How To Choose An Access Control System

Transcription

1 G Magic Quadrant for Network Access Control Published: 8 December 2011 Analyst(s): Lawrence Orans, John Pescatore The BYOD phenomenon is driving growth in the NAC market as organizations seek to apply policies specific to personally owned mobile devices. Vendors that can easily identify and enforce policies on non- Windows endpoints are positioned for success. What You Need to Know If your organization faces bring your own device (BYOD) challenges, consider solutions that can easily profile personally owned mobile devices and apply controls consistent with your organization's mobile device policies. Because there are multiple approaches for enforcing NAC policies (for example, virtual LANs, firewalls, access control lists and others), look for solutions that best fit your existing network infrastructure

2 Magic Quadrant Figure 1. Magic Quadrant for Network Access Control Source: Gartner (December 2011) Market Overview Enterprise interest in NAC has rebounded after several years of flat market performance, and BYOD has been the main driver. While there are a number of approaches for securely supporting the use of personally owned devices, Gartner believes NAC will emerge as one of the key mechanisms for providing a flexible approach to protecting the network against the risks of personally owned mobile devices. NAC policies have changed over time (see "Strategic Road Map for Network Access Control"). During the first wave of NAC adoption (2003 through 2006), policies were based on endpoint configuration (for example, whether Microsoft Windows patches and antivirus signatures are up-todate). Around 2007, during the second wave of NAC adoption, the focus shifted to simpler authentication-based controls to create a guest network for unmanaged devices. In 2011, NAC is in its third wave of adoption controls for provisioning a "limited access zone" for unmanaged or employee-owned devices, in addition to simple guest access. Gartner believes that this third wave of NAC adoption will be the strongest and will drive NAC to maturity on the Plateau of Productivity along the Hype Cycle (see "Hype Cycle for Infrastructure Protection, 2011"). Page 2 of 22 Gartner, Inc. G

3 To contain the risks of BYOD, organizations are beginning to create limited access zones, where personally owned mobile devices are isolated from the main network, and granted Internet access and access to a subset of corporate applications. Because the devices are personally owned, in many cases IT has little to no ability to mandate configuration policies, security agents and life cycle management tools. Isolating these devices to the limited access zone helps to protect the corporate network. An important component of building a limited access zone is the ability to discover and categorize endpoints (such as ipad, Android tablet, IP phone, printer and PC) as they access the network, otherwise known as "profiling." Once an endpoint has been profiled, it can be positioned in the appropriate network (corporate, guest or limited access zone) where NAC policies control access. Vendors that recognize the need to profile, isolate and apply a different set of policies to personally owned mobile devices were given higher scores for Completeness of Vision in this Magic Quadrant. Business demands to allow the use of personally owned laptops, smartphones and tablets have altered the NAC market. In many ways, businesses are beginning to look a lot like universities, where the end users (students) brings in their own devices and connect to the corporate (campus) network. Endpoint protection platform (EPP) vendors whose footprint on corporate laptops positioned them for success in the first wave of NAC adoption (where the focus was on endpoint compliance) lose this advantage in a BYOD world. EPP vendors have had to alter their NAC strategies to adjust to the BYOD phenomenon. Gartner has observed that Symantec and Sophos, which both entered the NAC market through acquisition (Symantec acquired Sygate in 2005, and Sophos acquired EndForce in 2007), are no longer actively selling their stand-alone NAC solutions, and we excluded them from this year's Magic Quadrant. They still own valuable NAC technology that will likely continue to be embedded in their EPP suites. The main purpose of the Symantec NAC solution will be to feed endpoint status information to other vendors' NAC systems, whereas Sophos will work on enhancing its own NAC technology. Market Definition/Description The NAC market consists of several categories: Infrastructure Vendors: Most enterprise-class LAN switch manufacturers offer NAC solutions. In the early days of the market, these vendors targeted their NAC offerings to their installed base of LAN switches. The BYOD phenomenon will make this a more difficult strategy, because policies now must be enforced across wired and wireless networks, and most switch manufacturers don't have strong wireless offerings. Several wireless LAN vendors can enforce basic policies on their wireless controllers, but can't enforce policies on switched Ethernet LANs. The ability to support NAC policies in wireless LANs will become more important during the BYOD era, but the wireless LAN (WLAN) vendors will be unable to penetrate the broader NAC market without support for wired LANs. Wired and wireless infrastructure vendors have had limited success in selling their NAC solutions outside of their installed bases and into their competitors' accounts. Network Security Vendors: A mix of intrusion prevention system (IPS), firewall and virtual private network (VPN) vendors offer NAC solutions. Because they already serve as enforcement Gartner, Inc. G Page 3 of 22

