How to Choose a Network Access Control Solution that is Right For Your Network

Traditional IT security has always focused on static, well-controlled IT environments. However, with the advent of BYOD policies and more and more mobile devices connecting to workplace networks, a new, more fluid paradigm has evolved. How does IT make the shift and take charge of these dynamic and very difficult to control environments?

Network Access Control (NAC) has emerged as a very attractive technology for dealing with the growth of mobile devices in the workplace and is particularly useful in helping IT departments control their IT infrastructure in this new fluid environment. After all, the network is still something that IT controls.

So what is NAC? To put it simply, the most sophisticated NAC products immediately discover any device that attempts to connect to a network. They can categorize that device by type (Android, PC, iOS, etc.) and detect whether it’s a company or personal device.

Digging a little deeper, NAC solutions can also run a health check of each device; block, allow or limit access to certain network resources; remediate any security problems on the device; and continuously monitor that device for the duration of the session.

But how does all this big brother stuff work in the real world? Networks are complicated things comprising endpoints and pieces from many different vendors, all configured differently, and added piecemeal over time.

Implementing any form of network access control is a complex process. To help explain, DLT partner ForeScout has identified three criteria that any NAC solution must deliver on in order to address these challenges:

1. Detection and Interrogation of Endpoints

A key part of any NAC solution is detecting connecting devices and ensuring they comply with your network security policies. However, if not all endpoints are easily identified or known, what are your options? ForeScout stresses that, while there’s no silver bullet, “several types of inspection mechanisms need to be considered in order to get maximum interrogation with minimum IT management overhead for all detected and identified endpoints.”

One such mechanism is the software agent. Agents have become a common part of endpoint security and provide detailed knowledge of the system they reside on before network access is granted to a device. This is all well and good until a device that cannot run an agent is introduced to the network. Any device lacking an agent is either denied access to the network or, worse, given wholesale access without any endpoint inspection.

Agent-based NAC systems pose other challenges and quickly become impractical in large, enterprise networks, suggests ForeScout. Going agentless, therefore, offers several advantages.

• Agentless systems are scalable. Because a software agent isn’t needed on the endpoint, the scalability of an agentless NAC system is “virtually unlimited”, says ForeScout. “Agentless systems provide the ability to detect any IP-based device, allowing the complete coverage of a global infrastructure without prior knowledge of any of the connecting devices.” Another advantage is that users don’t need to be trained by IT on how to use agentless systems.

• Management is reduced. Agentless NAC systems reduce the amount of management overhead needed to enforce security policies – big time! Without interoperability issues between connecting devices, IT can focus on other things.

2. NAC Policy Creation and Enforcement

The primary reason for a NAC solution is to ensure that all connected devices comply with your network security policies, for example by checking for up-to-date antivirus definitions, as well as with enterprise-specific policies. The difficulty, explains ForeScout, lies in determining which policies need to be enforced and what actions need to be taken to enforce them. This policy creation process is key to selecting a NAC system: “An enterprise-level NAC solution must enable IT management to create customized, granular, and enterprise specific policies to effectively address the security concerns of any organization.”

The burden, however, falls on IT to enforce policy through an automated system, which carries the risk of network disruption. The industry has made great strides towards network-based enforcement, including ForeScout’s own ForeScout MDM solution, which uses digital certificates to authenticate mobile devices.

But what if a connected device starts to violate security policy after it has been authenticated and granted access? ForeScout stresses that post-connection policy enforcement is a critical element of any effective NAC system, and that connected devices must continue to be monitored to ensure compliance with security policies. And finally, “Malware detection and mitigation is a must-have feature for any NAC system, to ensure infected devices are detected and blocked/quarantined before they have a chance to unleash an outbreak across the entire enterprise network.”
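As an added illustration, not ForeScout’s code or any product’s API, here is a small Python model of the ordered, granular policy evaluation and the post-connection re-evaluation described in sections 1 and 2: the endpoint attributes, the rule set and the seven-day definition threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Callable, Optional

class Action(Enum):
    ALLOW = "allow"            # full network access
    LIMIT = "limit"            # restricted segment (e.g. guest/remediation VLAN)
    QUARANTINE = "quarantine"  # block everything except remediation services

@dataclass(frozen=True)
class Endpoint:
    ip: str
    device_type: str                       # "PC", "Android", "iOS", ... (assumed categories)
    corporate: bool                        # company-owned vs. personal device
    av_definition_age_days: Optional[int]  # None = posture could not be determined (e.g. no agent)
    malware_detected: bool = False

# A policy is an ordered list of rules; the first rule whose predicate matches decides.
# This ordering is an assumption: highest-severity condition is checked first.
Rule = tuple[str, Callable[[Endpoint], bool], Action]
POLICY: list[Rule] = [
    ("malware detected", lambda e: e.malware_detected, Action.QUARANTINE),
    ("posture unknown", lambda e: e.av_definition_age_days is None, Action.LIMIT),
    ("antivirus definitions stale", lambda e: e.av_definition_age_days > 7, Action.LIMIT),
    ("personal device", lambda e: not e.corporate, Action.LIMIT),
]

def evaluate(ep: Endpoint, policy: list[Rule] = POLICY) -> tuple[Action, str]:
    """Pre-connection decision: first matching rule wins, otherwise the device is compliant."""
    for name, predicate, action in policy:
        if predicate(ep):
            return action, name
    return Action.ALLOW, "compliant"

def monitor_session(ep: Endpoint, observations: list[dict],
                    policy: list[Rule] = POLICY) -> list[tuple[Action, str]]:
    """Post-connection enforcement: re-evaluate after every new observation about the
    device during its session and stop once it is quarantined. Returns the decision history."""
    decisions = [evaluate(ep, policy)]
    for obs in observations:
        ep = replace(ep, **obs)          # fold the new observation into the endpoint state
        decisions.append(evaluate(ep, policy))
        if decisions[-1][0] is Action.QUARANTINE:
            break
    return decisions

if __name__ == "__main__":
    # Constructed sample session: a compliant corporate laptop whose definitions go stale,
    # then shows signs of infection; the final observation is never reached.
    laptop = Endpoint("10.0.0.5", "PC", corporate=True, av_definition_age_days=2)
    for action, reason in monitor_session(laptop, [{"av_definition_age_days": 9},
                                                   {"malware_detected": True},
                                                   {"av_definition_age_days": 0}]):
        print(f"{action.value:10s} {reason}")
```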

3. Deploying Network Access Control

Now that you have a good grasp of the key essentials of any solid NAC solution, it’s important to understand the deployment process.

Switch-based NAC is a legacy approach that has since fallen out of favor, largely because it offers only a snapshot of the connected device at the moment it connects, and nothing afterwards. Another option is an inline NAC deployment. This is based on the premise that all data traffic passes through the device, which detects, inspects, and enforces security policy on each packet. The problem with this approach is that it adds another hardware component to the flow of traffic and another point of failure, plus the inherent latency risks – all of which disrupt the user experience.

A third option is out-of-band NAC. This uses the existing network to do all the work. The NAC appliance is attached to the network through a SPAN port on a managed switch or through a network tap. From there, the NAC can monitor all network traffic without data having to pass through it. It’s a method that allows IT to deploy a NAC system without any changes to the existing network configuration, saving time and money. “The out-of-band approach is by far the least disruptive method for NAC deployment,” explains ForeScout.

The Bottom Line

In summary, a NAC system should provide flexible and granular policy-based coverage with the least amount of network and user disruption. ForeScout’s NAC product, CounterACT, is a clientless, out-of-band NAC appliance that delivers granular policy creation with a full spectrum of enforcement actions. CounterACT lets IT define the appropriate responses to policy violations, delivering a measured approach to enforcement that keeps networks safe while minimizing end-user disruption.

Read more about Choosing a Network Access Control Solution that is Right for your Network.