Network Access Control is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to networknodes by devices when they initially attempt to access the network. NAC might integrate the automatic remediation process into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed. A basic form of NAC is the 802.1X standard. Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
Example
When a computer connects to a computer network, it is not permitted to access anything unless it complies with a business defined policy; including anti-virus protection level, system update level and configuration. While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate any issues. Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined by the NAC system. NAC is mainly used for endpoint health checks, but it is often tied to Role-based Access. Access to the network will be given according to the profile of the person and the results of a posture/health check. For example, in an enterprise the HR department could access only HR department files if both the role and the endpoint meets anti-virus minimums.
Goals of NAC
Because NAC represents an emerging category of security products its definition is both evolving and controversial. The overarching goals of the concept can be distilled as:
* NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes.
* Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments attempt to do so based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.
Concepts
Pre-admission and post-admission
There are two prevailing designs in NAC, based on whether policies are enforced before or after end-stations gain access to the network. In the former case, called pre-admission NAC, end-stations are inspected prior to being allowed on the network. A typical use case of pre-admission NAC would be to prevent clients with out-of-date antivirus signatures from talking to sensitive servers. Alternatively, post-admission NAC makes enforcement decisions based on user actions, after those users have been provided with access to the network
Agent versus agentless
The fundamental idea behind NAC is to allow the network to make access control decisions based on intelligence about end-systems, so the manner in which the network is informed about end-systems is a key design decision. A key difference among NAC systems is whether they require agent software to report end-system characteristics, or whether they use scanning and network inventory techniques to discern those characteristics remotely. As NAC has matured, software developers such as Microsoft have adopted the approach, providing their network access protection agent as part of their Windows 7, Vista and XP releases. There are also NAP compatible agents for Linux and Mac OS X that provide equal intelligence for these operating systems.
Out-of-band versus inline
In some out-of-band systems, agents are distributed on end-stations and report information to a central console, which in turn can control switches to enforce policy. In contrast the inline solutions can be single-box solutions which act as internal firewalls for access-layer networks and enforce the policy. Out-of-band solutions have the advantage of reusing existing infrastructure; inline products can be easier to deploy on new networks, and may provide more advanced network enforcement capabilities, because they are directly in control of individual packets on the wire. However, there are products that are agentless, and have both the inherent advantages of easier, less risky out-of-band deployment, but use techniques to provide inline effectiveness for non-compliant devices, where enforcement is required.
Network operators deploy NAC products with the expectation that some legitimate clients will be denied access to the network. Because of this, NAC solutions require a mechanism to remediate the end-user problems that deny them access. Two common strategies for remediation are quarantine networks and captive portals: ; Quarantine ; Captive portals
Mobile NAC
Using NAC in a mobile deployment, where workers connect over various wireless networks throughout the workday, involves challenges that are not present in a wired LAN environment. When a user is denied access because of a security concern, productive use of the device is lost, which can impact the ability to complete a job or serve a customer. In addition, automated remediation that takes only seconds on a wired connection may take minutes over a slower wireless data connection, bogging down the device. A mobile NAC solution gives system administrators greater control over whether, when and how to remediate the security concern. A lower-grade concern such as out-of-date antivirus signatures may result in a simple warning to the user, while more serious issues may result in quarantining the device. Policies may be set so that automated remediation, such as pushing out and applying security patches and updates, is withheld until the device is connected over a Wi-Fi or faster connection, or after working hours. This allows administrators to most appropriately balance the need for security against the goal of keeping workers productive.