4 points in the network, these products can be easily repurposed to become NAC policy enforcement points. Pure-Play Vendors: BYOD has created new opportunities for these vendors, because today's heterogeneous endpoint environments sometimes require specialized policies. Gartner estimates that the size of the NAC market in 2011 will be approximately $206 million, an increase of approximately 3% over the market in For 2012, we expect market growth of approximately 10%. Note that the 2012 growth projection is higher than we predicted in "Competitive Landscape: Network Access Control Worldwide, 2011," published in March 2011, when we predicted 2012 market growth of only 3%. The trend of NAC adoption as a response to BYOD has been stronger than we originally anticipated, thus our revised market growth prediction. In previous versions of this Magic Quadrant, Gartner noted that the overall direction of the NAC market was toward embedding functionality in core network and security infrastructure. However, the BYOD phenomenon has shifted momentum to the NAC pure-play vendors, many of whom have added capabilities in support of personally owned mobile devices. The infrastructure and security vendors have been slower to react. The long-term direction will still be for infrastructure vendors to embed NAC capabilities in their solutions (BYOD has increased the need for flexible network policies), but the market for pure-play vendors will continue to grow through at least The need to support heterogeneous network environments (see "Debunking the Myth of the Single-Vendor Network") and the desire to avoid vendor lock-in will be key drivers for the growth of the pure-play market. Inclusion and Exclusion Criteria Some NAC vendors have licensed their technology to multiple partners. The goal of the inclusion/ exclusion criteria listed here is to identify those vendors that own core NAC technology. To be included in this Magic Quadrant, a vendor's solutions must include the policy, baseline and access control elements of NAC, as defined by these criteria: Policy The NAC solution must include a dedicated policy management server with a management interface for defining and administering security configuration requirements, and for specifying the access control actions (for example, allow or quarantine) for compliant and noncompliant endpoints. Because policy administration and reporting functions are key areas of NAC innovation and differentiation, vendors must own the core policy function to be included in this Magic Quadrant. Baseline A baseline determines the security state of an endpoint that is attempting a network connection, so that a decision can be made about the level of access that will be allowed. Baselining must include the ability to assess policy compliance (for example, up-to-date patches and antivirus signatures) and may include the ability to detect installed malware. Various technologies may be used for the baseline function, including agentless solutions (such as vulnerability assessment scans), dissolvable agents and persistent agents. NAC solutions must include a baseline function, but "reinventing the wheel" is not necessary. Baseline functionality may be obtained via an OEM or licensing partnership. Page 4 of 22 Gartner, Inc. G

5 Access control The NAC solution must include the ability to block, quarantine or grant full access to an endpoint. The solution must be flexible enough to enforce access control in a multivendor network infrastructure, and it must be able to enforce access in wired LANs, WLANs and VPN gateways. Enforcement must be accomplished via the network infrastructure (for example, 802.1X, VLANs, ACLs) or via the vendor's NAC solution (for example, dropping/ filtering packets or Address Resolution Protocol [ARP] spoofing). Dynamic Host Configuration Protocol (DHCP) enforcement qualifies for inclusion, provided that policy enforcement can be delivered via partnerships with two or more DHCP solutions. Vendors that rely solely on agentbased endpoint self-enforcement do not qualify as NAC solutions. Additional criteria include: Network infrastructure vendors must have demonstrated their ability in 2010 and 2011 to sell NAC solutions into new accounts (beyond their installed base of Ethernet switch customers). NAC vendors must consistently target and show wins at enterprises with at least 5,000 endpoints to be included. This Magic Quadrant does not analyze solutions that target the small and midsize business (SMB) market. Vendors must have an installed base of at least 100 customers or aggregate endpoint coverage of 500,000 endpoints. The NAC solution must generate revenue for the vendor. Solutions that include basic NAC functionality embedded in other products and services have been excluded from this analysis The vendor must have at least $3 million in NAC sales during the 12 months leading up to 1 September Solutions that do not directly generate revenue for the vendor, such as those that embed basic NAC functionality in other products at no extra charge, have been excluded from this analysis. The products with the required features and functions must be shipping as of 1 September Vendors Considered but Not Included in the 2011 Magic Quadrant LAN Switch Manufacturers LAN switch manufacturers that base critical components of their NAC solutions on OEM technology or that resell NAC solutions from other vendors have been excluded from this Magic Quadrant. This includes Alcatel-Lucent and Extreme Networks. Microsoft Microsoft embeds NAC functionality (branded as Microsoft Network Access Protection [NAP]) within its more recent operating systems (Windows 7, Vista and XP Service Pack 3), and within Windows Server Gartner has observed that Microsoft no longer actively markets its NAP solution, and we received very few questions from Gartner clients about Microsoft NAP. Its strategy is to provide a framework for transporting endpoint status and health information back to a third-party policy Gartner, Inc. G Page 5 of 22

