Magic Quadrant for Network Access Control.pdf - WIT

Magic Quadrant for Network Access Control 

http://www.gartner.com/technology/media-products/reprints/j... 

1 of 18 19/8/2553 15:31 

2 July 2010 

Lawrence Orans, John Pescatore 

Gartner RAS Core Research Note G00201432 

The network access control market continued to mature, squeezing hype out of the market and intensifying the focus on 

ease of implementation and near-term payback. Several point solutions persist, with some continuing to provide 

differentiated value. 

What You Need to Know 

Network access control (NAC) will increasingly be used to help enterprises 

manage the consumerization trend, as more enterprises allow employees to "bring 

their own PC to work." NAC will enable network managers to gain back some 

control over their networks by allowing access to some devices, while denying 

access to others. When evaluating NAC solutions, look for vendors that 

understand the consumerization trend and support, or have plans to support, 

policies for managing the non-Microsoft endpoints that will inevitably attempt to 

connect to your network. 

Return to Top 

Vendors Added or Dropped 

We review and adjust our inclusion criteria for 

Magic Quadrants and MarketScopes as markets 

change. As a result of these adjustments, the 

mix of vendors in any Magic Quadrant or 

MarketScope may change over time. A vendor 

appearing in a Magic Quadrant or MarketScope 

one year and not the next does not necessarily 

indicate that we have changed our opinion of 

that vendor. This may be a reflection of a 

change in the market and, therefore, changed 

evaluation criteria, or a change of focus by a 

vendor. 

Evaluation Criteria Definitions 

Magic Quadrant 

Figure 1. Magic Quadrant for Network Access Control 

Ability to Execute 

Product/Service: Core goods and services 

offered by the vendor that compete in/serve the 

defined market. This includes current 

product/service capabilities, quality, feature sets 

and skills, whether offered natively or through 

OEM agreements/partnerships as defined in the 

market definition and detailed in the subcriteria. 

Overall Viability (Business Unit, Financial, 

Strategy, Organization): Viability includes an 

assessment of the overall organization's financial 

health, the financial and practical success of the 

business unit, and the likelihood that the 

individual business unit will continue investing in 

the product, will continue offering the product 

and will advance the state of the art within the 

organization's portfolio of products. 

Sales Execution/Pricing: The vendor's 

capabilities in all presales activities and the 

structure that supports them. This includes deal 

management, pricing and negotiation, presales 

support and the overall effectiveness of the 

sales channel. 

Market Responsiveness and Track Record: 

Ability to respond, change direction, be flexible 

and achieve competitive success as 

opportunities develop, competitors act, 

customer needs evolve and market dynamics 

change. This criterion also considers the 

vendor's history of responsiveness. 

Source: Gartner (July 2010) 

Marketing Execution: The clarity, quality, 

creativity and efficacy of programs designed to 

deliver the organization's message to influence 

the market, promote the brand and business, 

increase awareness of the products, and 

establish a positive identification with the 

product/brand and organization in the minds of 

buyers. This "mind share" can be driven by a 

combination of publicity, promotional initiatives, 

thought leadership, word-of-mouth and sales



2 of 18 19/8/2553 15:31 

Market Overview 

Return to Top 

Although NAC adoption increased (primarily to support guest networking) in 

2009, as we predicted in "Network Access Control Market Overview" in December 

2004, the increasing availability of NAC functionality in network infrastructure and 

endpoint protection (EPP) products put severe pressure on NAC revenue. In 2004, 

we said, "However, as organizations progress through the technology refresh 

cycle and upgrade to solutions with built-in NAC functions, many will no longer 

pay extra for independent NAC solutions." We saw many enterprises decide to 

look to their EPP vendors for embedded NAC capabilities, as well as many that 

decided to wait until they rolled out Windows 7 on desktops to make NAC 

decisions. Although this was partly driven by the economic slowdown, it mostly 

represents what will be the continuing market reality. 

This led to the exit of ConSentry Networks from the NAC market, while other NAC 

vendors attempted to broaden their products' appeal beyond NAC functionality. 

Aruba, which had been reselling a private-labeled version of Bradford Networks' 

NAC appliance, decided it made more sense to focus on selling rich wireless 

networking solutions with embedded NAC capabilities, rather than to pursue 

specific NAC revenue. 

The pressure on the NAC market and the failure of several NAC vendors have led 

to a common misconception that "NAC is dead" — classic Trough of 

Disillusionment behavior. However, in working with Gartner clients evaluating and 

deploying NAC during the past year, as well as in talking to the reference 

customers supplied by vendors as part of this Magic Quadrant analysis, we 

continue to see early adopters expanding beyond basic NAC functionality, while 

new NAC installations continue to focus on meeting immediate guest networking 

needs. The "consumerization of IT" trend is driving the need for guest networking 

to rapidly expand beyond contractors and visitors to employees using their own 

laptops or smartphones. To a large extent, many enterprises are starting to look 

more like the early adopters of NAC, college campuses, with an increasingly 

chaotic mix of managed and unmanaged IT on the corporate network. Because 

employee-owned laptops or smartphones will typically not have corporate 

endpoint security software on them, stand-alone NAC capabilities will see higher 

demand. 

As targeted botnet attacks (such as that suffered by Google and many other 

high-profile businesses in 2010) cause increasing damage, Gartner believes those 

initial guest networking implementations will be expanded to include the endpoint 

baselining/health check — provided that NAC vendors move beyond simple 

vulnerability checking and build in support for detecting whether an endpoint is 

dangerous versus just missing patches or being behind in antivirus signatures. 

The increasing publicity around targeted malware has also caused increased 

demand for post-connect containment capabilities, but we have seen very limited 

demand for advanced identity-aware NAC capabilities, outside of the traditional 

high-security "belt and suspenders" enterprises. We believe that NAC vendors that 

manage to grow in 2010 and beyond will be the ones that increase their 

capabilities for enterprises to safely allow unmanaged PCs and mobile devices to 

be used to meet business needs. 

activities. 

Customer Experience: Relationships, products 

and services/programs that enable clients to be 

successful with the products evaluated. 

Specifically, this includes the ways customers 

receive technical support or account support. 

This can also include ancillary tools, customer 

support programs (and the quality thereof), 

availability of user groups, service-level 

agreements and so on. 

Operations: The ability of the organization to 

meet its goals and commitments. Factors include 

the quality of the organizational structure, 

including skills, experiences, programs, systems 

and other vehicles that enable the organization 

to operate effectively and efficiently on an 

ongoing basis. 

Completeness of Vision 

Market Understanding: Ability of the vendor 

to understand buyers' wants and needs and to 

translate those into products and services. 

Vendors that show the highest degree of vision 

listen to and understand buyers' wants and 

needs, and can shape or enhance those with 

their added vision. 

Marketing Strategy: A clear, differentiated set 

of messages consistently communicated 

throughout the organization and externalized 

through the website, advertising, customer 

programs and positioning statements. 

Sales Strategy: The strategy for selling 

products that uses the appropriate network of 

direct and indirect sales, marketing, service and 

communication affiliates that extend the scope 

and depth of market reach, skills, expertise, 

technologies, services and the customer base. 

Offering (Product) Strategy: The vendor's 

approach to product development and delivery 

that emphasizes differentiation, functionality, 

methodology and feature sets as they map to 

current and future requirements. 

