NAC (Network Access Control)

Legacy NAC provided a policy management server that dictated what identified users and devices were allowed to do on a specific network, typically using IEEE 802.1X. This included the ability to enforce network restrictions based on organizational policies and procedures as well as to meet requirements set out in certain governmental regulations. It also offered the ability to restrict devices based on their current operational condition: for example, was the device up to date with operating system patches? Did it have an active firewall and an antivirus and/or anti-malware solution installed? Were any restricted applications installed?

A major limitation of these solutions was that they were typically restricted to devices running specific operating systems and/or capable of installing the included NAC agent. A big contributing factor is the design of the IEEE 802.1X standard: it requires that the end device have an installed and capable supplicant, which is used to communicate with the central authentication server. This also required that a bypass mechanism exist for devices that lacked an installed and/or supported supplicant, including printers and other network peripherals.

Modern NAC Appliances

Modern NAC appliances greatly extend the capabilities of their legacy predecessors. Some of these extended capabilities include:

  • Agentless Operation — One of the biggest changes between legacy and modern NAC systems is support for agentless operation. This single change greatly expands the flexibility of the solution. Supported devices are no longer limited to those running IEEE 802.1X supplicants or proprietary agents that only run on the most popular operating systems. (Note: this does not mean that IEEE 802.1X can't be used, just that detection and authentication are not limited to the devices and operating systems it supports.)
  • Extended Policy Capabilities — While legacy options did a good job of offering policy options for a restricted set of agent-supported clients, they were limited to that set (typically IEEE 802.1X or supported agents). With agentless operation, the NAC supports a wider range of devices, which increases the number of policy extensions that can be supported. This includes the ability to monitor and control, in real time, what a user, device or application is doing and/or is allowed to do on the network. This is done by building a contextual profile of each user and their associated device, applications in use, port, connected devices, etc.
  • Onboarding Support — One of the more time-consuming IT duties is provisioning new devices onto the network, and this grows considerably with support for Bring Your Own Device (BYOD). Modern NACs can automate the provisioning of these devices via a configurable portal.
  • Extended Guest Management — For certain businesses, a big part of their operation is how guests gain access to network assets without exposing private resources. Most legacy NAC appliances can limit the resources a guest has access to. Modern NAC appliances extend this by allowing guests to be given temporary access to specific internal resources after internal authorization, while being closely monitored by the NAC for out-of-the-ordinary behavior.
  • Extended Profile Support — While legacy NAC appliances could identify devices using authenticated user information, this was typically limited because a device logged in with a specific username was given the same privileges as the same user logged in on another device. This could be a problem if the other device was a personal device. Modern NACs can build a detailed profile from the available information, including username, authentication state, email address, IP address, MAC address, hostname, device type, operating system, antivirus status, and user/device behavior, among others.

For example, a user could be assigned a company laptop and a personal mobile phone. Modern NACs have the ability to alter the access of each device regardless of whether the user is the same between the two: the laptop could have access to all internal assets while the phone could be limited to email and Internet access.

  • Extended Endpoint Compliance — Modern NACs extend the agent-specific compliance checks that existed on many legacy solutions. Device health checks (patch level, virus scanner installed and updated, malware scanner installed and updated), software application updates, and supported-peripheral checks can be done without the need for an agent.
  • Advanced Threat Protection (ATP) and Mitigation — An important feature of a modern NAC is its ability to include or link into an Advanced Threat Protection and Mitigation system. Since the NAC is monitoring the users and devices on the network, it can potentially detect when they act outside of their expected behavior. These actions can then be mitigated automatically, without IT support interaction.
  • Expanded Monitoring and Reporting (Visibility) — Part of any good NAC (legacy or modern) is its ability to monitor the actions of network users and devices and report on what it sees. Modern NACs extend this capability by presenting the network and how the various users are behaving within a single, simple view and via expansive reporting options.

  • Extended System Integration and Interoperability — An important part of any modern NAC is its ability to link with other related systems. IT has been well known for having a number of different systems that each work well within their own sphere but not with others. Most modern high-end NACs can link with many of these other systems and work in unison with them. At a minimum, they should support integration with the following system types: Mobile Device Management (MDM), Security Information and Event Management (SIEM), Next Generation Firewalls (NGFW), and directory and database servers (e.g. LDAP/AD, Oracle, MySQL, SQL Server).
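The following is an added illustration, not code from any NAC product, of the two ideas the text combines: the endpoint posture checks (patch level, antivirus, firewall, restricted applications) and the contextual profile that lets the same user's corporate laptop and personal phone receive different network roles. The patch level threshold, restricted application names, device types and role names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Constructed policy values (hypothetical): a "current" OS patch level and a
# list of applications the organization does not allow on managed devices.
REQUIRED_OS_PATCH_LEVEL = 10
RESTRICTED_APPS = {"torrent-client", "remote-admin-tool"}


@dataclass
class Endpoint:
    """Contextual profile of one user+device pair, as a modern NAC would build it."""
    username: str
    device_type: str            # e.g. "corporate-laptop", "personal-phone", "printer"
    authenticated: bool
    os_patch_level: int = 0
    av_installed: bool = False
    av_updated: bool = False
    firewall_active: bool = False
    installed_apps: Set[str] = field(default_factory=set)
    corporate_owned: bool = False


def posture_failures(ep: Endpoint) -> List[str]:
    """Endpoint health checks: patches, antivirus, firewall, restricted apps."""
    failures = []
    if ep.os_patch_level < REQUIRED_OS_PATCH_LEVEL:
        failures.append("os-patches-outdated")
    if not (ep.av_installed and ep.av_updated):
        failures.append("av-missing-or-stale")
    if not ep.firewall_active:
        failures.append("firewall-inactive")
    bad = ep.installed_apps & RESTRICTED_APPS
    if bad:
        failures.append("restricted-apps:" + ",".join(sorted(bad)))
    return failures


def assign_role(ep: Endpoint) -> str:
    """Map the profile to a network role; device context matters even for the same user."""
    if ep.device_type == "printer":
        return "printer-vlan"       # agentless peripheral: profiled, not 802.1X-authenticated
    if not ep.authenticated:
        return "guest-portal"       # unknown user goes to guest onboarding
    if posture_failures(ep):
        return "quarantine"         # remediation network only until checks pass
    if ep.corporate_owned:
        return "full-internal"      # managed device with clean posture
    return "email-and-internet"     # personal (BYOD) device of a known user
```

The same user with a healthy corporate laptop lands in "full-internal", while their personal phone is limited to "email-and-internet" and a laptop with stale patches is quarantined for remediation.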