6 server. The BYOD era and the rapid growth of non-windows endpoints make it challenging for Microsoft NAP to compete in heterogeneous environments. Vendors Added Auconet Access Layers Vendors Dropped Network Infrastructure Vendors: Avaya and HP (3Com). Customers of Avaya's and HP's network infrastructure products should consider their respective NAC solutions. However, these vendors have not demonstrated a strong ability to sell NAC beyond their installed base of Ethernet switch customers, and, at this time, are not compelling alternatives for the broader market. Endpoint Protection Vendors: Check Point Systems, Sophos and Symantec. Gartner has observed that these vendors are not actively selling NAC as a separate product. Therefore, they did not meet the inclusion criteria for this Magic Quadrant. These vendors will need to gain dominant positions in the market for securing mobile devices for them to compete effectively again in the NAC market. Other Vendors: Insightix and Nevis Networks. These vendors have shifted their strategic direction and no longer meet the inclusion criteria for this Magic Quadrant. Insightix is pursuing the endpoint discovery market; Nevis is now targeting opportunities in data center security. Evaluation Criteria Ability to Execute The Ability to Execute (see Table 1) criteria are: Product/Service: An evaluation of the features and functions of the vendor's NAC solution. Due to the growing influence of the consumerization trend on NAC, this criterion heavily weights profiling and support for guest networking services, including support for mobile devices. Those solutions that support a variety of enforcement options (for example, virtual LAN [VLAN] steering, access control lists [ACLs], DHCP and others) will score higher than solutions with limited enforcement options. Overall Viability: Viability includes an assessment of the vendor's overall financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue to invest in an NAC solution. Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. The ability of a vendor to succeed in its target markets is important. Vendors should demonstrate success in winning NAC deals of 5,000 endpoints or more. Page 6 of 22 Gartner, Inc. G

7 Marketing Execution: This criterion assesses the effectiveness of the vendor's marketing programs and its ability to create awareness and "mind share" in the NAC market. Those vendors that frequently appear on client "shortlists" are succeeding in marketing execution. Customer Experience: Quality of the customer experience based on input from Gartner clients and vendor references. Input is gathered via reference calls and an online survey. Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Product/Service Overall Viability (Business Unit, Financial, Strategy, Organization) Sales Execution/Pricing Market Responsiveness and Track Record Marketing Execution Customer Experience Operations Weighting High High Standard No rating Standard High No rating Source: Gartner (December 2011) Completeness of Vision Completeness of Vision (see Table 2) criteria are: Market Understanding: Ability of the vendor to understand buyers' needs and translate these needs into NAC products. The ability to anticipate market trends and to quickly adapt via partnerships, acquisitions or internal development. Marketing Strategy: This criterion analyzes whether the vendor's marketing strategy succeeds in differentiating its NAC solution from its competitors. Sales Strategy: The vendor's strategy for selling to its target audience, including an analysis of the appropriate mix of direct and indirect sales channels. Offering (Product) Strategy: An evaluation of the vendor's strategic product direction and its road map for NAC. The product strategy should address trends that are reflected in Gartner's client inquiries. Vertical/Industry Strategy: The vendor's strategy for meeting the specific needs of individual vertical markets and market segments. For example, does the vendor have an effective strategy for pursuing vertical markets that have been aggressive adopters of NAC, such as higher education and healthcare? Gartner, Inc. G Page 7 of 22

