In today’s digitally driven world, businesses are becoming increasingly reliant on network connectivity to operate effectively. But with increased connectivity also comes increased risk exposure. Cyberattacks are on the rise, and more businesses are succumbing to security breaches, data loss, and other security-related issues. In fact, cybercrime damages are expected to reach $10.5 trillion by 2025. 

Your ability to protect your network from cyberattacks and unauthorized access while maintaining network performance and compliance with regulatory requirements is not a nice-to-have—it’s essential. With a Network Access Control (NAC) system in place, you can safeguard your network infrastructure and your data while maintaining business continuity.

5 Reasons to Implement a Network Access Control System

NAC is a security solution that restricts access to network resources based on users’ identities, roles, and devices. Today, more businesses are turning to NAC solutions, and here’s why:

1. Improve security: Cyberattacks are a significant threat to businesses of all sizes. Cyber hackers are always looking for new vulnerabilities that make it easy to install malware, access sensitive data, and disrupt business operations. By preventing unauthorized access to your network to protect sensitive data and prevent malicious attacks, network access control systems provide an added layer of security for greater peace of mind. NAC systems can also be used to enforce security policies that ensure only authorized users can access the network. Even if a cyber hacker gets through one layer of security, they will be faced with additional security measures that make it infinitely more difficult to launch an attack.
2. Comply with regulatory requirements: Many industries have strict data protection and privacy regulatory requirements—and failure to comply can result in lofty fines and a tarnished reputation. NAC systems enforce security policies that restrict access to the network based on predefined rules, ensuring only authorized users and devices can access the network. Plus, with the ability to deliver greater visibility and control over all devices that connect to the network, NAS makes it easy for you to monitor and manage the access of devices across the network—and automatically remove a non-compliant or malicious device. And with simpler auditing and reporting capabilities, NAS also simplifies auditing and reporting to support various regulations and standards.
3. Improve performance: Offering a secure and efficient network environment, NAC solutions can help businesses optimize network performance and productivity. As network traffic increases, its performance can take a hit, disrupting operations. By reducing the number of unauthorized devices that connect to the network and ensuring critical business traffic receives priority over non-critical traffic, NAC solutions help to reduce network congestion to boost performance. And with the ability to identify and address issues with connected devices before they create a problem, NAC also improves uptime.
4. Simplify network management: NAC solutions offer a centralized approach to network security, making it easy for administrators to easily control and monitor access to the network and enforce security policies. By automating the process of identifying and authenticating users and devices, NAC eliminates the need for manual configuration and management of network devices, which minimizes the risk of human error, reduces the workload on IT teams, and improves overall network security.
5. Boost productivity: NAC solutions ensure only authorized users can access the resources they need, which reduces the risk of data breaches and other security incidents that can lead to network downtime and lost productivity. By providing visibility into all devices that connect to the network, your IT team can quickly resolve issues and enforce security policies, which allows employees to work with confidence and without interruption.

By implementing an NAC system, your IT team can ensure the network is secure, reliable, and always available, while supporting regulatory compliance, network management, and network performance.

At Zunesis, we can help you protect your network infrastructure, safeguard sensitive data, and maintain business continuity with ClearPass from Aruba, a leading provider of NAC solutions that help businesses secure their network infrastructure while ensuring compliance with regulatory requirements. Providing robust network access control with granular role-based policies for authentication, authorization, continuous monitoring and enforcement, Aruba ClearPass gives you anywhere, anytime connectivity while supporting simplified network security operations and enforcing security policies.

Network Access Control (NAC) – keeping the devices and users where they belong.

I work in a lot of network environments and I see a lot of different approaches to security and networking.  One constant I have found is that all IT professionals struggle to adequately identify and secure the devices that may be on their network.  Aside from having insane levels of security and prohibitive onboarding practices for devices, it is almost impossible to dynamically assign network access without the use of a network access control solution.  I will dive into the basics with my mostly vendor agnostic explanation.

 

What a NAC is.

At the most fundamental level, network access control systems are designed to help identify devices and users on your network and then do something with the identification. The solution often integrates with most directory or identity providers. It can be used for authentication, authorization, and access. (AAA) The system can leverage hard-coded attributes of the user or device and enforce a security posture to them.  The NAC can also leverage other components like how the device is connecting, where the devices are connecting from, and other more nuanced dynamic characteristics of the connectivity and identity.

What the system does with that information is the most important part. As an example, it is rare that every person in a business network should have the same access. However, it is not rare that many people in a department or division would have very comparable access or restrictions. Similarly, devices that are generally doing the same job likely require identical network access.  If the NAC can leverage user attributes like department or division then it can use similar attributes for a device. It understands that an HVAC air handler requires the same access as was assigned to the other air handlers that share the same device attributes.

 

Enforcement Policies

With the use of what some vendors call roles with enforcement policies, one can automate the application of access based on identity.  This allows for a scalable solution that can deliver the same application of security without the intervention of an administrator for every network connection. This concept is called role-based access.

I use the term application of security very loosely because each vendor accomplishes this task in different ways. Some will tunnel the user traffic to a firewall or wireless controller and apply stateful firewall policies to the user traffic. Others will change the network or VLAN the device is on so that the access is restricted to that network segment.  Some rely on client-side software to enforce the application of a role assigned from the NAC. 

Other helpful things a NAC can do

• Integrate with endpoint AV software to assess the vulnerability of a client and use that as an attribute for access.
• Apply the same security posture to both wired and wireless clients.
• Centralize the administration and logging for all AAA exchanges.
• Integrate with edge firewalls from Cisco, Palo Alto, Fortinet, and others

What a NAC is not

A network access control solution is not the panacea that will make all your aliments cease.  NACs by themselves hold a great deal of machine learning potential. It does require some semblance of initial administration to create the logic by which they will apply the enforcement of policies from.  They are not infallible.  Like any computing system, they do need some TLC when first deployed. Once they are up and running, you can sleep easier at night knowing that there is an intelligent application of security for anything connecting to your network.

