Network Access Control: A Paramount for the Cybersecurity Industry
Guest WriterGuest Writer
As organizations are increasingly focusing on interoperability and information sharing, IoT devices, virtual servers/cloud services, routers, switches, firewalls, and bring-your-own-device (BYOD) are being flocked to their networks periodically. This poses a cumbersome task for network guardians to authenticate and authorize the endpoints in a network.
In the present scenario wherein users can access business networks from virtually any part of the world via various technologies and devices, network administrators have felt the need to transition from conventional solutions like antivirus, spywares, and firewalls that can handle tasks like simple onboarding and guest management to advanced technologies like network access control (NAC) for attaining robust and dynamic role-based functionalities.
With the megatrends of IoT devices and BYOD reshaping the network perimeters and increasing the vulnerability of systems, NACs play a vital role in identifying and securing endpoints by knowing who, when, where, and how a device has connected to a network. Technically, NAC basically conducts a pre- and post-connection risk assessment of any access control device that attempts to connect to a network by using policies triggered by predefined protocols.
Adding to the complexity are factors like the growing prevalence of smartphones & mobile devices; unregulated BYODÂ policies; and advent of IoT, lack of device configuration standardization for IoT and BYOD; possibility of myriad permutations of device type, brand, operating system, and security health status; and lack of enterprise grade security in the majority of devices that accentuate the complexity.
Thus, organizations have been opting for advanced NAC solutions that facilitate triage and quarantine functions in real-time without manual intervention.
Furthermore, the leap-frogging nature, intensity of security attacks, and growing need for scalability have augmented the demand for best-in-suite solutions to mitigate the risks of attacks and enable virtual as well as physical expansion in the future.
With massive proliferation of endpoints, NAC providers are developing advanced solutions. Security automation and orchestration solution (SA&O), agentless solutions capable of automated security orchestration, and others offer granular policies for both the user and the device, facilitate scalability, enable security orchestration and automation, and offer collation of security data at a central server for easy tracking.
Based on design, NACs are of two types, i.e., pre-admission NAC and post-admission NAC. The former is based on the principle of inspecting end stations prior to being allowed on the network. While, the latter is used for making enforcement decisions based on user actions after their entry into the network.
Another fundamental difference in NAC systems depends on the need to use agent software to report end system characteristics. Such systems continuously operate in the background of the device to monitor security compliance, and send updates to the policy server. The second, which being a more advanced form, is the agentless NAC that does not require end point agents to authenticate and manage devices.
These systems ensure compliances at both endpoints before a user is granted access to the network. However, the major drawback of this system is that users are authorized by assessing the network traffic. This can make it easier for cyber criminals to gain unauthorized access to the network.
The third point of classification is based on the use of agents on end stations. Agent software is used on end systems to enforce policies, and report lapses to a central console through switches. This type of NACs are known as out-of-band systems. In contrast, there are inline solutions or single box solutions, which secure the network by acting as an internal firewall in access layer networks, and enforce policies in case of an intrusion.
Depending on the need to deploy software or hardware appliances, NACs are categorized into hardware-based network access control and dynamic network access control. The former uses a device, which is preinstalled on the network, and operates in accordance with the network traffic.
The major limitation of this type is the periodic need to make changes in infrastructure and operational practices to permit defined access to end users. Moreover, the chances of failure are higher than other systems due to the constant changes in server configuration.
Alternately, dynamic NACs neither require software or hardware installations nor changes in the network configuration. It works on specific computers that are connected to a local area network, which are considered to be trusted systems. In case of an unauthorized user trying to gain entry into the network, the trusted systems would not grant access, and subsequently communicate the information to the main server.
A quarantine network provides routed access to only certain hosts and applications. It is implemented via VLAN assignment. While, a captive portal prevents HTTP access to web pages, and redirects users to a web application that provides instructions and tools for updating their computer. Until their computer passes the inspection, it cannot gain entry to the network, but would have access to the captive portal.
NAC products control the type and level of access to all the devices connected to the NAC network on a per NAC device basis, and also enable granular control for every action to ensure compliance with the internal policies. These controls are triggered by predefined policies configured in a central control system. Some policies are based on creating a whitelist of media access control (MAC) addresses, which makes it difficult for intruders to connect to the network.
The true cost of deploying a network access control system also depend on other factors like installing add-on modules; support costs, including training; and staff time. Generally, NAC vendors centrally manage these systems using an NAC appliance or virtual machine. While, some vendors include training as a part of their package to demonstrate the features of the equipment, configuring policies, and alerting systems.
With the burgeoning number of devices trying to gain access to networks and the plethora of security threats haunting enterprises, it is essential for them to deploy solutions that are robust and provide dynamic role-based permissions for easily and automatically accommodating users and devices to the network as the same time maintaining NAC security.
Nevertheless, organizations need to understand that NAC is not a silver bullet that can protect their network against all types of threats, rather it should be used along with other systems, such as intrusion prevention system (IPS), mobile device management (MDM), next-generation firewall (NGFW), security information and event management (SIEM), and threat detection software to ensure complete network access protection.
On the global scale, the NAC market is catered by two key players, viz. ForeScout Technologies and Cisco Systems, Inc. The other providers in the sector include Microsoft, Auconet Inc., Avaya Inc., Bradford Networks, Extreme Networks Inc., Hewlett Packard Enterprise Development LP, Impulse Point, Key Innovator, Portnofx, and Pulse Secure, LLC.
Written by Soumya Das, Editor at Progressive Markets.
The Most Comprehensive IoT Newsletter for Enterprises
Showcasing the highest-quality content, resources, news, and insights from the world of the Internet of Things. Subscribe to remain informed and up-to-date.
New Podcast Episode
Recent Articles