Business Model: The soundness and logic of 

the vendor's underlying business proposition. 

Vertical/Industry Strategy: The vendor's 

strategy to direct resources, skills and offerings 

to meet the specific needs of individual market 

segments, including vertical markets. 

Innovation: Direct, related, complementary and 

synergistic layouts of resources, expertise or 

capital for investment, consolidation, defensive 

or pre-emptive purposes. 

Geographic Strategy: The vendor's strategy 

to direct resources, skills and offerings to meet 

the specific needs of geographies outside the 

"home" or native geography, either directly or 

through partners, channels and subsidiaries as 

appropriate for that geography and market. 

The four most common uses for NAC are: 

Guest network services: Isolating guests and visitors from the corporate 

network and providing them with limited connectivity — typically, Internet 

access only. Guest networking was the primary driver in approximately 75% 

of NAC deployments. Most organizations are starting with wireless guest 

access and are planning to extend guest networking capabilities to the 

wired network. 

Endpoint baselining: Determining whether endpoints on the corporate 

network are compliant with device configuration policies (for example, 

up-to-date patches and antivirus signatures). Endpoint baselining was the 

primary driver in approximately 15% of NAC deployments. 

Quarantine/containment: Restricting network access either when 

endpoints are noncompliant with configuration policies, or when suspicious 

traffic from the endpoint presents a risk to the network or to other 

endpoints. Quarantining noncompliant endpoints is common in educational 

environments (where schools often don't control the endpoints); however, 

in other environments, it is only the primary driver in approximately 5% of 

deployments. Remediating noncompliant endpoints and "dangerous" 

endpoints is an important aspect of this use case. 

Identity-aware networking: Providing greater visibility and control over



3 of 18 19/8/2553 15:31 

user behavior on the network. Organizations add identity awareness to the 

network to monitor user traffic and enforce access to critical resources. 

Identity-aware networking was the primary driver in approximately 5% of 

NAC deployments. 

Return to Top 

Market Definition/Description 

The NAC market consists of several categories, as outlined below: 

Infrastructure: Most enterprise-class LAN switch manufacturers offer NAC 

solutions. Seven of the eight vendors analyzed in "Magic Quadrant for 

Enterprise LAN (Global)," sell NAC products. The LAN switch vendors 

primarily target their NAC solutions to their installed base. That is a good 

strategy, because network managers, who are the buyers of LAN switches, 

are usually the buyers of NAC solutions. Infrastructure vendors have had 

limited success in selling their NAC solutions outside of their installed bases 

and into their competitors' accounts. 

EPP: Some vendors that sell EPP suites also offer NAC solutions (for 

example, Check Point Software Technologies, McAfee, Sophos and 

Symantec). All these vendors benefit from their existing desktop "footprint," 

which gives them an advantage in the endpoint baselining usage case. 

Network security vendors: A mix of intrusion prevention system (IPS), 

firewall and virtual private network (VPN) vendors offer NAC solutions. 

Because they already serve as enforcement points in the network, these 

products can be easily repurposed to become NAC policy enforcement 

points. 

Pure-play vendors: Several vendors are pure-play NAC vendors or 

vendors with multifunctional offerings whose primary focus is NAC (for 

example, Avenda Systems, Bradford Networks, ForeScout, Impulse Point, 

InfoExpress and Nevis Networks). The pure-play vendors face the biggest 

challenges, as vendors in the other three categories continue to enhance 

their NAC offerings. 

When measured by annual revenue, the NAC market is declining. Gartner 

estimates that the size of the NAC market in 2009 was approximately $199 

million, a decrease of approximately 10% over the market in 2008. We had 

anticipated a slowdown in market growth to 25%, but market factors detailed 

above and the severity of the economic slump contributed to the shrinking 

market. Also, some vendors exited the market, and others entered, but the overall 

effect was a net loss in market size. As we predicted back in 2004, the NAC 

capabilities existing or promised in network infrastructure, EPP platforms and the 

latest Windows desktop operating system impacted the growth of NAC-specific 

revenue, even as NAC "seats" increased. For 2010, we expect a flat market, with 

total revenue of approximately $200 million. Positive NAC demand factors, such 

as support for consumerization, will be offset by embedded NAC and a focus on 

inexpensive authentication, particularly 802.1X. 

Return to Top 

Inclusion and Exclusion Criteria 

The goal of the inclusion/exclusion criteria listed below is to identify those 

vendors that own core NAC technology. Vendors whose solutions are based 

heavily on technology that is licensed from original equipment manufacturers 

have been excluded from this Magic Quadrant. 

To be included in this Magic Quadrant, the vendors' solutions must include the 

policy, baseline and access control elements of NAC, as defined by the following 

criteria: 

Policy: The NAC solution must include a dedicated policy management 

server with a management interface for defining and administering security 

configuration requirements and for specifying the access control actions 

(for example, allow or quarantine) for compliant and noncompliant 

endpoints. The ability to report on the overall state of endpoint compliance 

is a critical component of the policy function. Because policy administration 

and reporting functions are key areas of NAC innovation and differentiation, 

vendors must own the core policy function to be included in this Magic 

Quadrant. 

Baseline: A baseline determines the security state of an endpoint that is 

attempting a network connection (LAN, wireless LAN or VPN) so that a 

decision can be made about the level of access that will be allowed. 

Baselining must include the ability to assess policy compliance (for



4 of 18 19/8/2553 15:31 

example, up-to-date patches and antivirus signatures) and may include the 

ability to detect installed malware. Various technologies may be used for 

the baseline function, including agentless solutions (such as vulnerability 

assessment scans), dissolvable agents and persistent agents. NAC solutions 

must include a baseline function, but "reinventing the wheel" is not 

necessary. Baseline functionality may be obtained via an OEM or licensing 

partnership. 

Access control: The NAC solution must include the ability to block, 

quarantine or grant full access to an endpoint. The solution must be flexible 

enough to enforce access control in a multivendor network infrastructure, 

and it must be able to enforce access in both LAN and remote-access 

environments. Enforcement must be accomplished either via the network 

infrastructure — for example, 802.1X, virtual LANs (VLANs), access control 

lists (ACLs) — or via the vendor's NAC solution — for example, 

dropping/filtering packets or Address Resolution Protocol (ARP) spoofing. 

Dynamic Host Configuration Protocol (DHCP) enforcement qualifies for 

inclusion, provided that policy enforcement can be delivered via 

partnerships with two or more DHCP solutions. Vendors that rely solely on 

agent-based endpoint self-enforcement do not qualify as NAC solutions. 

Additional criteria: 

Solutions must link to remediation systems (for example, patch and 

configuration management), but they do not need to own core mitigation 

technology. 

The products with the required features and functions must be shipping as 

of 1 February 2010. 

The vendor must have at least $2 million in NAC sales during the 12 months 

leading up to 1 February 2010. 

Vendors Considered but Not Included in the 2010 Magic Quadrant 

LAN Switch Manufacturers 

LAN switch manufacturers that base critical components of their NAC solutions on 

OEM technology or that resell NAC solutions from other vendors have been 

excluded from this Magic Quadrant. For example, Extreme Networks has not been 

included in our analysis, because its Sentriant AG200 NAC solution is based on 

StillSecure's Safe Access product. Alcatel-Lucent has not been included, because 

its approach to NAC is to resell the CyberGatekeeper solution from InfoExpress. 