Here are a few other things they cannot do

• NACs are not meant for IP address management. I see a lot of people trying to use them as this and most are ill-suited for the task. Just because it has a record of the IP address does not mean it should be used as a database.
• They are not plug and play. No matter what the vendor tells you it will be a very involved deployment.
• Not every NAC integrates with every other product. Each vendor has their own special sauce that makes using their NAC with their equipment more appealing. Cisco, Aruba, FortiNet all have features that are only available when you are using their equipment with their NAC.

Use Cases

I would recommend a NAC to anyone who runs a network with more than 100 users.  If we assume that each person will likely have three computing devices, then that is 300 end-user devices.  Not all of them being corporate-owned and managed, we would need to delineate access for each user group and device type. We will then need to ascertain if we want to apply different security based on how the device/user connects or if the device presents a risk to the company.  This sounds like a lot of work and it can be. But, the work would only need to be done one time if we were programming logic into a NAC solution.

 

Best application of NACs

• Securing wired ports – We all know that users will bring in devices from home to use so why not protect your environment from the inevitable.
• Wireless for everybody – Just because the device is connected to the same SSID as all the other devices, it does not have to mean that they have the same security applied or are on the same logical network.
• Dynamic logins for your most sensitive devices – Securing your switches, routers, and firewalls with Radius or TACACS+ is how you protect against getting hacked from the inside.

This is not meant as a comprehensive analysis of each of the major players in the marketplace. In fact, there are some decent open source and free NAC-like products out there that are relatively capable.  Most of those do not support machine learning and cannot identify devices very well. However, they can provide authentication and authorization functions.

At the very least my hope was to impress upon anyone in the market that a NAC is a very necessary and essential component to your security arsenal.  The days of having the same login for every switch and router are long behind us. Treating every user and device the same is also a thing of the past. If you desire the scalability that a network access solution provides, I suggest you reach out to your partner of choice. Inquire about what products they offer in this security space. Zunesis is available to help you find the right partner for your organization.

Network Management Suites available today through HPE

 

Network management has been around since the dawn of networking. In the early days, companies like Cisco and Hewlett Packard Enterprise (HPE) would create their own proprietary management software to manage their switching products (i.e. Procurve Manager was originally an HPE-only tool until it was updated with limited 3^rd party support).

 

This all changed in the early 2000’s when a protocol called SNMP (Simple Network Management Protocol) was standardized and introduced to switches. This allowed the management plane of the switch to communicate live statistics such as response times, CPU utilization, etc., back to a centralized network management solution in an open-standards manner. It also allowed network admins to have a “single pane of glass” into the basic statistics of their multi-vendor network. SNMP has gone through various revisions to this day but the basic principle remains the same – allowing network admins to manage a multivendor network environment from one tool.

 

 

How They’re the Same:

 

Airwave and IMC both utilize SNMP to communicate with 3^rd party devices, and both have an extensive list in the thousands of devices that are supported from 3^rd party vendors from Cisco to Netgear.

 

 

How They’re Different:

 

The product differentiation comes down to how these tools will be utilized by the Network Admins:

 

Airwave

Airwave is directed more at “campus” environments (think carpeted office space, K-12, higher ed campuses, etc.) due to how easy it is to use compared to the more daunting setup involved in IMC. Another reason for this positioning is because Airwave is a much more capable wireless management tool, giving customers much better insight into the health of their wireless network then IMC can provide.

 

An example of this would be the VisualRF plugin in Airwave. VisualRF provides a real-time view of their RF coverage and client positioning. This visual tool allows network engineers to see their actual RF coverage inside of a building, giving them a good idea of any existing gaps in coverage that they might need to add an additional AP to support. Airwave is licensed per device on the network, and those licenses give you access to the full software suite.

 

IMC

Intelligent Management Center, or IMC, is committed to being a true “nuts and bolts” engineer tool, even allowing access to IMC’s APIs, giving customers the freedom to program their own modules within the platform. For this reason, HPE has started positioning this as more of a Datacenter focused “NOC” (networks operation center) tool.

 

Administrators can get much more in depth with the types of SNMP traps, alarms/alerting, and even the types of information that can be reported on with the tool. The initial setup is much more intensive than an Airwave deployment, and the interface is much less user friendly than Airwave, However, you can get extremely detailed real-time information out of the IMC platform – especially when it’s monitoring Aruba (ProCurve) or Comware switches. An example of this would be the QoS Manager plugin, which gives network administrators the ability to define a new global policy or make changes to an existing QoS policy and push those changes out to the network.

 

Currently, the only wireless management that IMC supports is for the legacy HPE wireless solutions MSM and Unified Wireless, but an “Airwave plugin” is in the works to bridge the gap to include Aruba wireless deployments. IMC is sold as modular software – the base platform is very capable; but to get some specific functionality, such as the QoS Management, you need to license the module. IMC is also licensed by device count in the base platform; however, some of the modules have different licensing schemes.

 

HPE has committed to continued product development on both platforms. As of right now, there are no early warning signs of one product cannibalizing the other. Choosing which product is rightyou’re your environment really depends on what you are hoping to get out of the platform. If you’re looking for something that’s easy to use with awesome built-in reporting, look into Airwave. If, on the other hand, you need an extremely customizable tool that can report on virtually any network statistic under the sun, IMC is your ticket. If you’re not sure which is the better fit for your organization, we are happy to sit down, discuss your needs, and dive deeper into the platforms in order to make the appropriate recommendation.