What is NAC and why is it important for network security?

Network Access Control (NAC) is a network security technology that prevents unauthorized users and devices from entering private networks and accessing sensitive resources. NAC, also known as Network Admission Control, first gained a foothold in enterprises in the mid-to-late 2000s as a way to manage endpoints through basic scanning and blocking techniques.

As knowledge workers become increasingly mobile, and as BYOD initiatives spread across organizations, NAC solutions have evolved to not only authenticate users but also manage endpoints and enforce policies.

How NAC works

NAC tools detect and provide visibility into all devices on the network. NAC software prevents unauthorized users from entering the network and enforces policies on endpoints to ensure devices comply with network security policies. For example, a NAC solution will ensure that endpoints have the latest antivirus and anti-malware protection.

Non-compliant devices may be blocked from the network, quarantined, or granted limited access.

NAC works in two phases. The first phase, authentication, identifies the user and verifies their credentials. Most NAC tools support multiple authentication methods, including passwords, one-time passwords, and biometrics.

In the second phase, NAC enforces a number of policy factors, including device health, location, and user roles. Most NAC appliances also have the ability to limit access by role, allowing users to access only the resources they need to do their jobs.

If a user or device fails the authentication or authorization phase, NAC tools block or quarantine the device and/or user.
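The two-phase decision described above, sketched as an added example (not code from any NAC product). The role names, resource names, locations and the `admit` function are hypothetical, and the single antivirus flag stands in for a fuller device health check.

```python
from dataclasses import dataclass

# Hypothetical policy tables, constructed for illustration.
ROLE_RESOURCES = {
    "engineer": {"git", "ci", "wiki"},
    "finance": {"erp", "wiki"},
    "guest": {"internet"},
}
TRUSTED_LOCATIONS = {"hq", "branch"}
LOW_SENSITIVITY = {"internet", "wiki"}  # what "limited access" may reach


@dataclass
class Endpoint:
    user: str
    role: str
    authenticated: bool   # outcome of phase 1 (password, OTP, biometrics)
    av_up_to_date: bool   # device health signal reported or scanned
    location: str


def admit(ep: Endpoint) -> tuple[str, set[str]]:
    """Return (decision, reachable resources) for one connection attempt."""
    # Phase 1: authentication. A failure blocks before any policy is read.
    if not ep.authenticated:
        return "block", set()
    # Phase 2: policy enforcement, starting with device health.
    if not ep.av_up_to_date:
        # Non-compliant device: isolate it so it reaches remediation only.
        return "quarantine", {"remediation"}
    allowed = set(ROLE_RESOURCES.get(ep.role, set()))
    if not allowed:
        return "block", set()  # unknown role: deny by default
    if ep.role == "guest" or ep.location not in TRUSTED_LOCATIONS:
        # Limited access: role entitlements narrowed to low-sensitivity ones.
        return "limited", allowed & LOW_SENSITIVITY
    return "allow", allowed  # role-based access: only what the job needs


if __name__ == "__main__":
    # Constructed sample endpoints.
    for ep in [
        Endpoint("alice", "engineer", True, True, "hq"),
        Endpoint("bob", "finance", True, False, "hq"),
        Endpoint("carol", "engineer", True, True, "home"),
        Endpoint("dave", "guest", True, True, "hq"),
        Endpoint("eve", "engineer", False, True, "hq"),
    ]:
        print(ep.user, *admit(ep))
```

The order of checks matters: a device that fails authentication is never evaluated for posture, and an unknown role is denied rather than given a default set of resources.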

What are the different types of NAC methods?

NAC methods can vary in many ways, but two common differences involve when a device is checked and how the system collects information from the network.

Pre-admission and post-admission: There are two ways for NAC to authorize access for end devices. In a pre-admission design, devices are inspected and policies are enforced before they are granted access to the network. This method is best suited for use cases where the device may not have the latest antivirus and anti-malware software.

Alternatively, post-admission design focuses less on device posture and more on the user, enforcing policies based on behavior. This approach works well for use cases like guest access, where online activity is often limited to uses like web browsing and checking email.

Many NAC products offer a combination of these methods, which may vary by location, device type, or user group.

Agent-based vs. agentless design: Another architectural difference is agent-based vs. agentless information collection. Some NAC vendors require users to download agent software on their client devices. The agent then reports the device characteristics back to the NAC system.

Alternatively, agentless NAC solutions continuously scan the network and inventory devices, relying on device and user behavior to trigger enforcement decisions.

Core capabilities of a NAC system

NAC protects the network through multiple core functions. These include:

Authentication and authorization: Manage user and device access to resources.

Centralized policy lifecycle management: Enforce policies for all users and devices while managing policy changes across the organization.

Discovery, Visibility, and Profiles: Find devices on your network, identify them, and place them into groups with specific profiles while blocking unauthorized users and non-compliant devices.

Guest network access: Manage guests and provide them with temporary and often limited access through a customizable self-service portal.

Security posture check: Evaluate compliance with security policies by user type, device type, location, operating system version, and other organization-defined security criteria.

Incident response: Automatically block suspicious activity, quarantine non-compliant devices, and update devices to make them compliant when possible—all without IT intervention.

Bi-directional integration: Integrate NAC with other security tools and network solutions through open/RESTful APIs, enabling NAC to share contextual information (IP and MAC addresses, user IDs, user roles, location, etc.).

NAC and Zero Trust

Although NAC is a nearly 20-year-old technology, its adoption has mostly been limited to mid- to large-sized enterprises. However, as the network edge continues to spread beyond physical enterprise boundaries, and as the COVID-19 pandemic accelerates the acceptance of home, mobile and hybrid work environments, NAC has become an enabling technology for a zero-trust security approach.

As networks become more distributed and complex, cybersecurity teams must find ways to maintain visibility into devices connected to the furthest reaches of an organization’s network. NAC provides this capability through detection and visibility of all devices entering the network, centralized access control, and policy enforcement across all devices.

Main use cases for NAC

Increased employee mobility, an increase in the number of BYOD devices, and the need to support hybrid work environments due to the pandemic are driving the need for stronger network access controls. Common use cases for NAC include:

Guest and Partner Access: NAC solutions allow organizations to provide temporary, restricted access to guests, partners, and contractors. NAC solutions probe guest devices to ensure they comply with the organization’s security policies.

BYOD and work from anywhere: As knowledge workers become increasingly mobile, NAC is used to authenticate users who may be on unknown devices and in unknown locations, while also enforcing policies against those users and devices. If an employee takes a company device home, NAC ensures that no external malware infiltrates the network when the device re-enters the organization’s network.

The work-from-home and work-from-anywhere hybrid work environments that have emerged during the COVID-19 pandemic have followed a similar pattern, with NAC solutions authenticating users, ensuring devices are compliant with policies, and restricting access to resources based on location and user role.

IoT: NAC’s ability to provide visibility, device analytics, policy enforcement, and access management helps reduce the risks associated with IoT devices entering corporate networks. NAC tools can inventory and tag each device as it enters the network, classify IoT devices into groups with limited permissions, and continuously monitor the behavior of IoT devices. NAC will automatically enforce rules to ensure devices comply with business, security, and compliance-related policies.

Medical devices: For IoT devices in highly regulated healthcare environments, NAC can not only detect and block unauthorized access to devices and medical records, but also enforce policies that ensure devices in the healthcare network comply with regulations such as HIPAA. NAC can also enforce policies when medical professionals access the network remotely.

Incident response: After deploying a NAC system, organizations can use it to share information, such as user ID, device type, and contextual information with third-party security point products. This enables automated incident response, where the NAC system automatically responds to network security alerts by blocking and/or quarantining potentially compromised devices without the need for IT intervention.

NAC and compliance

Regulatory compliance has become a driver of NAC adoption as more and more industries regulate how businesses handle consumer data and protect privacy. NAC systems can help organizations maintain compliance with a range of regulations, including but not limited to HIPAA, PCI-DSS, GLBA, SOX, GDPR, and CCPA.

These privacy requirements typically focus on understanding the who, what, when, and where of users and devices on the network, while limiting access to sensitive data to only those with legitimate needs. Demonstrating that you have accomplished all of this through repeatable and auditable processes is also critical for compliance.

NAC can address a variety of regulatory requirements with access control, policy enforcement across users and devices, network visibility, and audit trails. Additionally, many NAC vendors have built-in functionality to help organizations automate compliance with common regulations such as HIPAA, PCI-DSS, and SOX.
