NAC Vendors Have The Endpoint In Sight


Network access control vendors are working with a broad array of security vendors to bolster visibility and control of endpoint devices attempting to connect to the network.

ForeScout Technologies is launching ControlFabric as well as an extended technology partner program for network access control, or NAC, integration this week. Other vendors, including Cisco Systems and Bradford Networks, also are creating partnerships and building capabilities to better interoperate with other security appliances.

ForeScout, Cupertino, Calif., said its platform allows system integrators and users to develop their own policies with multiple types of products, ranging from other security platforms to help-desk ticketing systems.

An area where adoption may be strongest, according to industry analysts, is integration with mobile device management platforms. MDM systems typically can provide greater control over applications, encryption and other security policies applied to mobile devices. Meanwhile, NAC systems can control device access to critical systems or files or block the device altogether, said Sean Ginevan, director of business development at MDM vendor MobileIron, Mountain View, Calif.

[Related: Network Access Control Gains Traction With BYOD]

"A NAC system alone is going to know that it's an iPhone, it's going to know the hardware address of that device, but it will not necessarily have the richness and completeness of data that an MDM system would," Ginevan told CRN. "This is about admission control and understanding if the devices can be trusted."

MobileIron, which partners with ForeScout on its ControlFabric platform, has been expanding its integration with other technology vendors, partnering with Bradford Networks, Novell and Cisco. Much like ForeScout's ControlFabric, Bradford Networks has a SmartEdge Platform to integrate with third-party technologies.

ForeScout and other NAC vendors say deeper integration ensures that network-based controls align with the MDM device application policies and user-based roles. It also can automate enrollment to force users to register their device with a company MDM platform so it can have broader access to corporate resources.

System integrators are asking for broader integration with network devices because companies want additional control over endpoint devices, particularly in education, health care and financial services, said Ginevan.

The market for endpoint device control to address BYOD is still emerging, prompting providers to strike integration partnerships, said Eric Maiwald, a research vice president at Gartner, in an interview with CRN. Businesses need to evaluate NAC vendors by understanding how their respective platform reacts to a device that falls out of policy, he said, adding that businesses want more controls but don't want to disrupt end users.

"There's no perfect solution out there, and I'm not sure anything will emerge that will even come close to perfection," Maiwald said.

Additional control over endpoint systems also extends to incident response capabilities. Companies that have implemented FireEye appliances for antimalware detection also are seeking broader integration with point products. ForeScout recently launched a connector to FireEye that enables its CounterACT platform to knock an endpoint offline or block its communication at the port.

Didi Dayton, vice president, worldwide strategic alliances at FireEye, Milpitas, Calif., said integration helps speed the incident response process after the platform detects malware.

"Most organizations don't have incident responders so they rely on ad hoc products to correlate into a [security information event management system] to hopefully tell them what is going on, but it can take weeks or months," Dayton told CRN.

FireEye's products also integrate with Dell SecureWorks, IBM, MobileIron, Fiberlink, and other MDM and SIEM vendors. The partnerships can cut the integration time from six months or more down to two months or so, Dayton said.

PUBLISHED OCT. 15, 2013