Jason Garbis, November 3, 2017
What’s Better: NAC or Software-Defined Perimeter
Network security solutions that most organizations are deploying are clearly falling short.
We see far too many breaches and successful attacks, and those of us who have lived through one know just how disruptive and expensive it can be. A lot of this has to do with traditional Network Access Control (NAC) solutions not meeting today’s business, security, technical and compliance requirements.
Historically, network security solutions accepted the myth of the trusted user. Companies would build a perimeter around their internal network, verify that a user was who they said they were, and once in the door, that user received full access to the network, or at least a large portion of it. Perhaps our latest Nobel Prize winner would agree: “The times they are a-changin’.”
Don’t Trust Anyone Says Forrester
According to Forrester, there is a movement to redesign network security:
Perimeter-based network security models fail to protect against today’s threats. The trust model is broken; there are four critical pitfalls with today’s approach to network security: It’s impossible to identify trusted interfaces, the mantra “trust but verify” is inadequate, malicious insiders are often in positions of trust, and trust doesn’t apply to packets.
In another complementary Forrester report, the firm says that “Vendors didn’t design existing enterprise security controls to thwart the types of threats common today. Current attacks are multistage, multi-OS, and multi-application, and enterprise security teams struggle to adapt to morphing attack patterns… A Zero Trust (ZT) network abolishes the idea of a trusted network inside the corporate perimeter. The entire network is untrusted. Instead, security teams create microperimeters of granular control around an enterprise’s sensitive data assets that also provides visibility into how the firm uses this data across its entire business ecosystem.”
In spite of this warning from Forrester many security professionals have stuck with traditional NAC solutions that are failing them. Here’s why.
Network Access Control Technology Overview
Network access control, or NAC, is a mature technology built on IEEE 802.1X, the standard for port-based network access control (PNAC). Even so, the market is growing relatively slowly.
A NAC deployment has several components. A supplicant, a piece of client software on the device, negotiates with the authenticator (the switch port or wireless access point the device connects to) when the device joins the network. The authenticator relays the user’s credentials, a user name and password, possibly with a second factor, to an authentication server, typically RADIUS, which validates them; in 802.1X this exchange is carried over EAP. If the credentials check out and the device passes whatever posture checks are configured (for example, current antivirus or patches), the authentication server tells the authenticator which VLAN to place the port in, and the user gains access to that VLAN. A VLAN defines a group of hosts and switch ports in a way that is enforced by the network infrastructure, while letting you logically group servers by risk or business function.
A NAC solution lets you inspect a set of attributes on the client device, validate credentials and grant access to a VLAN. But VLANs introduce complexity and leave coarse gaps:
- VLANs need to be defined ahead of time. They are static, and altering them can require network configuration changes.
- When a user is admitted to a VLAN (i.e. the perimeter), they get full and complete access to everything on it. The switch either allows or disallows access to the VLAN, and nothing finer than that; any further restriction has to come from separate ACLs or firewalls between hosts. In practice most organizations run only a small number of VLANs, two, three, maybe four: a guest VLAN, a regular employee VLAN and a higher-risk production VLAN.
- NAC does not extend to resources running in the cloud, where the organization does not control the switch port.
- NAC solutions struggle with remote users, yet remote users are the norm. Most organizations therefore add remote access solutions like VPNs to the mix, creating another set of policies to manage.
The result? If organizations are using cloud-based resources, they need an alternative or additional solution to NAC to manage user access.
And that’s the biggest thing changing today: perimeter-based solutions just don’t work.
Rather than attempting to improve traditional NAC solution deployments, many organizations are considering replacing them with a Software-Defined Perimeter solution that offers an individualized, dynamically adjusted network segment – a segment of one to:
- Secure enterprise networks with fine-grained control
- Reduce operational costs
- Enable secure adoption of the cloud
- Easily meet compliance requirements
This individualized network segment adjusts dynamically based on user and network attributes. It enforces the principle of least privilege, allowing users, through a set of policies, to reach only the resources on the network that they actually need.
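To make the contrast between the 802.1X/RADIUS flow described above and the “segment of one” model concrete, here is an added example (not code from the original post or from any vendor’s product) that simulates the two decision points side by side. The NAC side, after credential and posture checks, can only hand the switch a VLAN, which it does with the real RADIUS tunnel attributes defined for VLAN assignment in RFC 3580; the SDP side returns a per-session allowlist of host/port pairs. The users, passwords, hosts, VLAN numbers and entitlement table are constructed sample data, and the posture check is a hypothetical two-flag stand-in for a real agent.

```python
"""Toy comparison of a VLAN-based NAC decision with a per-user SDP decision.

Added illustration only; not code from the original post or any product.
All users, devices, VLANs and hosts below are constructed sample data.
"""
from dataclasses import dataclass

# RADIUS attributes a NAC/RADIUS server returns in an Access-Accept to place
# the authenticated port in a VLAN (RFC 3580 section 3.31, values from RFC 2868).
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type (attribute 64) = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type (attribute 65) = IEEE-802

VLAN_GUEST = 10     # guest / remediation VLAN for devices that fail posture
VLAN_EMPLOYEE = 20  # the one VLAN every healthy employee device lands in


@dataclass(frozen=True)
class Device:
    user: str
    password: str
    av_running: bool   # hypothetical posture signals a NAC agent would report
    os_patched: bool


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    ports: frozenset


# Constructed directory: user -> (password, group).
DIRECTORY = {"alice": ("hunter2", "hr"), "bob": ("s3cret", "eng")}

# Constructed inventory. Note that hr-db, build-server and wiki all share the
# employee VLAN, because the organization only has a few VLANs.
HOSTS = [
    Host("hr-db", VLAN_EMPLOYEE, frozenset({5432})),
    Host("build-server", VLAN_EMPLOYEE, frozenset({22, 443})),
    Host("wiki", VLAN_EMPLOYEE, frozenset({443})),
    Host("guest-portal", VLAN_GUEST, frozenset({80})),
]


def authenticate(dev):
    """Return the user's group on a valid password, else None."""
    rec = DIRECTORY.get(dev.user)
    if rec is None or rec[0] != dev.password:
        return None
    return rec[1]


def posture_ok(dev):
    return dev.av_running and dev.os_patched


def nac_decision(dev):
    """Return RADIUS Access-Accept attributes, or None for Access-Reject.

    The only knob the switch understands is which VLAN to put the port in,
    so every authenticated, healthy employee lands in the same VLAN no matter
    what their role actually entitles them to."""
    if authenticate(dev) is None:
        return None
    vlan = VLAN_EMPLOYEE if posture_ok(dev) else VLAN_GUEST
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def nac_reachable(dev, host, port):
    """What the switch enforces: same VLAN and an open port means reachable."""
    attrs = nac_decision(dev)
    if attrs is None:
        return False
    return host.vlan == int(attrs["Tunnel-Private-Group-ID"]) and port in host.ports


# Constructed SDP entitlement policy: group -> {(host name, port)}.
SDP_POLICY = {
    "hr": {("hr-db", 5432), ("wiki", 443)},
    "eng": {("build-server", 22), ("build-server", 443), ("wiki", 443)},
}


def sdp_decision(dev):
    """Return the per-session allowlist (the 'segment of one'); empty = no access."""
    group = authenticate(dev)
    if group is None or not posture_ok(dev):
        return set()
    return set(SDP_POLICY.get(group, set()))


def sdp_reachable(dev, host, port):
    return (host.name, port) in sdp_decision(dev)


if __name__ == "__main__":
    bob = Device("bob", "s3cret", av_running=True, os_patched=True)
    for host in HOSTS:
        for port in sorted(host.ports):
            print(f"bob -> {host.name}:{port:<5} NAC={nac_reachable(bob, host, port)!s:<5} "
                  f"SDP={sdp_reachable(bob, host, port)}")
```

Running the block shows the point the list above makes: the engineer bob, placed in the employee VLAN, can reach the HR database on port 5432 because the switch has no finer control than VLAN membership, while the SDP policy admits him only to the build server and the wiki. A device that fails posture is dropped into the guest VLAN by NAC and gets an empty allowlist from SDP.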
Key Facts about a Software-Defined Perimeter solution
Software-Defined Perimeter solutions overcome the challenges of NAC.