What is Network Access Control (NAC)?
The term Network Access Control (NAC) has been around (seemingly) forever. It’s one of those terms that a lot of vendors use, but everyone has defined it in a different way. Microsoft has their flavor with what they call Network Access Protection (NAP), which pushes updates and patches to Windows machines. Cisco has their product called Clean Access, which loads an agent on devices connecting to the network to scan them for potential security risks before allowing a device to connect. Then there are a bunch of other vendors out there that talk about NAC…each defining the solution a little differently.
But what is NAC and what is it trying to accomplish?
If you’re running any large scale network these days, and specifically a large campus wireless network, you need to consider how you’re going to control all of the different types of devices and user groups that are connecting to your network. With that, of course, comes the risk of letting all of those devices that you don’t own connect to the network, and the question of how you can ensure that 1) they don’t introduce a virus or malware to your network and 2) they don’t violate the security policies on your network (i.e. content filtering, illegal downloads, etc.).
At SecurEdge, we design, deploy, and support large scale secure wireless networks. One of the first things a school or hospital wants when they deploy a campus wireless network is to allow people to bring their own devices and connect to the network securely. This is where NAC comes into play.
There are two things that a NAC solution should accomplish.
1) Role Based Access Control - The system has to be able to integrate with Active Directory, know whether this device owner is an authorized user and what role they should be assigned, and be able to put them into that specific role on the network. If they are not in directory services, they get assigned a “Guest” role if you choose to.
For example: a student connects to a university Wi-Fi network. They log in with their Windows credentials; the system assigns them the student role, which gives them access to the internal student servers, web privileges, and email…but nothing else.
2) Policy Enforcement - This can be called Endpoint Compliance, Integrity Checking, and a bunch of other things. What this boils down to is that you have to be able to control the devices connecting to the network, and specifically the behavior of each device, including the applications it is using internally and externally. Your policies have to protect the end user, the rest of the users, your organization (…and your job).
For example: the student that you provided a role to (because you have Role Based Access Control) now needs to have a specific security policy assigned to them that will keep them from accessing content that is not approved, downloading a virus, or spreading a virus through the campus network. This is what policy enforcement must do.
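To make the two functions concrete, here is an added example (not SecurEdge code, not any vendor's product) of a tiny NAC decision engine: a directory lookup assigns a role (with a Guest fallback for unknown users), and a posture check either keeps that role or drops the device into a quarantine role. The directory entries, group names, role names and destination labels are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed stand-in for a directory service: username -> group memberships.
DIRECTORY = {
    "jdoe": {"Students"},
    "asmith": {"Faculty", "Students"},
}

# Group -> network role, checked in priority order so a faculty member who is
# also in the Students group lands in the more specific Faculty role.
GROUP_TO_ROLE = [("Faculty", "Faculty"), ("Students", "Student")]

# Role -> destinations the network will permit (the page's student example:
# internal student servers, web and email, and nothing else).
ROLE_POLICY = {
    "Student": {"student-servers", "web", "email"},
    "Faculty": {"student-servers", "faculty-servers", "web", "email"},
    "Guest": {"web"},
    "Quarantine": {"remediation"},  # only the patch/AV remediation portal
}


@dataclass
class Posture:
    """Minimal endpoint-compliance report sent by the NAC agent."""
    antivirus_running: bool
    patched: bool


def assign_role(username: str, authenticated: bool) -> str:
    """Role Based Access Control: map a directory user to a network role."""
    if not authenticated or username not in DIRECTORY:
        return "Guest"  # not in directory services -> Guest role
    groups = DIRECTORY[username]
    for group, role in GROUP_TO_ROLE:
        if group in groups:
            return role
    return "Guest"  # known user, but no group grants a role


def enforce_policy(role: str, posture: Posture) -> str:
    """Policy Enforcement: a non-compliant device is quarantined regardless of role."""
    if not (posture.antivirus_running and posture.patched):
        return "Quarantine"
    return role


def admit(username: str, authenticated: bool, posture: Posture):
    """Full NAC decision: (effective role, permitted destinations)."""
    role = enforce_policy(assign_role(username, authenticated), posture)
    return role, ROLE_POLICY[role]


def is_allowed(username, authenticated, posture, destination) -> bool:
    return destination in admit(username, authenticated, posture)[1]
```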
NAC can be delivered using a number of different products…and is usually delivered by integrating a number of different platforms to build a NAC system. It’s not a plug and play kind of solution. It requires an understanding of specifically what the organization has in place and what policies it needs to enforce on its networks.
At SecurEdge, we have years of experience dealing with network access control. We build these kinds of large scale secure wireless systems with NAC integrated to allow secure access for user groups. If we can be a resource for you, feel free to contact us here to talk to one of our engineers.
Philip is the founder and CEO of SecurEdge Networks. He’s the consummate strategist and frequently writes for the strategy blog. You can follow him at @philipwegner