Network access control systems use endpoint security to control access to an organization's network. Devices are not allowed to connect unless they meet a predefined business policy, which is enforced by network access control products.
The technologies and processes that make up network access control (NAC) security have been around in various guises for many years -- originally as part of intrusion prevention systems (IPS) or integrated into various other products, such as wireless systems. However, in the past, NAC security wasn't delivered in the unified manner with which it can now be deployed.
Organizations would traditionally leverage NAC technologies to detect and protect against rogue devices connected to the physical network, usually in the form of Windows desktops or laptops. However, as technology has progressed and the number and types of network-connected devices have proliferated, network access control systems have been updated to account for wireless networks, mobile devices and BYOD culture, as well as cloud-based services. Recently, particular focus has been paid to integrating NAC with the internet of things (IoT), to the point where one of the major NAC vendors now refers to itself as an IoT company.
BYOD and IoT have hugely impacted the face of the NAC market, with controlling personal devices, primarily smartphones and tablets, becoming one of the most important roles that NAC products play. As a result, NAC product vendors are increasingly partnering with mobile device management (MDM) vendors in order to ensure that mobile devices are handled correctly, in addition to integrating with various other vendors to ensure maximum visibility of IoT-enabled devices.
Partnerships between MDM and NAC providers usually involve integrating mobile management modules to a NAC system. There are a number of advantages when MDM providers integrate their products with NAC. MDM software is only aware of devices that are already enrolled in the system; but, by integrating with NAC, it can be aware of new devices connecting to the network, as well.
Also, MDM does not typically control network access, only access to applications and the enforcement of encryption. NAC integration can provide the same policy enforcement and access control to mobile devices as it does with desktops and laptops, and can enforce the installation of the MDM agent before network access is permitted. Integration also means there is only one system to manage, which leads to less conflict between MDM and NAC policies.
Why network access control?
Network access control systems are useful because they enable organizations to control the myriad of different endpoints connected to corporate networks, thereby helping to protect them from rogue and compromised devices. They do this by enforcing predefined policies, which require connected endpoints to meet prerequisites, such as a type of device or the presence of up-to-date patching and antivirus software.
While NAC products can be used by organizations of all sizes, they are most relevant to those that have a large number of employees with many different devices -- for example, mobile devices and laptops. In addition, NAC aids IT in the enormous challenge of securing network access when a company has many satellite offices. This challenge has become more difficult as IoT-enabled devices have started to become embedded in organizations on a much larger scale.
How network access control systems work
When deployed, network access control systems immediately discover all the devices connected to a network, categorize them by type and then react to them based on preconfigured compliance rules implemented by the organization's security team. NAC products enable device access to a network based on a specific, per device basis, with granular controls over what type and level of access is allowed. These controls are delivered by policies that are defined in a central control system.
Policies that might be defined would be to disallow all Android smartphones and tablets, for example, or to disallow all devices that run Microsoft Windows that do not have the latest service pack. Admins could even block devices based on a whitelist of Mac addresses, making it more difficult for rogue devices to connect to the network.
The importance of NAC integration
What is becoming increasingly important for organizations is that network access control systems seamlessly integrate with existing security infrastructure, especially security information and event management (SIEM), IPS, MDM, advanced threat detection services and next-generation firewalls (NGFW). NAC systems can use alerts generated by these integrated products to better react to changing network status.
Using extensive research into network access control systems, TechTarget editors focused on vendors that were in the top 80% of the NAC market. We chose vendors that represented both pure play and infrastructure factions of the market. Our research included internal TechTarget reports and Gartner reports.
Examples of this would be blocking all new device connections if an intrusion attempt is flagged, or blocking a single device based on its behavior -- e.g., the device is initiating port scans -- as well as blocking a device based on the information received; be it because a specific device is initiating attacks on the network or because it has been compromised. Recent integrations with vulnerability assessment and threat detection tools can block devices based on indicators of compromise, and can alert IT teams immediately to a potential intrusion or advanced persistent threat infection.
Most network access control systems can also integrate with Active Directory in order to control network access based on group policy, ensuring users only have the network access required to fulfill their jobs. For example, an organization wouldn't want a call center agent to have access to the human resources database, or for a contractor to have access to pension information.
Agent and agentless network access control
The first task NAC must achieve is to inventory all the devices connected to the network. This can be done with agents -- or an app for mobile devices -- that are installed on each endpoint to gather this data, or it can be agentless. Whether inventory is performed with or without an agent, or a combination of the two, varies from NAC product to NAC product.
Agents gain detailed information about devices by accessing their registries, running processes and file structure in order to enumerate the installed OS and software versions, hardware makeup -- processor, memory, storage and the like -- and to detect any security concerns.
There are certain limitations to agent-based NAC that organizations should be aware of, however. First, network access control systems need to be able to handle devices that connect without an agent. Relying on an agent would only leave admins with two options: deny all access or grant access to everything. Neither of these is a valid response because denying all access would make it impossible to add new devices to a network, and allowing all access would defeat the purpose of the network access system.
Additionally, individual agents do not work with all OSes, and they certainly can't be installed on devices such as printers, routers or voice over IP systems. That's a problem because an all-encompassing NAC system should be able to control access for all types of devices.
There can also be problems if a device is required to connect to a different network because it may not have the correct agent installed. This can be alleviated if the agent is nonpersistent and, therefore, only installs temporarily while connected to the network.
In agentless installs, information is gathered either through passive or active discovery. Passive discovery monitors the network for traffic emanating from endpoints and uses information that is present within the traffic to discover information about the endpoint -- for example, the manufacturer and software versions.
Active discovery can gather much more detailed information, and it achieves this by logging onto connected devices using Active Directory credentials -- in the case of Windows devices -- or by using port scanning and fingerprinting techniques for other devices. Agentless capability is particularly important for NAC systems that are able to handle IoT-enabled devices, as it would be impossible to force an agent install.
Once a NAC product has inventoried all the devices connected to the network, it continues to monitor them for changes and malicious activity. Any activity from an endpoint that is deemed to be a security risk, such as a port or vulnerability scan, can therefore be detected and stopped.
The cost and management of network access control systems
NAC systems are sold either as virtual or physical appliances. Pricing depends on the number of endpoints that the system will need to handle, but typically ranges from around $12,000 to $30,000. On top of this, there are ongoing support costs of around $2,500-$3,000 a year, plus any additional costs in providing training to staff members responsible for managing the product.
The technology is managed centrally using an appliance or virtual machine provided by the NAC vendor. Some vendors provide training as part of the package to teach staff how to use the equipment, how to configure policies and how to manage the alerting systems. With this in mind, organizations that are looking to implement NAC systems should be aware that time, and potentially money, will need to be dedicated to training, and internal admins will need to have part of their job role dedicated to managing the NAC product.
NAC is a powerful security product when implemented correctly, and it can help an organization feel in control of the network and the devices connected to it, especially with the huge number and different types of devices that are now being used. It is not a silver bullet that protects against all network threats, however. Network access control systems should be used in conjunction with other systems, such as SIEM, NGFW, IPS, MDM and threat detection tools.
In addition, implementation of NAC should be backed up with security testing to ensure that the specific NAC product chosen by the organization is a good fit with existing IT security. And it should not either over-zealously block resources or provide too much access.
Use these approaches to create cyber safe work environments
Compare these network access control products and see which one is best for you
Learn how to vet network security tools