8 Innovation: This criterion includes product leadership and the ability to deliver NAC features and functions that distinguish the vendor from its competitors. Geographic Strategy: The vendor's strategy for penetrating geographies outside its home or native market. Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Market Understanding Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Weighting High Standard Standard High No rating Low Standard Low Source: Gartner (December 2011) Leaders Leaders are successful in selling large NAC implementations (10,000 nodes and greater) to multiple large enterprises. Leaders are pure-play NAC vendors or networking and/or security companies that that have been first to market with enhanced capabilities as the market matures. Leaders have the resources to maintain their commitment to NAC, have strong channel strength and have financial resources. They have also demonstrated a strong understanding of the future direction of NAC, including the impact of BYOD and guest networking. Leaders should not equate to a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant. Challengers Challengers are networking and/or security companies that have been successful in selling NAC to their installed bases, although they are generally unsuccessful in selling NAC to the broader market. Challengers are generally not NAC innovators, but are large enough and diversified enough to continue investing in their NAC strategies. They are able to withstand challenges and setbacks more easily than Niche Players. Page 8 of 22 Gartner, Inc. G

9 Visionaries Visionaries have led the market in product innovation and/or displayed an early understanding of market forces and trends. They are smaller pure-play NAC vendors or larger networking and/or security companies. A common theme in Visionary vendors is that they don't have significant channel strength in the NAC market and have not succeeded in building installed bases as large as the Leaders. Niche Players Niche Players are typically strong in strategic NAC verticals (for example, education and healthcare) and certain geographies. They don't often appear on Gartner clients' shortlists, but they are valid options for those organizations within those key geographies and vertical industries. Vendor Strengths and Cautions Access Layers Based in Israel and founded in 2007, Access Layers is a small pure-play NAC vendor making its first appearance in the Magic Quadrant. Its portnox solution is agentless and is based on endpoint discovery. After a device connects to the network, portnox checks the operating system type and then applies the appropriate policy to the network access point (for example, a port on a LAN switch, a WLAN controller or a VPN gateway). Organizations that can tolerate the risk of a startup and that are within the geographic range of Access Layers' service and support coverage should consider the portnox solution. Strengths The portnox solution deploys easily and can attach to any LAN switch port (it does not require a "mirror" or Switched Port Analyzer [SPAN] port). Flexible policies support the ability to govern access based on location, time, operating system, user and device. The solution ships with predefined templates for common endpoints. Custom templates can be built for nonstandard devices. Cautions The portnox authentication mechanism presents challenges for non-windows endpoints, and is not as secure as some competing solutions. Device authentication relies on Active Directory (AD). Mobile devices and other endpoints that are not part of an AD domain must be treated as exceptions. There is no support for certificate-based authentication on the endpoint. Endpoint baselining capabilities are weak. The management console does not easily reflect missing Windows patches. Access Layers has not partnered with any patch and configuration management vendors for remediating noncompliant endpoints. Gartner, Inc. G Page 9 of 22

10 Approximately 75% of the Access Layers customer base is in Israel. As a small company with limited resources, it has yet to develop a strong distribution channel outside of Israel and the United Kingdom. Auconet This is Auconet's first year qualifying for inclusion in the Magic Quadrant. The company was founded in 1998 as a system integrator and began shipping NAC solutions in It is a small, privately held company based in Germany, with offices in Austria and Switzerland. Auconet is deployed most commonly as an agentless solution, since its Remote Authentication Dial-In User Service (RADIUS)-based policy server supports native OS-based supplicants in 802.1X environments. Auconet also offers a permanent agent. Organizations within Auconet's geographic reach that have a heterogeneous network infrastructure should consider Auconet. Strengths For a small company, Auconet has several large customers, including some implementations with greater than 100,000 endpoints. The agentless-based solution is a good fit for BYOD environments. It provides good visibility into network traffic by capturing and displaying NetFlow records. Cautions The solution lacks a dissolvable agent, which is a common approach for supporting a guest network environment. The permanent agent is only available on Windows platforms. As a small company with limited resources, Auconet will face challenges in building distribution channels as it attempts to expand beyond its reach in Europe into other geographies. Avenda Systems (Aruba Networks) In November 2011, Aruba Networks announced its intent to purchase Avenda Systems, a privately held NAC vendor based in California. This analysis is based on the deal closing as planned (during 1Q12), because Gartner believes there is a strong likelihood that the acquisition will progress according to schedule. Founded in 2006, Avenda's flagship offering is the Enterprise Trust & Identity Policy System (etips), a RADIUS-based policy server. The company's ability to support Microsoft NAP-enabled endpoints (Windows 7, Vista and XP SP3) without requiring an agent, its support for non-microsoft endpoints (via agents), and a strong road map for profiling features has earned it a high score for Completeness of Vision. etips is largely complementary to Aruba's product family. It can act as a policy server for Aruba's wireless controllers, and it gives Aruba the opportunity to sell etips into wired LAN environments. Aruba's wireless customers and any enterprise that needs a policy server capable of supporting heterogeneous endpoints should consider Avenda's NAC offering. Page 10 of 22 Gartner, Inc. G

