As organizations are increasingly focusing on interoperability and information sharing, IoT devices, virtual servers/cloud services, routers, switches, firewalls, and bring-your-own-device (BYOD) are being flocked to their networks periodically. This poses a cumbersome task for network guardians to authenticate and authorize the endpoints in a network.
In the present scenario wherein users can access business networks from virtually any part of the world via various technologies and devices, network administrators have felt the need to transition from conventional solutions like antivirus, spywares, and firewalls that can handle tasks like simple onboarding and guest management to advanced technologies like network access control (NAC) for attaining robust and dynamic role-based functionalities.
What is Network Access Control?
Network access control, generally known as NAC, is a tool used for controlling and managing network access based on compliance with a network and its policies. These policies are devised based on various parameters like user identity, device location, device health, among others.
With the megatrends of IoT devices and BYOD reshaping the network perimeters and increasing the vulnerability of systems, NACs play a vital role in identifying and securing endpoints by knowing who, when, where, and how a device has connected to a network. Technically, NAC basically conducts a pre- and post-connection risk assessment of any access control device that attempts to connect to a network by using policies triggered by predefined protocols.
Evolution of NAC
Earlier, NACs were based on the principle of authenticating and authorizing endpoints through a simple scan-and-block mechanism. With technological advancements, providers are offering network access control solutions to address the burgeoning need to manage and restrict guest access to enterprise networks.
Adding to the complexity are factors like the growing prevalence of smartphones & mobile devices; unregulated BYOD policies; and advent of IoT, lack of device configuration standardization for IoT and BYOD; possibility of myriad permutations of device type, brand, operating system, and security health status; and lack of enterprise grade security in the majority of devices that accentuate the complexity.
Thus, organizations have been opting for advanced NAC solutions that facilitate triage and quarantine functions in real-time without manual intervention.
Furthermore, the leap-frogging nature, intensity of security attacks, and growing need for scalability have augmented the demand for best-in-suite solutions to mitigate the risks of attacks and enable virtual as well as physical expansion in the future.
With massive proliferation of endpoints, NAC providers are developing advanced solutions. Security automation and orchestration solution (SA&O), agentless solutions capable of automated security orchestration, and others offer granular policies for both the user and the device, facilitate scalability, enable security orchestration and automation, and offer collation of security data at a central server for easy tracking.
Types of Network Access Controls
Organizations across the globe have been leveraging NAC systems to detect and protect against rogue devices. However, selection of the right product is an arduous task which includes scrutinizing network configuration compatibility, internal set up, and end users. Depending on the modus operandi of NACs, these systems are classified on the basis of characteristics and functionalities.
Based on design, NACs are of two types, i.e., pre-admission NAC and post-admission NAC. The former is based on the principle of inspecting end stations prior to being allowed on the network. While, the latter is used for making enforcement decisions based on user actions after their entry into the network.
Another fundamental difference in NAC systems depends on the need to use agent software to report end system characteristics. Such systems continuously operate in the background of the device to monitor security compliance, and send updates to the policy server. The second, which being a more advanced form, is the agentless NAC that does not require end point agents to authenticate and manage devices.
These systems ensure compliances at both endpoints before a user is granted access to the network. However, the major drawback of this system is that users are authorized by assessing the network traffic. This can make it easier for cyber criminals to gain unauthorized access to the network.
The third point of classification is based on the use of agents on end stations. Agent software is used on end systems to enforce policies, and report lapses to a central console through switches. This type of NACs are known as out-of-band systems. In contrast, there are inline solutions or single box solutions, which secure the network by acting as an internal firewall in access layer networks, and enforce policies in case of an intrusion.
Depending on the need to deploy software or hardware appliances, NACs are categorized into hardware-based network access control and dynamic network access control. The former uses a device, which is preinstalled on the network, and operates in accordance with the network traffic.
The major limitation of this type is the periodic need to make changes in infrastructure and operational practices to permit defined access to end users. Moreover, the chances of failure are higher than other systems due to the constant changes in server configuration.
Alternately, dynamic NACs neither require software or hardware installations nor changes in the network configuration. It works on specific computers that are connected to a local area network, which are considered to be trusted systems. In case of an unauthorized user trying to gain entry into the network, the trusted systems would not grant access, and subsequently communicate the information to the main server.
Can a Legitimate User be Denied Access?
NAC products are deployed to prevent some legitimate clients from gaining access to an enterprise network. This process is known as remediation. Thus, network access control solutions need a way to remediate such end-user problems that deny access. The two common ways of remediation include quarantine networks and captive portals.
A quarantine network provides routed access to only certain hosts and applications. It is implemented via VLAN assignment. While, a captive portal prevents HTTP access to web pages, and redirects users to a web application that provides instructions and tools for updating their computer. Until their computer passes the inspection, it cannot gain entry to the network, but would have access to the captive portal.
How Does NAC Work?
NAC system, when deployed, first creates an inventory of the devices connected to the network, categorizes them based on attribute, and implements policies based on predefined rules created by the internal security team.
NAC products control the type and level of access to all the devices connected to the NAC network on a per NAC device basis, and also enable granular control for every action to ensure compliance with the internal policies. These controls are triggered by predefined policies configured in a central control system. Some policies are based on creating a whitelist of media access control (MAC) addresses, which makes it difficult for intruders to connect to the network.
The Cost Factor
NAC systems are available as either physical devices or VMware-based virtual appliances. The cost of these systems mainly depends on the number of endpoints required to be handled. However, on an average, these systems have an upfront cost of about $12,000–$30,000. Added to this, there are other support costs ranging around $2,500–$3,000 per annum, apart from the costs involved in imparting training to personnel for managing the product.
The true cost of deploying a network access control system also depend on other factors like installing add-on modules; support costs, including training; and staff time. Generally, NAC vendors centrally manage these systems using an NAC appliance or virtual machine. While, some vendors include training as a part of their package to demonstrate the features of the equipment, configuring policies, and alerting systems.
With security threats growing and changing at a frantic pace, and the daunting task of combating zero-day exploits, organizations are facing a formidable challenge of deploying real-time automated threat response systems. Advancements in NAC systems have assisted organizations to promote scalability and augment visibility, control, and response to the avalanche of threats and alerts.
With the burgeoning number of devices trying to gain access to networks and the plethora of security threats haunting enterprises, it is essential for them to deploy solutions that are robust and provide dynamic role-based permissions for easily and automatically accommodating users and devices to the network as the same time maintaining NAC security.
Nevertheless, organizations need to understand that NAC is not a silver bullet that can protect their network against all types of threats, rather it should be used along with other systems, such as intrusion prevention system (IPS), mobile device management (MDM), next-generation firewall (NGFW), security information and event management (SIEM), and threat detection software to ensure complete network access protection.
On the global scale, the NAC market is catered by two key players, viz. ForeScout Technologies and Cisco Systems, Inc. The other providers in the sector include Microsoft, Auconet Inc., Avaya Inc., Bradford Networks, Extreme Networks Inc., Hewlett Packard Enterprise Development LP, Impulse Point, Key Innovator, Portnofx, and Pulse Secure, LLC.
Written by Soumya Das, Editor at Progressive Markets.