Since zero trust approaches have begun to make their way into companies’ security schemes, many IT departments are talking more and more about NAC (Network Access Control), a technique that prevents unauthorized users and unknown devices from accessing the organization’s private networks and, therefore, the sensitive information held on them.
Although it is far from a new technique (NAC was first being discussed in the middle of the last decade), it is with the rise of BYOD, worker mobility and, especially, the pandemic that it has become popular. In its newer implementations, in addition to authenticating users, it also makes it possible to manage endpoints and apply security policies to them.
How does NAC work?
NAC tools actually work quite simply. Once deployed, they detect every device that has connected, or wants to connect, to the corporate network, providing visibility into all of them.
From there, and through a series of rules previously defined by the IT department, they prevent unauthorized users from connecting to the network, and they enforce security policies on the endpoints that are allowed to connect, to ensure those endpoints behave properly inside the enterprise perimeter. In this sense, NAC solutions can ensure, among other things, that a laptop that wants to join the organization’s Wi-Fi network has an antivirus updated to its latest version and the other recommended anti-malware tools installed.
Devices that do not meet these requirements may be denied access to the network altogether, but they may also be “quarantined” (held until they become compliant) or, in some cases, allowed in with only limited privileges.
These tools actually work in two distinct stages. In the first, they identify users and verify their credentials. For this they can use all kinds of techniques, from passwords or one-time PINs to biometric solutions.
In the second, more interesting stage, they apply a series of factors intended to ensure security, analyzing, for example, the state of the device, the location it connects from, or the role the user holds, so that many solutions only grant access to the corporate network according to the privileges assigned to each user.
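The two stages above can be illustrated with a small policy engine: stage one checks credentials, stage two turns device posture, location and role into one of the four outcomes the text describes (deny, quarantine, limited access, full access). This is an added example written for this page, not code from any NAC product; the user store, the three-day signature-age threshold and the rule set are constructed assumptions, and it also shows the pre-admission versus post-admission distinction discussed further down.

```python
"""Toy NAC decision engine illustrating the two stages described above:
(1) authenticate the user, (2) apply posture and context rules.
Added example; not code from any real NAC product. Users, thresholds
and rules are constructed for the illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"                # no network access at all
    QUARANTINE = "quarantine"    # remediation segment, waiting for compliance
    LIMITED = "limited"          # e.g. internet-only / guest segment
    FULL = "full"                # corporate network


@dataclass
class Device:
    av_installed: bool
    av_signature_age_days: int   # how old the antivirus signatures are
    os_patched: bool
    managed: bool                # corporate-enrolled (True) or BYOD/unknown (False)


def _pw_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store. Real deployments delegate this to an
# identity backend (RADIUS/LDAP/IdP); plaintext passwords are never stored.
USERS = {
    "alice": {"salt": "s1", "hash": _pw_hash("correct-horse", "s1"), "role": "employee"},
    "guest1": {"salt": "s2", "hash": _pw_hash("lobby-pass", "s2"), "role": "guest"},
}

MAX_SIGNATURE_AGE_DAYS = 3       # assumption: "up to date" = signatures at most 3 days old


def authenticate(username: str, password: str):
    """Stage 1: verify credentials. Returns the user's role, or None on failure."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _pw_hash(password, user["salt"])
    # constant-time compare so the check does not leak via timing
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    return user["role"]


def is_compliant(dev: Device) -> bool:
    """Posture rule set 'defined by the IT department' (constructed here)."""
    return (dev.av_installed
            and dev.av_signature_age_days <= MAX_SIGNATURE_AGE_DAYS
            and dev.os_patched)


def decide(username: str, password: str, dev: Device, location: str,
           mode: str = "pre-admission") -> Decision:
    """Stage 2: combine role, device state and location into an access decision.

    mode="pre-admission": inspect the device before granting any access.
    mode="post-admission": role-centric; guests get limited access without
    a posture check (the guest-access scenario described in the text)."""
    role = authenticate(username, password)
    if role is None:
        return Decision.DENY
    if role == "guest":
        if mode == "post-admission" or is_compliant(dev):
            return Decision.LIMITED
        return Decision.DENY
    if not is_compliant(dev):
        # Managed devices can be remediated; unknown ones are kept out.
        return Decision.QUARANTINE if dev.managed else Decision.DENY
    if location == "remote" and not dev.managed:
        # Compliant BYOD from home: admitted, but with reduced privileges.
        return Decision.LIMITED
    return Decision.FULL


if __name__ == "__main__":
    good = Device(True, 1, True, True)
    stale = Device(True, 30, True, True)
    print(decide("alice", "correct-horse", good, "office"))                    # Decision.FULL
    print(decide("alice", "correct-horse", stale, "office"))                   # Decision.QUARANTINE
    print(decide("guest1", "lobby-pass", stale, "office", "post-admission"))   # Decision.LIMITED
    print(decide("alice", "wrong", good, "office"))                            # Decision.DENY
```

The ordering matters: authentication failures are rejected before any posture data is even considered, and a stale antivirus on a corporate laptop leads to quarantine (remediation) rather than a hard deny, which is reserved for devices the organization cannot remediate.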
What kind of approaches are there?
Not all NAC tools work the same way; in fact, different approaches coexist on the market.
The main differences, however, appear when we examine when the devices that want to connect to a network are inspected and how information is extracted from those devices. With this in mind, we find the following approaches:
Pre-admission vs. post-admission: There are two ways NAC can authorize access for end devices. In pre-admission designs, devices are inspected and policies are applied before they are granted access to the network. This approach is best suited to use cases where devices may not have their antivirus and other required security software up to date.
In post-admission models, the focus is less on the device and more on the user to be authenticated, applying different policies based on role and behavior. This approach makes sense for use cases like guest access, where online activities tend to be limited to things like web browsing and checking email. The most popular solutions often allow network administrators to combine both approaches.
Agent-based vs. agentless design: The other big difference between these platforms is how the information is collected. Some NAC providers require users to download and install an agent on their devices that collects the information and transmits it to the system.
In agentless solutions, instead, it is the NAC system itself that constantly scans the network and builds an inventory of the devices it detects, then makes the appropriate decisions based on the behavior of each of them.
Main use cases
We have seen how greater employee mobility, the rise of BYOD and the need to respond to hybrid work have favored the development of stricter network access policies. Some of the scenarios in which we will most frequently see NAC solutions are the following:
Guest access: NAC solutions allow organizations to provide temporary, restricted access to guests, partners, clients…, examining their devices and ensuring that they comply with the organization’s security policies.
BYOD and remote work: The pandemic has shown that it is perfectly possible to work remotely and stay productive, combining it with an in-office presence. Here, NAC solutions are used to authenticate users who may be connecting from remote locations with devices “unknown” to the company, to which the corresponding security policies are applied.
If instead users take their work devices home, NAC solutions are used both to authenticate them and to restrict their access to resources based on factors such as their location or their role in the organization.
IoT: NAC’s ability to provide visibility, device profiling, policy enforcement, and access management helps reduce the risks associated with IoT devices entering corporate networks.
NAC tools can inventory and tag each device as it enters the network, place IoT devices in a group with limited permissions, and constantly monitor device behavior.
Incident response: Once a NAC platform is deployed, organizations can use it to share information with third-party security products, enabling automated incident response.
In this sense, NAC systems can automatically respond to alerts raised by other tools, blocking and/or quarantining potentially compromised devices without IT intervention.
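The agentless, IoT and incident-response passages above share one mechanism: an inventory built from observed traffic, a group assigned to each device with its own permissions, and a quarantine action that can be triggered either by the device’s own behavior or by an alert from another tool. The following is an added example written for this page, not code from any NAC product; the MAC-prefix table, the group policies, the segment (VLAN) names, the violation threshold and the traffic records and alert are all constructed for the illustration.

```python
"""Toy agentless NAC: build a device inventory from passively observed
traffic, profile each device into a group with its own permissions, flag
behaviour outside that group's policy, and quarantine a device when a
third-party tool raises an alert. Added example, not code from any NAC
product; OUI table, policies, flows and alert are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed MAC-prefix -> device class table. Real products use large
# OUI and DHCP-fingerprint databases; these prefixes are made up.
OUI_CLASS = {
    "aa:bb:01": "workstation",
    "aa:bb:02": "camera",
    "aa:bb:03": "iot-sensor",
}

# Per-group policy: network segment and the destination ports allowed.
GROUP_POLICY = {
    "workstation": {"vlan": "corp", "allowed_ports": {53, 80, 443, 445}},
    "camera": {"vlan": "iot", "allowed_ports": {53, 443, 554}},
    "iot-sensor": {"vlan": "iot", "allowed_ports": {53, 443, 8883}},
    "unknown": {"vlan": "quarantine", "allowed_ports": {53, 80, 443}},
    "quarantine": {"vlan": "quarantine", "allowed_ports": set()},
}
VIOLATION_THRESHOLD = 2   # assumption: auto-quarantine after 2 policy violations


@dataclass
class Observation:
    """One passively seen flow: which device talked to which port (constructed)."""
    mac: str
    ip: str
    dhcp_hostname: str
    dst_port: int


@dataclass
class Asset:
    mac: str
    ip: str
    hostname: str
    group: str
    ports_seen: Set[int] = field(default_factory=set)
    violations: List[int] = field(default_factory=list)
    quarantine_reason: Optional[str] = None


def classify(mac: str, hostname: str) -> str:
    """Profile a device from its MAC prefix; anything unrecognised is 'unknown'."""
    return OUI_CLASS.get(mac.lower()[:8], "unknown")


class Inventory:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}

    def ingest(self, obs: Observation) -> Asset:
        """Inventory and tag the device on first sight, then check every flow
        against the allowed ports of its group."""
        asset = self.assets.get(obs.mac)
        if asset is None:
            asset = Asset(obs.mac, obs.ip, obs.dhcp_hostname,
                          classify(obs.mac, obs.dhcp_hostname))
            self.assets[obs.mac] = asset
        asset.ports_seen.add(obs.dst_port)
        if asset.group != "quarantine":
            if obs.dst_port not in GROUP_POLICY[asset.group]["allowed_ports"]:
                asset.violations.append(obs.dst_port)
                if len(asset.violations) >= VIOLATION_THRESHOLD:
                    self.quarantine(obs.mac, f"behaviour: ports {asset.violations}")
        return asset

    def quarantine(self, mac: str, reason: str) -> bool:
        asset = self.assets.get(mac)
        if asset is None:
            return False
        asset.group = "quarantine"
        asset.quarantine_reason = reason
        return True

    def handle_alert(self, alert: dict) -> bool:
        """Consume a high-severity alert from another tool (e.g. an EDR), keyed
        by IP, and quarantine the matching device with no operator action."""
        for asset in self.assets.values():
            if asset.ip == alert.get("ip") and alert.get("severity") == "high":
                return self.quarantine(asset.mac, f"alert: {alert.get('rule', '?')}")
        return False

    def vlan_of(self, mac: str) -> Optional[str]:
        asset = self.assets.get(mac)
        return GROUP_POLICY[asset.group]["vlan"] if asset else None


def build_demo_inventory() -> Inventory:
    """Replay constructed traffic records through the inventory."""
    inv = Inventory()
    flows = [
        Observation("aa:bb:01:00:00:01", "10.0.1.10", "laptop-42", 443),
        Observation("aa:bb:02:00:00:07", "10.0.2.7", "cam-lobby", 554),
        Observation("aa:bb:02:00:00:07", "10.0.2.7", "cam-lobby", 445),   # SMB from a camera
        Observation("aa:bb:02:00:00:07", "10.0.2.7", "cam-lobby", 3389),  # RDP from a camera
        Observation("de:ad:be:ef:00:01", "10.0.3.3", "thing-9", 80),      # unrecognised device
    ]
    for f in flows:
        inv.ingest(f)
    return inv
```

In the replayed traffic the camera is placed in the IoT segment on first sight, then moved to quarantine on its own after two flows (SMB and RDP) that a camera has no business initiating, while the unrecognised device never leaves the quarantine segment. A high-severity alert for the workstation’s IP from an external tool triggers the same quarantine path, which is the automated incident-response loop described above.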
As networks become more distributed and complex, cybersecurity teams must find ways to maintain visibility into the devices that connect to the edge of the organization’s network. NAC provides this capability with detection and visibility of all devices entering the network, centralized access control and policy enforcement on them.