The best cybersecurity comes in layers, making it difficult or frustrating for an intruder to fight through each line of defense to break into the network and gain access to data. One of the front-line defenses should be network access control (NAC) and its ability to restrict network access to devices and users that are authorized and authenticated.
NAC was the highest IT security spending priority in eSecurity Planet's 2019 State of IT Security survey – and is also one of the technologies users have the most confidence in.
What is network access control?
The emphasis of NAC is the access control – who or what has authorized permission to access the network. This includes both users and devices. The NAC system intercepts connection requests, which are then authenticated against a designated identity and access management system. Access is either accepted or denied based on a pre-determined set of parameters and policies that are programmed into the system.
While this concept is fairly straightforward, deploying network access control is more challenging. This is because NAC requires interaction between protocols and different technologies that range from IT systems to security in order to function effectively.
According to the executive team at managed services provider VirtualArmour, the goals of network access control are as follows:
- Authorization, Authentication and Accounting (AAA) of network connections
- Role-based control for a user, device, or application post-authentication. This means that a given user and their device are placed into their corresponding permission buckets such that an employee in finance and an employee in HR have access to different resources in their environment.
- Confidentiality and containment of intellectual property through policy enforcement
- Identity and asset management
- Automatically assess a device’s security posture, and allow or block it based on whether it passes the security check (which can be based on numerous things, such as operating system version, latest patches installed, whether a certain anti-virus product is installed, etc.)
There are a number of use cases that cover all types of organizations using NAC solutions, according to Vinay Anand, VP of ClearPass Security at Aruba, an HPE company. These include the following:
- Access policy: This is the over-arching use case for NAC, said Anand. It allows the administrator to define multiple access policies that govern users and devices connecting to the network based on specific situations such as user profile, device type or user location.
- Compliance checks of endpoint devices: When a NAC client runs on end-user computing devices, it can continually check and validate that the appropriate software is installed, and confirm that the devices are running updated versions and have current patches. If the device fails any of these compliance checks, it will likely be denied access to the network until appropriate updates are made.
- Guest access: There will be times that an organization needs to allow non-employees to access the network. A NAC solution can provide guests the ability to connect to the corporate network with restricted access.
- Device discovery and profiling: Due to the increased use of the Internet of Things (IoT), especially in particular industry verticals such as healthcare or manufacturing, the IT administrator needs a comprehensive view of any and all devices connected to the network. Anand said in these situations, NAC is very useful as it has the capability to discover all devices on the network, and then fingerprint and profile them so the IT administrator has a global view of what is on the network.
- Enforcement: There will be times when an unauthorized device or user attempts to connect to the network. When this happens, the NAC solution can automatically disconnect the device. There is also an option to quarantine the device until an investigation is done to determine if the device was supposed to be authorized and why it was exhibiting unauthorized behaviors.
- Security analytics: Network access control is an important part of the security system. It can continuously monitor the behavior of devices while on the network by collecting logs, flows and packets, Anand explained. The NAC solution can also apply machine learning and security analytics in order to detect malicious behavior that could lead to exfiltration, stolen credentials, or attacks on the network infrastructure.
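The role-based control and posture assessment described in the VirtualArmour goals above, together with Anand's compliance-check and enforcement use cases, all reduce to one decision the NAC server makes per connection. The following is an added illustration of that decision logic, not code from any NAC product named on this page; the group names, VLAN numbers, minimum OS builds and patch-age threshold are invented for the example.

```python
"""Toy NAC policy engine: role-based access plus endpoint posture checks.

Added illustration, not code from any NAC product. Thresholds, group
names and VLAN numbers below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Minimum acceptable OS build per platform (constructed values).
MIN_OS_BUILD = {"windows": 19045, "macos": 14}

# Role -> VLAN that the enforcement point (switch/AP) is told to assign (constructed).
ROLE_VLAN = {"finance": 110, "hr": 120, "guest": 900}
QUARANTINE_VLAN = 999  # remediation network: patch servers and AV updates only


@dataclass
class Device:
    mac: str
    platform: str
    os_build: int
    patch_age_days: int
    antivirus: str | None   # None when no AV agent reported in
    disk_encrypted: bool


@dataclass
class Decision:
    action: str             # "allow", "quarantine" or "deny"
    vlan: int | None
    reasons: list[str] = field(default_factory=list)


def posture_failures(d: Device, max_patch_age: int = 30) -> list[str]:
    """Return the posture checks the device fails (an empty list means compliant)."""
    fails = []
    if d.platform not in MIN_OS_BUILD:
        fails.append(f"unsupported platform {d.platform}")
    elif d.os_build < MIN_OS_BUILD[d.platform]:
        fails.append(f"os build {d.os_build} below minimum {MIN_OS_BUILD[d.platform]}")
    if d.patch_age_days > max_patch_age:
        fails.append(f"last patch {d.patch_age_days} days ago (max {max_patch_age})")
    if not d.antivirus:
        fails.append("no antivirus agent reported")
    if not d.disk_encrypted:
        fails.append("disk not encrypted")
    return fails


def decide(user_groups: set[str], device: Device, authenticated: bool) -> Decision:
    """Combine authentication, group membership and posture into one decision.

    Order matters: an unauthenticated user is denied before posture is even
    looked at, and a known user on a non-compliant device is quarantined on
    a remediation VLAN rather than fully denied, which matches the
    "denied access until appropriate updates are made" behaviour above.
    """
    if not authenticated:
        return Decision("deny", None, ["authentication failed"])
    roles = [r for r in ROLE_VLAN if r in user_groups]
    if not roles:
        return Decision("deny", None, ["user belongs to no role with network access"])
    fails = posture_failures(device)
    if fails:
        return Decision("quarantine", QUARANTINE_VLAN, fails)
    # First matching role wins; a real policy would rank overlapping roles explicitly.
    return Decision("allow", ROLE_VLAN[roles[0]], [f"role {roles[0]}"])


if __name__ == "__main__":
    laptop = Device("aa:bb:cc:dd:ee:01", "windows", 19045, 5, "Defender", True)
    stale = Device("aa:bb:cc:dd:ee:02", "macos", 13, 60, None, True)
    print(decide({"finance"}, laptop, True))
    print(decide({"hr"}, stale, True))
```

The reasons list is what the security team sees in the alert or report; keeping it separate from the action makes the quarantine decision explainable to the user being held on the remediation VLAN.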
Although these goals and use cases can be used across any industry vertical, there can be specific advantages to deploying network access control solutions for specific situations, as in heavily regulated industries such as healthcare and financial services.
Bring Your Own Device (BYOD) is a mainstay in enterprises today. Allowing users to connect to the network with their own devices has the potential to wreak havoc, as it is difficult for IT departments to control. Even with a BYOD policy in place, IT administrators depend on employees to be honest about what devices are being used to connect to the network, what applications are on those devices, and what security tools are used to protect them. Employees are blurring the line between personal and professional, because by using their own devices, sometimes on insecure WiFi connections, they can work more efficiently. Isn’t that good for the company?
Perhaps, but it certainly isn’t good for the security of the network or the data stored there. That’s where NAC security kicks in. The NAC platform will be able to monitor the BYOD devices, detecting which ones are authorized for access or denying a device that is coming from a risky connection.
Network access control in healthcare
The healthcare industry is security-challenged for any number of reasons: the vast amount of personal and medical data it holds (and its high value on the black market); the number of third-party partners that interact with each other; and the increasing number of medical devices that are now connected to the internet – and connecting to the network from all over the world. BYOD is a growing concern in healthcare, too.
However, the healthcare industry is lagging in network scans. Deploying NAC solutions in healthcare could improve overall security, and it could also help keep healthcare providers in compliance with HIPAA regulations. Medical personnel must have access to patient information quickly and easily, as it could be critical in a life or death situation. But while patient information needs to be immediately accessible for medical personnel, employees who do not need access should be restricted. That's where NAC could help with regulatory compliance.
Network access control on college campuses
The university setting may be a security professional’s greatest nightmare. At the base level, there is a user base that changes every four months or so, with new students coming on the network and former students who shouldn’t have access but still do. Staff and faculty may be a little more stable, but they also use multiple devices from multiple locations. There are grant agencies with access, collaborations with other universities, and outside contractors. And then, of course, there are the alumni and parents who want access to the campus networks. All of these entities require different levels of access permissions.
The NAC security solution will give campus IT administrators the ability to set up policy that determines who has access to what areas of the network. It can also control location access – a student device that can be used on campus may not have access from that Caribbean spring break locale, for example. NAC control can also determine how many devices a user can connect to the network or what type of IoT devices would be allowed. A sensitive research project may have permission to set up a security camera system with network access so it can be monitored remotely, for instance, giving permissions that may not be offered to other individuals or departments.
IT teams should have a good understanding of their corporate user and device access and compliance policy. For example, do they want to deploy an agent on every laptop or desktop in the network for compliance checks? Do they want NAC just to alert and report, or actively enforce policies?
Typically, NAC is a control plane solution and can be deployed anywhere in the network, explained Anand. “In most cases, it is deployed in the data center or close to the Active Directory or other identity source that is being used in the network,” he said. “In the most basic use case, NAC will intercept DHCP requests from devices connecting to the network to profile the users and devices, and authenticate them against the identity source.”
In addition, depending on the use case, NAC may require access to switches for enforcement via 802.1X or SNMP.
If enforcement is important, users should choose between 802.1X and SNMP as a means to configure the switch ports for policy enforcement, Anand added. While 802.1X is the secure approach, many of the older switches either don’t support this mechanism or don’t have it configured. In such cases, they can use SNMP.
In its NAC Framework Configuration Guide, Cisco shows that there are many details, nuances, and configuration parameters that need to be set. A very high-level overview of setting up a NAC framework includes:
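Anand's "most basic use case" above, intercepting DHCP requests to profile devices, and the device discovery and profiling use case earlier on the page both rest on reading the options a client sends in its DHCP DISCOVER. The parameter request list (option 55) is the classic fingerprinting signal. The code below is an added example, not code from any product mentioned here: it parses the options area of a DHCP packet and matches option 55 against a small fingerprint table. The fingerprint table, the hostname and the sample packet are constructed for the illustration; real NAC products use large curated databases keyed on the same fields.

```python
"""DHCP option parsing for device profiling (added example, not product code).

The FINGERPRINTS table is constructed for this illustration.
"""
from __future__ import annotations

import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2132)

# Constructed fingerprints: option-55 parameter request list -> device class.
FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows-workstation",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "apple-device",
    (1, 3, 6, 12, 15, 28, 42): "embedded-linux",
}


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: raw_value} from a DHCP packet's options area.

    The fixed BOOTP header is 236 bytes, followed by the magic cookie and
    TLV options; code 0 is a single pad byte and code 255 ends the list.
    Truncated options raise rather than silently yielding partial values.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts: dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def profile_device(packet: bytes) -> dict:
    """Extract the fields a NAC profiler keys on and classify the device."""
    opts = parse_dhcp_options(packet)
    prl = tuple(opts.get(55, b""))
    return {
        "message_type": opts.get(53, b"\x00")[0],          # 1 = DISCOVER
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "param_request_list": prl,
        "device_class": FINGERPRINTS.get(prl, "unknown"),
    }


def option(code: int, value: bytes) -> bytes:
    """Encode one TLV option."""
    return bytes([code, len(value)]) + value


def build_discover(mac: bytes, options: bytes) -> bytes:
    """Assemble a minimal DHCPDISCOVER (constructed test input, not a capture)."""
    # op=1 (request), htype=1 (ethernet), hlen=6, hops=0, xid, secs, flags,
    # ciaddr/yiaddr/siaddr/giaddr = 0, chaddr padded to 16 bytes, sname, file.
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, 0x3903F326, 0, 0x8000,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return header + MAGIC_COOKIE + options + b"\xff"


# Constructed sample: a Windows-style client announcing itself.
SAMPLE_DISCOVER = build_discover(
    bytes.fromhex("001122334455"),
    option(53, b"\x01")
    + option(12, b"lab-laptop-07")
    + option(60, b"MSFT 5.0")
    + option(55, bytes((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252))),
)

if __name__ == "__main__":
    print(profile_device(SAMPLE_DISCOVER))
```

Hostname and vendor class are client-supplied and trivially spoofable, which is why profilers treat them as hints and combine DHCP fingerprints with other observations (MAC OUI, HTTP user agents, traffic patterns) before placing a device in a class that unlocks access.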
- Install the NAC server and configure all wireless access points and switches to use the NAC server for authentication.
- Define basic profiling and authentication rules on the NAC server. This determines which resources certain users and devices have access to.
- Define inspection and compliance policies. These dictate the security posture checks.
- Test and fine-tune your rules and policies.
- Define alerts and reports, such that failed authentications are logged and sent to your security team for analysis. Weekly reports are useful to see trending data.
- Go live. After you are confident that your rules, policies, and alerts are all functioning as intended, roll out the NAC solution for a subset of your users (e.g., a certain department or branch office location). This “canary” group will validate your newly deployed NAC solution before broader rollout.
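The alerting and reporting step above (failed authentications logged and sent to the security team, with periodic trend reports) is easy to sketch concretely. The following is an added example, not code from Cisco's guide or any product on this page: it parses a constructed authentication-server log format, raises an alert when one user accumulates repeated rejects inside a short window or is rejected from several different devices, and produces the per-reason and per-switch counts a weekly report would carry. The log format, usernames, MAC addresses and switch names are all invented for the illustration.

```python
"""Alerting on failed NAC authentications from authentication-server logs.

Added example; the log line format below is constructed for the
illustration and is not the format of any real RADIUS or NAC server.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ACCEPT|REJECT) user=(?P<user>\S+) "
    r"mac=(?P<mac>[0-9a-f:]{17}) nas=(?P<nas>\S+) port=(?P<port>\S+)"
    r"(?: reason=(?P<reason>.*))?$"
)

# Constructed sample log: one success, a brute-force-looking burst for bob,
# one user (carol) failing posture from three different devices, a late
# isolated failure, and a malformed line the parser must skip.
SAMPLE_LOG = """\
2024-03-04T08:00:01 auth ACCEPT user=alice mac=00:11:22:33:44:55 nas=sw-fl2-01 port=Gi1/0/7
2024-03-04T08:00:12 auth REJECT user=bob mac=00:11:22:33:44:66 nas=sw-fl2-01 port=Gi1/0/8 reason=bad-password
2024-03-04T08:00:40 auth REJECT user=bob mac=00:11:22:33:44:66 nas=sw-fl2-01 port=Gi1/0/8 reason=bad-password
2024-03-04T08:01:05 auth REJECT user=bob mac=00:11:22:33:44:66 nas=sw-fl2-01 port=Gi1/0/8 reason=bad-password
2024-03-04T08:03:00 auth REJECT user=carol mac=00:11:22:33:44:77 nas=sw-fl3-02 port=Gi1/0/2 reason=posture-failed
2024-03-04T08:03:30 auth REJECT user=carol mac=00:11:22:33:44:88 nas=sw-fl3-02 port=Gi1/0/3 reason=posture-failed
2024-03-04T08:03:45 auth REJECT user=carol mac=00:11:22:33:44:99 nas=sw-fl3-02 port=Gi1/0/4 reason=posture-failed
2024-03-04T08:45:00 auth REJECT user=bob mac=00:11:22:33:44:66 nas=sw-fl2-01 port=Gi1/0/8 reason=bad-password
garbage line that should be skipped
"""


def parse_log(text: str) -> list[dict]:
    """Parse log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def failure_alerts(events: list[dict], threshold: int = 3,
                   window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Sliding-window alerting over rejects, one alert per threshold crossing.

    Fires when a user reaches `threshold` rejects inside `window`; if those
    rejects came from `threshold` distinct MACs the alert is tagged as a
    same-user-many-devices pattern, otherwise as repeated failures.
    """
    alerts = []
    rejects: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "REJECT":
            continue
        hist = rejects[e["user"]]
        hist.append(e)
        while hist and e["ts"] - hist[0]["ts"] > window:   # expire old rejects
            hist.pop(0)
        if len(hist) == threshold:   # == so a long burst alerts once, not per event
            macs = {h["mac"] for h in hist}
            kind = "same-user-many-devices" if len(macs) >= threshold else "repeated-failures"
            alerts.append({"user": e["user"], "kind": kind, "count": len(hist),
                           "first": hist[0]["ts"], "last": e["ts"], "macs": sorted(macs)})
    return alerts


def summary(events: list[dict]) -> dict:
    """Counts for a periodic report: rejects per reason and per switch (NAS)."""
    by_reason: dict[str, int] = defaultdict(int)
    by_nas: dict[str, int] = defaultdict(int)
    for e in events:
        if e["result"] == "REJECT":
            by_reason[e["reason"] or "unspecified"] += 1
            by_nas[e["nas"]] += 1
    return {"rejects": sum(by_reason.values()),
            "by_reason": dict(by_reason), "by_nas": dict(by_nas)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in failure_alerts(evs):
        print(a)
    print(summary(evs))
```

The two alert kinds deserve different handling: repeated rejects from one device usually mean a stale cached password or a guessing attempt against that port, while one account failing from several devices in a minute is worth a call to the user, since it often indicates shared or misconfigured credentials.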
The VirtualArmour team broke down the basic functions of network access control this way:
- The NAC server: this is the link between your user database and your enforcement points and ties it all together with security policies.
- The enforcement points: your network devices, such as routers, switches, firewalls, SSL VPN gateways, and wireless access points. These devices ultimately allow or don’t allow a user to access your network.
- The user database: this contains a list of all your authorized users and the various groups they belong to (often grouped by company department). This can be your Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) server. It could also be a cloud/SaaS-based single sign-on (SSO) solution, such as Okta or Ping, which is responsible for identity management (IdM) for your environment.
Network access control solutions
- Impulse SafeConnect
- Extreme Networks ExtremeControl
- Auconet BICS
- ForeScout CounterACT
- Pulse Policy Secure
- HPE Aruba ClearPass
- Bradford Networks' Network Sentry
- Cisco Identity Services Engine
- InfoExpress CyberGatekeeper