A network access control system allows organizations to restrict access to resources on their network. Traditionally used by financial institutions, corporations with high security requirements and some universities, NAC systems' usage is now increasing rapidly, thanks to the exponential increase in bring your own device policies and internet of things devices on the network, and the integration of NAC technology into mobile device management, SIEM, next-generation firewalls and threat detection products.
The primary group showing increased demand for NAC is large organizations. This is due to the unique demands enterprises have in regards to number of employees and granting access to contractors, visitors and third-party suppliers. As the risk of breaches associated with these groups becomes a board-level issue, so too does the demand for NAC to help mitigate the risk. Most NAC system vendors are also reporting an increase in demand in the small and medium-sized business (SMB) market. This has largely been propagated by media reports of breaches and the potential reputational damage they cause.
However, NAC is an expensive investment, particularly for SMBs, so organizations must consider whether it will provide a tangible security benefit before deciding to purchase network access control products. It is especially important to assess the risk to the organization from BYOD, the internet of things (IoT), weak access permissions and advanced persistent threats (APT).
NAC scenario No. 1: BYOD and IoT threats
BYOD and IoT have become key to increasing demand in NAC technology mainly because securely handling mobile devices is a key concern for CISOs tasked with providing secure network access with minimal disruption to end users.
As the line between personal and professional time blurs, end users are demanding to use not just corporate-owned devices -- smartphones, tablets, laptops, among others -- but personal ones for business as well. This greatly complicates endpoint and network security for organizations that need to support not just employees connecting devices to the network, but devices from third parties -- e.g., visitors, partners and contractors -- as well.
The addition of IoT into the enterprise workplace has caused NAC vendors to ensure their agentless detection can successfully assess and categorize these devices. This is only likely to increase in the future, with various monitoring systems for HVAC, security cameras and even devices for monitoring staff activity being deployed into offices.
There are hundreds of combinations of device type, model and operating system versions out there today. And mobile devices especially can be configured in innumerable ways with a vast selection of installed apps. Personal devices, meanwhile, generally do not have enterprise-level mobile device management (MDM) and antivirus products installed. Users quite commonly disable basic security settings or install apps that appear to be genuine but may actually perform actions that compromise the security of the device. This, worryingly, could lead to APT or ransomware infections spreading from the personal device to the corporate network.
All of this creates a unique challenge for organizations regarding how to allow these devices to connect and not compromise the security of the network; the more devices that connect, the greater the risk of the network getting compromised. Mobile devices, meanwhile, are increasingly being targeted by criminals, and apps containing malware have become a popular attack vector.
The top NAC products on the market today support Apple iOS, Android and Windows devices. NAC systems can play a vital role in automatically identifying devices as they connect to the network and providing access that does not potentially compromise security. For example, when a personal mobile device connects, it can be granted access only to the Internet and not to any corporate resources. The same can be done now for IoT-enabled devices, categorizing them based on defined criteria and blocking, or creating a safe network segment, for those that are not authorized.
NAC scenario No. 2: Delivering role-based network access
While NAC is generally thought of as a security technology that either allows or denies access to the network, one of the major advantages of it is the ability to deliver network access on a granular basis. This can be integrated with Active Directory controls to provide network access only to areas of the network that allow the particular owner of the device to perform their job role.
As most IT managers are aware, managing both Active Directory group membership and network share permissions in a large network is an often insurmountable task and inevitably leads to excessive network permissions. Being able to manage this centrally through an NAC system can allow greater control and flexibility for delivering access to shared folders.
Weak controls on network shares are often a key vulnerability that IT comes across during the network penetration tests. Having NAC products in such circumstances would go a long way toward solving this problem. NAC products either directly provide access to personally identifiable information or provide access to data that allows further enumeration of network resources. For example, If a misconfigured IT share allowed access to passwords for a number of key databases containing customer names, addresses, dates of birth and payment card details, having an NAC system would mitigated the risk posed to this data.