11 Strengths Once the deal closes, Avenda immediately benefits from Aruba's strong sales and distribution channel. Support for the Trusted Network Connect's (TNC's) Statement of Health protocol (and Internet Engineering Task Force's [IETF] requests for changes [RFCs]) enables Avenda to provide endpoint baselining for Microsoft NAP-enabled endpoints (Windows 7, Vista and XP SP3) without requiring an additional agent. Avenda also provides agents that can baseline endpoints running Apple OS X and Linux operating systems. Customer references of Avenda commented favorably on its flexible policy engine and its strong reporting capabilities. Avenda's Quick 1X tool simplifies the configuration of a broad set of supplicants, including supplicants native to Windows and Linux. It also supports supplicants on Mac OS X, iphone/ ipad and Android operating systems. Cautions Aruba will face product integration challenges as it adds Avenda's solutions into its product family. In particular, there is strong overlap between Aruba's guest networking application (via the Amigopod acquisition of 2010) and Avenda's guest networking application. Aruba will need to demonstrate proficiency in wired networking for it to sell NAC into switched LAN environments. Now that Avenda will be losing its independent pure-play status, a combined Aruba-Avenda is a bigger threat to Cisco and will face greater challenges selling into Cisco Aironet wireless customers. Bradford Networks Bradford Networks, a small, privately held company based in Cambridge, Massachusetts, became one of the first NAC vendors by meeting the NAC needs of universities as they dealt with the security problems of student-owned devices connecting to campus networks. Its NAC products are branded as the Network Sentry Family. In 2009, Bradford brought on a new CEO to drive growth, and attempted to broaden beyond its focus on NAC. This strategy did not succeed, and in June 2011, Bradford replaced its CEO again and refocused on NAC. Bradford Networks' NAC products should be considered by enterprises with heterogeneous networks and wide mixes of endpoint devices. Strengths Users cite Bradford's broad support for multivendor network and endpoint devices as the primary selection factor. Gartner, Inc. G Page 11 of 22

12 Visibility and profiling capabilities are strong, and users continue to give high marks for ease of deployment. Bradford's new management has emphasized focus on the NAC market and taken steps to address weaknesses in channel support. Cautions Based on inquiries with Gartner clients, Bradford's visibility outside of the education vertical has never been high, and its change in direction in 2010 further lowered it. Also, Bradford is facing increased competition from Impulse Point and others in the higher education vertical, its core market. Bradford needs to prove that it can grow its international channel, and its North American channel remains a work in process, although progress has been made. In previous versions, Bradford users consistently requested improvements in Network Sentry's administrative interface and reporting. While Bradford claims these issues have been addressed in version 5.x, the current version, clients are advised to validate these enhancements. Cisco In May 2011, Cisco began shipping its new NAC solution, the Identity Services Engine (ISE), a RADIUS-based policy server. ISE is available in two versions. The Basic package supports 802.1Xbased authentication and enforcement. The Advanced package performs endpoint profiling and baselining (checks for compliance with patching, antivirus and other policies) and supports Cisco's identity tagging feature (as noted in the Strengths section). With ISE, Cisco now owns technology that it was formerly dependent on via OEM deals from partners. It developed a basic profiling solution, and it acquired the intellectual property for its guest management and provisioning application. Cisco customers should consider ISE. Non-Cisco customers can also consider ISE, because it is standards-based and interoperable with other vendors' equipment. However, Gartner believes that, as ISE matures, it will become a more Cisco-specific platform. Strengths ISE's 802.1X-based support is a strong complement to Cisco's installed base of switches and wireless LAN components. Most Cisco customers will be able to use their existing wired and wireless infrastructures to enforce NAC policies (customers with older equipment may require software upgrades). Cisco customers are well-positioned to implement a "limited access zone" in BYOD environments, since ISE can apply policies to Cisco Adaptive Security Appliance (ASA) firewalls and other Cisco policy enforcement points (for example, wireless controllers, Integrated Services Routers (ISRs) and a broad family of Cisco switches). Cisco's commitment to profiling technology should ultimately lead to a competitive advantage. By developing its profiling technology in-house, Cisco has removed its dependency on its previous OEM supplier. Cisco is porting the profiling function to its switches and wireless Page 12 of 22 Gartner, Inc. G

