Network access control (NAC) is a system that lets an organization control which devices and users may connect to its internal network, and what they can reach once connected. Primarily used by financial institutions, corporations with high security requirements and some universities, NAC has (so far) failed to become the mainstream security product some thought it would when the technology first entered the market at the end of 2003.
Times are changing, however.
Thanks to the advent of bring your own device (BYOD) and the integration of NAC technology into mobile device management (MDM) products, NAC is enjoying a rise in popularity among enterprises in general: a growing number of organizations are evaluating it as a practical IT security tool for controlling which devices can reach their networks.
Large organizations are the primary group showing increased demand for NAC. This is due to the particular demands enterprises face regarding the number of employees and the need to grant access to contractors, visitors and third-party suppliers. As awareness of the breach risk associated with these groups grows, so too does the demand for NAC to help mitigate it. Most NAC vendors also report an increase in demand in the small and medium-sized enterprise (SME) market, driven largely by media reports of breaches and the reputational damage they cause.
However, NAC is an expensive investment, particularly for SMEs, so organizations must consider whether it will provide a tangible security benefit before deciding to purchase network access control products. It is especially important to assess the risk to the organization from BYOD, weak access permissions and advanced persistent threats (APTs).
NAC scenario #1: BYOD threats
BYOD is the key reason NAC is increasingly becoming an in-demand technology. That's because securely handling mobile devices is a key concern for CISOs tasked with providing secure network access with minimal disruption to end users.
As the line between personal and professional time blurs, end users are demanding to use not just corporate-owned devices (smartphones, tablets, laptops and others) but personal ones for business as well. This greatly complicates endpoint and network security for organizations, which meanwhile need to support not just employees connecting devices to the network, but devices from third parties (e.g., visitors, partners and contractors) as well.
There are hundreds of combinations of device type, model and operating system versions out there today; and mobile devices can be configured in innumerable ways with a vast selection of installed apps. Personal devices, meanwhile, generally do not have enterprise-level MDM and antivirus products installed. Users quite commonly disable basic security settings, or install apps that appear to be genuine but may actually perform actions that compromise the security of the device.
All of this creates a unique challenge for organizations regarding how to allow these devices to connect and not compromise the security of the network; the more devices that connect, the greater the risk that the network can be compromised. Mobile devices, meanwhile, are increasingly being targeted by criminals, and apps containing malware have become a popular attack vector.
This is where NAC plays its part. The leading NAC products support Apple iOS, Android and Windows devices, identify each device as it connects (for example by 802.1X authentication, MDM enrollment status or device fingerprinting) and place it on a network segment appropriate to its trust level. A personal mobile device, for instance, can be granted Internet-only access with no route to corporate resources.
NAC scenario #2: Delivering role-based network access
While NAC is generally thought of as a security technology that either allows or denies access to the network, one of its major advantages is the ability to deliver network access on a granular basis. It can be integrated with Active Directory so that a device is placed only on the network segments (typically by VLAN assignment or a per-session ACL pushed to the switch) that its owner needs to perform their job role.
As most IT managers are aware, managing both Active Directory group membership and network share permissions in a large network is an often insurmountable task, and it inevitably leads to excessive permissions. NAC cannot fix the share permissions themselves, because it enforces at the network layer rather than on the file system. What it adds is a second, centrally managed layer of control: a user whose group membership has drifted still cannot reach a file server that their role was never granted at the network level.
For example, on most internal network penetration tests I've been involved in, weak controls on network shares are a key vulnerability. They either directly expose personally identifiable information or expose data that allows further enumeration of network resources. In one test, a misconfigured IT share allowed access to passwords for a number of key databases that contained customer names, addresses, dates of birth and payment card details. NAC would have reduced the exposure of this data by limiting which endpoints could reach the share at all, although the share permissions themselves still needed fixing.
NAC scenario #3: Reduce the risk from APTs
NAC does not itself detect APTs, prolonged and stealthy intrusions in which an attacker establishes persistent remote access to a network and extracts data over a period of time while evading detection. What it can do is prevent the source of the threat from connecting to the network in the first place. Some NAC systems also integrate with detection products (such as FireEye) so that a system flagged as compromised is automatically moved to an isolated segment before the attacker can reach further into the network.
Take the well-known example of the 2013 breach at Target. The attackers first compromised a third-party heating, ventilation and air conditioning (HVAC) contractor that had remote access to Target's network, and then used the contractor's access as their way into Target's own systems.
NAC would have made it possible to restrict the HVAC vendor's connection automatically to the systems the vendor actually needed, so that the attackers' foothold did not extend to corporate data and payment systems. That would have made it much harder for the attack to have the impact it did, saving Target a great deal of money and sparing both the retailer and its customers a lot of trouble. The caveat is that NAC only helps here if the vendor's segment is genuinely isolated from the rest of the network; a valid contractor login that NAC places onto a flat network gains nothing.
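The three scenarios above all come down to one decision made at connection time: given what the NAC server has learned about an endpoint, which network segment and ACL does it get? The following is an added example, not code from this article or from any NAC product. It is a toy policy decision point that covers all three cases: an unauthenticated or personal device gets Internet only (scenario 1), a managed device gets a VLAN and ACL chosen from its Active Directory groups (scenario 2), and a device flagged by a detection integration or failing a posture check is quarantined regardless of role (scenario 3). The group names, VLAN IDs and ACL names are assumptions chosen for illustration. The reply is expressed as the standard RADIUS attributes that NAC servers do return to switches and wireless controllers: Tunnel-Private-Group-ID carries the VLAN (RFC 2868) and Filter-Id names the ACL to apply (RFC 2865).

```python
"""Toy NAC policy decision point (added example, not product code).

Maps what is known about an endpoint at connection time to the network
access it receives. Group names, VLAN IDs and ACL names are assumptions.
"""
from dataclasses import dataclass

# Hypothetical access profiles: (VLAN id, ACL name).
INTERNET_ONLY = (900, "acl-internet-only")   # guests and personal devices
QUARANTINE = (999, "acl-remediation-only")   # failed posture or isolated
CORP = (100, "acl-corp-user")
FINANCE = (120, "acl-finance")
VENDOR_HVAC = (300, "acl-hvac-only")         # reaches the building systems only


@dataclass(frozen=True)
class Endpoint:
    identity: str                        # RADIUS User-Name, or MAC for MAC auth
    authenticated: bool                  # 802.1X/EAP succeeded against AD?
    ad_groups: frozenset = frozenset()   # AD groups returned for the user
    managed: bool = False                # enrolled in MDM / corporate build
    posture_ok: bool = True              # AV running, patched, encrypted ...
    isolated: bool = False               # flagged by the detection integration


def radius_reply(profile, reason):
    """Build the RADIUS Access-Accept attributes for an access profile."""
    vlan, acl = profile
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
        "Filter-Id": acl,
        "reason": reason,   # kept for the NAC log, not sent to the switch
    }


def decide(ep: Endpoint) -> dict:
    """Return the access profile for an endpoint.

    Order matters: isolation and posture are evaluated before role, so a
    compromised or unpatched finance laptop loses finance access rather
    than keeping it because of its group membership.
    """
    if not ep.authenticated:
        # Unknown device: the guest portal lives on this segment.
        return radius_reply(INTERNET_ONLY, "not authenticated")
    if ep.isolated:
        return radius_reply(QUARANTINE, "isolated by detection integration")
    if not ep.managed:
        # A valid user login on a personal device is still BYOD.
        return radius_reply(INTERNET_ONLY, "unmanaged device (BYOD)")
    if not ep.posture_ok:
        return radius_reply(QUARANTINE, "posture check failed")
    # Role-based access. Third parties are checked first so that a
    # contractor account never falls through to an employee profile.
    if "Vendor-HVAC" in ep.ad_groups:
        return radius_reply(VENDOR_HVAC, "third-party HVAC contractor")
    if "Finance" in ep.ad_groups:
        return radius_reply(FINANCE, "finance role")
    if "Domain Users" in ep.ad_groups:
        return radius_reply(CORP, "standard employee")
    return radius_reply(INTERNET_ONLY, "authenticated but no recognised role")


if __name__ == "__main__":
    # Constructed sample endpoints, one per branch of the policy.
    samples = [
        Endpoint("aa:bb:cc:dd:ee:ff", authenticated=False),
        Endpoint("jsmith", True, frozenset({"Domain Users"}), managed=False),
        Endpoint("jsmith", True, frozenset({"Domain Users", "Finance"}), managed=True),
        Endpoint("jsmith", True, frozenset({"Domain Users", "Finance"}), managed=True,
                 posture_ok=False),
        Endpoint("hvac-svc", True, frozenset({"Vendor-HVAC", "Domain Users"}), managed=True),
        Endpoint("hvac-svc", True, frozenset({"Vendor-HVAC"}), managed=True, isolated=True),
    ]
    for ep in samples:
        r = decide(ep)
        print(f"{ep.identity:20} VLAN {r['Tunnel-Private-Group-ID']:4} "
              f"{r['Filter-Id']:22} ({r['reason']})")
```

The ordering of the checks is the security-relevant design choice: a real product lets an administrator reorder rules, and putting the role rules above the posture and isolation rules would let a compromised finance laptop keep its finance VLAN. The VLAN and ACL only achieve anything if the network actually enforces them, which is the same point made about the HVAC vendor above.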
Key questions to ask before deploying NAC products
NAC is not suitable for all businesses. The larger an organization -- and therefore the more devices that will connect to the network -- the more useful network access control products will be. That's why it is important to not just understand the use cases for NAC technology outlined above, but to also ask a few important questions when deciding whether or not to deploy NAC products:
- Do I know how many devices are connected to my network? What they are and who owns them?
If an organization cannot answer all of these questions, it probably has little control over what is already connected to its network and what will be connecting in the future. In this case, NAC is strongly worth considering, as it provides visibility of the existing infrastructure and of any new devices that connect.
- Who will be looking at the alerts generated by NAC?
The organization needs IT staff capable of interpreting these alerts and ensuring that network access is delivered securely but with minimum disruption to legitimate users. Bear in mind that this may be a full-time job dependent on how many endpoints are being managed by the NAC system. At the very least, the IT team will need to be assigned specific time for monitoring alerts generated by the NAC system.
- Do I feel I have control over the data leaving my network?
Devices connecting to the network are obviously one of the key ways that data then leaves it. NAC is not a data loss prevention tool and does not inspect what an authorized user copies out, but if an organization is concerned about which data is reachable it can use NAC to grant a connecting user access only to the network segments needed for the purpose of the connection. If a malicious user or compromised device then connects, the NAC policy limits how far it can reach, and so limits the damage done by the compromise.
- Do I have current security systems that would need to integrate with NAC?
Consider what security systems are already present on the network. Are these being used effectively, or are they just white noise? If an organization chooses to implement NAC, it should ensure it integrates with, for example, its MDM or security information and event management (SIEM) products. This will save the additional overhead of managing different IT security systems on separate platforms.
- Does the business need the ability to scale up deployment?
NAC products are often licensed per endpoint, so an organization needs to consider the cost of adding licenses as its infrastructure expands. An organization that buys NAC for 1,000 endpoints and later grows to 5,000 will see the cost of the product rise with it.
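The first question in the list above, whether you know what is on the network and who owns it, can be tested before buying anything. The following is an added example, not code from this article or from any product: it joins the devices seen in DHCP leases against an asset register and reports what is unknown, which is the visibility gap NAC is meant to close. The lease lines, the asset register and the OUI table are constructed for the example; in practice the leases come from the DHCP server or the switches' MAC address tables, and the vendor prefixes from the IEEE OUI registry.

```python
"""Network visibility check (added example, not product code).

Joins devices seen on the network against an asset register and reports
what is unknown. All input data below is constructed for the example.
"""
from collections import Counter

# Constructed DHCP-lease style records: ip, mac, client hostname.
# The last line repeats the first to show de-duplication; '*' is a
# client that sent no hostname.
LEASES = """\
10.0.10.21  3C:22:FB:12:34:56  jsmith-macbook
10.0.10.22  00:50:56:AB:CD:EF  fileserver01
10.0.10.23  3c:22:fb:aa:bb:cc  iphone
10.0.10.24  B8:27:EB:00:11:22  raspberrypi
10.0.10.25  00:1A:2B:3C:4D:5E  *
10.0.10.21  3c:22:fb:12:34:56  jsmith-macbook
"""

# Constructed asset register: MAC -> (owner, device class).
ASSETS = {
    "3c:22:fb:12:34:56": ("jsmith", "corporate laptop"),
    "00:50:56:ab:cd:ef": ("IT", "server"),
}

# Constructed OUI subset: first three octets -> vendor name.
OUIS = {
    "3c:22:fb": "Apple",
    "00:50:56": "VMware",
    "b8:27:eb": "Raspberry Pi Foundation",
}


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so registers and leases compare."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> dict:
    """Return {mac: (ip, hostname)}, keeping the last lease seen per MAC."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue   # skip blank or malformed lines
        ip, mac, host = parts
        seen[normalise_mac(mac)] = (ip, host)
    return seen


def inventory(leases: dict, assets: dict, ouis: dict) -> dict:
    """Classify each seen device as known (in the register) or unknown,
    identifying unknown ones as far as the OUI allows."""
    known, unknown = {}, {}
    for mac, (ip, host) in leases.items():
        if mac in assets:
            owner, dev_class = assets[mac]
            known[mac] = {"ip": ip, "host": host, "owner": owner, "class": dev_class}
        else:
            unknown[mac] = {"ip": ip, "host": host,
                            "vendor": ouis.get(mac[:8], "unknown OUI")}
    owners = Counter(d["owner"] for d in known.values())
    return {"total": len(leases), "known": known, "unknown": unknown,
            "by_owner": dict(owners)}


if __name__ == "__main__":
    report = inventory(parse_leases(LEASES), ASSETS, OUIS)
    print(f"{report['total']} devices seen, "
          f"{len(report['unknown'])} not in the asset register")
    for mac, d in report["unknown"].items():
        print(f"  {mac}  {d['ip']:12} {d['host']:14} {d['vendor']}")
```

A MAC-based inventory is the weakest form of visibility, since MAC addresses are trivially spoofed and tell you nothing about who is using the device; it is enough to answer the "do I know what is connected" question, and the gap it reveals is what an 802.1X-based NAC deployment, which ties each connection to an authenticated user, is intended to fill.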
Obstacles to NAC product deployment
Before deploying network access control products, consider the following obstacles:
1. Ensure there is sufficient time available to monitor alerts. Without monitoring and interpretation of alerts, the data the system provides is at best wasted and, at worst, the system itself becomes the disruption, blocking network access for users who legitimately need it.
2. Look at the connections into the organization's network. Do users connect via SSL VPN, or through a product such as Citrix? Ensure the NAC system integrates with the remote access systems already established on the network, or those connections will bypass it and it will not work to full effect.
Choosing to implement NAC can drastically improve an organization's network security posture by allowing greater control over which devices access the network and what they are granted access to. By segmenting untrusted parties (such as visitors or third parties) into restricted areas of the network, the risk of an intentional or accidental breach can be reduced.
Consider whether the main benefits of NAC, such as greater control over BYOD, more granular access to network shares and better protection against APTs, are worth the investment. Take into account that implementing NAC not only requires upfront expenditure, it also entails ongoing investment in the form of additional licenses, training, monitoring of the NAC system and responding to alerts.
And, don't forget, NAC also needs to work harmoniously with existing IT security systems. A number of network access control products integrate directly with existing MDM or SIEM systems, which have central management consoles, and reduce costs associated with administration and training.