
Security Starts with Visibility - opencloudfactory.com


It is a real pleasure for me and for all of the team at Open Cloud Factory, that the world’s leading technology analyst firm Gartner has included Open Cloud Factory as a Representative Vendor in their 2018 Market Guide for Network Access Control.

We believe that our efforts in R&D have paid off as OpenNAC Enterprise has been included in this expert analysis of cutting-edge technologies. As a team it is extremely valuable to see that our technological vision is aligned with the trends and challenges faced by organizations both today and moving forward as clearly defined by Gartner in this document.

One of these mega trends is IoT. IoT devices are growing exponentially, stretching the threat surface beyond current capabilities and traditional solutions. This tsunami of devices is reshaping the threat landscape. Gartner estimates that “By 2020, more than 25% of identified attacks in enterprises will involve the IoT, although the IoT will account for less than 10% of IT security budgets”.1 For this same reason visibility continues to be the main driver in this year’s NAC Market Guide.

However, organizations must start but stop there. Once continuous visibility is achieved, organizations should continue to implement more access controls based on asset information mapped with the business’s own risk logic. For the same reason it is only logical that Gartner recommends that security and risk management leaders should “Implement NAC in multiple phases”.2

We encourage organizations to be diligent when selecting a solution, keep present the importance of modular and flexible technology that can adapt to their growing needs and infrastructure over time and empower them to execute a phased roll out.

We believe that this document is a must read for any organization that is rethinking the importance of asset visibility and control and we hope that it helps you understand the drivers, trends and challenges to make a better-informed decision when choosing a solution.

Enjoy the read.

Albert Estrada i Capilla CEO/Founder

Security Starts with Visibility

Visibility and control of all assets: the prerequisites for security

• Research from Gartner: Market Guide for Network Access Control

• Visibility & Modularity, the Next Generation Security

• About Open Cloud Factory

1 Gartner Inc., ‘Leading the IoT’, Mark Hung, 2017

2 Gartner Inc., Market Guide for Network Access Control, 31 July 2018, G00332886


Market Guide for Network Access Control

Security Starts with Visibility is published by Open Cloud Factory. Editorial supplied by Open Cloud Factory is independent of Gartner analysis. All Gartner research is © 2018 by Gartner, Inc. All rights reserved. All Gartner materials are used with Gartner’s permission. The use or publication of Gartner research does not indicate Gartner’s endorsement of Open Cloud Factory’s products and/or strategies. Reproduction or distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.

Research from Gartner

NAC vendors are emphasizing the discovery and profiling of IoT devices. However, profiling and enforcing policies for traditional IT devices are still the primary drivers for NAC today. Security and risk management leaders should map business drivers and capabilities offered by vendors.

Key Findings

• Network visibility (discovering and identifying devices attached to the network) continues to be the primary driver for NAC.

• IoT is a strong driver for NAC in the manufacturing and healthcare industry verticals.

• NAC solutions fall into two categories. Some network infrastructure providers provide NAC as a feature, whereas other vendors offer pure-play NAC solutions.

Recommendations

Security and risk management leaders responsible for network security should:

• Select NAC solutions that are optimized to the size of their IT infrastructure. The NAC market is mature, and some vendors specialize in large environments, whereas others focus on small and midmarket organizations.

• Implement NAC in multiple phases. Phase 1 typically provides network visibility. Phase 2 usually enables device and/or user authentication to the network. Phase 3 commonly allows more advanced policies, such as blocking noncompliant devices from the network, but is rarely being used by the majority of enterprises.

Market Definition

Gartner defines network access control (NAC) as technologies that enable organizations to implement policies for controlling access to corporate infrastructure by both user-oriented devices and Internet of Things (IoT) devices. Policies may be based on authentication, endpoint configuration (posture) or users’ role/identity. NAC can also implement postconnect policies based on integration with other security products. For example, NAC could enforce a policy to contain the endpoint based on an alert from a SIEM.

An organization should evaluate the following capabilities:

• Device visibility/profiling

• Access control

• Security posture check

• Guest management

• Bidirectional integration with other security products

Market Description

The NAC providers can be grouped into two categories, pure-play NAC vendors and network infrastructure vendors.