Small or Midsize Business (SMB) Vendors 

SMB vendors that lack enterprise-class features and functions have been excluded 

from this Magic Quadrant. For example, NetClarity is a vendor that targets SMBs. 

Its NetClarity family of NACwall appliances use an agentless (no additional 

software on the PCs) approach to baseline the health of the endpoints. NACwalls 

are deployed out of band in LANs, so they install easily and are not in the line of 

traffic (no additional latency to the network). NACwall appliances interface with 

existing switches and firewalls to enforce access control. ARP manipulation can 

also be used to enforce access. Napera Networks, an SMB-focused vendor that 

previously sold a family of switches with embedded support for Microsoft Network 

Access Protection (NAP), has shifted its strategy to offer a cloud-based 

subscription service that performs endpoint baselining. 

Microsoft 

Microsoft embeds NAC functionality (branded as Microsoft NAP) within its more 

recent operating systems (Windows 7, Vista and XP Service Pack 3) and within 

Windows Server 2008. Consistent with our practice from 2009, we did not include 

Microsoft in this year's Magic Quadrant because of the requirement that 

organizations need to upgrade to the required Microsoft products. None of the 

other solutions in this Magic Quadrant require a desktop operating system update. 

However, we will re-evaluate Microsoft and the market penetration of Microsoft 

NAP-ready endpoints in 2011. 

Return to Top 

Added 

Avaya (via its acquisition of Nortel's Enterprise Solutions unit). 

Avenda Systems 

HP (via its acquisition of 3Com) 

Nevis Networks 

Return to Top



5 of 18 19/8/2553 15:31 

Dropped 

Aruba has terminated its licensing agreement with Bradford Networks, 

which was the OEM of Aruba's Endpoint Compliance Systems appliance. 

Aruba is re-evaluating its NAC strategy. 

ConSentry effectively went out of business in August 2009 (although its 

website, at the time of this Magic Quadrant's publication, is still operational 

and makes no mention of the company's change in status). 

Return to Top 

Evaluation Criteria 

Ability to Execute 

The Ability to Execute criteria are: 

Product/Service: An evaluation of the features and functions of the 

vendor's NAC solution. Because the most common usage case for NAC is 

guest networking (blocking unmanaged endpoints from the main network, 

and granting them limited access or Internet access only), those solutions 

with strong support for guest networking will score strongly. Support for 

endpoint baselining and, to a lesser extent, identity-aware networking is 

also an important part of this criterion. Ease of use and the overall quality 

of the management and reporting features will be important considerations. 

Those solutions that support a variety of enforcement options (for example, 

VLAN steering, ACLs, DHCP and others) will score more highly than 

solutions with limited enforcement options. 

Overall Viability: Viability includes an assessment of the vendor's overall 

financial health, the financial and practical success of the business unit, and 

the likelihood of the individual business unit to continue to invest in an NAC 

solution. 

Sales Execution/Pricing: The vendors' capabilities in all presales 

activities and the structure that supports them. The ability of vendors to 

succeed in their target markets is important. Vendors that target large 

enterprises should demonstrate success in winning NAC deals of 10,000 

endpoints and more. Vendors that target SMBs should demonstrate a high 

volume of smaller and midsize deals. 

Market Responsiveness and Track Record: Ability to respond, change 

direction and be flexible as market dynamics vary. This criterion also 

considers the vendor's history of responsiveness, including how quickly it 

responded when the primary focus on NAC shifted from endpoint baselining 

to guest networking. 

Marketing Execution: This criterion assesses the effectiveness of the 

vendor's marketing programs and its ability to create awareness and "mind 

share" in the NAC market. Those vendors that frequently appear on client 

shortlists are succeeding in marketing execution. 

Customer Experience: Quality of the customer experience based on 

reference calls and input from Gartner clients. 

Operations: The ability of the organization to meet its goals and 

commitments in an efficient manner. Past performance is weighted heavily. 

Note — this criterion will not be evaluated for the NAC Magic Quadrant. 

Table 1. Ability to Execute Evaluation Criteria 


Weighting 

Product/Service 

High 

Overall Viability (Business Unit, Financial, Strategy, Organization) High 

Sales Execution/Pricing 

Standard 

Market Responsiveness and Track Record 

Standard 

Marketing Execution 

Standard 

Customer Experience 

High 

Operations 

No rating 


Return to Top 

Completeness of Vision



6 of 18 19/8/2553 15:31 

Completeness of Vision criteria are: 

Market Understanding: Ability of the vendor to understand buyers' needs 

and translate these needs into NAC products. This includes the ability to 

anticipate market trends and to quickly adapt via partnerships, acquisitions 

or internal development. 

Marketing Strategy: This criterion analyzes whether the vendor's 

marketing strategy succeeds in differentiating its NAC solution from its 

competitors. 

Sales Strategy: The vendor's strategy for selling to its target audience, 

including an analysis of the appropriate mix of direct and indirect sales 

channels. 

Offering (Product) Strategy: An evaluation of the vendor's strategic 

product direction and its road map for NAC. The product strategy should 

address the NAC trends reflected in Gartner's client inquiries. 

Business Model: The soundness and logic of the vendor's underlying value 

proposition. How well will the vendors' NAC strategy succeed in an 

environment where NAC is increasingly becoming a feature of broader 

network and security solutions. 

Vertical/Industry Strategy: The vendor's strategy for meeting the 

specific needs of individual vertical markets and market segments (for 

example, higher education). 

Innovation: This criterion includes product leadership and the ability to 

deliver NAC features and functions that distinguish the vendor from its 

competitors. 

Geographic Strategy: The vendor's strategy for penetrating geographies 

outside its home or native market. 

Table 2. Completeness of Vision 


Evaluation Criteria Weighting 

Market Understanding High 

Marketing Strategy Standard 

Sales Strategy 

Standard 

Offering (Product) Strategy High 

Business Model 

Standard 

Vertical/Industry Strategy Low 

Innovation 

Standard 

Geographic Strategy Low 


Return to Top 

Leaders 

Leaders are successful in selling large NAC implementations (10,000 nodes and 

above) to multiple large enterprises as a primary offering. Leaders are networking 

and/or security companies that recognized early on that NAC would be an 

important component of their overall product portfolios and have been first to 

market with enhanced capabilities as the market matures. Leaders have the 

resources to maintain their commitment to NAC, have strong channel strength and 

have financial resources. They have also demonstrated a strong understanding of 

the future direction of NAC, including market demand for inexpensive guest 

network and authentication solutions. Leaders should not equate to a default 

choice for every buyer, and clients should not assume that they must buy only 

from vendors in the Leaders quadrant. 

Return to Top 

Challengers 

Challengers are networking and/or security companies that have been successful 

in selling NAC to their installed bases, although they are generally unsuccessful in 

selling NAC to the broader market. Challengers are generally not NAC innovators, 

but are large enough and diversified enough to continue investing in their NAC 

strategy. They are able to withstand challenges and setbacks more easily than 

Niche Players.



