With so many employees working remotely, the importance of secure network access control (NAC) has never been higher. In this guide, we showcase the industry’s leading NAC solutions along with an overview of the network access control market and key features to look for in a NAC solution.
Comparison of the Top NAC Tools
eSecurity Planet reviewed the various NAC platforms and tools on the market. Based on our analysis and evaluation, here are some of the top vendors in this field.
Cisco Identity Services Engine (ISE) offers an automated approach to policy enforcement and network access and a foundation for software-defined access and network segmentation in IT and OT environments. ISE is the basis for policy control within Cisco’s DNA Center intent-based security and management dashboard.
- Works with network devices to create a comprehensive contextual identity with attributes such as user, time, location, threat, vulnerability, access type and business role
- Interface offers a detailed attribute history of all endpoints that connect to the network as well as users (including guests, employees and contractors), down to endpoint application details and firewall status
- Cisco TrustSec Security Group Tags (SGT) allow organizations to base access control on business rules and not IP addresses or network hierarchy, giving users and endpoints access on a least privilege basis as resources move across domains
- Improved efficiency in managing switch, router, and firewall rules
- Self-service device onboarding for BYOD or guest policies allows for automated device provisioning, profiling, and posturing in compliance with security policies
The FortiNAC product line includes hardware appliances and virtual machines. Each FortiNAC deployment requires both a Control and an Application server. If your deployment is larger than what a single server can support, you can stack servers for more capacity. The FortiNAC solution has no upper limit on the number of concurrent ports it can support.
- Scans the network to detect, classify and create an inventory of devices via agent or agentless (automated)
- Enforces dynamic network access control and enables network segmentation
- Automated onboarding process for a large number of endpoints, users and guests
- Assesses the risk of every endpoint on the network
- Centralized architecture for easier deployment and management
- Extensive support for third-party network devices
- Provides event reporting to SIEM with detailed contextual data
Extreme Networks ExtremeControl
Extreme Networks’ ExtremeControl for ExtremeCloud IQ—Site Engine delivers a single pane of glass solution with context-based network control and simple IoT (Internet of Things) device onboarding, enabling IT administrators to protect their network edge with endpoint security. It also enables centralized, in-depth visibility and granular control over all endpoints across wired and wireless networks—including physical, virtual, local, or VPN connected—through one easy-to-use dashboard. It allows users to centrally manage and define granular policies and roll out automatic policies, and it is integrated with most major enterprise platforms.
- Single pane of glass for wired and wireless network infrastructure
- Detailed profiling with network access and app analytics data
- Enables administrators to create context-based policies and policies based on the security posture of specific IoT devices
- Offers network management, network automation, and application visibility
- Workflow manager feature enables customers to tailor automation. Periodic as well as event-driven tasks can be fully customized and automated, opening unlimited options for integrations and increasing efficiency
Aruba, a Hewlett Packard Enterprise company, offers ClearPass. It applies policy and granular security controls—such as where and how the associated traffic can navigate the network—to ensure that proper access is granted to those connected to both wired and wireless enterprise networks.
The ClearPass family comprises ClearPass Device Insight, which uses artificial intelligence (AI) to discover and profile IoT devices; ClearPass Policy Manager, which enables security teams to define business-level access policies; ClearPass OnGuard for agentless endpoint security assessment; and ClearPass OnBoard, which streamlines bring your own device (BYOD) connectivity.
- ClearPass Policy Manager allows IT staff to implement policies for how users and devices connect and what corporate data they can access
- Aruba Policy Enforcement Firewall dynamically segments traffic across wired, wireless, and WAN connections with the same policies and access rights
- Simplified access for authorized users using role-based policy and identity to authenticate users
- ClearPass is designated Cyber Catalyst by Marsh. This program, operated by eight of the largest cyber insurers, evaluates security products
- Automatically eliminates blind spots by finding and fingerprinting IoT devices with AI-based, cloud-delivered discovery and profiling
- Integrates with over 170 security and IT management solutions and can act as a clearing house for attack alerts
- Can propagate access policies for other vendors, including Cisco
- Supports authentication protocols and directories including RADIUS, LDAP, and AD
- Common Criteria certified
The Forescout Platform (comprising product licenses eyeSight, eyeControl, eyeSegment, and eyeExtend) gives security and IT operations teams real-time visibility of all IP-connected devices when accessing the network. Users can choose from 20+ active and passive discovery and profiling methods to match to the business environment and ensure continuous network availability. More than 12 million device fingerprints in the Forescout Device Cloud offer device classification capabilities to determine device function, OS, vendor, and model.
