In this guide, we showcase the industry’s leading network access control (NAC) solutions.
Impulse SafeConnect offers automatic device discovery and can support anywhere from 250 to 25,000 endpoints and up with its scalable appliance architecture. The company started in education and has expanded to government and corporate markets. This software collects real-time and historical context-aware device data to help IT teams make informed decisions when applying network access control policies. These policies can be based on identity, device type, location and ownership.
Twingate helps companies to easily implement a secure Zero Trust Network Access solution without compromising on usability or performance. Twingate replaces legacy VPNs with a modern Identity-First Networking solution that combines enterprise-grade security with a consumer-grade user experience. With the ability to support many thousands of users working from any number of locations, Twingate also works with all major cloud and identity providers and can be set up in less than 15 minutes.
ExtremeControl is popular with education, entertainment, hospitality and healthcare customers and can scale to 200,000 endpoints. It offers a rule-based architecture to automate access based on use cases. This solution is popular among education and healthcare in part due to its focus on maintaining regulatory compliance. It makes it easy to apply granular policies to BYOD and IoT devices from a centralized, intuitive dashboard.
Auconet Business Infrastructure Control Solution (BICS) offers network monitoring, asset management and other functions in addition to NAC. It plays well in large, complex implementations, with up to 60,000 devices identified per hour with 100% device discovery and implementations of more than 500,000 ports. BICS was designed for wide integration to fit with most existing security infrastructures, making it a good option for large organizations that currently use a slew of different products.
CounterACT plays well in regulated environments such as defense, finance, healthcare and retail. The company boasts implementations of more than a million endpoints, and the technology can protect medical devices too. ForeScout CounterACT is geared toward maintaining regulatory compliance, similar to Extreme Networks ExtremeControl. However, CounterACT can be implemented as an agentless solution to focus on flexibility when identifying all devices connecting to a network.
Ivanti purchased Pulse Policy Secure in late 2020, taking on a product that supports up to 50,000 concurrent users in multi-vendor environments with a focus on automation. It offers automatic deployment and threat intelligence options. It’s able to automatically detect, classify, profile and monitor network devices. Pulse Policy Secure can also be used to automate guest access and remediation patches for endpoint devices.
ClearPass is especially suited for high-volume authentication environments, offering more than 10 million authentications a day, as well as distributed environments requiring local authentication survivability across multiple geographies. This NAC tool is built to enforce adaptive policies for wireless, wired or VPN accessed devices based on in-depth contextual analysis. Aruba ClearPass may also be known as Avenda eTIPS after HPE acquired Avenda and its NAC solution in 2011.
Fortinet acquired Bradford Networks and is integrating Bradford’s Network Sentry with FortiNAC. It offers traditional NAC features as well as new capabilities tailored to the Internet of Things. FortiNAC is aimed at providing comprehensive visibility into all devices connected to a network and the ability to seamlessly control devices and users, including dynamic, automated responses.
Cisco ISE supports up to 500,000 concurrent sessions and 1.5 million endpoints per deployment. It offers adaptive intelligence engines, machine learning and automated detection and response. Cisco is leading the charge in adopting a zero trust security model with ISE using software-defined access and automated network segmentation to enable dynamic policy enforcement.
InfoExpress CyberGatekeeper automates discovery and audits devices before granting network access. It is popular with educational clients; one uses it to cover 100,000 users across 200 campuses. This on-premises solution consists of three main components: policy manager, policy server and a reporting server to enforce device access. CyberGatekeeper also offers a VPN and intrusion detection system.
What is NAC?
NAC is an effort to create order out of the chaos of connections from within and outside the organization. Personnel, customers, consultants, contractors and guests all need some level of access. In some cases, it is from within the campus and at other times access is remote. Adding to the complexity are bring your own device (BYOD) policies, the prevalence of smartphones and tablets, and the rise of the Internet of Things (IoT).
NAC was the highest IT security spending priority in eSecurity Planet’s 2019 State of IT Security survey – and is also one of the technologies users have the most confidence in.
According to Gartner, the minimum capabilities of NAC are:
- Dedicated policy management to define and administer security configuration requirements, and specify the access control actions for compliant and non-compliant endpoints
- Ability to conduct a security state baseline for any endpoint attempting to connect and determine the suitable level of access
- Access control so you can block, quarantine or grant varying degrees of access.
- The ability to manage guest access
- A profiling engine to discover, identify and monitor endpoints
- Some method of easy integration with other security applications and components
One trend to watch is the rise of zero trust security products. These new access control tools restrict access to just the data and applications users need rather than granting them access to the entire network, reducing the risk of lateral movement within the network. The market is still new, but Gartner expects sales of these products to begin to gain traction in 2021.
How to choose a NAC solution
Thie first thing to consider when deciding on an NAC solution is whether you want agent-based or agentless device support. Agent-based solutions rely on more detailed information for every device connected to a network to allow for more granular policies when authenticating devices. These NAC tools may deny device access based on factors like insufficient security software or prohibited apps installed on the device. The downside is that all devices on an agent-based system must be pre-enrolled on the NAC tool to apply policies.
Agentless solutions provide more flexibility when identifying and authenticating devices. These solutions will discover devices as they join a network and determine the proper policies to apply to them. Agentless systems are often integrated with other products, such as intrusion prevention systems to bolster authentication processes.
Ideal NAC tools will incorporate both agent-based and agentless systems. This combination of flexibility and certainty is vital for organizations that support a large number of devices.
Organizations likely have a suite of security tools in place besides an NAC solution, such as security information and event management (SIEM) systems and next-generation firewalls (NGFW). The key to implementing effective NAC software is for it to integrate well with other existing security tools. Make sure to verify NAC tools can integrate with your current security infrastructure.
As data privacy becomes an ever-growing concern, maintaining regulatory compliance needs to be a priority for every organization. Many NAC vendors build products to abide by regulatory standards, such as PCI DSS and NIST. However, some make it even more of a focus to maintain compliance for more specific standards, such as SOX and HIPAA. Ensure you know what compliance your organization requires, and that an NAC solution can help you maintain it.
NAC vendors offer varying levels of support. Determine how much NAC management you can handle in-house and how much vendor support you will need and compare it to what each vendor can reasonably provide.
This article was updated in March 2021 by Kyle Guercio.