Understanding Network Access Control

What is NAC?

Network Access Control (NAC) starts by checking whether a device is permitted to connect to a network. Based on this, a device may be allowed or denied access. Such access control is typically provided through a technology known as 802.1X, which provides three important functions called Authentication, Authorization, and Accounting (AAA).

Authentication

Authentication is the process of verifying the identity of a user or device connecting to the network. This is usually done through the end user entering a username/password. In some cases the MAC address and digital certificates may be used for authentication.

Authorization

Authorization is the process of determining what network resources an authenticated device can access. Depending on the type of authenticated device or group of identified users, network, service and time zone may be restricted.

Accounting

Accounting is a process that allows a device to keep records of network access and use it for future billing or security purposes. This allows you to see who technology of network access control. Recently, due to security vulnerabilities of network endpoints, it has become desireable to determine eligibility for used what device, when, where, and how. AAA has long been used as a basic network access by security compliance status of the endpoints. NAC solutions function to allow administrators to set security compliance criteria other than usernames and passwords, and to control access based on these varied criteria.

These different aspects of NAC can be divided conceptually into functions that occur before the point of network connection, and after network connection.

Pre-Connect

Pre-Connect refers to operations performed before the endpoint is connected to the network and normal communication is established. When an endpoint attempts to connect to a network, the endpoint is identified and authenticated using identity information such as a username / password / certificate / MAC address provided by that endpoint. If this process does not confirm that the device is authorized, the network connection will be denied. This process can be provided via 802.1X through a device such as a switch or a wireless LAN access point, or through ARP control.

Post-Connect

If the endpoint meets the requirements of the Pre-Connect phase, it will be given access to the network with a certain level of authorization. At the time of connection, the NAC begins continuously monitoring the endpoint for compliance to policies set by the administrator. If and when the policy is violated, the network privileges of the endpoint may be reduced or revoked to isolate the endpoint. An agent can be used to monitor the state of the endpoint. The agent monitors the status of the endpoints hardware and software for compliance. Upon change, the NAC policy server is notified and network access can be controlled if a violation has occurred.

The Evolution of NAC:

First Generation

The earliest generation of NAC is user and device authentication based on 802.1X protocols. If a device tried to connect to switch ports or wireless access points, it was required to provide a username/password or certificate, to be approved by a RADIUS server. This approach allowed or denied access at the level of the switch port or the wireless access point. This method, while effective can be difficult to implement and is not compatible with all devices.

Second Generation

The second generation of NAC expanded to information gathering capability through SNMP with network devices or using independent network sensor devices. This generation also introduced access control methods in addition to 802.1X, such as VLAN quarantining, ARP based control, and port mirroring. This era also coincided with an increasing shift to wireless networking. To manage the emerging vulnerabilities of WLANs like rogue access points, solutions like network sensors, wireless controllers and endpoint agents were increasingly utilized for visibility and control.

Third Generation

The third generation of NAC expanded into automation. Agents became able to automatically configure endpoint devices to comply with security policy, and enabled the creation of a cooperative security model through integration with various systems. For example, a security system operating in the perimeter of the network such as an IDS or firewall may be able to identify threats, but at best, it can only block traffic that flows through it. Integrating with a NAC provides the ability to quarantine malicious devices from the rest of the LAN. A NAC can also share detailed endpoint and user information to other security systems to enhance their functioning. These integration commonly use standardized protocols such as REST, Webhook, and Syslog.

Fourth Generation

The current generation of NAC aims to address the issues of reduced endpoint visibility that have come along with the increasing prevalence of IoT and BYOD. A main feature of this generation is an increasing move towards advanced device fingerprinting for managing business concerns such as end-of-life or end-of-support for assets, as well as automated management responses to known and emerging vulnerabilities. Lastly there an increasing reliance on and integrations with cloud technologies, mirroring the increasing use of cloud computing in fast changing networking environments.

Problems Addressed By NAC

Entry By Unauthorized Devices

Networks that do not implement NAC may be accessed by any device that is plugged into a switch port, or connects to a wireless acces point. Even if password protection is enabled, a user may still log into the network with an unapproved devices. This carries a substantial risk of introducing malware into the network. NAC can safeguard against these threats by denying access by unapproved devices.