7 of 18 19/8/2553 15:31 

Return to Top 

Visionaries 

Visionaries have led the market in product innovation and/or displayed an early 

understanding of market forces and trends. They are either smaller pure-play NAC 

vendors or larger networking and/or security companies. A common theme in 

visionary vendors is that they don't have significant channel strength and have not 

succeeded in building installed bases as large as the leaders. Pure-play vendors in 

the Visionaries quadrant face challenges in moving into the Leaders quadrant, due 

to the trend of network and security companies embedding NAC functionality in 

their existing solutions. 

Return to Top 

Niche Players 

Niche Players represent a mix of small and large companies. The large companies 

are network and/or security vendors that have had some success in selling NAC to 

their traditional installed base, but typically face stiff competition from other NAC 

vendors. Large Niche Players have generally struggled to sell NAC to the broader 

market. Small Niche Players don't appear often on Gartner clients' shortlists, but 

some of them are successful in addressing subsets of the overall market. Niche 

Players are valid suppliers in the market and often provide solutions targeted to 

the needs of a particular vertical industry. 

Return to Top 

Vendor Strengths and Cautions 

Avaya 

Avaya appears in the NAC Magic Quadrant for the first time, as a result of its 

acquisition of Nortel's Enterprise Solutions unit. The key component in Avaya's 

NAC strategy is its RADIUS-based policy server, known as the Ignition Server, 

which is part of a solution that Nortel gained by acquiring key intellectual 

property of Identity Engines. The Ignition Server is available only as a virtual 

machine on VMware. The Avaya Health Agent is capable of baselining Windows 

endpoints. The primary use case for Avaya's NAC solution is the installed base of 

Nortel switch and wireless LAN customers, although the Ignition Server is capable 

of supporting non-Nortel environments. 

Return to Top 

Strengths 

Support for Microsoft NAP makes the Ignition Server a good choice in 

all-Microsoft environments. 

The Identity Engines offering provides a strong guest networking solution 

that is complete with user provisioning, reporting and management 

capabilities. 

Avaya has strong multivendor 802.1X support and operational tools (for 

example, authentication reports) for easing the operational challenges of 

managing an 802.1X environment. 

Return to Top 

Cautions 

Avaya's NAC solution does not include permanent agents for baselining OS 

X, Linux or other non-Microsoft endpoints. It also does not offer an 

agentless scanning option. 

The Avaya installed base of network infrastructure (the main target 

audience for Avaya NAC) remains somewhat cautious and skeptical about 

Avaya's commitment to the market after enduring a very difficult and 

uncertain period as Nortel consolidated investments and dispersed its 

assets. 

Avaya's NAC solution has little visibility in the broader market (beyond 

Nortel's installed base).



8 of 18 19/8/2553 15:31 

Return to Top 

Avenda Systems 

Avenda Systems is a new entrant in the NAC Magic Quadrant. Its focus on the 

guest network use case and on interoperability (it was an early supporter of 

Trusted Network Connect [TNC] protocols) has contributed to its position in the 

Visionaries quadrant. Founded in 2006, Avenda's flagship offering is a 

RADIUS-based policy server, known as Enterprise Trust & Identity Policy System 

(eTIPS), that can be used in heterogeneous environments (mixed endpoints 

and/or mixed network infrastructure). eTIPS is available in an appliance form 

factor, and also as a virtual machine for VMware. It supports 802.1X and 

Web-based authentication for wireless, wired and VPN environments, and can also 

be used to enable the endpoint baselining use case for NAC (it supports 

permanent agents, dissolvable agents and agentless scans via Nessus). Multiple 

enforcement options are offered, including VLAN steering, ACLs and DHCP. 

Enterprises that can tolerate the risks of a startup and need a solution to support 

a heterogeneous environment should consider Avenda. 

Return to Top 

Strengths 

Support for the TNC's Statement of Health protocol enables Avenda to 

provide endpoint baselining for Microsoft NAP-enabled endpoints (Windows 

7, Vista and XP SP3) without requiring an additional agent. Avenda also 

provides agents that can baseline endpoints running Apple OS X and Linux 

operating systems. 

Avenda's Quick 1X tool simplifies the configuration of a broad set of 

supplicants, including supplicants native to Windows and Linux. It also 

supports supplicants on Mac OS X, iPhone and iPad operating systems. 

References for Avenda commented that its solution provides a flexible and 

granular approach to creating policies. 

Return to Top 

Cautions 

Avenda's prospects for success are tied heavily to 802.1X, for which 

adoption in wired networks has been slow thus far. 

Enterprise inertia is a challenge for Avenda. Most enterprises have already 

implemented RADIUS servers from Cisco, FreeRADIUS, Microsoft or Juniper 

for their VPN and wireless access, and they are likely to stay with these 

existing solutions as they begin to extend RADIUS-based authentication to 

their wired networks. 

Avenda is a small company with limited resources. Microsoft and other 

vendors with a focus on the TNC specifications (for example, Juniper) have 

the resources to thwart Avenda's progress by duplicating eTIPS functionality 

on their own policy servers. 

Return to Top 

Bradford Networks 

Bradford Networks was one of the earlier entrants into the NAC market, 

developing its Campus Manager product to meet the needs of universities to allow 

a wide variety of university-owned and student-owned PCs to connect without 

causing security problems. Bradford has built on this vertical industry to attack 

the broader NAC market. In May 2009, it brought in a new CEO. Bradford renamed 

its lead NAC product "Network Sentry" and took steps to put more discipline in its 

channel strategy to go after corporate markets. In 2009, Aruba terminated its 

agreement to license technology from Bradford. The loss of that OEM deal offset 

gains in its ability to execute, brought by Bradford expanding beyond the 

academic vertical market. Enterprises should evaluate Bradford's capabilities when 

NAC requirements are driven by diverse IT environments. 

Return to Top 

Strengths 

Ease of deployment is rated very high for Network Sentry. Bradford's 

out-of-band approach and wide platform support eliminate many potential



9 of 18 19/8/2553 15:31 

problems. 

Bradford's experience in diverse university requirements puts it in a good 

position for satisfying enterprise needs to use NAC to secure the use of 

employee-owned PCs and smartphones. 

Bradford consistently gets high marks for customer support and overall 

corporate responsiveness. 

In the past year, Bradford had a number of wins outside of the university 

vertical market, some displacing other incumbent NAC vendors. 

Return to Top 

Cautions 

The ending of the OEM relationship with Aruba will slow Bradford's 

progress in expanding beyond the academic vertical market. 

Like all other NAC pure-play vendors, Bradford will be increasingly 

squeezed by NAC solutions offered by incumbent network infrastructure and 

EPP software vendors. 

Bradford users consistently request improvements in Network Sentry's user 

interface and reporting. 

Return to Top 

Check Point Software Technologies 

Check Point Software Technologies is one of the largest pure-play security 

companies, with a large firewall and VPN gateway installed base, and a strong 

global channel. Check Point has been slowly accumulating the component pieces 

to compete in the EPP platform market, and is gradually building on its installed 

base from the acquisition of Pointsec in 2006. Thus, Check Point's NAC 

capabilities are features that can be enabled by enterprises using its network 

security, endpoint security products or both, rather than a stand-alone NAC 

offering. Check Point's planned support for advanced guest management 

capabilities and its embrace of industry standards gained it an increased vision 

rating this year. Check Point's offerings should be considered by enterprises using 

Check Point's network security and/or endpoint security products. 

