What is NAC and why is it important for network security?

NAC plays a key role in Zero Trust network access (ZTNA), and is a powerful tool for securing IoT devices and protecting mobile and remote workers

cyber technology security protection monitoring concept advanced picture id1276687348

Network Access Control (NAC) is a cybersecurity technique that prevents unauthorized users and devices from entering private networks and accessing sensitive resources. Also known as Network Admission Control, NAC first gained a foothold in the enterprise in the mid-to-late 2000s as a way to manage endpoints through basic scan-and-block techniques.

As knowledge workers became increasingly mobile, and as BYOD initiatives spread across organizations, NAC solutions evolved to not only authenticate users, but also to manage endpoints and enforce policies.

How NAC works

NAC tools detect all devices on the network and provide visibility into those devices. NAC software prevents unauthorized users from entering the network and enforces policies on endpoints to ensure devices comply with network security policies. NAC solutions will, for instance, make sure that the endpoint has up-to-date antivirus and anti-malware protections.

Non-compliant devices may be blocked from the network, placed in quarantine, or be granted limited access rights.

NAC works in two stages. The first stage, authentication, identifies users and verifies their credentials. Most NAC tools support a variety of authentication methods, including passwords, one-time pins, and biometrics.

In the second stage, NAC enforces a number of policy factors, including device health, location, and user role. Most NAC devices also have the ability to limit access by role, granting users access to only the resources that are necessary to do their jobs.

If a user or device fails at either the authentication or authorization stage, the NAC tool blocks or quarantines the device and/or user.

What are the different types of NAC approaches?

NAC approaches may differ in a number of ways, but two common differences involve when devices are inspected and how the system gathers information from the network.

Pre-admission vs. post-admission: There are two ways NAC authorizes access to end devices. In pre-admission designs, devices are inspected and policies enforced before devices are granted access to the network. This approach is best suited to use cases where devices might not have up-to-date antivirus and anti-malware.

Alternatively, post-admission designs focus less on device postures and more on users, enforcing policy based on behaviors. This approach makes sense for use cases like guest access, where the online activities tend to be limited to things like web browsing and checking email.

Many NAC offerings provide a combination of these approaches, which may vary based on location, device type, or user groups.

Agent-based vs. agentless design: Another architectural difference is agent-based versus agentless information gathering. Some NAC vendors require users to download agent software on their client devices. The agents then report device characteristics back to the NAC system.

Alternatively, agentless NAC solutions constantly scan the network and inventory devices, relying on device and user behaviors to trigger enforcement decisions.

Core capabilities of a NAC system

NAC secures networks through several core capabilities. These include:

  • Authentication and authorization: Manages access to resources for both users and devices.
  • Centralized policy lifecycle management: Enforces policies for all users and devices, while managing policy changes throughout the organization.
  • Discovery, visibility, and profiling: Finds devices on the network, identifies them, places them into groups with specific profiles, while blocking unauthorized users and non-compliant devices.
  • Guest networking access: Manages guests and provides those with compliant devices temporary and often restricted access through a customizable, self-service portal.
  • Security posture check: Evaluates compliance with security policies by user type, device type, location, operating system version, and other security criteria defined by the organization.
  • Incidence response: Automatically blocks suspicious activity, quarantines noncompliant devices, and, when possible, updates devices to bring them into compliance – all without IT intervention.
  • Bi-directional integration: Integrates NAC with other security tools and network solutions through the open/RESTful APIs that enable NAC to share contextual information (IP and MAC addresses, user ID, user role, locations, etc.)

NAC and Zero Trust

Even though NAC is nearly a 20-year-old technology, its adoption has been mostly confined to medium and large enterprises. However, as the network edge continues to sprawl beyond physical enterprise perimeters and as the COVID-19 pandemic accelerates the acceptance of at-home, mobile, and hybrid work environments, NAC has become an enabling technology for Zero Trust security approaches.

With networks become more distributed and complex, cybersecurity teams must find ways to maintain visibility into the devices connecting to the farthest reaches of the organization’s network. NAC provides this capability with the detection of and visibility into all devices entering the network, centralized access control, and policy enforcement across all devices.  

Top use cases for NAC

Increasing employee mobility, a rising number of BYOD devices, and the need to support hybrid work environments due to the pandemic have driven the need for stronger network access controls. Common use cases for NAC include:

Guest and partner access: NAC solutions allow organizations to provide temporary, restricted access to guests, partners, and contractors. NAC solutions probe guest devices to make sure they comply with the organization’s security policies.