Pure-Play NAC Vendors

Most pure-play NAC vendors have a dedicated solution that supports heterogeneous networking devices. Due to their focus on multivendor support and integration, pure-play NAC solutions integrate with a wider range of other security products (such as ATD, EMM, NGFW, SIEM and NTA). Most NAC providers offer a RADIUS-based approach. However, pure-play NAC vendors stand out for offering capabilities that facilitate the implementation of NAC, offering alternatives to the 802.1X protocol and MAC authentication. Therefore, the main advantage of this type of provider is the ease of deployment, ease of use and flexible methods of policy enforcement in the network infrastructure.

Pure-play vendors provide ease of deployment when organizations choose to use deployment approaches other than the standard 802.1X-based NAC implementation. Organizations that choose 802.1X will experience the same degree of difficulty regardless of the choice of a pure-play or infrastructure vendor. It is also necessary to install an additional agent in some cases.

Network Infrastructure Vendors

The NAC solutions of network infrastructure providers typically utilize a RADIUS-based method to control access to the network by devices in combination with user access control based on identity (authentication). However, even though 802.1X is the preferred method of implementation, Gartner has seen investments by network infrastructure vendors in facilitating the NAC implementation process by including capabilities that can simplify deployment. An example of this is “monitor mode,” which allows NAC implementation without blocking users or devices with authentication failures in the first stage. The main advantages of infrastructure providers are:

• Leverage deep integration between other products from the same vendor, which may allow for more control options for devices.

• Leverage capabilities included in other vendor-provided components to enforce more granular policies or to avoid installing an additional agent, which is sometimes required when using a pure-play NAC solution.

• For vendor management, it would avoid overhead of managing yet another vendor in the organization’s security ecosystem.

Market Direction

The NAC market will continue with its proposition to maintain visibility and control for access to an organization’s IT infrastructure. However, Gartner believes there will be new partnerships between NAC vendors and providers specialized in IoT. Also, there is the possibility that some NAC vendors may be acquired by other security vendors to supplement their portfolio. For example, Fortinet acquired Bradford Networks to increase the visibility and control of its portfolio strategy – Fortinet Security Fabric.1

IoT and NAC

NAC vendors discover IoT devices by scanning the network infrastructure regardless of whether it is wired or wireless to provide security leaders the visibility to define what policy would be appropriate for each use case, for example, separating OT devices from IT infrastructure by applying segmentation.

IoT devices (such as VCRs, CCTV and web cameras), smart lighting systems, building automation and facilities management systems all may be partially or entirely connected to corporate data networks in the organization without IT awareness. One simple step for providing security to the general network from compromised IoT devices would be proper network segmentation to maintain IoT device connectivity only within segments that are dedicated to IoT systems. New IoT devices may also be invisible to typical IT security asset discovery and tracking systems, so new IoT-specific solutions for discovery and management may be required.

One way to prepare for IoT security is to view IoT devices as defined by class, depending on their functional capabilities.

Alternatives to NAC Providers

Providers of alternatives to NAC solutions can fulfill part of NAC basic functions, such as device detection, rogue detection and the maintenance of an effective IoT asset database, with attributes and entitlements for access by those devices.

The IoT vendors listed below have overlapping capabilities with NAC providers. However, these solutions do not meet all of the above-mentioned use cases. The vendors listed in this section could be considered alternatives to NAC, depending on business requirements. This is a representative list and not an exhaustive list:

• Great Bay Software

• Pwnie Express

• Armis

Market Analysis

Gartner sees the NAC market as mature. The drivers considered by clients when implementing a NAC solution are:

• Visibility into infrastructure-connected devices with the goal of implementing access policies. This includes commonly used devices (such as a workstation, laptop, printer, IP phone, IP camera, access points, and also IoT devices like OT devices, medical devices and building automation).

• Manage access for contractors, consultants and different kinds of visitors to maintain visibility and limit access only to resources required according to each profile.

• Enable the implementation of a BYOD program, primarily wireless, to ensure that employees can use their equipment while maintaining a minimum of due diligence for access to corporate infrastructure.

• Analyze compliance with a minimum security posture at the endpoint. For example, verify that the endpoint has EPP installed, and most critical security patches are installed.