- Coverage across all locations, networks, and device types (without blind spots) with or without 802.1X authentication
- Visibility into every IP-connected device
- Real-time asset inventory
- Automated security posture assessment and remediation
- Policy enforcement across heterogeneous networks
- Zero trust security
- Workflow orchestration with existing tools
- Single platform for all managed, unmanaged, and unagentable devices—information technology (IT), IoT, Internet of Medical Things (IoMT), industrial control systems and operational technology (ICS/OT), and virtual/cloud instances
- Actionable three-dimensional classification taxonomy, which includes 20+ passive and active visibility techniques with passive-only options
- In-depth agentless assessment for Windows, macOS, Linux, and IoT devices
- Authorization of IoT and other unagentable devices based on identification, classification, and risk profile without relying on insecure whitelists
- Unified policy engine for automating posture assessment, remediation, incident response, and network access workflows
- Works in multi-vendor environments across 30+ wired, wireless, and software-defined network infrastructure vendors with or without 802.1X
Portnox Core is an on-premises network access control solution that provides actionable network and device visibility as well as automating enforcement actions. This agentless, software-based, and vendor-agnostic product provides device intelligence, full network view, and full customization of remediation and action scripts.
- No network prep work required, and no appliance installations or infrastructure changes
- Web-based user interface (UI) with smart workflows, onboarding, and automated response actions
- No need to replace appliances when increasing the number of devices; clustering and backups are handled in software
- Visibility into Voice over Internet Protocol (VoIP), IoT, and BYOD
- Portnox Clear is a managed service that provides network visibility, continuous risk monitoring, and remediation of endpoints across all access layers
- Enhances remote access security for VPN, VDI, and enterprise cloud applications with continuous endpoint risk monitoring and device remediation
- Secures Wi-Fi access from the cloud regardless of location or device type, using identity-based authentication that leverages personal credentials or digital certificates
InfoExpress offers a family of appliances to meet different NAC requirements. They support enforcement that secures access for mobile, desktop, and IoT devices without network changes. The enterprise version is the CGX server. It can be deployed as a virtual machine (VM) or appliance that provides a full suite of network access control applications to create a flexible and custom NAC solution.
- Optionally install agents to provide granular policy compliance and to deploy Dynamic NAC to control access
- Detect unknown devices on the network and enforce policy on them
- Limit guests to needed resources
- Support access for personal employee devices
- Manage compliance for corporate devices
- A policy builder can create custom rule sets using information about the user, directory membership, device, location, time, and more
- Policies can invoke operations, such as flagging devices, sending alerts, and restricting access
- Selective network access is provided based on the results of policy rules
- In-band enforcement is supported as part of the appliance. Out-of-band enforcement is supported by integrating with the existing wired or wireless network or through the dynamic NAC feature
- Additional applications can be hosted on the CGX server platform. These address additional needs, such as registering guests, managing employee devices, enhanced compliance, and mobile device management (MDM) integration.
Auconet BICS detects every endpoint, combining MAC-based authentication and 802.1X for each type of device; it can use either method alone or both in combination. Its multilayer approach to network security works with IT and industrial networks at the device and user levels. It can authorize or block users, devices, and ports, separately or in any combination, according to predefined policies.
- Auconet delivers a framework for MDM and BYOD
- Automatically detects attempts at unauthorized access, protecting sensitive data with an app-based VPN tunnel
- A central administrator console enables control over devices on mobile platforms, including the ability to block or wipe data from each device
- VLAN assignment based on security policies, streamlining the provisioning, authorization, and tracking of guests
- BICS discovers, recognizes, authorizes access for, and controls infrastructure
- Monitors and protects one or many networks from a single console
- Multi-tenant BICS implementations secure access to hundreds of separate networks at once
- Safeguards ATMs and cash-handling systems, including point-of-sale (POS) devices, such as cash registers and do-it-yourself ticket kiosks
Pulse Policy Secure
Pulse Policy Secure (PPS) provides visibility and NAC for local or remote endpoints. It enforces foundational security policies and controls network access for managed and unmanaged endpoints, including IoT. It uses zero trust principles to manage network access by validating the user and the device’s security posture, then connecting the device under a least-privilege access policy. The platform integrates with a wide range of switching, Wi-Fi, and firewall products to enforce access policies.
- Bidirectional integration with third-party security solutions
- Automated responses to Indicators of Compromise (IoC) reduce remediation time
- Integrates with NGFWs such as Palo Alto Networks, Check Point, Juniper, and Fortinet as well as SIEM solutions such as IBM QRadar and Splunk
- Integration with McAfee ePolicy Orchestrator (McAfee ePO) fortifies endpoint management and automated threat response
- For OT/IIoT (industrial Internet of Things) visibility and control, PPS integrates with Nozomi Guardian
- PPS includes three components: Pulse Profiler identifies and classifies endpoint devices, including IoT, and provides end-to-end visibility, reporting, and behavior analytics; Pulse Policy Secure provides a policy engine that leverages contextual information from users, endpoints, and applications; and Pulse Client offers agent and agentless options for pre- and post-admission control, and it incorporates the Host Checker functionality, which verifies an endpoint’s security posture
- Centralized visibility and policy management of all endpoints, including IoT
- Granular assessment of endpoint security posture before allowing access
- Dynamic network segmentation based on user role and/or device class
- Roaming between remote and local, using Pulse Connect Secure Integration
Opswat acquired some of its NAC technology from Impulse. Opswat MetaAccess NAC ensures every network connection and endpoint device is visible, allowed, or blocked in real time. Agentless device identification and profiling provides detailed device information, including username, IP address, MAC address, role, device type, location, time, and ownership. It uses heuristics and pattern analysis for device profiling.
- MetaAccess NAC discovers new IoT and user devices that attempt network access
- Can either profile a device passively or quarantine it until its device type is explicitly known
- Deep Device Fingerprinting
- Web Browser User Agent Identification
- Control IoT or browser-less device access such as printers, VoIP phones, thermostats and lights, or industrial devices
- Consolidated view of traditional systems, mobile and IoT devices, and operational technology systems
- Option for SafeConnect to recognize certain device types and passively allow them access
- Option to whitelist a group of devices with the MAC address, ensuring only these specific MAC addresses will get on the network
- Windows, macOS, and mobile devices are checked with deep endpoint assessments prior to granting network access
What is Network Access Control (NAC)?
Network access control (NAC) helps enterprises implement policies for controlling device and user access to their networks. NAC can set policies based on resource, role, device, and location, and enforce security compliance with security and patch management policies, among other controls.
The goal is to bring order to the chaos of connections, whether they are internal or external. Those connections might be from in-house personnel, a remote workforce, customers, consultants, contractors, and guests. Each of these groups requires access, although the kind of access varies from one person or group to another. Administrators require a different tier of control compared to lower-level workers, and groups such as guests or contractors are given limited access rights.
According to Gartner, the minimum capabilities of NAC solutions are:
- Dedicated policy management to define and administer security configuration requirements and specify the access control actions for compliant and non-compliant endpoints
- Ability to conduct a security state baseline for any endpoint attempting to connect and determine the suitable level of access
- Access control, so you can block, quarantine, or grant varying degrees of access
- The ability to manage guest access
- A profiling engine to discover, identify, and monitor endpoints
- Some method of easy integration with other security applications and components
One trend to watch is the rise of zero trust security products. These new access control tools restrict access to just the data and applications users need rather than granting them access to the entire network, reducing the risk of lateral movement within the network. The market is still new, but Gartner expects sales of these products to gain traction in 2021–22.
How to choose a NAC solution
Here are some factors to consider in selecting a NAC solution:
Agents or agentless?
The first thing to consider when deciding on a NAC solution is whether you want agent-based or agentless device support. Agent-based solutions rely on more detailed information for every device connected to a network to allow for more granular policies when authenticating devices. These NAC tools may deny device access based on factors like insufficient security software or prohibited apps installed on the device. The downside is that all devices on an agent-based system must be pre-enrolled on the NAC tool to apply policies.
Agentless solutions provide more flexibility when identifying and authenticating devices. These solutions will discover devices as they join a network and determine the proper policies to apply to them. Agentless systems are often integrated with other products, such as intrusion prevention systems, to bolster authentication processes.
Ideal NAC tools will incorporate both agent-based and agentless features. This combination of flexibility and certainty is vital for organizations that support a large number of devices.
Organizations likely have a suite of security tools in place besides a NAC solution, such as security information and event management (SIEM) systems and next-generation firewalls (NGFW). The key to implementing effective NAC software is for it to integrate well with other existing security tools. Make sure to verify that NAC tools can integrate with your current security infrastructure.
As data privacy becomes an ever-growing concern, maintaining regulatory compliance needs to be a priority for every organization. Many NAC vendors build products to abide by regulatory standards, such as PCI-DSS and NIST. However, some make it even more of a focus to maintain compliance for more specific standards, such as SOX and HIPAA. Ensure you know what compliance your organization requires and that a NAC solution can help you maintain it.
NAC vendors offer varying levels of support. Determine how much NAC management you can handle in-house and how much vendor support you will need, and compare it to what each vendor can reasonably provide.
eSecurity Planet Editor Paul Shread contributed to this report