Return to Top 

Strengths 

Check Point Cooperative Enforcement works well across Checkpoint network 

security products and third-party Open Platform for Security (OPSEC) 

partner technology. 

Check Point offers both a dissolvable agent and the Abra USB-based 

"portable personality" device for securing access by unmanaged PCs. 

Check Point's installed base and global channel provide a strong 

competitive advantage, especially where the NAC deployment is remoteaccess-centric. 

Return to Top 

Cautions 

In the EPP platform market, Check Point competes against more-established 

solutions from McAfee, Sophos and Symantec, putting Check Point at a 

disadvantage in competitive endpoint-centric NAC deployments. 

Although Checkpoint has supported guest access through a captive portal 

approach, it has been slow to add advanced guest networking management 

capabilities. 

Return to Top 

Cisco 

Cisco's execution in the NAC market has not mirrored its success in the network 

infrastructure market. The most common complaint about Cisco's NAC solution is 

that it is too complex and too expensive. Cisco was slow to recognize and adapt 

to these deficiencies — thus, its backward movement along the Completeness of 

Vision axis. Cisco also lost points in its ability to execute, because many of its 

customers chose to implement competing NAC solutions. However, Cisco is 

shifting its NAC strategy, and if it executes well, it should remain a leader in the



10 of 18 19/8/2553 15:31 

NAC market. The two main elements of the renewed strategy are an increased 

focus on 802.1X for controlling guest access and a new NAC appliance that 

consolidates functionality that is presently distributed among multiple NAC 

appliances. Cisco customers should consider the new NAC appliances once these 

products become available. Gartner expects that the new solutions will be 

shipping before year-end 2010. 

Return to Top 

Strengths 

Cisco's renewed focus on 802.1X in wired networks will enable it to deliver 

basic and inexpensive guest network access, thereby addressing the 

primary NAC requirement for most enterprises. 

AnyConnect, which combines VPN, NAC and other security technologies into 

a single endpoint client, will help Cisco grow its installed base of NAC 

endpoint software. Cisco has a strong market share in the VPN market, and 

when its customers upgrade to AnyConnect, they will also be installing the 

embedded NAC software. 

The combination of Cisco's profiling solution (NAC Profiler) and its guest 

networking solution (NAC Guest Server) make for a strong approach to 

guest networking. NAC Profiler (Great Bay Software is the OEM provider) 

discovers and monitors nonauthenticating devices (for example, IP phones 

and printers), thereby easing the process of supporting endpoints that are 

non-NAC capable. NAC Guest Server (this technology is also licensed from 

an OEM provider) provisions guest accounts and monitors guest activity on 

the network. (Note: functionality from NAC Profiler and NAC Guest Server 

will be included in Cisco's new NAC appliance.) 

Cisco's long-term strategy of embedding identity awareness into its Catalyst 

switches (a component of its TrustSec strategy) will enable it to support 

identity policies more granularly and more flexibly than most of its NAC 

competitors. 

Return to Top 

Cautions 

Before making further investments in Cisco's current family of NAC 

appliances (NAC Appliance 33XX Series, NAC Profiler and NAC Guest 

Server), Cisco customers should wait for Cisco to publicly announce its 

plans to upgrade these solutions and offer investment protection. 

Although Cisco's updated TrustSec positioning is a good start, it still needs 

improvements to its NAC marketing and branding. For example, Cisco needs 

to clarify the role that Secure Access Control System (ACS) plays in its 

broader NAC strategy. 

Despite a stated partnership with Microsoft, dating back to 2004, Cisco still 

does not support the Microsoft NAP protocols or the equivalent TNC 

specifications. Thus, Cisco software is required on Windows desktops to 

perform anything beyond the most basic endpoint baselining functionality. 

Return to Top 

Enterasys 

In 2008, the Gores Group purchased Siemens Enterprise Communications and 

merged it with Enterasys (which it already owned). Since then, Enterasys has 

struggled to gain market share (currently 1% to 2%) in the wired network 

infrastructure market, its core competency. Enterasys offers out-of-band (NAC 

Gateway) and in-line (NAC Controller) components. The NAC Controller enables 

NAC for older third-party switches that do not support 802.1X or RADIUS-based 

authentication. The Enterasys solution performs endpoint baselining via agents 

(permanent and dissolvable) and agentless technology. The primary usage case 

for Enterasys NAC is Enterasys switch and wireless LAN customers, although the 

solution is capable of supporting non-Enterasys environments. 

Return to Top 

Strengths 

Enterasys' main product strength remains the flow-based technology in its 

S-Series and N-Series switches. NAC policies can be applied for each 

unique flow (by tracking the source/destination address pairing). For 

example, granular policies can be established to implement bandwidth rate 

limits or trigger deep-packet inspection.



11 of 18 19/8/2553 15:31 

Enterasys' NAC management console has an integrated profiling capability, 

which automatically discovers and identifies all endpoints on the network. 

Enterasys has integrated its Dragon IPS, as well as third-party IPS 

solutions, with its NAC offering, so that it can quarantine endpoints that 

Dragon identifies as suspicious. 

Return to Top 

Cautions 

Its shrinking market share limits Enterasys' ability to grow its NAC 

business, particularly because it has had limited success in selling NAC to 

the broader market. 

For a network infrastructure vendor, Enterasys lacks operational and 

troubleshooting tools for managing an 802.1X environment. 

Return to Top 

ForeScout 

ForeScout is a network security pure-play company that offers the CounterACT 

NAC appliance and the CounterACT Edge security appliance. CounterACT is highly 

rated by users for ease of deployment and flexible enforcement scenarios. 

ForeScout's out-of-band approach simplifies moving from guest networking to 

baselining to enforcement, the common success pattern for NAC deployments. 

ForeScout had a number of new customer wins since the publication of the 2009 

NAC Magic Quadrant, with a strong presence at government agencies, gaining it 

an increase in its Ability to Execute rating. ForeScout should be considered by 

enterprises looking at NAC solutions that are not tied to network infrastructure or 

EPP software. 

Return to Top 

Strengths 

CounterACT is highly rated for ease of deployment and price/performance in 

large installations, and ForeScout consistently gets good ratings for 

responsiveness and support. 

CounterACT provides strong support for the guest network and endpoint 

baselining use cases, and it provides basic support for role-based policies. 

CounterACT also supports post-connect NAC, via its IDS-like functionality. 

ForeScout customers tend to grow their deployment of CounterACT 

appliances and scale their NAC solutions quickly. 

ForeScout's visibility (as reflected by how often it appears on the shortlists 

of Gartner clients) has improved since 2009. 

Return to Top 

Cautions 

Although CounterACT's price/performance is strong across large 

installations, users report that ForeScout's management console needs 

ease-of-use improvements for large-scale implementations. 

Like all other NAC pure-play vendors, ForeScout will be increasingly 

squeezed by NAC solutions offered by incumbent network infrastructure and 

EPP software vendors. 

Return to Top 

HP (3Com) 

HP Identity Driven Manager is HP's lead offering in NAC. In April 2010, HP 

completed the acquisition of 3Com, along with H3C, the joint venture between 

Huawei and 3Com. H3C has an NAC solution, as did TippingPoint, which 3Com 

had previously acquired in 2005. Prior to these acquisitions, HP's NAC solution 

consisted of Identity Driven Manager and the ProCurve Network Access Control 

800 appliance, which was based on technology licensed from StillSecure (via an 

OEM agreement). HP discontinued the ProCurve Network Access Control 800 

appliance in April 2010, and it recommends the StillSecure branded NAC offering 

as a replacement (StillSecure is an HP AllianceONE NAC Specialization Partner). 

