The Past, Present and Future of Network Access Control (NAC)
Network Access Control (NAC) ensures proper configuration and security posture on devices trying to access a network. It’s been around for a while, but acquired a bad reputation in its early days. I remember looking at some NAC solutions when they first hit the market, years ago, and they were expensive, clumsy, and more likely to keep out good folks than bad actors. However, that was then, and this is now. Let’s take a look at NAC today. First, I’ll review fundamental technologies and concepts. Then, I’ll examine what’s driving adoption, and look at capabilities that make next-generation NAC a valuable weapon in a security officer’s arsenal.
Broadly speaking, there are two methods of NAC: pre-connect (a.k.a. “pre-admission” or “comply to connect”), and post-connect (a.k.a. “post-admission”). The pre-connect method takes an unconstitutional “guilty until proven innocent” approach: it assumes any device trying to access a network is misconfigured, insecure or otherwise unworthy of admission to the inner sanctum. Guilty devices receive no punishment, however. Instead, they go to “computer rehab”, such as a dedicated subnet or VLAN, or perhaps a portal that provides automated tools or instructions for remediating the problems. When a machine receives a clean bill of health, it can dwell among the trusted and civilized machines inside the network. Even so, some machines are incorrigible, or maybe just a little untrustworthy, so NAC systems will let you restrict their access to specific areas of the network, or to specific applications.
With a post-connect approach, you allow the unwashed masses through the door and fix the problems on the fly. Both approaches are useful, depending on the use case, and many installations will blend the two, depending on need. For instance, for guests at your company or organization, you might implement pre-connect, since you have little knowledge or control of those devices. Pre-connect might be too heavy-handed for your own employees, though, so it might make sense to let them in by default, and fix them on the fly.
Another element of NAC implementation is the agent – or not. Many early NAC implementations required installation of an agent on the endpoint. That was tolerable ten years ago when endpoints were likely to be laptops you provided and controlled, along with, well, more laptops you provided and controlled. Requiring an agent in today’s environment is more problematic. The types of devices are more varied, and the owners are more likely to be the users themselves rather than the organization. Moreover, the agent itself requires management. Even so, agents can provide some useful capabilities, so a choice of agentless or agent-based operation is important.
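To make the pre-connect and post-connect decision logic concrete, here is a small policy engine written as an added example for this article (it is not code from the article or from any NAC vendor). The VLAN names, the three posture checks, and the rule that guests get pre-connect while corporate devices get post-connect are all constructed assumptions. A posture value of `None` stands for a check an agentless probe cannot observe: in pre-connect mode that counts against the device, in post-connect mode it is simply queued for verification.

```python
"""Toy NAC policy engine: pre-connect vs post-connect admission decisions.

Added example, not the article's or any vendor's code. VLAN names, checks and
the guest/corporate rule are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Mode(Enum):
    PRE_CONNECT = "pre-connect"    # comply-to-connect: quarantine until healthy
    POST_CONNECT = "post-connect"  # admit first, remediate on the fly


# Constructed VLAN names; a real deployment maps these to switch/RADIUS config.
PRODUCTION_VLAN = "vlan-100-corp"
RESTRICTED_VLAN = "vlan-200-limited"
QUARANTINE_VLAN = "vlan-900-remediation"

# (posture attribute, remediation instruction, blocks full access even post-connect)
CHECKS = (
    ("os_patched", "apply pending OS patches", False),
    ("av_running", "start endpoint protection", True),
    ("disk_encrypted", "enable full-disk encryption", False),
)


@dataclass
class Posture:
    """Posture data for one endpoint. None means 'not observable' (agentless)."""
    device_id: str
    owner: str                      # "corporate" or "guest"
    os_patched: Optional[bool]
    av_running: Optional[bool]
    disk_encrypted: Optional[bool]


@dataclass
class Decision:
    vlan: str
    remediation: List[str] = field(default_factory=list)


def findings(p: Posture) -> Tuple[List[str], List[str]]:
    """Return (failed, unknown) lists of check names for one endpoint."""
    failed, unknown = [], []
    for attr, _, _ in CHECKS:
        value = getattr(p, attr)
        if value is None:
            unknown.append(attr)
        elif value is False:
            failed.append(attr)
    return failed, unknown


def choose_mode(p: Posture) -> Mode:
    """Guests are pre-connect (little control over the device); employees post-connect."""
    return Mode.PRE_CONNECT if p.owner == "guest" else Mode.POST_CONNECT


def decide(p: Posture, mode: Optional[Mode] = None) -> Decision:
    """Assign a VLAN and a remediation list according to the admission mode."""
    mode = mode or choose_mode(p)
    failed, unknown = findings(p)
    todo = [desc for attr, desc, _ in CHECKS if attr in failed]
    if mode is Mode.PRE_CONNECT:
        # Guilty until proven innocent: anything failed or unverifiable goes to "rehab".
        if failed or unknown:
            todo += [f"verify {a} (not observable without an agent)" for a in unknown]
            return Decision(QUARANTINE_VLAN, todo)
        return Decision(PRODUCTION_VLAN)
    # Post-connect: admit now, fix on the fly; a failed blocking check limits the
    # device to a restricted VLAN until the fix lands. Unknowns are queued, not blocked.
    todo += [f"verify {a} at next agent check-in" for a in unknown]
    blocking = [attr for attr, _, blocks in CHECKS if blocks and attr in failed]
    vlan = RESTRICTED_VLAN if blocking else PRODUCTION_VLAN
    return Decision(vlan, todo)


if __name__ == "__main__":
    # Constructed sample endpoints.
    sample = [
        Posture("guest-laptop-1", "guest", True, True, True),
        Posture("guest-phone-2", "guest", True, True, None),
        Posture("corp-laptop-3", "corporate", True, False, True),
        Posture("corp-laptop-4", "corporate", False, True, True),
    ]
    for ep in sample:
        d = decide(ep)
        print(f"{ep.device_id:15} {choose_mode(ep).value:13} -> {d.vlan}  {d.remediation}")
```

The blend the article describes (pre-connect for guests, post-connect for employees) lives entirely in `choose_mode`; the rest of the engine is the same for both, which is what lets one NAC deployment apply both methods to different populations.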
Now let’s look at the market dynamics behind the 50% increase in NAC adoption in 2015.
BYOD is one – but not the only – force driving NAC adoption. NAC is one component in an overall security and IT ecosystem, so external industry trends drive its implementation and also shape its direction. Pesky BYOD devices are everywhere, virtual machines and cloud environments are proliferating, and the complexity and velocity of threats increase daily. Add compliance requirements to the mix, and you’ll see how NAC’s ability to control access to resources – and its ability to update and remediate client systems – is becoming essential to a solid security posture. The more NAC solutions cooperate with companion technologies – either ingesting their data, or feeding information to them – the more valuable they become.
So, let’s take a look at some of the features and functions in a next-generation NAC system. First, device visibility. Next-generation NAC solutions can detect and control endpoints, network devices, applications, and even users. While the NAC itself will use this information to detect and remediate security misconfigurations and policy violations, it can also feed asset management systems and security information and event management (SIEM) systems for event correlation and incident response. Application whitelisting and blacklisting can facilitate software management and threat detection, and identity management systems can be leveraged to control privileges at the user level as well as the device level.
Perhaps the most important element of next-gen NAC is automated remediation. Many security technologies are good at generating alerts, but alerts are no good if you cannot fix the problem quickly, since the ever-increasing frequency and rapidity of attacks far exceeds any human’s ability to repair the weakness in real time. The hackers have automated their operations: organizations must automate responses to keep pace, and NAC solutions can help fill this need.
For more information on our NAC solutions, please visit our cyber security solutions page.