Network access control, or NAC, solutions support network visibility and access management through policy enforcement on devices and users of corporate networks.
Network access control is the act of keeping unauthorized users and devices out of a private network. Organizations that give certain devices or users from outside of the organization occasional access to the network can use network access control to ensure that these devices meet corporate security compliance regulations.
Challenges
Controlling all the things connecting to enterprise networks is daunting. IT and security architects implementing these systems face challenges that include:
The IoT and OT devices proliferating on enterprise networks can’t be authenticated or controlled with traditional agents
802.1X-based controls aren’t feasible across multivendor networks
Scheduled network scans don’t account for spoofing attempts and other threats that can emerge at any time
Many Zero Trust access alternatives are too costly and/or require too much manual effort
How can this technology help you?
If an organization’s security policy allows any of the following circumstances, they need to think carefully about network access control to ensure enterprise security:
Bring Your Own Device (BYOD)
Any organization that allows employees to use their own devices or take corporate devices home needs to think beyond the firewall to ensure network security. Each device creates a vulnerability that could make it possible for cyber criminals to get around traditional security controls.
Use of IoT devices
The Internet of Things has given rise to a proliferation of devices that may fly under the radar of traditional security controls, often residing outside of the physical corporate building, but still connected to the corporate network. Cyber criminals can easily exploit these overlooked devices to find their way into the heart of the network without adequate network access controls. Network access control is an important aspect of edge security solutions.
Network access for non-employees
Some organizations need to grant access to people or devices that are outside of the organization and not subject to the same security controls. Vendors, visitors, and contractors may all need access to the corporate network from time to time, but not to all parts of the network and not every day.
Advantages
The increasingly sanctioned use of non-corporate devices accessing corporate networks requires businesses to pay special attention to network security, including who or what is allowed access. Network security protects the functionality of the network, ensuring that only authorized users and devices have access to it, that those devices are clean, and that the users are who they say they are.
One advantage of network access controls is that users can be required to authenticate via multi-factor authentication, which is much more secure than identifying users based on IP addresses or username and password combinations.
Secure network access control also provides additional levels of protection around individual parts of the network after a user has gained access, ensuring application security. Some network access control solutions may include compatible security controls such as encryption and increased network visibility.
Network access control will not work for every organization, and it is not compatible with some existing security controls. But for organizations that have the time and staff to properly implement network access controls, it can provide a much stronger and comprehensive layer of protection around valuable or sensitive assets.
IT departments that use virtual machines as part of their data center can benefit from network access control, but only if they are vigilant about the rest of their security controls. Virtualization poses special challenges for NAC because virtual servers can move around a data center, and a dynamic virtual local area network (LAN) can change as the servers move. Not only can network access control for virtual machines open unintended security holes, it can make it challenging for organizations to adhere to data audit control standards. This is because traditional security methods locate endpoints through their IP addresses. Virtual machines are dynamic, and move from place to place, making them more complicated to secure.
Additionally, virtual machines are also very easy and fast to spin up, meaning that inexperienced IT administrators may launch a virtual machine without all of the proper network access controls in place. Yet another vulnerability occurs when virtual machines are restored from a rest state. If new patches appeared while the server was in the rest state, they may not be applied when the machine is redeployed. An increasing number of organizations are adding application security to their network security controls to ensure that everything on their network, down to the application level, is secure.