Network access control is the act of keeping unauthorized users and devices out of a private network. Organizations that give certain devices or users from outside of the organization occasional access to the network can use network access control to ensure that these devices meet corporate security compliance regulations.
The increasingly sanctioned use of non-corporate devices accessing corporate networks requires businesses to pay special attention to network security, including who or what is allowed access. Network security protects the functionality of the network, ensuring that only authorized users and devices have access to it, that those devices are clean, and that the users are who they say they are.
Network access control, or NAC, is one aspect of network security. There are many NAC tools available, and the functions are often performed by a network access server. Effective network access control restricts access to only those devices that are authorized and compliant with security policies, meaning they have all the required security patches and anti-intrusion software. Network operators define the security policies that decide which devices or applications comply with endpoint security requirements and will be allowed network access.
One advantage of network access controls is that users can be required to authenticate via multi-factor authentication, which is much more secure than identifying users based on IP addresses or username and password combinations.
Secure network access control also provides additional levels of protection around individual parts of the network after a user has gained access, ensuring application security. Some network access control solutions may include compatible security controls such as encryption and increased network visibility.
If an organization’s security policy allows any of the following circumstances, it needs to think carefully about network access control to ensure enterprise security:
One important function of network access control is limiting network access to both specific users and specific areas of the network. So, a visitor may be able to connect to the corporate network, but not access any internal resources. This type of security control would have helped Target avoid the 2013 attack, in which hackers gained access to a third-party vendor’s network and attacked Target when the vendor connected to its network.
Network access control can also prevent unauthorized access to data by employees. In this way, an employee who needs to access the corporate intranet still won’t get access to sensitive customer data unless their role warrants it and they have been authorized for that access.
In addition to limiting user access, network access control also blocks access from endpoint devices that do not comply with corporate security policies. This ensures that a virus cannot enter the network from a device that originates from outside of the organization. All employee devices used for company business must adhere to corporate security policies before they are allowed access to the network.
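The admission logic described above (authenticate the user, check the device against policy, then limit the user to the network areas their role warrants), as an added example that is not from the original article. The role names, segment names, patch-age threshold and sample endpoints are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical operator-defined policy (assumed values, not from the article).
MAX_PATCH_AGE_DAYS = 30
ROLE_SEGMENTS = {
    "guest": {"internet"},
    "employee": {"internet", "intranet"},
    "support": {"internet", "intranet", "customer-data"},
}

@dataclass
class Endpoint:
    user: str
    role: str
    mfa_passed: bool
    last_patched: date
    anti_intrusion_running: bool

def posture_failures(ep, today):
    """Return the endpoint security requirements this device fails."""
    failures = []
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches out of date")
    if not ep.anti_intrusion_running:
        failures.append("anti-intrusion software not running")
    return failures

def admit(ep, today):
    """Return (action, allowed segments, reasons) for a connection attempt."""
    if not ep.mfa_passed:
        return ("deny", set(), ["multi-factor authentication failed"])
    if ep.role not in ROLE_SEGMENTS:
        return ("deny", set(), ["unknown role"])
    failures = posture_failures(ep, today)
    if failures:  # non-compliant devices are blocked whatever the user's role
        return ("deny", set(), failures)
    return ("allow", set(ROLE_SEGMENTS[ep.role]), [])

def can_reach(ep, segment, today):
    """True only if the endpoint is admitted and its role covers the segment."""
    return segment in admit(ep, today)[1]

if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed sample data
    vendor = Endpoint("vendor-tech", "guest", True, date(2024, 5, 20), True)
    stale = Endpoint("alice", "employee", True, date(2024, 3, 1), True)
    print(admit(vendor, today), can_reach(vendor, "intranet", today))
    print(admit(stale, today))
```

The vendor laptop is admitted but confined to the `internet` segment, while the employee laptop is denied because its patches are older than the threshold.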
Network access control will not work for every organization, and it is not compatible with some existing security controls. But for organizations that have the time and staff to properly implement it, network access control can provide a much stronger and more comprehensive layer of protection around valuable or sensitive assets.
IT departments that use virtual machines as part of their data center can benefit from network access control, but only if they are vigilant about the rest of their security controls. Virtualization poses special challenges for NAC because virtual servers can move around a data center, and a dynamic virtual local area network (LAN) can change as the servers move. Not only can network access control for virtual machines open unintended security holes, it can make it challenging for organizations to adhere to data audit control standards. This is because traditional security methods locate endpoints through their IP addresses. Virtual machines are dynamic, and move from place to place, making them more complicated to secure.
Additionally, virtual machines are very easy and fast to spin up, meaning that inexperienced IT administrators may launch a virtual machine without all of the proper network access controls in place. Yet another vulnerability occurs when virtual machines are restored from a rest state. If new patches appeared while the server was in the rest state, they may not be applied when the machine is redeployed. An increasing number of organizations are adding application security to their network security controls to ensure that everything on their network, down to the application level, is secure.
There are two basic types of network access control. Both are important aspects of network security: