Network Access Security – a simplified view
Over the last year, network security has come back into focus in a big way. Organizations are implementing upgraded security measures to make sure their data is safe. Client devices are targeted all the time, making the networks they join vulnerable. If any of these devices join your network, they can infect it – causing widespread disruption and chaos. So, while we know that our end-user devices should have anti-virus software – shouldn’t we arm our network too?
Security should start right with the building blocks of network infrastructure and then extend out all the way to the edge. Networks need to be armed to prevent infected machines from joining them. Not only should they be stopped at access – but there should be a way to get them to comply throughout the time they are connected. This is where Network access security and control comes in.
A Network Access Control (NAC) Server allows the authorization, authentication, and accounting of network connections. It works with network infrastructure devices to enable access or change of authorization decisions for all end-user devices. It performs pre-admission endpoint security checks and post-admission controls over where users can connect on the network.
Let’s take a look at some of the key terms associated with a NAC –
- Posture assessment – evaluation of system security based on applications and other configured settings
- Quarantine – restricted IP network that provides incompliant users with routed access to only certain hosts and applications for remediation purposes
- CoA (Change of Authorization) – enables dynamic reconfiguration of a device session ( this can include VLAN settings and user profiles) from an external server
- NAC-Agent – can be persistent or dissolvable. The primary purpose is to perform authentication and compliance check. Agentless options available for IoT devices.
So how does a NAC onboard a client device?
- When a device first connects – wired or wirelessly – it is isolated/quarantined from the main network, and a health-check/posture assessment is done.
- If detected to be out of compliance, the device is given access to whitelisted applications for remediation.
- Once the device is cleared, it is allowed onto the main network using CoA
- A NAC agent can be used to continually monitor the device while it is connected. Any anomaly detection will prompt a new health-check.
This entire process is accomplished by changing the access VLANs for the client device in coordination with the network infrastructure (switch or access point).
A NAC can also be used to onboard guests – when a new device is detected, the server checks for an existing profile or user. Once identified as a Guest device, it will go through the health check similar to the one detailed above. After it has passed the health-check, the NAC server will work with the network switch or AP to put it on the correct Guest VLAN. The Guest VLAN will have appropriate access lists in place to make sure the device has restricted access
Concluding from above, we see the importance of network security in securing data centers and corporate data from the point of entry into an organizations infrastructure. Implementing a modern simple NAC solution like Aerohive’s A3 will help keep security a high priority in your organization.