Network Access Control

Network Access Control / NAC Definition

NAC is an appliance or virtual machine that controls devices access to the network. It began as a network authentication and authorization method for devices joining the network, which follows the IEEE 802.1x standards. The authentications methods involve three parties:

• The Client

• The Authenticator

• The Authenticator Server

The authenticator could be a network switch or a wireless access point that demarks the protected network from the unprotected network. The client provides credentials in the form of a Username and Password, Digital Certificate, or some other means, to the authenticator, which forwards these credentials to the server. Pending on the outcome of authentication, the authenticator will either block the device or allow it access to the network. Another method to control access to a network, especially a publicly available network, is a captive portal. If you've ever connected to a network in an airport or hotel, you might remember interacting with a web page that asked you to agree to legal terms before granting access.

NAC Evolution To BYOD & IoT & Guest Access

For a couple of reasons, BYOD and IoT devices introduced new security challenges. One, BYODs are personally owned, not assets of an organization. So, MIS does not control what runs on these devices, for example, antivirus software or unsafe applications. Two IoT devices are hardware with a sensor that transmit data from one place to another over the internet, dramatically expending the attack surface area. Organizations buy IoT enabled devices from other vendors, and these devices connect back to vendor networks to provide information about product use and maintenance needs. Organizations tolerate this situation because IoT devices save them time and money. For example, if a printer is low on toner, the vendor could notify the network administrator by email, or even deliver new toner cartridges automatically. While convenient, IoT and BYOD lack security. The variety of devices, the lack of standards, and the inability to secure these devices make them a potential conduit for contagion to enter the network. Many IoT devices lack the CPU cycles or memory to host authentication security software. They identify themselves using a shared secret or a unique serial number, which is inserted during manufacturing, But this authentication scheme is very limited. Should the secret become known, there is likely no way to reset it, and without the ability to install security software, there is little visibility into those devices. Fortunately, NAC evolved to solve these weaknesses.

MIS First Appearance In NAC

When MIS introduces NAC into a network, the first thing NAC does is create profiles of all connected devices. NAC then permits access to network resources based on the device's profile, which is defined by function. This is similar to granting individuals access to sensitive information based on their need to know. For example, NAC would permit an IP camera connection to a network recorder (NVR) server, but would prevent it from connecting to a finance server. Based on its profile, an NVR has no business communicating with a finance server. When access is granted this way, the network becomes segmented by device function. If a device is compromised, malware can infect only those objects that the device is permitted to connect to. So, the compromised IP camera from the earlier example could infect the NVR server, but not the finance server.

NAC limitations

While NAC proved highly effective at managing numerous unprotected devices, it had shortcomings over its evolution. Some NAC solutions were designed to help with BYOD onboarding in wireless networks, but performed badly in the wired portion of the network. Other solution were developed to work within a single vendor environment, but couldn't automatically profile third party devices. Some had good visibility into small, simple networks, but didn't scale well into large, distributed networks.

Modern NAC Development

Today, most NAC solutions have redressed these limitations. They have complete Visibility into the network and are better at categorizing devices automatically. They effectively perform in both Ethernet and wireless networks. Many NAC solutions have centralized architecture0 that improves control of devices across large and multi-site networks. Critically, NAC must also be integrated into the security framework, so that when a breach is detected, NAC automatically responds to notify the security operations center (SOC) and coordinates with other security devices to neutralize the threat.