
George WilkesNovember 15, 2017
Why Network Access Control Risk is Failing Security Professionals
Most organizations still rely on old network technologies
Current best practices recommend a laundry list of security technologies: VPNs, VLANs, NAC, Next Generation Firewalls, Privileged Access Management (PAM) solutions, and so on.
But too much technology results in ‘spend in depth’, and not necessarily improved security. And if you’re still using the same principles you were using ten or twenty years ago, you might have the strongest network perimeter in the world, but no ability to respond to internal threats.
Today, let’s consider network access control (NAC).
NAC Defined
Network access control (NAC) is a method of bolstering network security by restricting the availability of network resources to endpoint devices that comply with a defined security policy. A traditional network access control server performs authentication and authorization functions for potential users by verifying client device profiles (such as the presence of antivirus software and spyware-detection programs) before permitting access to the network.
Through a combination of client agents and network server components, NAC systems enforce policies about which network segments users can access. NAC (which often follows the 802.1X protocol), uses client profile and authentication information to make these policy decisions. Based on these policy decisions, the NAC permits access to network segments or VLANs. NAC systems may also require or perform remedy actions on non-compliant devices (such as enabling a client firewall).
NACs do incorporate some (limited) client profile information to make network access decisions, and can (in some ways) remediate non-compliant clients. And they integrate into existing network infrastructure components such as VLANs.
Why NAC Solutions Fall Short
Ultimately though, NAC solutions fall short for several reasons:
- Most importantly, they cannot provide fine-grained control of which network resource users can access. They rely on existing (and separately managed) network segments, firewalls, or VLANs.
- Due to the management issues around adding devices and firewall rules, enterprises have expressed doubt about the practicality of NAC deployment in networks with large numbers of diverse users and devices, the nature of which constantly change.
- They typically have limited ability to make access decisions based on user context.
- NACs do not provide secure, encrypted communications between clients and services.
- NAC customers must use another solution (such as a VPN), which adds more cost, complexity, and management effort.
Learn about an alternative to legacy NAC solutions, called the Software-Defined Perimeter.