Given how complex the topic of cybersecurity is in today’s high-tech world, many organizations feel the need to tackle it from various angles. They procure an antivirus solution from one vendor, add a firewall from a different one, and use a totally separate system for managing access permissions.
But lately, the trend has shifted to a more centralized approach, embracing the concept of network access control (NAC). NAC solutions are designed to boost the overall security of your internal infrastructure by enforcing policies across all users and devices.
A single NAC product may not block all potential cyberattacks, but it will significantly lower the risk level of your organization’s most critical data assets.
- NAC Capabilities
- Ins and Outs of NAC
- Implementation Steps
- How to Choose a Solution
- Network Access Control FAQ
Why Invest in a Network Access Control (NAC) Solution?
NAC solutions have become an extremely valuable tool in recent years, as mobile devices and the Internet of Things (IoT) have surged to prominence in various industries across the world. These new pieces of emerging technology come with their own set of vulnerabilities, which poses a challenge to IT security experts.
Fortunately, NAC products are designed to handle large enterprise networks that have a range of device types trying to connect at all times. Without a NAC in place, companies take on a huge amount of risk by adopting a bring-your-own-device (BYOD) policy, which allows employees and vendors to use their own smartphones and tablets on the local network. NAC solutions require an upfront investment but prove their worth in the long run.
Capabilities of Network Access Control Solutions
The primary goal for any NAC product is to defend the entire perimeter of an organization’s network, including both the physical infrastructure and any cloud-based systems that are linked together. NAC tools are mainly proactive in nature, meaning they seek to block or stop attacks before they become a reality. But some monitoring solutions like Varonis will also help an IT group run incident management from one central portal.
NAC for Vendors or Partners
In order to succeed in a fast-paced industry, enterprises need to be able to easily and efficiently integrate with their third-party vendors and partners. Sometimes this can be accomplished through the sharing of raw data feeds, but in many cases, true network-to-network integration is required for a seamless experience.
When it comes to network access controls, the tricky part is providing network access to your vendors and partners without exposing yourself to new channels of attack. A NAC solution will often include a virtual private network (VPN) client to allow external users to access internal resources through a secure channel. Of course, all activity will be logged through the NAC tool so that it can be monitored.
NAC for Incident Response
Newer NAC products are now being built on top of artificial intelligence and machine learning technologies. What this means for IT teams is that certain parts of the incident response process can be automated. Instead of wasting effort trying to isolate an issue and prevent it from spreading, you can now focus on returning systems to full capacity.
For example, let’s say that a hacker manages to hijack an IoT sensor located within your corporate network. The NAC tool will be able to identify that this piece of hardware has been compromised and disable its access automatically to limit the scope of the attack.
NAC for BYOD
As mentioned earlier, the vast majority of companies today are adopting a BYOD policy to allow employees to use their own personal devices at work instead of wasting funds to purchase each person their own dedicated hardware. But this makes the task of IT security much harder since you don’t have full control over how the devices will function on your network.
With a NAC solution, the usual rule is that any new device is blocked from the internal network until it meets the criteria of the organization’s security policy. As an employee, this means you must install the NAC-approved app or client on your device in order to gain full access to internal resources.
NAC for IoT
When employees bring their own hardware into work, the devices usually run a common operating system that can be managed easily. The same is not true for IoT products, which don’t have normal user interfaces and might be running proprietary software. That said, NAC solutions are still capable of including IoT hardware in their access policies.
One key function of any NAC system is the ability to inventory and tag every unknown piece of hardware inside the network. That way, you can categorize IoT devices into groups with limited permissions governing what they can and cannot do. NAC tools will constantly monitor IoT activity to ensure the devices themselves have not been hijacked by outsiders, as happened in the infamous Mirai botnet incident back in 2016.
The Ins and Outs of a Network Access Control Policy
Out of the box, a NAC tool can bring a lot of value to your organization by monitoring the network perimeter for threats and attacks. However, the system will not truly prove its worth until you build a network access control policy within it. A NAC policy is a list of rules, specific to your enterprise, which dictates who can access which resources.
What Is a Network Access Control System? And How to Use It
The NAC system is responsible for storing the organization’s access policies and applying them to every request that is submitted. This is typically done through a two-stage process: authentication and authorization. If either step fails, the request is blocked to preserve the safety of the network. This is what’s known as zero-trust security.
During authentication, the NAC system prompts the user to enter credentials to verify their identity. This could be done through either a username/password check or a biometric scan. After authentication is complete, the NAC system moves on to the authorization stage, where it consults the local access policies and checks whether the user’s request is approved or not.
How to Create a Network Access Control List
Setting up a NAC list for the first time can be a little bit tedious. You need to look at every piece of hardware inside your network and every user within your organization to understand how the security should be configured. Fortunately, there are some best practices you can follow to make the process more efficient.
First, adopt a role-based structure for your NAC list. This means that instead of setting up policies for each and every user, you group employees into roles based on their job function and build access policies that way. The other key step is to use the principle of least privilege (POLP), which instructs IT teams to provide users with only the access levels they absolutely need to fulfill their duties.
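The two-stage authentication/authorization check, the posture rule for new devices, the tagging of IoT hardware into limited groups, and a role-based least-privilege policy, combined into one small decision function. This is an added illustration, not code from this article or from any NAC vendor; the users, MAC addresses, roles and resource names are constructed, and tagged IoT devices are treated as authenticated by their inventory entry as a simplification.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample directory, device inventory and policy (not real systems).
def _hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {
    "alice": {"salt": "s1", "hash": _hash("correct horse", "s1"), "role": "engineer"},
    "bob": {"salt": "s2", "hash": _hash("battery staple", "s2"), "role": "finance"},
}
# Least privilege: each role lists only the resources its job function needs.
ROLE_POLICY = {
    "engineer": {"git", "build-farm"},
    "finance": {"erp"},
    "iot-sensor": {"telemetry-collector"},   # limited group for tagged IoT gear
}
# Inventory keyed by MAC. "compliant" means the NAC client is installed and
# healthy; IoT hardware has no client, so it is tagged into a role instead.
DEVICES = {
    "aa:bb:cc:00:00:01": {"compliant": True, "tag": None},
    "aa:bb:cc:00:00:02": {"compliant": False, "tag": None},
    "aa:bb:cc:00:00:03": {"compliant": True, "tag": "iot-sensor"},
}
QUARANTINE = set()   # never-seen hardware is inventoried here, not admitted

@dataclass
class Request:
    device: str
    resource: str
    user: str = ""
    password: str = ""

def authenticate(user: str, password: str):
    """Stage 1: verify credentials; return the user's role or None."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return None
    return rec["role"]

def decide(req: Request) -> str:
    """Zero-trust rule: any failed step blocks the request."""
    dev = DEVICES.get(req.device)
    if dev is None:                     # unknown device: tag it and hold it
        QUARANTINE.add(req.device)
        return "quarantine"
    if not dev["compliant"]:            # known device that fails posture policy
        return "deny:posture"
    role = dev["tag"] or authenticate(req.user, req.password)
    if role is None:
        return "deny:authentication"
    if req.resource not in ROLE_POLICY.get(role, set()):
        return "deny:authorization"     # stage 2: outside the role's allow-list
    return "allow"
```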
Steps to Implement NAC Solutions
It can be tempting to run out and purchase a NAC product and then quickly install it on your hardware, especially if you are concerned that your enterprise might be susceptible to cyberattack. However, it’s important to take a step back and plan the entire implementation of your NAC solution. Here are the main steps to follow:
1. Gather Data
Before you can successfully implement a NAC solution, you must perform an exhaustive survey of every endpoint inside your network. This includes every device, server, and piece of equipment that has to interface with digital resources. Without this information, your NAC system will struggle to protect the entire organization.
2. Manage Identities
Next, you must decide how you will manage user identities within your organization. This gets back to the topic of authentication and authorization. Your existing directory systems should be set up to verify user identities, and then you can go about determining how permission roles should be configured.
3. Determine Permissions
Remember the POLP rules when creating permission policies: only grant access at the level absolutely required for an individual to perform their duties. Otherwise, you run the risk of opening your systems up to attack through security gaps that you didn’t know existed.
4. Apply Permissions
Within your NAC tool, you should be able to integrate your existing directory system or else import your permission policies directly. Every employee, partner, and vendor should be registered in the NAC system as a user so that their access levels and activity can be traced.
5. Update As Needed
Always keep in mind that managing network access controls is not a one-time task. Your IT team must continue to monitor security operations and make adjustments to permission policies based on how the organization evolves over time.
How to Choose a Network Access Control Solution
As discussed earlier, today’s NAC products aim to cover a wide range of use cases to boost the overall security of your enterprise. That can make it challenging to find the right solution for your company, especially if you don’t know what your internal security weaknesses are.
What to Look for in a NAC Solution?
To help narrow down your search for NAC products, you should first focus on tools that offer native integration with your enterprise’s existing software. You don’t want to have to change your infrastructure or network design in order to bring the NAC solution online. If you are heavily dependent on a cloud architecture, then look for solutions that are fully supported by your hosting provider.
Next, think about what kind of proactive tools come included with the NAC suite. Some vendors offer all-in-one packages that feature a full virus scanning utility and firewall mechanism alongside everything else in the NAC. If your IT security strategy is not very mature, this kind of suite may be very helpful.
Of course, one key factor when looking at NAC options is the price point. Some vendors will sell their products at a flat rate, while others are quickly going the route of a Software as a Service (SaaS) subscription, an increasingly popular business model that requires a monthly payment and an ongoing contract. Think about the state of your IT budget while remembering that the upfront investment could save you lots of money down the road.
5 Network Access Control Products and Solutions
Now let’s look deeper at five NAC options and how they stack up to one another in terms of features and functionality.
- Cisco Identity Services Engine — Cisco is one of the leaders in networking technology, so it’s no surprise that they have a robust NAC solution. It supports 1.5 million endpoints per deployment and includes AI features for faster incident response.
- Pulse Policy Secure — The NAC solution offered by Pulse Secure is fully capable of protecting mobile devices and IoT hardware on your network. Permission policies can be created through an easy-to-use wizard and can be scaled up to support 50,000 concurrent users in your organization.
- Aruba ClearPass — The focus of Aruba’s NAC solution is all about providing real-time information about what devices are on your network and how they are being used. It can be partnered with the Aruba Policy Enforcement Firewall to reduce the risk of external attacks.
- FortiNAC — The Fortinet company offers a range of security solutions, including a NAC product that can handle both physical and virtual environments. Best of all, FortiNAC is specially designed to integrate with over 150 vendor products to help complete your cybersecurity strategy.
- ForeScout CounterACT — The NAC product from ForeScout is designed to bring together all of your security silos and create a single management portal. It is specially designed to handle any kind of IoT hardware and help you automate the security monitoring of those devices.
Network Access Control FAQ
Let’s review some of the most common questions that arise when evaluating different NAC options and products.
Q: What Is Not A Variable That A Network Access Control List Can Filter Traffic With?
A: One variable that can be difficult to track is the geographic location. Because of the way wide area networks and VPNs are configured, IP addresses don’t always correspond to physical coordinates. This means you can’t necessarily filter access controls based on where a person is located.
Q: How Long Has Network Access Control Been Around?
A: The concept of network access control has been around since the early days of the Internet, but the term itself did not gain popularity until 2006. That was when big companies like Microsoft and Cisco began putting together standards for how access permissions should be managed.
Q: What Does The Network Access Control Layer Do?
A: The Network Access Control Layer is responsible for handling the authentication and authorization of user requests. This typically occurs at Layer 2 of the Open Systems Interconnection (OSI) model, also known as the data link layer.
Q: What Is Social Network Analysis Access Control?
A: Social Network Analysis Access Control is the practice of how public social media sites and applications manage the complex network of permissions, which control how users can view or modify different pieces of data.
Q: How Do You Test Network Access Control Devices?
A: With a practice known as penetration testing, enterprises will hire external groups to test the strength of a network perimeter and see what types of devices could be vulnerable to access control issues.
In today’s world of cyberattacks and data breaches, trusting a single antivirus tool or firewall is not enough to protect your enterprise’s infrastructure and systems. For most organizations, digital data is the most valuable asset they have and a tool like Varonis is capable of managing, classifying, and protecting that data.
With that level of oversight, you can implement an overall network access control system to help secure your systems from external threats. The goal should always be to restrict access to only authorized individuals and devices that meet the security standards of your organization.
Check out the Live Cyber Attack Demo to see how Varonis augments your NAC solution.
Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.