In addition to the typical customer drivers for using NAC, there are also emerging use cases that are motivators for some customers to acquire a NAC solution. An example is the need to increase the visibility and control over IoT devices that may introduce internal or external threats. An example of the use of a NAC solution to deal with an internal threat is using NAC to identify and isolate endpoints that do not have critical patches to prevent the lateral spread of ransomware throughout the network. Some companies have used this NAC preventive capability to contain the WannaCry attack campaign. Some external threats seek to exploit IoT device vulnerabilities to compromise the operation of these devices. The health and manufacturing sectors have legitimate concerns about the availability of specialized equipment and the need to segment this specialized equipment from the rest of the infrastructure. There are additional NAC use cases that are oriented to cloud-based management interfaces, and visibility of workloads in the cloud (see Figure 1).

Interoperability with other security solutions should also be considered an essential factor in choosing a NAC solution. Integration with other solutions can happen in two ways, customization through open APIs and the use of built-in integration.

The purpose of this interoperability between the NAC solution and other third-party security solutions is to enable decisions about network access with more contextual information. For example, the NAC solution is capable of sharing information (such as user identity, security posture status and device location) with other monitoring and control functions. The NAC solution can collect more detailed information about equipment or user. NAC can also gather more information about mobile devices from an enterprise mobility management (EMM) solution to determine whether or not this device belongs to the organization. In case of personal equipment, NAC could be used to implement a policy limiting access only to the internet. There are other use cases where bidirectional integration can improve the overall security implemented at the internal access edge of the organization’s infrastructure.

Figure 1. NAC Use Cases

Source: Gartner (July 2018)

Also, Gartner continues to see a high demand for a response to auditors’ comments about the lack of visibility and the need to control devices connecting to the corporate network during client engagements. Alongside increased visibility, NAC use cases include management of access from an external contractor or guest.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

The vendors in this Market Guide offer at least the capabilities listed in the Market Definition section.

Table 1. Representative Vendors in NAC Market

| Vendor | Product, Service or Solution Name |
| --- | --- |
| Auconet | Business Infrastructure Control Solution (BICS) |
| Cisco Systems | Cisco Identity Services Engine (ISE) |
| Extreme Networks | ExtremeControl |
| ForeScout Technologies | CounterACT |
| Fortinet (Bradford Networks) | Network Sentry |
| Genians | Genian NAC |
| Hewlett Packard Enterprise (Aruba) | ClearPass |
| Impulse | SafeConnect |
| InfoExpress | CGX |
| IntelliGO | IntelliGO NAC |
| Inverse | Packet Fence |
| NETSHIELD | NETSHIELD NAC |
| Open Cloud Factory | OpenNAC Enterprise |
| Portnox | CLEAR; CORE |
| Pulse Secure | Pulse Policy Secure |

Source: Gartner (July 2018)

Vendor Profiles

Auconet

Auconet is a privately held company with headquarters in Germany and sales/consulting in Western/Eastern Europe and North America. It has been delivering NAC solutions since 2005. The vendor has integrated NAC security and network troubleshooting capabilities into one solution for operations and security use cases for heterogeneous networks. Auconet works directly with global enterprises and with managed security service providers (MSSPs) offering large-scale, multitenant, managed NAC services.

The Auconet Business Infrastructure Control Solution (BICS) is deployed most commonly as an agentless solution, using Layer 2 Media Access Control (MAC)-based authentication, in addition to its RADIUS-based policy server, which supports native 802.1X supplicants embedded in multiple OSs. BICS is available as a hardware appliance, a virtual appliance or SaaS. Auconet also offers an optional permanent agent on Windows, UNIX/Linux platforms and macOS. In 2017, Auconet released its monitoring and access control for industrial networks and SCADA connected devices (such as MOXA, Phoenix, Hirschmann, Siemens, Belden, Schneider and Sixnet). In 2018, Auconet became part of Beta Systems Group, a globally operating software company with a 35-year track record of providing software to companies with large data centers, mainly to the finance industry.

