Network access control (NAC) will increasingly be used to help enterprises manage the consumerization trend, as more enterprises allow employees to "bring their own PC to work." NAC will enable network managers to gain back some control over their networks by allowing access to some devices, while denying access to others. When evaluating NAC solutions, look for vendors that understand the consumerization trend and support, or have plans to support, policies for managing the non-Microsoft endpoints that will inevitably attempt to connect to your network.

Although NAC adoption increased (primarily to support guest networking) in 2009, as we predicted in "Network Access Control Market Overview" in December 2004, the increasing availability of NAC functionality in network infrastructure and endpoint protection (EPP) products put severe pressure on NAC revenue. In 2004, we said, "However, as organizations progress through the technology refresh cycle and upgrade to solutions with built-in NAC functions, many will no longer pay extra for independent NAC solutions." We saw many enterprises decide to look to their EPP vendors for embedded NAC capabilities, as well as many that decided to wait until they rolled out Windows 7 on desktops to make NAC decisions. Although this was partly driven by the economic slowdown, it mostly represents what will be the continuing market reality.

This led to the exit of ConSentry Networks from the NAC market, while other NAC vendors attempted to broaden their products' appeal beyond NAC functionality. Aruba, which had been reselling a private-labeled version of Bradford Networks' NAC appliance, decided it made more sense to focus on selling rich wireless networking solutions with embedded NAC capabilities, rather than to pursue specific NAC revenue.

The pressure on the NAC market and the failure of several NAC vendors have led to a common misconception that "NAC is dead" — classic Trough of Disillusionment behavior. However, in working with Gartner clients evaluating and deploying NAC during the past year, as well as in talking to the reference customers supplied by vendors as part of this Magic Quadrant analysis, we continue to see early adopters expanding beyond basic NAC functionality, while new NAC installations continue to focus on meeting immediate guest networking needs. The "consumerization of IT" trend is driving the need for guest networking to rapidly expand beyond contractors and visitors to employees using their own laptops or smartphones. To a large extent, many enterprises are starting to look more like the early adopters of NAC, college campuses, with an increasingly chaotic mix of managed and unmanaged IT on the corporate network. Because employee-owned laptops or smartphones will typically not have corporate endpoint security software on them, stand-alone NAC capabilities will see higher demand.

As targeted botnet attacks (such as that suffered by Google and many other high-profile businesses in 2010) cause increasing damage, Gartner believes those initial guest networking implementations will be expanded to include the endpoint baselining/health check — provided that NAC vendors move beyond simple vulnerability checking and build in support for detecting whether an endpoint is dangerous versus just missing patches or being behind in antivirus signatures.

The increasing publicity around targeted malware has also caused increased demand for post-connect containment capabilities, but we have seen very limited demand for advanced identity-aware NAC capabilities, outside of the traditional high-security "belt and suspenders" enterprises. We believe that NAC vendors that manage to grow in 2010 and beyond will be the ones that increase their capabilities for enterprises to safely allow unmanaged PCs and mobile devices to be used to meet business needs.

The four most common uses for NAC are:

• Guest network services: Isolating guests and visitors from the corporate network and providing them with limited connectivity — typically, Internet access only. Guest networking was the primary driver in approximately 75% of NAC deployments. Most organizations are starting with wireless guest access and are planning to extend guest networking capabilities to the wired network.
• Endpoint baselining: Determining whether endpoints on the corporate network are compliant with device configuration policies (for example, up-to-date patches and antivirus signatures). Endpoint baselining was the primary driver in approximately 15% of NAC deployments.
• Quarantine/containment: Restricting network access either when endpoints are noncompliant with configuration policies, or when suspicious traffic from the endpoint presents a risk to the network or to other endpoints. Quarantining noncompliant endpoints is common in educational environments (where schools often don't control the endpoints); however, in other environments, it is only the primary driver in approximately 5% of deployments. Remediating noncompliant endpoints and "dangerous" endpoints is an important aspect of this use case.
• Identity-aware networking: Providing greater visibility and control over user behavior on the network. Organizations add identity awareness to the network to monitor user traffic and enforce access to critical resources. Identity-aware networking was the primary driver in approximately 5% of NAC deployments.

The NAC market consists of several categories, as outlined below:

• Infrastructure: Most enterprise-class LAN switch manufacturers offer NAC solutions. Seven of the eight vendors analyzed in "Magic Quadrant for Enterprise LAN (Global)," sell NAC products. The LAN switch vendors primarily target their NAC solutions to their installed base. That is a good strategy, because network managers, who are the buyers of LAN switches, are usually the buyers of NAC solutions. Infrastructure vendors have had limited success in selling their NAC solutions outside of their installed bases and into their competitors' accounts.
• EPP: Some vendors that sell EPP suites also offer NAC solutions (for example, Check Point Software Technologies, McAfee, Sophos and Symantec). All these vendors benefit from their existing desktop "footprint," which gives them an advantage in the endpoint baselining usage case.
• Network security vendors: A mix of intrusion prevention system (IPS), firewall and virtual private network (VPN) vendors offer NAC solutions. Because they already serve as enforcement points in the network, these products can be easily repurposed to become NAC policy enforcement points.
• Pure-play vendors: Several vendors are pure-play NAC vendors or vendors with multifunctional offerings whose primary focus is NAC (for example, Avenda Systems, Bradford Networks, ForeScout, Impulse Point, InfoExpress and Nevis Networks). The pure-play vendors face the biggest challenges, as vendors in the other three categories continue to enhance their NAC offerings.