13 controllers, eliminating the need for Cisco customers to purchase separate profiling probes. Cisco has plans to build a third-party device profile library by providing APIs and support to device manufacturers (printers, badge readers, security cameras, etc.) so that Cisco can accurately identify their network endpoints. Cisco's support of identity tags (Security Group Access tokens) in the Ethernet frame (via the IEEE 802.1AE standard) enables its more advanced customers to plan to implement identitybased policies (apply policies based on a user's role in the organization). This feature requires infrastructure updates, and full Cisco support is likely to be at least two to three years away. Cautions Cisco has introduced a subscription-based pricing model that is unique to the NAC market, and, in some scenarios, may equate to a more expensive solution. Customers receive a continual feed of updates (which includes new profile templates), and subscriptions are available in three-year and five-year plans. When comparing prices of NAC solutions, Cisco customers should extend their analyses past the term of the contract. For example, for a threeyear contract, analyze the cost for a possible fourth year (most other NAC pricing models are based on the purchase price of the solution, so a "fourth year" would only include maintenance charges). Cisco offers two endpoint agents. The Advanced package requires the Cisco NAC Agent for endpoint baselining use cases (checks to see if the endpoint is compliant with patching, antivirus and other policies). ISE supports Cisco's AnyConnect supplicant, as well as native OSbased supplicants. Cisco plans to integrate the NAC Agent with the AnyConnect client in the 2H12. Cisco now offers two RADIUS servers, ISE and ACS. Organizations that use Cisco's TACACS+ will still need to use ACS. Cisco positions ISE for customers that require RADIUS functionality for wired, wireless or VPN authentication. Cisco has a road map (which extends into 2013) for consolidating ACS, ISE and its older NAC Appliance. Until the consolidation has been completed, some organizations will likely find that they require two RADIUS servers from Cisco. Unlike some competing RADIUS/802.1X-based solutions, Cisco lacks a cross-platform 802.1Xbased supplicant configuration tool. Enterasys Networks Enterasys Networks is a networking infrastructure company that is an arm of Siemens Enterprise Communications. In addition to NAC, it provides IPS, and security information and event management (SIEM) solutions. The NAC offering includes out-of-band (NAC Gateway) and in-line (NAC Controller) components. The primary use case for Enterasys NAC is Enterasys switch and wireless LAN customers, although the solution is capable of supporting non-enterasys environments. Gartner, Inc. G Page 13 of 22

14 Strengths Enterasys' tight integration of its NAC solution with its LAN switch product family enables granular policy enforcement. Policies may permit, deny, rate limit and apply other controls to traffic based on user identity, time, location, end system and user groups. The 4.0 release of Enterasys NAC strengthened its RADIUS support. The NAC Appliance can now be deployed as a fully featured RADIUS server. Enterasys made several enhancements to support an already strong profiling capability. Through integration with Palo Alto Networks, Enterasys NAC shows applications running per IP address. For example, it could highlight Netflix usage and other possibly undesirable applications. Cautions Enterasys lacks a large security-focused value-added reseller (VAR) partner with a North American reach, and it faces a similar challenge in Europe. Enterasys suffers from a lack of brand awareness, and its market share for LAN switches (its core product offering) remains at 1% to 2%. Unlike some competing RADIUS/802.1X solutions, Enterasys lacks a cross-platform 802.1Xbased supplicant configuration tool. ForeScout ForeScout is a small, privately held company based in California that sells the CounterACT family of appliances for NAC and intrusion detection. While ForeScout offers an optional agent, its clientless approach eases the support of a wide variety of endpoints, particularly in BYOD environments. In 2011, ForeScout greatly expanded its list of channel partners, with strong emphasis in Europe, and also announced integration with the HP ArcSight SIEM product. ForeScout moved into the Leaders quadrant this year, in part due to its consistent record of growing faster than the NAC market and its proven ability to win large deals. ForeScout should be considered for large-scale NAC deployments with diverse endpoint populations. Strengths ForeScout has the highest visibility of pure-play NAC vendors, particularly in the government and finance sectors. ForeScout gets strong marks for scalability and has some of the largest active deployments of all vendors. Users continue to cite ease of deployment and flexible enforcement methods as primary selection criteria. Page 14 of 22 Gartner, Inc. G

