In this guide, we present some critical factors to consider in selecting the best Network Access Control (NAC) solution by comparing Genian NAC with PacketFence.
NAC - Deployment Models and Architectures
Genian NAC offers flexible, industry-leading deployment models with the same functionality and a seamless user experience delivered across Cloud Managed, Private Cloud or On-Premises. This is achieved by a highly flexible architecture composed of central Policy Servers (Cloud or On-Prem) and geographically distributed, non-intrusive Network Sensors.
This flexible Next-Gen NAC architecture has a proven Cloud and On-Prem deployment track record, with solutions capable of fulfilling the needs of customers of different sizes (from SMBs to multiple existing Fortune 500 Genians customers), across different sectors and with different compliance needs (from basic network security with zero network configuration and no onsite IT infrastructure, up to the most demanding military agencies and high-tech companies).
In addition, Genians NAC is also offered as a cloud-based, MSP-ready solution in a NAC-as-a-Service model. This offering includes the same Next-Gen NAC capabilities and adds the key functions that MSP (Managed Service Provider) operators need in order to successfully provide NAC services to their own clients: Automated Maintenance; Unified Billing; Customization; Integration; Co-branding; MSP Customer Portal.
PacketFence supports only the traditional On-Premises deployment, with no Cloud deployment options available to customers (in fact, the Genians NAC flexibility and seamless experience between Cloud and On-Prem is not matched by most other competing commercial NAC solutions either). In addition, PacketFence does not provide any separation of NAC server roles between central management (e.g. Policy Server) and detection/enforcement (Network Sensor), resulting in very limited architecture setup options.
Inverse (the company that develops PacketFence) also offers a paid product called PacketFence Cloud, which is provided only to value-added resellers (VARs) and managed service providers (MSPs) so they can offer PacketFence NAC services to their customers.
PacketFence Cloud is not free and open source; it is licensed software that comes with professional services from Inverse. It is not offered as a service, and it requires third-party, independently managed cloud hosting from Amazon AWS, Microsoft Azure, Rackspace or others, resulting in increased costs and additional complexity.
Rather than being a ready-to-use MSP as-a-service product, it consists of paid software licenses and implementation and support services from Inverse, who will set up a multi-tenant NAC installation – with no additional MSP functionality out of the box (e.g. Automated Maintenance; Unified Billing; Customization; Integration; MSP Customer Portal).
NAC - Installation and Initial Setup
Genian NAC provides a unified installation for both Cloud-Managed and On-Premises deployments, so there is no confusion between editions. The Cloud Managed setup requires no additional user action at all for the policy server (just create an account on genians.com and start using it).
For the On-Prem deployment, a single optimized and hardened ISO appliance is used for all installation types (Policy Server or Network Sensor, either VM or physical), and the installation is complemented by an easy, guided initial setup of a few steps that makes the NAC solution production-ready in minutes.
The entire process actually comes down to two simple questions based on customer preference:
- Will the Policy Server be On-Prem or Cloud?
- Will the Policy Server and Sensor be Physical or Virtual?
Note: Genians NAC offers an instant free trial (no credit card required) at Genians.com for both Cloud and On-Prem deployment, and technical support via Slack is available as well. A full demo PoC of Genians NAC can be set up in less than an hour, and customers are able to fully test the Next-Gen NAC features, including full network visibility and enforcement, without making any network changes at all. Genians NAC trials include all production functions; if satisfied, customers can simply purchase and activate the license and continue using the product with no disruption.
PacketFence has multiple On-Premises installation procedures, with limited documentation describing the limitations and differences between each of them:
- An OVF VM template is available for VMware virtualization only, but it is not recommended for full functionality such as HA and scalability, which require modifications to the underlying Linux OS. It is intended mainly for labs or small production environments.
- An ISO edition of PacketFence is available and contains customizations intended to automate some tasks and guide the user through a full Debian OS installation and configuration, setup of some dependencies, and automated installation of PacketFence – but after the initial setup of the Linux OS, PacketFence and its dependencies will need to be maintained independently.
- PacketFence can be installed as a package on an existing Linux installation. This requires a full setup of RHEL 8.x (which mandates a separate paid RHEL subscription) or Debian 11. Linux sysadmin skills are required to set up the server OS and dependencies; the process is manual and runs into various issues depending on the environment. PacketFence requires disabling SELinux on RHEL or AppArmor on Debian, significantly lowering the security of the overall NAC solution (SELinux/AppArmor provide Linux's mandatory access control and kernel-level application confinement, so that a vulnerability or exploit in one package or application is isolated and does not affect the entire system or other applications).
The initial setup of the PacketFence application is a web-guided process, but it requires users to manually set up MySQL DB parameters (because manual access to the DB is needed for some functions) and also requires a mandatory external API integration (and third-party account registration) with Fingerbank.
Note: Setting up a PoC with PacketFence in order to test all functions requires a lot of effort, consisting of complex installation procedures with underlying Linux OS administration and tuning. Most importantly, a PacketFence PoC will demand multiple network architecture changes and device re-configurations in order to achieve even the minimal must-have network visibility and NAC enforcement capabilities for testing and evaluation.
NAC - High Availability and Scalability
Genians NAC provides a native high availability and scalability design for both Cloud and On-Premises deployments.
- In the Cloud Managed deployment, the solution is ready for scalability and HA with no additional effort required, and geo-distributed Network Sensors can be easily installed and scaled as needed.
- For On-Prem deployments where the Policy Server is installed in the customer's data center, Active/Standby HA is offered for the central Policy Servers that orchestrate and manage the geo-distributed Network Sensors.
- Network Sensors support HA deployment for critical infrastructure, channel bonding to protect against network link or switch failures, and a fail-open option when required. They can be easily scaled out to support large and geographically distributed customers, with highly available central management and orchestration from either a Cloud or an On-Prem Policy Server.
PacketFence offers high availability in the form of manually clustering multiple nodes, and since there is no support for separating NAC functions (e.g. Policy Server and Network Sensors), all nodes need to be part of the same DB cluster.
To set up the cluster, PacketFence requires installing and configuring additional third-party dependencies in the Linux OS, manually configuring Linux networking, manually syncing configuration files, and a complex manual setup and maintenance of a MySQL/MariaDB Galera Cluster. The Galera database cluster is the key part of the PacketFence cluster, and it requires ongoing manual setup and maintenance, demanding Linux and DB admin skills over time.
PacketFence L2 clusters are preferred for HA within a single site only. To scale out geographically in a multi-site environment, an L3 cluster setup is possible, but it is very complex (as noted in the PacketFence documentation itself) and requires in-depth knowledge of Linux, MySQL, Galera, networking and how PacketFence works. There is a push for paid professional services from Inverse to set up these complex clusters, making it expensive to build and even more expensive and risky to maintain in production – even for simple customers with as few as 2-3 network locations.
NAC - Device Fingerprinting, Profiling And Network Visibility
Genians NAC offers highly effective device fingerprinting, profiling and network visibility with Next-Gen NAC capabilities.
With the built-in, industry-leading Genians Device Platform Intelligence (GDPI), Genians NAC natively delivers Layer 2 based network sensing with no network changes needed (plug-and-play fingerprinting), and real-time data via various active and passive detection methods performed by the Network Sensors.
Genians Device Platform Intelligence receives regular Platform Database updates weekly or monthly; it delivers full visibility into IT/OT convergence, including IoT, ICS and SCADA, and manages the entire lifecycle of all IP-enabled devices via correlation of:
- Accurate detection of the device platform (e.g. not just “Android phone” as most NACs do, but the detailed “Samsung Galaxy S21 mobile phone”) and granular, accurate categorization of node type
- Contextual access information (Who, What, Where, When, How)
- Business context related to the device (e.g. EOL, EOS, Manufacturer Info)
- Common Vulnerabilities and Exposures (CVE) for each detected device
Node type and other profiling data can be used to deploy accurate network access policies for the ever-growing population of BYOD and IoT/OT devices, in addition to traditional IT devices.
Genians Device Platform Intelligence (GDPI), as an integral built-in part, provides a next-generation NAC capability required by businesses in today's IoT and BYOD era; a functionality that outperforms not only Open-Source alternatives but is hard to match for other competing commercial NAC solutions.
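The following is an added example, not Genians' or PacketFence's code, of how the correlated profiling data listed above (detailed platform, node type, EOL status, known CVEs and user context) can drive an access decision. The record layout, the OT node types, the CVE threshold and the sample devices are constructed assumptions for illustration; the CVE identifiers are placeholders, not real advisories.

```python
"""Added example (not Genians' or PacketFence's code): deriving a network
access decision from device-profiling data.

Assumptions, made for illustration only: the NodeProfile fields, the OT node
types, the CVE threshold and the sample devices below are all constructed.
CVE identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class NodeProfile:
    mac: str
    ip: str
    platform: str                 # detailed platform, e.g. "Samsung Galaxy S21"
    node_type: str                # granular category, e.g. "Mobile Phone", "PLC"
    manufacturer: str
    eol: Optional[date] = None    # end-of-life date from the platform database
    cves: List[str] = field(default_factory=list)
    user: Optional[str] = None    # "Who" context; None for headless devices
    location: str = ""            # "Where" context: reporting sensor / segment


# Decisions, from most to least restrictive.
QUARANTINE, RESTRICT, ALLOW = "quarantine", "restrict", "allow"

# Assumed OT/IoT categories that belong on a dedicated segment.
OT_NODE_TYPES = {"PLC", "IP Camera", "HMI"}

# Reference date used by the stand-alone run below (constructed).
TODAY = date(2024, 1, 1)


def decide(profile: NodeProfile, today: date, max_cves: int = 3) -> Tuple[str, str]:
    """Return (decision, reason) for one profiled node.

    Rules are evaluated from the strictest outcome down. Unknown platforms are
    restricted rather than allowed, because an unprofiled device cannot be
    matched against any EOL or CVE data at all.
    """
    if profile.platform.lower() == "unknown":
        return RESTRICT, "unprofiled device: confine to onboarding segment"
    if profile.eol is not None and profile.eol <= today:
        return QUARANTINE, f"platform reached end of life on {profile.eol.isoformat()}"
    if len(profile.cves) > max_cves:
        return QUARANTINE, f"{len(profile.cves)} known CVEs exceed limit of {max_cves}"
    if profile.node_type in OT_NODE_TYPES:
        return RESTRICT, f"{profile.node_type} confined to OT segment"
    return ALLOW, "no policy violation"


def evaluate(profiles: List[NodeProfile], today: date) -> Dict[str, Tuple[str, str]]:
    """Evaluate every node and key the results by MAC address."""
    return {p.mac: decide(p, today) for p in profiles}


# Constructed sample inventory (all values are illustrative).
SAMPLE_NODES = [
    NodeProfile("aa:bb:cc:00:00:01", "10.0.1.10", "Samsung Galaxy S21", "Mobile Phone",
                "Samsung", user="alice"),
    NodeProfile("aa:bb:cc:00:00:02", "10.0.1.11", "Example Printer Model X", "Printer",
                "ExampleCorp", eol=date(2019, 6, 30)),
    NodeProfile("aa:bb:cc:00:00:03", "10.0.9.5", "Example PLC Series 1", "PLC",
                "ExampleAutomation"),
    NodeProfile("aa:bb:cc:00:00:04", "10.0.1.12", "unknown", "Unknown", "unknown"),
    NodeProfile("aa:bb:cc:00:00:05", "10.0.1.13", "Example Laptop", "Laptop", "ExampleCorp",
                cves=[f"CVE-PLACEHOLDER-{i}" for i in range(1, 6)], user="bob"),
]

if __name__ == "__main__":
    for mac, (decision, reason) in evaluate(SAMPLE_NODES, TODAY).items():
        print(f"{mac}  {decision:<10} {reason}")
```

The ordering of the rules is the point: an EOL platform or a device with too many unpatched CVEs is quarantined regardless of who is logged in, while a device that could not be profiled at all is held on an onboarding segment instead of being trusted by default.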
PacketFence offers very limited device fingerprinting, profiling and visibility.
The fingerprinting methods are limited and intrusive, as they require complex network configurations and changes in order to collect information about devices, because PacketFence cannot detect network devices out of the box (as Genians NAC does via L2 sensing technology with distributed Network Sensors).
Even after setting up the network to forward the collected information to PacketFence, the information cannot be correlated and used directly by PacketFence; it relies on an external third-party integration with Fingerbank via API.
The fingerprint correlation and device profiling results are limited (e.g. a device is shown as an “Android phone”, but it cannot tell that it is a “Samsung Galaxy S21 mobile phone”), and a considerable number of devices are not profiled correctly. This makes PacketFence device detection and profiling unreliable as an accurate network visibility tool or as a basis for clear NAC policy decisions and actions, leaving a very large gap in IoT/OT device coverage.
NAC - Wireless LAN Visibility and Monitoring
Genians NAC provides a comprehensive distributed Wireless LAN detection and monitoring capability, delivered through network sensors and agents, without requiring any extra network changes or configuration. This delivers state-of-the-art WLAN visibility and monitoring consisting of:
- Detection and monitoring of SSIDs by Wireless Network Sensor or Agent, providing information such as the number of connections, status (up/down), SSID name, MAC address, AP manufacturer, encryption method, protocol, channel and signal strength
- Discover all connected wireless devices per SSIDs
- Discover where SSIDs are located
- Detect APs connected to corporate networks
- Provide a list of stations connected to the Access Point and identify which stations are known on the internal network
- Discover the physical location of AP/SSIDs
- Rogue AP Detection identifies any Access Points not acknowledged by network administrators
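The following is an added example, not Genians' code, showing the detection logic behind the bullets above: observed SSID records from several sensors are checked against the administrators' authorized AP inventory, an AP that is also seen on the wired network is flagged as plugged into the corporate network, connected stations are matched against known internal endpoints, and the sensor with the strongest signal is taken as the AP's approximate location. The record layout, inventories and all sample values are constructed assumptions.

```python
"""Added example (not Genians' code): rogue access point detection over
observations reported by wireless sensors and agents.

Assumptions, made for illustration only: the ObservedAP layout, the
authorized AP inventory, the MACs seen on the wired network and every sample
value below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class ObservedAP:
    bssid: str                 # AP radio MAC as seen over the air
    ssid: str
    channel: int
    encryption: str            # e.g. "WPA2", "WPA3", "OPEN"
    signal_dbm: int            # stronger (closer to 0) means nearer the sensor
    sensor: str                # reporting sensor/agent
    stations: List[str] = field(default_factory=list)   # client MACs seen on this AP


def norm(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC for set membership tests."""
    return mac.strip().lower().replace("-", ":")


def classify(observed: Iterable[ObservedAP], authorized_bssids: Set[str],
             wired_macs: Set[str], internal_stations: Set[str]) -> Dict[str, dict]:
    """Classify each observed AP (keyed by BSSID).

    rogue          : BSSID not acknowledged in the administrators' inventory
                     (a rogue reusing the corporate SSID name is still a rogue)
    on_corp_net    : the AP's MAC was also seen on the wired network, i.e. it is
                     plugged into a corporate switch rather than a neighbour's
    known_stations : clients on the AP that are known internal endpoints
    severity       : high = rogue on the corporate network; medium = rogue that
                     internal endpoints connect to; low = other rogue; none = authorized
    """
    auth = {norm(m) for m in authorized_bssids}
    wired = {norm(m) for m in wired_macs}
    internal = {norm(m) for m in internal_stations}
    report: Dict[str, dict] = {}
    for ap in observed:
        bssid = norm(ap.bssid)
        known = {s for s in map(norm, ap.stations) if s in internal}
        entry = report.get(bssid)
        if entry is None:
            entry = report[bssid] = {
                "ssid": ap.ssid, "channel": ap.channel, "encryption": ap.encryption,
                "signal_dbm": ap.signal_dbm, "location": ap.sensor,
                "rogue": bssid not in auth, "on_corp_net": bssid in wired,
                "known_stations": set(),
            }
        # Merge sightings from several sensors: strongest signal wins as location.
        entry["known_stations"] |= known
        if ap.signal_dbm > entry["signal_dbm"]:
            entry["signal_dbm"], entry["location"] = ap.signal_dbm, ap.sensor
    for entry in report.values():
        entry["known_stations"] = sorted(entry["known_stations"])
        if not entry["rogue"]:
            entry["severity"] = "none"
        elif entry["on_corp_net"]:
            entry["severity"] = "high"
        elif entry["known_stations"]:
            entry["severity"] = "medium"
        else:
            entry["severity"] = "low"
    return report


def rogues(report: Dict[str, dict]) -> List[str]:
    """BSSIDs of rogue APs, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((b for b, e in report.items() if e["rogue"]),
                  key=lambda b: (rank[report[b]["severity"]], b))


# Constructed sample data.
AUTHORIZED = {"00:11:22:aa:aa:01", "00:11:22:aa:aa:02"}
WIRED_MACS = {"00:11:22:aa:aa:01", "00:11:22:aa:aa:02", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:07"}
INTERNAL_STATIONS = {"aa:bb:cc:00:00:07", "aa:bb:cc:00:00:08"}
OBSERVED = [
    ObservedAP("00:11:22:AA:AA:01", "corp-wifi", 36, "WPA3", -48, "sensor-floor1", ["aa:bb:cc:00:00:07"]),
    ObservedAP("DE:AD:BE:EF:00:01", "corp-wifi", 6, "OPEN", -70, "sensor-floor2", []),
    ObservedAP("DE:AD:BE:EF:00:01", "corp-wifi", 6, "OPEN", -55, "sensor-floor1", ["aa:bb:cc:00:00:08"]),
    ObservedAP("de:ad:be:ef:00:02", "PersonalHotspot", 11, "WPA2", -60, "sensor-floor2", ["aa:bb:cc:00:00:08"]),
    ObservedAP("de:ad:be:ef:00:03", "NeighbourCafe", 1, "WPA2", -80, "sensor-floor2", ["11:22:33:44:55:66"]),
]

if __name__ == "__main__":
    rep = classify(OBSERVED, AUTHORIZED, WIRED_MACS, INTERNAL_STATIONS)
    for b in rogues(rep):
        e = rep[b]
        print(f"{b} {e['ssid']:<16} {e['severity']:<6} near {e['location']} stations={e['known_stations']}")
```

The severity split matters operationally: a rogue whose MAC also shows up on a switch port is a wired bridge into the corporate network and is the one to act on first, a personal hotspot that internal laptops are joining is a data-exfiltration path, and a neighbour's AP is merely noise to record.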
NAC - Network Policy Enforcement
Genians NAC offers an industry-leading, zero-touch, non-intrusive and highly efficient enterprise-ready Layer 2 ARP Enforcement (using the Network Sensor). No network or endpoint changes are required with this technology – offering the best zero-touch Next Generation NAC enforcement method and completely reshaping the deployment limitations, obstacles and challenges faced by businesses worldwide in the NAC industry.
A fully functional Genians NAC enforcement solution can be achieved within minutes to hours, instead of the lengthy process of days or weeks (sometimes months for large customers) required to implement the costly and complex network and endpoint changes and re-configuration required by PacketFence or other legacy commercial NAC solutions.
While the ARP enforcement method is recommended and promoted based on its advantages, Genians NAC offers an extensive set of industry-standard NAC policy enforcement capabilities – meeting the needs of even the most challenging and demanding customer environments:
- Built-in RADIUS server (802.1x)
- Layer 3: TCP reset (using Mirror/Span)
- Inline enforcing
- SNMP enforcing for switch port control
- Captive portal WebAuth for the user and guest authentication and onboarding
- Built-in DHCP server (more secure than DNS)
- Agent Enforcement (this comes with additional control, visibility, and endpoint management capabilities)
For customers who require full control over corporate endpoints, the Genians NAC Agent is provided for Windows, macOS and Linux. With the Agent deployed, Genians NAC can not only enforce very advanced and granular network access policies, but is also capable of managing all desktop configurations, applications, OS updates, peripheral devices, wireless connections and more, delivering the capability to standardize the configuration of corporate-owned devices automatically and control them remotely.
PacketFence has no support for zero-touch, non-intrusive enforcement. Instead, PacketFence relies only on legacy enforcement methods that require intensive network and/or endpoint changes and reconfiguration:
- Built-in RADIUS server (802.1x)
- Inline enforcing
- SNMP enforcing for switch port control
- Captive portal WebAuth for user and guest authentication and onboarding
- DNS (highlighted as easily bypassable by average users simply by changing their DNS settings)
PacketFence has no built-in support for enforcement via a managed agent or any other control capability over corporate-owned devices. A limited PacketFence agent is available only for WiFi connection provisioning: it sets up WiFi connection profiles (SSID profile and parameters) but does not provide any user authentication, NAC policy enforcement or control of the devices.
NAC - Log Management and Reporting
NAC - IT Security Automation
Genian NAC integrates with a wide range of IT security and business solutions (Firewall, VPN, IDS/IPS, VM, MDM, SIEM, APT, DLP, CRM/ERP, etc.) to ensure unified policy enforcement. Genian NAC supports custom integration using Webhook, REST API and Syslog, making it capable of both transmitting and receiving contextual security data.
The following are some of the main IT security automation capabilities and integrations of Genians NAC that contribute to an end-to-end cybersecurity framework with user/device context awareness, which can be generated and enforced only by a NAC.
- Perimeter Security System (Next-Gen Firewall)
  - Give: IP-User information for user-aware policy
  - Take: receive infected endpoint IP or MAC, then quarantine it
- Threat Detection System (SIEM, ATP, VA, EDR)
  - Give: IP information (user, history, platform)
  - Take: receive infected endpoint IP or MAC, then quarantine it
- Enterprise Mobility Management
  - Give: new device information
  - Take: block mobile devices if the EMM agent is not installed
PacketFence has limited support for transmitting and receiving data to and from external systems in order to achieve full IT security automation.
- PacketFence is able to give IP-User information for user-aware policy to NG Firewalls, but cannot take infected endpoint IPs or MACs from the NG Firewall and automatically quarantine them.
- PacketFence provides a limited set of integration capabilities for Intrusion Detection Systems, relying on the regex Syslog parser only. The integration is manual, requires development effort, and supports only a short list of open-source or commercial IDS systems, with no support or documentation for integration with industry-leading security vendors.
- PacketFence offers limited integration with EMM: it is able to block a device if the EMM agent is not installed, but it cannot give new device information to the EMM.
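The following is an added example, not Genians' or PacketFence's code, covering both the Give/Take exchange described for Genians NAC above and the regex-based Syslog parsing that the PacketFence IDS integration relies on. The "Take" side parses IDS alerts received over syslog with a regular expression and turns them into quarantine actions keyed by the endpoint's MAC from the NAC's node table; the "Give" side exports the IP-to-user mapping a user-aware firewall policy needs. The alert line shape is a constructed Snort-style fast-alert format, not any vendor's exact format, and the managed prefix, node table and log lines are constructed sample data.

```python
"""Added example (not Genians' or PacketFence's code): the "Take" side of an
IDS/SIEM integration (regex syslog parser -> quarantine action) and the "Give"
side (IP-to-user records for a user-aware firewall policy).

Assumptions, made for illustration only: the alert format is a constructed
Snort-style fast-alert shape, and the managed network, node table and log
lines are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# One regex covers the constructed alert shape:
#   [gid:sid:rev] <message> [Priority: N] {PROTO} SRC[:port] -> DST[:port]
ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.+?)\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def parse_alert(line: str) -> Optional[dict]:
    """Extract the fields of one IDS alert; None for non-alert syslog lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def plan_actions(lines: Iterable[str], managed_net: str,
                 node_table: Dict[str, dict], max_priority: int = 2) -> List[dict]:
    """Decide what the NAC should do with each alert.

    Quarantine only when the alert's *source* is a managed endpoint (an
    infected host talking out) and the priority is severe enough. Inbound
    alerts name an external source, so the internal target is logged rather
    than cut off; quarantining the victim of a scan would be self-inflicted DoS.
    A managed host missing from the node table still gets an IP-only quarantine.
    """
    net = ipaddress.ip_network(managed_net)
    actions: List[dict] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        reason = f"{alert['sid']} {alert['msg']} (priority {alert['prio']})"
        src_is_managed = ipaddress.ip_address(alert["src"]) in net
        if src_is_managed and alert["prio"] <= max_priority:
            node = node_table.get(alert["src"], {})
            actions.append({"action": "quarantine", "ip": alert["src"],
                            "mac": node.get("mac"), "reason": reason})
        else:
            actions.append({"action": "log", "ip": alert["src"], "dst": alert["dst"],
                            "reason": reason})
    return actions


def ip_user_mapping(node_table: Dict[str, dict]) -> List[dict]:
    """'Give' side: IP-to-user records for a user-aware firewall policy.

    Headless devices (no user) are left out; the firewall keys policy on users.
    """
    return [{"ip": ip, "user": node["user"]}
            for ip, node in sorted(node_table.items()) if node.get("user")]


# Constructed NAC node table: IP -> MAC and authenticated user.
NODE_TABLE = {
    "10.0.5.23": {"mac": "aa:bb:cc:00:00:23", "user": "alice"},
    "10.0.5.40": {"mac": "aa:bb:cc:00:00:40", "user": None},   # headless printer
}

# Constructed syslog lines as an IDS would forward them.
SAMPLE_LOG = [
    "Jan 10 12:00:01 sensor01 ids: [1:2000001:5] CONSTRUCTED-SIG malware beacon [Priority: 1] {TCP} 10.0.5.23:49152 -> 203.0.113.10:443",
    "Jan 10 12:00:02 sensor01 ids: [1:2000002:1] CONSTRUCTED-SIG policy violation [Priority: 3] {UDP} 10.0.5.40:5353 -> 224.0.0.251:5353",
    "Jan 10 12:00:03 sensor01 sshd: Accepted publickey for alice from 10.0.5.9",
    "Jan 10 12:00:04 sensor01 ids: [1:2000003:2] CONSTRUCTED-SIG port scan [Priority: 2] {TCP} 198.51.100.7:40000 -> 10.0.5.23:22",
    "Jan 10 12:00:05 sensor01 ids: [1:2000004:1] CONSTRUCTED-SIG c2 callback [Priority: 2] {TCP} 10.0.5.77:51000 -> 198.51.100.9:8443",
]

if __name__ == "__main__":
    for action in plan_actions(SAMPLE_LOG, "10.0.5.0/24", NODE_TABLE):
        print(action)
    print(ip_user_mapping(NODE_TABLE))
```

The direction check is the part a practitioner most often gets wrong: an alert whose source is outside the managed prefix describes an attacker, not an infected endpoint, so it is recorded for the SIEM but does not trigger a quarantine of the internal host named as the destination.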
NAC - Administration, Maintenance, and Support
Genians NAC provides a state-of-the-art, intuitive and easy-to-use web-based administration that enables customers to easily set up, administer and maintain even the most challenging NAC features and functions.
The entire administration is handled from a single UI, either in the Cloud or On-Premises (the same identical UI, features and seamless user experience). This is the result of nearly two decades of continued R&D at Genians, aiming to bring the most advanced NAC functions and capabilities, including support for tomorrow's ZT-NAC, packaged in a solution that is easy for customers to deploy and manage.
All of this is backed by 24/7 technical support via Slack, where Genians engineers and experts assist customers directly and in person, with no long waiting times on the phone or unhelpful exchanges with automated chat bots.
PacketFence comes with a convenient web-based administration, but setting up advanced features and functions can become complex and often requires Linux OS administration tasks on the CLI and the development of custom scripts for advanced settings and integrations not available in the Web UI. PacketFence requires full support of the independent underlying Linux OS and its dependencies, in addition to support of the PacketFence application itself.
PacketFence is a free and open-source product, but its development is maintained by Inverse (a commercial company) and community support is very limited. Most of the time community feedback goes unanswered, and it is very hard to find fixes even for average configuration issues, while running into a bug or a major functionality/compatibility issue would prove very risky for businesses depending on PacketFence.
As noted on the PacketFence website and in its documentation, configuration and maintenance of the product can become very complex, and to handle this they recommend the paid commercial support service from Inverse (the company behind the development of PacketFence).
NAC - TCO and Investment Protection
Genians NAC offers a leading Next Generation NAC solution with an extended set of cutting-edge features and functionality, such as plug-and-play Layer 2 network sensing and fully non-intrusive enforcement technology. All features are delivered as a seamless Cloud or On-Premises NAC solution, with a geo-distributed and scalable deployment and a flexible, simplified licensing model: pay as you grow, with no hidden costs. Yes, Genian NAC only counts the number of ACTIVE devices currently up and running in the network. Nothing else – no hidden cost based on e.g. network size, number of sensors, high availability, cloud hosting, etc. Customers can simply choose between full OPEX via subscription for Cloud or On-Prem deployment, or CAPEX with perpetual licenses for On-Prem. Genian NAC's transparent offerings are affordable for SMBs and startups with limited budgets and can scale to meet the needs of large Fortune 500 companies without adding extra hidden costs down the road.
Packed with Next-Gen NAC security features and Cloud-first deployment options, Genians overcomes the limitations of current and legacy NAC technologies, preparing companies for a real Next-Gen cybersecurity roadmap and meeting the NAC needs of companies worldwide, covering today's mandatory requirements and being fully ready for tomorrow's cybersecurity challenges.
The outstanding technical advantage of Genians Next-Gen NAC (which cannot be matched by Open-Source alternatives or competing commercial NACs) is combined with a fully transparent and flexible pay-as-you-grow licensing model with reduced TCO and no hidden costs, providing customers with maximal investment protection and assurance for today's needs and the business's future – from SMBs to large corporates. Genians backs this with a 17+ year background as a leading IT security company with continued R&D and over 2,400 satisfied customers, ranging from SMBs to various large Fortune 500 companies and demanding government and military organizations!
PacketFence is known as one of the main free and open-source alternatives for Network Access Control (NAC), yet the product is not developed by a community but by the commercial company Inverse, which provides paid consulting and integration services for it.
PacketFence provides only legacy NAC functionality and detection/enforcement methods that demand complex, intensive and costly network changes, making it very difficult to fit most real-life business needs. The complexity of setting up PacketFence is clearly emphasized on their website and in their documentation, where they recommend purchasing paid consulting and support services from Inverse (the company that develops it), bearing an unknown cost implication that risks being unpredictable over time.
Based on a limited legacy NAC detection/enforcement method, a limited On-Prem-only complex setup with no geo-distributed scalability, a lack of Next-Gen NAC abilities, and the very likely need for paid services from Inverse bearing hidden costs, PacketFence can have a varying and unpredictable TCO and high long-term risks. Not being capable of delivering any Next-Gen NAC functions makes PacketFence an unreliable investment for corporates and SMBs!
The product development and future roadmap depend on Inverse, which provides consulting and support services for the complex PacketFence NAC, introducing unpredictable cost implications and a high risk of vendor lock-in for ongoing support and custom development needs.