Magic Quadrant for Network Access Control.pdf - WIT

More documents

Recommendations

Info

Magic Quadrant for Network Access Control http://www.gartner.com/technology/media-products/reprints/j... 10 of 18 19/8/2553 15:31 NAC market. The two main elements of the renewed strategy are an increased focus on 802.1X for controlling guest access and a new NAC appliance that consolidates functionality that is presently distributed among multiple NAC appliances. Cisco customers should consider the new NAC appliances once these products become available. Gartner expects that the new solutions will be shipping before year-end 2010. Return to Top Strengths Cisco's renewed focus on 802.1X in wired networks will enable it to deliver basic and inexpensive guest network access, thereby addressing the primary NAC requirement for most enterprises. AnyConnect, which combines VPN, NAC and other security technologies into a single endpoint client, will help Cisco grow its installed base of NAC endpoint software. Cisco has a strong market share in the VPN market, and when its customers upgrade to AnyConnect, they will also be installing the embedded NAC software. The combination of Cisco's profiling solution (NAC Profiler) and its guest networking solution (NAC Guest Server) make for a strong approach to guest networking. NAC Profiler (Great Bay Software is the OEM provider) discovers and monitors nonauthenticating devices (for example, IP phones and printers), thereby easing the process of supporting endpoints that are non-NAC capable. NAC Guest Server (this technology is also licensed from an OEM provider) provisions guest accounts and monitors guest activity on the network. (Note: functionality from NAC Profiler and NAC Guest Server will be included in Cisco's new NAC appliance.) Cisco's long-term strategy of embedding identity awareness into its Catalyst switches (a component of its TrustSec strategy) will enable it to support identity policies more granularly and more flexibly than most of its NAC competitors. Return to Top Cautions Before making further investments in Cisco's current family of NAC appliances (NAC Appliance 33XX Series, NAC Profiler and NAC Guest Server), Cisco customers should wait for Cisco to publicly announce its plans to upgrade these solutions and offer investment protection. Although Cisco's updated TrustSec positioning is a good start, it still needs improvements to its NAC marketing and branding. For example, Cisco needs to clarify the role that Secure Access Control System (ACS) plays in its broader NAC strategy. Despite a stated partnership with Microsoft, dating back to 2004, Cisco still does not support the Microsoft NAP protocols or the equivalent TNC specifications. Thus, Cisco software is required on Windows desktops to perform anything beyond the most basic endpoint baselining functionality. Return to Top Enterasys In 2008, the Gores Group purchased Siemens Enterprise Communications and merged it with Enterasys (which it already owned). Since then, Enterasys has struggled to gain market share (currently 1% to 2%) in the wired network infrastructure market, its core competency. Enterasys offers out-of-band (NAC Gateway) and in-line (NAC Controller) components. The NAC Controller enables NAC for older third-party switches that do not support 802.1X or RADIUS-based authentication. The Enterasys solution performs endpoint baselining via agents (permanent and dissolvable) and agentless technology. The primary usage case for Enterasys NAC is Enterasys switch and wireless LAN customers, although the solution is capable of supporting non-Enterasys environments. Return to Top Strengths Enterasys' main product strength remains the flow-based technology in its S-Series and N-Series switches. NAC policies can be applied for each unique flow (by tracking the source/destination address pairing). For example, granular policies can be established to implement bandwidth rate limits or trigger deep-packet inspection.
Magic Quadrant for Network Access Control http://www.gartner.com/technology/media-products/reprints/j... 11 of 18 19/8/2553 15:31 Enterasys' NAC management console has an integrated profiling capability, which automatically discovers and identifies all endpoints on the network. Enterasys has integrated its Dragon IPS, as well as third-party IPS solutions, with its NAC offering, so that it can quarantine endpoints that Dragon identifies as suspicious. Return to Top Cautions Its shrinking market share limits Enterasys' ability to grow its NAC business, particularly because it has had limited success in selling NAC to the broader market. For a network infrastructure vendor, Enterasys lacks operational and troubleshooting tools for managing an 802.1X environment. Return to Top ForeScout ForeScout is a network security pure-play company that offers the CounterACT NAC appliance and the CounterACT Edge security appliance. CounterACT is highly rated by users for ease of deployment and flexible enforcement scenarios. ForeScout's out-of-band approach simplifies moving from guest networking to baselining to enforcement, the common success pattern for NAC deployments. ForeScout had a number of new customer wins since the publication of the 2009 NAC Magic Quadrant, with a strong presence at government agencies, gaining it an increase in its Ability to Execute rating. ForeScout should be considered by enterprises looking at NAC solutions that are not tied to network infrastructure or EPP software. Return to Top Strengths CounterACT is highly rated for ease of deployment and price/performance in large installations, and ForeScout consistently gets good ratings for responsiveness and support. CounterACT provides strong support for the guest network and endpoint baselining use cases, and it provides basic support for role-based policies. CounterACT also supports post-connect NAC, via its IDS-like functionality. ForeScout customers tend to grow their deployment of CounterACT appliances and scale their NAC solutions quickly. ForeScout's visibility (as reflected by how often it appears on the shortlists of Gartner clients) has improved since 2009. Return to Top Cautions Although CounterACT's price/performance is strong across large installations, users report that ForeScout's management console needs ease-of-use improvements for large-scale implementations. Like all other NAC pure-play vendors, ForeScout will be increasingly squeezed by NAC solutions offered by incumbent network infrastructure and EPP software vendors. Return to Top HP (3Com) HP Identity Driven Manager is HP's lead offering in NAC. In April 2010, HP completed the acquisition of 3Com, along with H3C, the joint venture between Huawei and 3Com. H3C has an NAC solution, as did TippingPoint, which 3Com had previously acquired in 2005. Prior to these acquisitions, HP's NAC solution consisted of Identity Driven Manager and the ProCurve Network Access Control 800 appliance, which was based on technology licensed from StillSecure (via an OEM agreement). HP discontinued the ProCurve Network Access Control 800 appliance in April 2010, and it recommends the StillSecure branded NAC offering as a replacement (StillSecure is an HP AllianceONE NAC Specialization Partner). Until HP articulates a coherent strategy and road map for its NAC products, we continue to rate it as a Niche Player in the market. Users of HP network
Page 1 and 2: Magic Quadrant for Network Access C
Page 9: Magic Quadrant for Network Access C

Magic Quadrant for Network Access Control.pdf - WIT

Create successful ePaper yourself

Delete template?

Save as template?