Network Access Control (NAC) solutions deliver a comprehensive approach to identifying, controlling, and securing access to critical network communications. Well-architected NAC solutions proactively decide whether a trusted user, a guest, or a device may connect to a network and what it is authorized to do once connected; the decision is based on policy criteria such as device and user identity, business role, time of day, location, and the health of the end system. Comprehensive NAC solutions combine agent-based and agentless assessment technologies with proactive and reactive policy enforcement to provide a solid pre-connect and post-connect end-system security offering.
NAC is an acronym that stands for Network Access Control; it is sometimes also referred to as Network Admission Control. NAC is a common term within IT organizations today, but there is much discussion around what NAC involves and what it does not. Some view NAC as simple registration and authorization of network-connected end systems. Some view NAC as a solution to protect the network environment from viruses and worms. Some view NAC as a gatekeeper function that controls how end systems and guest systems that are not compliant with corporate computing guidelines can access the network. A well-architected NAC solution is actually all of these things: Network Access Control is the integration of several technologies into a solution that proactively and reactively controls end-system communication on the network. A number of individual functions make up a comprehensive NAC solution.
• Detect - Detection and identification of new devices connecting to the network
• Authenticate - Authentication of users and/or devices
• Assess - Assessment of end systems regarding their compliance and/or vulnerabilities
• Authorize - Authorization to use the network based on the results of the authentication and the assessment
• Monitor - Monitoring users and devices once they are connected to the network
• Contain - Quarantine problem end systems and/or users to prevent them from negatively impacting the overall network environment
• Remediate - Remediation of problems with the end system and/or user
A well-architected solution should integrate highly advanced, policy-enabled network infrastructure with advanced security applications and centralized management to deliver all of the required functions for pre- and post-connect secure network access.
Phase Wise Implementation
A phased approach for implementing a NAC solution is the preferred method. In general, a NAC implementation can be separated into the following phases:
Phase 1: End-System Detection and Tracking
Phase 2: End-System Authorization
Phase 3: End-System Authorization with Assessment
Phase 4: End-System Authorization with Assessment and Remediation
Phase 1: Collects information about all end systems without altering any existing network access. This is essentially an inventory of the end systems attached to the network and can be done with or without authentication.
Phase 2: Applies pre-defined rules and restrictions related to network access. This typically requires authentication so that a unique network access policy can be enforced for each end system and user.
Phase 3: Assesses all end systems. The assessment data can be gathered via an external management system (for example, a software distribution system), an agent, or a network scanner. Typical information would be: operating system, vulnerabilities, and open ports.
Phase 4: Enforces further network access policy rules on individual end systems, using the assessment results. The user should be informed about this assessment and given the opportunity to remediate if the end system is not in compliance with the applicable security policies.
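The following added example (not code from the original page or from any NAC product) is a toy policy engine that walks through the functions listed above (detect, authenticate, assess, authorize, monitor, contain, remediate) and shows how the four implementation phases differ in what they enforce. All names (EndSystem, Decision, the segment labels, the role table, the business-hours window, and the sample end systems) are constructed assumptions for illustration; a real deployment would take identity from the authentication server, health from an agent or scanner, and push the resulting segment to the switch or wireless controller.

```python
"""Toy NAC policy engine (added example, not from the original page).

Models the pre-connect decision described in the text: detect the end
system, authenticate it, assess its health, then authorize it into a
network segment. The `phase` argument selects how much of that flow is
enforced, mirroring the four implementation phases.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Set


@dataclass
class EndSystem:
    mac: str                                  # detected at link-up (Detect)
    user: Optional[str] = None                # None -> device-only, e.g. a printer
    role: Optional[str] = None                # constructed: from a directory lookup
    location: str = "unknown"                 # constructed: site/switch location
    os: str = "unknown"                       # from agent or scanner (Assess)
    open_ports: Set[int] = field(default_factory=set)
    vulns: Set[str] = field(default_factory=set)  # constructed finding tags
    authenticated: bool = False               # result of 802.1X/web-auth (Authenticate)


@dataclass
class Decision:
    segment: str        # "unchanged", "corp", "contractor", "guest", "remediation", "quarantine"
    reasons: List[str]  # audit trail of why the segment was chosen


# Constructed policy parameters (assumptions, not from the page).
BUSINESS_HOURS = (time(7, 0), time(19, 0))
BLOCKED_PORTS = {23, 445}            # services that must not be exposed on the LAN
ROLE_SEGMENT = {"employee": "corp", "contractor": "contractor", "guest": "guest"}
QUARANTINE_EVENTS = {"malware-alert", "port-scan"}


def assess(es: EndSystem) -> List[str]:
    """Phase 3 / Assess: return compliance findings; an empty list means healthy."""
    findings = []
    if es.os == "unknown":
        findings.append("os-unidentified")
    exposed = es.open_ports & BLOCKED_PORTS
    if exposed:
        findings.append("open-ports:%s" % sorted(exposed))
    findings.extend("vuln:%s" % v for v in sorted(es.vulns))
    return findings


def authorize(es: EndSystem, now: time, phase: int = 4) -> Decision:
    """Pre-connect decision. `phase` is the NAC rollout phase (1..4)."""
    # Phase 1: detect and track only; inventory the device, never alter access.
    if phase == 1:
        return Decision("unchanged", ["inventory:%s" % es.mac])

    # Phase 2: identity, role, time of day and location select the segment.
    reasons = []
    if not es.authenticated:
        reasons.append("unauthenticated")
        segment = "guest"
    else:
        segment = ROLE_SEGMENT.get(es.role or "", "guest")
        reasons.append("role:%s" % es.role)
        start, end = BUSINESS_HOURS
        if es.role == "contractor" and not (start <= now <= end):
            segment = "guest"
            reasons.append("outside-business-hours")
    if es.location == "lobby" and segment == "corp":
        segment = "guest"                 # corporate access never from the lobby
        reasons.append("location:lobby")
    if phase == 2:
        return Decision(segment, reasons)

    # Phase 3: assess, but only report findings; access is still role-based.
    findings = assess(es)
    reasons.extend(findings)
    if phase == 3 or not findings:
        return Decision(segment, reasons)

    # Phase 4: enforce on the assessment. Non-compliant systems land in a
    # remediation segment where the user is told what to fix (Remediate).
    return Decision("remediation", reasons)


def post_connect(current: Decision, event: str) -> Decision:
    """Monitor / Contain: react to an event observed after access was granted."""
    if event in QUARANTINE_EVENTS:
        return Decision("quarantine", current.reasons + ["event:%s" % event])
    return current


# Constructed sample end systems for a stand-alone run.
EMPLOYEE = EndSystem("aa:bb:cc:00:00:01", "alice", "employee", "hq", "Windows 11",
                     authenticated=True)
CONTRACTOR = EndSystem("aa:bb:cc:00:00:02", "bob", "contractor", "hq", "Ubuntu 22.04",
                       open_ports={445}, authenticated=True)
PRINTER = EndSystem("aa:bb:cc:00:00:03")   # never authenticated, OS unknown

if __name__ == "__main__":
    for phase in (1, 2, 3, 4):
        for es in (EMPLOYEE, CONTRACTOR, PRINTER):
            print(phase, es.mac, authorize(es, time(10, 0), phase))
    print(post_connect(authorize(EMPLOYEE, time(10, 0)), "malware-alert"))
```

Running the block prints the decision for each sample end system under each phase; the same contractor laptop moves from "contractor" (phase 2 and 3, where the exposed port is only reported) to "remediation" once phase 4 enforcement is switched on, and the healthy employee laptop is quarantined only after a post-connect alert.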