What different types of NAC solutions are available today?
Both established security vendors and a growing legion of small companies are filling the media with promises, initiatives, architectures and products, all designed to attract the attention and spending of early technology adopters. Many organizations are "putting their toes in the water" with NAC testbeds and small-scale deployments. And some have already made major commitments, usually in the more basic types of NAC.
So what is NAC?
In a broad sense, NAC deals with controlling which networks and applications an authenticated user can access, based on the user's identity, the identity and security posture of the device, how the device connects to the network, the security policies assigned to the user, and the behavior of the device once it has been admitted to the network. Device behavior can be evaluated by analyzing data traffic on the network and by observing what is actually happening on the endpoint. The security posture is the set of active hardware and software components of the device, both before and after it is admitted to a network, i.e., pre- and post-admission.
Some in the industry stretch the NAC definition even further to include functions such as full network monitoring, device and incident detection, alerting and correlation, security usually associated with network behavioral anomaly detection systems. So the confusion surrounding "what is NAC" is largely based on which layers of security one includes in solution-level NAC, and on the fact that vendors include different sets of security layers, beyond basic network admission control, in their NAC products.
For our additional perspectives on "What is NAC?" please read the following posts in the Secure Access Central blog:
- Which NAC Are You Talking About?
NAC Product Categories
Since there are no widely accepted categories of NAC products, Breakaway Security uses the following categories of access control-related "security functions" to distinguish "NAC" products and solutions. While pure network admission control products are widely available, most vendors offer products that combine two or more of the following security functions:
Category 1 – Network Admission Control (e.g., Endpoint Security Policy Enforcement)
Category 2 – Network Intrusion Prevention (i.e., blocks malicious traffic)
Category 3 – Network Access Control (e.g., VLANs, router or firewall ACLs)
Category 4 – Application Access Control (i.e., to individual application resources on LANs and VLANs)
Category 5 – SSL VPN-based, authentication and confidential communications
Options (all Categories) – Additional protection layers, e.g., device firewalls, application control, malicious code prevention, and USB controls; encrypted universal device detection; NAC bypass protection.
- Network admission control is designed to prevent authorized network users from unknowingly and unintentionally allowing their computers to infect other client devices and servers on a private network. To this end, NAC products perform pre-admission and post-admission "health checks" on devices. The primary focus is on authentication, ensuring endpoints are compliant with security policies, and controlling user access privileges at the network level. The security posture includes all software running on the client, including specific applications.
- Since even compliant devices can be infected by zero-hour attacks, some NAC solutions also include traffic monitoring and network intrusion prevention capabilities. When suspicious activity on the network is detected, offending devices are quarantined and these incidents are reported either in real time or in audit files.
- Network access control is a term that traditionally refers to which networks a user can access. The most basic decision is whether a user can have any access to a production network. The next level of control is enabling users to access specific network segments. For example, users can be limited to resources on a shared VLAN, which can physically extend across an entire network. And user connections can be limited by access control lists in the network infrastructure, e.g., firewalls, routers, L3 switches.
- Application access control determines what individual network resources (applications) a user can access based on their identity and policy-based privileges. Application access control is different from application usage control which determines what applications can run on an endpoint.
- Many remote access gateways use SSL VPN technology to authenticate devices and servers AND encrypt communications between them. This technology can also be used with LAN traffic.
All the above capabilities are controlled by a security administrator through a centralized policy manager.
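As an added illustration (not from the original page or any vendor's product), the following Python sketch shows how the pre-admission posture check, the user's identity and the connection method described above combine into a network-segment decision, and how a post-admission intrusion alert moves an already-admitted device to quarantine. The VLAN ids, the minimum agent version and the alert threshold are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder segment ids; a real deployment uses its own VLAN/ACL scheme.
PRODUCTION_VLAN, GUEST_VLAN, QUARANTINE_VLAN = 10, 20, 99
DENY: Optional[int] = None           # no network access at all
MIN_AGENT = (4, 2)                   # placeholder: minimum posture-agent version policy requires
IPS_QUARANTINE_SEVERITY = 7          # placeholder: alert severity that triggers post-admission quarantine


@dataclass
class Endpoint:
    user: str
    role: str                        # identity attribute from authentication: "employee", "guest", "unknown"
    connection: str                  # how the device attaches: "wired", "wifi" or "vpn"
    av_running: bool                 # posture facts reported by an agent or a scan
    patched: bool
    agent_version: Tuple[int, int] = (0, 0)


def posture_compliant(ep: Endpoint) -> bool:
    """Pre-admission 'health check': every required security component is present and current."""
    return ep.av_running and ep.patched and ep.agent_version >= MIN_AGENT


def pre_admission(ep: Endpoint) -> Tuple[Optional[int], str]:
    """Combine identity, posture and connection method into a segment decision (Categories 1 and 3)."""
    if ep.role == "unknown":
        return DENY, "unauthenticated: no production access"
    if ep.role == "guest":
        return GUEST_VLAN, "guest identity: internet-only segment, posture not assessed"
    if not posture_compliant(ep):
        return QUARANTINE_VLAN, "employee but non-compliant posture: remediation segment"
    if ep.connection == "vpn":
        return PRODUCTION_VLAN, "compliant remote employee: production, remote-access ACL applied"
    return PRODUCTION_VLAN, "compliant on-site employee: production segment"


def post_admission(ep: Endpoint, current_vlan: int, alert_severity: int, audit: List[str]) -> int:
    """Category 2: quarantine an admitted device whose traffic trips the intrusion sensor."""
    if current_vlan != QUARANTINE_VLAN and alert_severity >= IPS_QUARANTINE_SEVERITY:
        audit.append(f"{ep.user}: IPS alert severity {alert_severity}, moved to quarantine VLAN {QUARANTINE_VLAN}")
        return QUARANTINE_VLAN
    return current_vlan


if __name__ == "__main__":
    audit: List[str] = []
    alice = Endpoint("alice", "employee", "wired", True, True, (4, 3))
    vlan, reason = pre_admission(alice)           # compliant on-site employee -> production VLAN
    print(vlan, reason)
    print(post_admission(alice, vlan, 9, audit), audit)  # severe alert -> quarantine VLAN, one audit entry
```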
Additional NAC Security Options
- Universal Device Discovery. Most organizations also face the difficult task of determining what users and devices are on their networks. Universal discovery enables organizations to monitor their networks and detect all devices directly connected to their network - and sometimes those indirectly connected.
- Rogue Device Prevention. All organizations want to keep unauthorized users and devices off their networks. These users might be intent either on maliciously attacking the network or simply bypassing admission controls. NAC products employ a variety of mechanisms to reduce the risk of this abuse.
- Endpoint and Data Protection. Many network admission control vendors include client software ("agents") that implement deep endpoint posture checking capabilities. Sometimes they provide additional endpoint security features beyond personal firewalls and anti-virus/malware/bot protection. Examples include usage controls over device peripherals and application client whitelisting/blacklisting. These capabilities are designed either to minimize the vulnerability of endpoints (and indirectly the network) or to protect data residing on the device.
Additional Information on NAC
1. What security problems do organizations expect NAC to solve?
2. What different types of NAC solutions are available today?
3. Network Admission Control: An In-depth Review
4. Network Admission Control Best Practices
5. NAC Facts, Opinions and Misunderstandings
6. NAC Product Selection Guide (20 vendors)
7. Portal Blog
8. Interop iLabs NAC Resources
