MarketScope for Network Access Control, 2008
 
25 March 2008

Lawrence Orans, John Pescatore, Mark Nicolett

Gartner RAS Core Research Note G00155904
 

About half of the vendors in the network access control market are startup companies, most of which will grow in 2008. Starting in 2009, the overall market will begin to consolidate, as established network and security vendors embed and enhance NAC functions into their products.





What You Need to Know



Network access control (NAC) project managers should first determine whether their network and security vendors already offer NAC functionality that meets their goals. Where tactical solutions or NAC pure-play vendors are a better fit, develop a strategy under which these solutions can ultimately be integrated with the infrastructure (for example, 802.1X-based switches) or with other core security products (for example, intrusion prevention systems or antivirus). NAC can be deployed less expensively and more widely throughout the enterprise when it is an embedded feature rather than a separate product, but security requirements should not be compromised to achieve that.






MarketScope



The NAC market remains active, but fragmented. In this MarketScope, we analyze 17 vendors; approximately half are startup companies and the rest are larger and more-established security vendors that offer NAC as part of a broad portfolio of products. The market will remain fragmented in 2008 as a result of the following two trends:

  • Slow adoption of infrastructure-based NAC — Given the reduction in the original motivation for deploying NAC (fast-spreading malware such as worms), many organizations will wait to implement NAC by enabling features that are provided via their infrastructure. The most common examples will be Cisco's Network Admission Control (CNAC), Microsoft's Network Access Protection (MNAP) or a joint implementation of both solutions. But the infrastructure-based approach has proven to be a nonstarter so far, and Gartner does not anticipate that momentum to change until the second half of 2009. Cisco continues to promote its appliance-based solution and Microsoft has only just started to deliver on MNAP, now that it is shipping Windows Server 2008. The standardization efforts of the Trusted Computing Group's Trusted Network Connect consortium, which are largely based on an infrastructure approach, have yet to make an impact among early NAC adopters.
  • "Incremental NAC" widens the market — Many network and security vendors already have solutions that can be part of the NAC process (for example, access control [particularly guest access], endpoint baselining and intrusion prevention), and they can round out their NAC functionality by acquiring or licensing NAC technology. Two new entrants in this year's MarketScope, Aruba Networks and 3Com (TippingPoint), join several other established vendors in this category. Network discovery vendor Insightix is also a new entrant this year (its NAC capabilities are internally developed). Other network and security vendors will also adopt an incremental NAC strategy as their customers seek to implement NAC by building on their existing solution base.

In 2008, many of the smaller NAC vendors should be viewed tactically. These solutions will appeal to early adopters that seek advanced NAC functionality and more-mature manageability and reporting features. But the following factors will make it more difficult for smaller vendors to compete beyond 2009, when Gartner expects that the stand-alone NAC market will begin to consolidate:

  • Embedding NAC in Endpoint Protection (EPP) Suites — The EPP suite vendors (primarily McAfee, Sophos and Symantec) are well positioned to gain share in the NAC market. All three offer NAC as an optional component of their endpoint agents; among the major EPP vendors, Trend Micro is the notable exception. These vendors pose the biggest threat to small NAC vendors that rely heavily on an endpoint agent.
  • Momentum of Infrastructure-Based Solutions — Although Cisco and Microsoft have been slow to execute with infrastructure-based NAC, time and economics are on their side. As organizations go through the technology refresh cycle, they will be positioned to use the embedded NAC functionality in their infrastructure vendors' flagship products, or at least wait to see how others fare with these infrastructure-based solutions. The perception of cost and risk reduction of using NAC from large, established infrastructure vendors will be the largest factor driving NAC adoption into the mainstream.

Another important trend is guest networking, which typically involves limiting guests to Internet access only. Most Gartner clients that are planning to deploy NAC report that their first priority is to implement a guest network. In 2007, many security managers who viewed NAC as a strategic security process were able to use the near-term benefits of guest networking to justify getting started in NAC. All the NAC solutions in this MarketScope can be used to build a guest network, and we have noted those that are the most adaptable. Two vendors, Cisco and Identity Engines (which did not qualify for this year's MarketScope — see Note 1), offer purpose-built guest network applications with enhanced manageability and reporting functions. Aruba Networks also offers advanced guest-networking functions.




Market/Market Segment Description

In "Network Access Control Decision Framework," Gartner identified the following approaches to implementing NAC: infrastructure, appliances or endpoint software. The infrastructure-based approach is still not yet mature and, by definition, generates little NAC-specific revenue to the overall market. In this MarketScope, Gartner has defined the NAC market to be those vendors that sell appliance-based or endpoint software-based NAC solutions. Gartner estimates that this market grew 87% from 2006 to a total of $225 million in 2007. Gartner anticipates that the market will grow approximately 100% in 2008.

Four vendors from the NAC 2007 MarketScope have exited the market. Caymas was acquired by Citrix (June 2007), which then discontinued the Caymas NAC solution. Trend Micro no longer actively markets its appliance-based approach to NAC. Vernier Networks has changed its name to Autonomic Networks and is repurposing its core technology to focus on the related area of identity-aware networking. In March 2008, Lockdown Networks announced that it was ceasing operations and is entertaining offers for its intellectual property.

In 2008, four vendors appear for the first time in the NAC MarketScope. Impulse Point is a NAC pure play that has focused on the higher education market. Aruba, Insightix and 3Com (TippingPoint) are also new to the MarketScope.




Inclusion and Exclusion Criteria

Vendor differentiation is challenging in the NAC market because some vendors have licensed their technology to multiple partners. Thus, the goal of these inclusion/exclusion criteria is to identify the vendors that own core NAC technology.

To be included in this MarketScope, the vendors' solutions must be composed of the policy, baseline and access control elements of NAC, as defined by the following criteria:

  • Policy — The NAC solution must include a dedicated policy management server with a management interface for defining and administering security configuration requirements and for specifying the access control actions (for example, allow or quarantine) for compliant and noncompliant endpoints. The ability to report on the overall state of endpoint compliance is a critical component of the policy function. Because we expect policy administration and reporting functions to be a key area of NAC innovation and differentiation, vendors must own the core policy function to be included in this MarketScope.
  • Baseline — A baseline determines the security state of an endpoint that is attempting a network connection (LAN or virtual private network [VPN]) so that a decision can be made about the level of access that will be allowed. Baselining must include the ability to assess policy compliance (for example, up-to-date patches and antivirus signatures) and may include the ability to detect installed malware. Various technologies may be used for the baseline function, including agentless solutions (such as vulnerability assessment scans), dynamic agents and persistent agents. NAC solutions must include a baseline function, but "reinventing the wheel" is not necessary. Baseline functionality may be obtained via an OEM or licensing partnership.
  • Access control — The NAC solution must include the ability to quarantine or grant full or limited access to an endpoint. The solution must be flexible enough to enforce access control in a multivendor network infrastructure. Enforcement must be accomplished by the network infrastructure (for example, via 802.1X or via port-based reconfiguration) or via the vendor's NAC solution (for example, dropping/filtering packets). Dynamic Host Configuration Protocol (DHCP) enforcement qualifies for inclusion, provided that policy enforcement can be delivered via partnerships with two or more DHCP solutions. Vendors that rely solely on agent-based endpoint self-enforcement do not qualify as NAC solutions.

Additional criteria include:

  • Mitigation — Solutions must link to remediation systems (for example, patch and configuration management), but they do not need to own core mitigation technology.
  • The products with the required features and functions must have been shipping as of 1 December 2007.
  • The vendor must have had at least $1 million in NAC sales during the 12 months leading up to 1 December 2007.
  • The vendor must have supplied three customer references (paying customers) to Gartner for its NAC solution. The references must have deployed the solution in a production environment.
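As an added illustration (not from Gartner or from any vendor named in this MarketScope) of how the policy, baseline and access control elements fit together, the following Python sketch of a NAC policy server takes an endpoint baseline (agent- or scan-supplied antivirus signature age, missing critical patches, malware state), applies a policy to reach an allow/limited/quarantine decision, reports on the overall compliance state, and expresses the enforcement action as the RFC 3580 RADIUS attributes an 802.1X switch uses for dynamic VLAN assignment. All class, function and VLAN names, thresholds and sample endpoints are assumptions constructed for the example; the one fixed design point is that an endpoint that cannot be assessed is treated as noncompliant rather than allowed through.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Illustrative NAC policy engine (assumed names; not any vendor's product).


class Decision(Enum):
    ALLOW = "allow"            # full access on the production VLAN
    LIMITED = "limited"        # guest: Internet-only VLAN
    QUARANTINE = "quarantine"  # remediation VLAN only


@dataclass
class Baseline:
    """Security state of one endpoint, as reported by an agent or a scan."""
    mac: str
    source: Optional[str]                 # "agent", "scan", or None if no baseline was obtained
    av_signature_date: Optional[date]     # None if the baseline could not determine it
    missing_critical_patches: int = 0
    malware_detected: bool = False
    is_guest: bool = False


@dataclass
class Policy:
    """Compliance thresholds and the VLAN used for each decision (assumed values)."""
    max_signature_age_days: int = 7
    max_missing_critical_patches: int = 0
    production_vlan: int = 100
    guest_vlan: int = 900
    quarantine_vlan: int = 999


def evaluate(policy: Policy, b: Baseline, today: date) -> Tuple[Decision, List[str]]:
    """Policy element: turn a baseline into an access decision plus the reasons for it."""
    if b.is_guest:
        return Decision.LIMITED, ["guest user: Internet-only access"]
    if b.source is None:
        # Fail closed: an endpoint that could not be assessed is never treated as compliant.
        return Decision.QUARANTINE, ["no baseline obtained (no agent and no scan result)"]
    reasons: List[str] = []
    if b.malware_detected:
        reasons.append("malware detected")
    if b.av_signature_date is None:
        reasons.append("antivirus signature date unknown")
    elif today - b.av_signature_date > timedelta(days=policy.max_signature_age_days):
        reasons.append(f"antivirus signatures older than {policy.max_signature_age_days} days")
    if b.missing_critical_patches > policy.max_missing_critical_patches:
        reasons.append(f"{b.missing_critical_patches} critical patch(es) missing")
    return (Decision.QUARANTINE, reasons) if reasons else (Decision.ALLOW, ["compliant"])


def vlan_for(policy: Policy, decision: Decision) -> int:
    return {Decision.ALLOW: policy.production_vlan,
            Decision.LIMITED: policy.guest_vlan,
            Decision.QUARANTINE: policy.quarantine_vlan}[decision]


def radius_vlan_attributes(vlan: int) -> Dict[str, object]:
    """Access control element: RFC 3580 attributes returned in a RADIUS Access-Accept
    so that an 802.1X-capable switch moves the authenticated port into the chosen VLAN."""
    return {
        "Tunnel-Type": 13,                  # VLAN
        "Tunnel-Medium-Type": 6,            # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }


def decide_and_enforce(policy: Policy, b: Baseline, today: date) -> Dict[str, object]:
    decision, reasons = evaluate(policy, b, today)
    return {"mac": b.mac, "decision": decision, "reasons": reasons,
            "radius": radius_vlan_attributes(vlan_for(policy, decision))}


def compliance_report(results: List[Dict[str, object]]) -> Dict[str, int]:
    """Reporting: overall compliance state of the endpoint population."""
    counts = {d.value: 0 for d in Decision}
    for r in results:
        counts[r["decision"].value] += 1
    return counts


# Constructed sample endpoints for the example (not real data).
TODAY = date(2008, 3, 25)
SAMPLE_ENDPOINTS = [
    Baseline("00:11:22:33:44:01", "agent", date(2008, 3, 24)),                             # compliant
    Baseline("00:11:22:33:44:02", "agent", date(2008, 3, 1), missing_critical_patches=2),  # stale AV, unpatched
    Baseline("00:11:22:33:44:03", "scan", date(2008, 3, 23), malware_detected=True),       # infected
    Baseline("00:11:22:33:44:04", None, None),                                              # unassessable
    Baseline("00:11:22:33:44:05", None, None, is_guest=True),                               # visitor
]


def run_sample() -> List[Dict[str, object]]:
    return [decide_and_enforce(Policy(), b, TODAY) for b in SAMPLE_ENDPOINTS]


if __name__ == "__main__":
    results = run_sample()
    for r in results:
        print(f'{r["mac"]} -> {r["decision"].value:10} VLAN {r["radius"]["Tunnel-Private-Group-ID"]}  '
              f'({"; ".join(r["reasons"])})')
    print("compliance:", compliance_report(results))
```

A real policy server would obtain the baseline from its agent or scanner and hand these attributes to its RADIUS front end; the same decision could equally drive a port ACL, a VLAN change via switch reconfiguration, or a DHCP scope, which are the other enforcement paths the criteria above allow.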

Several network infrastructure vendors (see Note 2) offer add-on solutions that enforce NAC policies via their own LAN switches. We have excluded these solutions from this analysis because they are optimized for the vendor's own infrastructure and have drawbacks when deployed in other vendors' environments.




Rating for Overall Market/Market Segment

Overall Market Rating: Promising

The NAC appliance vendors and the pure-play software vendors face a limited window of opportunity before the infrastructure solutions mature and before the network and security product vendors (particularly the endpoint security companies) gain momentum. However, as threats (such as targeted malware) and business trends (such as the consumerization of IT) continue to drive more need for security checks before allowing network access, innovative vendors will be able to stay ahead of (or be acquired by) the slower-moving infrastructure vendors. Based on the current opportunities for all NAC vendors, we rate the overall market as Promising.




Evaluation Criteria


Table 1. Evaluation Criteria

Evaluation Criteria | Comment | Weighting
Market Understanding | Ability of the vendor to understand buyers' needs and translate these needs into NAC products, and to anticipate market trends and adapt quickly via partnerships and/or acquisitions. | standard
Marketing Strategy | A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements. | standard
Sales Strategy | The vendor's strategy for selling to its target audience, including an analysis of the appropriate mix of direct and indirect sales channels. | standard
Offering (Product) Strategy | An evaluation of the features and functions of the vendor's NAC solution. | high
Overall Viability (Business Unit, Financial, Strategy, Organization) | An assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the business unit will continue to invest in a NAC solution. | high
Sales Execution/Pricing | The vendor's capabilities in all pre-sales activities and the structure that supports them, including pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel. | low

Source: Gartner (March 2008)

 



Figure 1. MarketScope for Network Access Control, 2008

Source: Gartner (March 2008)

 




Vendor Product/Service Analysis

3Com (TippingPoint)

Differentiators/strengths:

In early 2007, 3Com acquired the assets of Roving Planet, which had developed software for WLAN access point management, guest networking and NAC. The TippingPoint NAC solution consists of a NAC Policy Server that supports dissolvable and permanent agent-based endpoint baselining, and 802.1X and DHCP enforcement, as well as a NAC Policy Enforcer that can provide inline blocking and that can interoperate with any deployed TippingPoint IPS devices. Since many NAC deployments start with WLAN guest access, the Roving Planet technology provides a simple and low-cost starting point, while TippingPoint's background in IPS provides strong capabilities for threat detection and inline enforcement.

Challenges:

  • Although TippingPoint has a large, installed IPS base, its strategic direction is in doubt because of the uncertainty around the sale of parent company 3Com. Gartner believes that TippingPoint's management attention and business focus will be affected until 3Com settles on its long-term strategy.
  • Although many common elements occur between IPS and NAC, TippingPoint is primarily an IPS company. IPS is a very competitive market, which may pull TippingPoint in directions that are not optimal for NAC advancement.

Appropriate Use Cases:

  • Users of TippingPoint IPS or Roving Planet Access Point Manager
  • Businesses that value the additional protection of inline NAC and are willing to use inline devices

Rating: Promising




Aruba Networks

Differentiators/strengths:

The Aruba Endpoint Compliance System (ECS) is based on technology licensed from Bradford Networks via an OEM arrangement, and works with Aruba's inline Mobility Controllers to provide NAC capabilities. Aruba's strength comes from its position in second-generation wireless networking, where the Mobility Controller provides strong access control and inline security filtering for clients associating to WLAN access points. The addition of the ECS appliance combines the broad assessment and enforcement capabilities of Bradford with the inline capabilities of Aruba. Since Wi-Fi access is a common component of guest networking, Aruba ECS users report ease of implementation in wireless guest networking as a prime reason for selecting Aruba for NAC.

Challenges:

  • Since Aruba depends on Bradford, a competitor acquiring Bradford could affect Aruba's capabilities.
  • Aruba has limited visibility outside of the wireless network market.
  • Although the Mobility Controller has inline firewall and IPS capabilities, Aruba does not compete in those markets and its inline capabilities are not competitive with those that do, such as Juniper and TippingPoint.

Appropriate Use Cases:

  • Users of Aruba Mobility Controllers and access points
  • Businesses that need to rapidly deploy wireless guest networking on the path to full NAC

Rating: Promising




Bradford Networks

Differentiators/strengths:

Bradford has primarily targeted the higher education market, where it claims more than 300 NAC customers for its Campus Manager solution. It is well-suited to the demands of university environments because of its ability to deal with heterogeneous, unmanaged endpoints (via a dissolvable agent or via a Nessus scan integrated with its policy server appliance). The Campus Manager solution has several manageability features that appeal to higher education institutions, including the ability for students to pre-register their PCs before arriving on campus. To maintain growth, Bradford has increasingly focused on the broader enterprise market. In the academic environment, Bradford gets high marks from users for customer support and responsiveness. Bradford supplies NAC technology to Aruba Networks via an OEM agreement.

Challenges:

  • Bradford is a small company that will increasingly face pressure from embedded NAC solutions, particularly the EPP suite vendors that are adding NAC functionality to their agents (for example, McAfee, Sophos and Symantec).
  • Microsoft's NAP (MNAP) solution and its embedded Quarantine Agent component in Vista also represent a threat to Bradford, although MNAP still needs to prove itself as a viable and mature solution.
  • Bradford needs to achieve greater penetration outside the higher education vertical market. In 2007, it introduced a new appliance, the NAC Director, aimed at the broader enterprise market. NAC Director provides a high-availability option, but it supports only a limited subset of VPN gateways and lacks automated remediation (Bradford states that automated remediation and advanced guest services will ship in the second quarter of 2008).

Appropriate Use Cases:

  • Universities or similar environments that seek out-of-band NAC solutions with an emphasis on pre-connect device policies (Campus Manager also interoperates with authentication servers to support user-based policies).
  • Gartner has rated Bradford Positive for university environments. Large enterprises that want tighter NAC/mitigation integration should evaluate other providers. Enterprises that are not making decisions until the second half of 2008 will be able to evaluate Bradford's remediation against other more-mature offerings.

Rating: Positive




Check Point Software Technologies

Differentiators/strengths:

Check Point Software Technologies has long been a strong player in the personal firewall and VPN client software market. Its Check Point Endpoint Security client unifies NAC, VPN and personal firewall functionality in a single endpoint client. Check Point's NAC also offers a dissolvable agent. Since its client has strong local policy enforcement capabilities, Check Point's approach can greatly limit the damage a compromised machine can inflict on the network. For enforcement and mitigation support, Check Point largely depends on other Check Point products and its large OPSEC partner ecosystem for NAC-specific reporting, remediation support and other advanced capabilities. For example, the Check Point firewall can be configured to allow traffic only from endpoints that are running the Endpoint Security client and have passed baseline compliance checks; endpoints that do not meet these criteria can be quarantined or given limited access. Check Point NAC users report that they based their selection on ease of implementation in remote access applications.

Challenges:

  • Check Point primarily treats NAC as a feature of its other products and does not focus on competing in stand-alone NAC procurements.
  • Check Point's strength in NAC depends on its ability to compete in the Endpoint Protection market against entrenched antivirus players. As individual desktop security products have evolved into combined Endpoint Protection Platforms (see "Magic Quadrant for Endpoint Protection Platforms, 2007"), Check Point is in a much weaker position.
  • Limited capabilities for early-stage NAC applications such as Guest Networking.

Appropriate Use Cases:

  • Users of the Check Point Integrity client or Check Point VPN

Rating: Promising




Cisco

Differentiators/strengths:

Because of Cisco's size and its focus on NAC, it has the largest installed base of NAC customers. In 2007, Cisco responded quickly to market trends by introducing its NAC Guest Server appliance and its NAC Profiler appliance (both products are from OEM deals with small vendors). A single Guest Server communicates with multiple Cisco NAC appliances or Cisco wireless LAN controllers and provides the provisioning, management and reporting capabilities for the guest network. The NAC Profiler makes it easier to discover and monitor nonauthenticating devices (for example, IP phones and printers) in a NAC environment. In 2007, Cisco also introduced a NAC Appliance module for its ISR routers, which makes it easier and more cost-effective to implement NAC in remote offices.

The NAC appliance has the flexibility to be deployed in-band or out-of-band. The out-of-band positioning improves the scalability of the NAC appliance, but it is currently limited to implementations with Cisco Catalyst switches only. Endpoint baselining is accomplished via an optional endpoint agent (permanent or dissolvable) or via a scanning function (using Nessus signatures).

Challenges:

  • Cisco's family of NAC appliances is expensive. Many Gartner clients have reported that proposals based on the NAC appliance/CCA are priced at more than twice the amount of competing solutions.
  • Cisco has two deployment options for NAC — one based on an all-Cisco approach (via its NAC Appliance family) and one based on its partnership with Microsoft (via CNAC/MNAP interoperability). Organizations that begin with the all-Cisco approach and foresee migrating to the combined CNAC/MNAP solution should recognize that they may need fewer NAC appliances in a CNAC/MNAP implementation. Some NAC functions performed by the NAC appliances (mainly endpoint baselining) can be performed with MNAP (for Windows endpoints). In a CNAC/MNAP environment, the Cisco NAC appliances and the Cisco ACS server can serve as a "bridge" to MNAP for non-Windows endpoints.
  • Cisco needs to provide a more detailed road map for its authentication and NAC-related solutions. It needs to spell out how it will integrate its 802.1X solution (acquired from Meetinghouse), its NAC Appliances (acquired from Perfigo and also OEM deals) and its newly announced TrustSec initiative (see "Q&A on Cisco's TrustSec").

Appropriate Use Cases:

  • Cisco customers that need to tactically add NAC to "pain points":
    • Selected locations
    • Specific access-methods (VPN, wireless, LAN)
  • Cisco customers that need to build guest networks with advanced manageability, reporting and provisioning capabilities
  • Cisco's NAC Appliance/CCA solutions are functional, but not ideal, for non-Cisco environments. If you are not already a Cisco customer, then you will find that most competing NAC solutions offer more flexibility (they will also support non-Cisco equipment and heterogeneous environments) at a lower price.

Rating: Positive




ConSentry Networks

Differentiators/strengths:

ConSentry offers an inline approach to NAC via two options — Ethernet switches and LAN appliances that are positioned between an edge switch and a core switch. Both products are based on ConSentry's ASIC technology. Starting in 2007, ConSentry began to reposition itself as a LAN switch company with embedded NAC functionality. Competing in the LAN switch market is a risky endeavor for a startup, but it positions ConSentry to capitalize on a key market trend — that NAC will increasingly become an embedded feature of the network infrastructure. ConSentry's inline positioning gives it the ability to "snoop" the user authentication process and enforce user policies at a granular level, including file access controls. Inline positioning also enables ConSentry to block malware attacks via its anomaly detection algorithm. Most ConSentry customers have implemented only limited user-based policies so far, but many report benefits from the increased visibility into network and user traffic flows. Based on its increased market presence, ConSentry has moved up from its 2007 ranking in the Promising category to a Positive ranking in 2008.

Challenges:

  • ConSentry's ability to implement pre-connect NAC device policies is limited. It lacks a permanent agent and an agentless scanning capability; endpoints are baselined via an automatically downloaded dissolvable agent.
  • ConSentry is a small company, and its new positioning places it in a head-on competition with Cisco and other large LAN switch manufacturers. Its sales force, distribution channel and support team all need to demonstrate that they can succeed in large LAN opportunities.
  • At the time of this MarketScope's publication, ConSentry had an interim CEO. ConSentry needs a CEO with the experience and skills to grow the company to be a competitor in the LAN switch market.

Appropriate Use Cases:

  • Environments that require NAC user-based policies
  • Implementing guest networks (due to ConSentry's ability to snoop authentication, network managers can implement guest networks without involvement from the desktop team)
  • "Greenfield" LAN opportunities (for organizations that can accept the risk that comes with any startup company)
  • Environments with a high percentage of unmanaged PCs (for example, universities) that require IPS capabilities in the LAN

Rating: Positive




ForeScout

Differentiators/strengths:

ForeScout's CounterACT NAC product is an out-of-band NAC appliance that baselines endpoints with a persistent or dissolvable agent, or agentlessly by using credentialed access to the endpoint. It provides a broad combination of pre-connect and post-connect analysis capabilities. CounterACT supports VLAN and VPN server enforcement and integrates with a number of remediation vendors, such as Lumension and Microsoft Operations Manager (MOM). CounterACT includes an embedded Remote Authentication Dial-In User Service (RADIUS) proxy for 802.1X support, and it interfaces with multiple directory solutions to enforce user-based policies. ForeScout users report ease of installation, competitive pricing and responsive support as the primary reasons for selecting ForeScout, with several citing the ease of meeting short-term requirements for guest access as a key decision factor.

Challenges:

  • CounterACT lacks some enforcement mechanisms. It does not allow DHCP-based enforcement (it does not interface with DHCP servers) and it has no inline (packet filtering) capabilities.
  • ForeScout's distribution channel lacks a partnership where it licenses its technology (via an OEM agreement) to a large vendor. Several other small NAC vendors benefit from this type of partnership.

Appropriate Use Cases:

  • Existing users of ForeScout ActiveScout
  • Enterprises where a rapid demonstration of supporting guest networking can provide leverage for a larger-scale NAC implementation
  • Enterprises with a high percentage of unmanaged endpoints (due to ForeScout's agentless scan capability)

Rating: Promising




Impulse Point

Differentiators/strengths:

Impulse Point's Safe Connect provides a scalable and relatively inexpensive approach to NAC based on pre-connect device policies. These characteristics appeal to the higher education market (which accounts for about 50% of Impulse Point's revenue). Endpoint baselining is provided via an agent (permanent or dissolvable), which can also provide self-enforcement. The agent runs continuously on the endpoint and can immediately detect configuration changes (most endpoint-software NAC solutions rely on scheduled agent scans). The agent can be programmed to send safety alerts and other messages to students on campus. With Safe Connect, access control is most commonly enforced via ACLs on routers or Layer 3 switches. The Safe Connect policy server embeds a RADIUS server, so it participates in 802.1X authentication. The policy server also implements role-based policies by interfacing with common directory service solutions. Impulse Point delivers its solution as a managed service, whereby it manages updates (patch and antivirus status) to its policy server and also houses daily policy configuration backups. Safe Connect is available as an appliance or as software (it is certified to run in a virtualized VMware environment).

Challenges:

  • Safe Connect's access control architecture has limitations. When enforcement is provided via Layer 3 ACLs, only traffic that crosses a routed boundary is filtered; a noncompliant device attached to a Layer 2 switch can still reach every other host on the same segment. Most organizations require LAN-based (Layer 2) NAC enforcement.
  • Outside of the higher education market, Impulse Point suffers from low market visibility (due to its small size and limited resources).
  • Impulse Point customers report that its graphical reporting capabilities are lacking (although log information can be exported to external databases and customized).

Appropriate Use Cases:

  • Organizations seeking a cost-effective approach to NAC (Impulse Point's pricing model is most favorable at 10,000 nodes and above)

Rating: Caution




InfoExpress

Differentiators/strengths:

InfoExpress provides VPN, personal firewall and NAC technology. InfoExpress CyberGatekeeper is a pre-connect NAC solution that implements endpoint agent-based and network-based enforcement. Persistent or dynamic agents can be used to baseline endpoints. It provides flexible enforcement options, in-band and out-of-band, making it suitable for LAN-based and VPN-based NAC. Its Dynamic NAC product is unique in using persistent agents to implement ARP-based enforcement against noncompliant hosts on a LAN segment; because ARP does not cross routers, this approach requires an enforcing agent on each segment to be protected and, like any Layer 2 technique, controls only traffic within that broadcast domain.

Challenges:

  • The primary challenge for InfoExpress is its size relative to other endpoint security vendors that provide NAC. Although it can sell its NAC solution to its VPN and personal firewall customers, this potential customer base is small when compared with major endpoint security vendors (that also have NAC solutions).
  • Although customer satisfaction with InfoExpress remains high, the company's technology differentiation has eroded as large competitors such as McAfee and Symantec have expanded their endpoint security solutions to include better personal firewalls (PFWs) and NAC support.
  • InfoExpress does not support DHCP-based enforcement (its solution does not integrate with any DHCP servers).

Appropriate Use Cases:

  • Users of InfoExpress VPN and PFW technology
  • Organizations that want to implement access control without relying on network equipment for enforcement, and that want to enforce policy on devices that are not running a client, such as printers, PDAs and unauthorized devices (via the software-based Dynamic NAC solution)
  • Organizations that have many sparsely populated branch offices (Dynamic NAC is cost-effective for this approach)

Rating: Promising




Insightix

Differentiators/strengths:

Insightix is a startup company with a new software-based NAC product. Insightix NAC is designed around Insightix Visibility, the company's core network discovery and monitoring technology, which provides dynamic endpoint profiling. By packaging NAC functions with its Visibility offering, Insightix's solution knows whether a device is managed or unmanaged before it connects to the network. The Insightix NAC solution is composed of a policy server and a network monitor; the monitor detects new connections, drives endpoint baselining activity and implements quarantine via ARP cache manipulation. Managed endpoints are baselined over the network, and unmanaged endpoints are baselined with a dissolvable agent.

Challenges:

  • Insightix needs to mature its NAC offering. Insightix customer references report that they were early in the deployment process. Some faced usability and stability issues that are typical with early products, but report that these problems have since been resolved.
  • Insightix is a small company with limited resources for competing with large NAC providers and point-solution vendors with more-mature offerings.
  • Remediation support is limited to dialog boxes (Insightix plans to release expanded support during 2008).
  • VPN support is not yet available. Insightix needs to integrate its out-of-band solution with VPN gateways to enforce remote access NAC.

Appropriate Use Cases:

  • Customers of Insightix's network discovery solution that want to add basic NAC functionality

Rating: Caution




Juniper Networks

Differentiators/strengths:

Juniper's Unified Access Control (UAC) NAC product builds on Juniper's strength in the SSL VPN and inline network IPS markets, and on its acquisition of Funk Software's RADIUS and 802.1X products. Juniper UAC provides a wide array of enforcement options, lacking only DHCP enforcement. In UAC 2.1, Juniper used Shavlik's NetChk Protect patch-level assessment technology and increased the number of remediation partners working with UAC. Juniper has been a driver of open standards for NAC, and its entry into the enterprise switching market enables it to provide strong infrastructure-based NAC solutions in the future. Based on product improvements and some large customer wins, Juniper has moved up from the 2007 rating of Promising to Positive in 2008.

Challenges:

  • Some Juniper UAC users report conflicts between the Juniper client software and other client software, such as BMC/Marimba's application management client.
  • Juniper has not been aggressive with UAC pricing in selling to its installed Neoteris SSL VPN base.
  • Direct competition with Cisco in enterprise switching may dilute Juniper's focus on UAC.

Appropriate Use Cases:

  • Existing users of Juniper IPS, SSL VPN or Odyssey 802.1X products
  • Mixed network infrastructure environments where broad enforcement capabilities are needed

Rating: Positive




McAfee

Differentiators/strengths:

Unlike endpoint security competitors Symantec and Sophos, both of which acquired NAC startup companies, McAfee has chosen to build its own NAC capabilities. Its NAC functionality was designed to be integrated as an extension to the ePolicy Orchestrator (ePO) endpoint and policy management components. For baselining endpoints, it provides permanent or dissolvable agents, as well as agentless scanning (via its Foundstone product). Access control is provided via agent-based enforcement or via port-based VLANs on Cisco switches. Later in 2008, McAfee is planning to add NAC functionality to its IntruShield IPS solution, which will give it additional options for authentication and for enforcing access control. McAfee is well-positioned as a long-term NAC player because of its installed base in the endpoint protection market, although it is playing catch-up in several key areas noted below.

Challenges:

  • McAfee is behind its competitors in important areas of NAC functionality, namely access control enforcement and user-based authentication. Its lack of RADIUS support prevents it from participating in the 802.1X authentication process (which applies to user and device policies). McAfee's solution also does not interface with Active Directory or other authentication stores, nor does it interface with DHCP servers (for DHCP-based enforcement).
  • McAfee's limitations with authentication make it a weak choice for building guest networks.
  • McAfee's LAN-based enforcement is limited to Cisco switches (VLANs only).
  • Like its competitors in the endpoint security market, McAfee's sales force is challenged to generate demand within its endpoint security buying center for NAC.

Appropriate Use Cases:

  • McAfee customers that use ePO and Total Protection Suite can implement NAC with common agent technology and policy management functions.
  • McAfee customers that use its vulnerability assessment and remediation solutions.

Rating: Promising




Mirage Networks

Differentiators/strengths:

Mirage Networks provides an out-of-band appliance that is optimized to enable post-connect NAC. Its Endpoint Control NAC appliance monitors endpoints for anomalous traffic patterns and uses Address Resolution Protocol (ARP) manipulation to isolate suspect endpoints. This ARP manipulation technique enables the Endpoint Control appliance to selectively insert itself in-line and filter packets. This feature is helpful for authenticating users before they gain network access: it enables the Mirage appliance to remain in an in-line state until the user authenticates and/or performs a compliance scan. Mirage benefits from a partnership with AT&T, which has built a managed service around the Endpoint Control appliance. Mirage's solution is one of the least expensive in the market.

Challenges:

  • Mirage's dependence on ARP-based enforcement limits its ability to enforce NAC policies in a Secure Sockets Layer (SSL) VPN environment.
  • Mirage does not offer a permanent agent or an agentless scanning ability (although it does offer an optional dissolvable agent for pre-connect endpoint baselining).
  • Mirage is a small company that primarily targets midsize organizations. It will need to expand its sales and distribution channels to win more large accounts.

Appropriate Use Cases:

  • Organizations that want to quickly implement guest networks. The Mirage appliance's ability to temporarily insert itself inline (via ARP manipulation) and monitor the user authentication process is often an easier alternative to virtual LAN (VLAN) or ACL-based guest networks. Organizations can then extend Mirage's capabilities to provide broader NAC functions.
  • Environments with a high percentage of unmanaged endpoints that require the ability to detect and contain malicious traffic patterns.

Rating: Promising




Nevis Networks

Differentiators/strengths:

Nevis offers an inline approach to NAC via two options: an Ethernet switch and a LAN appliance that is positioned between an edge switch and a core switch. Both products are based on Nevis's ASIC technology, which has enabled it to cost-effectively integrate IPS capabilities (signature detection and anomaly detection) in the LAN. Nevis's inline positioning enables it to enforce granular user-based policies by dropping and filtering packets, a flexible approach for enabling the network to control role-based access. Customers report that they like the visibility into user behavior and network traffic patterns provided by Nevis, which helps them with forensic analysis, troubleshooting and planning additional user-based policies. Based on growth in its customer base, Nevis moved up from a Caution rating in the 2007 NAC MarketScope to a Promising rating in 2008.

Challenges:

  • Nevis is a small company that, despite progress in 2007, continues to battle low market visibility among Gartner's client base.
  • At the time of publication, Nevis had an interim CEO. Since the previous CEO's departure (fourth quarter of 2006), the board has not filled the position. Nevis needs a CEO with the experience to guide it beyond the early startup stage.
  • Nevis is a likely acquisition target. Possible acquirers include LAN switching vendors that would buy the company for its application-specific integrated circuit (ASIC) and then repackage it in their switches. If it is not acquired, then Nevis will likely be challenged to compete against the larger vendors in the LAN switch market.

Appropriate Use Cases:

  • Organizations that seek to implement guest networks without deploying desktop agents.
  • Networks that need to monitor and enforce role-based access.
  • "Greenfield" LAN opportunities (for organizations that can accept the risk that comes with any startup company).
  • Environments with a high percentage of unmanaged PCs (for example, universities) that require IPS capabilities in the LAN.
  • Nevis is not an optimal solution for implementing pre-connect device policies. It has a dissolvable agent (developed in-house) and is working on a permanent agent. It lacks an agentless endpoint scanning ability.

Rating: Promising




Sophos (Endforce)

Differentiators/strengths:

Sophos has many endpoint security customers that are natural prospects for its NAC Advanced offering. NAC Advanced comprises agent-based NAC technology from the early 2007 acquisition of Endforce. The solution is optimized for pre-connect NAC and provides access control enforcement via DHCP, agent-based self-enforcement, 802.1X and multiple VPN gateways. The policy server can function as a RADIUS authentication server or as a RADIUS proxy. In the second quarter of 2008, Sophos plans to release an endpoint security suite that integrates its endpoint security and NAC agents. At the same time, Sophos plans to release an integrated management console to unify NAC and endpoint protection policy controls. A successful integration should deliver NAC deployment and manageability benefits for Sophos customers.

Challenges:

  • Sophos is behind its major endpoint protection suite competitors (McAfee and Symantec) in delivering an integrated NAC and endpoint protection policy console.
  • Sophos and its endpoint security competitors share a common challenge in marshalling support for NAC acquisition within their endpoint security buying centers.
  • The Sophos endpoint security customer base is much smaller than those of its primary endpoint security competitors (Symantec and McAfee).

Appropriate Use Cases:

  • Existing Sophos endpoint security customers that seek to add NAC via a unified agent (when it becomes available).
  • Non-Sophos customers can also implement Sophos's independent NAC solution.

Rating: Positive




StillSecure

Differentiators/strengths:

StillSecure's Safe Access solution has broad pre-connect NAC support for device policies. Baselining can be achieved via a persistent agent, a dynamic agent or an agentless scan. Access control can be achieved via DHCP (Safe Access integrates with multiple DHCP servers), agent-based self-enforcement, VLANs or ACLs. Safe Access can also be deployed in-line behind a VPN concentrator, where it can filter packets to enforce NAC policies. StillSecure is primarily pursuing an OEM strategy by licensing NAC technology to its partners. It is an OEM provider to Extreme Networks, Novell (Senforce) and one other LAN switch vendor.

Challenges:

  • StillSecure is a small company that struggles with low visibility and market awareness, which hampers its direct sales efforts. In 2007, StillSecure announced that it was providing free downloads for SA Lite, a NAC "teaser" product (monitoring, but no enforcement). This announcement resulted in limited interest from Gartner's client base.
  • Limited capabilities for guest networking.

Appropriate Use Cases:

  • Organizations that seek a flexible solution (multiple baselining and enforcement options) for pre-connect NAC device policies.
  • Users of StillSecure's IPS solution. StillSecure has integrated its IPS solution with Safe Access, so that it can quarantine endpoints that its IPS identifies as suspicious.

Rating: Positive




Symantec

Differentiators/strengths:

Symantec Endpoint Protection release 11 implements a common agent architecture for malicious code protection, intrusion prevention and NAC. Endpoint baselining is provided via permanent or dissolvable agents, or via an agentless scanning option. Access control is provided via appliances, with separate models for 802.1X, DHCP and in-line (packet filtering) enforcement; the in-line model is a good option for enforcing NAC for VPN access. A DHCP "plug-in" is available for Microsoft's DHCP server, and Symantec's persistent NAC agent also provides self-enforcement. Symantec plans to integrate with Altiris PC life cycle management technology (Symantec acquired Altiris in 2007) to provide additional automated mitigation options. Symantec is well-positioned in the NAC market because it can target its large installed base of endpoint protection customers to upgrade to NAC.

Challenges:

  • Like its competitors in the endpoint security market, Symantec's challenge is to get the attention of the network team that typically makes the NAC decision.
  • Symantec's solution lacks post-connect malware detection and containment functions.

Appropriate Use Cases:

  • Symantec Endpoint Protection customers can implement NAC for managed endpoints and use a common policy and agent infrastructure.
  • Non-Symantec customers can also implement Symantec's independent NAC solution, which provides much of the same functionality as the integrated solution.

Rating: Positive


© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.







Note 1
Identity Engines




Startup vendor Identity Engines sells a guest networking solution where the main component is an appliance-based RADIUS server. Guest and end-user authentication can be provided via 802.1X or via a captive portal. A guest network software application handles user provisioning, management and reporting functions. Identity Engines was not included in this year's MarketScope analysis because it lacks endpoint baselining capabilities (it is planning to release an endpoint agent in 2008).





Note 2
LAN Infrastructure Vendors That Offer NAC




The LAN switch vendors listed below sell branded components that enable an infrastructure-based approach to NAC. They vary widely in terms of functionality and integration (some are OEM solutions, whereas others are custom-built), but all warrant consideration by their existing customers because of their ability to provide enforcement via the network infrastructure. Most of these solutions will not work with older LAN switch product families.

  • Alcatel
  • Cisco Network Admission Control (CNAC)
  • Enterasys
  • Extreme
  • Nortel
  • HP (ProCurve)





Vendors Added or Dropped




We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.





Gartner MarketScope Defined




Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.

The ratings are defined in the table below:


MarketScope Rating Framework

Strong Positive
Is viewed as a provider of strategic products, services or solutions:

  • Customers: Continue with planned investments.
  • Potential customers: Consider this vendor a strong choice for strategic investments.

Positive
Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance:

  • Customers: Continue planned investments.
  • Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.

Promising
Shows potential in specific areas; however, execution is inconsistent:

  • Customers: Consider the short- and long-term impact of possible changes in status.
  • Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.

Caution
Faces challenges in one or more areas:

  • Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
  • Potential customers: Account for the vendor's challenges as part of due diligence.

Strong Negative
Has difficulty responding to problems in multiple areas:

  • Customers: Execute risk mitigation plans and contingency options.
  • Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.