Network Access Control: Explained

Organizations with remote users and services need a reliable way to authenticate the devices that connect to them. Network Access Control is just what it sounds like: the practice of controlling access to the network. It’s achieved by identifying users and devices and then authorizing (or denying) varying levels of access to the network.

In this article, we’ll be examining how NAC works and why it’s integral to modern cloud security.

How does NAC Work?

First, an important clarification. NAC is both a conceptual paradigm and a category of networking tools and applications. Ultimately, the goal is to enhance overall network security by excluding unauthorized users and devices from private networks or domains.

Benefits of a Network Access Control System

Broadly speaking, NAC is the tool with which you implement a Zero Trust architecture: it grants access only to the resources a user or device actually needs and requires reauthentication for new requests.

  • NAC gives organizations a well-defined set of rules (policies) for authenticating different entities and authorizing their access requests.
    • For example, you can implement Role-Based Access Control or Attribute-Based Access Control (or both!)
    • Segment groups with similar needs into VLANs whose access is limited to the essentials.
  • NAC lets network administrators use stronger authentication methods, such as multi-factor authentication (MFA) or certificates, in addition to or instead of traditional methods such as passwords or IP address-based authentication.
  • Certificate-based authentication backed by a Public Key Infrastructure (PKI) adds rich identity context to authentication. Identity assurance is higher once password sharing is taken out of the picture: a certificate and its private key live on one device, which a shared password does not.

TYPES OF NETWORK ACCESS CONTROL

NAC is generally classified by when the control is applied, which gives two categories: pre-admission and post-admission.

  • Pre-admission NAC: As the name suggests, this type of network access control evaluates a user or device before it is granted access, and admits it only if the request complies with the organization’s policies (for example, valid credentials and a compliant endpoint).
  • Post-admission NAC: This type of NAC acts on endpoints that are already on the network, typically when they try to reach another segment or resource. It can re-check their identity or posture and quarantine them if they fall out of compliance, which makes it a second layer of protection if a pre-admission check was bypassed or the endpoint’s state changed after it was admitted.

Common NAC Tools:

802.1X

Devices attempting to connect to a LAN or WLAN need an authentication mechanism. IEEE 802.1X, the standard for Port-Based Network Access Control (PNAC), provides one: it carries Extensible Authentication Protocol (EAP) messages over the LAN (EAPOL) so that a port stays closed to everything except authentication traffic until the device has proved its identity.

802.1X includes four major components (the standard itself names the first three roles supplicant, authenticator, and authentication server):

  • Client / supplicant
  • Access point / switch (the authenticator)
  • RADIUS server (the authentication server)
  • Identity provider / directory

Client + Supplicant

In order for a device to participate in 802.1X authentication, it must have a piece of software called a “supplicant” installed. The supplicant participates in the initial EAP negotiation with the switch or controller and packages up the user’s credentials in a form compliant with 802.1X. If a client does not have a supplicant, the EAP frames sent from the switch or controller are ignored, the switch cannot authenticate the device, and the port stays unauthorized (unless the switch is configured to fall back to MAC Authentication Bypass or a guest VLAN).

Fortunately, almost all devices we might expect to connect to a wireless network have a supplicant built in. SecureW2 provides an 802.1X supplicant for devices that don’t have one natively.

Switch / Access Point / Controller

The switch or wireless controller (the authenticator) acts as a ‘broker’ in the exchange. Until authentication succeeds, the port passes only EAPOL frames from the client; everything else is dropped. The authenticator does not interpret the credentials itself: it relays the EAP messages between the supplicant and the RADIUS server (carried inside RADIUS packets on the server side) and then applies the server’s decision, opening the port and assigning whatever VLAN or ACL the server returns.

RADIUS Server

The RADIUS server acts as the “security guard” of the network: as users connect, it authenticates their identity (by checking their credentials, or validating their certificate, against the directory) and returns Access-Accept or Access-Reject, optionally with authorization attributes such as a VLAN assignment. Traffic between each authenticator and the RADIUS server is protected by a shared secret, which should be unique per authenticator.

Identity Provider / Directory

The Identity Provider (IdP) is the system that stores authorized client information, such as usernames, passwords, and group memberships. It can be broadly split into two categories:

  • Legacy on-premises identity providers, almost always Microsoft Active Directory, which run on servers the organization operates and primarily serve the local area network (LAN).
  • Modern cloud identity providers, which are usually SAML- or OIDC-based (such as Azure AD, Okta, and Google).

On-premises and cloud environments, and the software designed for each, are often incompatible: a SAML or OIDC identity provider is built for browser-based sign-in, not for the LDAP or RADIUS lookups a traditional 802.1X deployment relies on. Depending on the infrastructure you have in place, you may be locked into one or the other unless something, such as certificates, bridges the gap.
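To make the division of labour between the four components concrete, here is a small Python model of one switch port going through the exchange. It is an added example, not code from SecureW2 or from the 802.1X standard; the frame layout, the directory contents, the password check and the VLAN numbers are constructed for illustration (a real authenticator relays opaque EAP packets and never sees a password inside PEAP or EAP-TLS). What it shows is the security property that matters: an unauthorized port passes only EAPOL frames, the switch itself decides nothing, and the VLAN comes back from the RADIUS server as an authorization attribute.

```python
"""802.1X port gating and RADIUS relay, modeled in Python.

Added example, not code from SecureW2 or from IEEE 802.1X. The frame layout,
the directory contents and the credential check are constructed assumptions;
a real authenticator relays opaque EAP packets and never sees the password
inside a tunneled method such as PEAP or EAP-TLS.
"""
from dataclasses import dataclass
from typing import Dict, Optional

EAPOL_ETHERTYPE = 0x888E   # EtherType of EAPOL, the only traffic an unauthorized port passes
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: dict           # for EAPOL frames here: {"identity": ..., "secret": ...}


# Constructed directory (stand-in for AD/LDAP): username -> (password, role).
DIRECTORY = {
    "alice": ("correct-horse-battery-staple", "engineering"),
    "bob": ("hunter2", "hr"),
}
ROLE_VLAN = {"engineering": 20, "hr": 30}


def radius_authenticate(identity: str, secret: str) -> dict:
    """Stand-in for the RADIUS server: check the credential against the
    directory and answer with Access-Accept (plus a VLAN) or Access-Reject."""
    entry = DIRECTORY.get(identity)
    if entry is None or entry[0] != secret:
        return {"code": "Access-Reject"}
    _, role = entry
    return {"code": "Access-Accept", "Tunnel-Private-Group-ID": ROLE_VLAN[role]}


@dataclass
class PortState:
    authorized: bool = False
    mac: Optional[str] = None
    vlan: Optional[int] = None


class Authenticator:
    """The switch / access point. It never validates credentials itself."""

    def __init__(self) -> None:
        self.ports: Dict[int, PortState] = {}

    def receive(self, port_id: int, frame: Frame) -> str:
        port = self.ports.setdefault(port_id, PortState())
        if frame.ethertype == EAPOL_ETHERTYPE:
            return self._relay_eap(port, frame)
        # Single-host mode: only the MAC that authenticated may use the port.
        if port.authorized and frame.src_mac == port.mac:
            return f"forwarded on VLAN {port.vlan}"
        return "dropped: port unauthorized"

    def _relay_eap(self, port: PortState, frame: Frame) -> str:
        # The EAP conversation is relayed to RADIUS; the decision comes back
        # with authorization attributes that the switch simply applies.
        result = radius_authenticate(frame.payload["identity"], frame.payload["secret"])
        if result["code"] != "Access-Accept":
            port.authorized, port.mac, port.vlan = False, None, None
            return "EAP-Failure: port remains unauthorized"
        port.authorized, port.mac = True, frame.src_mac
        port.vlan = result["Tunnel-Private-Group-ID"]
        return f"EAP-Success: port authorized on VLAN {port.vlan}"


def demo() -> list:
    """Walk one port through the exchange and return what happened to each frame."""
    sw = Authenticator()
    laptop = "00:11:22:33:44:55"
    return [
        sw.receive(1, Frame(laptop, IPV4_ETHERTYPE, {})),                      # before auth
        sw.receive(1, Frame(laptop, EAPOL_ETHERTYPE, {"identity": "alice", "secret": "wrong"})),
        sw.receive(1, Frame(laptop, IPV4_ETHERTYPE, {})),                      # still blocked
        sw.receive(1, Frame(laptop, EAPOL_ETHERTYPE,
                            {"identity": "alice", "secret": "correct-horse-battery-staple"})),
        sw.receive(1, Frame(laptop, IPV4_ETHERTYPE, {})),                      # now forwarded
        sw.receive(1, Frame("66:77:88:99:aa:bb", IPV4_ETHERTYPE, {})),         # second host, same port
    ]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The last frame is the single-host rule at work: a second MAC behind the same port (a hub, or a device plugged in behind an authenticated phone) does not inherit the session. Production switches offer multi-host and multi-auth modes that relax this, and each relaxation is a deliberate trade-off worth documenting.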

Read here for a case study about how SecureW2 helped an organization looking to transition to the cloud.

Other NAC Solutions

There are many other methods to implement NAC that aren’t covered under the umbrella of 802.1X. Some common examples are:

  • Firewalls
  • VPN

WHAT IS ROLE-BASED ACCESS CONTROL (RBAC)?

Role-Based Access Control (RBAC) is the practice of assigning users permissions based on their current role in the organization. As part of a Zero Trust architecture, the guiding principle behind RBAC is to give users only enough access to complete the tasks within the scope of their position.

For example, there’s little reason for a developer to have access to payroll information; likewise, the HR person shouldn’t be able to access the source code for your software. Denying users broad permissions is very effective in limiting the damage a compromised account can do.

Still, many organizations have a hard time implementing RBAC effectively. Two recurring problems are updating the permissions of a person who has transferred laterally from engineering to HR, and, when HR terminates someone and removes them from payroll, propagating the removed permissions across the network immediately to prevent retaliation from a disgruntled employee.

Certificate-based authentication addresses this. Certificates aren’t modified, only issued and revoked, so a role change means revoking the old certificate and issuing a new one carrying the new role; the person’s network access is updated before they can begin. The caveat is that revocation only takes effect if the RADIUS server actually checks revocation status (via a CRL or OCSP) at authentication time, and a departing employee’s certificate should be revoked rather than left to expire.

What is Attribute-Based Access Control (ABAC)?

Like RBAC, ABAC is fairly self-explanatory. Instead of applying policy to broad swaths of the workforce based on their job title, you make access decisions on a more granular level, using individual attributes of the user, the device, or the request.

Directories can store all kinds of information about the entities they contain. There’s the obvious stuff, like name, email address, and password, but there are more interesting options as well.

An example of a complex but useful policy would be one that allows access to the network only if the user is authorized and is requesting access from an expected geographical location (for example, the site that the switch or access point reports in its RADIUS request). This can stop harvested credentials from being used against your local network from somewhere the user never works.

However, applying attribute-based access control can be difficult depending on your network configuration. Some directories don’t support the attributes you need. Furthermore, password-based EAP methods carry only a username and password, so extra attributes have no way to reach the RADIUS server at authentication time.

That’s one of the major reasons SecureW2 advocates passwordless certificate-based authentication. Certificate fields (subject, subject alternative name, or custom extensions) can carry per-user attributes, so the inputs a policy needs arrive together with the certificate at the time of authentication.
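As an added example (not SecureW2’s code), here is what the authorization step on the RADIUS server can look like once EAP-TLS has validated a client certificate: validity and revocation first, then the role carried in the certificate for RBAC, then a location attribute for ABAC, covering both of the sections above. The certificate is modeled as a dataclass; the region field standing in for a custom certificate extension, the NAS-to-site table, the VLAN numbers and the CRL contents are all assumptions.

```python
"""Certificate-driven RBAC and ABAC decisions on the RADIUS side.

Added example, not SecureW2's code. Assumes EAP-TLS has already validated the
client certificate's chain and signature; what remains is the authorization
policy. The certificate fields, the site table, the VLAN numbers and the CRL
contents are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, Set


@dataclass(frozen=True)
class ClientCert:
    serial: int
    subject_cn: str          # the person or device
    subject_ou: str          # role at issuance: the RBAC input
    region: str              # site the cert was issued for: the ABAC input (assumed custom extension)
    not_after: datetime


# Role -> authorization attributes returned in Access-Accept.
ROLE_POLICY: Dict[str, dict] = {
    "engineering": {"Tunnel-Private-Group-ID": 20, "Filter-Id": "eng-acl"},
    "hr":          {"Tunnel-Private-Group-ID": 30, "Filter-Id": "hr-acl"},
}

# Which site each switch / access point lives at. A real server would key this
# off NAS-Identifier or NAS-IP-Address in the Access-Request.
NAS_SITE = {"sw-sea-01": "us-west", "sw-ams-01": "eu-west"}


def reject(reason: str) -> dict:
    return {"code": "Access-Reject", "Reply-Message": reason}


def authorize(cert: ClientCert, nas_id: str, now: datetime, crl: Set[int]) -> dict:
    """Validity and revocation first, then RBAC (role -> VLAN/ACL), then ABAC
    (the request must come from the site the certificate was issued for)."""
    if now >= cert.not_after:
        return reject("certificate expired")
    if cert.serial in crl:
        # Revocation is the only way a role change or departure takes effect;
        # skipping this check would silently undo the RBAC story below.
        return reject("certificate revoked")
    role_attrs = ROLE_POLICY.get(cert.subject_ou)
    if role_attrs is None:
        return reject(f"no policy for role {cert.subject_ou!r}")
    site = NAS_SITE.get(nas_id)
    if site != cert.region:
        return reject(f"{cert.subject_cn} presented a {cert.region} certificate from {site or 'unknown'}")
    return {"code": "Access-Accept", **role_attrs}


def change_role(old: ClientCert, new_ou: str, crl: Set[int], next_serial: int) -> ClientCert:
    """A lateral transfer: the old certificate is revoked and a new one is
    issued with the new role. Nothing is edited in place."""
    crl.add(old.serial)
    return replace(old, serial=next_serial, subject_ou=new_ou)


def demo() -> dict:
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    crl: Set[int] = set()
    alice = ClientCert(1001, "alice", "engineering", "us-west", now + timedelta(days=365))
    results = {
        "home_site": authorize(alice, "sw-sea-01", now, crl),
        "wrong_site": authorize(alice, "sw-ams-01", now, crl),
        "unknown_nas": authorize(alice, "sw-xyz-99", now, crl),
    }
    alice_hr = change_role(alice, "hr", crl, next_serial=1002)
    results["old_cert_after_transfer"] = authorize(alice, "sw-sea-01", now, crl)
    results["new_cert_after_transfer"] = authorize(alice_hr, "sw-sea-01", now, crl)
    results["expired"] = authorize(alice_hr, "sw-sea-01", now + timedelta(days=400), crl)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

The `change_role` function is the point made under RBAC above: the transfer revokes serial 1001 and issues 1002, and the old certificate stops working immediately, but only because `authorize` consults the CRL before it looks at the role.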

NAC USE CASES

Organizations need to ensure their NAC policies cover these classes of device and user:

  • Internet of Things (IoT)
  • BYOD
  • Managed Devices
  • Third-Party Vendors

Internet of Things

Our increasingly connected world sees more and more devices becoming network-capable; there’s a dizzying array of speakers, smart thermostats, door locks, and more vying for bandwidth. Every network connection is a potential entry point, so every IoT device you onboard adds to your attack surface. Worse, IoT devices typically run stripped-down or proprietary firmware, often can’t run an 802.1X supplicant or an endpoint agent, and may never receive security updates.

Many IoT devices, and some printers, do not support WPA2-Enterprise or wired 802.1X, so a supplicant-based login is out of the question. For those, MAC Authentication Bypass (MAB) is the usual fallback: the switch or access point sends the device’s Media Access Control (MAC) address to the RADIUS server as its identity, and the server accepts or rejects it against a list of known devices.

MAC auth bypass alone is neither novel nor particularly secure, since a MAC address is visible on the wire and easily cloned, but it becomes a reasonable option when paired with device profiling, a restricted VLAN for MAB-authenticated devices, and monitoring. Using a NAC solution like SecureW2’s JoinNow Suite allows you to identify, authenticate, and monitor connected IoT devices of nearly any type.
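Added example, not SecureW2’s code: a RADIUS-side MAB decision that handles the MAC formatting mess and pushes every MAB device onto a restricted VLAN. The inventory, the VLAN numbers and the switch conventions it relies on (the MAC arriving as User-Name and Calling-Station-Id, and Service-Type=Call-Check marking the request as MAB) are assumptions; the conventions are common on enterprise switches but should be verified against your own gear.

```python
"""MAC Authentication Bypass (MAB) on the RADIUS side, with a restricted VLAN.

Added example, not SecureW2's code. The device inventory, VLAN numbers and the
switch conventions (the MAC arriving as User-Name and Calling-Station-Id, and
Service-Type = Call-Check marking the request as MAB) are assumptions that
match common switch behaviour but should be checked against your own gear.
"""
import re
from typing import Dict, Optional, Tuple


def normalize_mac(raw: str) -> Optional[str]:
    """Different switches write the same MAC as "00:11:22:33:44:55",
    "00-11-22-33-44-55", "0011.2233.4455" or "001122334455"; reduce all of
    them to twelve lowercase hex digits, or None if it isn't a MAC at all."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        return None
    return digits.lower()


# Constructed inventory: normalized MAC -> (label, segment).
KNOWN_DEVICES: Dict[str, Tuple[str, str]] = {
    "001122334455": ("printer-3f-east", "printers"),
    "a0b1c2d3e4f5": ("lobby-camera-01", "cameras"),
}

# MAB devices never land on a user VLAN: each segment gets its own restricted
# VLAN because the only "credential" was a MAC address, which anyone can copy.
SEGMENT_VLAN = {"printers": 110, "cameras": 120}


def reject(reason: str) -> dict:
    return {"code": "Access-Reject", "Reply-Message": reason}


def mab_authorize(request: dict) -> dict:
    """Decide an Access-Request that a switch sent for a supplicant-less device."""
    if request.get("Service-Type") != "Call-Check":
        return reject("not a MAB request; expected Service-Type=Call-Check")
    mac = normalize_mac(request.get("User-Name", ""))
    calling = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None or mac != calling:
        # A MAB request carries the same MAC in both attributes; a mismatch
        # means something other than the switch's MAB logic built the request.
        return reject("User-Name is not a MAC address or does not match Calling-Station-Id")
    device = KNOWN_DEVICES.get(mac)
    if device is None:
        return reject(f"unknown device {mac}")
    label, segment = device
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": SEGMENT_VLAN[segment],
        "Reply-Message": f"MAB: {label} -> {segment}",
    }


def demo() -> dict:
    """Constructed requests in the shape a switch would send."""
    base = {"Service-Type": "Call-Check", "NAS-Port": 7}
    return {
        "printer_dotted": mab_authorize({**base, "User-Name": "0011.2233.4455",
                                         "Calling-Station-Id": "00-11-22-33-44-55"}),
        "camera_upper_case": mab_authorize({**base, "User-Name": "A0B1C2D3E4F5",
                                            "Calling-Station-Id": "A0:B1:C2:D3:E4:F5"}),
        "unknown_device": mab_authorize({**base, "User-Name": "de:ad:be:ef:00:01",
                                         "Calling-Station-Id": "de:ad:be:ef:00:01"}),
        "not_mab": mab_authorize({"User-Name": "alice",
                                  "Calling-Station-Id": "00:11:22:33:44:55"}),
        "mismatch": mab_authorize({**base, "User-Name": "001122334455",
                                   "Calling-Station-Id": "a0b1c2d3e4f5"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} {decision}")
```

Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID are the standard RADIUS tunnel attributes (RFC 2868) used for VLAN assignment; a switch expects the first two to be VLAN and IEEE-802 before it honours the group ID.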

Managed Devices

Organizations with managed devices, like office computers or work phones, understand the need to secure and manage those devices at scale. It’s not feasible to go to every workstation and hit “update” every time there’s a Windows update, especially for a global company.

A mobile device management (MDM) solution provides the needed tools to remotely configure, patch, and otherwise manage your organization’s devices. Through the MDM, you can extend security policies to every device simultaneously.

SecureW2 does not provide an MDM, but it is compatible with every major vendor. In fact, we have industry-unique certificate auto-revocation features for two of the biggest MDMs, Intune and Jamf.

BYOD

Remote work has dramatically changed the business landscape, allowing employees to work at home or in public on their personal devices. This flexibility requires that they be able to reach organizational resources from wherever they work, which means sensitive information travels over networks the organization does not control.

Any IT admin recognizes the serious challenge this poses to corporate network security. How do you securely grant access to network resources on a personal device without endangering your network?

You need a BYOD onboarding solution, a core part of a comprehensive NAC suite. BYOD onboarding is inherently an end-user self-service operation, so it needs to be as simple and user-friendly as possible. Operating under those principles is why SecureW2’s JoinNow app is the #1 rated onboarding app on every app store: a guided self-service onboarding application for any OS that configures the device to authenticate to your network access server.

Third-Party Vendors

No org is an island; over the course of a regular workday, the average employee interacts with dozens of applications that are ultimately controlled by someone else. Often these services integrate with protected parts of your network or need to exchange sensitive information. How can you extend your access policies to these third parties?

A proper NAC implementation defines the policies third parties must follow to reach the network, such as connecting through a VPN or authenticating via RADIUS, and limits their access to the resources they actually need. Ensure that your NAC solution is vendor-neutral or vendor-agnostic like SecureW2 for maximum interoperability.

Who is Network Access Control for?

Enterprise

Enterprises will see the most use from NAC solutions, as their broad range of business activities gives them an equally broad attack surface to defend. Fortunately, the scale of enterprises works to their advantage in this case – cybersecurity measures are far more cost effective when deployed en masse.

Here are some common places to see NAC at work in Enterprise:

  • Deploying guest Wi-Fi for visitors and contractors
  • Onboarding new employees to the network
    • and segmenting them into groups with appropriate access levels
  • Failsafes for removing access from employees who change roles or leave the company (to prevent sabotage)
  • Managing and monitoring managed devices

Small Business

Small businesses run the gamut from a one person mechanic shop to several hundred people across several locations. As such, their NAC needs can vary quite widely. The most important considerations here are having a user-friendly experience (to encourage participation) and being cost-effective.

Here are some NAC implementations we see in SMB:

  • Upgrading from a preshared key network to WPA2-Enterprise with individual logins (or even certificate based authentication!)
  • Being able to onboard personal devices such as the laptops employees use to work remotely
  • Network segmentation and VLAN usage to restrict access to on-premises resources where necessary

Education

SecureW2 works with lots of organizations in the education space, from K-12s to universities. It’s a unique vertical because the primary users of the network are the organization’s “customers” (or students; often children!).

With that in mind, education orgs frequently use NAC for:

  • Onboarding BYOD devices and authenticating them (using your cellphone on campus)
  • Fleets of managed devices need to be as tightly locked down as possible (you never know what those kids will get into)
    • Access controls restricting some parts of the internet as well as the intranet
  • Creating high-assurance identity context by removing the opportunity to share passwords (so you know precisely who is using an account)
  • Enabling network roaming solutions like eduroam
    • See here how we facilitate eduroam for hundreds of universities like this one

Healthcare

Healthcare is also uniquely challenging from a network access control standpoint. There are a couple of significant obstacles: namely the (strictly mandated) need for privacy and the very diverse device environment.

Here are some specific examples of how NAC is used for healthcare:

  • Securing IoT devices (the myriad types of medical equipment), each with different OSs and networking capabilities
  • Advanced network segmentation that goes beyond RBAC. Ensuring patient info is only accessible on a need-to-know basis
  • HIPAA compliance in general

How to Implement Effective Network Access Control

Many organizations are reluctant to dive headfirst into configuring NAC because of its perceived complexity and cost. Those concerns are well-founded, which is why SecureW2 offers a suite of managed cloud NAC solutions to streamline the process and reduce overhead. From onboarding users to creating customized access policies, or monitoring network activity and deploying passwordless certificate-based authentication, SecureW2’s JoinNow Suite has got you covered.

We have affordable options for organizations of all sizes. Our totally vendor-neutral network access control suite can be implemented à la carte, integrating into your existing architecture to upgrade your authentication and scale at your pace. Click here to see our pricing.