Lack of Detailed IP Tracking

Most security systems leave an IP address in the audit trail but may not associate that IP with a user, or a device. This means that in environments with changing IP addresses, it is difficult to determine which device or user may be responsible for a security violation tied to an IP. NAC can keep track of all the connected endpoints through continuous network monitoring, and can provide various information about the endpoint that used the IP at a certain point of time in the past.

Disorganized Asset Management

properly manage assets and ensure compliance to regulatory standards. However, it is difficult for administrators to accurately identify IT assets Today's IT environment is much more complex than in the past due to BYOD, IoT, and so on. These conditions require thorough assessment in order to and check their status at all times. To reduce administrative burden, NAC can provide endpoint details such as the manufacturer, product name, name, location (switch port or physical location), user name, network connection / disconnection time, etc.

Poor WLAN Security

As mobile devices such as smart phones spread into business environments, they expand the usage of wireless LAN. In many networks, a shared password is used. Shared passwords can be easily exposed and it is difficult to trace because they can not be linked to a specific user. The company's shared password should, in principle, be changed if an employee who knows the password leaves the company. However, this is not an easy change to manage. To solve this problem, an 802.1X system is required to allow authentication using a personal password when accessing a wireless LAN. By default, NAC supports 802.1X, allowing for better wireless security.

Unauthorized Access Points

As the network technology develops, the user endpoints can access various types of external networks in addition to the network provided by the company to which the user belongs. Problems such as leakage of internal data may be caused by if a user connected to the internal network creates an access point to the network on their device that is available to outside entities. Data leaks may also occur if a device with sensitive data connects to a public network. NAC monitors WiFi that can be accessed from inside the company, and manages and controls which users are connected. Therefore both rogue access points and the use of non corporate networks can be identified and blocked.

Non-Compliant Endpoints

To solve security problems, administrators require employees to set up essential software or operating system settings, or may prohibit use of certain programs. However, security incidents are constantly occurring because not all users' endpoints meet their requirements. NAC continuously monitors the essential settings, such as antivirus software and screen savers, to ensure that theys are properly complied with, allowing non compliant devices to be blocked/quarantined, and fixed in case of violation.

Insecure Operating Systems

The most important thing for security of endpoint is application of latest security patch. NAC continuously monitors the endpoint and isolates unpatched endpoints from the network. This is different from typical endpoint management software, in that the control operates at the network level that the endpoint has reached. Through network control, administrators can make strong regulations that users can not bypass.

The Difference Between NAC and Firewall

Users who are not familiar with NAC technology often confuse their roles with firewalls. Because of the generality of the term Network Access Control, it is easy to think of a firewall as a product of the same function. However, the two products have the following major differences.

Endpoint vs. Network focused

A firewall is generally located between two or more networks in its configuration location to provide access control for communication between the networks, while NAC controls communiniation between endpoints within a network. For example, NAC can control a file share between two PCs on the same subnet, while the firewall generally does not.

Dynamic vs. Static policies

Firewall policies are usually made through objects such as addresses and ports of the source / destination called 5 Tuples. Recently, next-generation firewalls have begun to provide control through additional objects, such as users. In NAC, devices are organized into groups by multiple criteria. As the devices behavior and attributes change, the group the device is place into changes. Each of the groups can be linked to a security policy with a certain level of network privilege. For example, an endpoint that is not running an antivirus can be identified in real time and quarantined on the network.

Internal vs. External networking

A firewall generally controls traffic by blocking non compliant traffic coming into and out of a network, and generally works off simple rule sets. NAC acts on the endpoints themselves to control traffic between devices within the network in a more flexible fashion.

NAC and firewall solutions play complementary roles by addressing different aspects of network control.

Steps to Implement NAC

Gain Visibility

The ultimate goal of NAC is to control and manage the use of non-compliant end-user devices that connect to the network. For this purpose, however, it is very difficult to immediately apply control functions to the network. For example, when setting up 802.1X, it is often unclear if all networking devices and enpoint are compatible. Additionally, it is not obvious how to collect information for non compliant devices to bypass 802.1X. A proper setup for 802.1X requires visibility. However, 802.1X does not provide visibility until it is full implemented and controlling connections.

