Intro to Modern NAC
What is Network Access Control?
It’s a simple question, right? Actually, NAC is a broad term in a category that is rapidly evolving. At a high level, NAC just describes a security policy in which specific devices receive differing levels of network access based on a given set of conditions. Early NAC solutions used 802.1X pre-authentication only, and had only basic options for how to implement access controls—typically in the form of an on/off switch. These early solutions are no longer relevant in the modern IT environment, with a vastly increasing number of headless Internet of Things (IoT) devices on networks everywhere. Modern NAC solutions are far more elegant. They have the ability to identify unique endpoints, collect large amounts of data from a wide variety of sources and use it to make highly informed decisions on how to best implement controls.
What to look for in a NAC solution
Security policies, network and IT systems designs and requirements vary wildly from organization to organization. That’s why you want to look for the solution that gives your organization the most options and flexibility to handle the countless unique situations that exist on corporate networks today—and those that will come tomorrow. Here are a few key capabilities to look for:
- Endpoint Data Visibility
The more data you can feed into your NAC solution, the more informed decisions it can make, and the more you can automate your network access control policy. For some environments, a router/switch vendor-agnostic solution is key, so make sure your network device vendors are fully supported by your intended NAC solution. Additionally, look for points of integration between your existing network and security tools, like vulnerability scanners or mobile device management solutions. Integrations such as these will allow your NAC solution to share data with these other tools, empowering both to make smarter security decisions. Lastly, make sure you can create your own custom integrations. This can be key to realizing a truly automated approach to access controls in any given environment.
- Inline vs. Out-of-Band
An inline solution can observe real-time network traffic, make decisions on properties and take actions at the network and transport layer to stop unwanted traffic. The downside is the extra time it takes all of your network traffic to enter or exit your internal networks. With an out-of-band solution, there is no impact on traffic entering or exiting your networks, but being able to see real-time network traffic becomes more of a challenge. Find a product that offers the benefits of both. In addition, make sure it is not entirely dependent on network traffic visibility to perform its core functions, as it’s unlikely in a large enterprise that one solution will be able to see all east/west traffic at all locations.
- Pre-Connect vs. Post-Connect
At a very high level, pre-connect means that access control decisions are made before a device is granted access to production resources. This approach prioritizes security over the user experience, as a NAC solution must authenticate, inspect or otherwise affirm system safety while the user waits. Classic 802.1X solutions, which strictly use authentication, fall into this category. Post-connect is the opposite, and the more common, modern approach, particularly for wired networks. Endpoints are allowed onto the production network and immediately inspected. If they don’t meet requirements, some or all of their access is removed. This approach favors user experience and uptime over ultimate security. Ideally, you want a system that can do both. For example, wireless networks should only have user systems on them, so a pre-connect 802.1X authentication approach best fits the bill. But wired networks have critical infrastructure or a user base that needs to stay productive 100 percent of the time, so a non-interrupting, post-connect background evaluation of all systems may be the better approach. Look for a product that doesn’t lock you down to one approach across all your networks.
- Agent vs. Remote Inspection
I know what you’re saying: “not another agent!” You don’t want to bog down your endpoints with another piece of software that has to be running all the time in order for it to gain network access. Find a solution that can inspect and manage endpoints remotely, without an agent at all, on as many operating systems as you can think of. But also, find one that has an agent, so that it can be used in those weird situations, such as old Windows XP systems, that must stay running to support your legacy applications. You may not be able to manage an XP system from the domain level, so in cases like these, you can gain deep inspection of the system with an agent. Ensure that the agent can be used like this, instead of a global switch requiring the use of agents everywhere or nowhere.
How a NAC solution implements controls describes its end-game capabilities for denying or restricting access to your network, and having multiple options is key to having an answer for every situation. Differing network implementations and configurations between local sites may make it impossible to standardize a basic network access control policy that blocks unwanted systems from the network. So, you want a solution that can restrict access at multiple levels of the OSI model, at least layers 1 through 4. Additionally, deep inspection of managed endpoints allows any number of compliance checks to be performed, and each compliance-based control could represent a very different network restriction from the others. For this, you want controls granular enough to separately and effectively target every use case without removing more network access than necessary and thereby impeding productivity.
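To make the pre-connect vs. post-connect split and the layered, per-check controls concrete, here is a small policy engine written for this post (it is not code from any NAC product). The endpoint attributes, the control names and the mapping of each control to an OSI layer are constructed assumptions; the engine authenticates wireless clients before granting access, evaluates wired clients after they are already on the network, and maps each failed compliance check to its own restriction, applying only the most severe one.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed mapping of control actions to the OSI layer they are enforced at:
# L1 disable the switch port, L2 reassign VLAN / reject 802.1X, L4 apply an ACL.
LAYER = {"port_shutdown": 1, "quarantine_vlan": 2, "deny": 2, "acl_restrict": 4, "allow": None}
SEVERITY = ["allow", "acl_restrict", "quarantine_vlan", "port_shutdown"]  # least to most

@dataclass
class Endpoint:
    mac: str
    network: str                       # "wired" or "wireless"
    dot1x_ok: bool                     # 802.1X authentication result
    managed: bool                      # inspectable via agent or remote inspection
    critical_vulns: int = 0            # fed from a vulnerability-scanner integration
    av_running: Optional[bool] = None  # None = no inspection data yet

def compliance_failures(ep: Endpoint) -> list:
    """Each failed check maps to its own restriction, so controls stay granular."""
    failures = []
    if not ep.managed and not ep.dot1x_ok:
        failures.append(("unauthenticated device that cannot be inspected", "port_shutdown"))
    elif not ep.managed:
        failures.append(("authenticated but cannot be inspected", "quarantine_vlan"))
    if ep.av_running is False:
        failures.append(("antivirus not running", "quarantine_vlan"))
    if ep.critical_vulns > 0:
        failures.append((f"{ep.critical_vulns} critical vulnerabilities open", "acl_restrict"))
    return failures

def decide(ep: Endpoint) -> dict:
    """Pre-connect on wireless (decide before access); post-connect on wired."""
    if ep.network == "wireless":
        action = "allow" if ep.dot1x_ok else "deny"
        return {"phase": "pre-connect", "action": action, "layer": LAYER[action],
                "reasons": [] if ep.dot1x_ok else ["802.1X authentication failed"]}
    # Wired: the device is already on the production network, so pick the single
    # most severe restriction among the failures rather than removing all access.
    failures = compliance_failures(ep)
    action = max((a for _, a in failures), key=SEVERITY.index, default="allow")
    return {"phase": "post-connect", "action": action, "layer": LAYER[action],
            "reasons": [r for r, _ in failures]}

if __name__ == "__main__":
    # Constructed sample endpoints
    print(decide(Endpoint("00:11:22:33:44:55", "wireless", dot1x_ok=False, managed=False)))
    print(decide(Endpoint("00:11:22:33:44:66", "wired", dot1x_ok=True, managed=True, critical_vulns=2)))
```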
Stay tuned for my next blog on 802.1X and the rising tide of IoT. I’ll explain how each has shaped access controls and how they fit into a modern access control strategy.