NAC is back. And better than ever

We review 5 of the leading network access control products.


A NAC for security

For this review, we were able to bring the following five vendors together: Enterasys/Extreme Networks Mobile IAM, Hexis Cyber Solutions NetBeat NAC, Impulse Point SafeConnect NAC, Pulse Policy Secure and Portnox NAC. Overall Portnox was the best NAC unit we tested, with Extreme coming in a close second. Portnox had better reporting than Extreme, while Extreme had better device detection capabilities.


Extreme Networks Mobile IAM

Extreme has a complex NAC solution and sent us three pieces of hardware. Extreme depends on RADIUS to discover and control network access and can manage large networks with ease. Extreme was the only vendor that could handle self-remediation. Extreme integrates with a number of MDM vendors, so you can share policy and control information with AirWatch, MobileIron, Fiberlink, etc. Extreme was also the most widely integrated in handling a virtual switch fabric of VMware, Hyper-V and Citrix Xen hypervisors. Extreme’s biggest weakness is its reports, which are scattered among various tabs within the Web UI. Extreme costs $10,000 for 500 devices that appear over any 24-hour period.


Hexis NetBeat (formerly NetClarity)

Hexis sent us a 1U hardware box that is managed with a Web browser. Once the appliance is connected to your network, it will attempt to discover network resources. Untrusted devices are highlighted in yellow bars, making them easy to spot. NetBeat had a harder time than its competitors figuring out the unmanaged switches and VMs running on our test network, but it does support managed switches from Extreme, Cisco, 3Com and HP. It has a very interesting assembly of 26 pre-set best-practice compliance documents, which you can use as starting points to compose your own. Reports are this product’s biggest weakness. At $5,500, plus another $600 a year for a support contract, NetBeat was the least expensive unit we tested, half what the next pricier unit went for.


Impulse Point SafeConnect NAC

Impulse Point has several components, including a hardware management device that sits on your local network and a series of software tools that are accessed through a Web browser. To discover your endpoints, it makes use of a variety of sources, including NetFlow, syslogs from DHCP servers, and RADIUS. It can discover a wide range of routers and switches, but not VMware virtual ones. Once you have logged in and installed your certificate, your security posture is checked. If you don’t meet the policy requirements, you have to remediate. SafeConnect has copious reports; the hard part is getting them set up to show you meaningful information. One option is to export historical information to either a syslog or MySQL server for more advanced reporting. Impulse Point can be pricey at $24,000 per year to secure 500 users.
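Two of the products above lean on the same idea: discover endpoints passively from DHCP server syslogs (SafeConnect) and then flag the ones that are not known to the organization (NetBeat's yellow bars). The following is an added example, not code from the article or from any of the vendors reviewed, showing how that discovery-and-flagging step works on a handful of constructed ISC dhcpd-style syslog lines. The log format, the sample lines and the trusted-MAC list are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in ISC dhcpd syslog format (not taken from the article).
# Only DHCPACK lines confirm a lease; DHCPREQUEST/DISCOVER lines are ignored below.
SAMPLE_SYSLOG = """\
Mar  4 10:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (laptop-jdoe) via eth0
Mar  4 10:15:09 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.0.1.40 from aa:bb:cc:dd:ee:ff via eth0
Mar  4 10:15:09 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.40 to aa:bb:cc:dd:ee:ff via eth0
Mar  4 10:16:30 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (laptop-jdoe) via eth0
Mar  4 10:17:45 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.77 to DE:AD:BE:EF:00:01 (printer-3f) via eth1
"""

# Hypothetical set of MAC addresses the organization has enrolled (constructed).
TRUSTED_MACS = {"00:11:22:33:44:55", "de:ad:be:ef:00:01"}

# Matches a DHCPACK line; the "(hostname)" part is optional because clients
# do not always send a host name in their request.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd\[\d+\]:\s+"
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass
class Endpoint:
    mac: str
    ip: str
    hostname: Optional[str]
    iface: str
    first_seen: str
    last_seen: str
    acks: int = 0


def build_inventory(syslog_text: str) -> Dict[str, Endpoint]:
    """Return a MAC-keyed inventory of endpoints that received a DHCP lease."""
    inventory: Dict[str, Endpoint] = {}
    for line in syslog_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # not a confirmed lease; skip
        mac = m["mac"].lower()  # normalize so case differences do not split one device
        ep = inventory.get(mac)
        if ep is None:
            inventory[mac] = Endpoint(mac, m["ip"], m["host"], m["iface"], m["ts"], m["ts"], 1)
        else:
            # A later ACK may move the device to a new address, interface or name.
            ep.ip = m["ip"]
            ep.hostname = m["host"] or ep.hostname
            ep.iface = m["iface"]
            ep.last_seen = m["ts"]
            ep.acks += 1
    return inventory


def untrusted_endpoints(inventory: Dict[str, Endpoint], trusted_macs) -> List[str]:
    """MACs that obtained a lease but are not in the enrolled set, sorted."""
    trusted = {mac.lower() for mac in trusted_macs}
    return sorted(mac for mac in inventory if mac not in trusted)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SYSLOG)
    flagged = set(untrusted_endpoints(inv, TRUSTED_MACS))
    for ep in inv.values():
        tag = "UNTRUSTED" if ep.mac in flagged else "trusted"
        print(f"{tag:9} {ep.mac} {ep.ip:<12} {ep.hostname or '-':<12} "
              f"{ep.iface} acks={ep.acks} last={ep.last_seen}")
```

The inventory is keyed on the MAC address rather than the IP because DHCP reassigns addresses; the second ACK for the laptop in the sample updates the existing record instead of creating a new device. A real NAC would correlate this DHCP view with RADIUS sessions and NetFlow, as the review describes, to catch devices with static addresses that never appear in the DHCP log.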


Juniper/Pulse Policy Secure

Pulse Secure, formerly known as Junos Pulse, was spun out of Juniper to a private equity firm last summer. It comes as an appliance or a VM and can integrate with a variety of Juniper equipment and MDM tools. You can connect Pulse Secure to authentication sources including LDAP and RADIUS servers and SiteMinder, as well as Windows and Mac agents. Getting things set up is a long process, hampered by the use of a variety of Web and command-line configuration interfaces. Pulse Secure accomplished some of our test cases; however, it failed to recognize VM sessions. Reports could be more useful. There are six basic ones that show devices and users, but they have the least amount of information of any of the vendors tested.

A 500-user license for Pulse Secure lists at $26,000, but discounts can cut this to nearly half that price.


Portnox

The Portnox product consists of software that runs on a Microsoft Windows Server, with both Web and native Windows interfaces to manage it. The software installs IIS and SQL Express along with the .NET Framework, so it is deeply Microsoft-based. Portnox supports managed and unmanaged switches, wired and wireless networks, and Windows and non-Windows clients. Portnox was one of the best products at figuring out what was on our network. One nice feature is being able to see inside VMware’s vSwitches and operate directly on the virtual ports that make up that switch fabric.

Once we got everything up and running, Portnox was able to figure out all of our use cases. Portnox’s user interface could be snappier and clearer. Reports are less than illuminating and more akin to log files. Portnox charges per port for its product; 500 ports sell for $13,500.