The importance of NAC systems in network security. Why are they needed now as never before?
What is NAC?
Network Access Control (NAC) is the system responsible for checking whether a device may connect to the network. Based on this check, the device is allowed or denied access. Such access control is provided through a technology known as 802.1X, which provides three important functions called Authentication, Authorization, and Accounting (AAA).
Authentication is the process of verifying the identity of a user or device connecting to the network. This is usually done through the end-user entering a username/password. In some cases, the MAC address and digital certificates may be used for authentication.
Authorization is the process of determining which network resources an authenticated device can access and which actions are allowed. Depending on the type of authenticated device or the group of the identified user, access to networks and services may be restricted.
Accounting is the process of recording network access so that the records can be used later for billing or security purposes. It allows you to create reports on access to network resources that show who used which device, when, where, and how (e.g. every connection to a server or use of a service is recorded).
The evolution of NAC systems
The evolution of the NAC systems market can be divided into four phases:
The first generation of NAC was user and device authentication based on the 802.1X protocol. When a device tried to connect to a switch port or wireless access point, it had to provide a username/password or a certificate, which was then verified by a RADIUS server. This approach allowed or denied access at the level of the switch port or the wireless access point. This method, while effective, can be difficult to implement and is not compatible with all devices.
The second generation of NAC added the ability to gather information from network devices through SNMP. This generation of NAC systems also improved the methods of protecting and monitoring devices that use wireless networks. This era coincided with an increasing shift to IoT solutions and the BYOD trend.
The third generation of NAC expanded into automation. The focus was on creating a cooperative security model through integration with various other systems. For example, a security system operating at the network perimeter, such as an IDS or a firewall, may be able to identify threats, but at best it can only block traffic that flows through it. Integrating it with a NAC provides the ability to quarantine malicious devices from the rest of the LAN. A NAC system can also share detailed endpoint and user information with other security systems to enhance their functioning.
The fourth generation, the one currently being developed, will use artificial intelligence and machine learning to secure the rapidly changing network environment even better.
Problems addressed by NAC
Entry by unauthorized devices
Networks that do not implement NAC may be accessed by any device that is plugged into a switch port or connects to a wireless access point. Even if password protection is enabled, a user may still log into the network with an unapproved device. This carries a substantial risk of introducing malware into the network. NAC can safeguard against these threats by denying access by unapproved devices.
Lack of detailed IP tracking
Most security systems leave an IP address in the audit trail but may not associate that IP with a user or a device. This means that in environments with changing IP addresses, it is difficult to determine which device or user may be responsible for a security violation tied to an IP. NAC keeps track of all connected endpoints through continuous network monitoring and can provide detailed information about the endpoint that used a given IP at a given point in time in the past.
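The accounting function described above and the IP-to-user lookup it enables, as an added example that is not code from the article or from any NAC product: a small script that pairs RADIUS accounting Start/Stop records into sessions and answers "who held this IP at that time?", including the cases of an IP reused by a later device and of a session that is still open. The log lines are a constructed sample in a simplified one-record-per-line form; the attribute names are standard RADIUS accounting attributes.

```python
"""Who held IP X at time T? Built from NAC (RADIUS) accounting records.

Added illustration, not code from the article or any NAC product. The log is
a constructed sample in a simplified one-record-per-line form; the attribute
names are standard RADIUS accounting attributes.
"""
from datetime import datetime

# Constructed sample: 10.1.20.55 is reused by a second device after the first
# one disconnects, and the last session has not sent a Stop record yet.
ACCT_LOG = """\
2024-03-04T08:01:10 Acct-Status-Type=Start Acct-Session-Id=a1 User-Name=alice Calling-Station-Id=AA-BB-CC-00-00-01 Framed-IP-Address=10.1.20.55 NAS-Port-Id=Gi1/0/7
2024-03-04T09:30:00 Acct-Status-Type=Stop Acct-Session-Id=a1 User-Name=alice Calling-Station-Id=AA-BB-CC-00-00-01 Framed-IP-Address=10.1.20.55 NAS-Port-Id=Gi1/0/7
2024-03-04T09:45:12 Acct-Status-Type=Start Acct-Session-Id=b7 User-Name=printer-lobby Calling-Station-Id=AA-BB-CC-00-00-42 Framed-IP-Address=10.1.20.55 NAS-Port-Id=Gi1/0/12
2024-03-04T10:02:00 Acct-Status-Type=Start Acct-Session-Id=c3 User-Name=bob Calling-Station-Id=AA-BB-CC-00-00-09 Framed-IP-Address=10.1.20.56 NAS-Port-Id=wlan0
"""

def parse_records(text):
    """One dict per line, with the leading timestamp parsed into 'time'."""
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def build_sessions(records):
    """Pair Start/Stop records by Acct-Session-Id; an open session has end=None."""
    sessions = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            sessions[sid] = {"user": rec["User-Name"], "mac": rec["Calling-Station-Id"],
                             "ip": rec["Framed-IP-Address"], "port": rec["NAS-Port-Id"],
                             "start": rec["time"], "end": None}
        elif rec["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid]["end"] = rec["time"]
    return list(sessions.values())

def who_had_ip(log_text, ip, at_iso):
    """Return (user, mac, port) holding `ip` at ISO time `at_iso`, else None."""
    at = datetime.fromisoformat(at_iso)
    for s in build_sessions(parse_records(log_text)):
        if s["ip"] == ip and s["start"] <= at and (s["end"] is None or at < s["end"]):
            return s["user"], s["mac"], s["port"]
    return None

if __name__ == "__main__":
    for t in ("2024-03-04T09:00:00", "2024-03-04T09:40:00", "2024-03-04T10:30:00"):
        print(t, "10.1.20.55 ->", who_had_ip(ACCT_LOG, "10.1.20.55", t))
```

A real deployment would read the RADIUS server's detail log or accounting database instead of the embedded sample, but the session pairing and the interval lookup are the same.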
Difficulty in managing all devices on the network
Today's IT environment is much more complex than in the past due to BYOD, IoT, and so on. These conditions require a thorough assessment to properly manage assets and ensure compliance with regulatory standards. However, it is difficult for administrators to accurately identify IT assets and check their status at all times. To reduce the administrative burden, NAC can provide endpoint details such as the manufacturer, product name, name, location (switch port or physical location), user name, network connection/disconnection time, etc.
Poor WLAN Security
As mobile devices such as smartphones spread into business environments, they expand the use of wireless LAN. In many networks a shared password is used. Shared passwords are easily exposed, and their use is difficult to trace because they cannot be linked to a specific user. In principle, the company's shared password should be changed whenever an employee who knows it leaves the company, but this is not an easy change to manage. To solve this problem, an 802.1X system is required so that each user authenticates with a personal password when accessing the wireless LAN. NAC supports 802.1X by default, allowing for better wireless security.
Manually managing IP addressing
Managing IP addresses and the necessary services such as DNS and DHCP from one integrated console makes administrators' work much easier. It simplifies adding a new device or changing the network parameters of existing devices. Planning addressing with a NAC system allows you to change the IP addressing policy within minutes, even in large and distributed organizations. In addition, administrators can easily access up-to-date network administration data in one place. The NAC system enables the creation of complex policies for individual network segments or device types. Integrated DNS services can ensure reliable operation in distributed networks with many interfaces. Using the flexibility of NAC systems, it is possible to consolidate the organization's current DNS services on one platform.
Insecure operating systems
The most important thing for the security of an endpoint is applying the latest security patches. NAC continuously monitors endpoints and isolates unpatched ones from the network. This differs from typical endpoint management software in that the control operates at the network level, at the point where the endpoint connects. Through network-level control, administrators can enforce strong rules that users cannot bypass.
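The authorization step from the AAA description and the patch-based isolation described here, combined into one added example that is not code from the article or from any NAC product: a policy function that turns an authenticated endpoint record into a RADIUS-style VLAN assignment, sending employees to the corporate segment, MAC-authenticated devices to a restricted segment, and EAP-authenticated endpoints with an unknown or stale patch date to a quarantine VLAN. The endpoint records are constructed input, and the VLAN numbers and 30-day threshold are assumptions; the Tunnel-* attributes are the standard RADIUS attributes used for VLAN assignment.

```python
"""Authorization decision for an 802.1X/NAC policy engine.

Added illustration, not code from the article or any NAC product. The
endpoint record is constructed input; the VLAN numbers and the 30-day patch
threshold are assumptions. The returned Tunnel-* attributes are the standard
RADIUS attributes used to assign a VLAN to an authenticated port or client.
"""
from datetime import date

VLAN = {"corp": "100", "iot": "200", "guest": "300", "quarantine": "999"}  # assumed
MAX_PATCH_AGE_DAYS = 30  # assumed compliance threshold

def authorize(endpoint, today_iso):
    """Return ("Access-Reject", info) or ("Access-Accept", radius_attrs)."""
    # Authentication must have succeeded before any authorization happens.
    if not endpoint.get("authenticated"):
        return "Access-Reject", {"reason": "authentication failed"}
    method = endpoint["auth_method"]  # "eap" (user/password or certificate) or "mac"
    # Authorization: the segment depends on how and as whom the endpoint authenticated.
    if method == "mac":
        vlan = VLAN["iot"]            # MAC-authenticated devices get a restricted segment
    elif endpoint.get("group") == "employees":
        vlan = VLAN["corp"]
    else:
        vlan = VLAN["guest"]
    # Posture: EAP endpoints with an unknown or stale patch date are isolated.
    # MAC-authenticated IoT devices cannot report posture, so they stay restricted.
    if method == "eap":
        last = endpoint.get("last_patch")
        age_ok = last is not None and (date.fromisoformat(today_iso)
                                       - date.fromisoformat(last)).days <= MAX_PATCH_AGE_DAYS
        if not age_ok:
            vlan = VLAN["quarantine"]
    return "Access-Accept", {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                             "Tunnel-Private-Group-Id": vlan}

if __name__ == "__main__":
    # Constructed sample endpoints.
    samples = [
        {"authenticated": True, "auth_method": "eap", "group": "employees", "last_patch": "2024-02-20"},
        {"authenticated": True, "auth_method": "eap", "group": "employees", "last_patch": "2024-01-01"},
        {"authenticated": True, "auth_method": "mac"},
        {"authenticated": False, "auth_method": "eap"},
    ]
    for ep in samples:
        print(authorize(ep, "2024-03-04"))
```

Because the decision is returned to the switch or access point as RADIUS attributes, the resulting VLAN placement is enforced by the network device itself and cannot be changed from the endpoint.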