Cisco Systems

Cisco Identity Services Engine (ISE) policy server is RADIUS-based and Terminal Access Controller Access Control System Plus (TACACS+)-based, which enables Cisco to support authentication and device administration in the infrastructure. ISE is available in hardware appliances and as a virtual server. The device-profiling capability provides endpoint classification and reports on devices connected to switches and wireless access points.

Through its pxGrid framework, Cisco integrates with Cisco’s security products and third-party technologies in partner ecosystems that share alerts and contextual information. Cisco packages its NAC posture agent within its AnyConnect endpoint bundle, which unifies other capabilities (such as VPN, NetFlow, MACsec, Supplicant, Stealthwatch, TrustSec, Cisco Umbrella and Advanced Malware Protection [AMP]). In 2017, Cisco implemented some changes with a focus on user experience, such as quick wireless setup and ISE Posture enhancements that combine authentication and a dissolvable agent for security posture verification. Also, ISE is now part of the software-defined access (SDA) solution through integration with the Cisco DNA Center for automated and unified policy enforcement. As part of bidirectional integrations, Cisco ISE collects from Tenable, Rapid7 and Cisco Cognitive Threat Analytics (CTA) threat intelligence information supported by TALOS to automate quarantine and remediation response. Also, Cisco integrates Tetration and ISE focused on visibility and policy enforcement across the virtual and physical access network and data center.

Extreme Networks

Extreme Networks is based in San Jose, California. In addition to ExtremeControl (NAC), Extreme offers other security products (such as AirDefense from the Zebra acquisition, Fabric Connect from the Avaya acquisition, and Extreme Defender for IoT, which secures IoT devices when they connect to the network). The NAC offering includes out-of-band (NAC Gateway) and in-line (NAC Controller) appliances. The primary use case for NAC is for Extreme’s Switches and WLAN customers, although the solution can support non-Extreme environments.

Extreme Networks’ NAC is an AAA- and RADIUS-based solution that is available in a family of hardware and virtual appliances. Extreme’s tight integration of its NAC solution with its unified wired/wireless product family enables granular policy enforcement. Policies may permit, deny, apply quality of service (QoS), rate limit and implement other controls to traffic based on user identity, time, location, end system and user groups. In addition, Extreme offers virtual machine (VM) management by applying policy on vSwitch and physical switches to manage VM access through VMware and OpenStack integration. In 2017, Extreme implemented a new workflow composer to enable network task automation based on a StackStorm open-source project. Also, Extreme invested in the combination of analytics and control with ExtremeAnalytics workflow by enhancing profiling capability.

ForeScout Technologies

ForeScout, based in San Jose, California, began trading as a public company in October 2017. The company sells its ForeScout CounterACT platform for visibility and control use cases (such as device visibility, asset management, device compliance, network segmentation and incident response). CounterACT is primarily an out-of-band agentless solution for heterogeneous network infrastructure. However, it also includes a RADIUS server to support 802.1X environments. CounterACT can be deployed on hardware and virtual appliances available for midsize to large deployments.

Although ForeScout offers optional agents, its agentless approach performs a security posture assessment for Windows, macOS, Linux and IoT devices. In addition to its core platform, ForeScout provides a series of Extended Modules that share contextual information and orchestrate workflows with third-party security products. Via these modules, CounterACT can be configured to automatically enforce policy (for example, remove an endpoint from the network) in response to alerts from ATD, VA, EDR, SIEM and other third-party products. In 2017, ForeScout extended CounterACT visibility into AWS for public cloud and VMware vSphere for private cloud, including NSX technology support. Also, ForeScout included a new out-of-the-box classification innovation along with a crowdsourced device cloud repository to extend and refine a library of device profiles used by customers for auto-classification.

Fortinet (Bradford Networks)

Bradford Networks has been delivering NAC solutions since 2001. In June 2018, they were acquired by Fortinet to be part of Fortinet’s Security Fabric.1 The Network Sentry product is a RADIUS-based solution available in hardware and virtual appliances, and can run in private and public clouds. Additionally, MSPs or MSSPs can purchase licenses and offer the features as a cloud service. Network Sentry comes in three flavors – Secure Enterprise Basic (SEB), Secure Enterprise Advanced (SEA) and Secure Enterprise Premier (SEP) – each of which includes the ability to share contextual information about endpoints and provide tools for security analysts to respond to alerts from next-generation firewalls, ATD solutions and other security products. Bradford Networks’ mobile applications can perform limited mobile device management (MDM) capabilities (such as jailbreak detection) and can determine a device’s type and OS.

