Trustwave NAC is the ultimate "zero touch" NAC product. It doesn't need to know anything about your infrastructure, and it doesn't require that you implement 802.1X. To use Trustwave NAC, you put it in a position to monitor traffic on each of your network segments. Then, to enforce access controls, Trustwave NAC injects packets into the network that cause it to become a "man-in-the-middle," presenting a captive portal and providing endpoint security scanning software. When a workstation has passed both authentication and endpoint security requirements, Trustwave NAC releases its hold on the device and traffic flows normally.

Although the documentation on Trustwave NAC can best be described as "dismal to awful," the product is fairly easy to understand and to configure. For example, if your NAC policy says that someone must not be running an FTP server, then the Trustwave NAC appliance port scanner will look for FTP servers. If you don’t have FTP servers in your policy, then it won't bother to look for them.

Normally, LAN users authenticate indirectly in Trustwave NAC. If you have 802.1X, or if users log in via Active Directory, then Trustwave NAC can detect this and will assign credentials to the device. For guest users who do not log into a domain or use 802.1X, Trustwave NAC will redirect the user to a captive portal which can be used for both authentication and endpoint security checking.

Trustwave NAC tries to be as unobtrusive as possible while still providing NAC protections. A combination of passive network monitoring and active network-based scanning (similar to what NMAP and Nessus do) is used to detect the status and state of each device on the network.

This makes it more of a reactive product than a proactive product, in the sense that it will detect bad behaviour when it occurs but not necessarily help in managing compliance. If this looks similar to what Forescout’s CounterACT does — it is. The products have many parallels and are closer to each other than to other NAC products.

Trustwave NAC does not require active changes to the network, a huge benefit. While this comes with some restrictions, such as a weaker endpoint security host checking model, it will also be attractive to many network managers, especially in smaller sites, where network changes are especially difficult.

However, Trustwave NAC's strategy of tricking the network by poisoning ARP caches and injecting TCP packets might send chills down the spine of a network manager. When you can't trust basic troubleshooting tools such as Ping and Traceroute or the predictability of the TCP state machine, you're opening up the potential for small network problems to become un-debuggable nightmares. On the other hand, for small, well-behaved networks such as at branch offices, this concern might be overstated.
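For a network manager weighing that concern, the practical question is how to tell whether an ARP binding on a segment has been rewritten by an in-line enforcement device rather than by a genuine host move. The following is an added example written for this review and is not Trustwave's code or anything from the product: it keeps an ARP-reply-derived IP-to-MAC table, reports every binding that changes, and lists any MAC that answers for several IPs at once (the pattern a man-in-the-middle insertion by ARP cache poisoning leaves on the wire). The ARP replies, addresses and MACs are constructed sample data; in practice you would feed it records from a sniffer or an arpwatch-style log.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: the sender claims to own sender_ip at sender_mac."""
    ts: float
    sender_ip: str
    sender_mac: str


class ArpBindingMonitor:
    """Track the IP-to-MAC bindings seen in ARP replies and record changes.

    An appliance that inserts itself by poisoning ARP caches shows up here as
    an IP whose MAC flips to the appliance's MAC and, usually, as a single MAC
    that suddenly answers for several IPs (gateway plus the held workstations).
    """

    def __init__(self):
        self.bindings = {}                   # ip -> MAC currently believed for it
        self.ips_by_mac = defaultdict(set)   # MAC -> set of IPs it has answered for
        self.events = []                     # (kind, ts, ip, detail) in arrival order

    def observe(self, reply):
        old = self.bindings.get(reply.sender_ip)
        if old is None:
            # First time this IP is seen: just learn the binding.
            self.bindings[reply.sender_ip] = reply.sender_mac
            self.ips_by_mac[reply.sender_mac].add(reply.sender_ip)
            self.events.append(("new", reply.ts, reply.sender_ip, reply.sender_mac))
        elif old != reply.sender_mac:
            # The IP now answers from a different MAC: record the flip.
            self.ips_by_mac[old].discard(reply.sender_ip)
            self.bindings[reply.sender_ip] = reply.sender_mac
            self.ips_by_mac[reply.sender_mac].add(reply.sender_ip)
            self.events.append(("changed", reply.ts, reply.sender_ip,
                                f"{old}->{reply.sender_mac}"))
        # An unchanged binding is normal traffic and is not reported.

    def multi_ip_macs(self, threshold=2):
        """MACs currently answering for at least `threshold` distinct IPs."""
        return {mac: sorted(ips) for mac, ips in self.ips_by_mac.items()
                if len(ips) >= threshold}


# Constructed sample: a gateway and one workstation, then a third MAC that
# takes over the gateway's IP and, moments later, the workstation's IP too.
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),    # gateway (constructed)
    ArpReply(1.5, "10.0.0.20", "aa:aa:aa:aa:aa:20"),   # workstation (constructed)
    ArpReply(2.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),    # steady state, nothing to report
    ArpReply(5.0, "10.0.0.1", "cc:cc:cc:cc:cc:99"),    # gateway IP now answers from another MAC
    ArpReply(5.1, "10.0.0.20", "cc:cc:cc:cc:cc:99"),   # same MAC now also claims the workstation
]


def analyse(replies):
    """Return (list of 'changed' events, MACs answering for multiple IPs)."""
    mon = ArpBindingMonitor()
    for reply in sorted(replies, key=lambda r: r.ts):
        mon.observe(reply)
    changes = [e for e in mon.events if e[0] == "changed"]
    return changes, mon.multi_ip_macs()


if __name__ == "__main__":
    changes, suspects = analyse(SAMPLE_REPLIES)
    for kind, ts, ip, detail in changes:
        print(f"t={ts:.1f} binding for {ip} {kind}: {detail}")
    for mac, ips in suspects.items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

Treat a flip as a signal to correlate, not a verdict: VRRP/HSRP failover, a DHCP lease moving to a new host, or a replaced NIC all change bindings legitimately, whereas a NAC enforcement action should line up with an entry in the appliance's own log for that workstation. Keeping this table alongside the NAC console is what lets you trust Ping and Traceroute output again when a segment starts behaving oddly.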
If you don't like the protocol shenanigans that Trustwave NAC uses to enforce access controls, you don't have to use them. In that case, you still get a great deal of valuable visibility information on what types of systems are connecting to your network. Since many NAC deployments never get to the stage of actually pushing out access controls, the power of Trustwave NAC's passive discovery and active scanning may be just what you need.