Network access control is the act of keeping unauthorized users and devices out of a private network. Organizations that give certain devices or users from outside of the organization occasional access to the network can use network access control to ensure that these devices meet corporate security compliance regulations.
The increasingly common practice of letting non-corporate devices onto corporate networks requires businesses to pay special attention to network security, including who or what is allowed access. Network security protects the functionality of the network, ensuring that only authorized users and devices have access to it, that those devices are clean, and that the users are who they say they are.
Network access control, or NAC, is one aspect of network security. There are many NAC tools available, and the functions are often performed by a network access server. Effective network access control restricts access to only those devices that are authorized and compliant with security policies, meaning they have all the required security patches and anti-intrusion software. Network operators define the security policies that decide which devices or applications comply with endpoint security requirements and will be allowed network access.
One advantage of network access controls is that users can be required to authenticate via multi-factor authentication, which is much more secure than identifying users based on IP addresses or username and password combinations.
Secure network access control also provides additional levels of protection around individual parts of the network after a user has gained access, ensuring application security. Some network access control solutions may include compatible security controls such as encryption and increased network visibility.
If an organization's security policy allows any of the following circumstances, it needs to think carefully about network access control to ensure enterprise security:
- Bring Your Own Device (BYOD): Any organization that allows employees to use their own devices or take corporate devices home needs to think beyond the firewall to ensure network security. Each device creates a vulnerability that could make it possible for cyber criminals to get around traditional security controls.
- Network access for non-employees: Some organizations need to grant access to people or devices that are outside of the organization and not subject to the same security controls. Vendors, visitors, and contractors may all need access to the corporate network from time to time, but not to all parts of the network and not every day.
- Use of IoT devices: The Internet of Things has given rise to a proliferation of devices that may fly under the radar of traditional security controls, often residing outside of the physical corporate building but still connected to the corporate network. Without adequate network access controls, cyber criminals can easily exploit these overlooked devices to find their way into the heart of the network. Network access control is an important aspect of edge security solutions.
One important function of network access control is limiting network access to both specific users and specific areas of the network. So, a visitor may be able to connect to the corporate network, but not access any internal resources. This type of security control would have helped Target avoid the 2013 attack, in which hackers first gained access to a third-party vendor's network and then attacked Target through the vendor's connection to Target's network.
Network access control can also prevent unauthorized access to data by employees. In this way, an employee that needs to access the corporate intranet still won’t get access to sensitive customer data unless their role warrants it and they have been authorized for that access.
In addition to limiting user access, network access control also blocks access from endpoint devices that do not comply with corporate security policies. This ensures that a virus cannot enter the network from a device that originates from outside of the organization. All employee devices used for company business must adhere to corporate security policies before they are allowed access to the network.
Network access control will not work for every organization, and it is not compatible with some existing security controls. But for organizations that have the time and staff to properly implement network access controls, it can provide a much stronger and more comprehensive layer of protection around valuable or sensitive assets.
IT departments that use virtual machines as part of their data center can benefit from network access control, but only if they are vigilant about the rest of their security controls. Virtualization poses special challenges for NAC because virtual servers can move around a data center, and a dynamic virtual local area network (VLAN) can change as the servers move. Not only can network access control for virtual machines open unintended security holes, it can make it challenging for organizations to adhere to data audit control standards. This is because traditional security methods locate endpoints through their IP addresses. Virtual machines are dynamic and move from place to place, making them more complicated to secure.
Additionally, virtual machines are very easy and fast to spin up, meaning that inexperienced IT administrators may launch a virtual machine without all of the proper network access controls in place. Yet another vulnerability occurs when virtual machines are restored from a rest state: if new patches were released while the server was at rest, they may not be applied when the machine is redeployed. An increasing number of organizations are adding application security to their network security controls to ensure that everything on their network, down to the application level, is secure.
There are two basic types of network access control. Both are important aspects of network security:
- Pre-admission: The first type of network access control is called pre-admission because it happens before access to the network is granted, when a user or endpoint device initiates a request to access a network. A pre-admission network access control evaluates the access attempt and only allows entry if the device or user making the request can prove they are in compliance with corporate security policies and are authorized to access the network.
- Post-admission: Post-admission network access control happens within the network, when the user or device tries to enter a different part of the network. If the pre-admission network access control fails, the post-admission network access control can restrict lateral movement within the network and limit the damage from a cyber attack. A user or device must re-authenticate upon each request to move to a different part of the network.
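The following Python program is an added illustration, not code from the original article or from any NAC product. It models the two decision points described above: a pre-admission check that evaluates device posture (patch level, endpoint protection agent) and identity (multi-factor authentication), and a post-admission check that gates each move into another network segment on a fresh authentication and on the role-to-segment policy the operator defined. It also shows how the role-based limits discussed earlier (a visitor who can connect but reach no internal resources, an employee who cannot see customer data unless their role warrants it) fall out of the same policy. All roles, segment names, patch levels and other values are constructed for the example.

```python
"""Toy NAC policy evaluator (added example, not from the article).

All role names, segment names and threshold values below are assumptions
chosen for illustration; a real deployment would load them from policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Facts the NAC server learns about a connecting device and its user."""
    owner: str           # "corporate", "byod", "vendor", "iot"  (constructed)
    role: str            # "employee", "finance", "visitor", "vendor", "device"
    patch_level: int     # highest security patch applied (constructed scale)
    agent_running: bool  # endpoint protection / anti-intrusion agent present
    mfa_verified: bool   # user completed multi-factor authentication


# Operator-defined policy (constructed values).
REQUIRED_PATCH_LEVEL = 42
ROLES_REQUIRING_MFA: FrozenSet[str] = frozenset({"employee", "finance", "vendor"})
# Visitors only ever reach an isolated guest segment, so their posture is not checked.
POSTURE_EXEMPT_ROLES: FrozenSet[str] = frozenset({"visitor"})

# Which network segments each role may enter once admitted.
SEGMENT_ACCESS: Dict[str, FrozenSet[str]] = {
    "visitor": frozenset({"guest-wifi"}),
    "vendor": frozenset({"vendor-portal"}),
    "employee": frozenset({"intranet"}),
    "finance": frozenset({"intranet", "customer-data"}),
    "device": frozenset({"iot-segment"}),
}


def pre_admission(ep: Endpoint) -> str:
    """Decide 'admit', 'quarantine' or 'deny' before any network access is granted."""
    if ep.role in ROLES_REQUIRING_MFA and not ep.mfa_verified:
        return "deny"  # identity not proven strongly enough for this role
    if ep.role in POSTURE_EXEMPT_ROLES:
        return "admit"
    if not ep.agent_running or ep.patch_level < REQUIRED_PATCH_LEVEL:
        # Non-compliant: park the device on a remediation segment, not the corporate network.
        return "quarantine"
    return "admit"


def post_admission(ep: Endpoint, segment: str, reauthenticated: bool) -> bool:
    """Decide whether an already-admitted endpoint may move into `segment`.

    Every move requires a fresh authentication, and posture is re-evaluated, so a
    device that has drifted out of compliance cannot keep moving laterally.
    """
    if not reauthenticated:
        return False
    if pre_admission(ep) != "admit":
        return False
    return segment in SEGMENT_ACCESS.get(ep.role, frozenset())


def evaluate_session(ep: Endpoint, requested: List[str],
                     reauthenticated: bool = True) -> List[Tuple[str, str]]:
    """Trace one session: the admission verdict, then a verdict per requested segment."""
    verdict = pre_admission(ep)
    trace = [("admission", verdict)]
    if verdict != "admit":
        return trace  # nothing further is reachable from quarantine or a denial
    for seg in requested:
        allowed = post_admission(ep, seg, reauthenticated)
        trace.append((seg, "allow" if allowed else "block"))
    return trace


if __name__ == "__main__":
    # Constructed sample endpoints.
    samples = {
        "finance laptop": Endpoint("corporate", "finance", 45, True, True),
        "employee BYOD, unpatched": Endpoint("byod", "employee", 40, True, True),
        "vendor without MFA": Endpoint("vendor", "vendor", 45, True, False),
        "visitor phone": Endpoint("byod", "visitor", 0, False, False),
    }
    for name, ep in samples.items():
        print(name, evaluate_session(ep, ["intranet", "customer-data", "guest-wifi"]))
```

The session trace is what a defender would want logged: the admission verdict explains why a device landed on the remediation segment, and the per-segment verdicts make blocked lateral movement visible rather than silent.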