Network Access Control

Cisco NAC Appliance
Cisco has introduced a set of new appliances, chiefly with the goal of introducing FIPS compliance. This provides a broader, more secure set of deployment options for Cisco NAC customers. (3/31/2010)
| Client Access |

Juniper Networks Unified Access Control
Juniper UAC has not had a significant product revision in the last six months. The product, however, remains competitive in the space. (3/31/2010)
| Client Access |

McAfee NAC
McAfee NAC has not had a significant update in the last six months. (4/8/2010)
| Client Access |

StillSecure SafeAccess
StillSecure is a popular technology partner with network equipment vendors looking to jump start their NAC stories. The company did not significantly update its Safe Access product in the last six months. (3/31/2010)
| Client Access |

Symantec NAC 11.0
Symantec continues to work to better integrate its NAC solution with its broader suite of security and systems management products. The product has not had a significant upgrade in the last six months. (3/31/2010)
| Client Access |

Top

• Current Analysis Perspective
• Product Strengths & Weaknesses
• Product Point and Counterpoint
• Product Buying Criteria
• Product Metrics

• Pre-connect Host Posture Assessment
• Ability to determine the security state, or health, of each device as it attempts to authentication to the network. Typical software checks would include presence of updated AV software and OS patches. Configuration checks might include confirmation that AV and firewall software is turned on. Solutions should be able to create, manage and confirm compliance with policy on a per user or group level.
• Non-compliant Host Quarantine and Remediation
• Ability to place non-compliant devices into a restricted subnet where typically the only available resources are remediation servers and/or Internet access if additional third party remediation resources are also required. Solutions do not need to include patch management functionality but should integrate with existing patch management products.
• Identity Awareness
• Ability to capture authentication information and to link user identity to network traffic. NAC solutions are NOT expected to perform network authentication, rather they are expected to help enforce authentication by leveraging existing AAA and directory services and redirecting unmanaged devices (e.g., using captive portals) where identity information can be collected. Identity information can also provide an important overlay to network traffic data for audit and reporting capabilities. Ability to deliver policy driven access to network resources based on user identity. Solutions should be able to extract role data from existing identity databases and support role-based provisioning and access management based on corporate or regulatory access policy.
• Post-connection Threat Detection and Containment
• Ability to continuously monitor network traffic and react to threats in real time by leveraging NAC quarantine enforcement. Solutions typically employ behavioral anomaly techniques to detect unknown threats to the network. Enforcement and remediation are done through the same infrastructure that supports pre-admission NAC.
• Cost and Ease of Use
• Network access control is a complex, immature, and evolving concept. Ease of deployment and the associated issue of scalability are important buying criteria. Interoperability with network infrastructure, security products, both host-based and network based, and systems management solutions are also important considerations. And finally, given the scope of NAC deployments, cost is always an important consideration.

• Endpoint Detection
  • RADIUS Server
  • DHCP
  • 802.1x
  • Inline Appliance
  • Out of Band Appliance/Passive Scanner
  • IPSec VPN
  • SSL VPN
  • Other
• Posture Checking (Means)
  • Agent (Native or Third-party)
  • Temporary Agent (Native or Third-party)
  • Agentless
• Posture Checking (Depth)
  • OS Patches
  • Software Whitelists
  • Registry Settings
  • Personal Firewall
  • HIPS
  • Software Blacklists
  • Software Configurations
  • System/Policy Mgmt Agents
  • Patch Mgmt Agents
  • Microsoft Security Patches
• Quarantine Enforcement
  • VLANs
  • Endpoint
  • Switch
  • Router
  • DHCP
  • Network-based Inline
  • Network-based Out of Band
  • Other
• Remediation
  • Trouble Ticketing Systems
  • Patch Managers
  • Systems Mgmt Systems
  • Network Mgmt Systems
  • Vulnerability Mgmt Systems
  • Other
• Policy Mgmt & Reporting
  • Policy Creation Environment
  • Policy Templates
  • Reports by Industry Regulation
  • Aggregate Security Status Reports Tied to Policy
  • Reports by IP Address/MAC Address/User Name
  • Custom Reporting
• Identity-based Authentication
  • RADIUS
  • AD/LDAP
  • Windows Login
  • Web Login
  • Identity-aware DHCP
  • Other
• Network Resource Access Control
  • Role-based Provisioning
  • Extract Role Info from LDAP
  • Extract Role Info from Active Directory
  • Extract Role Info from RADIUS
  • Tie User to Traffic/Policy
  • Allow Segmented Access Based on Risk
  • Post-connect Security
  Post-connect Security
  • Continual Real-time Infection Detection
  • Firewall Policies
  • Anomaly Detection
  • Signature Matching
  • Other
• Continual Real-time Infection Detection
  • IPS
  • Firewall
  • Dedicated Appliance
  • Switch or Router-based Enforcement
  • Other
• Pricing
  • Priced per seat/box/etc.
  • Base List Price