Agentless NAC

Mirage enables you to control who gains admission to the network, ensuring that uninvited, infected, and out-of-policy endpoints are never allowed to access and harm the network. Our agentless Network Access Control technology performs risk assessment on all endpoints – regardless of IP device type or OS, irrespective of whether an endpoint is managed or unmanaged.

As soon as a device attempts to gain access to the network, Mirage immediately identifies the endpoint and runs a quick, effective policy check to determine if the device is infected with damaging threats and whether it complies with the security policies in the network segment that it is trying to join. To verify the identity of users and ensure that uninvited devices don’t gain network access, Mirage authenticates users by checking common credential stores, such as RADIUS and Active Directory.

Before granting network access, Mirage determines the device type of the endpoint; whether it is known or unknown; its past policy compliance and threat history; whether it is entering via a wired or wireless connection; and what services are currently running – such as instant messaging, file transfer protocol services, or peer-to-peer networking. A resulting risk profile is then used to evaluate whether to admit the endpoint to the network, to require it to register on the network, to send it to a designated quarantine server for remediation, or to trigger a combination of additional security checks.

For specific network segments, Mirage can be configured to run policy scans that assess risk factors, such as antivirus version, signature update levels, OS patch levels, and the absence or presence of spyware and firewall software. In addition to on-entry scans during network admission, devices can be re-checked throughout their lifecycle on the network. Mirage’s Network Access Control technology is also easily integrated with third-party solutions like Foundstone and Qualys for deeper vulnerability scan capabilities.

Going a step beyond identifying a device’s threat posture, Mirage’s admission checks can also be used to identify and immediately block access for high-risk devices, like rogue endpoints and rogue wireless access points. This feature offers another level of Endpoint Control, enabling you to establish an admission policy once and then rest assured that the Mirage appliance is actively enforcing it.

Virtually Inline

Mirage appliances physically deploy out-of-band. However, Mirage is the only out-of-band appliance that detects endpoints and enforces NAC policies with no reliance on other parts of the infrastructure. When an endpoint is out of policy, the Mirage appliance steps virtually inline, surgically quarantining the endpoint directly.

Mirage surgically quarantines at-risk devices using patented ARP management techniques. This means you can enforce policies without VLAN re-architecture, without risky dynamic ACL implementations, and without relying on inherently insecure protocols like SNMP or Telnet to affect switch port access. Mirage provides inline protection without introducing the latency, single points of failure, or deployment complexities of inline devices. It is this distinction and the patented Mirage technology that make Mirage’s quarantine superior to any other security product available.

Infrastructure-Independent

Mirage is committed to delivering a NAC solution that works in any network environment. Because we use patented discovery and enforcement techniques, Mirage NAC is a self-contained solution that does not rely on infrastructure components. Many NAC solutions require that SNMP be enabled on all switches, while others require Telnet access be provided for the NAC solution to dynamically change switch port configurations. Solutions with these or similar requirements not only pose additional security risk, but create huge overhead for deployment and management. They also are limited to functioning with a finite number of network device types, vendors, and operating systems.

Because Mirage NAC deals directly with the endpoints, and not with switches, routers or other devices in line with the endpoints, it works in any network.