As BYOD policies and the number of mobile devices accessing networks continue to proliferate, the enterprise attack surface grows wider, bringing in new security risks and vulnerabilities. It is therefore critical to have tools that provide improved network visibility and access management to protect devices and indeed the entire network from threats.
To address these challenges, Network Access Control (NAC) solutions are the answer. NAC solutions support network visibility and access control through policy enforcement on the devices and users of corporate networks. NAC aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over which users and devices can go on a network, and what they can do.
A NAC application can be set up to assess the security posture of devices attempting to connect to your network and determine whether they meet predefined standards such as device type, OS version, update status, and antivirus status, among others. If a device doesn’t meet them, it is either denied access or placed onto a quarantined network segment until the problems are rectified.
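To make the pre-admission check and the allow/quarantine/deny outcome concrete, here is an added example of a minimal posture policy evaluator; it is not code from any vendor reviewed on this page, and the policy thresholds, report format and VLAN ids are assumptions.

```python
from datetime import date

# Constructed policy (assumed values): minimum OS version per platform and the
# maximum age of the last patch. Missing or unparseable data is treated as
# "cannot assess" and denied, while a failed check is remediable -> quarantine.
MIN_OS = {"windows": (10, 0, 19041), "macos": (12, 0, 0), "android": (11, 0, 0)}
MAX_PATCH_AGE_DAYS = 30
REQUIRED_KEYS = ("platform", "os_version", "av_running", "last_patch")


def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045); tuples compare lexicographically."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(report, today):
    """Pre-admission posture check on one agent report (a dict).

    Returns (decision, reasons) where decision is 'allow', 'quarantine'
    (policy failed but fixable by the user) or 'deny' (cannot be assessed).
    """
    missing = [k for k in REQUIRED_KEYS if k not in report]
    if missing:
        return "deny", ["incomplete report: " + ", ".join(missing)]
    platform = report["platform"].lower()
    if platform not in MIN_OS:
        return "deny", ["unsupported platform: " + platform]
    try:  # never trust the agent's formatting: junk is a deny, not a crash
        version = parse_version(report["os_version"])
        patched = date.fromisoformat(report["last_patch"])
    except ValueError as exc:
        return "deny", ["unparseable field: %s" % exc]
    reasons = []
    if version < MIN_OS[platform]:
        reasons.append("os below minimum")
    if not report["av_running"]:
        reasons.append("antivirus not running")
    if (date.fromisoformat(today) - patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    return ("quarantine" if reasons else "allow"), reasons


def vlan_for(decision):
    """Post-admission placement: assumed VLAN ids; 'deny' maps to no VLAN."""
    return {"allow": 100, "quarantine": 999}.get(decision)


if __name__ == "__main__":
    sample = {"platform": "windows", "os_version": "10.0.19045",
              "av_running": False, "last_patch": "2024-01-20"}  # constructed
    decision, why = assess(sample, "2024-02-01")
    print(decision, why, "-> VLAN", vlan_for(decision))
```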
When evaluating NAC software or appliances, you need to ensure that it has the right features and capabilities to address your security risks and policy requirements. Some of the key questions to consider include: What do you need a NAC solution for: to manage guests, BYOD, IoT devices, or a combination of those? Is the NAC software able to integrate with existing software and network infrastructure? Does it support all kinds of endpoint devices (PC, Mac, Linux, Android, etc.)? Does it contribute to achieving compliance requirements? Is vendor support available in your region, and to what extent? Other factors to consider include features, agent or agentless implementation, and of course total cost of ownership.
The best network access control software
With such a huge range of NAC applications out there, choosing the right one for your business and budget can be challenging. In this article, we’re going to review the six best NAC applications in the market. Hopefully, this will guide you as you decide on the right NAC solution for your business.
With the Cisco ISE software, IT administrators can exercise controls over who, what, when, where, and how endpoints are allowed on the network. ISE uses Cisco TrustSec software-defined segmentation and other technologies to enforce security policies, including BYOD policies. ISE integrates well with other Cisco products, which makes it a natural fit for Cisco infrastructure network environments. It has been named a 2020 Gartner Peer Insights Customers’ Choice.
ISE checks for device policy compliance and posture using the Cisco AnyConnect agent, which also doubles as a VPN client app for desktop and laptop checks. ISE is available as a physical or virtual appliance for VMware, Red Hat, and Microsoft hypervisors. It can also be used to create ISE clusters to support the high availability and failover requirements of a critical enterprise network. Some of the features and capabilities include, but are not limited to:
- Built-in AAA services and support for multiple identity and directory services such as Active Directory, LDAP, RADIUS, RSA, OTP, etc.
- Centralized policy management and role-based access control
- Integrated BYOD, mobility, and guest lifecycle management
- Customizable mobile and desktop guest portals
- Device profiling and endpoint posture service
There are four primary ISE licenses available to customers as shown in Figure 2.0. These licenses as well as technical support can be purchased directly from Cisco certified partners.
Cisco ISE is a great tool, but it is best suited for organizations that have invested in Cisco hardware. If your network infrastructure is made up of equipment from different vendors, you may want to consider a NAC solution that is more suitable for your environment.
The Forescout NAC platform stands out among the rest in its space. It is a highly flexible and robust product that offers agentless detection and management of network devices ranging from IT to IoT and even operational technology (OT) devices. The Forescout NAC solution is among the 2020 Gartner Peer Insights Customers’ Choice for NAC.
As noted earlier, the ability to integrate with existing software and network infrastructure is one of the factors to consider when evaluating NAC products. Forescout’s NAC software integrates well with most network security applications such as vulnerability assessment and SIEM tools, among others. Forescout’s solution places emphasis on device visibility, and with its access to millions of device profiles, it can seamlessly identify a variety of them. And through its security policy engine, it is able to provide network access control, segmentation, and even automatic incident response.
Forescout’s flagship product, ForeScout 8.2, a unified device visibility and control platform for IT and OT networks, dynamically identifies and evaluates network devices and applications as they connect to an organization’s network. It provides the basis for automating and enforcing a wide array of policy-based controls for network access, endpoint compliance, and mobile device security. Forescout even offers advice on how its products can be used to meet regulatory compliance for PCI DSS, SOX, HIPAA, and others. It can be deployed as a physical or virtual appliance. Other related NAC component applications include:
- eyeSight—provides visibility into a network by discovering, classifying, and assessing devices as they establish a connection without requiring agents.
- eyeControl—helps to enforce and automate policy-based controls, as well as respond to incidents.
- eyeSegment—provides network segmentation or logical security zones across the enterprise.
Forescout makes its products available through a partner reseller network, which can assist with integration if required. There are three levels of support available to customers: ActiveCare Basic, ActiveCare Advanced, and Forescout Premium Care. Each includes access to an online support portal, email support, plugins, and software updates.
The Forescout NAC platform is a great choice for organizations that have network equipment from different vendors, as it can easily gather information from, and control, different products from the same pane of glass. However, Forescout NAC is best suited for large organizations, due to its support for the widest variety of devices and compliance modules.
FortiNAC is Fortinet’s NAC solution that provides visibility, profiling, control, and real-time automated response for everything that connects to the network, including IoT devices. It also delivers network segmentation using dynamic role-based access control and policy enforcement. FortiNAC performs device assessment to see whether a device matches approved profiles, such as the state of software updates and vulnerability patches. The assessment can be done actively or passively and can utilize permanent agents, dissolvable agents, or no agents.
FortiNAC is a flexible and scalable solution targeted at medium and large enterprises in areas like healthcare, education, IoT, and managed service providers. It can be deployed in virtual machines (VMware/AWS/Azure/KVM) or on hardware appliances. FortiNAC is an ‘out of band’ solution, which means that it does not sit in-line with user traffic and therefore has little or no impact on network performance. There are three elements to the FortiNAC solution:
- Application and Control (required): Application and Control provide the visibility and configuration capabilities, as well as automated response features.
- Management (optional): The Management portion enables the sharing of concurrent users across a multi-server deployment.
- FortiAnalyzer for Reports (optional): FortiAnalyzer provides reports and analytics based on the information gathered from the network through FortiNAC.
FortiNAC offers three licensing options based on the features and functionalities your business requires. The three options are:
- BASE license: The BASE license level is appropriate for organizations that need to secure IoT and other network devices, but do not require advanced user/network controls or automated threat response.
- PLUS license: PLUS license is appropriate for organizations that want complete endpoint visibility and control, but do not require automated threat response.
- PRO license: The PRO license is appropriate for organizations that want complete endpoint visibility, control, and automated response.
FortiNAC is a powerful NAC solution for managing network devices, especially BYOD and IoT devices. Although it supports third-party network devices, it is however best suited for network environments that are mainly based on Fortinet network equipment such as firewalls, access points, and others.
ClearPass Policy Manager from HPE Aruba is listed in the 2020 Gartner Peer Insights Customers’ Choice for NAC. The solution, which was acquired by HP in 2015, enables organizations to securely admit guests, onboard and manage devices, and enforce network policies. ClearPass provides role- and device-based secure network access control for corporate, IoT, and BYOD devices across any multi-vendor wired, wireless, and VPN infrastructure.
ClearPass employs self-care mechanisms such as guest self-registration portals and also leverages contextual data about user roles, devices, application use, location, and time stamp to deploy BYOD and streamline network operations across wireless, wired, and VPNs. ClearPass is available as either hardware or software virtual appliances. Key features and capabilities include:
- Comprehensive integration with third-party systems such as SIEM, IPS/IDS, and EMM/MDM.
- Supports multiple authentication/authorization sources (AD, LDAP, SQL) within one service.
- Self-service device onboarding with a built-in certificate authority (CA) for BYOD.
- Supports NAC and EMM/MDM integration for mobile device assessments.
- Role-based network access enforcement for heterogeneous networks
- Guest access with extensive customization and branding.
- Reporting of all user valid authentications and failures.
- Built-in profiling using DHCP and TCP fingerprinting.
ClearPass is composed of three different modules—OnBoard, OnGuard, and Guest. You can create separate profiles on each module.
- ClearPass Onboard provides automated provisioning of devices (Windows, iOS, Android, Linux, etc.) via a self-guided portal. Network, device, and security settings are automatically configured on authorized devices.
- ClearPass OnGuard delivers endpoint posture assessments over wireless, wired, and VPN connections via flexible deployment options including agentless, dissolvable agents, and agent-based configuration.
- ClearPass Guest simplifies visitor workflow processes to enable non-technical staff, such as receptionists or HR staff, to create temporary guest accounts for secure wireless and wired access, which allows visitors to access the network for a specified period of time.
ClearPass is fairly cost-effective especially in relation to other NAC software, but to really take advantage of it you should consider purchasing all or most of the feature sets. However, this can become very pricey for SMBs.
Pulse Policy Secure (PPS) NAC solution enables organizations to gain visibility, understand their security posture, and enforce role-based access and endpoint security policy for network users, guests, and IoT devices. The PPS NAC solution enables organizations to meet numerous industry regulatory requirements from the government to healthcare to finance. It can streamline endpoint compliance and remediation, BYOD onboarding, and IoT security, as well as automated threat response.
PPS can be deployed on physical, virtual, and cloud platforms, and it integrates well with a wide range of network hardware such as NGFWs, IPS, and SIEM from different manufacturers. The Pulse Policy Secure solution is made up of three main components:
- Pulse Profiler: This provides network visibility, endpoint identification and classification, reporting, and behavior analytics.
- Pulse Policy Secure: This provides a unified policy engine that leverages contextual information from users, endpoints, and applications.
- Pulse Client: The Pulse client offers agent and agentless options for pre- and post-admission control and endpoint security posture verification.
Some of the key capabilities and features of PPS include, but are not limited to:
- Interoperability – enables easy integration with third-party network and security devices
- A wizard-based configuration that takes the complexity out of setting up a NAC solution
- A Pulse Profiler that identifies and classifies endpoint devices, including IoT
- A Host Checker that identifies the security posture of the device
- Self-service guest access support
- Centralized policy management
- RADIUS and TACACS+ support
- Automated threat response
The following are the licensing options available for Pulse Policy Secure:
- Common Access Licenses: Common access licenses are available as user licenses which can either be used for Pulse Policy Secure (NAC) user sessions, or Pulse Connect Secure (SSL VPN) user sessions.
- Enterprise Licenses: These can be either perpetual or subscription-based. Perpetual licenses carry a one-time charge, while subscription licenses offer a more flexible and overall more valuable option with one-, two-, or three-year terms.
- Other licensing options are Role-based licenses, Pulse Secure Profiler licenses, IF-MAP server licenses, and OAC-ADD-UAC licenses.
Similarly, Pulse Policy Secure offers different levels of support based on your needs. Some of the available options are:
- Gold Support: Pulse Secure Gold Support includes any time, any day access to Pulse Secure’s Global Support Centers by phone or online.
- Platinum Support: Pulse Secure Platinum Support includes all the services in the Gold Support tier, plus access to a dedicated team of senior engineers who will handle all your support cases.
- Partner Branded Support (PAR): Customers who have purchased this support option will contact their partner when they need to open a support case instead of contacting Pulse Secure.
The SafeConnect NAC solution was acquired by OPSWAT in 2019. The solution ensures that every device (wired or wireless) connected to your network is visible, is automatically checked against prescribed security standards, and is then either granted or denied access in real time based on predefined security standards or policy requirements. SafeConnect identifies, profiles, and provides access control for devices connecting to your network without requiring an agent.
SafeConnect is an “out-of-line” solution, which means that it poses little or no impact on network performance. Like most NAC solutions, it can be deployed as an on-premises physical or software virtual appliance. Each SafeConnect appliance scales up to thousands of concurrent endpoints and can be assembled into a cluster for larger environments. This makes it particularly attractive in the education sector where thousands of students onboard at the same time with all sorts of devices.
As noted earlier, one of the key factors to consider when evaluating NAC solutions is their ability to support organizations in meeting regulatory compliance. The SafeConnect NAC solution helps organizations achieve security certification and regulatory compliance, including HIPAA, PCI DSS, SOX, GDPR, and ISO-27001. Some of the key features and capabilities include:
- Automatic software updates/upgrades and daily remote backups
- Application usage policies and Acceptable User Policy (AUP) enforcement
- Role-based access control and port level control
- Flexible network integration options
- Contextual Intelligence Publishing
- Guest and IoT self-registration
- Agentless device profiling
- Customization of policies
SafeConnect licensing can be either perpetual, subscription, or modularly priced based on customer needs. It is budget-friendly, and that makes it attractive to SMBs with low budgets and heterogeneous network environments. One of the main concerns with SafeConnect is the fact that updates/upgrades on the appliances can only be performed by the vendor. This can be a turn-off for organizations that want a bit more control when applying updates to a system.