Licensed for Distribution Market Guide for Network Access Control Published 31 July 2018 - ID G00332886 - 24 min read By Analysts Claudio Neiva, Lawrence Orans NAC vendors are emphasizing the discovery and profiling of IoT devices. However, profiling and enforcing policies for traditional IT devices are still the primary drivers for NAC today. Security and risk management leaders should map business drivers and capabilities offered by vendors. Overview Key Findings ■ Network visibility (discovering and identifying devices attached to the network) continues to be the primary driver for NAC. ■ IoT is a strong driver for NAC in the manufacturing and healthcare industry verticals. ■ NAC solutions fall into two categories. Some network infrastructure providers provide NAC as a feature, whereas other vendors offer pure-play NAC solutions. Recommendations Security and risk management leaders responsible for network security should: ■ Select NAC solutions that are optimized to the size of their IT infrastructure. The NAC market is mature, and some vendors specialize in large environments, whereas others focus on small and midmarket organizations. ■ Implement NAC in multiple phases. Phase 1 typically provides network visibility. Phase 2 usually enables device and/or user authentication to the network. Phase 3 commonly allows more advanced policies, such as blocking noncompliant devices from the network, but is rarely being used by the majority of enterprises. Market Definition Gartner defines network access control (NAC) as technologies that enable organizations to implement policies for controlling access to corporate infrastructure by both user-oriented devices and Internet of Things (IoT) devices. Policies may be based on authentication, endpoint configuration (posture) or users' role/identity. NAC can also implement postconnect policies based on integration with other security products. For example, NAC could enforce a policy to contain the endpoint based on an alert from a SIEM. An organization should evaluate the following capabilities: ■ Device visibility/profiling ■ Access control ■ Security posture check ■ Guest management ■ Bidirectional integration with other security products Market Description The NAC providers can be grouped into two categories, pure-play NAC vendors and network infrastructure vendors. Pure-Play NAC Vendors Most pure-play NAC vendors have a dedicated solution that supports heterogeneous networking devices. Due to their focus on multivendor support and integration, pure-play NAC solutions integrate with a wider range of other security products (such as ATD, EMM, NGFW, SIEM and NTA). Most NAC providers offer a RADIUS-based approach. However, pure-play NAC vendors stand out for offering capabilities that facilitate the implementation of NAC, offering alternatives to the 802.1X protocol and MAC authentication. Therefore, the main advantage of this type of provider is the ease of deployment, ease of use and flexible methods of policy enforcement in the network infrastructure. Pure-play vendors provide ease of deployment when organizations choose to use deployment approaches other than the standard 802.1X-based NAC implementation. Organizations that choose 802.1X will experience the same degree of difficulty regardless of the choice of a pureplay or infrastructure vendor. It is also necessary to install an additional agent in some cases. Network Infrastructure Vendors The NAC solutions of network infrastructure providers typically utilize a RADIUS-based method to control access to the network by devices in combination with user access control based on identity (authentication). However, even though 802.1X is the preferred method of implementation, Gartner has seen investments by network infrastructure vendors in facilitating the NAC implementation process by including capabilities that can simplify deployment. An example of this is "monitor mode," which allows NAC implementation without blocking users or devices with authentication failures in the first stage. The main advantages of infrastructure providers are: ■ Leverage deep integration between other products from the same vendor, which may allow for more control options for devices (see "IoT Solutions Can't Be Trusted and Must Be Separated From the Enterprise Network to Reduce Risk"). ■ Leverage capabilities included in other vendor-provided components to enforce more granular policies or to avoid installing an additional agent, which is s