When measured by annual revenue, the NAC market is declining. Gartner estimates that the size of the NAC market in 2009 was approximately $199 million, a decrease of approximately 10% over the market in 2008. We had anticipated a slowdown in market growth to 25%, but market factors detailed above and the severity of the economic slump contributed to the shrinking market. Also, some vendors exited the market, and others entered, but the overall effect was a net loss in market size. As we predicted back in 2004, the NAC capabilities existing or promised in network infrastructure, EPP platforms and the latest Windows desktop operating system impacted the growth of NAC-specific revenue, even as NAC "seats" increased. For 2010, we expect a flat market, with total revenue of approximately $200 million. Positive NAC demand factors, such as support for consumerization, will be offset by embedded NAC and a focus on inexpensive authentication, particularly 802.1X.

The goal of the inclusion/exclusion criteria listed below is to identify those vendors that own core NAC technology. Vendors whose solutions are based heavily on technology that is licensed from original equipment manufacturers have been excluded from this Magic Quadrant.

To be included in this Magic Quadrant, the vendors' solutions must include the policy, baseline and access control elements of NAC, as defined by the following criteria:

• Policy: The NAC solution must include a dedicated policy management server with a management interface for defining and administering security configuration requirements and for specifying the access control actions (for example, allow or quarantine) for compliant and noncompliant endpoints. The ability to report on the overall state of endpoint compliance is a critical component of the policy function. Because policy administration and reporting functions are key areas of NAC innovation and differentiation, vendors must own the core policy function to be included in this Magic Quadrant.
• Baseline: A baseline determines the security state of an endpoint that is attempting a network connection (LAN, wireless LAN or VPN) so that a decision can be made about the level of access that will be allowed. Baselining must include the ability to assess policy compliance (for example, up-to-date patches and antivirus signatures) and may include the ability to detect installed malware. Various technologies may be used for the baseline function, including agentless solutions (such as vulnerability assessment scans), dissolvable agents and persistent agents. NAC solutions must include a baseline function, but "reinventing the wheel" is not necessary. Baseline functionality may be obtained via an OEM or licensing partnership.
• Access control: The NAC solution must include the ability to block, quarantine or grant full access to an endpoint. The solution must be flexible enough to enforce access control in a multivendor network infrastructure, and it must be able to enforce access in both LAN and remote-access environments. Enforcement must be accomplished either via the network infrastructure — for example, 802.1X, virtual LANs (VLANs), access control lists (ACLs) — or via the vendor's NAC solution — for example, dropping/filtering packets or Address Resolution Protocol (ARP) spoofing. Dynamic Host Configuration Protocol (DHCP) enforcement qualifies for inclusion, provided that policy enforcement can be delivered via partnerships with two or more DHCP solutions. Vendors that rely solely on agent-based endpoint self-enforcement do not qualify as NAC solutions.

Additional criteria:

• Solutions must link to remediation systems (for example, patch and configuration management), but they do not need to own core mitigation technology.
• The products with the required features and functions must be shipping as of 1 February 2010.
• The vendor must have at least $2 million in NAC sales during the 12 months leading up to 1 February 2010.

Vendors Considered but Not Included in the 2010 Magic Quadrant

LAN Switch Manufacturers

LAN switch manufacturers that base critical components of their NAC solutions on OEM technology or that resell NAC solutions from other vendors have been excluded from this Magic Quadrant. For example, Extreme Networks has not been included in our analysis, because its Sentriant AG200 NAC solution is based on StillSecure's Safe Access product. Alcatel-Lucent has not been included, because its approach to NAC is to resell the CyberGatekeeper solution from InfoExpress.

Small or Midsize Business (SMB) Vendors

SMB vendors that lack enterprise-class features and functions have been excluded from this Magic Quadrant. For example, NetClarity is a vendor that targets SMBs. Its NetClarity family of NACwall appliances use an agentless (no additional software on the PCs) approach to baseline the health of the endpoints. NACwalls are deployed out of band in LANs, so they install easily and are not in the line of traffic (no additional latency to the network). NACwall appliances interface with existing switches and firewalls to enforce access control. ARP manipulation can also be used to enforce access. Napera Networks, an SMB-focused vendor that previously sold a family of switches with embedded support for Microsoft Network Access Protection (NAP), has shifted its strategy to offer a cloud-based subscription service that performs endpoint baselining.

Microsoft

Microsoft embeds NAC functionality (branded as Microsoft NAP) within its more recent operating systems (Windows 7, Vista and XP Service Pack 3) and within Windows Server 2008. Consistent with our practice from 2009, we did not include Microsoft in this year's Magic Quadrant because of the requirement that organizations need to upgrade to the required Microsoft products. None of the other solutions in this Magic Quadrant require a desktop operating system update. However, we will re-evaluate Microsoft and the market penetration of Microsoft NAP-ready endpoints in 2011.

• Avaya (via its acquisition of Nortel's Enterprise Solutions unit).
• Avenda Systems
• HP (via its acquisition of 3Com)
• Nevis Networks

• Aruba has terminated its licensing agreement with Bradford Networks, which was the OEM of Aruba's Endpoint Compliance Systems appliance. Aruba is re-evaluating its NAC strategy.
• ConSentry effectively went out of business in August 2009 (although its website, at the time of this Magic Quadrant's publication, is still operational and makes no mention of the company's change in status).

