In testing 12 NAC products, we discovered an incredible variety of management styles. To organise our results, we broke things up into three main categories: overall management, separation of control and high availability.
If we just awarded prizes based on simplicity, Cisco NAC Appliance, ForeScout CounterACT and HP NAC would immediately jump to the top of the list, because all of them have easy to use, easy to learn interfaces that get you up and running quickly and offer strong visibility into what is happening.
Other products were more complex, but more powerful as well. For example, when we started learning to use Juniper UAC, we spent an entire hour one morning drawing a picture trying to put all the pieces together. It's a complicated set of products. There are central management tools, individual device management interfaces, intrusion-prevention systems, and on top of that, the UAC web-based GUI itself. Bringing it all together is tough, but it doesn't seem fair to knock Juniper down because its product has a lot of optional pieces.
Avenda eTIPS is another good example of a product that does a lot, and because of that, you end up with a complicated user interface. In Avenda's case, the management system is as simple as it could be while still offering all the power that we needed.
In the end, we looked at products with two management criteria in mind: how hard it was to use, and how much visibility it gave us into the NAC status of our network.
Some of the products have serious flaws. Alcatel-Lucent's SafeNAC is not really a single product; it's a collection of features from their management system, their switches and InfoExpress' CyberGatekeeper that together act as a NAC solution. It certainly works well together, but the management is very un-integrated.
Bradford Network Sentry's management system is similarly disappointing. A few minutes into configuration, we found ourselves lost in pop-up windows, new tabs and sub-windows. Sometimes, we'd click on something and get a new page in the same window. Other times, we'd get a new tab in the same window, and other times we'd get an entirely different window. We expected better than that from one of the oldest NAC products in our test.
Are these issues that can be worked around? Certainly. A badly designed GUI is not a reason to throw out a good product. In the case of NAC, badly designed management systems are more the norm than the exception.
A more significant issue in NAC management comes under the general term of "visibility": how much information is quickly and easily available to the network manager about what is happening, NAC-wise, on the network.
In this area, there are three clear winners: ForeScout CounterACT, HP NAC and Trustwave NAC, with a close second place from McAfee's Network Security Manager. All excel in giving great real-time information about users.
The question of visibility into current operations hits a key contradiction in the design of NAC products. In other parts of this test, we praised products which take a "hands off" approach, using standards such as 802.1X to push access control information to the edge devices. Those products, by their nature, have the least visibility into NAC operations because they are only loosely coupled to the edge devices.
In this part of the test, though, most of those products are losing points for their lack of visibility information. HP NAC, because it is tightly coupled to the HP switch management tool, does a good job of bridging the gap, as does Enterasys NAC, but these really are single-vendor exceptions.
Other bright spots
Avenda eTIPS is head-and-shoulders above the other products we tested when it comes to transaction logging. The ability to look at what happened, in detail, as someone tried to come onto the network was amazingly useful — and something we missed in other products.
Bradford Network Sentry and Cisco NAC Appliance gave us visibility into the network, but they were more switch-centric than user-centric. Having a lot of detail on devices and ports is a great asset. We feel, though, that a typical Help Desk call would be from a user who was having a problem getting logged in, not someone who knew what switch and port number they were on. This made the visibility we got from Bradford Network Sentry and Cisco NAC Appliance good if you're a network manager, but not quite as nice if you're working on the Help Desk.
McAfee and Symantec both had outstanding visibility into the endpoint security posture of systems, another strong benefit. Where they fell down was in showing us how the total NAC system was working.