Network Access Control (NAC) is a set of hardware and/or software solutions that support network visibility and access management through policy enforcement on the devices and users of enterprise networks. NAC determines what access, if any, a device is allowed on the network. It is often stated that 802.1X (port-based authentication, using RADIUS for example) is a form of NAC, but that is not an entirely accurate statement. While 802.1X does control network access by requiring authentication, the broader term NAC refers not just to authentication, but to host profiling, scanning, compliance assessment, authorization, and several other techniques that assess devices and then make intelligent decisions about the network access to be assigned to those devices.
The first step in a modern NAC solution is to provide full visibility into every network-connected device (IT, OT, ICS…). Once that has been achieved, NAC should provide a means of dynamically handling (restricting) network access for devices that are found to be vulnerable or in violation of policies. It should be able to integrate with a wide variety of network infrastructure devices regardless of vendor. NAC is then able to restrict network traffic, such as by assigning a different VLAN or applying an Access Control List (ACL) for wired devices or changing the WLAN configuration for wireless devices.
Next-gen NAC should be able to combine pre-connect (such as 802.1X) and post-connect (policy-based device assessment) models and then implement controls on both users and devices as needed. Additionally, modern NAC should not stop at analyzing devices, but should also have the capability to orchestrate workflows. This provides the ability to extend NAC assessment functionality and to provide data sharing with other tools in the network security enclave.
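The three steps above (build visibility into every connected device, assess each one with pre-connect and post-connect checks, then apply a network-level control such as a VLAN assignment) can be shown end to end in a small policy engine. The following is an added example and is not code from Forescout, ACES, or any NAC product; the VLAN numbers, the 30-day patch threshold, the device profile names and the inventory records are all constructed for illustration. The RADIUS attributes it emits are the ones RFC 3580 defines for VLAN assignment in an Access-Accept.

```python
"""Toy NAC policy engine (added example; not Forescout's or ACES's code).

Models the flow described in the text: build visibility (a device inventory),
assess each device (pre-connect 802.1X result plus post-connect compliance
checks), then pick a network-level control, expressed here as a VLAN
assignment in RFC 3580 RADIUS tunnel attributes. Thresholds, VLAN numbers,
profile names and device records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed VLAN plan (assumption: the numbers are arbitrary).
VLAN_PRODUCTION = 100
VLAN_OT = 200          # segmented network for OT/ICS and IoT devices
VLAN_QUARANTINE = 900  # remediation-only reachability
VLAN_GUEST = 999       # captive-portal registration network

MAX_PATCH_AGE_DAYS = 30  # assumption: compliance threshold used by the policy

# Profiles that typically cannot do 802.1X and are segmented by profile instead.
OT_PROFILES = ("plc", "ip-camera", "hvac-controller")


@dataclass
class Device:
    mac: str
    profile: str                  # host-profiling result, e.g. "corporate-laptop"
    dot1x_authenticated: bool     # pre-connect result from the switch/RADIUS exchange
    av_running: Optional[bool] = None     # None = not assessable (no agent/scan yet)
    patch_age_days: Optional[int] = None


@dataclass
class Decision:
    vlan: int
    reason: str


def compliance_findings(dev: Device) -> List[str]:
    """Post-connect assessment: list every policy violation found on the host."""
    findings = []
    if dev.av_running is False:
        findings.append("endpoint protection not running")
    if dev.patch_age_days is not None and dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return findings


def decide(dev: Device) -> Decision:
    """Combine pre-connect (802.1X) and post-connect (compliance) results."""
    # Pre-connect: no identity and no recognisable profile -> registration network.
    if not dev.dot1x_authenticated and dev.profile == "unknown":
        return Decision(VLAN_GUEST, "no 802.1X identity and unknown profile")
    # Profile-based segmentation for devices that cannot authenticate themselves.
    if dev.profile in OT_PROFILES:
        return Decision(VLAN_OT, f"profiled as {dev.profile}; segmented")
    # Post-connect: any violation restricts the device to remediation access.
    findings = compliance_findings(dev)
    if findings:
        return Decision(VLAN_QUARANTINE, "; ".join(findings))
    if not dev.dot1x_authenticated:
        return Decision(VLAN_QUARANTINE, "known profile but no 802.1X identity")
    return Decision(VLAN_PRODUCTION, "authenticated and compliant")


def radius_vlan_attributes(vlan: int) -> Dict[str, object]:
    """RFC 3580 attributes a RADIUS server returns in Access-Accept to assign a VLAN."""
    return {
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE-802
        "Tunnel-Private-Group-Id": str(vlan),
    }


def reassess(dev: Device, current_vlan: int) -> Optional[Decision]:
    """Post-connect re-evaluation: return a new Decision only when the VLAN must
    change. A real deployment pushes that change to the switch with a RADIUS
    Change-of-Authorization (RFC 5176); this toy only reports the new decision."""
    new = decide(dev)
    return new if new.vlan != current_vlan else None


# Constructed sample inventory standing in for the visibility step.
INVENTORY = [
    Device("00:11:22:33:44:01", "corporate-laptop", True, av_running=True, patch_age_days=5),
    Device("00:11:22:33:44:02", "corporate-laptop", True, av_running=False, patch_age_days=5),
    Device("00:11:22:33:44:03", "ip-camera", False),
    Device("00:11:22:33:44:04", "unknown", False),
]


def enforce_all(inventory: List[Device]) -> Dict[str, Decision]:
    """Run the policy over the whole inventory, keyed by MAC address."""
    return {d.mac: decide(d) for d in inventory}


if __name__ == "__main__":
    for mac, dec in enforce_all(INVENTORY).items():
        print(mac, dec.vlan, dec.reason, radius_vlan_attributes(dec.vlan))
```

The ordering of the rules is the design point: identity is checked first, profile-based segmentation second, and compliance last, so an OT device that can never authenticate still lands in its own segment rather than in quarantine, while a fully authenticated laptop is still restricted the moment a post-connect check fails.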
NAC Next Steps
At ACES, we believe in the continual maturation of an enterprise’s environment, and NAC is one step in that process. That is why ACES has partnered with Forescout, which is not only an industry leader in modern, cutting-edge Network Access Control solutions but also offers mature security solutions beyond NAC. The Forescout solution encompasses all the key features one might require from a truly modern access control system, including pre-connect and post-connect evaluation models, compliance, auto-remediation, a wide array of network-level access controls, automation of workflows, and the ability to integrate with the network security systems already in place in the environment.
NAC is the baseline for properly securing and managing an enterprise. If this baseline is faulty or does not take the enterprise’s entire environment and security goals into account, then changes are continuously required, which costs unnecessary time and money while additional solutions are implemented. Forescout and ACES focus on working with multiple product vendors and with the tools already in place in order to decrease these costs and arrive at a faster, more cost-effective solution. The Forescout solution for NAC also provides several other capabilities, such as automatic and transparent internal network threat detection and anomaly remediation, dynamic network segmentation, cross-segment traffic control, traffic-based notifications, guest registration for network access (captive portal), and an extensive library of host device profiles to accurately identify and assess the ever-growing number and types of devices (IT, IoT and OT) found in the modern network.