BYOD and work-from-anywhere: As knowledge workers have become increasingly mobile, NAC is used to authenticate users who may be on unknown devices and in unknown locations, while also enforcing policies on those users and devices. If employees take corporate devices home, NAC ensures that no outside malware infiltrates the network when the devices reenter the organization’s network.  

The work-from-home and hybrid work-from-anywhere environments that arose during the COVID-19 pandemic have followed a similar pattern, with NAC solutions authenticating users, ensuring policy compliance on devices, and restricting access to resources based on factors such as location and user role.

IoT: NAC’s ability to provide visibility, device profiling, policy enforcement, and access management helps reduce the risks associated with IoT devices entering corporate networks. NAC tools can inventory and tag each device as it comes onto the network, categorize IoT devices into a group with limited permissions, and constantly monitor IoT device behaviors. NAC will automatically enforce rules to ensure that devices comply with business, security, and compliance-related policies.

Medical devices: For IoT devices in highly regulated healthcare settings, NAC can not only detect and block unauthorized access to devices and medical records, but also enforce the policies that ensure that devices in healthcare networks remain compliant with regulations, such as HIPAA. NAC can also enforce policies when medical professionals remotely access the network.

Incident response: Once a NAC system is deployed, organizations may use it to share information, such as user IDs, device types, and contextual information, with third-party security point products. This enables automated incident response, with NAC systems automatically responding to cyber security warnings by blocking and/or quarantining potentially compromised devices, without IT intervention.

NAC and regulatory compliance

As more industries regulate how businesses handle consumer data and protect privacy, regulatory compliance has become a driver for NAC adoption. NAC systems can help organizations maintain compliance with a range of regulations, including but not limited to HIPPA, PCI-DSS, GLBA, SOX, GDRP, and CCPA.

The requirements of these privacy protections typically focus on understanding who, what, when, and where users and devices are on the network, while limiting access to sensitive data to only those with a legitimate need. Proving that you have done all this via repeatable and auditable processes is also essential for compliance.

NAC can meet various regulatory requirements through access control, policy enforcement across users and devices, network visibility, and audit trails. Furthermore, many NAC providers have built in features to help organization automatically comply with common regulations, such as HIPPA, PCI-DSS, and SOX.

Who are the main NAC providers?

Based on their long track records and market share estimates from research firms such as Gartner, Research and Markets, and Global Market Insights, the following vendors are the leading NAC providers in the market today:

Aruba (HPE) – Aruba’s ClearPass Policy Manager provides role- and device-based secure network access control for IoT, BYOD, and corporate devices, as well as employees, contractors, and guests across multivendor wired, wireless, and VPN infrastructures.

Cisco – Cisco’s Identity Services Engine’s (ISE) NAC capabilities enable a dynamic and automated approach to policy enforcement and secure network access control. ISE empowers software-defined access and automates network segmentation within IT and OT environments.

Extreme Networks – Extreme Network’s ExtremeControl provides dynamic access based on user roles and contextual identity information. ExtremeControl applies granular, targeted policies to users and devices in order to streamline compliance.

Forescout – Forescout NAC implements access controls across heterogeneous networks, identifing every device on the network, assessing its security posture, and triggering remediation workflows when necessary. It continuously monitors all connected devices and automates responses when noncompliance or unusual behaviors are detected.

Fortinet – Fortinet’s FortiNAC provides visibility, control, and automated responses for everything that connects to an enterprise network. FortiNAC protects against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking and security events.

Juniper – Juniper recently bulked up its NAC offering through the acquisition of the startup WiteSand, which provides cloud-native NAC. Juniper’s EX Series of Ethernet switches provide NAC capabilities that include discovery, visibility, and access management. The addition of WiteSand will eliminate the need for on-premises NAC solutions for Juniper customers and will further enable automation through AI-based capabilities.

Portnox – Portnox CLEAR is a cloud-native NAC platform that provides visibility into devices and policy enforcement across heterogeneous networks. CLEAR identifies where devices are located and the risks associated with the location and the device posture. CLEAR continuously monitors risks for IoT, BYOD, remote use, and other common NAC use cases.

(Jeff Vance is an IDG contributing writer and the founder of Startup50.com, a site that discovers, analyzes, and ranks tech startups. Follow him on Twitter, @JWVance, or connect with him on LinkedIn.)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2022 IDG Communications, Inc.