Network Access Control (NAC)

Controlling access to the network is a fundamental security control. On shared networks, the ability of users to connect to the network should be restricted. Well-known security frameworks such as ISO 27002, Information technology – Security techniques – Code of practice for information security management, include this control as a recommendation, and the Payment Card Industry Data Security Standard (PCI DSS) also requires restrictions on network access.

ISO 27002 recommends that, to prevent unauthorized access to network services, controls to restrict the connection capability of users may be required for shared networks, especially those extending across organizational boundaries.

PCI DSS requires that companies implement physical and/or logical controls to restrict access to publicly accessible network jacks. For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.

Neither of these standards mandates the use of Network Access Control (NAC). Some organizations meet the access control requirements by implementing MAC address filtering. However, MAC address filtering is easily bypassed by spoofing the MAC address of an authorized device, and it lacks many of the features incorporated into today’s NAC solutions.

The current generation of NAC solutions allows organizations to implement policies that address:

  • Device authentication
  • Device configuration
  • Device behavior
  • System integration

Early NAC solutions were expensive and complex. Many NAC deployments failed or stalled, due to complexity, the lack of interoperability and proprietary technologies used in the NAC solutions. Vendor lock-in was an issue. Modern NAC solutions are much better suited for multi-vendor, heterogeneous environments. Vendors of both NAC solutions and operating systems have developed standards to facilitate interoperability and advanced feature sets.

Some NAC products require an agent to be installed on each endpoint. Others are agentless. This can be an important decision point when selecting a product. If an organization needs to control IoT devices, an agentless system should be used. If agents are to be used, does the vendor provide agents for all of the platforms that need to be supported?

Device authentication is more robust than simply checking the MAC address of the device. Policies can require the use of X.509 certificates issued to each authorized device. Some systems can examine multiple factors, including the username, authenticated state, email address, IP address, MAC address, hostname, device type, and operating system.

Policies mandating device configuration can require connecting devices to have current operating system patches, an active firewall, active anti-virus and/or anti-malware installed. Some systems can even prohibit devices that have restricted applications installed.

Any good NAC (legacy or modern) includes the ability to monitor the actions of users and devices and report on what is happening. This capability should integrate with an organization’s IDS and IPS systems. Integrations with security information and event management (SIEM) systems are also common.

Important features of modern NAC solutions include Mobile Device Management (MDM), either directly in the NAC product or via good system integration with products from major MDM vendors. Support for BYOD users is important.

Another important feature is the ability to manage contractor and guest access.

One emerging area is the ability to support and control IoT devices. Flexible baseline control, and predefined baseline profiles for well-known IoT devices, are one method of addressing these devices. A baseline determines the security state of an endpoint that is attempting a network connection, allowing the protection resources to decide the suitable level of access. A baseline feature must work in heterogeneous endpoint environments.
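The policy evaluation that the device authentication, device configuration and baseline paragraphs above describe, as an added example that is not code from the original page or from any vendor's product: it admits a device on its X.509 certificate rather than its MAC address, checks agent-reported posture against thresholds, and places agentless IoT devices in a predefined baseline segment. The patch-age threshold, restricted-application list, IoT profile names and MAC allowlist are all constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed sample policy values, not any vendor's defaults.
MAX_PATCH_AGE_DAYS = 30
RESTRICTED_APPS = {"torrent-client", "remote-control-tool"}
# Predefined baseline profiles for well-known IoT device types (assumed names and segments).
IOT_BASELINE_PROFILES = {"ip-camera": "vlan-iot-video", "badge-reader": "vlan-iot-access"}
# What a MAC-filter-only deployment would rely on (constructed entry).
MAC_ALLOWLIST = {"00:11:22:33:44:55"}

@dataclass
class Endpoint:
    mac: str
    device_type: str                 # "workstation", "ip-camera", ...
    cert_valid: bool                 # X.509 device certificate presented and chains to the org CA
    os_patch_date: date | None       # last OS patch date reported by the agent, None if unknown
    firewall_on: bool = False
    antimalware_on: bool = False
    installed_apps: set[str] = field(default_factory=set)

def mac_filter_decision(ep: Endpoint) -> str:
    """Legacy control: admits any device presenting a listed MAC, whatever its real identity."""
    return "full" if ep.mac in MAC_ALLOWLIST else "deny"

def nac_decision(ep: Endpoint, today: date) -> tuple[str, list[str]]:
    """Return (access level, reasons). Levels: full, quarantine, deny, or an IoT segment name."""
    # 1. Device authentication: the certificate, not the MAC, proves device identity.
    if not ep.cert_valid:
        if ep.device_type in IOT_BASELINE_PROFILES:
            # Agentless IoT device: no certificate or agent, so use its baseline profile.
            return IOT_BASELINE_PROFILES[ep.device_type], ["matched predefined IoT baseline"]
        return "deny", ["no valid device certificate"]
    # 2. Device configuration (posture) checks reported by the agent.
    findings: list[str] = []
    if ep.os_patch_date is None or (today - ep.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        findings.append("OS patches older than policy allows")
    if not ep.firewall_on:
        findings.append("host firewall disabled")
    if not ep.antimalware_on:
        findings.append("anti-malware not active")
    restricted = ep.installed_apps & RESTRICTED_APPS
    if restricted:
        return "deny", [f"restricted application installed: {', '.join(sorted(restricted))}"]
    # 3. Access level: remediation segment while posture gaps remain, full access otherwise.
    return ("quarantine", findings) if findings else ("full", [])
```

A device that presents a listed MAC but no valid certificate passes `mac_filter_decision` yet is denied by `nac_decision`, which is the gap between MAC filtering and device authentication that the text describes.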

Some of the leading vendors in the NAC market are (in alphabetical order):

  • Aruba
  • Auconet
  • Bradford Networks
  • Cisco
  • Extreme Networks
  • ForeScout
  • Pulse Secure