Additional strategies must be used to gain endpoint visibility such as IP, MAC, platform type / name / manufacturer, host name, connection switch / port, connection SSID, service port, and operation status. Agents and other means can help establish this visibility.

Classify Endpoints

Once the visibility is secured, a security policy should be established. The first step is to classify the endpoints based on the collected data to determine which groups require control. The classification of endpoints ideally groups endpoints in a way relevant to the IT manager's daily tasks or that indicates compliance status with organizational security rules.

Control Access

The methods of control should be applicable in a variety of ways, depending on the network environment or the status of the device. Technologies such as: 802.1X, ARP, SNMP switch control, SPAN, and agents may be used, as well as integrations with other security systems. The first consideration in the access control phase is the user's authentication. With identification being an important task, it is generally recommended that the user database be aligned with the existing authentication system in use at the deployment site. LDAP interlocks, such as Microsoft Active Directory, or enterprise services such as Google G-Suite, Office 365, email, and even RDBMS, are common options. The next step is to provide role-based access control on the nature of the device or the user authenticated. The next step is to attributes may be used to allocate VLANs or block connections so that organization provide role-based access control on the nature of the device or the user athenticated. User departments have different access rights for authenticating from devices, or using network resources.

If a user tries to access resources that have ben restricted, they can be redirected to a captive web portal. This portal may be customized so that the user can know which policy they are in violation of, and in turn how to become compliant.

IT Security Automation

Automation is the automatic application of security standards set by the administrator, such as operating system/software updates and settings, installation and operation of essential software, etc. This allows for devices that may violate a policy to be brought to a compliant status before network privileges are revoked. For example, a non-compliant device may be identified by the agent, and automatically corrected, without the intervention, of an administrator.

For more detailed deployment practices and considerations, see Deployment Considerations.

Features of Genian NAC

  • 4th Generation NAC
    Genian NAC is the flagship product of 4th Generation NAC, providing advanced visibility through network sensors, without the need for infrastructure changes. The information discovered can be used to dynamically group endpoints by over 500 criteria in real time. Flexible configuration options make it quick and easy to deploy.
  • Advanced Sensor Based Visibility
    Genian NAC uses network sensors that connect directly to the broadcast domains of each network, minimizing interworking with existing IT infrastructures, even working well in legacy networks. This approach allows for visibility of Broadcast (ARP, DHCP, uPNP, mDNS) and Multicast traffic on each subnet.
  • Advanced Endpoint Platform Information
    Device Platform Intelligence makes it easy for IT managers to perform daily management tasks by providing detailed endpoint information such as: End-of-Sale , End-of-Support, Network connection method, Manufacturers bankruptcy, Manufacturers merger, Manufacture country, List of published vulnerabilities, etc.
  • Multiple Access Control Methods
    Genian NAC provides the broadest set of access control methods compared to other NAC products. These include: ARP control, DHCP server, switch control, SPAN based control, agent based control, and 802.1x. This makes it easy to establish comprehensive security. (See: Policy Enforcement Methods)
  • Diverse Security Automation Functions
    The Genian NAC agent make it easy to manage endpoint operating systems, software, and hardware, in addition to collecting detailed information and other services.
  • Enhanced WLAN Security
    Genian NAC collects wireless information through network sensors and agents to deliver security functions such as rogue AP detection, unauthorized wireless LAN connection monitoring/ control, and blocking of soft APs.
  • Excellent Interoperability
    REST API, Webhook, and Syslog, are supported for interworking with existing IT systems.
  • Flexible Configurations
    On-Premises or Cloud-managed versions provide the right solution for everyone, whether using an in-house IT department, or an out-sourced management service. In addition, it is a software based product, so users can select the hardware or virtual environment they desire to use.
  • Function Based Editions
    Genian NAC is available in 3 Editions based on the implementation steps above. See: Compare Editions. The Basic Edition is primarily intended to quickly provide visibility into the early stages of NAC deployment without changing the existing network configuration. The Professional Edition provides network access control functions such as 802.1X, ARP control, and SPAN control, and may be upgraded to after the Basic edition is used to assess the network. Finally, the Enterprise Edition can be considered if there is a need to apply automated endpoint control, interwork with other security systems, provide role based administration or high availability deployment.