Network Access Control: Secure Your Network

The digital world is seeing many changes in how users connect to networks, and Network Access Control is becoming essential in every kind of network.

That includes enterprise networks, small office/home office (SOHO) networks, and public networks such as hotspots. With the emergence of Bring Your Own Device (BYOD) and the growth in the number of mobile devices used to access the network, Network Access Control (NAC) sits at the heart of a secure network.


Bring Your Own Device (BYOD)

What is NAC and Why Is It So Important?

Network Access Control, as the name implies, is a solution that controls access to the network.

In the past, which client devices needed to connect to the network was predetermined and static. For instance, it was common to see an enterprise with hundreds or even thousands of fixed PCs, quite probably all supplied by the same vendor.

Controlling such an environment was a piece of cake for most network administrators. The task could be accomplished with a combination of access control lists (ACLs) and the Port Security feature of managed access switches.


NAC Port Security

But things started to change with the exponential growth of mobile device usage, and the situation began to slip out of control for most network administrators. Administrators needed a dynamic solution that could scale regardless of the number and type of connected client devices. This is NAC's first and most basic function: controlling WHO is allowed to access the network.

The Who function of a NAC system is implemented with 802.1X on access switches, wireless access points or wireless controllers, together with the various Extensible Authentication Protocol (EAP) methods and an identity database such as an Active Directory server.

Is This Function Enough for Modern NACs?

Despite the importance of the Who function, NAC had to grow to include more advanced functions and features. A modern Network Access Control solution should provide, in addition to the Who function, the What, Where, and When functions.

The "What function" identifies the type of connected user/device. The "Where function" establishes the location of the user/device trying to connect and whether it is connecting over a wired connection, a wireless connection, or a remote connection using one of the VPN technologies.

Finally, the "When function" gives administrators deep insight into the activities running inside their networks over time.

Network Access Control (NAC)

What Type of Services and Features Should We Expect from a Modern NAC?

The list of services and features provided by a NAC differs from vendor to vendor. In general, however, a modern Network Access Control solution should have the following capabilities:

1. Extended Profile Support: Modern Network Access Control solutions should identify users/devices (the Who function) using extended information obtained from the devices trying to connect, such as the username, operating system, device type, MAC address, or IP address. By combining this information, the system can accurately identify the user/device trying to connect, ensuring that the right profile is associated with each authentication request.

2. Advanced Guest Management: Guest requests to access enterprise networks are becoming increasingly common. A traditional Network Access Control solution can control guests only by isolating them entirely from internal network resources.

Modern Network Access Control systems go further by allowing tightly controlled access for guests to the specific internal resources they require.

According to the business requirements, this access can be monitored so that no resources beyond the required ones are exposed. Any abnormal behavior from guest clients can be detected and the proper action taken.

3. Agentless Operation: Traditional NAC systems depend on an agent installed on the end devices to collect the required information during the authentication phase and to provide the feeds needed to monitor the activities of the connected device/user.

That model does not scale well. Modern Network Access Control systems can achieve most of their functionality without installing any agent on client devices. This makes the system more scalable and lets it cover a broader range of client devices regardless of their type and operating system.

NAC Agentless Operation

4. Advanced Policy Capabilities: Modern Network Access Control solutions can build a contextual profile for each user and therefore control the activities of each of that user's devices.

NAC Advanced Policy Capabilities

5. Support for Advanced Onboarding: As mentioned earlier, one of the main motivations for implementing Network Access Control solutions is the Bring Your Own Device (BYOD) phenomenon. Modern NAC solutions can automate the onboarding of new devices for different users, including users' personal devices, by letting users provision their own devices through a portal offered by the NAC system. This removes a considerable burden from the network administrators.

6. Advanced Endpoint Compliance: The BYOD model allows users to access the network with a variety of uncontrolled devices. This can open a hole in the network's defenses, because a device may be infected with viruses or other malware. Checking an endpoint's health before it is admitted to the network is therefore crucial to avoid such scenarios.

Such checks may require an agent to be installed on the endpoint (depending on the vendor). They can cover many aspects of the health of the device's operating system. Many factors can be checked before the device is admitted to the network, such as the update status, installed patches, installed software, and antivirus program status.


NAC Advanced Endpoint Compliance
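To make the Who/What/Where functions described earlier and the guest-isolation and endpoint-compliance features in the list above concrete, here is a toy authorization engine. It is an added example, not code from the original post or from any NAC vendor; the identity records, device types, VLAN names and policy rules are all constructed for the demonstration.

```python
# Added example, not code from the original post or from any NAC vendor: a toy
# authorization engine combining the Who (identity database), What (device
# profile), Where (access medium) and endpoint-compliance checks described above.
# The identity records, policy rules and VLAN names are constructed for this demo.
from dataclasses import dataclass

# Constructed identity store (stands in for an Active Directory / RADIUS user DB).
IDENTITY_DB = {
    "alice": {"group": "employees"},
    "guest-0042": {"group": "guests"},
}

@dataclass
class Endpoint:
    user: str
    device_type: str      # profiled type: "corporate-laptop", "byod-phone", "unknown"
    medium: str           # Where: "wired", "wireless" or "vpn"
    os_patched: bool = False   # posture data reported by an agent or a scan
    av_running: bool = False

def posture_ok(ep: Endpoint) -> bool:
    """Endpoint compliance: every health check must pass before full admission."""
    return ep.os_patched and ep.av_running

def authorize(ep: Endpoint) -> dict:
    """Return the access decision a NAC would push to the switch/controller
    (in a real deployment the VLAN and ACL travel back as RADIUS attributes)."""
    ident = IDENTITY_DB.get(ep.user)
    if ident is None:                       # Who: unknown identity -> deny
        return {"decision": "deny", "vlan": None, "allow": []}
    if ident["group"] == "guests":          # guests get only the isolated guest VLAN
        return {"decision": "permit", "vlan": "guest", "allow": ["internet"]}
    if not posture_ok(ep):                  # non-compliant -> remediation VLAN only
        return {"decision": "quarantine", "vlan": "remediation",
                "allow": ["patch-server", "av-update"]}
    if ep.medium == "vpn" or ep.device_type != "corporate-laptop":
        # Where/What: remote or personal devices get reduced access
        return {"decision": "permit", "vlan": "byod", "allow": ["email", "intranet"]}
    return {"decision": "permit", "vlan": "corp", "allow": ["any-internal"]}

if __name__ == "__main__":
    for ep in (Endpoint("bob", "unknown", "wired"),
               Endpoint("guest-0042", "byod-phone", "wireless"),
               Endpoint("alice", "corporate-laptop", "wired"),
               Endpoint("alice", "corporate-laptop", "wired", True, True),
               Endpoint("alice", "byod-phone", "wireless", True, True)):
        print(ep.user, ep.device_type, ep.medium, "->", authorize(ep))
```

A real NAC evaluates the same kind of rules but sources the profile and posture data from 802.1X/EAP, device profiling and compliance agents rather than from hand-built records.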

Which Vendor Should You Choose for the Network Access Control Solution?

Network Access Control is a promising market with many competing vendors. Among them, Cisco Systems is our choice, for several reasons:

Cisco Network Access Control

· Cisco Systems offers a highly advanced Network Access Control solution, Cisco Identity Services Engine (ISE), which has all of the features above and much more.

· It offers highly flexible deployment options, including virtual-machine-based and appliance-based deployments, to fit the needs of different customers.

· Cisco ISE integrates with the rest of the Cisco portfolio, including Cisco ASA Next-Generation Firewalls, to offer the market's most complete and robust security solution.

You can CONTACT US now so our CCIE-Level engineers can assist you in choosing the suitable model and the appropriate licenses for your particular needs.
