As the Network Access Control (NAC) market continues to expand, we examine the key functions that exist in modern NAC solutions and what organizations should look for when choosing and implementing NAC.

The Network Access Control (NAC) market has continued to expand at an increasing pace as the technologies that support it have finally evolved to live up to the promise of truly useful access control across all device types. According to Gartner, the NAC market grew 36 percent in 2014 and is estimated to grow another 20 percent in 2015. Today we take a look at the key functions found in most top-level NAC solutions and what they offer to organizations considering an implementation.

A Brief History Of Network Access Control

The term NAC, and what it brings with it, has been around for some time. Many have heard it come up in conversation, but its ability to offer a complete solution across all device and user types was often limited by specific hardware and/or software restrictions.

Legacy NAC offered the ability to implement a policy management server that dictated how identified users and devices were able to use a specific network, typically using IEEE 802.1X. This included the ability to enforce network restrictions based on organizational policies and procedures, as well as to meet requirements set out in certain governmental regulations. It also offered the ability to restrict devices based on their current operational condition: for example, was the device up to date with operating system patches? Did it have an active firewall and a virus and/or malware solution installed? Were any restricted applications installed?

A large restriction of these solutions was that they were typically limited to devices that had a specific operating system installed and/or that were capable of installing the included NAC agent. A big limiting factor here is the design of the IEEE 802.1X standard: IEEE 802.1X requires that the end device have an installed and capable supplicant, which is used to communicate with the central authentication server. These solutions therefore also required a bypass mechanism for devices without an installed and/or supported supplicant, including printers and other network peripherals.

Modern NAC Appliances

Modern NAC appliances greatly extend the capabilities of their legacy predecessors. Some of these extended capabilities include:

  • Agentless Operation -- One of the biggest changes between legacy and modern NAC systems is their ability to support agentless operation. This single change greatly expands the flexibility of the solution. Supported devices are no longer limited to those running IEEE 802.1X supplicants or proprietary agents that can only run on the most popular operating systems. (Note: this does not mean that IEEE 802.1X can't be used, just that detection and authentication are not limited to those supported devices and operating systems.)
  • Extended Policy Capabilities -- While the legacy options did a good job of offering policy options for a restricted set of agent-supported clients, they were limited to that specific set (typically IEEE 802.1X or supported agents). With agentless operation, the NAC supports a wider range of devices, which increases the number of policy extensions that can be supported. This includes the ability to monitor and control, in real time, what a user/device/application is doing and/or is allowed to do on the network. This is done by building a contextual profile of each user and their associated device, applications in use, port, connected devices, etc.
  • Onboarding Support -- One IT duty that can take a large amount of time is provisioning new devices onto the network, and this has grown considerably with support for Bring Your Own Device (BYOD). Modern NACs offer the ability to automate the provisioning of these devices via a configurable portal.
  • Extended Guest Management -- For certain businesses, a big part of their operation is dealing with how guests gain access to network assets without exposing private resources. Most legacy NAC appliances offer the ability to limit the resources a guest has access to. Modern NAC appliances extend this by allowing guests to be given temporary access to specific internal resources after internal authorization, while being closely monitored by the NAC for out-of-the-ordinary behavior.
  • Extended Profile Support -- While legacy NAC appliances offered the ability to identify devices using authenticated user information, this was typically limited because a device logged in with a specific username would be given the same privileges as the same user logged in on another device. This could be a problem if the other device was a personal device. Modern NACs offer the ability to create a detailed profile from the available information, including username, authentication state, email address, IP address, MAC address, hostname, device type, operating system, anti-virus, and user/device behavior, among others.

For example, a user could be assigned a company laptop and a personal mobile phone. Modern NACs have the ability to alter the access of each device regardless of whether the user is the same between the two: the laptop could have access to all internal assets while the phone could be limited to email and Internet access.

  • Extended Endpoint Compliance -- Modern NACs extend the agent-specific compliance that existed in many legacy solutions. This means that device health checks (patch level, virus scanner installed and updated, malware scanner installed and updated), checks for updated software applications, and supported-peripheral checks can be done without the need for an agent.
  • Advanced Threat Protection (ATP) and Mitigation -- An important feature of a modern NAC is its ability to include or link into an Advanced Threat Protection and Mitigation system. Since the NAC is monitoring the users and devices on the network, it is also able to detect when they are acting outside of their expected behavior. These actions can then be mitigated automatically, without IT support interaction.
  • Expanded Monitoring and Reporting (Visibility) -- A part of any good NAC (legacy or modern) is its ability to monitor the actions of network users and devices and report on what it is seeing. Modern NACs extend this capability by presenting the network, and how its various users are behaving, in a single simple view and via expansive reporting options.
  • Extended System Integration and Interoperability -- An important part of any modern NAC is its ability to link with other related systems. IT has been well known for having a number of different systems that each work well within their own sphere but not with others. Most modern high-level NACs offer the ability to link in with many of these other systems and work in unison with them. At a minimum, they should support integration with the following system types: Mobile Device Management (MDM), Security Information and Event Management (SIEM), Next Generation Firewalls (NGFW), and database servers (e.g. LDAP (AD), Oracle, MySQL, SQL Server).
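As an added illustration (not any vendor's code), the following Python sketch models the decisions described in the list above: a bypass path for agentless devices identified by MAC, the agentless health checks, and per-device access tiers so that the same user's company laptop and personal phone land in different tiers. The inventories, tier names and device records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Endpoint:
    """Contextual profile the NAC builds for one connecting device (constructed sample fields)."""
    mac: str
    device_type: str                  # "laptop", "phone", "printer", ...
    user: Optional[str] = None        # identity from 802.1X; None if no supplicant (agentless)
    corporate: bool = False           # company-managed vs. personal (BYOD)
    patched: bool = True              # OS patch level current
    av_running: bool = True           # anti-virus/malware scanner installed and updated
    installed_apps: Tuple[str, ...] = ()

# Hypothetical inventories: MAC allow-list for agentless peripherals and banned applications.
KNOWN_PERIPHERALS = {"00:11:22:33:44:55": "printer"}
RESTRICTED_APPS = {"torrent-client"}

def posture_failures(ep: Endpoint) -> list:
    """Agentless health checks from the article: patches, AV, restricted applications."""
    failures = []
    if not ep.patched:
        failures.append("missing OS patches")
    if not ep.av_running:
        failures.append("no active anti-virus/malware scanner")
    banned = sorted(RESTRICTED_APPS.intersection(ep.installed_apps))
    if banned:
        failures.append("restricted apps installed: " + ", ".join(banned))
    return failures

def decide_access(ep: Endpoint) -> str:
    """Map a profile to an access tier; the same user can land in different tiers per device."""
    if ep.user is None:
        # No supplicant: the bypass path. Only a registered MAC of the expected type
        # reaches the peripheral segment; anything else is treated as a guest.
        if KNOWN_PERIPHERALS.get(ep.mac) == ep.device_type:
            return "peripheral-vlan"
        return "guest-vlan"
    if posture_failures(ep):
        return "quarantine"          # remediation network only
    if ep.corporate:
        return "full-access"         # all internal assets
    return "byod-limited"            # email and Internet only

if __name__ == "__main__":
    laptop = Endpoint("aa:bb:cc:00:00:01", "laptop", user="jdoe", corporate=True)
    phone = Endpoint("aa:bb:cc:00:00:02", "phone", user="jdoe")
    for ep in (laptop, phone):
        print(ep.device_type, "->", decide_access(ep), posture_failures(ep))
```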
NAC Solutions Comparison

It is getting to the point where NAC technologies have caught up with the original hype generated when NAC was first discussed. With modern NACs, organizations have the ability to closely monitor each device that connects to their network, control its ability to gain access to the network via a number of different policies, and stop devices from accessing the network should specific events be seen that fall outside the norm for a user and/or device type. The potential advantages of these systems should not be underestimated. Hopefully this article gives you a glimpse of what is possible with these newer systems.

GIS Corp. Copyright ©