What is network access control?
Network access control, or NAC, is the set of tools, processes and protocols that govern access to network-connected resources. It is a multifaceted discipline that involves access control solutions for different types of resources, including conventional PCs and servers, and also network routers, IoT devices and more.
NAC also applies to data that travels over the network, and the resources it helps to secure may be physical (as in the case of hardware routers or servers) or software-defined, virtual resources (such as a software firewall or a virtual machine).
In addition, NAC extends beyond access control narrowly defined to include device identification, threat monitoring and policy-based management of access control for networked resources. It also addresses the security requirements of both wired and wireless networks, although, as we discuss below, NAC considerations sometimes vary between these two contexts.
When/why do you need network access control?
Whether you have a small network with just a handful of devices or a sprawling enterprise network that includes thousands of devices, you need NAC for IoT security. Why? NAC is a critical component of your overall security strategy, and for several reasons.
It’s easy to add devices to a network, but not always so easy to track them. As a result, organizations run a high risk of having unauthorized devices on their networks.
Employees may bring personal computers or phones to work and connect them to the network without properly registering them under the terms of your company’s BYOD policy, for example. Or, an IT team might set up devices for testing purposes and then forget about them, even though they are still running. Resources like these become “shadow” IoT devices that are connected to your network but not properly managed.
NAC helps to prevent unauthorized devices from being joined to your network in the first place, while also identifying those that exist so that you can take them offline or make sure they are secured properly.
Large organizations regularly work with contractors, partners and third-party suppliers, and must sometimes grant these external stakeholders access to their network. Without an effective NAC strategy, it’s very difficult to guarantee that these outside devices are properly secured and don’t become a vector for attack into your network. It’s also difficult to ensure that the devices are disconnected when they are no longer needed.
Data privacy laws
Government agencies and industry groups have introduced increasingly strict regulations and data privacy laws that govern which types of data are collected and stored by an organization. Without NAC, companies lack visibility into the types of resources that exist on their network and whether special compliance rules may apply to them.
For these reasons and more, organizations seeking to stay ahead of security challenges and regulatory issues must develop an effective NAC strategy.
NAC capabilities and limitations
NAC is a powerful component within a broader cybersecurity strategy. However, NAC is not a panacea. It’s important to understand which security risks NAC can and cannot address.
NAC excels at addressing several traditional types of security needs:
Conventional network visibility: NAC can help identify which devices exist on your network, who has access to them and how they can share resources with each other.
Endpoint security technology: NAC helps ensure that network endpoints—meaning physical or virtual resources that can send or receive data over the network—are secured against known vulnerabilities.
Authentication: NAC policies ensure that users and devices authenticate properly before they are allowed to use a network by, for example, preventing a computer from joining a wireless network unless its user enters the right passphrase.
Network security enforcement: NAC can identify instances where devices are not compliant with authentication or security policies.
Despite these strengths when it comes to managing authentication for users and known devices, NAC is subject to several limitations in other respects.
Low visibility into IoT and unmanaged devices
One of the major limitations of NAC is that it is effective in managing security risks only for known devices, and devices that are associated with human users (like a PC or server). A device that is joined to the network and has no specific user or group of users associated with it, such as an IoT sensor, is more difficult to manage via NAC. These devices may not support traditional authentication protocols or security certificates due to hardware capacity limitations or a lack of user input.
As a result, organizations often default to trusting these devices blindly and excepting them from standard NAC rules.
Network access control for wired networks
While access to wireless networks is typically secured using protocols like WPA, wired networks often have no such controls in place. They often assign an IP address via DHCP and give full connectivity to any device that is plugged in (and even if they don’t assign an IP address automatically, the device or user can configure one manually).
This approach is convenient because it eliminates the need to manage access credentials for wired devices and users. Organizations sometimes assume that the security risks are low because only users with physical access to their infrastructure can plug in devices. The reality, however, is that unsecured wired networks are prime vectors for shadow devices to enter an organization’s infrastructure.
Monitoring for threats post-access
Because NAC focuses on controlling access to networks, it is effective only for protecting against threats that are external to a network. It doesn’t detect breaches after they occur, or protect against “insider” threats that originate on an already-authenticated device.
Ability to establish policies for devices
Unmanaged, non-user devices, such as IoT hardware, often rely on special communications protocols that are not supported by standard NAC authentication policies or tools. Faced with this challenge, organizations end up choosing between granting these devices an exception from NAC rules, or building very complex policies to accommodate them. Both approaches are far from ideal.