Network Access Control
Network Access Control (NAC) is an approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.

Background

Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network. NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed.

Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.

Initially, 802.1X was also thought of as NAC. Some still consider 802.1X the simplest form of NAC, but most people think of NAC as something more.

In plain English

When a computer connects to a computer network, it is not permitted to access anything unless it complies with a business-defined policy, including anti-virus protection level, system update level and configuration. While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined within the NAC system. NAC is mainly used for endpoint health checks, but it is often tied to role-based access. Access to the network is granted according to the profile of the person and the results of a posture/health check. For example, in an enterprise, the HR department could access only HR department files if both the role and the endpoint meet the anti-virus minimums.

Goals of NAC

Because NAC represents an emerging category of security products, its definition is both evolving and controversial. The overarching goals of the concept can be distilled to:

Mitigation of zero-day attacks
The key value proposition of NAC solutions is the ability to prevent end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination by computer worms.

Policy enforcement
NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes.

Identity and access management
Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments attempt to do so based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.

Pre-admission and post-admission

There are two prevailing design philosophies in NAC, based on whether policies are enforced before or after end-stations gain access to the network. In the former case, called pre-admission NAC, end-stations are inspected prior to being allowed on the network. A typical use case of pre-admission NAC would be to prevent clients with out-of-date antivirus signatures from talking to sensitive servers. Alternatively, post-admission NAC makes enforcement decisions based on user actions, after those users have been provided with access to the network.

Agent versus agentless

The fundamental idea behind NAC is to allow the network to make access control decisions based on intelligence about end-systems, so the manner in which the network is informed about end-systems is a key design decision. A key difference among NAC systems is whether they require agent software to report end-system characteristics, or whether they use scanning and network inventory techniques to discern those characteristics remotely.

As NAC has matured, Microsoft now provides its Network Access Protection (NAP) agent as part of its Windows 7, Vista and XP releases. There are NAP-compatible agents for Linux and Mac OS X that provide near-equal intelligence for these operating systems.

Out-of-band versus inline

In some out-of-band systems, agents are distributed on end-stations and report information to a central console, which in turn can control switches to enforce policy. In contrast, inline solutions can be single-box solutions that act as internal firewalls for access-layer networks and enforce the policy. Out-of-band solutions have the advantage of reusing existing infrastructure; inline products can be easier to deploy on new networks, and may provide more advanced network enforcement capabilities, because they are directly in control of individual packets on the wire. However, there are agentless products that keep the inherent advantages of easier, less risky out-of-band deployment but use techniques to provide inline effectiveness for non-compliant devices where enforcement is required.

Remediation, quarantine and captive portals

Network operators deploy NAC products with the expectation that some legitimate clients will be denied access to the network (if users never had out-of-date patch levels, NAC would be unnecessary). Because of this, NAC solutions require a mechanism to remediate the end-user problems that deny them access.

Two common strategies for remediation are quarantine networks and captive portals:

Quarantine
A quarantine network is a restricted IP network that provides users with routed access only to certain hosts and applications. Quarantine is often implemented in terms of VLAN assignment; when a NAC product determines that an end-user is out-of-date, their switch port is assigned to a VLAN that is routed only to patch and update servers, not to the rest of the network. Other solutions use address management techniques (such as Address Resolution Protocol (ARP) or Neighbor Discovery Protocol (NDP)) for quarantine, avoiding the overhead of managing quarantine VLANs.
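The pre-admission flow described in "In plain English" and the VLAN-based quarantine above, as an added example that is not part of the article or any vendor's product: a miniature policy engine that grades endpoint posture, combines it with the user's role, and returns the RFC 3580 Tunnel-* RADIUS attributes a switch uses for dynamic VLAN assignment. The VLAN numbers, role names and the signature-age threshold are constructed placeholders.

```python
"""Added example (not from the article): posture + role -> VLAN decision.
Compliant endpoints land in their role VLAN; non-compliant ones are accepted
only into the quarantine VLAN that reaches the patch servers."""
from dataclasses import dataclass

QUARANTINE_VLAN = 999                          # assumed remediation VLAN
ROLE_VLANS = {"hr": 110, "engineering": 120}   # constructed role-to-VLAN map
MAX_SIG_AGE_DAYS = 7                           # assumed "anti-virus minimum"


@dataclass
class Posture:
    av_running: bool
    av_sig_age_days: int          # days since the last signature update
    missing_critical_patches: int


def posture_violations(p: Posture) -> list:
    """Return the policy checks the endpoint fails; empty means compliant."""
    violations = []
    if not p.av_running:
        violations.append("antivirus not running")
    elif p.av_sig_age_days > MAX_SIG_AGE_DAYS:
        violations.append("antivirus signatures out of date")
    if p.missing_critical_patches > 0:
        violations.append(f"{p.missing_critical_patches} critical patch(es) missing")
    return violations


def radius_vlan_attrs(vlan: int) -> dict:
    """RFC 3580 attributes carried in a RADIUS Access-Accept to assign a VLAN."""
    return {"Tunnel-Type": 13,                # 13 = VLAN
            "Tunnel-Medium-Type": 6,          # 6 = IEEE-802
            "Tunnel-Private-Group-ID": str(vlan)}


def admission_decision(role: str, p: Posture) -> dict:
    """Decide the switch port's fate once 802.1X authentication has succeeded."""
    if role not in ROLE_VLANS:
        return {"action": "reject", "reason": "unknown role"}   # Access-Reject
    violations = posture_violations(p)
    if violations:
        # Access-Accept, but only into the remediation VLAN
        return {"action": "quarantine", "reasons": violations,
                **radius_vlan_attrs(QUARANTINE_VLAN)}
    return {"action": "accept", **radius_vlan_attrs(ROLE_VLANS[role])}
```

A real deployment would return these attributes from the RADIUS server's policy step; the switch then moves the port without any change to the endpoint's configuration.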

Captive portals
A captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computer. Until their computer passes automated inspection, no network usage besides the captive portal is allowed. This is similar to the way paid wireless access works at public access points.

External Captive Portals allow organizations to offload wireless controllers and switches from hosting web portals. A single external portal hosted by a NAC appliance for wireless and wired authentication eliminates the need to create multiple portals, and consolidates policy management processes.

Mobile NAC

Using NAC in a mobile deployment, where workers connect over various wireless networks throughout the workday, involves challenges that are not present in a wired LAN environment. When a user is denied access because of a security concern, productive use of the device is lost, which can impact the ability to complete a job or serve a customer. In addition, automated remediation that takes only seconds on a wired connection may take minutes over a slower wireless data connection, bogging down the device. A mobile NAC solution gives system administrators greater control over whether, when and how to remediate the security concern. A lower-grade concern such as out-of-date antivirus signatures may result in a simple warning to the user, while more serious issues may result in quarantining the device. Policies may be set so that automated remediation, such as pushing out and applying security patches and updates, is withheld until the device is connected over a Wi-Fi or faster connection, or after working hours. This allows administrators to most appropriately balance the need for security against the goal of keeping workers productive.
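The mobile NAC policy described above, as an added example that is not from the article: findings are graded by severity (a low-grade one only warns, a serious one quarantines), and the bandwidth-heavy patch push is deferred until the device is on Wi-Fi or it is outside working hours. The severity table, link names and working hours are assumptions.

```python
"""Added example (not from the article): a mobile-NAC remediation planner."""

SEVERITY = {                          # constructed severity table
    "av_signatures_stale": "low",
    "firewall_disabled": "high",
    "critical_patch_missing": "high",
}
FAST_LINKS = {"wifi", "ethernet"}     # links on which a patch push is acceptable
WORK_HOURS = range(9, 18)             # 09:00-17:59 local time, assumed


def mobile_nac_plan(issues: list, link: str, hour: int) -> tuple:
    """Return (access, remediation) for a device's current findings.

    access:      "allow", "warn" or "quarantine"
    remediation: "none", "light_fix_now", "push_patches_now" or "defer_patches"
    """
    unknown = [i for i in issues if i not in SEVERITY]
    if unknown:
        # Fail closed on anything the policy cannot grade rather than ignore it
        raise ValueError(f"unclassified issue(s): {unknown}")
    if not issues:
        return ("allow", "none")
    access = "quarantine" if any(SEVERITY[i] == "high" for i in issues) else "warn"
    if "critical_patch_missing" not in issues:
        return (access, "light_fix_now")      # e.g. a signature refresh is cheap
    if link in FAST_LINKS or hour not in WORK_HOURS:
        return (access, "push_patches_now")
    return (access, "defer_patches")          # keep the worker productive on a slow link
```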

Spyware

Some NAC software, such as Impulse SafeConnect, requires the installation of a client agent. This agent is used to verify that the user is in compliance with the site's network access agreement. This allows network access to be locked down for any client running unauthorized software, lacking required updates, or for any other violation detected.

File Sharing

Some colleges and universities used NAC systems in order to ban illegal, as well as legal, file sharing applications.

Network Speed

Implementing a NAC requires additional resources and expenses. It adds latency to network access and consumes bandwidth.

See Also

  • Network Access Protection
  • Network Admission Control
  • Trusted Network Connect

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 