firewall, SIEM, advanced threat defense and other security solutions.

    • ForeScout has a strong BYOD strategy. In addition to supporting integrations with several EMM vendors, it also sells a ForeScout-branded EMM solution (an OEM of IBM's offering), and it offers the ForeScout Mobile Security Module. The latter is an "EMM-lite" solution that enforces device policies and reports health and configuration status back to the CounterACT appliance.

    • Users continue to cite ease of deployment, flexible enforcement methods and network visibility as primary selection criteria.

    • ForeScout has some of the largest active deployments of all vendors.

Cautions

    • Obtaining postadmission threat protection (an optional feature) in distributed environments requires CounterACT appliances at each remote location, which drives up the cost of deployment. ForeScout customers have the option of implementing CounterACT appliances in a centralized approach, which is less expensive but reduces ForeScout's threat protection functionality.

    • In its most commonly implemented approach, CounterACT is positioned on Switched Port Analyzer (SPAN) or "mirror" ports on core network switches. Network administrators need to ensure the availability of these ports in their networks.

Impulse Point

Based in Lakeland, Florida, and founded in 2004, Impulse Point continues its focus on the higher education and K-12 markets. Impulse Point delivers its flagship SafeConnect solution as a managed service, which includes system monitoring, problem determination and resolution, updates to device type, antivirus and OS profiling recognition, and remote backup of policy configuration data. All Impulse Point products can be implemented as a hardware or virtual appliance. Education institutions should consider Impulse.

Strengths

    • SafeConnect integrates with a wide range of EMM, SIEM, bandwidth management, firewall and advanced threat solutions via its Contextual Intelligence Publisher module. Integrations with iboss Network Security, Exinda and Procera Networks strengthen Impulse's ability to target the education vertical.

    • Feedback from Impulse Point customers continues to indicate that SafeConnect can be quickly implemented. Its optional Layer 3 approach to enforcement eliminates the need to test compatibility at Layer 2 (at the LAN switch level).

    • Impulse Point customers consistently point to the company's service and support as strengths.

Cautions

    • SafeConnect's dashboard console is not as customizable or flexible as some competing offerings.

    • SafeConnect's Layer 3-based enforcement technique does not meet the needs of most corporate environments. Customers have the option of using a new RADIUS-based 802.1X enforcement feature, although Impulse's RADIUS server is not as feature-rich as others in this market.

    • Impulse has been primarily targeting North American customers, and has only recently expanded into Europe. Customers and prospects outside of North America may face challenges obtaining presales and postsales support from the company.

InfoExpress

Founded in 1993, InfoExpress is a privately held company based in Mountain View, California, that is largely focused on the NAC market. Its CGX solution is available as a hardware appliance and a virtual appliance. Enterprises that need a scalable solution that doesn't require hardware at remote sites should consider InfoExpress.

Strengths

    • CGX correlates data from multiple sources (for example, InfoExpress endpoint agents, Syslogs, Nmap data and MobileIron) to enable more-granular NAC policies. By analyzing when devices change state, CGX can enforce the appropriate policy. For example, when a mobile device reported as stolen reappears on the network, CGX can quarantine the device.

    • InfoExpress offers endpoint agents for a wide variety of operating systems, including Windows, OS X, Apple iOS, Android and Linux.

    • InfoExpress does not require hardware at remote locations, due to its Dynamic NAC feature (an agent-based Address Resolution Protocol [ARP] enforcement solution).

Cautions

    • InfoExpress only integrates with one EMM vendor (MobileIron).

    • InfoExpress has limited integrations with third-party security components. For example, it does not share contextual data about network endpoints with third-party security components, such as firewalls, SIEM and advanced threat defense solutions.

    • InfoExpress' lack of marketing focus hampers its ability to differentiate its product and contributes to the company's low visibility among Gartner clients.

Portnox

Portnox moved its headquarters to the U.S. in 2014, and retained its research and development facilities in Israel. The company was founded in 2007 and is a pure-play NAC vendor. The Portnox solution is agentless and based on endpoint discovery. When a device connects to the network, Portnox checks the OS type and applies the appropriate policy to the network access point (LAN switch, WLAN controller or VPN gateway). Historically, the company has been focused on the EMEA region. Organizations that can tolerate the risk of a startup and that are within the geographic range of Portnox's service and support coverage should consider this vendor.

Strengths

    • Portnox has a good BYOD strategy. It integrates with AirWatch, MobileIron and several other EMM solutions.

    • Portnox integrates with a wide range of third-party firewall and advanced threat defense solutions.

    • The company's customers consistently report that the Portnox solution is easy to deploy and manage. It attaches to any LAN switch port and does not require a "mirror" or SPAN port.

    • Portnox can enforce NAC policies in a VMware environment. For example, it monitors and graphically represents the number of virtual machines (VMs) in use and enforces policies for these VMs by blocking or allowing access to virtual switches.

Cautions

    • To achieve the maximum benefits of Portnox at remote locations, the vendor suggests deployment of its Knoxer software (free of charge) at each location. Without Knoxer, the process of isolating and remediating endpoints may be inconsistent, as it will vary according to the infrastructure at the remote location.

    • Customization of Portnox may be required to enable special-purpose endpoints, such as security cameras or videoconferencing systems, to gain network access. Because endpoint discovery is at the core of the Portnox solution, all endpoints must be accurately profiled. Some customers commented that Portnox's library of profiled devices could be larger to avoid the customization effort required to identify nonstandard endpoints.

    • Portnox lacks a strong distribution channel in North America. Customers and prospects in North America may face challenges in obtaining presales and postsales support from the company.

Pulse Secure

Pulse Secure is a newly formed company that was created when private equity firm Siris Capital acquired the Junos Pulse business from Juniper Networks. In addition to its NAC solution, Pulse Secure also offers a VPN solution and a mobile security suite. In October 2014, Pulse Secure acquired MobileSpaces, a provider of virtual container technology for mobile devices. In the 2013 Network Access Control Magic Quadrant, Juniper was positioned in the Challengers section. This year, Pulse Secure is positioned in the Niche Players quadrant. The drop in Ability to Execute is due in part to the multiple challenges faced by establishing a new company, including branding, sales and distribution, and operational issues. Pulse Secure's NAC solution is based on a RADIUS platform and is available as a family of hardware and virtual appliances. Pulse Secure should be considered by Juniper and non-Juniper customers.

Strengths

    • The Pulse Secure solution remains tightly integrated with Juniper's core security products (firewall, intrusion prevention system [IPS] and Secure Sockets Layer [SSL] VPN), network infrastructure offerings (LAN switches) and SIEM solution. When implemented with Pulse Secure, Juniper's network and security components provide strong support for identity-based policies (role-based policies).

    • Pulse Secure's Unified Mobility Client reduces the number of agents required for network access by integrating an SSL VPN client and a NAC agent. The NAC component provides authentication and endpoint configuration assessment.

    • Pulse Secure has established full FIPS compliance and EAL3 certification for its NAC products. These certifications provide an advantage in government procurements, because most other NAC vendors have yet to meet these qualifications.

Cautions

    • Pulse Secure lags many competitors in its ability to integrate with solutions from other security vendors. The Policy Secure policy server does not integrate with non-Juniper firewalls, and it does not integrate with any network-based advanced threat detection solutions (for example, sandboxes).

    • Pulse Secure does not own device profiling technology. It relies on an OEM partner for this functionality.

    • Pulse Secure only provides two options for third-party EMM integration — AirWatch or MobileIron.

    • Pulse Secure is missing some features that are important in 802.1X environments. It lacks a standards-based approach for Change of Authorization (CoA), a feature that enables a policy server to communicate policy changes to the network infrastructure. Also, Pulse Secure does not offer an embedded certificate authority. Customers must implement an external certificate authority to enable 802.1X-based device authentication.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

None

Dropped

StillSecure — After being acquired by private equity firm Versata in 2013, StillSecure shifted its focus to the small-to-midsize market business segment. The company still retains support for its legacy U.S. Department of Defense customers.

Inclusion and Exclusion Criteria

To be included in this Magic Quadrant, a vendor's solution must be able to enforce NAC policies in a heterogeneous infrastructure environment. In addition, vendors' solutions must include the policy, baseline and access control elements of NAC, as defined by the following criteria:

    • Policy — The NAC solution must include a dedicated policy management server with a management interface for defining and administering security configuration requirements, and for specifying the access control actions (for example, allow or quarantine) for compliant and noncompliant endpoints. Because policy administration and reporting functions are key areas of NAC innovation and differentiation, vendors must own the core policy function to be included in this Magic Quadrant.

    • Baseline — A baseline determines the security state of an endpoint that is attempting a network connection, so that a decision can be made about the level of access that will be allowed. Baselining must work in heterogeneous endpoint environments (for example, Windows, Mac OS X, Apple iOS and Android). It must include the ability to assess policy compliance (for example, up-to-date patches and antivirus signatures for Windows PCs, or the presence of an EMM agent for mobile devices). Various technologies may be used for the baseline function, including agentless solutions (such as vulnerability assessment scans), dissolvable agents and persistent agents. NAC solutions must include a baseline function, but "reinventing the wheel" is not necessary. Baseline functionality may be obtained via an OEM or licensing partnership.

    • Access control — The NAC solution must include the ability to block, quarantine or grant partial (limited access) or full access to an endpoint. The solution must be flexible enough to enforce access control in a multivendor network infrastructure, and it must be able to enforce access in wired LAN, wireless LAN and remote access environments. Enforcement must be accomplished either via the network infrastructure (for example, 802.1X, virtual LANs or access control lists [ACLs]) or via the vendor's NAC solution (for example, dropping/filtering packets or ARP spoofing). Vendors that rely solely on agent-based endpoint self-enforcement do not qualify as NAC solutions.
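As an added illustration (not code from this report or from any vendor it covers), the following toy policy engine models the three required elements above, policy, baseline and access control, together with the identity-to-IP context sharing described in the Market Definition section. The endpoint attributes, VLAN numbers and decision rules are constructed assumptions; the RADIUS attribute names (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and the CoA/Disconnect message types follow RFC 3580 and RFC 5176, and are shown as names, not wire format.

```python
# Added example: toy NAC policy engine modelling the policy, baseline and
# access-control elements required by the inclusion criteria, plus the
# identity-to-IP "context" record NAC shares with firewalls and SIEMs.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"            # full access
    LIMITED = "limited"        # partial access (e.g. guest / Internet-only)
    QUARANTINE = "quarantine"  # remediation network
    BLOCK = "block"            # session torn down

@dataclass
class Endpoint:
    mac: str
    ip: str
    os: str
    user: Optional[str] = None   # None = no authenticated identity (guest)
    patched: bool = False
    av_current: bool = False
    emm_enrolled: bool = False   # EMM agent present and reporting
    profiled: bool = True        # False if discovery could not identify the device

MOBILE_OS = {"ios", "android"}
# Hypothetical enforcement VLANs (constructed). A RADIUS-based policy server
# expresses a VLAN assignment with the RFC 3580 tunnel attributes used below.
VLAN_FOR = {Decision.ALLOW: "10", Decision.LIMITED: "20", Decision.QUARANTINE: "99"}

def baseline(ep: Endpoint) -> list:
    """Baseline element: return the failed compliance checks (empty = compliant)."""
    failures = []
    if not ep.profiled:
        failures.append("unprofiled")
    if ep.os.lower() in MOBILE_OS:
        if not ep.emm_enrolled:
            failures.append("no_emm_agent")
    else:
        if not ep.patched:
            failures.append("missing_patches")
        if not ep.av_current:
            failures.append("av_stale")
    return failures

def decide(ep: Endpoint) -> Decision:
    """Policy element: map baseline result and identity to an access decision."""
    failures = baseline(ep)
    if "unprofiled" in failures:
        return Decision.QUARANTINE   # unknown device: isolate until profiled
    if ep.user is None:
        return Decision.LIMITED      # guest: limited access regardless of posture
    if "no_emm_agent" in failures:
        return Decision.BLOCK        # BYOD rule from the report: block (or limit)
    if failures:
        return Decision.QUARANTINE   # known user, non-compliant PC: remediate
    return Decision.ALLOW

def enforcement(ep: Endpoint, decision: Decision) -> dict:
    """Access-control element: the action pushed to the network infrastructure.
    Attribute names only (not wire format); BLOCK becomes an RFC 5176
    Disconnect so the existing session is torn down."""
    if decision is Decision.BLOCK:
        return {"action": "Disconnect-Request", "Calling-Station-Id": ep.mac}
    return {"action": "CoA-Request", "Calling-Station-Id": ep.mac,
            "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": VLAN_FOR[decision]}

def context_record(ep: Endpoint, decision: Decision) -> dict:
    """Identity and role bound to the IP: the context NAC shares with a firewall or SIEM."""
    return {"ip": ep.ip, "mac": ep.mac, "user": ep.user or "guest",
            "os": ep.os, "failures": baseline(ep), "role": decision.value}

if __name__ == "__main__":
    # Constructed sample endpoints
    for ep in (
        Endpoint("aa:bb:cc:00:00:01", "10.1.1.11", "Windows", "alice", patched=True, av_current=True),
        Endpoint("aa:bb:cc:00:00:02", "10.1.1.12", "iOS", "bob"),  # BYOD device without an EMM agent
        Endpoint("aa:bb:cc:00:00:03", "10.1.1.13", "Android", None, emm_enrolled=True),
    ):
        d = decide(ep)
        print(d.value, enforcement(ep, d), context_record(ep, d))
```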

Additional criteria include:

    • Vendors must integrate with one or more EMM solutions.

    • Network infrastructure vendors must have demonstrated their ability in 2013 and 2014 to sell NAC solutions beyond their installed base of infrastructure customers.

    • NAC vendors must consistently target and show wins at enterprises with 5,000 endpoints and above to be included. This Magic Quadrant does not analyze solutions that only target the small or midsize business (SMB) market.

    • Vendors must have an installed base of at least 100 customers or an aggregate endpoint coverage of 500,000 endpoints.

    • The vendor must have at least $5 million in NAC sales during the 12 months leading up to 1 November 2014. Solutions that do not directly generate revenue for the vendor, such as those that embed basic NAC functionality in other products at no extra charge, have been excluded from this analysis.

The NAC solutions had to be generally available as of 1 November 2014.