I work in a lot of network environments and I see a lot of different approaches to security and networking. One constant I have found is that IT professionals everywhere struggle to adequately identify and secure the devices that show up on their networks. Short of extreme security controls and prohibitive device-onboarding practices, it is almost impossible to assign network access dynamically without a network access control (NAC) solution. Below I dive into the basics with a mostly vendor-agnostic explanation.
At the most fundamental level, a network access control system is designed to identify the devices and users on your network and then do something with that identification. The solution usually integrates with the directory or identity provider you already run, and it provides the classic AAA functions: authentication (who or what is connecting), authorization (what it is allowed to reach), and accounting (a record of the session). The system can use static attributes of the user or device, such as group membership or device type, and enforce a security posture based on them. It can also factor in how the device is connecting, where it is connecting from, and other more nuanced, dynamic characteristics of the connection and the identity.
What the system does with that information is the most important part. It is rare that everyone on a business network should have the same access. It is not rare, however, for many people in a department or division to need very comparable access or restrictions. Likewise, devices that do the same job generally need identical network access. If the NAC can use user attributes like department or division, it can use equivalent attributes for a device: a newly discovered HVAC air handler gets the same access as the other air handlers that share its device attributes.
Using what some vendors call roles, paired with enforcement policies, you can automate the application of access based on identity. This gives a scalable solution that applies the same security consistently without an administrator intervening for every network connection. The concept is role-based access control.
I use the phrase application of security loosely because each vendor accomplishes it differently. Some tunnel the user's traffic to a firewall or wireless controller and apply stateful firewall policies to it. Others move the device to a different network or VLAN so that its access is restricted to that segment. Some rely on client-side software (an agent) to enforce the role the NAC assigned. Each approach has a practical consequence: VLAN assignment only works if the switch or controller honours the attributes the NAC returns, and agent-based enforcement only covers devices that can run the agent, which rules out most headless or IoT equipment.
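To make the role-based mapping from the previous paragraphs concrete, here is a small Python policy engine. It is an added example, not code from any NAC vendor or from the original post: the roles, VLAN IDs, ACL names, directory attributes and endpoints are all constructed for illustration. It evaluates identity plus connection context (medium, managed status, posture) against an ordered rule list, assigns a role, and renders that role as the RADIUS attributes a switch or wireless controller would apply in the VLAN-based enforcement model (the RFC 3580 VLAN assignment attributes plus a Filter-Id naming an ACL).

```python
"""Toy NAC policy engine: identity + context -> role -> enforcement attributes.

Added example; the roles, VLAN IDs, ACL names and endpoints below are
constructed for illustration and do not come from any vendor product.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Endpoint:
    """What the NAC knows about one connection attempt."""
    identity: str            # user principal or device identity
    department: str          # directory attribute; "" for headless devices
    device_type: str         # profiler classification, e.g. "laptop", "hvac-controller"
    corporate_managed: bool  # enrolled in the organisation's management platform
    medium: str              # how it connects: "wired", "wireless" or "vpn"
    posture_ok: bool         # posture / health check result (True if none is required)


@dataclass(frozen=True)
class Role:
    """An enforcement outcome: the segment the device lands in and the filter on it."""
    name: str
    vlan: int
    acl: str


@dataclass(frozen=True)
class Rule:
    role: Role
    matches: Callable[[Endpoint], bool]


# Hypothetical roles. VLAN numbers and ACL names are placeholders.
QUARANTINE = Role("quarantine", 999, "acl-remediation-only")
GUEST = Role("guest", 900, "acl-internet-only")
IOT_HVAC = Role("iot-hvac", 300, "acl-bms-only")
FINANCE = Role("finance", 110, "acl-finance")
FINANCE_REMOTE = Role("finance-remote", 111, "acl-finance-vpn")
STAFF = Role("staff", 100, "acl-corp-standard")

# Evaluated top to bottom; first match wins. The order is the policy:
# risk checks come before convenience, so a non-compliant managed laptop
# lands in quarantine even though its owner is in Finance.
RULES: List[Rule] = [
    Rule(QUARANTINE, lambda e: e.corporate_managed and not e.posture_ok),
    Rule(IOT_HVAC, lambda e: e.device_type == "hvac-controller"),
    Rule(FINANCE_REMOTE, lambda e: e.corporate_managed
         and e.department == "Finance" and e.medium == "vpn"),
    Rule(FINANCE, lambda e: e.corporate_managed and e.department == "Finance"),
    Rule(STAFF, lambda e: e.corporate_managed and e.department != ""),
]


def assign_role(endpoint: Endpoint) -> Role:
    """Map an endpoint to a role. Anything no rule claims is treated as a guest."""
    for rule in RULES:
        if rule.matches(endpoint):
            return rule.role
    return GUEST


def radius_attributes(role: Role) -> Dict[str, str]:
    """Render a role as the RADIUS attributes an enforcement point applies.

    Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) together with
    Tunnel-Private-Group-ID are the standard VLAN assignment from RFC 3580;
    Filter-Id (RFC 2865) names an ACL the switch or controller already holds.
    """
    return {
        "Tunnel-Type": "13",
        "Tunnel-Medium-Type": "6",
        "Tunnel-Private-Group-ID": str(role.vlan),
        "Filter-Id": role.acl,
    }


def authorize(endpoint: Endpoint) -> Dict[str, str]:
    """Authorization decision: the Access-Accept attributes for one endpoint."""
    return radius_attributes(assign_role(endpoint))


# Constructed endpoints covering the cases discussed in the text.
SAMPLE_ENDPOINTS = {
    "finance laptop, wired": Endpoint("alice@corp.example", "Finance", "laptop", True, "wired", True),
    "same laptop over VPN": Endpoint("alice@corp.example", "Finance", "laptop", True, "vpn", True),
    "finance laptop, failed posture": Endpoint("alice@corp.example", "Finance", "laptop", True, "wireless", False),
    "second HVAC air handler": Endpoint("hvac-ahu-07", "", "hvac-controller", False, "wired", True),
    "personal phone": Endpoint("bob-iphone", "", "phone", False, "wireless", True),
}

if __name__ == "__main__":
    for label, ep in SAMPLE_ENDPOINTS.items():
        print(f"{label:32} -> {assign_role(ep).name:15} {authorize(ep)}")
```

Two design points carry over to a real deployment. First, the rule order is the security policy: the posture check sits above the department rules so that a failed health check always wins, and the default for anything no rule recognises is the most restrictive useful role rather than the most permissive one. Second, the same user gets a different role depending on how she connects (wired versus VPN), which is the "how the device is connecting" context mentioned earlier; a NAC that only looks at the directory group cannot express that.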
A network access control solution is not a panacea that will make all your ailments cease. Many NACs include device-profiling features (often marketed as machine learning) that help identify what is connecting, but they still need some initial administration to build the logic they will enforce. They are not infallible, and like any computing system they need some TLC when first deployed. Once they are up and running, you can sleep easier knowing that an intelligent, consistent policy is applied to anything connecting to your network.
I would recommend a NAC to anyone who runs a network with more than 100 users. If we assume each person has three computing devices, that is 300 end-user devices, not all of them corporate-owned and managed. We would need to delineate access for each user group and device type, and then decide whether to apply different security based on how the device or user connects, or on whether the device presents a risk to the company. This sounds like a lot of work, and it can be. But most of that work is done once, when the logic is programmed into the NAC; after that, every new connection is handled by the policy rather than by an administrator.
This is not meant as a comprehensive analysis of each of the major players in the marketplace. In fact, there are some decent open source and free NAC-like products that are relatively capable. Most of them lack the machine-learning-style profiling of the commercial products and cannot identify devices very well, but they can provide the authentication and authorization functions.
At the very least, my hope is to impress upon anyone in the market that a NAC is a necessary and essential component of your security arsenal. The days of having the same login for every switch and router are long behind us. Treating every user and device the same is also a thing of the past. If you want the scalability that a network access control solution provides, reach out to your partner of choice and ask what products they offer in this security space. Zunesis is available to help you find the right partner for your organization.