The Ability to Execute criteria are:

• Product/Service: An evaluation of the features and functions of the vendor's NAC solution. Because the most common usage case for NAC is guest networking (blocking unmanaged endpoints from the main network, and granting them limited access or Internet access only), those solutions with strong support for guest networking will score strongly. Support for endpoint baselining and, to a lesser extent, identity-aware networking is also an important part of this criterion. Ease of use and the overall quality of the management and reporting features will be important considerations. Those solutions that support a variety of enforcement options (for example, VLAN steering, ACLs, DHCP and others) will score more highly than solutions with limited enforcement options.
• Overall Viability: Viability includes an assessment of the vendor's overall financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue to invest in an NAC solution.
• Sales Execution/Pricing: The vendors' capabilities in all presales activities and the structure that supports them. The ability of vendors to succeed in their target markets is important. Vendors that target large enterprises should demonstrate success in winning NAC deals of 10,000 endpoints and more. Vendors that target SMBs should demonstrate a high volume of smaller and midsize deals.
• Market Responsiveness and Track Record: Ability to respond, change direction and be flexible as market dynamics vary. This criterion also considers the vendor's history of responsiveness, including how quickly it responded when the primary focus on NAC shifted from endpoint baselining to guest networking.
• Marketing Execution: This criterion assesses the effectiveness of the vendor's marketing programs and its ability to create awareness and "mind share" in the NAC market. Those vendors that frequently appear on client shortlists are succeeding in marketing execution.
• Customer Experience: Quality of the customer experience based on reference calls and input from Gartner clients.
• Operations: The ability of the organization to meet its goals and commitments in an efficient manner. Past performance is weighted heavily. Note — this criterion will not be evaluated for the NAC Magic Quadrant.

Completeness of Vision criteria are:

• Market Understanding: Ability of the vendor to understand buyers' needs and translate these needs into NAC products. This includes the ability to anticipate market trends and to quickly adapt via partnerships, acquisitions or internal development.
• Marketing Strategy: This criterion analyzes whether the vendor's marketing strategy succeeds in differentiating its NAC solution from its competitors.
• Sales Strategy: The vendor's strategy for selling to its target audience, including an analysis of the appropriate mix of direct and indirect sales channels.
• Offering (Product) Strategy: An evaluation of the vendor's strategic product direction and its road map for NAC. The product strategy should address the NAC trends reflected in Gartner's client inquiries.
• Business Model: The soundness and logic of the vendor's underlying value proposition. How well will the vendors' NAC strategy succeed in an environment where NAC is increasingly becoming a feature of broader network and security solutions.
• Vertical/Industry Strategy: The vendor's strategy for meeting the specific needs of individual vertical markets and market segments (for example, higher education).
• Innovation: This criterion includes product leadership and the ability to deliver NAC features and functions that distinguish the vendor from its competitors.
• Geographic Strategy: The vendor's strategy for penetrating geographies outside its home or native market.

Leaders are successful in selling large NAC implementations (10,000 nodes and above) to multiple large enterprises as a primary offering. Leaders are networking and/or security companies that recognized early on that NAC would be an important component of their overall product portfolios and have been first to market with enhanced capabilities as the market matures. Leaders have the resources to maintain their commitment to NAC, have strong channel strength and have financial resources. They have also demonstrated a strong understanding of the future direction of NAC, including market demand for inexpensive guest network and authentication solutions. Leaders should not equate to a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.

Challengers are networking and/or security companies that have been successful in selling NAC to their installed bases, although they are generally unsuccessful in selling NAC to the broader market. Challengers are generally not NAC innovators, but are large enough and diversified enough to continue investing in their NAC strategy. They are able to withstand challenges and setbacks more easily than Niche Players.

Visionaries have led the market in product innovation and/or displayed an early understanding of market forces and trends. They are either smaller pure-play NAC vendors or larger networking and/or security companies. A common theme in visionary vendors is that they don't have significant channel strength and have not succeeded in building installed bases as large as the leaders. Pure-play vendors in the Visionaries quadrant face challenges in moving into the Leaders quadrant, due to the trend of network and security companies embedding NAC functionality in their existing solutions.

Niche Players represent a mix of small and large companies. The large companies are network and/or security vendors that have had some success in selling NAC to their traditional installed base, but typically face stiff competition from other NAC vendors. Large Niche Players have generally struggled to sell NAC to the broader market. Small Niche Players don't appear often on Gartner clients' shortlists, but some of them are successful in addressing subsets of the overall market. Niche Players are valid suppliers in the market and often provide solutions targeted to the needs of a particular vertical industry.

Avaya appears in the NAC Magic Quadrant for the first time, as a result of its acquisition of Nortel's Enterprise Solutions unit. The key component in Avaya's NAC strategy is its RADIUS-based policy server, known as the Ignition Server, which is part of a solution that Nortel gained by acquiring key intellectual property of Identity Engines. The Ignition Server is available only as a virtual machine on VMware. The Avaya Health Agent is capable of baselining Windows endpoints. The primary use case for Avaya's NAC solution is the installed base of Nortel switch and wireless LAN customers, although the Ignition Server is capable of supporting non-Nortel environments.

• Support for Microsoft NAP makes the Ignition Server a good choice in all-Microsoft environments.
• The Identity Engines offering provides a strong guest networking solution that is complete with user provisioning, reporting and management capabilities.
• Avaya has strong multivendor 802.1X support and operational tools (for example, authentication reports) for easing the operational challenges of managing an 802.1X environment.

• Avaya's NAC solution does not include permanent agents for baselining OS X, Linux or other non-Microsoft endpoints. It also does not offer an agentless scanning option.
• The Avaya installed base of network infrastructure (the main target audience for Avaya NAC) remains somewhat cautious and skeptical about Avaya's commitment to the market after enduring a very difficult and uncertain period as Nortel consolidated investments and dispersed its assets.
• Avaya's NAC solution has little visibility in the broader market (beyond Nortel's installed base).

Avenda Systems is a new entrant in the NAC Magic Quadrant. Its focus on the guest network use case and on interoperability (it was an early supporter of Trusted Network Connect [TNC] protocols) has contributed to its position in the Visionaries quadrant. Founded in 2006, Avenda's flagship offering is a RADIUS-based policy server, known as Enterprise Trust & Identity Policy System (eTIPS), that can be used in heterogeneous environments (mixed endpoints and/or mixed network infrastructure). eTIPS is available in an appliance form factor, and also as a virtual machine for VMware. It supports 802.1X and Web-based authentication for wireless, wired and VPN environments, and can also be used to enable the endpoint baselining use case for NAC (it supports permanent agents, dissolvable agents and agentless scans via Nessus). Multiple enforcement options are offered, including VLAN steering, ACLs and DHCP. Enterprises that can tolerate the risks of a startup and need a solution to support a heterogeneous environment should consider Avenda.

