Network Access Control (NAC)

Network Access Control (NAC) is a security control that authenticates devices before granting them network access. NAC combines network infrastructure with a host-based agent and admits a device onto the network only if it satisfies a predefined set of rules that each device or endpoint must meet (e.g. a machine certificate, the NAC agent, anti-virus, current patches). Devices that do not meet the rules are denied access to the network.

Network Access Control, or NAC, is a powerful security control that generally consists of network infrastructure, systems and endpoint software used to ensure that only authorized devices may connect to the network. Imagine a malicious user or "visitor" who connects a laptop to the organization's network using an available network connection. If unchecked, the visitor could infect the network with malware or scan it for vulnerabilities to exploit and breach sensitive information.

A NAC deployment should begin by defining the security posture, or "rules", that a new device must meet before it is allowed on the network. For example, the organization should establish the following minimum criteria:
  • Standard operating system and workstation platform approved by the organization (e.g. HP Deskpro running Windows 7)
  • NAC agent and a machine certificate used to identify a "certified" image
  • Anti-virus agent
  • Latest security patches and secure configurations

NAC infrastructure (e.g. devices, appliances or servers) evaluates endpoints against these rules and enforces the access control policy. If a device is found to be missing the AV agent or the NAC agent/certificate, for example, it is routed to a quarantine or guest network with no access to the production network. Authorized devices, on the other hand, are authenticated by the NAC device and connect to the network as usual.

Availability and performance should also be considered when implementing NAC. For instance, too many rules that need to be evaluated on the endpoint can degrade performance and delay the time it takes devices to authenticate and connect to the network. This will make your users unhappy unless you can ensure NAC is invisible to them. It is advisable to start small with simple rules (e.g. require the NAC agent and AV), and the same rules should also be applied to remote access if NAC is used as part of a VPN solution.

Finally, there will be numerous device types that do not meet the standard platform requirements (e.g. printers, Polycom devices, audio-visual equipment, etc.) but still need to connect to the network. To minimize impact, NAC devices can be configured for "MAC authentication bypass", which uses the MAC address of the connecting device to grant or deny network access. In other words, authorized device types "bypass" the NAC rules so those devices can function as designed to meet business requirements.
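To make the policy flow above concrete, here is an added example (not code from the original page or any NAC product) of a small posture-evaluation engine: an ordered list of posture rules drawn from the criteria listed earlier, a MAC authentication bypass allow-list for devices that cannot run the agent, and a decision that places each endpoint on the production, quarantine or guest segment. The endpoint attribute names, the MAC addresses in the allow-list and the split between "identity" rules (guest) and compliance rules (quarantine) are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
# Approved hardware/OS combinations (the page's own example).
APPROVED_PLATFORMS = {("HP Deskpro", "Windows 7")}

# Constructed MAB allow-list for devices that cannot run the NAC agent. MAB
# identifies a device by MAC only, so each entry maps to a purpose-specific
# VLAN rather than to the full production network.
MAB_ALLOWLIST = {
    "00:11:22:33:44:55": ("printer", "printers"),
    "66:77:88:99:aa:bb": ("polycom", "voice"),
}

# Ordered posture rules. Each runs at connect time, so keep the list short.
POSTURE_RULES = [
    ("nac_agent", lambda ep: ep.get("nac_agent") is True),
    ("machine_certificate", lambda ep: ep.get("machine_cert_valid") is True),
    ("approved_platform",
     lambda ep: (ep.get("hardware"), ep.get("os")) in APPROVED_PLATFORMS),
    ("antivirus", lambda ep: ep.get("av_running") is True),
    ("patched", lambda ep: ep.get("missing_patches", 0) == 0),
]
# Failing an identity rule means "not one of our managed machines" (guest
# VLAN); failing only the others means "ours but non-compliant" (quarantine).
IDENTITY_RULES = {"nac_agent", "machine_certificate"}

def normalize_mac(mac: str) -> str:
    # Canonical lower-case colon form; accepts '-', '.' or no separators.
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class Decision:
    vlan: str            # "production", "quarantine", "guest" or a MAB VLAN
    reason: str
    failed: list = field(default_factory=list)

def evaluate(endpoint: dict) -> Decision:
    mac = normalize_mac(endpoint["mac"])
    if mac in MAB_ALLOWLIST:           # MAC authentication bypass path
        device_type, vlan = MAB_ALLOWLIST[mac]
        return Decision(vlan, f"mab:{device_type}")
    failed = [name for name, check in POSTURE_RULES if not check(endpoint)]
    if not failed:
        return Decision("production", "posture ok")
    if IDENTITY_RULES & set(failed):
        return Decision("guest", "unmanaged device", failed)
    return Decision("quarantine", "out of compliance", failed)
```

The `failed` list in each decision is what a real NAC console would surface to the help desk, so a quarantined user can be told exactly which check to remediate.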
