
Network Access Control

INTRODUCTION
Network access control is the act of keeping unauthorized users and devices out of a private network.
Organizations that give certain devices or users from outside of the organization occasional access to the
network can use network access control to ensure that these devices meet corporate security compliance
regulations.
Network security protects the functionality of the network, ensuring that only authorized users and devices
have access to it.
Network access control, or NAC, is one aspect of network security. There are many NAC tools available, and
the functions are often performed by a network access server. Effective network access control restricts access
to only those devices that are authorized and compliant with security policies, meaning they have all the
required security patches and anti-intrusion software. Network operators define the security policies that
decide which devices or applications comply with endpoint security requirements and will be allowed network
access.
Common use cases for NAC

If an organization’s security policy allows any of the following circumstances, they need to think carefully about
network access control to ensure enterprise security:
• Bring Your Own Device (BYOD): Any organization that allows employees to use their own devices or take
corporate devices home needs to think beyond the firewall to ensure network security. Each device creates a
vulnerability that could make it possible for cyber criminals to get around traditional security controls.
• Network access for non-employees: Some organizations need to grant access to people or devices that are
outside of the organization and not subject to the same security controls. Vendors, visitors, and contractors
may all need access to the corporate network from time to time, but not to all parts of the network and not
every day.
• Use of IoT devices: The Internet of Things has given rise to a proliferation of devices that may fly under the
radar of traditional security controls, often residing outside of the physical corporate building, but still
connected to the corporate network. Without adequate network access controls, cyber criminals can easily
exploit these overlooked devices to find their way into the heart of the network. Network access control is an
important aspect of edge security solutions.
Example

When a computer connects to a computer network, it is not permitted to access anything unless it complies
with a business-defined policy, including anti-virus protection level, system update level and configuration.
While the computer is being checked by a pre-installed software agent, it can only access resources that can
remediate (resolve or update) any issues. Once the policy is met, the computer is able to access network
resources and the Internet, within the policies defined by the NAC system. NAC is mainly used for endpoint
health checks, but it is often tied to role-based access: access to the network is given according to the
profile of the person and the results of a posture/health check. For example, in an enterprise the HR
department could access only HR department files, and only if both the role and the endpoint meet the
anti-virus minimums.
Types Of NAC

i. Pre-admission: The first type of network access control is called pre-admission because it happens
before access to the network is granted, when a user or endpoint device initiates a request to access a
network. A pre-admission network control evaluates the access attempt and only allows entry if the
device or user making the request can prove they are in compliance with corporate security policies
and are authorized to access the network.
ii. Post-admission: Post-admission network access control happens within the network, when the user
or device tries to enter a different part of the network. If the pre-admission network access control
fails, the post-admission network access control can restrict lateral movement within the network and
limit the damage from a cyberattack. A user or device must re-authenticate upon each request to
move to a different part of the network.
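The posture-check flow from the Example section and the pre-/post-admission distinction above, as an added illustration that is not from the original document: a connecting endpoint is held on remediation-only resources until its agent reports compliance, and is then granted only the resources of its role, with the decision re-evaluated on every move to another part of the network. The policy thresholds, resource names and roles are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy values and resource names (assumptions, not from the original page).
MIN_AV_SIGNATURE = 20240501          # minimum anti-virus signature build
MIN_PATCH_LEVEL = 2024_04            # minimum OS update level
REMEDIATION_ONLY = {"av-update-server", "patch-server"}
ROLE_RESOURCES = {"hr": {"hr-fileshare", "internet"},
                  "finance": {"finance-db", "internet"},
                  "guest": {"internet"}}


@dataclass
class Endpoint:
    user_role: str
    agent_installed: bool
    av_signature: int
    patch_level: int


def posture_check(ep: Endpoint) -> list:
    """Health check reported by the pre-installed agent; returns the list of policy failures."""
    failures = []
    if not ep.agent_installed:
        failures.append("agent missing")
    if ep.av_signature < MIN_AV_SIGNATURE:
        failures.append("anti-virus below minimum")
    if ep.patch_level < MIN_PATCH_LEVEL:
        failures.append("system updates below minimum")
    return failures


def pre_admission(ep: Endpoint) -> tuple:
    """Decision at connect time: quarantine (remediation resources only) or permit by role and posture."""
    failures = posture_check(ep)
    if failures:
        return "quarantine", set(REMEDIATION_ONLY), failures
    return "permit", set(ROLE_RESOURCES.get(ep.user_role, set())), []


def post_admission(ep: Endpoint, resource: str) -> bool:
    """Re-check on every move to a new part of the network; blocks lateral movement outside the role."""
    verdict, allowed, _ = pre_admission(ep)
    return verdict == "permit" and resource in allowed


def remediate(ep: Endpoint) -> Endpoint:
    """What the quarantine resources let the endpoint do: install the agent, pull signatures and patches."""
    return Endpoint(ep.user_role, True, max(ep.av_signature, MIN_AV_SIGNATURE),
                    max(ep.patch_level, MIN_PATCH_LEVEL))
```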
Elements of Network Access Control System
Network Access Enforcement Methods

• IEEE 802.1X – uses EAP for the authentication process
• VLANs – an enterprise network consisting of interconnected LANs is
segmented logically into a number of virtual LANs
• Firewall – provides a form of NAC by allowing or denying network
traffic between an enterprise host and an external user
• DHCP management – dynamic allocation of IP addresses to hosts
Advantages Of NAC

• Protect against known and unknown malware.
• Restrict who can access sensitive financial or customer records.
• Prevent data breaches.
• Keep track of who comes and goes.
• Save money and energy.
• Give employees the freedom to work when they need to.
NAC Limitations

• Low visibility into IoT and unmanaged devices
• Network access control for wired networks
• Monitoring for threats post-access
• Ability to establish policies for devices
Final Thoughts

• In today’s world of cyberattacks and data breaches, trusting a
single antivirus tool or firewall is not enough to protect the
enterprise’s infrastructure and systems.
• For most organizations, digital data is the most valuable asset they
have.
• The goal should always be to restrict access to only authorized
individuals and devices that meet the security standards of the
organization.
Extensible Authentication Protocol

• Framework for network access and authentication protocols
• Provides a set of protocol messages that can encapsulate
various authentication methods to be used between a
client and authentication server
Authentication Methods
EAP Protocol Exchanges
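An added example, not part of the original document, of the EAP framing described above: the RFC 3748 packet header (Code, Identifier, Length, then Type and Type-Data for Requests and Responses) and a simulated supplicant/authentication-server exchange in which the header encapsulates one method, Identity followed by MD5-Challenge, and ends in Success or Failure. The identity, secret and server name are constructed values.

```python
import hashlib
import os
import struct

# EAP packet per RFC 3748: Code(1) Identifier(1) Length(2, big-endian, counts the header),
# then Type(1) and Type-Data for Request/Response; Success/Failure carry no Type.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, MD5_CHALLENGE = 1, 4          # EAP method types used below


def encode(code, ident, type_=None, data=b""):
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode(pkt):
    """Parse one EAP packet; rejects a Length field that disagrees with the bytes received."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("EAP length mismatch")
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def md5_response(ident, secret, challenge):
    # MD5-Challenge value (RFC 3748 section 5.4, CHAP-style): MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def run_exchange(identity, client_secret, server_secrets):
    """Supplicant and authentication server exchanging EAP messages; returns (final code, packets)."""
    packets = [encode(REQUEST, 1, IDENTITY)]                           # server: Request/Identity
    packets.append(encode(RESPONSE, 1, IDENTITY, identity.encode()))   # client: Response/Identity
    claimed = decode(packets[-1])[3].decode()
    challenge = os.urandom(16)                                         # server: fresh challenge
    packets.append(encode(REQUEST, 2, MD5_CHALLENGE,
                          bytes([len(challenge)]) + challenge + b"auth-server"))
    _, ident, _, tdata = decode(packets[-1])                           # client parses the challenge
    chal = tdata[1:1 + tdata[0]]
    packets.append(encode(RESPONSE, ident, MD5_CHALLENGE,
                          bytes([16]) + md5_response(ident, client_secret, chal) + identity.encode()))
    _, ident, _, tdata = decode(packets[-1])                           # server verifies the answer
    expected = md5_response(ident, server_secrets.get(claimed, b""), challenge)
    final = SUCCESS if tdata[1:1 + tdata[0]] == expected else FAILURE
    packets.append(encode(final, ident))                               # Success or Failure, no Type
    return final, packets
```

EAP-MD5 is used here only because its framing is short: it provides neither mutual authentication nor key material, which is why 802.1X deployments rely on tunnelled or certificate-based methods instead.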