• Support for the TNC's Statement of Health protocol enables Avenda to provide endpoint baselining for Microsoft NAP-enabled endpoints (Windows 7, Vista and XP SP3) without requiring an additional agent. Avenda also provides agents that can baseline endpoints running Apple OS X and Linux operating systems.
• Avenda's Quick 1X tool simplifies the configuration of a broad set of supplicants, including supplicants native to Windows and Linux. It also supports supplicants on Mac OS X, iPhone and iPad operating systems.
• References for Avenda commented that its solution provides a flexible and granular approach to creating policies.

• Avenda's prospects for success are tied heavily to 802.1X, for which adoption in wired networks has been slow thus far.
• Enterprise inertia is a challenge for Avenda. Most enterprises have already implemented RADIUS servers from Cisco, FreeRADIUS, Microsoft or Juniper for their VPN and wireless access, and they are likely to stay with these existing solutions as they begin to extend RADIUS-based authentication to their wired networks.
• Avenda is a small company with limited resources. Microsoft and other vendors with a focus on the TNC specifications (for example, Juniper) have the resources to thwart Avenda's progress by duplicating eTIPS functionality on their own policy servers.

Bradford Networks was one of the earlier entrants into the NAC market, developing its Campus Manager product to meet the needs of universities to allow a wide variety of university-owned and student-owned PCs to connect without causing security problems. Bradford has built on this vertical industry to attack the broader NAC market. In May 2009, it brought in a new CEO. Bradford renamed its lead NAC product "Network Sentry" and took steps to put more discipline in its channel strategy to go after corporate markets. In 2009, Aruba terminated its agreement to license technology from Bradford. The loss of that OEM deal offset gains in its ability to execute, brought by Bradford expanding beyond the academic vertical market. Enterprises should evaluate Bradford's capabilities when NAC requirements are driven by diverse IT environments.

• Ease of deployment is rated very high for Network Sentry. Bradford's out-of-band approach and wide platform support eliminate many potential problems.
• Bradford's experience in diverse university requirements puts it in a good position for satisfying enterprise needs to use NAC to secure the use of employee-owned PCs and smartphones.
• Bradford consistently gets high marks for customer support and overall corporate responsiveness.
• In the past year, Bradford had a number of wins outside of the university vertical market, some displacing other incumbent NAC vendors.

• The ending of the OEM relationship with Aruba will slow Bradford's progress in expanding beyond the academic vertical market.
• Like all other NAC pure-play vendors, Bradford will be increasingly squeezed by NAC solutions offered by incumbent network infrastructure and EPP software vendors.
• Bradford users consistently request improvements in Network Sentry's user interface and reporting.

Check Point Software Technologies is one of the largest pure-play security companies, with a large firewall and VPN gateway installed base, and a strong global channel. Check Point has been slowly accumulating the component pieces to compete in the EPP platform market, and is gradually building on its installed base from the acquisition of Pointsec in 2006. Thus, Check Point's NAC capabilities are features that can be enabled by enterprises using its network security, endpoint security products or both, rather than a stand-alone NAC offering. Check Point's planned support for advanced guest management capabilities and its embrace of industry standards gained it an increased vision rating this year. Check Point's offerings should be considered by enterprises using Check Point's network security and/or endpoint security products.

• Check Point Cooperative Enforcement works well across Checkpoint network security products and third-party Open Platform for Security (OPSEC) partner technology.
• Check Point offers both a dissolvable agent and the Abra USB-based "portable personality" device for securing access by unmanaged PCs.
• Check Point's installed base and global channel provide a strong competitive advantage, especially where the NAC deployment is remote-access-centric.

• In the EPP platform market, Check Point competes against more-established solutions from McAfee, Sophos and Symantec, putting Check Point at a disadvantage in competitive endpoint-centric NAC deployments.
• Although Checkpoint has supported guest access through a captive portal approach, it has been slow to add advanced guest networking management capabilities.

Cisco's execution in the NAC market has not mirrored its success in the network infrastructure market. The most common complaint about Cisco's NAC solution is that it is too complex and too expensive. Cisco was slow to recognize and adapt to these deficiencies — thus, its backward movement along the Completeness of Vision axis. Cisco also lost points in its ability to execute, because many of its customers chose to implement competing NAC solutions. However, Cisco is shifting its NAC strategy, and if it executes well, it should remain a leader in the NAC market. The two main elements of the renewed strategy are an increased focus on 802.1X for controlling guest access and a new NAC appliance that consolidates functionality that is presently distributed among multiple NAC appliances. Cisco customers should consider the new NAC appliances once these products become available. Gartner expects that the new solutions will be shipping before year-end 2010.

• Cisco's renewed focus on 802.1X in wired networks will enable it to deliver basic and inexpensive guest network access, thereby addressing the primary NAC requirement for most enterprises.
• AnyConnect, which combines VPN, NAC and other security technologies into a single endpoint client, will help Cisco grow its installed base of NAC endpoint software. Cisco has a strong market share in the VPN market, and when its customers upgrade to AnyConnect, they will also be installing the embedded NAC software.
• The combination of Cisco's profiling solution (NAC Profiler) and its guest networking solution (NAC Guest Server) make for a strong approach to guest networking. NAC Profiler (Great Bay Software is the OEM provider) discovers and monitors nonauthenticating devices (for example, IP phones and printers), thereby easing the process of supporting endpoints that are non-NAC capable. NAC Guest Server (this technology is also licensed from an OEM provider) provisions guest accounts and monitors guest activity on the network. (Note: functionality from NAC Profiler and NAC Guest Server will be included in Cisco's new NAC appliance.)
• Cisco's long-term strategy of embedding identity awareness into its Catalyst switches (a component of its TrustSec strategy) will enable it to support identity policies more granularly and more flexibly than most of its NAC competitors.