In 2017, Network Sentry included several features. The features that stand out are: IoT solution security, app framework partnership with Palo Alto and integrations with Fortinet solutions. Also, they included automation through integration with Qualys and FortiSIEM.

Genians

Genians was founded in 2005 with its headquarters in South Korea. Genians also has offices in Boston (U.S.), Singapore and Serbia. Genians’ flagship solution, Genian NAC, is a sensor-based NAC solution that can host its management/policy component in the cloud or on-premises. Genian NAC stands out on its device detection capabilities through its Device Platform Intelligence (DPI) feature, which provides visibility by adding business context information (such as a device’s EOL/EOS status, manufacture or vendor viability). Genian NAC monitors the life cycle of all IP-enabled devices based on L2/L3 protocols and other sources of information to increment the device profiling. The database passes to a DPI cloud for profile validation and shares new profiles with other Genians customers.

For customers that still need to keep fixed IP addresses on their devices for any reason, Genians keeps a complete mapping of devices and IP addresses being used to avoid problems related to two devices using the same IP address. Also, Genian NAC provides access control using ARP poisoning, TCP reset by SPAN port, RADIUS/DHCP server, and agent-based.

Hewlett Packard Enterprise (Aruba)

Hewlett Packard Enterprise (HPE) offers an NAC named ClearPass, which includes the ClearPass Policy Manager. ClearPass Policy Manager offers RADIUS and non-RADIUS enforcement options for user and IoT devices, as well as TACACS for device management authentication. It is available as hardware and virtual appliances, including support for deployments in Amazon Web Services (AWS). ClearPass has broad OS support, including Windows, macOS and Linux, as well as iOS and Android for mobile devices. ClearPass options include guest access management (ClearPass Guest), device onboarding (ClearPass Onboard) and endpoint posture assessments (ClearPass OnGuard).

Third-party products have been integrated and validated using ClearPass Exchange, including firewalls, MDM/EMM, and SIEMs – via REST-based APIs, syslog messaging and RADIUS proxy functions. In 2017, HPE acquired Niara, a user and entity behavior analytics (UEBA) solution that uses machine learning and custom algorithms to detect attacks that have evaded traditional security. Now sold as Aruba IntroSpect, it provides bidirectional integration with ClearPass to deliver insights that allow containment via either manual or automatic policy. ClearPass and IntroSpect are elements of the Aruba 360 Secure Fabric, which is a framework for IT and security teams to achieve visibility, control and protection of their network infrastructure.

Impulse

Based in Tampa, Florida, and founded in 2004, Impulse historically catered to the higher education and K-12 markets but now has a growing percentage of corporate enterprise customers. Impulse delivers its SafeConnect solution as a cloud managed service, which includes system monitoring, problem determination and resolution, daily updates to device type, antivirus and OS profiling recognition, and remote backup of policy configuration data. All Impulse products can be implemented as hardware or as virtual appliances.

SafeConnect offers 802.1X and non-802.1X RADIUS-based policy enforcement options at a Layer 2 or Layer 3 enforcement approach that eliminates the need to integrate with Layer 2 LAN switches. SafeConnect’s Network Security Orchestration (NSO) feature correlates device type, user identity, location, and ownership information and shares contextual data to multiple third-party security platforms (such as VMware AirWatch, RSA, Palo Alto Networks, SonicWall, Fortinet, IBM Security QRadar and Splunk) to enable identity/role-based policies and security assessment analytics. In 2017, Impulse announced its new software-defined perimeter, which is offered as a cloud-based service that “hides” applications and data through the encryption among devices and organization’s applications, integrating multifactor authentication and identity access management providers. SafeConnect SDP is composed of three components (such as SDP client, SDP Controller and SDP gateway).

InfoExpress

InfoExpress is a privately held company, based in Santa Clara, California, focused on providing NAC solutions. Its CGX solution is available as hardware or a virtual appliance. The NAC offering includes out-of-band and in-line appliances (typically used for VPN implementation).

