It’s time to get granular with network access control

The network access control (NAC) market is expanding and evolving constantly in an attempt to deliver truly useful access control across device types, writes Simeon Tassev, MD of Galix Networking.
NAC is once again a hot topic in light of the mobile diversity of today’s workforce that has exposed the shortcomings of traditional NAC technologies and methodologies, which are no longer sufficient in the face of a security threat landscape that is also constantly evolving. What can IT security professionals do in the face of a flood of devices accessing business resources, when these devices are not necessarily managed and controlled by the organisation?
It’s time to shift from the traditional mode of NAC thinking to a modern approach.
Traditionally, NAC was based on specific technologies built into network switches and each device that connected to a port on a switch had to authenticate against that port. If it did not authenticate, the port shut down and the user was denied access. This technology soon showed its limitations. It was often vendor-specific and an agent for authentication was also required on the connecting device. This became a hindrance with mobile devices as it was difficult to import an agent on to a cell phone and with more companies instituting bring your own device (BYOD) mobility policies, it became cumbersome to manage who connected to the corporate network and how.
It was for these reasons that NAC technology has evolved to become vendor independent, and the focus has since shifted to using technologies to authenticate and to profile users. NAC has now advanced beyond the ability to disable or enable a port on the network, by focusing on delivering different levels of access depending on user profiles. It is not enough to authenticate with a username and password, it is also necessary to authenticate based on the device with which the user is attempting to access the network.
So, for example, different access types could be granted depending on whether the user is connecting from a smartphone, mobile tablet or public device. This means NAC is now concerned with issuing access based on a specific policy that is triggered by the user's device; access (remote or otherwise) is no longer granted on username and password authentication alone.
From a security and compliance point of view, the crux of the issue is control. But the type of control necessary is more granular, and so the question that needs to be asked here is: what kind of access must be given to which users, and what will they be allowed to do with that access? NAC security technologies are now able to specify and allow access to the network, to an application, or certain areas of the network, and it is no longer the all-or-nothing approach of the past.
Furthermore, now that wireless has evolved to the IEEE 802.11ac standard, the access that is provided to wireless users needs to be the same as any other network access, which is to say it needs to be the same as wired access. This further highlights the need for deeper profiling and more specific security policy-based access.
Modern NAC appliances have addressed the shortcomings of their legacy predecessors by extending their capabilities. These appliances are now capable of agentless operation, and extended policy capabilities mean that the NAC setup can support a wider number of devices, with an increased number of different policy extensions. This offers the real-time ability to monitor and control what a user, device, or application is doing or is allowed to do on the network.
By creating a contextual profile of each user that is informed by their associated devices and the applications and ports that they use, granular access control is achieved. NAC appliances today also automate onboarding support and new devices can be provisioned onto the network by means of a configurable portal, which takes the headache out of BYOD for the IT department.
Guest management was another pain point with legacy NAC measures. Modern guest management delivers the ability to grant guests temporary access to specific internal resources with internal authorisation, and such access can now be monitored by the NAC for behaviour that is beyond the scope of what was granted. At a security level, a modern NAC can ensure that unauthorised users, applications and devices are not permitted access to a secure network. This is done by ensuring that authorised endpoints are properly configured, that host-based security applications have been verified, and that they are up-to-date and running correctly.
A modern NAC setup is also capable of advanced threat protection, and has sophisticated visibility tools to ensure network security is not compromised. It is also capable of ensuring network availability to keep users productive, and can allow, deny or limit access based on device posture and security policies.
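The shift the article describes, from a port that is simply up or down to a policy that combines who the user is, what kind of device they are on, and whether that device passes posture checks, can be made concrete with a small policy engine. The following is an added illustration, not code from any NAC product or from the author: the access levels, the segments each level may reach, the posture thresholds (a seven-day signature age limit, a four-hour guest window) and the sample devices are all constructed assumptions. It covers the device-driven policy passage above, the guest-monitoring passage, and the posture-based allow, deny or limit decision in the final paragraph.

```python
"""Toy granular NAC policy engine (added example; all values are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Access(Enum):
    FULL = "full"              # same reach as a compliant, managed wired device
    RESTRICTED = "restricted"  # named applications only (mail, intranet, internet)
    GUEST = "guest"            # guest segment, time-limited, internet only
    QUARANTINE = "quarantine"  # remediation segment until posture is fixed
    DENY = "deny"              # no network access at all


# Assumed network layout: which destination segments each level may reach.
SEGMENTS_BY_LEVEL = {
    Access.FULL: {"internet", "intranet", "mail", "file-servers", "erp"},
    Access.RESTRICTED: {"internet", "intranet", "mail"},
    Access.GUEST: {"internet"},
    Access.QUARANTINE: {"remediation"},
    Access.DENY: set(),
}

# Fixed clock and guest window so the scenario below is reproducible.
NOW = datetime(2024, 1, 1, 12, 0)
GUEST_TTL = timedelta(hours=4)


@dataclass
class Device:
    mac: str
    kind: str          # "laptop", "smartphone", "tablet" or "public"
    managed: bool      # enrolled through the onboarding portal
    av_running: bool   # host-based security application is running
    av_sig_age_days: int
    os_patched: bool


@dataclass
class Session:
    user: str
    role: str                  # "employee", "contractor" or "guest"
    authenticated: bool        # username/password check passed
    device: Device
    guest_expires: Optional[datetime] = None


def legacy_port_decision(s: Session) -> bool:
    """The all-or-nothing model: port up if credentials pass, otherwise shut."""
    return s.authenticated


def posture_ok(d: Device, max_sig_age_days: int = 7) -> bool:
    """Endpoint checks: security agent running, signatures current, OS patched."""
    return d.av_running and d.av_sig_age_days <= max_sig_age_days and d.os_patched


def evaluate(s: Session, now: datetime = NOW) -> Access:
    """Map (user role, device kind, device posture) to an access level."""
    if not s.authenticated:
        return Access.DENY
    if s.role == "guest":
        # Temporary access only: expired or missing window means no access.
        if s.guest_expires is None or now >= s.guest_expires:
            return Access.DENY
        return Access.GUEST
    d = s.device
    if d.kind == "public":
        # A shared public terminal gets no more than a guest would, whoever logs in.
        return Access.GUEST
    if not d.managed:
        # Unenrolled BYOD hardware is limited to named applications.
        return Access.RESTRICTED
    if not posture_ok(d):
        # Managed but non-compliant: remediation segment only.
        return Access.QUARANTINE
    if d.kind in ("smartphone", "tablet"):
        return Access.RESTRICTED
    return Access.FULL


def out_of_scope(level: Access, observed_segments: set) -> set:
    """Segments a session touched that its granted level does not cover (alert on these)."""
    return set(observed_segments) - SEGMENTS_BY_LEVEL[level]


if __name__ == "__main__":
    # Constructed scenario: one employee on three devices, plus a guest.
    laptop = Device("aa:bb:cc:00:00:01", "laptop", True, True, 2, True)
    phone = Device("aa:bb:cc:00:00:02", "smartphone", True, True, 1, True)
    stale = Device("aa:bb:cc:00:00:03", "laptop", True, False, 30, False)
    kiosk = Device("aa:bb:cc:00:00:04", "public", False, False, 0, False)
    for dev in (laptop, phone, stale):
        s = Session("alice", "employee", True, dev)
        print(dev.kind, "legacy:", legacy_port_decision(s), "modern:", evaluate(s).value)
    guest = Session("visitor", "guest", True, kiosk, guest_expires=NOW + GUEST_TTL)
    print("guest:", evaluate(guest).value,
          "violations:", out_of_scope(evaluate(guest), {"internet", "file-servers"}))
```

The point the scenario makes is that `legacy_port_decision` returns the same answer for all three of the employee's devices, while `evaluate` separates the compliant laptop, the phone and the out-of-date machine, and `out_of_scope` gives the monitoring hook the article mentions for guests who stray beyond what they were granted.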
Bearing in mind the benefits of modern equipment and various approaches, it’s clear that NAC is an empowering technology. If an organisation is unable to answer the question as to how many devices connect to their network and who owns those devices, NAC is definitely worth considering as it can provide visibility to existing infrastructure and any new devices connecting to the network.