• Before making further investments in Cisco's current family of NAC appliances (NAC Appliance 33XX Series, NAC Profiler and NAC Guest Server), Cisco customers should wait for Cisco to publicly announce its plans to upgrade these solutions and offer investment protection.
• Although Cisco's updated TrustSec positioning is a good start, it still needs improvements to its NAC marketing and branding. For example, Cisco needs to clarify the role that Secure Access Control System (ACS) plays in its broader NAC strategy.
• Despite a stated partnership with Microsoft, dating back to 2004, Cisco still does not support the Microsoft NAP protocols or the equivalent TNC specifications. Thus, Cisco software is required on Windows desktops to perform anything beyond the most basic endpoint baselining functionality.

In 2008, the Gores Group purchased Siemens Enterprise Communications and merged it with Enterasys (which it already owned). Since then, Enterasys has struggled to gain market share (currently 1% to 2%) in the wired network infrastructure market, its core competency. Enterasys offers out-of-band (NAC Gateway) and in-line (NAC Controller) components. The NAC Controller enables NAC for older third-party switches that do not support 802.1X or RADIUS-based authentication. The Enterasys solution performs endpoint baselining via agents (permanent and dissolvable) and agentless technology. The primary usage case for Enterasys NAC is Enterasys switch and wireless LAN customers, although the solution is capable of supporting non-Enterasys environments.

• Enterasys' main product strength remains the flow-based technology in its S-Series and N-Series switches. NAC policies can be applied for each unique flow (by tracking the source/destination address pairing). For example, granular policies can be established to implement bandwidth rate limits or trigger deep-packet inspection.
• Enterasys' NAC management console has an integrated profiling capability, which automatically discovers and identifies all endpoints on the network.
• Enterasys has integrated its Dragon IPS, as well as third-party IPS solutions, with its NAC offering, so that it can quarantine endpoints that Dragon identifies as suspicious.

• Its shrinking market share limits Enterasys' ability to grow its NAC business, particularly because it has had limited success in selling NAC to the broader market.
• For a network infrastructure vendor, Enterasys lacks operational and troubleshooting tools for managing an 802.1X environment.

ForeScout is a network security pure-play company that offers the CounterACT NAC appliance and the CounterACT Edge security appliance. CounterACT is highly rated by users for ease of deployment and flexible enforcement scenarios. ForeScout's out-of-band approach simplifies moving from guest networking to baselining to enforcement, the common success pattern for NAC deployments. ForeScout had a number of new customer wins since the publication of the 2009 NAC Magic Quadrant, with a strong presence at government agencies, gaining it an increase in its Ability to Execute rating. ForeScout should be considered by enterprises looking at NAC solutions that are not tied to network infrastructure or EPP software.

• CounterACT is highly rated for ease of deployment and price/performance in large installations, and ForeScout consistently gets good ratings for responsiveness and support.
• CounterACT provides strong support for the guest network and endpoint baselining use cases, and it provides basic support for role-based policies. CounterACT also supports post-connect NAC, via its IDS-like functionality.
• ForeScout customers tend to grow their deployment of CounterACT appliances and scale their NAC solutions quickly.
• ForeScout's visibility (as reflected by how often it appears on the shortlists of Gartner clients) has improved since 2009.

• Although CounterACT's price/performance is strong across large installations, users report that ForeScout's management console needs ease-of-use improvements for large-scale implementations.
• Like all other NAC pure-play vendors, ForeScout will be increasingly squeezed by NAC solutions offered by incumbent network infrastructure and EPP software vendors.

HP Identity Driven Manager is HP's lead offering in NAC. In April 2010, HP completed the acquisition of 3Com, along with H3C, the joint venture between Huawei and 3Com. H3C has an NAC solution, as did TippingPoint, which 3Com had previously acquired in 2005. Prior to these acquisitions, HP's NAC solution consisted of Identity Driven Manager and the ProCurve Network Access Control 800 appliance, which was based on technology licensed from StillSecure (via an OEM agreement). HP discontinued the ProCurve Network Access Control 800 appliance in April 2010, and it recommends the StillSecure branded NAC offering as a replacement (StillSecure is an HP AllianceONE NAC Specialization Partner). Until HP articulates a coherent strategy and road map for its NAC products, we continue to rate it as a Niche Player in the market. Users of HP network infrastructure technology should consider HP's NAC offering.

• Identity Driven Manager is a plug-in to HP's ProCurve Manager Plus, simplifying NAC deployment for ProCurve wired and wireless network users.
• HP has tightly coupled Identity Driven Manager to Microsoft's NAP technology that is built into PCs running the XP SP3, Vista and Windows 7 operating systems, easing NAC deployment for enterprises that have deployed these newer operating systems.
• As a large company with global support and significant R&D resources, and a good track record in supporting and driving industry standards, if HP chooses to focus on NAC as a key part of competing in the network infrastructure market, then it could become a major market factor.

• Identity Driven Manager's integration to ProCurve puts it in direct competition with Cisco's NAC strategy. Although Gartner gives ProCurve a strong rating as a network infrastructure contender, Cisco's domination of the installed base is a major challenge to HP NAC adoption.
• HP's reliance on Microsoft NAP puts it at a disadvantage in environments with older Microsoft desktop operating systems (that do not support Microsoft NAP) and where consumerization demands are resulting in more use of PCs and smartphones that run non-Microsoft operating systems.
• Although HP has a large portfolio of security products, its overall strategy for security is unclear, and its NAC strategy and road map suffer as a result.