15 Cautions The need to connect CounterACT appliances to span or "mirror" ports may drive up deployment costs in organizations with multiple remote offices and other distributed environments (could require more appliances). As NAC matures, and if the wired/wireless infrastructure vendors are able to catch up and offer "good enough" NAC functionality, ForeScout's architectural model of distributing specialpurpose NAC appliances may limit its appeal to the mass market. Impulse Point Based in Tampa Bay, Florida, Impulse Point continues its focus on the higher education market, and has also made progress in the K-12 education sector. Enforcement is provided via ACLs at Layer 3, or via firewall policies. Impulse Point delivers its SafeConnect solution as a managed service, which includes managing updates (patches and antivirus status) to its policy server, updates to device and OS profiling templates, and remote backup of policy configuration. Education institutions should consider Impulse Point. Business environments will likely find its policy enforcement architecture is not strong enough for wired networks (see Cautions section). Strengths Feedback from Impulse Point customers indicates that SafeConnect can be quickly implemented. Its Layer 3 approach to enforcement eliminates the need to test compatibility at Layer 2 (at the LAN switch level). SafeConnect is a highly scalable solution that contributes to its cost-effectiveness in large environments. Each SafeConnect Policy Enforcer appliance can manage up 10,000 concurrent endpoint devices (many NAC appliances only support 2,000 to 2,500 endpoints). Impulse Point's integration with Aruba's Policy Enforcement Firewall (PEF) APIs simplifies NAC implementation to Aruba wireless networks. Impulse Point customers consistently highlight the company's service and support as strengths. Cautions SafeConnect's product architecture limits its ability to penetrate the corporate environment. Its Layer 3-based enforcement mechanism (ACLs) make it a poor choice in wired corporate environments that may require switch-based (Layer 2) enforcement. Impulse doesn't provide tight integration with patch and configuration management solutions. Outside its chosen higher education and K-12 markets, Impulse Point suffers from low market visibility because of its small size and limited resources. Gartner, Inc. G Page 15 of 22

16 InfoExpress InfoExpress, a small privately held company, is largely focused on the NAC market, although it also offers a personal firewall product. Founded in 1993, it has never needed to raise money from venture capitalists. In 2009, InfoExpress partnered with Alcatel-Lucent and integrated its technology with Alcatel-Lucent's LAN switches and its VitalQIP Suite (which enables DHCP-based enforcement). Alcatel-Lucent is now a global reseller of InfoExpress solutions. Enterprises should evaluate InfoExpress' capabilities when NAC requirements are driven by diverse IT environments. Strengths InfoExpress has deep support for iphones and ipad use, providing a broad array of mechanisms to allow secure use of these devices on corporate networks. Dynamic NAC and multiple enforcement techniques make CyberGatekeeper easy to implement across complex networks. InfoExpress' integration with Aruba's Policy Enforcement Firewall (PEF) APIs simplifies NAC implementation to Aruba wireless networks. Users continue to give InfoExpress high marks for support and responsiveness. Cautions InfoExpress' visibility and profiling features lag behind competitors. While it supports MAC address-based device identification, it lacks more-advanced techniques, such as DHCP fingerprinting or active scanning (for example, Nmap). While InfoExpress has added some high-end channel partners, it lacks a large security VAR partner with broad reach in North America, and it faces a similar challenge in Europe. This contributes to the company's low visibility to Gartner clients. Support for self-service registration and provisioning of guest access lags competitors. For example, the solution lacks support for time-based access policies, and it cannot automatically provision user credentials. Juniper Juniper is a large network infrastructure and network security vendor that has focused on open standards as a key element in competing with Cisco. This has resulted in Juniper being a driving factor behind several NAC standards efforts. Juniper's NAC product line is branded as Unified Access Control (UAC) and consists of a range of appliances, including one that uses FIPS certified cryptography. In 2011, Juniper introduced the Junos Pulse client for Apple's ios, allowing UAC to be extended to iphone and ipad products. Juniper UAC should be considered where Juniper IPS, SSL VPN gateway and firewall products are in use, and where enterprises seek an 802.1X standards-based solution. Page 16 of 22 Gartner, Inc. G