Until HP articulates a coherent strategy and road map for its NAC products, we 

continue to rate it as a Niche Player in the market. Users of HP network



12 of 18 19/8/2553 15:31 

infrastructure technology should consider HP's NAC offering. 

Return to Top 

Strengths 

Identity Driven Manager is a plug-in to HP's ProCurve Manager Plus, 

simplifying NAC deployment for ProCurve wired and wireless network users. 

HP has tightly coupled Identity Driven Manager to Microsoft's NAP 

technology that is built into PCs running the XP SP3, Vista and Windows 7 

operating systems, easing NAC deployment for enterprises that have 

deployed these newer operating systems. 

As a large company with global support and significant R&D resources, and 

a good track record in supporting and driving industry standards, if HP 

chooses to focus on NAC as a key part of competing in the network 

infrastructure market, then it could become a major market factor. 

Return to Top 

Cautions 

Identity Driven Manager's integration to ProCurve puts it in direct 

competition with Cisco's NAC strategy. Although Gartner gives ProCurve a 

strong rating as a network infrastructure contender, Cisco's domination of 

the installed base is a major challenge to HP NAC adoption. 

HP's reliance on Microsoft NAP puts it at a disadvantage in environments 

with older Microsoft desktop operating systems (that do not support 

Microsoft NAP) and where consumerization demands are resulting in more 

use of PCs and smartphones that run non-Microsoft operating systems. 

Although HP has a large portfolio of security products, its overall strategy 

for security is unclear, and its NAC strategy and road map suffer as a result. 

Return to Top 

Impulse Point 

Impulse Point has shown growth in the higher education market, and also the 

K-12 sector, but it has not demonstrated an ability to penetrate the commercial 

enterprise market. Its strong vertical focus keeps it positioned in the Niche Players 

quadrant. Enforcement is provided via ACLs at Layer 3 (for example, routers and 

switches), at Layer 4 (support is provided for Blue Coat proxies) or via firewall 

policies. This approach is suitable for some university environments, although it 

does not meet the enforcement requirements of most corporate environments, 

where enforcement is required at Layer 2 (at the LAN switch). Impulse Point 

delivers its solution as a managed service, which includes managing updates 

(patches and antivirus status) to its policy server and housing daily policy 

configuration backups. Safe Connect is available as an appliance or via software 

(it is certified to run in a virtualized VMware environment). Educational 

institutions dealing with heterogeneous endpoint environments should consider 

Impulse Point. 

Return to Top 

Strengths 

Safe Connect can be deployed quickly, because its Layer 3 approach to 

enforcement eliminates the need to test compatibility at Layer 2 (among an 

enterprise's LAN switches). 

Impulse Point provides a scalable and relatively inexpensive approach to 

NAC. In large environments (10,000 nodes and above), Impulse Point's 

pricing model is highly favorable. 

With several of its university customers, SafeConnect displaced its 

competitors' NAC equipment. 

Its endpoint agent provides continuous posture assessment and 

quarantining (agent-based self-enforcement). Many endpoint-based NAC 

solutions require scheduled posture assessment scans. 

Return to Top 

Cautions 

Safe Connect's Layer 3-based enforcement mechanism (ACLs on routers) 

makes it a poor choice for enterprises seeking to implement guest networks



13 of 18 19/8/2553 15:31 

in corporate environments. Endpoints are still able to gain access by 

connecting to a Layer 2 LAN switch. Impulse Point provides the option to 

integrate FreeRADIUS in the Safe Connect policy server to authenticate 

802.1X-enabled endpoints, although the solution is not competitive with 

other appliance-based RADIUS solutions that are more scalable and have 

better tools for troubleshooting failed authentications. 

Although its focus on NAC as a managed service shifts the daily support 

burden to Impulse Point, some of its customers have commented that 

product documentation quality is weak. In the most recent release, updated 

documentation was not available for several months after the product 

shipped. 

Outside the higher education market, Impulse Point suffers from low market 

visibility, because of its small size and its limited resources. 

Although Impulse Point has improved its reporting and graphical interface, 

its policy controls in the area of guest networking and its Windows patch 

management are weaker than many of its competitors. 

Return to Top 

InfoExpress 

InfoExpress is largely focused on the NAC market, although it also offers a 

personal firewall product. It is still a small company (fewer than 100 employees), 

but it was founded in 1993 and remains a "bootstrap" company — it has never 

needed to raise money from venture capitalists. In 2009, InfoExpress partnered 

with Alcatel-Lucent and integrated its technology with Alcatel-Lucent's LAN 

switches, wireless access points (from Aruba) and its VitalQIP Suite (which 

enables DHCP-based enforcement). Alcatel-Lucent is now a global reseller of 

InfoExpress solutions. Enterprises should evaluate InfoExpress' capabilities when 

NAC requirements are driven by diverse IT environments. 

Return to Top 

Strengths 

InfoExpress provides a broad array of deployment options for NAC. 

Persistent or dissolvable agents can be used to baseline endpoints. Its 

CyberGatekeeper appliances provide in-line and out-of-band enforcement 

for LAN, wireless LAN and VPN connections, and its policy server functions 

as a RADIUS proxy. InfoExpress' most popular NAC solution is its Dynamic 

NAC offering, which uses permanent agents to implement ARP-based 

enforcement of noncompliant endpoints. 

Dynamic NAC can be a cost-effective solution for organizations that have 

many sparsely populated branch offices, because it does not require 

additional hardware. 

InfoExpress' CyberGatekeeper NAC solution is a good complement to its 

personal firewall offering. 

Return to Top 

Cautions 

InfoExpress' policy management console lacks some of the user-friendly 

features (for example, drop-down menus and radio buttons) found in 

competitive offerings. 

Guest networking functionality is limited. Guest accounts must be 

provisioned on a RADIUS server or on Active Directory, and managing an 

exception list of endpoints is manually intensive. 

The company's technology differentiation has eroded as large competitors, 

such as McAfee and Symantec, have expanded their endpoint security 

solutions to include better personal firewalls and NAC support. 

Return to Top 

Insightix 

Insightix is a pure-play network visibility vendor with products branded under the 

Insightix Business Security Assurance (BSA) line. BSA Visibility is the main 

product, which uses a mixture of active and passive techniques to detect and 

profile devices connected to the network. Visibility greatly reduces the manual 

effort required to maintain a continuous and accurate inventory of everything 

connected to the network and the key attributes of each device. BSA NAC provides 

enforcement capabilities through ARP manipulation, while BSA Guest Access



14 of 18 19/8/2553 15:31 

Control provides a captive portal approach for allowing limited guest access. 

Insightix has improved its management and workflow capabilities and added 

integration to McAfee and Juniper environments, but its lack of visibility and 

limited large-scale deployments acted to offset these gains in the Ability to 

Execute and Completeness of Vision axes. Enterprises that have demand and 

funding for network discovery capabilities that later may be used as the 

foundation for broader NAC deployment should consider Insightix. 