Impulse Point has shown growth in the higher education market, and also the K-12 sector, but it has not demonstrated an ability to penetrate the commercial enterprise market. Its strong vertical focus keeps it positioned in the Niche Players quadrant. Enforcement is provided via ACLs at Layer 3 (for example, routers and switches), at Layer 4 (support is provided for Blue Coat proxies) or via firewall policies. This approach is suitable for some university environments, although it does not meet the enforcement requirements of most corporate environments, where enforcement is required at Layer 2 (at the LAN switch). Impulse Point delivers its solution as a managed service, which includes managing updates (patches and antivirus status) to its policy server and housing daily policy configuration backups. Safe Connect is available as an appliance or via software (it is certified to run in a virtualized VMware environment). Educational institutions dealing with heterogeneous endpoint environments should consider Impulse Point.

• Safe Connect can be deployed quickly, because its Layer 3 approach to enforcement eliminates the need to test compatibility at Layer 2 (among an enterprise's LAN switches).
• Impulse Point provides a scalable and relatively inexpensive approach to NAC. In large environments (10,000 nodes and above), Impulse Point's pricing model is highly favorable.
• With several of its university customers, SafeConnect displaced its competitors' NAC equipment.
• Its endpoint agent provides continuous posture assessment and quarantining (agent-based self-enforcement). Many endpoint-based NAC solutions require scheduled posture assessment scans.

• Safe Connect's Layer 3-based enforcement mechanism (ACLs on routers) makes it a poor choice for enterprises seeking to implement guest networks in corporate environments. Endpoints are still able to gain access by connecting to a Layer 2 LAN switch. Impulse Point provides the option to integrate FreeRADIUS in the Safe Connect policy server to authenticate 802.1X-enabled endpoints, although the solution is not competitive with other appliance-based RADIUS solutions that are more scalable and have better tools for troubleshooting failed authentications.
• Although its focus on NAC as a managed service shifts the daily support burden to Impulse Point, some of its customers have commented that product documentation quality is weak. In the most recent release, updated documentation was not available for several months after the product shipped.
• Outside the higher education market, Impulse Point suffers from low market visibility, because of its small size and its limited resources.
• Although Impulse Point has improved its reporting and graphical interface, its policy controls in the area of guest networking and its Windows patch management are weaker than many of its competitors.

InfoExpress is largely focused on the NAC market, although it also offers a personal firewall product. It is still a small company (fewer than 100 employees), but it was founded in 1993 and remains a "bootstrap" company — it has never needed to raise money from venture capitalists. In 2009, InfoExpress partnered with Alcatel-Lucent and integrated its technology with Alcatel-Lucent's LAN switches, wireless access points (from Aruba) and its VitalQIP Suite (which enables DHCP-based enforcement). Alcatel-Lucent is now a global reseller of InfoExpress solutions. Enterprises should evaluate InfoExpress' capabilities when NAC requirements are driven by diverse IT environments.

• InfoExpress provides a broad array of deployment options for NAC. Persistent or dissolvable agents can be used to baseline endpoints. Its CyberGatekeeper appliances provide in-line and out-of-band enforcement for LAN, wireless LAN and VPN connections, and its policy server functions as a RADIUS proxy. InfoExpress' most popular NAC solution is its Dynamic NAC offering, which uses permanent agents to implement ARP-based enforcement of noncompliant endpoints.
• Dynamic NAC can be a cost-effective solution for organizations that have many sparsely populated branch offices, because it does not require additional hardware.
• InfoExpress' CyberGatekeeper NAC solution is a good complement to its personal firewall offering.

• InfoExpress' policy management console lacks some of the user-friendly features (for example, drop-down menus and radio buttons) found in competitive offerings.
• Guest networking functionality is limited. Guest accounts must be provisioned on a RADIUS server or on Active Directory, and managing an exception list of endpoints is manually intensive.
• The company's technology differentiation has eroded as large competitors, such as McAfee and Symantec, have expanded their endpoint security solutions to include better personal firewalls and NAC support.

Insightix is a pure-play network visibility vendor with products branded under the Insightix Business Security Assurance (BSA) line. BSA Visibility is the main product, which uses a mixture of active and passive techniques to detect and profile devices connected to the network. Visibility greatly reduces the manual effort required to maintain a continuous and accurate inventory of everything connected to the network and the key attributes of each device. BSA NAC provides enforcement capabilities through ARP manipulation, while BSA Guest Access Control provides a captive portal approach for allowing limited guest access. Insightix has improved its management and workflow capabilities and added integration to McAfee and Juniper environments, but its lack of visibility and limited large-scale deployments acted to offset these gains in the Ability to Execute and Completeness of Vision axes. Enterprises that have demand and funding for network discovery capabilities that later may be used as the foundation for broader NAC deployment should consider Insightix.

• Ease of implementing discovery and baselining and the depth and accuracy of the profiling information are Insightix's core strengths. Embracing the IF-MAP standard will help it increase partnerships with network infrastructure vendors that lack their own discovery capabilities.
• Insightix's enforcement technique is easy to deploy for organizations that are mostly interested in visibility and inventory, with limited quarantining requirements.

• Insightix's visibility in North American and larger European companies is very limited, and it rarely appears on Gartner client shortlists in those geographies.
• Insightix's integration with remediation products and its support for guest access management are limited.
• Although Insightix can sell network visibility outside the NAC space, it will be increasingly squeezed in NAC opportunities by incumbent network infrastructure and EPP software vendors that embed NAC functionality.

