Network Access Control (NAC) – keeping the devices and users where they belong.
I work in a lot of network environments and I see a lot of different approaches to security and networking. One constant I have found is that all IT professionals struggle to adequately identify and secure the devices that may be on their network. Aside from having insane levels of security and prohibitive onboarding practices for devices, it is almost impossible to dynamically assign network access without the use of a network access control solution. I will dive into the basics with my mostly vendor agnostic explanation.
What a NAC is.
At the most fundamental level, network access control systems are designed to help identify devices and users on your network and then do something with the identification. The solution often integrates with most directory or identity providers. It can be used for authentication, authorization, and access. (AAA) The system can leverage hard-coded attributes of the user or device and enforce a security posture to them. The NAC can also leverage other components like how the device is connecting, where the devices are connecting from, and other more nuanced dynamic characteristics of the connectivity and identity.
What the system does with that information is the most important part. As an example, it is rare that every person in a business network should have the same access. However, it is not rare that many people in a department or division would have very comparable access or restrictions. Similarly, devices that are generally doing the same job likely require identical network access. If the NAC can leverage user attributes like department or division then it can use similar attributes for a device. It understands that an HVAC air handler requires the same access as was assigned to the other air handlers that share the same device attributes.
With the use of what some vendors call roles with enforcement policies, one can automate the application of access based on identity. This allows for a scalable solution that can deliver the same application of security without the intervention of an administrator for every network connection. This concept is called role-based access.
I use the term application of security very loosely because each vendor accomplishes this task in different ways. Some will tunnel the user traffic to a firewall or wireless controller and apply stateful firewall policies to the user traffic. Others will change the network or VLAN the device is on so that the access is restricted to that network segment. Some rely on client-side software to enforce the application of a role assigned from the NAC.
Other helpful things a NAC can do
- Integrate with endpoint AV software to assess the vulnerability of a client and use that as an attribute for access.
- Apply the same security posture to both wired and wireless clients.
- Centralize the administration and logging for all AAA exchanges.
- Integrate with edge firewalls from Cisco, Palo Alto, Fortinet, and others
What a NAC is not
A network access control solution is not the panacea that will make all your aliments cease. NACs by themselves hold a great deal of machine learning potential. It does require some semblance of initial administration to create the logic by which they will apply the enforcement of policies from. They are not infallible. Like any computing system, they do need some TLC when first deployed. Once they are up and running, you can sleep easier at night knowing that there is an intelligent application of security for anything connecting to your network.
Here are a few other things they cannot do
- NACs are not meant for IP address management. I see a lot of people trying to use them as this and most are ill-suited for the task. Just because it has a record of the IP address does not mean it should be used as a database.
- They are not plug and play. No matter what the vendor tells you it will be a very involved deployment.
- Not every NAC integrates with every other product. Each vendor has their own special sauce that makes using their NAC with their equipment more appealing. Cisco, Aruba, FortiNet all have features that are only available when you are using their equipment with their NAC.
I would recommend a NAC to anyone who runs a network with more than 100 users. If we assume that each person will likely have three computing devices, then that is 300 end-user devices. Not all of them being corporate-owned and managed, we would need to delineate access for each user group and device type. We will then need to ascertain if we want to apply different security based on how the device/user connects or if the device presents a risk to the company. This sounds like a lot of work and it can be. But, the work would only need to be done one time if we were programming logic into a NAC solution.
Best application of NACs
- Securing wired ports – We all know that users will bring in devices from home to use so why not protect your environment from the inevitable.
- Wireless for everybody – Just because the device is connected to the same SSID as all the other devices, it does not have to mean that they have the same security applied or are on the same logical network.
- Dynamic logins for your most sensitive devices – Securing your switches, routers, and firewalls with Radius or TACACS+ is how you protect against getting hacked from the inside.
This is not meant as a comprehensive analysis of each of the major players in the marketplace. In fact, there are some decent open source and free NAC-like products out there that are relatively capable. Most of those do not support machine learning and cannot identify devices very well. However, they can provide authentication and authorization functions.
At the very least my hope was to impress upon anyone in the market that a NAC is a very necessary and essential component to your security arsenal. The days of having the same login for every switch and router are long behind us. Treating every user and device the same is also a thing of the past. If you desire the scalability that a network access solution provides, I suggest you reach out to your partner of choice. Inquire about what products they offer in this security space. Zunesis is available to help you find the right partner for your organization.