As a spinoff of the network infrastructure leader Juniper Networks, Ivanti’s Policy Secure provides effective network access control built on a foundation of deep understanding of networks. However, with three rebrandings since 2014, many potential customers may not recognize the product as a long-tenured competitor in the NAC market. This article examines the product in depth, covering the features, pros, cons, pricing, and other key aspects of Ivanti’s NAC solution.
The Ivanti corporation formed through a series of mergers and acquisitions of component companies such as AppSense, Cherwell, MobileIron, Pulse Secure, RiskSense, and Wavelink. Unified under the Ivanti brand, the component technologies provide solutions for unified endpoint management, service management, asset management, supply chain operations, patching solutions, and zero trust solutions. Ivanti maintains 36 offices in 23 nations globally and has 3,100 employees servicing more than 38,000 customers with the help of over 4,000 partners.
Ivanti’s NAC solution consists of four main components:
Policy Secure: Central policy management server
Enforcer: Enforcement points for user authentication
Secure Access Client: Endpoint user authentication, device compliance, and virtual private network (VPN) connections
Profiler: Ability to identify and classify endpoints
Additionally, Policy Secure integrates with other Ivanti tools to offer additional features related to network security such as:
User behavior analytics (UEBA) tracking network data flow, user data, and device information available through integrations with the Ivanti One Management solution
Agents can be configured to download automatically to devices using Microsoft Windows. Host assessments by Policy Secure are performed through the endpoint security assessment plug-in (ESAP) agent installed on endpoints.
Applicable Metrics
Maximum concurrent users varies depending upon the appliance capabilities. Low-end physical and virtual appliances support up to 200 concurrent users and high-end appliances support up to 50,000 concurrent users.
Similarly, appliance size determines the expected login rate and max tunnel throughput. Users can perform between 20 and 122 logins per second. Max tunnel throughput will depend upon the mode — for encapsulating security payload (ESP) tunnel mode the tunnel throughput maximum will vary between 200 Mbps and 4.2 Gbps, and for secure socket layer (SSL) mode the tunnel throughput maximum will vary between 100 Mbps and 2.8 Gbps.
Appliances may be clustered for high availability (synchronized active and passive devices) or load balancing (all devices active). Using a license manager, clustering, and multiple devices can create a large, high volume instance. Ivanti does not disclose the maximum number of endpoints such an infrastructure can support.
Security Qualifications
Ivanti Policy Secure provides FIPS level 1 (FIPS 140-1 and 140-2) support and security certifications that support compliance with HIPAA, PCI DSS, ISO 27001, and other security standards.
Features
Automated threat responses to indicators of compromise
Centralized visibility and policy management of all endpoints — workstations, laptops, and internet of things (IoT) devices
Bidirectional third party integration to improve security and auditing
Firewalls: Check Point, Fortinet, Juniper, Palo Alto Networks, etc.
Security information and event management (SIEM): IBM QRadar, Splunk, etc.
And more: Nozomi Guardian (industrial IoT and operational technology tracking), Trellix ePolicy Orchestrator, etc.
Built-in behavior analytics trained during the Policy Secure learning period
BYOD onboarding with third party enterprise mobile management integration or virtual Application Delivery Controller (vADC)
Customizable user experience options such as custom logos, background colors, personalized greetings for users, etc.
Dynamic network segmentation based on user role and device classification
Granular assessment of endpoint security posture before allowing access
Layer 2 NAC enforcement through 802.1x, MAC authentication, simple network management protocol (SNMP), and secure shell (SSH) protocol
Layer 3 NAC enforcement through integration with firewalls, intrusion detection and prevention solutions, and ethernet switches
RADIUS and TACACS+ support for device and other multi-factor authentication devices
Self-service onboarding for devices and users in known identity and access management systems
Pros
Customizable reports for key performance indicator tracking, auditing, and compliance
Guest onboarding included with the basic license instead of an add-on module
More than 2.3 million IoT device profiles included
Potentially lower total cost of ownership (TCO) for organizations with less complicated needs when compared to higher-profile competitors
Secure connections for local and remote users
Simple implementation and connection for servers and network equipment
Wide operating system compatibility — Windows, macOS, Linux, Android, and iOS
Wizard-based deployment and setup ensures easy implementation and no missed steps
Cons
Lengthy connection processes, according to customers
Confusing licensing based upon reserved licenses, lease durations, license recall procedures, and surrendering licenses makes it difficult to predict costs in variable usage settings
Instability for some virtual private network (VPN) users; however, this may be caused by incorrect setup where conflicts between incompatible session heartbeat intervals and host checker intervals create disconnections
Host checking capabilities are significantly limited on devices running Linux, Solaris, and mobile devices and somewhat limited for macOS
Not as expansive and robust as higher-profile competitors
Poor brand recognition compared to its competitors
Intelligence
Ivanti Policy Secure, trained during a learning period, can perform basic behavior analytics. Secure also consumes threat intelligence information from third party sources such as firewalls and IDS systems or through additional Ivanti modules and products. Intelligence can be used to perform automated security responses.