17 Strengths Juniper's focus on open standards enables it to support heterogeneous network environments and helps to keep the pressure on other NAC vendors to minimize vendor proprietary features. Juniper UAC integration across its IPS, SSL VPN, firewall, SIEM and Junos Pulse offerings is strong. Juniper is a large, publicly traded company that is seen as a safe procurement by most large enterprises and government agencies. Cautions Juniper's management console user interface is harder to use and more complex than many of its competitors' offerings. For example, to view the patch status of Windows systems, administrators must apply filters to log data (many NAC offerings provide easier access to endpoint patch status). For a RADIUS-based solution, UAC lacks strong operational support tools. For example, it doesn't offer a cross-platform 802.1X-based supplicant configuration tool for native OS-based supplicants, and details about failed authentications are buried in logs. (Juniper does provide configuration support for its own supplicant, the Odyssey Client.) Juniper relies on Great Bay Software, a small company, to profile unmanaged assets. Any change to Great Bay's independent status could negatively impact Juniper. McAfee McAfee, now operating as a fully owned subsidiary of Intel, embeds NAC functionality into its EPP suites and also offers NAC as a stand-alone network component. An optional software module for McAfee's IPS appliances enables it to enforce NAC policies. Non-IPS customers have the option of purchasing a stand-alone NAC appliance, which runs the same software, but without the IPS functionality. McAfee customers should evaluate its NAC solution. McAfee's endpoint NAC software is not a strong option for non-mcafee customers. However, its NAC Appliance can be deployed in any network, particularly as a solution for enforcing identity-based policies. Strengths McAfee's strategy of integrating the monitoring of its network security components (IPS, NetFlow probes) and NAC into a unified console provides strong visibility into the security status of the network. Because of its integration with epolicy Orchestrator, McAfee NAC provides strong autoremediation capabilities. For McAfee IPS customers, in-line enforcement provides flexible policy controls, and the NAC software module is a cost-effective add-on. Gartner, Inc. G Page 17 of 22

18 Cautions McAfee's heritage as an EPP player has hampered its vision for supporting BYOD environments. For example, it lacks profiling technology (other than a basic ability to recognize a device based on its MAC address). The N-450 NAC appliance is available in only one size, and it is not cost-effective for small environments or small remote sites. McAfee's NAC solution lacks the ability to enforce policy by configuring ACLs on LAN switches, a common feature in competing offerings. McAfee has yet to integrate its firewalls as policy enforcement points for its NAC solution. StillSecure Founded in 2000, Colorado-based StillSecure is a small, privately held company that sells managed security services and NAC, as well as vulnerability management products. The NAC product is branded as Safe Access and supports a wide range of endpoint baselining methods. Safe Access should be considered in NAC deployments where heterogeneous networks are in use and where the flexibility of agent or agentless baselining options is required. Strengths StillSecure's FIPS and Common Criteria certifications provide an advantage in government procurements, since most other NAC vendors have yet to achieve these certifications. Safe Access provides in-depth baselining of endpoint health status. StillSecure continues to get high marks for customer support and ease of Safe Access integration to LAN infrastructures. Cautions In addition to NAC, StillSecure offers managed security services and a vulnerability management solution. StillSecure is a small company with limited resources, and Gartner believes that these other product and service offerings may make it challenging for StillSecure to balance its resources and maintain its focus on NAC. Outside of the government vertical, StillSecure's channel support and visibility to Gartner clients are low. Trustwave Based in Chicago, Trustwave has grown rapidly as a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and security service provider. Trustwave has developed and acquired a wide range of security products. It entered the NAC market in 2009, via its acquisition of Mirage Networks, which had focused on postconnect NAC using ARP manipulation. Trustwave NAC should be Page 18 of 22 Gartner, Inc. G

19 considered by enterprises looking to use NAC in PCI environments, as well as where a low cost of entry and/or as-a-service delivery is required. Strengths Trustwave's agentless approach for discovery and baselining, along with ARP manipulation for enforcement, simplify deployment in heterogeneous environments. Trustwave's management console and user interface are easy to use and provide a logical workflow path. Common Criteria certification of Trustwave NAC eases procurement for defense and government agencies. Cautions Trustwave NAC's support for guest networking is limited, and provides little automation of registering and provisioning guests. Trustwave has very little channel support outside of the PCI and payment processing verticals. Recommended Reading Some documents may not be available as part of your current Gartner subscription. "Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market" "Strategic Road Map for Network Access Control" "Case Study: 802.1X-Based Guest Network for a Wired LAN" Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Gartner, Inc. G Page 19 of 22

20 Evaluation Criteria Definitions Ability to Execute Product/Service: Core goods and services offered by the vendor that compete in/ serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/ partnerships as defined in the market definition and detailed in the subcriteria. Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products. Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel. Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness. Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities. Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Completeness of Vision Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision. Page 20 of 22 Gartner, Inc. G

21 Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. Business Model: The soundness and logic of the vendor's underlying business proposition. Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market. Gartner, Inc. G Page 21 of 22

22 Regional Headquarters Corporate Headquarters 56 Top Gallant Road Stamford, CT USA European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, ombudsman/omb_guide2.jsp. Page 22 of 22 Gartner, Inc. G