CGX offers optional endpoint agents for a wide variety of OSs, including Windows, macOS X, Apple iOS, Android and Linux. CGX correlates data from multiple sources, such as syslog, Nmap, MDM and NAC agents to support NAC policies. For example, if a mobile device is reported as stolen and reappears on the network, CGX can quarantine the device and notify administrators. Dynamic NAC (DNAC) comes as an agent-based or hardware enforcement solution. CGX also works as a proxy RADIUS, when using 802.1X to facilitate implementation of CGX across complex networks.

InfoExpress also offers an agentless NAC solution that is out-of-band. Positioned as Easy NAC, it provides visibility and access control over all devices on the LAN and wireless networks. It prevents unknown devices from joining the network, enforces baseline security, and ensures that BYOD devices are properly registered and guest accounts are managed. Easy NAC also integrates with Firewalls, APTs and other security appliances, so it can quickly quarantine offending devices.

IntelliGO Networks

Founded in 2005, IntelliGO Networks is a privately held company based in Toronto, Ontario, Canada. IntelliGO provides a service for managed detection and response for SMB use cases for network access control using a virtual appliance and agent. IntelliGO also aggregated a set of control features for an MDM, NAC, PKI, virtual appliance scanner or IoC hunting, and profiling for Windows and macOS. Its RADIUS-based IntelliGO Security Platform NAC solution is available in a family of hardware and virtual models with support from 100 to 100,000 users/devices. The IntelliGO Security Platform supports onboarding and enforcement in an agentless approach through Secure Shell (SSH).

IntelliGO Security Platform also promotes NAC as a managed service, which can include assistance tuning security tools (such as firewalls and SIEM). IntelliGO Security Platform has a vulnerability scanning engine and collects IoC from sandbox solutions to include indicators of compromise definitions. In addition to sandbox integration, it is able to search for endpoints (Windows-, Linux- and Macintosh-based) with patterns that indicate compromise to isolate the endpoint automatically. In 2017, IntelliGO replaced network access control licensing with the IntelliGO managed detection and response service’s recurring monthly pricing and added vulnerability scans and log analytics service into its portfolio.

Inverse (PacketFence)

Founded in 2008, Inverse is a privately held company based in Montreal, Quebec, Canada. Inverse develops the PacketFence NAC solution, which is completely free and open-source. PacketFence is a RADIUS-based solution, and Inverse delivers consulting services and product support for the software.

PacketFence includes a captive portal for registration and remediation. It uses Fingerbank for its profiling capability. The Fingerbank solution is a set of device fingerprints that identifies endpoints connected to the network infrastructure. Inverse provides advanced auditing capabilities to PacketFence and a cloud version of PacketFence for the MSSP use case. In 2017, Inverse released a new web admin allowing customization of reports along with ready-to-use reports. PacketFence is a good choice in the education vertical and in other budget-constrained enterprises. It is also a good choice in large-scale heterogeneous networks that value open-source solutions.

NETSHIELD

In 2017, SnoopWall was officially renamed NETSHIELD, targeting SMBs. NETSHIELD is a non-in-line agentless access control (AAC) solution. Its NETSHIELD product uses agentless endpoint discovery. NETSHIELD uses an ARP poison methodology to block the rogue device along with peer blocking to keep all peers from communicating with the rogue device. In addition, SmartSwitch integration allows NETSHIELD to further isolate the rogue device through black-holing or moving to a quarantine VLAN.

NETSHIELD appliances are equipped with a malware detection feature designed to identify outbound “command and control” traffic destined for known malware sites, and an auditing engine to identify common vulnerabilities and exposures (CVE). Its NAC solution is currently available as a hardware appliance that ranges from 25 to 4,000 assets on the protected network segment. NETSHIELD is now offering the first of its kind of cyberinsurance for U.S. customers with coverage up to $250,000 at no extra cost to the customer.