Delivery
Ivanti Policy Secure can be deployed as physical appliances or installed as a virtual machine in local data centers or in the cloud. Devices can be clustered in two or more units to provide load balancing (all active) or high availability (some passive) benefits.
Wide area network (WAN) clusters are possible, but only on specific appliances. Devices can be deployed with attached licenses, or a server may be created to perform license management across multiple appliances.
Pricing
Organizations need to obtain appliances (virtual or physical), licenses for the servers based upon the number of expected users, and additional licenses for optional modules. Bundled pricing, volume discounts, and pricing discounts are likely, but no pricing is officially published by Ivanti, so organizations should contact Ivanti for quotes.
Some example partner pricing is listed, but organizations need to be sure of the currency (e.g., US dollars vs. Canadian dollars) and that the configurations are the same since some resellers quote appliances bundled with services while others sell the products separately.
PSA300 Mini Appliance: 200 users max for smallest needs
PSA3000 Rack Mountable Server (1RU): 200 users max for smallest needs
PSA5000 Rack Mountable Server (1RU): 2,500 users max for small and medium enterprises
PSA7000c Rack Mountable Server (2RU): 25,000 users max for enterprise needs, copper port connections
PSA7000f Rack Mountable Server (2RU): 25,000 users max for enterprise needs, fiber port connections
PSA3000-V Virtual Server: 200 users max for smallest needs
PSA5000-V Virtual Server: 2,500 users max for small and medium enterprises
PSA7000-V Virtual Server: 10,000 users max for enterprise needs
Users can download licenses from the Software Download Center using the same credentials as the Ivanti Community site. Licenses can be downloaded and managed by specific appliances or managed by a licensing server.
The appliances support four different types of licenses:
Pulse Secure Evaluation license
Pulse Secure Perpetual license (requires support subscription for future updates)
Pulse Secure Subscription licenses
Pulse Secure In-Case-of-Emergency (ICE) licenses to cover temporary surges in license demand
Perpetual licenses include 12 months of maintenance and support. Further maintenance contracts must be purchased to obtain future updates and support, including patches, updates, upgrades, and content feeds such as IoT profiles. Upon the expiration of maintenance, the appliance may be used as-is without upgrades.
Subscription or term licenses may be purchased for one, two, and three years and include software, updates, and support. At the expiration of a subscription, the appliance may no longer be used.
Lapsed licenses require a reinstatement fee based upon the annual fee. Renewal fees typically increase by 5% per year.
Ivanti offers four levels of support: Standard, Premium, Enterprise and Success Squad. All customers are automatically enrolled in standard support, which includes the customer community, a knowledge base, and a support response time of 2 hours (24×7) via the online portal or phone. Premium includes self-guided resources, one Advantage Learning License, a named support manager, and a support response time of one hour.
Enterprise support adds a designated customer service manager, success plan, expert coaching programs, quarterly business reviews, one virtual instructor-led class, and a designated enterprise support engineer. Success Squad adds personalized success plans, technical guidance and validation on upgrades, additional learning licenses and virtual instructor-led classes, go-live support, and health checks.
Bottom Line: Top Alternative to Higher-Priced Solutions
Ivanti Policy Secure does not contain as robust an IoT database or lengthy integration list compared with more prominent competitors in the NAC solution market. However, Policy Secure can deliver automated guest onboarding with the basic license when many larger, more expensive competitors require add-on modules to deliver the same capabilities.
Although Ivanti’s licensing model can be confusing, Policy Secure has the potential to deliver robust, fundamental network access control with a lower total cost of ownership. Enterprises with less complex needs and networks should include Ivanti Policy Secure on their evaluation list to ensure a low-cost comparison against other brands.
This article was originally written by Drew Robb on July 7, 2017, and was updated by Chad Kime on April 14, 2023.
eSecurity Planet lead writer Chad Kime covers a variety of security, compliance, and risk topics. Before joining the site, Chad studied electrical engineering at UCLA, earned an MBA from USC, managed 200+ ediscovery cases, and helped market a number of IT and cybersecurity products, then transitioned into technical writing policies and penetration test reports for MSPs and MSSPs.