Return to Top 

Strengths 

Ease of implementing discovery and baselining and the depth and accuracy 

of the profiling information are Insightix's core strengths. Embracing the 

IF-MAP standard will help it increase partnerships with network 

infrastructure vendors that lack their own discovery capabilities. 

Insightix's enforcement technique is easy to deploy for organizations that 

are mostly interested in visibility and inventory, with limited quarantining 

requirements. 

Return to Top 

Cautions 

Insightix's visibility in North American and larger European companies is 

very limited, and it rarely appears on Gartner client shortlists in those 

geographies. 

Insightix's integration with remediation products and its support for guest 

access management are limited. 

Although Insightix can sell network visibility outside the NAC space, it will 

be increasingly squeezed in NAC opportunities by incumbent network 

infrastructure and EPP software vendors that embed NAC functionality. 

Return to Top 

Juniper 

Juniper has been an early promoter of NAC standards, and its Unified Access 

Control (UAC) solution was one of the first to implement the TCG/TNC's protocols 

that enable NAC interoperability. Juniper has also been an early adopter of the 

TNC's IF-MAP specification, which creates an open and structured way for devices 

and users to share information on a network. Juniper's success in selling UAC into 

large accounts and its foresight with regard to NAC interoperability have enabled 

it to remain in the Leaders quadrant, although it lost points overall in the 

Completeness of Vision and Ability to Execute axes. With regard to vision, Gartner 

believes that Juniper is missing opportunities by not targeting UAC more strongly 

as a solution for the Guest Network use case. With regard to its ability to execute, 

Juniper lost points because it needs to create stronger mind share and sales for 

UAC among its installed base of enterprise customers. Juniper customers and 

enterprises that emphasize NAC interoperability due to diverse IT environments 

should consider Juniper's UAC solution. 

Return to Top 

Strengths 

Junos Pulse, which combines VPN, NAC and WAN acceleration technology 

into a single endpoint client, will help Juniper grow its installed base of 

NAC endpoint software. Juniper has strong market share in the VPN market, 

and when its customers upgrade to Junos Pulse, they will also be installing 

the embedded NAC software. 

Integrating Webroot anti-spyware, another component of Junos Pulse, 

enables Juniper to go beyond basic endpoint compliance checking to also 

assess whether an endpoint is infected with malware. 

UAC support is embedded in Juniper's firewall, IPS and Ethernet switch 

product families. This integrated approach enables Juniper components to 

enforce device policies and/or identity policies (user policies), and makes 

UAC a good option for multiple NAC use cases. 

Juniper's support for Microsoft NAP enables it to provide basic endpoint 

baselining on Windows PCs without requiring the Junos Pulse agent. 

Return to Top



15 of 18 19/8/2553 15:31 

Cautions 

Feedback from some Juniper references reflects poorly on the ease of UAC 

deployment. Gartner received complaints about the deployment and 

manageability of the UAC client, and also received similar input regarding 

Juniper's RADIUS functionality. 

Juniper is too focused on selling the complete UAC solution, and has not 

leveraged its 802.1X support to gain a beachhead in accounts for guest 

networking. 

For a solution with a strong emphasis on identity-aware networking, 

Juniper's policy management console lacks some important features for 

enabling guest access. For example, setting up time-based access requires 

custom filters (instead of radio buttons), and guest credentials cannot be 

automatically e-mailed or texted in advance. 

Return to Top 

McAfee 

As an EPP vendor with a strong set of network security products, McAfee is 

well-positioned to sell NAC into its installed base of ePolicy Orchestrator (ePO) 

customers. In addition to embedding NAC functionality into its EPP suites, McAfee 

also offers NAC as a stand-alone component. An optional software module for 

McAfee's IPS appliance enables it to enforce NAC policies. Non-IPS customers 

have the option of purchasing a stand-alone NAC appliance, which runs the same 

software but without the IPS functionality. McAfee had purchased the assets of 

failed NAC vendor Lockdown Networks, which would have enabled it to deliver an 

inexpensive NAC solution for the SMB market, but it appears to have abandoned 

that strategy. McAfee's Network User Behavior Analysis, a solution that it gained 

with its acquisition of Secure Computing, monitors user behavior on an enterprise 

network and could be deployed as part of a post-connect NAC project, although 

McAfee does not market it as an NAC offering. Even with its strengths in network 

security, McAfee has yet to demonstrate that it can consistently win large NAC 

deals in its installed base of ePO accounts, and Gartner has positioned it below 

the Ability to Execute line in the Visionaries quadrant. McAfee customers should 

evaluate its NAC solution. 

Return to Top 

Strengths 

McAfee's Network Security Manager (NSM) enables organizations to build 

and enforce rich policies, including identity policies and location-based 

policies. 

The user interface for provisioning guest accounts is good and includes 

several options for notifying guests of the account credentials (for example, 

SMS and e-mail). 

McAfee has gained additional network security experience through its 

acquisition of Secure Computing, which should help it compete in NAC sales 

against other EPP vendors. 

Return to Top 

Cautions 

McAfee's N-450 NAC Appliance is available in only one size, and it is not 

cost-effective for small environments or small remote sites. 

McAfee's NAC solution lacks the ability to enforce policy by configuring 

ACLs on LAN switches, a common feature in competing offerings. 

Return to Top 

Nevis Networks 

Nevis Networks appears for the first time in the NAC Magic Quadrant, although it 

also appeared in Gartner's NAC MarketScope in 2007 and 2008. Nevis went 

through a period of transition in 2009, after a management buy-out that resulted 

in the management team relocating to India, where the company already had a 

development center. Due to the uncertainty surrounding the company, Gartner did 

not include Nevis in the 2009 NAC Magic Quadrant. Nevis offers an in-line 

approach to NAC via two options — an Ethernet switch (Secure Switch 

LANenforcer) and a LAN appliance (LANenforcer) that is positioned between an 

edge switch and a core switch. Both products are based on Nevis' ASIC



16 of 18 19/8/2553 15:31 

technology, which has enabled it to cost-effectively integrate basic IPS 

capabilities in the LAN. Organizations that need the benefits of an in-line 

approach to NAC and can accept dealing with a geographically remote support 

organization should consider Nevis. Organizations that are located in India or 

China should consider Nevis. 

Return to Top 

Strengths 

Nevis' in-line positioning enables it to enforce granular user-based policies 

by dropping and filtering packets — a flexible approach to adding identity 

awareness to the network. 

The IPS capabilities in the LANenforcer products enable strong post-connect 

NAC functionality, using both signature and anomaly-based detection. 

LANenforcers provide application detection and control capability for 

applications that companies typically seek to limit, including instant 

messaging and other peer-to-peer applications, as well as gaming and 

streaming audio/video applications. 

Return to Top 

Cautions 

Outside of India and China, Nevis has a small presence and low market 

visibility. 

The requirement to deploy appliances in-line can be expensive, particularly 

in network topologies where the Nevis appliances are only partially used 

(for example, if many ports are left unused). Often, it is not cost-effective 

to deploy Nevis appliances in small remote offices or to enforce NAC in 

VPNs. 

Despite its increased market penetration in India and China, Nevis will be 

challenged to sell its LAN switches and NAC appliances against established 

network infrastructure vendors, such as Cisco, HP and Juniper. 