Open Cloud Factory

Founded in 2011 and based in Spain, Open Cloud Factory (OCF) is a privately held company whose NAC offering is openNAC Enterprise. OCF customers are based mainly in Europe and Latin America. openNAC is offered as a virtual appliance that can be deployed as an on-premises, cloud or hybrid solution. The RADIUS-based openNAC Core policy engine contributed to the foundation of OCF, and openNAC Sensor (probe) supports endpoint discovery without 802.1X. The solution uses the ELK software stack to provide reporting. openNAC integrates with third-party security solutions (such as SIEM, NGFW and MDM) through RESTful APIs.

The openNAC solution provides multivendor support for network infrastructure, based on standard methods of authentication and enforcement for segmentation through VLANs. For the authentication process, it can integrate with multiple LDAPs and active directories. It may also include a second factor of authentication integrating Google Authenticator or Mobile Connect. The discovery process can be done at authentication time or via SNMP traps. Additionally, it leverages a captive portal for guest management and specific use cases that can be customized by OCF. For IoT and compliance, openNAC uses a tag system to categorize assets. In 2017, OCF restructured its NAC solution to be sold in modules, creating deployment and cost flexibility.

Portnox

Founded in 2007, Portnox is a pure-play NAC vendor that operates mainly in the Americas and EMEA. Portnox has two methods of NAC delivery: Portnox CORE, on-premises NAC and Portnox CLEAR, which offers NAC as a service from the cloud. The solutions are based primarily on endpoint discovery. After a device connects to the network, Portnox CLEAR checks the OS type, then applies the appropriate policy to the network access point (for example, a port on a LAN switch, a WLAN controller or a VPN gateway).

In 2017, Portnox CLEAR announced a NAC-as-a-service cloud platform that delivers off-premises risk monitoring of all endpoints to manage the health of corporate and personal assets, including IoT, BYOD and other mobile devices. Portnox CLEAR is a cloud-based offering enabling cloud deployment of 802.1X, including RADIUS server and certificate authority functionality. The optional CLEAR app runs on iOS, Android, Windows and macOS and includes onboard configuration for 802.1X supplicants. Operating as a standard/simple app and not an MDM profile, CLEAR allows administrators to identify the device and its owner, monitor its compliance status, and see all visited Wi-Fi networks. The Portnox CORE on-premises solution can also enforce NAC policies in wired, wireless, VPN and VMware environments.

Pulse Secure

Pulse Secure was created in 2014 when private equity firm Siris Capital Group acquired the Junos Pulse product line from Juniper. In addition to its NAC solution, Pulse Secure offers integrated VPN, application delivery and a mobile security solution. The Pulse Policy Secure NAC solution is RADIUS-based and available as a family of hardware and virtual appliances.

Since Pulse Secure became an independent company, it has focused on features that deliver integrated NAC and VPN access that enable it to work in a heterogeneous network infrastructure.

While Pulse Secure is still tightly integrated with Juniper’s core security and network products, the vendor continues to broaden its ecosystem with other vendors (such as Cisco, HP, Palo Alto Networks, Fortinet, Check Point, Splunk and IBM Security QRadar [SIEM]). Pulse Secure offers central management, including one agent for its portfolio (VPN, NAC and mobile management) and enhancements in the profiling feature. In 2017, Pulse Secure acquired security certifications (such as FIPS and Common Criteria) for both NAC and VPN. Also, Pulse announced its Pulse Access Suite, which integrates the management functions of individual Pulse Secure products and policies into a single console, along with a drill-down capability for troubleshooting.

Market Recommendations

Organizations should focus on price, implementation cost and integration with existing infrastructure vendors to differentiate solutions. Given the range of solutions in the marketplace, we recommend that you:

• Focus on vendors that target organizations of your size and complexity. Because NAC is a mature market, many vendors are clearly aligned regarding SMB and large-enterprise opportunities.

• Perform a network inventory as part of your NAC project. This will influence your decision, based on the capabilities of your network devices.

• Determine which EMM solutions are already installed on the network to identify providers that have direct integration with existing EMM solutions.

• Implement NAC to deliver visibility (for example, which devices are connected to your network) and control (allow or deny access) over your corporate network.

• Use the postconnect functionality of your NAC solution. Most NAC products integrate with multiple security products. Configure NAC to automatically enforce policy when your threat detection solution (for example, network sandbox) alerts that an endpoint has been compromised. NAC can automatically remove the endpoint from the network, or it can enforce another policy that limits the endpoint’s ability to communicate externally.