Juniper has been an early promoter of NAC standards, and its Unified Access Control (UAC) solution was one of the first to implement the TCG/TNC's protocols that enable NAC interoperability. Juniper has also been an early adopter of the TNC's IF-MAP specification, which creates an open and structured way for devices and users to share information on a network. Juniper's success in selling UAC into large accounts and its foresight with regard to NAC interoperability have enabled it to remain in the Leaders quadrant, although it lost points overall in the Completeness of Vision and Ability to Execute axes. With regard to vision, Gartner believes that Juniper is missing opportunities by not targeting UAC more strongly as a solution for the Guest Network use case. With regard to its ability to execute, Juniper lost points because it needs to create stronger mind share and sales for UAC among its installed base of enterprise customers. Juniper customers and enterprises that emphasize NAC interoperability due to diverse IT environments should consider Juniper's UAC solution.

• Junos Pulse, which combines VPN, NAC and WAN acceleration technology into a single endpoint client, will help Juniper grow its installed base of NAC endpoint software. Juniper has strong market share in the VPN market, and when its customers upgrade to Junos Pulse, they will also be installing the embedded NAC software.
• Integrating Webroot anti-spyware, another component of Junos Pulse, enables Juniper to go beyond basic endpoint compliance checking to also assess whether an endpoint is infected with malware.
• UAC support is embedded in Juniper's firewall, IPS and Ethernet switch product families. This integrated approach enables Juniper components to enforce device policies and/or identity policies (user policies), and makes UAC a good option for multiple NAC use cases.
• Juniper's support for Microsoft NAP enables it to provide basic endpoint baselining on Windows PCs without requiring the Junos Pulse agent.

• Feedback from some Juniper references reflects poorly on the ease of UAC deployment. Gartner received complaints about the deployment and manageability of the UAC client, and also received similar input regarding Juniper's RADIUS functionality.
• Juniper is too focused on selling the complete UAC solution, and has not leveraged its 802.1X support to gain a beachhead in accounts for guest networking.
• For a solution with a strong emphasis on identity-aware networking, Juniper's policy management console lacks some important features for enabling guest access. For example, setting up time-based access requires custom filters (instead of radio buttons), and guest credentials cannot be automatically e-mailed or texted in advance.

As an EPP vendor with a strong set of network security products, McAfee is well-positioned to sell NAC into its installed base of ePolicy Orchestrator (ePO) customers. In addition to embedding NAC functionality into its EPP suites, McAfee also offers NAC as a stand-alone component. An optional software module for McAfee's IPS appliance enables it to enforce NAC policies. Non-IPS customers have the option of purchasing a stand-alone NAC appliance, which runs the same software but without the IPS functionality. McAfee had purchased the assets of failed NAC vendor Lockdown Networks, which would have enabled it to deliver an inexpensive NAC solution for the SMB market, but it appears to have abandoned that strategy. McAfee's Network User Behavior Analysis, a solution that it gained with its acquisition of Secure Computing, monitors user behavior on an enterprise network and could be deployed as part of a post-connect NAC project, although McAfee does not market it as an NAC offering. Even with its strengths in network security, McAfee has yet to demonstrate that it can consistently win large NAC deals in its installed base of ePO accounts, and Gartner has positioned it below the Ability to Execute line in the Visionaries quadrant. McAfee customers should evaluate its NAC solution.

• McAfee's Network Security Manager (NSM) enables organizations to build and enforce rich policies, including identity policies and location-based policies.
• The user interface for provisioning guest accounts is good and includes several options for notifying guests of the account credentials (for example, SMS and e-mail).
• McAfee has gained additional network security experience through its acquisition of Secure Computing, which should help it compete in NAC sales against other EPP vendors.

• McAfee's N-450 NAC Appliance is available in only one size, and it is not cost-effective for small environments or small remote sites.
• McAfee's NAC solution lacks the ability to enforce policy by configuring ACLs on LAN switches, a common feature in competing offerings.

Nevis Networks appears for the first time in the NAC Magic Quadrant, although it also appeared in Gartner's NAC MarketScope in 2007 and 2008. Nevis went through a period of transition in 2009, after a management buy-out that resulted in the management team relocating to India, where the company already had a development center. Due to the uncertainty surrounding the company, Gartner did not include Nevis in the 2009 NAC Magic Quadrant. Nevis offers an in-line approach to NAC via two options — an Ethernet switch (Secure Switch LANenforcer) and a LAN appliance (LANenforcer) that is positioned between an edge switch and a core switch. Both products are based on Nevis' ASIC technology, which has enabled it to cost-effectively integrate basic IPS capabilities in the LAN. Organizations that need the benefits of an in-line approach to NAC and can accept dealing with a geographically remote support organization should consider Nevis. Organizations that are located in India or China should consider Nevis.

• Nevis' in-line positioning enables it to enforce granular user-based policies by dropping and filtering packets — a flexible approach to adding identity awareness to the network.
• The IPS capabilities in the LANenforcer products enable strong post-connect NAC functionality, using both signature and anomaly-based detection.
• LANenforcers provide application detection and control capability for applications that companies typically seek to limit, including instant messaging and other peer-to-peer applications, as well as gaming and streaming audio/video applications.

• Outside of India and China, Nevis has a small presence and low market visibility.
• The requirement to deploy appliances in-line can be expensive, particularly in network topologies where the Nevis appliances are only partially used (for example, if many ports are left unused). Often, it is not cost-effective to deploy Nevis appliances in small remote offices or to enforce NAC in VPNs.
• Despite its increased market penetration in India and China, Nevis will be challenged to sell its LAN switches and NAC appliances against established network infrastructure vendors, such as Cisco, HP and Juniper.