Return to Top 

Sophos 

In May 2010, Apax Partners, a private equity firm, announced plans to acquire 

70% of Sophos. The deal gives Sophos additional financial backing, and should 

have limited impact on Sophos customers in 2010. Sophos offers two NAC 

solutions (both are based on technology from its 2007 acquisition of Endforce). 

Sophos' EPP suite, Endpoint Security and Control, provides basic NAC policy, 

reporting and enforcement capabilities. Sophos' NAC Advanced solution, which 

requires a separate agent and management console, provides more-advanced 

features, such as custom policy creation, stronger reporting capabilities and more 

enforcement options (including support for 802.1X). Sophos' NAC solutions are a 

reasonable choice for Sophos customers. Larger customers, with 

more-sophisticated needs, should evaluate the NAC Advanced solution. 

Return to Top 

Strengths 

Basic NAC functions are embedded (at no extra charge) in Sophos' Endpoint 

Security and Control suite, although this version does not support VPN 

environments (the NAC Advanced Solution is required for VPNs). 

The Sophos policy server acts as a RADIUS proxy and provides very flexible 

and granular support (for example, configuring vendor-specific attributes 

and subattributes) for interoperating with policy enforcement points. 

Return to Top 

Cautions 

Sophos is behind its major EPP suite competitors (McAfee and Symantec) in 

delivering an integrated NAC and EPP solution. Its NAC Advanced solution 

still requires a separate agent and management console, whereas Symantec 

and McAfee offer integrated NAC agents with their EPP solutions. 

Although Sophos has made progress in selling to larger accounts, the 

majority of its client base are SMB customers and are less likely to adopt its 

enterprise-class Advanced NAC offering.



17 of 18 19/8/2553 15:31 

Customer references said that Sophos' reporting capabilities are 

cumbersome and that its management dashboard does not provide enough 

drill-down troubleshooting capabilities. 

Return to Top 

StillSecure 

StillSecure sells IPS, NAC and vulnerability management products. In 2009, 

StillSecure acquired ProtectPoint, a small managed security service provider, to 

enter the security services business, but it does not offer managed NAC services. 

The StillSecure Safe Access NAC product offers a full-time agent, a dissolvable 

agent and an agentless assessment option. StillSecure has licensed its technology 

to network infrastructure vendors Extreme Networks, HP and Novell. Safe Access 

should be considered in NAC deployments where heterogeneous networks are in 

use and where organizations want the flexibility of agent or agentless baselining 

options. 

Return to Top 

Strengths 

Safe Access supports a broad range of endpoint baselining and enforcement 

methods. 

StillSecure Safe Access has received Common Criteria certification, which 

simplifies procurement for defense and government agencies. 

References consistently quote the quality of StillSecure's technical support 

and Safe Access integration with LAN switches as leading reasons for 

selecting Safe Access. 

Return to Top 

Cautions 

Safe Access has limited support for advanced guest network management 

functions. These features are on StillSecure's road map for 2010. 

As a relatively small security vendor, StillSecure's resources are spread 

across three product areas and the new management security services 

initiative. 

Return to Top 

Symantec 

Symantec's Network Access Control product consists of NAC agent capabilities 

integrated into Symantec's Endpoint Protection software, managed by the same 

Symantec Endpoint Protection manager. Like other EPP vendors, Symantec's 

strength in NAC is largely based on the capabilities of its Endpoint Protect agent, 

but it also supports a dissolvable agent and an agentless approach with an 

optional scanner. In 2010, Symantec acquired Gideon Technologies, and 

Symantec intends to integrate Gideon's SecureFusion vulnerability scanning into 

Symantec NAC by year-end 2010. Symantec also offers a Symantec NAC "Starter 

Edition" that does not offer 802.1X or DHCP enforcement. Symantec lost points in 

vision and moved into the Challengers quadrant, mainly because its support for 

the guest network use case remains weak. Symantec NAC should be considered 

when Symantec is the incumbent desktop EPP vendor. 

Return to Top 

Strengths 

Symantec's share in the EPP market enables it to aggressively price NAC as 

an integrated capability. Where Symantec's Altiris desktop management 

product is also in use, Symantec has a very strong story for remediating 

noncompliant endpoints. 

Symantec's dissolvable agent and in-line VPN enforcement capabilities are 

given strong marks by references. 

Symantec's NAC status display is effective and provides a strong capability 

for rapid drill-down into endpoint status. 

Return to Top



18 of 18 19/8/2553 15:31 

Cautions 

Users still report installation as being cumbersome and complex. Symantec 

tools for importing device information and easing NAC startup are basic. 

Symantec's support for guest network administration is limited. Enhanced 

capabilities in this area are on Symantec's 2011 road map. 

Symantec's visibility in NAC is lower than its EPP market share would 

predict. This is likely due to Symantec's attempts recently to diversify into 

storage and system management, diluting its visibility in NAC-specific 

opportunities. 

Return to Top 

Trustwave 

Trustwave is a large Payment Card Industry Qualified Security Assessor (QSA) and 

security service provider that entered the NAC market in 2009 via its acquisition 

of Mirage Networks. Trustwave Enterprise NAC provides the full set of NAC 

functions using an out-of-band, clientless approach with ARP manipulation for 

quarantining. Trustwave also offers NAC appliances with limited functionality for 

smaller organizations, as well as a managed NAC service. Trustwave has made 

additional acquisitions in security information and event management (SIEM), 

DLP, and mobile data protection to broaden its managed service offerings and 

increase its efforts to be visible outside the PCI compliance space. Trustwave is 

still primarily a service vendor and not a product vendor. It moved into the Niche 

Players quadrant due to its focus on the retail market and on PCI compliance. 

Trustwave moved upward on the Ability to Execute axis due to its rapid growth 

and its plans to broaden beyond the retail vertical industry. Trustwave NAC 

offerings should be evaluated by enterprises looking to meet PCI requirements, 

and those where a low cost of entry and minimal integration to third-party 

products are required. 

Return to Top 

Strengths 

References continually quote ease of deployment and low cost as the 

primary factors for selecting Trustwave NAC. 

Trustwave's QSA strength and broad business relationships with credit card 

payment acquirers/processors give it an edge in selling managed NAC 

services to merchants as part of a larger bundle of Trustwave services to 

reach PCI compliance. 

Trustwave NAC has received Common Criteria certification, which simplifies 

procurement for defense and government agencies. 

Return to Top 

Cautions 

Trustwave NAC offers a limited set of enforcement options and guest 

networking support. 

Because Trustwave has acquired many security technologies and offers a 

broad range of its own services, Trustwave NAC has a shortlist of resellers 

and has limited integration to third-party security products, such as SIEM or 

remediation. 

Trustwave is rarely mentioned by Gartner clients outside of the context of 

PCI-related services. To attack the broader market, and build up a base of 

users that drive product features that are beyond PCI requirements, 

Trustwave will need to invest in building out enterprise product support 

capabilities. 

Return to Top 

© 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, 

Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written 

permission is forbidden. The information contained herein has been obtained from sources believed to be 

reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such 

information. Although Gartner's research may discuss legal issues related to the information technology 

business, Gartner does not provide legal advice or services and its research should not be construed or 

used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information 

contained herein or for interpretations thereof. The opinions expressed herein are subject to change 

without notice.

Magic Quadrant for Network Access Control.pdf - WIT

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?