• Clients should evaluate which security solutions the organization is using to see if such solutions exist in the list of built-in integration from the NAC vendor. Of course, NAC vendors could always argue that they can integrate with other solutions that are not on the list but would require customization through professional services, resulting in an additional cost.

Evidence

1 “Fortinet Acquires Bradford Networks,” Fortinet Press Release.

Note 1 Representative Vendor Selection

The vendors listed in this market guide are representative in the network access control market. We did not include vendors where the NAC solution is sold as a feature of other products.

Note 2 Gartner’s Initial Market Coverage

This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market dynamics.

Source: Gartner Research, G00332886, Claudio Neiva, Lawrence Orans, 31 July 2018

Visibility & Modularity, the Next Generation Security

Threat detection time has fallen on average. However, the response time and the impact of disruptive attacks (Business Disruption Attacks) continue to grow due, in part, to the lack of asset visibility and control. Another negative impact of the lack of asset visibility and control comes from the external pressure of auditors and regulations regarding the assets connected to the corporate network.

Laptops, smartphones, tablets, suppliers, external users, and an avalanche of IoT devices are connected daily to networks that are increasingly heterogeneous, dispersed and complex to manage. Each asset is a potential attack or reconnaissance point.

Do you have visibility and control of all assets connected to your network? And can you demonstrate that in an audit? The asset (entity and / or identity) should be the first line of defense.

At Open Cloud Factory we increase network security by giving organizations 100% visibility and control of all assets connected to the network (wireless, wired and/or VPN), automatically, centrally and in real time.

Solution: openNAC Enterprise

OpenNAC Enterprise, regardless of the type of device and how it is connected, automatically discovers and categorizes all assets. Organizations can extend the asset information / categorization to include the context of the business and its risks to prioritize their efforts, establish more adaptive controls and respond efficiently to audits etc.

Having gained complete visibility, the solution provides a single point from which you can define and apply access policies tailored to the needs of the organization and to all assets attempting to connect to the network, at the moment they try to connect. This process can be achieved via multiple mechanisms.

As such, OpenNAC Enterprise’s extensible asset visibility and control reduces the risk and impact of disruptive attacks and enables organizations to respond to regulatory requirements.

OpenNAC Enterprise is a software solution that can be deployed from the cloud, on-premise or a hybrid model thus reducing the impact on the infrastructure.

Implement Network Access Control in multiple phases

The modular solution that meets your needs today and tomorrow:

FIGURE 1 Modularity solution.

Source: Open Cloud Factory

With OpenNAC Enterprise organizations will discover all assets (regardless of type or connection) that are connected to their infrastructure, via multiple mechanisms for discovery, profiling and access control to your network.

OpenNAC Enterprise is the only solution that provides this visibility and control in a modular approach. This flexible approach guarantees the best fit for the organization’s current situation, ensuring quick wins and reducing operational and financial risk for the organization. The solution’s modularity enables organizations to adopt additional pieces of the solution over time as the organization’s security posture matures.

Source: Open Cloud Factory

Open Cloud Factory is a European-based software security firm that strives to ease the pressures on security and risk leaders by providing solutions like OpenNAC Enterprise that can act as a security orchestrator: a solution that integrates with the organization’s existing security stack through a RESTful API focus, guaranteeing that the organization gains more return from its existing security investment.

Open Cloud Factory solutions provide tools to implement companies’ security strategy in an effective and easy manner, always adapting to customers’ needs and providing the best return on investment.

Our vision as a security vendor is to simplify security and make it easier for the customer to consume, by adapting to existing security stacks and adding more value than just another additional solution.

With OpenNAC Enterprise, we provide companies with full visibility and control over corporate networks and offer different infrastructure access mechanisms based on profile and behavior, which can eliminate risks when threat patterns are detected.

Open Cloud Factory only European vendor recognized

Founded in 2011, Open Cloud Factory has key references in the finance, education or tourism sectors. With a consolidated presence in Europe and Latin America, Open Cloud Factory manages deployments of 300,000+ IPs in cutting-edge, highly regulated industries.

About Open Cloud Factory