In May 2010, Apax Partners, a private equity firm, announced plans to acquire 70% of Sophos. The deal gives Sophos additional financial backing, and should have limited impact on Sophos customers in 2010. Sophos offers two NAC solutions (both are based on technology from its 2007 acquisition of Endforce). Sophos' EPP suite, Endpoint Security and Control, provides basic NAC policy, reporting and enforcement capabilities. Sophos' NAC Advanced solution, which requires a separate agent and management console, provides more-advanced features, such as custom policy creation, stronger reporting capabilities and more enforcement options (including support for 802.1X). Sophos' NAC solutions are a reasonable choice for Sophos customers. Larger customers, with more-sophisticated needs, should evaluate the NAC Advanced solution.

• Basic NAC functions are embedded (at no extra charge) in Sophos' Endpoint Security and Control suite, although this version does not support VPN environments (the NAC Advanced Solution is required for VPNs).
• The Sophos policy server acts as a RADIUS proxy and provides very flexible and granular support (for example, configuring vendor-specific attributes and subattributes) for interoperating with policy enforcement points.

• Sophos is behind its major EPP suite competitors (McAfee and Symantec) in delivering an integrated NAC and EPP solution. Its NAC Advanced solution still requires a separate agent and management console, whereas Symantec and McAfee offer integrated NAC agents with their EPP solutions.
• Although Sophos has made progress in selling to larger accounts, the majority of its client base are SMB customers and are less likely to adopt its enterprise-class Advanced NAC offering.
• Customer references said that Sophos' reporting capabilities are cumbersome and that its management dashboard does not provide enough drill-down troubleshooting capabilities.

StillSecure sells IPS, NAC and vulnerability management products. In 2009, StillSecure acquired ProtectPoint, a small managed security service provider, to enter the security services business, but it does not offer managed NAC services. The StillSecure Safe Access NAC product offers a full-time agent, a dissolvable agent and an agentless assessment option. StillSecure has licensed its technology to network infrastructure vendors Extreme Networks, HP and Novell. Safe Access should be considered in NAC deployments where heterogeneous networks are in use and where organizations want the flexibility of agent or agentless baselining options.

• Safe Access supports a broad range of endpoint baselining and enforcement methods.
• StillSecure Safe Access has received Common Criteria certification, which simplifies procurement for defense and government agencies.
• References consistently quote the quality of StillSecure's technical support and Safe Access integration with LAN switches as leading reasons for selecting Safe Access.

• Safe Access has limited support for advanced guest network management functions. These features are on StillSecure's road map for 2010.
• As a relatively small security vendor, StillSecure's resources are spread across three product areas and the new management security services initiative.

Symantec's Network Access Control product consists of NAC agent capabilities integrated into Symantec's Endpoint Protection software, managed by the same Symantec Endpoint Protection manager. Like other EPP vendors, Symantec's strength in NAC is largely based on the capabilities of its Endpoint Protect agent, but it also supports a dissolvable agent and an agentless approach with an optional scanner. In 2010, Symantec acquired Gideon Technologies, and Symantec intends to integrate Gideon's SecureFusion vulnerability scanning into Symantec NAC by year-end 2010. Symantec also offers a Symantec NAC "Starter Edition" that does not offer 802.1X or DHCP enforcement. Symantec lost points in vision and moved into the Challengers quadrant, mainly because its support for the guest network use case remains weak. Symantec NAC should be considered when Symantec is the incumbent desktop EPP vendor.

• Symantec's share in the EPP market enables it to aggressively price NAC as an integrated capability. Where Symantec's Altiris desktop management product is also in use, Symantec has a very strong story for remediating noncompliant endpoints.
• Symantec's dissolvable agent and in-line VPN enforcement capabilities are given strong marks by references.
• Symantec's NAC status display is effective and provides a strong capability for rapid drill-down into endpoint status.

• Users still report installation as being cumbersome and complex. Symantec tools for importing device information and easing NAC startup are basic.
• Symantec's support for guest network administration is limited. Enhanced capabilities in this area are on Symantec's 2011 road map.
• Symantec's visibility in NAC is lower than its EPP market share would predict. This is likely due to Symantec's attempts recently to diversify into storage and system management, diluting its visibility in NAC-specific opportunities.

Trustwave is a large Payment Card Industry Qualified Security Assessor (QSA) and security service provider that entered the NAC market in 2009 via its acquisition of Mirage Networks. Trustwave Enterprise NAC provides the full set of NAC functions using an out-of-band, clientless approach with ARP manipulation for quarantining. Trustwave also offers NAC appliances with limited functionality for smaller organizations, as well as a managed NAC service. Trustwave has made additional acquisitions in security information and event management (SIEM), DLP, and mobile data protection to broaden its managed service offerings and increase its efforts to be visible outside the PCI compliance space. Trustwave is still primarily a service vendor and not a product vendor. It moved into the Niche Players quadrant due to its focus on the retail market and on PCI compliance. Trustwave moved upward on the Ability to Execute axis due to its rapid growth and its plans to broaden beyond the retail vertical industry. Trustwave NAC offerings should be evaluated by enterprises looking to meet PCI requirements, and those where a low cost of entry and minimal integration to third-party products are required.

• References continually quote ease of deployment and low cost as the primary factors for selecting Trustwave NAC.
• Trustwave's QSA strength and broad business relationships with credit card payment acquirers/processors give it an edge in selling managed NAC services to merchants as part of a larger bundle of Trustwave services to reach PCI compliance.
• Trustwave NAC has received Common Criteria certification, which simplifies procurement for defense and government agencies.

• Trustwave NAC offers a limited set of enforcement options and guest networking support.
• Because Trustwave has acquired many security technologies and offers a broad range of its own services, Trustwave NAC has a shortlist of resellers and has limited integration to third-party security products, such as SIEM or remediation.
• Trustwave is rarely mentioned by Gartner clients outside of the context of PCI-related services. To attack the broader market, and build up a base of users that drive product features that are beyond PCI requirements, Trustwave will need to invest in building out enterprise product support capabilities.