NAC scenario No. 3: Reduce the risk from APTs
Although NAC does not provide functions that directly detect and thwart APTs, it can stop the source of the threat from connecting to the network. Some NAC systems even integrate with APT detection products, such as FireEye, and automatically isolate affected systems before attackers can further access the network.
Using the famous example of the attacks against Target in 2013, the original infection occurred when a third-party vendor that sold heating and air conditioning connected to Target's IT network. Hackers targeted the third party, whose connection was in turn used to attack and exploit Target's network.
Using an NAC system would have made it possible to automatically restrict access to the Target network by the HVAC vendor, thereby restricting access that the APT had to corporate data and resources. This would have made it much more difficult for the attack to have the same level of impact it had, saving Target a lot of money and both the retail behemoth and its customers a ton of hassle.
Key questions to ask before deploying NAC products
NAC is not suitable for all businesses. The larger the organization, the more devices that will connect to the network and, therefore, the more useful the network access control products will be. That's why it is important to not just understand the use cases for NAC technology outlined above, but to also ask a few important questions when deciding whether or not to deploy NAC products:
Do I know how many devices are connected to my network, what they are and who owns them?
If you don't know the answers to these questions, then NAC is strongly worth considering, as it will provide visibility to existing infrastructure and any new devices connecting to the network.
Who will be looking at the alerts generated by NAC?
The organization needs IT staff capable of interpreting these alerts and ensuring that network access is delivered securely but with minimum disruption to legitimate users. Bear in mind that this may be a full-time job depending on how many endpoints are being managed by the NAC system. At the very least, the IT team will need to be assigned specific time for monitoring alerts generated by the NAC system.
Do I feel I have control over the data leaving my network?
Devices connecting to the network are obviously one of the key ways that data leaves the network. If an organization is concerned about what data is being removed from the network -- and specifically what type of data -- NAC could help deliver network access to only the data required for the specific purpose a user is connecting. In this way, if a malicious user accesses the network, the NAC system would restrict their access, limiting the damage done by the compromise.
Do I have current security systems that would need to integrate with NAC?
Consider what security systems are already present on the network. Are these being used effectively, or are they just white noise? If an organization chooses to implement NAC, it should ensure it integrates with, for example, its MDM or SIEM products. This will save the additional overhead of managing different IT security systems on separate platforms.
Does the business need the ability to scale up deployment?
NAC products are often sold on a per-endpoint basis. Organizations will therefore need to consider the cost of adding more endpoint licenses as their infrastructures expand. For example, say an organization of 1,000 endpoints purchases a NAC product. However, because NAC licensing is delivered on a per-endpoint basis, if the organization expands to 5,000 endpoints, the cost of the NAC product will dramatically increase as well.
Obstacles to NAC product deployment
Before deploying network access control products, consider the following obstacles:
- Ensure there is sufficient time available to monitor alerts. Without monitoring and interpretation of alerts, the data provided by the system can be, at best, wasted and, at worst, disrupted -- if network access is blocked for a user that requires it.
- Look at the connections into the organization's network. Do users connect via SSL VPN, or over a product such as Citrix? Ensure the NAC system integrates with the systems already established on the network or it won't work to full effect.
Choosing to implement NAC can drastically improve an organization's network security posture by allowing for greater control over what devices are accessing the network, and what they are granted access to. By effectively sandboxing untrusted parties, such as visitors or third parties, into specific network segments, the risk of an intentional or accidental breach can be reduced.
Consider whether the main benefits of NAC -- such as greater control over BYOD and IoT, more granular access to network shares and better protection against APTs -- is worth the investment. Take into account that implementing NAC not only requires upfront expenditure, it also entails ongoing investment in the form of additional licenses, training, monitoring of the NAC system and responding to alerts.
And, don't forget, NAC also needs to work harmoniously with existing IT security systems. A number of network access control products integrate directly with existing MDM or SIEM systems, which have central management consoles, and reduce costs associated with administration and training.
The five questions to answer before buying NAC
Familiarize yourself with enterprise NAC products