Question

[Computer Network Security] Network Access Control (NAC)

Network Access Control—What was it made for? How does it work? What kind of techs does it use? What does it protect?

Answer #1

Network access control is the process of restricting the access to network resources by devices that are used by the end user. Network access controls implement a defined security policy for access which is supported by a network access server that performs the authentication and authorization. The server also restricts the data that each user can access, as well as the activities that can be performed by the end user once they gain access to the network.

How Network Access Controls Work

There are several different types of network access controls that perform different functions according to the needs of the organization and the level of security that is required for performing daily functions.

  • Agent-Based Network Access Control: An agent-based network access control operates through the endpoint device (user's device) which provides a higher level of security and ensures that the end-user is complying with security policies. The unit continually operates in the background of the device to monitor security compliance and then sends periodic updates to the policy server.
  • Agentless Network Access Control: An agentless network access control does not require any added installations. Instead, this type of network access control assesses compliancy on both endpoints before the user is allowed to access the network. The problem with this type of network access control is that authorization is provided through the assessment of network traffic. This makes the application easier to exploit to gain unauthorized access to the network system.
  • Hardware-Based Network Access Control: A hardware-based network access control works through an appliance that is installed on the network and functions in conjunction with the network traffic. This type of network access control requires changes in the infrastructure and operational practices to allow for defined access by the end user. Because implementation requires significant server configuration changes, the chances of failure are greater than other network access control systems.
  • Dynamic Network Access Control: Dynamic network access control is the easiest form of deployment for controlling access by end users. This is because the system does not require any software or hardware appliance installation or changes in the network configuration. Instead, a dynamic network access control works on specific computers that are connected to a local area network and are considered to be trusted systems. When an unauthorized user attempts to access the network, the trusted systems will restrict access and then communicate the action to the main policy server.

Why network access control?

Network access control systems are useful because they enable organizations to control the myriad of different endpoints connected to corporate networks, thereby helping to protect them from rogue and compromised devices. They do this by enforcing predefined policies, which require connected endpoints to meet prerequisites, such as a type of device or the presence of up-to-date patching and antivirus software.

While NAC products can be used by organizations of all sizes, they are most relevant to those that have a large number of employees with many different devices -- for example, mobile devices and laptops. In addition, NAC aids IT in the enormous challenge of securing network access when a company has many satellite offices. This challenge has become more difficult as IoT-enabled devices have started to become embedded in organizations on a much larger scale.

The importance of NAC integration

What is becoming increasingly important for organizations is that network access control systems seamlessly integrate with existing security infrastructure, especially security information and event management (SIEM), IPS, MDM, advanced threat detection services and next-generation firewalls (NGFW). NAC systems can use alerts generated by these integrated products to better react to changing network status.

Examples of this would be blocking all new device connections if an intrusion attempt is flagged, or blocking a single device based on its behavior -- e.g., the device is initiating port scans -- as well as blocking a device based on the information received; be it because a specific device is initiating attacks on the network or because it has been compromised. Recent integrations with vulnerability assessment and threat detection tools can block devices based on indicators of compromise, and can alert IT teams immediately to a potential intrusion or advanced persistent threat infection.

Most network access control systems can also integrate with Active Directory in order to control network access based on group policy, ensuring users only have the network access required to fulfill their jobs. For example, an organization wouldn't want a call center agent to have access to the human resources database, or for a contractor to have access to pension information.
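The admission logic the answer describes (alerts from integrated tools, endpoint prerequisites, then directory-group access) can be sketched as a small policy decision function. This is an added example, not part of the original answer or of any NAC product; the thresholds, group names, segment names and MAC addresses are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical policy values, chosen for illustration only.
MAX_PATCH_AGE_DAYS = 30
ALLOWED_DEVICE_TYPES = {"laptop", "mobile"}
GROUP_SEGMENTS = {"hr": "vlan-hr", "call-center": "vlan-voice",
                  "contractor": "vlan-guest"}

@dataclass
class Endpoint:
    mac: str
    device_type: str
    last_patched: date
    av_up_to_date: bool
    ad_group: str
    known: bool = False  # admitted before the current request

@dataclass
class NetworkState:
    intrusion_flagged: bool = False        # alert from an integrated IPS/SIEM
    flagged_macs: frozenset = frozenset()  # devices reported for scans or IoCs

def decide(ep, state, today):
    """Return (action, segment, reasons) for one access request."""
    # Alerts from integrated tools take precedence over posture checks.
    if ep.mac in state.flagged_macs:
        return ("block", None, ["device flagged by integrated detection"])
    if state.intrusion_flagged and not ep.known:
        return ("block", None, ["new connections suspended during alert"])
    # Prerequisites: device type, patch level, antivirus state.
    reasons = []
    if ep.device_type not in ALLOWED_DEVICE_TYPES:
        reasons.append("device type not permitted")
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches out of date")
    if not ep.av_up_to_date:
        reasons.append("antivirus out of date")
    if reasons:
        return ("deny", None, reasons)
    # Directory group decides which segment the user may reach.
    segment = GROUP_SEGMENTS.get(ep.ad_group)
    if segment is None:
        return ("deny", None, ["no access policy for directory group"])
    return ("allow", segment, [])
```

Returning the reasons alongside the action gives the policy server something to log and forward to a SIEM for each denied request.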
