Each of these endpoints represents an opportunity for efficiency gains, but also increases the network’s attack surface, as each connected device also presents vulnerabilities that facilitate network breaches from both inside and outside of the organisation. In fact, Gartner found that in the past three years, 20 percent of organisations have been subject to an IoT-based attack. While traditional security solutions are able to protect the network perimeter, they cannot defend the devices and vulnerabilities originating from inside the network.
As a result, IT teams face the challenge of onboarding and securing a large number of device types and user groups. They need to do so while maintaining a diverse network and security infrastructure, and while satisfying their organisation’s need for a leaner IT in light of flat, or even declining budgets. To address these requirements, more and more organisations are adopting Network Access Control (NAC) solutions, which can effectively address the risk introduced by the growing device population, by securely managing and controlling access to the network.
Understanding the basics of NAC
The traditional definition of a NAC solution is a method of computer network security which combines endpoint integrity together with an access control solution such as 802.1X. However, NAC security has evolved to also encompass guest access management as well as bring your own device (BYOD) and IoT device security, as well as security posture analysis and control.
A traditional NAC solution provides endpoint assessment checks to ensure that each device has the required operating system, virus signatures, and software patches, among other considerations. Additionally, access to an enterprise network is controlled using predefined role-based access policies together with an authentication, authorisation, and accounting (AAA) solution.
However, the ways in which users and devices require network access have evolved over the years, and therefore NAC solutions have had to keep pace. Many NAC solutions now offer enhanced access capabilities to include guest access management, BYOD management, and security for IoT devices. NAC solutions have also grown to include fingerprinting capabilities to correctly identify devices’ make and operating system. With the growing acceptance of cloud computing, next generation NAC solutions will provide the ease and flexibility of cloud management and monitoring.
Authentication, authorisation, and accounting
Authentication, authorisation and accounting (AAA) is a key computer security concept that defines the protection of network resources.
Authentication is the verification of identity and credentials. Users or devices must identify themselves and present credentials, such as usernames and passwords or digital certificates. More secure authentication systems use multifactor authentication, which requires at least two sets of different types of credentials to be presented.
Authorisation determines if the device or user is authorised to have access to network resources, based on the type of device being used (laptop, tablet, or smartphone), time of day restrictions, or location.
Lastly, accounting refers to tracking the use of network resources by users and devices. It’s an important aspect of network security, used to keep a historical trail of who used what resource, when, and where.
Efficient NAC also needs to restrict system access to authorised users. After successful authentication, endpoint devices can be assigned defining network policies based on user roles, type of device, applications, time of day, location of the network, and other criteria. This process ensures that users only have access to the resources they need and not other, potentially confidential and sensitive information.
Remote Authentication Dial-In User Service (RADIUS) attributes – used to define specific AAA elements in a user profile – are often leveraged to assign different groups of users to different user traffic settings, including VLANs, firewall policies, bandwidth policies, and much more. Additionally, based on a change in the endpoint’s network behaviour or status, network access can be dynamically changed using RADIUS Change of Authorisation (CoA). To assist in policy enforcement, most NAC solutions fully integrate with switches, firewalls, mobile device management (MDM) solutions, intrusion detection systems (IDS), and third-party endpoint security applications.
Posture assessment
IT teams should be able to establish a set of rules to check the health and configuration of an endpoint and determine if it should be allowed access to the network. Posture assessment can be used to ensure endpoint integrity by validating up-to-date versions of device OS, antivirus, antimalware signatures, and application patches. Noncompliant endpoint devices can then be quarantined until they are updated.
NAC solutions can often also assist the user during the remediation process necessary to bring the device into compliance. Noncompliant devices can be quarantined and if desired, IT can allow self-remediation of issues, thus reducing the team’s workload.
Most posture assessments check the integrity on endpoint using preadmission checks before the endpoint can connect to the network. However, some NAC solutions also offer the capability to perform periodic post-admission checks, after an endpoint has already joined the network.
Traditionally, NAC solutions were used to secure wireless devices like laptops, smartphones or tablets, owned by employees, contractors or guests. The switch to Wi-Fi as the dominant access method funnelled large numbers of devices onto the network, with a variety of makes, models and operating systems. To be able to effectively secure the network, NAC solutions need to support all wireless corporate, BYOD, guest and IoT devices alike.
Because of the proliferation of personal mobile devices, a BYOD policy is needed to define how employees’ personal devices may access the organisational network. A modern-day NAC solution must be able to provide access based on predefined policies for BYOD endpoints in addition to company owned devices.
IT administrators must also manage the onboarding, access, and security policies of IoT devices connecting to the organisational network, most of which are inherently difficult to secure. This is because of their sheer numbers and because their capabilities with regard to features, operating systems and security functions vary greatly. At the same time, it is essential that they be provisioned with appropriately restricted network policies (regarding access to network resources, access duration, priority and others), be monitored for unexpected use, and be given periodic threat assessments. To accomplish this, despite the fact that IoT devices are not user-controlled, modern NAC solutions offer features that can automatically profile and identify IoT and other device types, and then onboard and provision them with IoT-specific network policies. These features significantly increase IoT security and can do so at scale since no IT intervention is required.
Addressing broad network needs
Current networking technology isn’t designed to understand or secure IoT. The challenge is finding a way in which to onboard potentially dozens, hundreds or even thousands of devices to the network, identify them within the network, monitor them and contain them. This could easily become a daunting task.
Organisations need an effective way to identify every ‘thing’ on their network and provide good security that IoT devices can actually use. They also need the infrastructure to intelligently understand what those ‘things’ should/should not be doing and provide mitigation where needed.
IT teams desire solutions that enable simplified, streamlined management of network security across the entire organisation. Cloud-managed NAC solutions allow centralised configuration, management and troubleshooting of NAC instanced at all corporate locations. This in turn ensures that network managers can apply and enforce consistent network policies across the network, which unifies and strengthens overall network security.
Author details: Tony De La Rosa is Sr. Director, Product Management, Aerohive
