
Network Access Control

One important variable in effectively protecting the data in a network is the users themselves. A method to minimize the risk associated with users is Network Access Control (NAC).

NAC is an access control framework that controls the way users can access resources in the internal network by creating a unique, dynamic access control policy per user and per session, based on:

  • User Identity
  • User access device security state and
  • Network location.

The NAC framework functions as an “AAA” architecture – Authentication, Authorization and Accounting.

1. Authentication

At the very “entry” point into the network, the user has to authenticate; depending on who they are, they are provisioned with access to the appropriate resources.

User authentication can be either “simple” password authentication (in a web portal) or “strong” two-factor authentication with certificates or OTP. In the latter case, an agent might have to be installed on the user's access device.

2. Authorization

Authorization is based on two factors – user identity (a user can have multiple identities / roles within an organization) and the access device state (the device has to meet a minimum security compliance state: antivirus updates, OS patches, a custom application client installed, etc.). In order to properly assess the device compliance state, an agent on the device is involved.

Once authorized, the user is provided with granular application access (per IP address/protocol/port).

3. Accounting

Once the user has authenticated and the device state has been assessed, the user is granted the appropriate access in the network. Throughout the session, the user’s activity is closely monitored.

After these 3 steps, the NAC appliance dynamically provisions user access on all the network appliances needed “along the way”, so that the user can access the applications and resources they are authorized to access.

Usually, NAC solutions work closely with intrusion prevention systems (IPS), which monitor for unauthorized or malicious traffic from authorized users.

If the IPS detects malware or unauthorized traffic, it signals the NAC appliance which takes appropriate actions based on pre-defined policies – isolate user, block user access in the network or any other action available.
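The three steps above and the IPS feedback loop, as an added example that is not from the original page or any NAC product: a minimal policy engine that turns identity, device compliance and location into a per-session access list, and quarantines or blocks the session when the IPS raises an alert. All roles, addresses and the remediation rule are assumed sample values.

```python
# Added example: a toy NAC policy engine. Roles, destinations and the
# remediation subnet below are constructed sample values, not real policy.
from dataclasses import dataclass, field

@dataclass
class DevicePosture:
    av_signatures_current: bool
    os_patched: bool
    agent_installed: bool

@dataclass
class Session:
    user: str
    roles: set
    posture: DevicePosture
    location: str            # e.g. "lan" or "vpn"
    strong_auth: bool        # certificate/OTP second factor presented
    rules: list = field(default_factory=list)  # (dst_ip, proto, port)
    state: str = "pending"   # pending | active | quarantined | blocked

# Role -> granular application access (destination, protocol, port); assumed.
ROLE_ACCESS = {
    "finance": [("10.0.20.5", "tcp", 443)],   # ERP web front-end
    "staff":   [("10.0.10.10", "tcp", 443), ("10.0.10.11", "udp", 53)],
}
REMEDIATION = [("10.0.99.1", "tcp", 80)]       # patch/AV server only

def is_compliant(p: DevicePosture) -> bool:
    return p.av_signatures_current and p.os_patched and p.agent_installed

def authorize(s: Session) -> Session:
    """Steps 1-2: derive the per-session access list from identity + posture."""
    # Assumed policy: remote (VPN) access without a second factor is refused.
    if s.location == "vpn" and not s.strong_auth:
        s.state, s.rules = "blocked", []
        return s
    if not is_compliant(s.posture):
        s.state, s.rules = "quarantined", list(REMEDIATION)   # isolate until fixed
        return s
    s.rules = [r for role in s.roles for r in ROLE_ACCESS.get(role, [])]
    s.state = "active"
    return s

def on_ips_alert(s: Session, severity: str) -> Session:
    """Step 3: IPS reports malicious traffic; quarantine, or block if severe."""
    s.state = "blocked" if severity == "high" else "quarantined"
    s.rules = [] if s.state == "blocked" else list(REMEDIATION)
    return s
```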

Products supporting this technology