
Network Access Control (NAC): what is it and why is it important?

 

In the implementation of a robust and effective security strategy, a key role is played by Network Access Control (NAC) solutions, which monitor the devices and users trying to access the network and restrict access to resources for unauthorized users and, most importantly, for cybercriminals, hackers or attackers.
Traditionally used by financial institutions, businesses and institutions with high security requirements, research centers and universities, NACs are now the focus of attention both as a way to counter the increased security risks associated with Bring Your Own Device (BYOD) policies and the proliferation of networked IoT devices, and because they can be integrated with MDM (Mobile Device Management), SIEM (Security Information and Event Management) and next-generation firewalls.
In a well-constructed cybersecurity strategy, NAC enables companies to act as gatekeepers for authorized users, particularly for all those entities that allow remote access to the corporate network from non-business devices such as cell phones, laptops and tablets, or for companies that allow employees working in the office to use personal devices.
By limiting or denying access to resources to users and devices that do not meet security policies, NAC solutions help companies ensure compliance and strengthen their IT infrastructure.

Meaning of Network Access Control

As we have mentioned, NAC (Network Access Control) refers to software that monitors and controls network access and regulates network admission.
Not to be confused with 802.1X, the IEEE standard for port-based network access control, NAC is implemented in order to strengthen the security, visibility and access management of a proprietary network by restricting the availability of network resources to endpoint devices and users who comply with defined security policies.
Thus, it is a set of rules, protocols, and processes that govern access to network-connected resources, wired and wireless, such as network routers, traditional PCs, IoT devices, and other types of endpoints, and also applies to virtual and software-defined resources.
In fact, it also serves as a permanent inventory of users, devices and their access level.
It can also be used as an “active discovery” tool to discover previously unknown devices that may have gained access to all or parts of the network, requiring IT administrators to change security policies.

How it works and types of NAC

It is up to the security teams to define the protocols that form the basis of the authorization criteria, the network access control list (ACL), that the NAC will apply whenever it receives a connection request.
In other words, the system authenticates users and creates secure connections that resemble the classic traffic tunnels of virtual private networks.
Not only that.
It also determines what resources are available to each user: in fact, security policies can define different levels of access based on users’ roles, and NAC software will prevent users from going outside their assigned permissions.
In addition, since even authorized devices can contravene the defined rules, the use of sensors for NAC, either as software components or directly on access points, allows for real-time monitoring of all network traffic, blocking it if necessary.
Two types of Network Access Control are generally referred to: Pre-Admission and Post-Admission.

  • Pre-Admission: in this case, network access control takes place before access is granted.
    A user attempting to enter the network makes a request for access.
    The NAC reviews the request and provides access if the device or user is able to authenticate its identity.
    The NAC stores user credentials on secure databases, and access protocols specify the requirements that devices must meet before they can gain access.
    Third-party authentication services are also typically used to provide additional assurance through MFA (Multi Factor Authentication).
  • Post-Admission: this refers to a process of granting authorization to a device or authenticated user who attempts to enter a new or different area of the network for which authorization has not been granted.
    To receive it, the user or device must re-verify its identity.
    Post-Admission NAC controls what users can do once they access corporate resources.
    Internal firewalls segregate network resources, while security protocols ensure that users access only the data corresponding to their privileges.
    When endpoints attempt to violate those privileges, the NAC blocks them and denies access.
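
The pre-admission and post-admission decisions described above, sketched as an added example (not code from the original article or from any NAC product). The role names, segment names and posture checks are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy: role, segment and posture names are hypothetical.
ROLE_SEGMENTS = {
    "employee": {"office-lan", "intranet"},
    "finance": {"office-lan", "intranet", "finance-db"},
    "guest": {"guest-wifi"},
}
REQUIRED_POSTURE = ("disk_encrypted", "os_patched", "av_running")

@dataclass
class Session:
    user: str
    role: str
    posture: dict                      # posture facts reported for the device
    granted: set = field(default_factory=set)
    compromised: bool = False          # flagged during incident response

def pre_admission(session, identity_verified, first_segment):
    """Decide before any access is granted."""
    if not identity_verified:
        return "deny: identity not verified"
    missing = [c for c in REQUIRED_POSTURE if not session.posture.get(c)]
    if missing:
        return "deny: posture check failed (" + ", ".join(missing) + ")"
    if first_segment not in ROLE_SEGMENTS.get(session.role, set()):
        return "deny: segment not allowed for role"
    session.granted.add(first_segment)
    return "admit"

def post_admission(session, segment, reverified=False):
    """Decide when an admitted session asks for a network segment."""
    if session.compromised:
        session.granted.clear()        # cut off a compromised device
        return "block: device flagged as compromised"
    if segment in session.granted:
        return "allow"
    if segment not in ROLE_SEGMENTS.get(session.role, set()):
        return "block: outside role privileges"
    if not reverified:
        return "challenge: re-verify identity"
    session.granted.add(segment)
    return "allow"

if __name__ == "__main__":
    s = Session("alice", "finance", dict.fromkeys(REQUIRED_POSTURE, True))
    print(pre_admission(s, True, "office-lan"), "|", post_admission(s, "finance-db"))
```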

Basic functionality of network access control

But what, in essence, are the distinctive features of a NAC that make it easier for network administrators to manage the security posture of their infrastructure?

  • Total network visibility: adopting NAC solutions makes networks more readable for network managers, enabling them to map connected devices and have visibility into what is happening at the network perimeter, identifying threats and initiating mitigation actions before they cause damage.
  • User Profiling: when users request remote access, the system immediately verifies their credentials, excluding unknown devices and individuals by comparing the data with centrally stored resources.
  • Guest User Management: network administrators can also securely admit guest and temporary users by granting them limited access to the network.
    This means being able to facilitate collaboration with partners, consultants and collaborators without jeopardizing security within the corporate network.
  • Management of internal users: the moment a user is authenticated, the NAC is able, based on the rules defined by administrators, to determine what they can do, limiting access to sensitive resources to only those explicitly authorized.
  • Network management: network administrators can also use NAC as part of their network management activities.
    Specifically, NAC can find application in these three cases:
      • Load balancing, to distribute traffic and improve reliability and performance;
      • Network resource management, to manage and allocate resources for network processes;
      • Network user sessions, to track users, store their data and maintain their specific status.

In brief, we can summarize six key functions of a NAC:

  • Block: i.e., block access to the network by endpoints which do not comply with enterprise security policies;
  • Integrate: i.e., integrate with other security solutions through application programming interfaces;
  • Limit: i.e., limit network access to specific users and specific areas of the network;
  • Manage: i.e., manage the policy life cycle for different operational scenarios;
  • Prevent: i.e., prevent access to data by unauthorized parties;
  • Recognize: i.e., recognize and profile users and devices to protect them;
  • Security Posture Check: i.e., evaluate and classify security policy compliance based on user, device, location, operating system, and other criteria.

Why is it important?

To understand the importance of a NAC, it may be useful to think about the most common scenarios and use cases, starting, for example, with the aforementioned BYOD.
With the increasing prevalence of agile and remote working modes, it is becoming increasingly common for employees and contractors to use their personal devices to perform their work activities.
In this case, NAC criteria can be extended to BYOD to ensure that both the device and its owner are authenticated and authorized to enter the network.
Similarly, the proliferation of connected objects, from security cameras to sensors for monitoring access or meeting rooms in offices, effectively expands an organization’s attack surface.
NAC can reduce the risk by applying profiling measures and access policies for this category of devices.
Not least, Network Access Control is also useful for granting temporary access to outsiders and contractors, with ad hoc policies different from those in use for regular employees.
Finally, Network Access Control plays a key role in Incident Response, identifying compromised devices and automatically disabling their access to prevent an attack from spreading across the network.

Conclusion

There is no denying that NAC’s automation capabilities bring tremendous efficiency to the process of user and device authentication and access authorization.
The presence of the NAC’s background checks and visibility features adds new levels of security for administrators and users. In addition, NAC is an extra piece for all those organizations that must or want to meet increasingly stringent compliance regulations governing what data can be collected, stored and shared by an organization.
And an effective NAC strategy helps protect network access and meet regulatory compliance requirements.