Frustrated with the slow wifi speed in my hotel room — and irritated at the hard upsell to a “premium” tier speed — I took matters into my own hands and plugged my travel router directly into the hotel's unthrottled wired network. I didn’t actually expect this to work; surely an international hospitality chain would have some sort of basic network access control (NAC) in place. But my instantaneous speed upgrade suggested two things: 1) I was successful in my quest, and 2) this hotel group might need to work on network security.
In this blog, we’ll answer important questions such as, “What is network access control and how does it work?”, “Why is NAC needed?” and “How can NAC technology help fight modern cybersecurity threats for all types of organizations?”
- What is network access control?
- What is a network access control policy?
- Types of network admission control
- Top network access control use cases
- How to implement NAC solutions in five steps
- How to choose an NAC solution
- Comparing five NAC products and solutions
- Network access control FAQ
What is network access control?
NAC is a generic term for a solution that selectively grants network access to devices based on one or more criteria: authentication (only authorized users are granted access), security posture (only devices with an up-to-date operating system and antivirus software can connect), or any number of other attributes (device manufacturer, employee access level, and so on).
Modern NAC solutions can be both flexible and powerful, with policy-based enforcement allowing for very granular but still scalable levels of access control. NAC security can be applied to both wired and wireless networks.
Why invest in an NAC solution?
Most of the underlying protocols and standards in computer networking were designed for connectivity, not security. Ethernet, for example, has no inherent authentication or authorization mechanism, which is why I didn’t have to prove my identity when connecting to my in-room wired network. NAC changes this equation by adding a definable set of conditions that a device must meet before it is granted access to the network.
NAC solutions have become a valuable tool for network security: they address the growth of Bring Your Own Device (BYOD) and Internet of Things (IoT) devices, help contain fast-moving threats by isolating non-compliant or unpatched devices, segment production and guest traffic, simplify the provisioning of devices such as VoIP phones, and more.
Corporate wifi networks are perhaps the best way to illustrate the benefits of network access control. At home, your family members and close friends probably use the same pre-shared key to connect many different devices to wifi. Scaled up to a large enterprise network, this already weak model becomes riskier still: the password is likely to become public knowledge, and a compromise would mean changing it on every device connected to the network. NAC technology, typically 802.1X with an enterprise WPA mode, lets each employee (or device) authenticate with its own credentials and provides a much more robust way to trace every one of those logins in the event of an incident.
What makes up an NAC solution?
NAC solutions are built around NAC policies, which are defined on a central policy server and enforced by elements of the network infrastructure (switches, routers, wireless controllers, firewalls, and so on). One or more separate servers may handle authentication, authorization, and accounting (AAA). Many commercial NAC solutions use the IEEE 802.1X standard for port-based authentication and enforcement, with RADIUS carrying the exchange between the network device and the policy server, and typically rely on proprietary software for the policy server and endpoint agent.
Early NAC solutions consisted primarily of policy management and enforcement. Today’s solutions typically build on that, adding features such as endpoint profiling, guest management, visibility, and analytics, and expanded support for BYOD environments. Many products skirt the traditional boundaries between NAC and other types of solutions and are often marketed or sold as part of a larger security offering.
What is a network access control policy?
Many of the top network access control benefits come from policies. Rather than manually approve/deny access on a per-device or user basis, a network or system admin can define the conditions that are necessary for access. NAC isn’t necessarily all-or-nothing, and more advanced policies might grant guests or contractors a different level of network access than full-time employees. Devices can also be “quarantined,” giving them just enough access to update software or take other corrective action without allowing them to touch the rest of the internal network.
The policy-based model used in most network access control solutions allows a great deal of scalability and flexibility. Admins can add or edit policies at any time and almost instantly change the rules that govern access for tens of thousands of devices. This is a critical capability when faced with fast-moving threats such as worms or ransomware that exploit recently publicized vulnerabilities. During high-stakes moments such as WannaCry or NotPetya, an organization can drastically reduce its risk by isolating unpatched machines from the rest of the network.
Types of network admission control
There are a large number of NAC solutions out there and each may operate in different ways. As a general rule of thumb, there are two ways that network control can be enforced:
- Pre-admission control applies NAC policies before a device is granted access to the network. If the device does not meet policy conditions, it will not be admitted. Most NAC implementations use pre-admission control.
- Post-admission control applies NAC policies after a device has already been granted network access. Perhaps there’s suspicious traffic emanating from the device or it connects to something it was not meant to access, or policies have been updated as new security threats are uncovered.
NAC can also be configured based on how the decision-making and enforcement mechanisms are placed within the network:
- Out-of-band solutions typically use a policy server that is not directly in the flow of network traffic. The policy server communicates with network infrastructure devices, such as switches, routers, and wireless access points, which will apply the NAC policies and allow or deny traffic as is appropriate.
- Inline NAC solutions combine decision-making and enforcement at a single point that sits in the normal flow of traffic. This can be resource-intensive on larger networks, and because every packet traverses that device, a failure or overload there degrades the whole network’s performance.
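As an added example (not code from the original post or from any NAC vendor), the following Python script models the out-of-band exchange described above between a switch and its policy server: a RADIUS Access-Request for a printer that cannot run an 802.1X supplicant and so falls back to MAC Authentication Bypass, an Access-Accept carrying the RFC 3580 dynamic-VLAN attributes, and the switch’s verification of the Response Authenticator before it moves the port into the assigned VLAN. The shared secret, MAC address, VLAN numbers and RADIUS identifier are constructed sample values; the packet layout, attribute numbers and authenticator computation follow RFC 2865, RFC 2868 and RFC 3580.

```python
"""Added example, not code from the original post or from any NAC vendor:
the RADIUS exchange behind an out-of-band NAC decision. The switch (the 802.1X
authenticator) sends an Access-Request for a printer that cannot run a
supplicant, so it falls back to MAC Authentication Bypass (MAB) and presents the
MAC as both User-Name and User-Password. The policy server answers with an
Access-Accept carrying RFC 3580 dynamic-VLAN attributes; the switch verifies the
RFC 2865 Response Authenticator before acting on the VLAN. Shared secret, MAC
and VLAN numbers are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # RFC 3580 values
SECRET = b"constructed-shared-secret"             # constructed; known to switch and server
PRINTER_MAC = b"001122334455"                     # constructed MAB identity (MAC, no separators)

def attr(code, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_mab_request(mac, secret, identifier, request_auth):
    """Switch side. MAB's only credential is the MAC: any host that clones it gets the same answer."""
    attrs = attr(USER_NAME, mac) + attr(USER_PASSWORD, encrypt_password(mac, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def vlan_attributes(vlan_id, tag=1):
    """RFC 3580 dynamic VLAN assignment; tunnel attributes carry a leading Tag octet (RFC 2868)."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def build_response(request, secret, code, attrs):
    """Policy server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def parse_attributes(blob):
    attrs, i = {}, 0
    while i < len(blob):
        if i + 1 >= len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs

def verify_and_extract_vlan(request, response, secret):
    """Switch side: act on the VLAN only from an untampered Access-Accept that answers *this* request."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response) or code != ACCESS_ACCEPT:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None   # forged, replayed against the wrong request, or wrong shared secret
    attrs = parse_attributes(response[20:])
    try:
        if (int.from_bytes(attrs[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN
                or int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE802):
            return None
        return int(attrs[TUNNEL_PRIVATE_GROUP_ID][1:].decode())
    except (KeyError, ValueError, UnicodeDecodeError):
        return None

def demo_exchange(tamper=False, server_secret=SECRET):
    """Full round trip; returns the VLAN the switch will apply, or None if it refuses the answer."""
    request_auth = os.urandom(16)
    request = build_mab_request(PRINTER_MAC, SECRET, identifier=7, request_auth=request_auth)
    response = build_response(request, server_secret, ACCESS_ACCEPT, vlan_attributes(40))
    if tamper:
        # An on-path attacker rewrites the VLAN string. Without the secret the
        # authenticator no longer matches, so the switch ignores the answer.
        response = response[:-2] + b"10"
    return verify_and_extract_vlan(request, response, SECRET)

if __name__ == "__main__":
    print("printer lands in VLAN", demo_exchange())                     # 40
    print("tampered response  ->", demo_exchange(tamper=True))          # None
    print("wrong server secret ->", demo_exchange(server_secret=b"oops"))  # None
```

The tampered and wrong-secret cases show why the shared secret matters: the Response Authenticator is the only thing stopping anyone on the path between switch and policy server from handing out their own VLAN assignments, and MD5 over a shared secret is weak protection, which is why RADIUS should be confined to a management network or carried over RadSec (RADIUS over TLS, RFC 6614). Note also that MAB presents nothing but the MAC address, so any host that clones the printer’s MAC inherits its VLAN.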
Top network access control use cases
NAC solutions can be used for a variety of purposes, but some of the top use cases include:
NAC for guest and partner access
Many organizations need to provide network access to outside parties, such as vendors, partners, and guests. NAC solutions can facilitate this access while maintaining appropriate network segmentation. Non-employees can be routed to register through a captive portal or can be given throttled internet-only access, meaning they are unable to connect to internal resources.
NAC for BYOD
In addition to guest and partner access, most organizations are now contending with a mix of managed and personal devices on their network infrastructure. BYOD doesn’t equate to sacrificing security if you have well-implemented network access control. You can choose to allow only patched and secured devices, limit unmanaged devices to a separate guest virtual local area network (VLAN) or network segment, or mandate that personal devices be enrolled in the company’s mobile device management solution.
NAC for IoT
While any NAC solution introduces some administrative overhead, it can also simplify certain tasks while enhancing security. Devices such as printers, VoIP phones, and other IoT devices frequently belong on their own slice of the network (especially IP phones, since quality-of-service settings are applied to the voice VLAN to maintain call quality). Thanks to their device-profiling capabilities, NAC solutions can largely automate this by steering such devices into the appropriate VLAN without manual provisioning. One caveat: devices that can’t run an 802.1X supplicant are identified by signals such as their MAC address (MAC Authentication Bypass), vendor OUI, or DHCP fingerprint, all of which an attacker can spoof, so the segments these devices are steered into should be as tightly scoped as possible. The same profiling helps detect rogue access points and other forms of shadow IT.
NAC for incident response
NAC can be an invaluable tool during all phases of the incident response process. Changing NAC policies on-the-fly can help contain a ransomware outbreak or data breach in progress. Most implementations of network access control also offer a great deal of visibility into network traffic that wouldn’t otherwise be present — a crucial piece of the puzzle when it comes to investigating and remediating an incident.
Many vendors also sell solutions that go far beyond what traditional NAC technology offers. A range of integrations and built-in artificial intelligence capabilities mean that today’s most advanced solutions can spot anomalous network traffic and take action faster than a human security analyst. This is similar to the way Varonis uses user and event behavior analytics to spot the behavioral deviations in vast amounts of data.
How to implement NAC solutions in five steps
It might be tempting to run out and purchase an NAC solution from the first vendor you can find, but network access control requires careful planning, implementation, and tuning to realize its true benefits. The following steps can help as you begin to look at the implementation process:
1. Gather data
If you’re going to restrict how your users access the network, you’ll first need to understand how they’re using it. Who’s connecting to what, and from which devices? Is there a business requirement behind their current level of access? Don’t forget to consider servers, printers, phones, IoT devices, and anything else connected to the network.
2. Catch up on identity management
If, like most organizations, you plan on including an authentication component in your NAC policy, you’ll need to be on top of identity management. If a new hire can’t get online because your Active Directory servers aren’t syncing with the HR database, that shiny new NAC solution might wind up costing the company more than it’s worth. On the other hand, NAC won’t help you if you never de-provisioned an employee who left the company six months ago.
3. Determine permissions and access levels
It's up to you to decide how to apply the capabilities of your NAC solution. Ideally, you’d implement the purest form of the principle of least privilege and limit all users to the minimum network resources needed to carry out their jobs. However, most large networks simply aren’t segmented enough to strictly adhere to this principle. Implementing role-based access control can be a good middle ground without compromising too much on security.
4. Test your setup
Most NAC solutions can be configured in a “monitor” (audit-only) mode, in which the outcome of each policy is logged but not enforced, so its impact can be measured before users feel it. This is an important step, as it lets you spot problems such as devices that would be wrongly denied before they generate a flood of support tickets. Test your NAC policies both before you first enforce them and whenever you change them.
5. Monitor and tune
Network access control is not a “set it and forget it” type of security control. You’ll need to make adjustments as the organization (and the threats facing it) evolve over time. Make sure you have the resources needed to continually monitor and optimize the solution before beginning an NAC implementation journey.
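To make the policy model from the “What is a network access control policy?” section and the monitor mode from step 4 concrete, here is an added example in Python (it is not code from the original post or from any NAC product): a toy policy engine with an ordered rule set, a quarantine VLAN, an audit-only monitor mode, and the post-admission re-evaluation an admin triggers by pushing an emergency rule during an outbreak. Endpoints, roles, VLAN numbers and the patch identifier PATCH-SAMPLE are constructed sample data.

```python
"""Added example, not code from the original post or from any NAC vendor: a toy
policy engine showing (1) an ordered NAC policy that maps an endpoint to a
VLAN, a quarantine VLAN or a deny, (2) a "monitor" mode that records what a
policy would do without enforcing it, and (3) post-admission re-evaluation of
live sessions when a rule is added mid-incident. All endpoints, roles, VLAN
numbers and the patch identifier "PATCH-SAMPLE" are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Endpoint:
    mac: str
    user: Optional[str] = None       # None: no 802.1X identity, device was only profiled
    role: Optional[str] = None       # from the identity store: "employee", "contractor"
    profile: Optional[str] = None    # from device profiling: "ip-phone", "printer"
    posture_ok: bool = True          # agent reported patched OS / running AV
    missing_patches: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Endpoint], bool]
    action: str                      # "permit" | "quarantine" | "deny"
    vlan: Optional[int]

@dataclass(frozen=True)
class Decision:
    rule: str
    action: str
    vlan: Optional[int]

QUARANTINE_VLAN = 999                # reaches the patch server and AV updates, nothing else

def baseline_rules():
    """First match wins, so the stricter conditions sit on top."""
    return [
        Rule("noncompliant-quarantine", lambda e: e.user is not None and not e.posture_ok,
             "quarantine", QUARANTINE_VLAN),
        Rule("employee-corp", lambda e: e.role == "employee", "permit", 10),
        Rule("contractor-restricted", lambda e: e.role == "contractor", "permit", 20),
        # Profiled-only devices are identified by spoofable signals (MAC OUI, DHCP
        # fingerprint), so each class gets a narrow segment, never the corporate VLAN.
        Rule("ip-phone-voice", lambda e: e.user is None and e.profile == "ip-phone", "permit", 30),
        Rule("printer-iot", lambda e: e.user is None and e.profile == "printer", "permit", 40),
        Rule("unknown-guest", lambda e: e.user is None, "permit", 50),   # internet-only
    ]

class PolicyEngine:
    def __init__(self, rules, enforce=True):
        self.rules, self.enforce = list(rules), enforce
        self.sessions = {}    # mac -> (Endpoint, Decision) for every admitted device
        self.audit = []       # per-login trail: who, which device, which rule, what happened

    def evaluate(self, ep):
        for rule in self.rules:
            if rule.match(ep):
                return Decision(rule.name, rule.action, rule.vlan)
        return Decision("implicit-deny", "deny", None)

    def admit(self, ep):
        d = self.evaluate(ep)
        self.audit.append(f"{'enforce' if self.enforce else 'monitor'} mac={ep.mac} user={ep.user} "
                          f"rule={d.rule} action={d.action} vlan={d.vlan}")
        if not self.enforce:
            # Monitor mode: the would-be outcome is logged above, but the port stays open,
            # so a badly written rule shows up in the audit log instead of help-desk tickets.
            d = Decision(d.rule, "permit", None)
        self.sessions[ep.mac] = (ep, d)
        return d

    def add_rule(self, rule, position=0):
        """Post-admission control: re-evaluate live sessions under the new rule and
        return the endpoints whose outcome changed (the ones to move or disconnect)."""
        self.rules.insert(position, rule)
        changed = {}
        for mac, (ep, before) in list(self.sessions.items()):
            after = self.admit(ep)
            if (before.action, before.vlan) != (after.action, after.vlan):
                changed[mac] = after
        return changed

SAMPLE_ENDPOINTS = [   # constructed sample data
    Endpoint("aa:bb:cc:00:00:01", user="alice", role="employee"),
    Endpoint("aa:bb:cc:00:00:02", user="bob", role="employee", missing_patches=frozenset({"PATCH-SAMPLE"})),
    Endpoint("aa:bb:cc:00:00:03", user="carol", role="contractor", posture_ok=False),
    Endpoint("aa:bb:cc:00:00:04", profile="ip-phone"),
    Endpoint("aa:bb:cc:00:00:05"),
]

def demo(enforce=True):
    """Admit the sample endpoints, then push an outbreak rule isolating every admitted
    machine missing the exploited patch. Returns initial outcomes, changes, audit trail."""
    engine = PolicyEngine(baseline_rules(), enforce=enforce)
    initial = {}
    for ep in SAMPLE_ENDPOINTS:
        d = engine.admit(ep)
        initial[ep.mac] = (d.action, d.vlan)
    emergency = Rule("isolate-unpatched", lambda e: "PATCH-SAMPLE" in e.missing_patches,
                     "quarantine", QUARANTINE_VLAN)
    changed = {mac: (d.action, d.vlan) for mac, d in engine.add_rule(emergency).items()}
    return initial, changed, engine.audit

if __name__ == "__main__":
    for mode in (True, False):
        initial, changed, audit = demo(enforce=mode)
        print("enforce" if mode else "monitor", initial, changed, sep="\n  ")
```

Run in enforce mode, only bob’s machine changes outcome when the emergency rule lands (it moves to the quarantine VLAN); run in monitor mode, nothing moves, but the audit trail still records that the rule would have quarantined it, which is exactly the signal you want while tuning a rollout.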
How to choose an NAC solution
NAC solutions come in many different variations to cover different deployment models, use cases, and organization sizes. This variation means that there’s no “right” or “best” solution, as what works for one organization may be wholly inappropriate for another. Ask yourself some of the following questions when researching potential solutions:
1. Does it integrate with our existing infrastructure?
To help narrow down your search, it may be helpful to first look at what’s already in use at your organization. If you’ve invested heavily in networking gear from a particular vendor, it might make sense to take a close look at that same vendor’s NAC solution, so that everything works together seamlessly. While it’s true that 802.1X is an open standard, the advanced capabilities touted by many vendors are often proprietary and may not be available in a mixed environment.
2. Will it work with our network architecture?
Early NAC solutions were designed primarily with large, wired corporate networks in mind. Today’s networks are much more complex, with wireless and remote access now standard. You may find that some solutions offer better support for different types of network environments.
3. How well does it align with our use cases?
All network access control solutions aim to give you the power to decide what devices can access your network, but support for use cases can vary considerably. If you’re looking for something that makes managing guest access a breeze, you’ll want a solution with strong support for captive portals, self-registration, and segmentation capabilities. On the other hand, managing IoT or BYOD scenarios might require looking at a solution with strong device-profiling and posture capabilities.
4. Does it offer scalability?
NAC solutions scale in different ways depending on the vendor and deployment model. For example, inline network access control tends not to scale well in busy networks. Remember to look beyond the NAC product as a standalone: if you’re using existing network infrastructure devices to enforce NAC policies, the additional overhead could be taxing on older routers, switches, and access points.
5. What will it cost?
Both price point and pricing models can be an important consideration, especially if you’re expecting a large number of BYOD devices. Some NAC solutions are priced on a per-device or per-user basis, while others might be offered at a flat rate. Both perpetual and subscription licensing models exist. You’ll also want to look at scalability as it relates to high availability; one solution might require a greater number of policy server instances to support a given number of endpoints than another solution.
Comparing five NAC products and solutions
There are dozens — if not hundreds — of NAC solutions on the market, but let’s take a look at five of the most popular options:
- Cisco Identity Services Engine (ISE) - Cisco was an early player in the network access control category and has offered several different solutions over the years. The latest offering, Cisco ISE, integrates with many other parts of the Cisco ecosystem to offer segmentation, visibility, and automated response, in addition to traditional NAC technology.
- Ivanti Policy Secure - Formerly known as Pulse Policy Secure, this NAC solution plays nicely with a variety of third-party products, and provides the crucial policy management, profiling, visibility, and behavioral analytics features expected in a modern network access control platform.
- Aruba ClearPass - You’ll find Aruba ClearPass in use in a variety of hospitality and university environments, often paired with the company’s wireless networking products. This tight integration between hardware and software can yield real-time information about how devices are being used on the network.
- FortiNAC - Fortinet is best known for their firewalls, but the company sells a range of network access control products under the FortiNAC brand. Fortinet touts its range of profiling methods, scalability reaching into “millions of devices,” and support for network infrastructure devices from more than 150 vendors.
- Portnox CLEAR - Portnox differs from traditional vendors by offering a cloud-native NAC platform delivered as software-as-a-service, alongside its on-premises options. Combining cloud authentication and policy server functionality could be attractive for organizations that don’t want to set up and maintain their own Remote Authentication Dial-In User Service (RADIUS) servers.
Network access control FAQ
Let’s review some of the most common questions that arise when evaluating different NAC options and products.
Q: Are there any variables an NAC policy cannot use to filter traffic?
A: One variable that is hard to use reliably is geographic location. Because of the way wide area networks and VPNs are built, an IP address does not always correspond to a physical location, so you can’t necessarily base access decisions on where a person is.
Q: How long has network access control been around?
A: Many of the core concepts of NAC have existed for decades, but weren’t widely implemented until the early 2000s. Early offerings were largely vendor-specific, with Cisco offering a product called Network Admission Control and Microsoft building a similar Network Access Protection feature into several versions of Windows. By the early 2010s, terminology and technology both began to standardize.
Q: Where is the NAC layer located?
A: Network access control is typically implemented at the data link layer (layer two) or the network layer (layer three) of the Open Systems Interconnection (OSI) model. Enforcement mechanisms vary between products, and some offer multiple options (for example, assigning a VLAN at layer two or applying an access list at layer three).
Network access control can provide a tremendous boost to an organization’s network security, but it’s important to remember that this is only one aspect of the complete security picture. Good data security is just as important as locking down who can access your network. The Varonis Data Protection Platform makes this a breeze, with powerful features for managing, classifying, and protecting your most important data.
Robert is an IT and cyber security consultant based in Southern California. He enjoys learning about the latest threats to computer security.