The concept behind network access control (NAC) used to be simple: Don't let anyone pass through the boundaries of the enterprise network unless they're compliant with security policies and can authenticate themselves. But with cloud computing and virtualization separating applications from enterprise servers and mobile devices erasing IT control of endpoints, the boundaries of the network have become blurred.

NAC vendor ForeScout is responding to this by releasing the CounterACT Virtual Appliance, a software version of its CounterACT appliance, and moving beyond NAC to include mobile security and compliance monitoring.

"NAC was our bread and butter until pretty much last year," said Hanan Levin, VP of product management at ForeScout." We were leaders right behind Cisco in terms of market share. It was a nice ride." But now the company wants to focus on more, not because the need for access control is disappearing but because so much more is necessary. With mobile devices either employee-owned or not capable of running an agent, requiring one on every client is no longer tenable for many organizations, so access control has to be agentless. The focus is also shifting from clients to traffic, as many enterprises can't realistically expect to control everything that connects to the network but do still need to control exactly what each client can do.

The new version of CounterACT can still use a client-side agent for organizations or applications that require them, but it also supports dissolvable agents that run temporarily for client remediation, as well as standard protocols like 802.1x. "The technology developed use-cases bigger than we had imagined," said Levin. "If you control the access, that's fine, but it's not enough. Security also depends on what's running: processes, registry, has a new application been introduced?" When this isn't possible, the system can isolate particular clients and restrict them to well-defined roles--important for guest access and for limited function devices like printers and IP phones

ForeScout hopes that the CounterACT Virtual Appliance will both extend the market for NAC and enable existing users to deploy it in different scenarios, from the cloud to branch offices where a hardware appliance can't be justified. As with other forms of virtualization, it also means that users can add capacity on demand. The need for NAC can be heavily dependent on the number of clients connecting, making this useful for networks in venues that have large spikes in visitors requiring guest access.

In common with other vendors that have virtualized their appliances, ForeScout's virtual version is functionally identical to the physical one and can be managed using the same interface. However, the company admits that virtual security isn't for everyone, noting in particular that virtualization isn't compliant with some versions of the Federal Information Processing Standards (FIPS) which require hardened hardware. "Customers may not choose to migrate to a virtual environment, and we support them in that," said Levin.

Virtual Event: Business Mobility Unleashed. Zero in on the top mobile technologies and techniques to ensure your organization thrives in the wireless world. Learn about strategies and products that offer remote user applications support, Wi-Fi management, security features, and device management. Our virtual event happens Thursday, July 14. Register now.