Understanding Network Access Control
====================================

What is NAC?
------------

Network Access Control (NAC) starts by checking whether a device is permitted
to connect to a network. Based on this, a device may be allowed or denied
access. Such access control is typically provided through a technology known as
`802.1X`_, which provides three important functions called Authentication,
Authorization, and Accounting (AAA).

**Authentication**

Authentication is the process of verifying the identity of a user or device
connecting to the network. This is usually done through the end user entering a
username/password. In some cases a MAC address or a digital certificate may be
used for authentication instead.

**Authorization**

Authorization is the process of determining what network resources an
authenticated device can access. Depending on the type of authenticated device
or the group of identified users, access may be restricted by network, service,
and time.

**Accounting**

Accounting is a process that allows a device to keep records of network access
and use them for future billing or security purposes. This allows you to see who
used what device, when, where, and how. AAA has long been used as a basic
technology of network access control. Recently, due to security vulnerabilities
of network endpoints, it has become desirable to determine eligibility for
network access by the security compliance status of the endpoints. NAC solutions
allow administrators to set security compliance criteria other than usernames
and passwords, and to control access based on these varied criteria.

These different aspects of NAC can be divided conceptually into functions that
occur before the point of network connection, and after network connection.

**Pre-Connect**

Pre-Connect refers to operations performed before the endpoint is connected to
the network and normal communication is established. When an endpoint attempts
to connect to a network, the endpoint is identified and authenticated using
identity information such as a username / password / certificate / MAC address
provided by that endpoint. If this process does not confirm that the device is
authorized, the network connection will be denied. This process can be provided
via 802.1X through a device such as a switch or a wireless LAN access point, or
through ARP control.

**Post-Connect**

If the endpoint meets the requirements of the Pre-Connect phase, it will be
given access to the network with a certain level of authorization. From the
time of connection, the NAC continuously monitors the endpoint for compliance
with the policies set by the administrator. If and when a policy is violated,
the network privileges of the endpoint may be reduced or revoked to isolate the
endpoint. An agent can be used to monitor the state of the endpoint. The agent
monitors the status of the endpoint's hardware and software for compliance.
Upon a change, the NAC policy server is notified and network access can be
controlled if a violation has occurred.

The Evolution of NAC
--------------------

**First Generation**

The earliest generation of NAC is user and device authentication based on
802.1X protocols. If a device tried to connect to switch ports or wireless
access points, it was required to provide a username/password or certificate,
to be approved by a RADIUS server. This approach allowed or denied access at
the level of the switch port or the wireless access point. This method, while
effective, can be difficult to implement and is not compatible with all devices.

**Second Generation**

The second generation of NAC expanded to gathering information from network
devices through SNMP, or by using independent network sensor devices.
This generation also introduced access control methods in addition to 802.1X,
such as VLAN quarantining, ARP based control, and port mirroring. This era also
coincided with an increasing shift to wireless networking. To manage the
emerging vulnerabilities of WLANs like rogue access points, solutions like
network sensors, wireless controllers and endpoint agents were increasingly
utilized for visibility and control.

**Third Generation**

The third generation of NAC expanded into automation. Agents became able to
automatically configure endpoint devices to comply with security policy, and
enabled the creation of a cooperative security model through integration with
various systems. For example, a security system operating in the perimeter of
the network such as an IDS or firewall may be able to identify threats, but at
best, it can only block traffic that flows through it. Integrating with a NAC
provides the ability to quarantine malicious devices from the rest of the LAN.
A NAC can also share detailed endpoint and user information with other security
systems to enhance their functioning. These integrations commonly use
standardized protocols such as REST, Webhook, and Syslog.

**Fourth Generation**

The current generation of NAC aims to address the issues of reduced endpoint
visibility that have come along with the increasing prevalence of IoT and BYOD.
A main feature of this generation is an increasing move towards advanced device
fingerprinting for managing business concerns such as end-of-life or
end-of-support for assets, as well as automated management responses to known
and emerging vulnerabilities. Lastly, there is an increasing reliance on, and
integration with, cloud technologies, mirroring the increasing use of cloud
computing in fast-changing networking environments.

Problems Addressed By NAC
-------------------------

**Entry By Unauthorized Devices**

Networks that do not implement NAC may be accessed by any device that is
plugged into a switch port, or that connects to a wireless access point. Even if
password protection is enabled, a user may still log into the network with an
unapproved device. This carries a substantial risk of introducing malware into
the network. NAC can safeguard against these threats by denying access to
unapproved devices.

**Lack of Detailed IP Tracking**

Most security systems leave an IP address in the audit trail but may not
associate that IP with a user, or a device. This means that in environments
with changing IP addresses, it is difficult to determine which device or user
may be responsible for a security violation tied to an IP. NAC can keep track
of all the connected endpoints through continuous network monitoring, and can
provide various information about the endpoint that used the IP at a certain
point of time in the past.
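The point-in-time IP attribution described above, as an added example (not Genian NAC's own code): a lookup over constructed NAC connection records that answers which endpoint, user and switch port held an IP at a given instant, including the case where the same IP was reused by a second device later in the day. The record fields and sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union

@dataclass
class Lease:
    """One NAC connection record: who held which IP, from where, and when."""
    ip: str
    mac: str
    user: str
    switch_port: str
    connected: datetime
    disconnected: Optional[datetime]   # None = still connected

# Constructed sample records (not real data): 10.0.5.20 is handed to two
# different endpoints over the course of a day, which is exactly the case
# that an IP-only audit trail cannot untangle.
RECORDS: List[Lease] = [
    Lease("10.0.5.20", "00:11:22:33:44:55", "alice", "sw1/Gi1/0/3",
          datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 12, 30)),
    Lease("10.0.5.20", "66:77:88:99:aa:bb", "bob", "sw1/Gi1/0/7",
          datetime(2024, 3, 1, 13, 5), None),
    Lease("10.0.5.21", "cc:dd:ee:ff:00:11", "carol", "sw2/Gi1/0/1",
          datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 17, 0)),
]

def endpoint_for_ip(ip: str, at: Union[datetime, str],
                    records: List[Lease] = RECORDS) -> Optional[Lease]:
    """Return the record whose endpoint held `ip` at instant `at`, or None.

    A record matches when connected <= at and the endpoint had not yet
    disconnected (disconnected is None, or at < disconnected). `at` may be
    a datetime or an ISO 8601 string such as "2024-03-01 10:15".
    """
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    for rec in records:
        if rec.ip != ip or at < rec.connected:
            continue
        if rec.disconnected is None or at < rec.disconnected:
            return rec
    return None

def attribute_alert(ip: str, at: Union[datetime, str],
                    records: List[Lease] = RECORDS) -> str:
    """Turn an IP-only alert into an endpoint-attributed line for the analyst."""
    rec = endpoint_for_ip(ip, at, records)
    if rec is None:
        return f"{ip} at {at}: no endpoint on record (gap between leases?)"
    return f"{ip} at {at}: MAC {rec.mac}, user {rec.user}, port {rec.switch_port}"

if __name__ == "__main__":
    # Same IP, three times of day, three different answers.
    print(attribute_alert("10.0.5.20", "2024-03-01 10:15"))   # alice
    print(attribute_alert("10.0.5.20", "2024-03-01 15:45"))   # bob
    print(attribute_alert("10.0.5.20", "2024-03-01 12:45"))   # nobody on record
```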

**Disorganized Asset Management**

Today's IT environment is much more complex than in the past due to BYOD, IoT,
and so on. These conditions require thorough assessment in order to properly
manage assets and ensure compliance with regulatory standards. However, it is
difficult for administrators to accurately identify IT assets and check their
status at all times. To reduce administrative burden, NAC can provide endpoint
details such as the manufacturer, product name, name, location (switch port or
physical location), user name, network connection / disconnection time, etc.

**Poor WLAN Security**

As mobile devices such as smart phones spread into business environments, they
expand the usage of wireless LAN. In many networks, a shared password is used.
Shared passwords are easily exposed, and their use is difficult to trace because
they cannot be linked to a specific user. The company's shared password
should, in principle, be changed if an employee who knows the password leaves
the company. However, this is not an easy change to manage. To solve this
problem, an 802.1X system is required to allow authentication using a personal
password when accessing a wireless LAN. By default, NAC supports 802.1X,
allowing for better wireless security.

**Unauthorized Access Points**

As the network technology develops, the user endpoints can access various types
of external networks in addition to the network provided by the company to
which the user belongs. Problems such as leakage of internal data may be caused
if a user connected to the internal network creates an access point on their
device that is available to outside entities. Data leaks may also occur if a
device with sensitive data connects to a public network. NAC monitors Wi-Fi
networks that can be accessed from inside the company, and manages and controls
which users are connected. Therefore both rogue access points and the use of
non-corporate networks can be identified and blocked.

**Non-Compliant Endpoints**

To solve security problems, administrators require employees to set up
essential software or operating system settings, or may prohibit use of certain
programs. However, security incidents are constantly occurring because not all
users' endpoints meet their requirements. NAC continuously monitors the
essential settings, such as antivirus software and screen savers, to ensure
that they are properly complied with, allowing non-compliant devices to be
blocked/quarantined, and fixed in case of violation.

**Insecure Operating Systems**

The most important thing for endpoint security is applying the latest security
patches. NAC continuously monitors the endpoint and isolates unpatched
endpoints from the network. This is different from typical endpoint management
software, in that the control operates at the network level that the endpoint
has reached. Through network control, administrators can enforce strong
rules that users cannot bypass.

The Difference Between NAC and Firewall
---------------------------------------

Users who are not familiar with NAC technology often confuse its role with that
of a firewall. Because of the generality of the term Network Access Control, it
is easy to think of a firewall as a product with the same function. However, the
two products have the following major differences.

**Endpoint vs. Network focused**

A firewall is generally deployed between two or more networks to provide access
control for communication between those networks, while NAC controls
communication between endpoints within a network. For example, NAC can control
a file share between two PCs on the same subnet, while the firewall generally
does not.

**Dynamic vs. Static policies**

Firewall policies are usually made from objects such as the source and
destination addresses and ports, known as the 5-tuple. Recently,
next-generation firewalls have begun to provide control through additional
objects, such as users. In NAC, devices are organized into groups by multiple
criteria. As a device's behavior and attributes change, the group the device is
placed into changes. Each of the groups can be linked to a security policy with
a certain level of network privilege. For example, an endpoint that is not
running an antivirus can be identified in real time and quarantined on the
network.

**Internal vs. External networking**

A firewall generally controls traffic by blocking non-compliant traffic coming
into and out of a network, and generally works off simple rule sets. NAC acts
on the endpoints themselves to control traffic between devices within the
network in a more flexible fashion.

NAC and firewall solutions play complementary roles by addressing different
aspects of network control.

Steps to Implement NAC
----------------------

**Gain Visibility**

The ultimate goal of NAC is to control and manage the use of non-compliant
end-user devices that connect to the network. For this purpose, however, it is
very difficult to immediately apply control functions to the network. For
example, when setting up 802.1X, it is often unclear whether all networking
devices and endpoints are compatible. Additionally, it is not obvious how to
collect the information needed to let devices that cannot use 802.1X bypass it.
A proper setup for 802.1X requires visibility. However, 802.1X does not provide
visibility until it is fully implemented and controlling connections.

Additional strategies must be used to gain endpoint visibility such as IP, MAC,
platform type / name / manufacturer, host name, connection switch / port,
connection SSID, service port, and operation status. Agents and other means can
help establish this visibility.

**Classify Endpoints**

Once the visibility is secured, a security policy should be established. The
first step is to classify the endpoints based on the collected data to
determine which groups require control. The classification of endpoints ideally
groups endpoints in a way relevant to the IT manager's daily tasks or that
indicates compliance status with organizational security rules.

**Control Access**

The methods of control should be applicable in a variety of ways, depending on
the network environment or the status of the device. Technologies such as
802.1X, ARP, SNMP switch control, SPAN, and agents may be used, as well as
integrations with other security systems. The first consideration in the access
control phase is the user's authentication. With identification being an
important task, it is generally recommended that the user database be aligned
with the existing authentication system in use at the deployment site. LDAP
integrations, such as Microsoft Active Directory, or enterprise services such as
Google G-Suite, Office 365, email, and even an RDBMS, are common options. The
next step is to provide role-based access control based on the nature of the
device or the authenticated user. These attributes may be used to allocate VLANs
or block connections, so that, for example, different user departments have
different access rights when authenticating from devices or using network
resources.

If a user tries to access resources that have been restricted, they can be
redirected to a captive web portal. This portal may be customized so that the
user can know which policy they are in violation of, and in turn how to become
compliant.

**IT Security Automation**

Automation is the automatic application of security standards set by the
administrator, such as operating system/software updates and settings,
installation and operation of essential software, etc. This allows for devices
that may violate a policy to be brought to a compliant status before network
privileges are revoked. For example, a non-compliant device may be identified
by the agent and automatically corrected, without the intervention of an
administrator.

For more detailed deployment practices and considerations, see
:doc:`/deploying/deployment-models`.
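The classify, control and re-evaluate loop described in the steps above (and the dynamic grouping contrasted with static firewall rules earlier), as an added example that is not Genian NAC's own code: endpoints are matched against an ordered list of groups, each group carries an enforcement action, and an agent-reported attribute change moves the device to a different group. The group names, VLAN IDs, attribute names and the 30-day patch threshold are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Endpoint:
    mac: str
    platform: str                 # from device fingerprinting
    user: Optional[str] = None    # None until 802.1X / portal authentication
    department: Optional[str] = None
    attrs: Dict[str, object] = field(default_factory=dict)  # agent-reported state

@dataclass
class Group:
    name: str
    match: Callable[[Endpoint], bool]
    action: str                   # "portal", "quarantine" or "vlan:<id>"

# Ordered rule set, first match wins: agentless IoT gets its own VLAN by
# fingerprint, then identity and compliance failures are caught before any
# role-based VLAN assignment the same endpoint would otherwise satisfy.
POLICY: List[Group] = [
    Group("iot-camera",      lambda e: e.platform == "IP Camera",               "vlan:300"),
    Group("unauthenticated", lambda e: e.user is None,                           "portal"),
    Group("no-antivirus",    lambda e: not e.attrs.get("av_running", False),     "quarantine"),
    Group("unpatched",       lambda e: e.attrs.get("days_since_patch", 999) > 30, "quarantine"),
    Group("finance",         lambda e: e.department == "finance",               "vlan:110"),
    Group("staff",           lambda e: True,                                     "vlan:100"),
]

def classify(ep: Endpoint, policy: List[Group] = POLICY) -> Group:
    """Return the first group whose condition the endpoint currently satisfies."""
    for grp in policy:
        if grp.match(ep):
            return grp
    return Group("default", lambda e: True, "quarantine")   # deny by default

def decide(ep: Endpoint) -> str:
    """Enforcement action for the endpoint's present state, e.g. 'vlan:110'."""
    return classify(ep).action

def on_attribute_change(ep: Endpoint, **changes) -> str:
    """Post-Connect loop: the agent reports a change and the device is re-grouped."""
    ep.attrs.update(changes)
    return decide(ep)

# Constructed endpoints (not real devices).
laptop = Endpoint("00:11:22:33:44:55", "Windows", user="alice", department="finance",
                  attrs={"av_running": True, "days_since_patch": 3})
camera = Endpoint("66:77:88:99:aa:bb", "IP Camera")
guest  = Endpoint("cc:dd:ee:ff:00:11", "macOS")

if __name__ == "__main__":
    print(decide(laptop), decide(camera), decide(guest))    # vlan:110 vlan:300 portal
    print(on_attribute_change(laptop, av_running=False))    # quarantine
    print(on_attribute_change(laptop, av_running=True))     # vlan:110
```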

Features of Genian NAC
----------------------

- 4th Generation NAC
    Genian NAC is the flagship product of 4th Generation NAC, providing
    advanced visibility through network sensors, without the need for
    infrastructure changes. The information discovered can be used to
    dynamically group endpoints by over 500 criteria in real time. Flexible
    configuration options make it quick and easy to deploy.

- Advanced Sensor Based Visibility
    Genian NAC uses network sensors that connect directly to the broadcast
    domains of each network, minimizing interworking with existing IT
    infrastructures, even working well in legacy networks. This approach allows
    for visibility of Broadcast (ARP, DHCP, UPnP, mDNS) and Multicast traffic
    on each subnet.

- Advanced Endpoint Platform Information
    `Device Platform Intelligence`_ makes it easy for IT managers to perform
    daily management tasks by providing detailed endpoint information such as:
    End-of-Sale, End-of-Support, network connection method, manufacturer
    bankruptcy, manufacturer merger, country of manufacture, list of published
    vulnerabilities, etc.

- Multiple Access Control Methods
    Genian NAC provides the broadest set of access control methods compared to
    other NAC products. These include: ARP control, DHCP server, switch
    control, SPAN based control, agent based control, and 802.1X. This makes it
    easy to establish comprehensive security. (See:
    :doc:`controlling/enforcement-methods`)

- Diverse Security Automation Functions
    The Genian NAC agent makes it easy to manage endpoint operating systems,
    software, and hardware, in addition to collecting detailed information and
    providing other services.

- Enhanced WLAN Security
    Genian NAC collects wireless information through network sensors and agents
    to deliver security functions such as rogue AP detection, unauthorized
    wireless LAN connection monitoring/control, and blocking of soft APs.

- Excellent Interoperability
    :doc:`REST API </api>`, Webhook, and Syslog, are supported for interworking
    with existing IT systems.

- Flexible Configurations
    On-Premises or Cloud-managed versions provide the right solution for
    everyone, whether using an in-house IT department, or an out-sourced
    management service. In addition, it is a software based product, so users
    can select the hardware or virtual environment they desire to use.

- Function Based Editions
    Genian NAC is available in 3 Editions based on the implementation steps
    above. See: :doc:`deploying/editions`. The Basic Edition is primarily
    intended to quickly provide visibility into the early stages of NAC
    deployment without changing the existing network configuration. The
    Professional Edition provides network access control functions such as
    802.1X, ARP control, and SPAN control, and may be upgraded to after the
    Basic edition is used to assess the network. Finally, the Enterprise
    Edition can be considered if there is a need to apply automated endpoint
    control, interwork with other security systems, provide role based
    administration or high availability deployment.

.. _802.1X: https://en.wikipedia.org/wiki/IEEE_802.1X
.. _Device Platform Intelligence: https://www.genians.com/device-platform-intelligence/