What is NAC and why is it important for network security?

Network Access Control (NAC) is a network security technology that prevents unauthorized users and devices from entering private networks and accessing sensitive resources. NAC, also known as Network Admission Control, first gained a foothold in enterprises in the mid-to-late 2000s as a way to manage endpoints through basic scanning and blocking techniques.

As knowledge workers become increasingly mobile and as BYOD initiatives spread across organizations, Network Access Control solutions evolve to not only authenticate users but also manage endpoints and enforce policies.

Working Principle

Network Access Control tools detect and provide visibility into all devices on the network. Network Access Control software prevents unauthorized users from entering the network and enforces policies on endpoints to ensure devices comply with network security policies.

Non-compliant devices may be blocked from the network, quarantined, or granted limited access.

Network Access Control works in two phases. The first phase, authentication, identifies the user and verifies their credentials. Most tools support multiple authentication methods, including passwords, one-time passwords, and biometrics.

In the second phase, Network Access Control enforces a number of policy factors, including device health, location, and user roles. Most appliances also have the ability to limit access by role, allowing users to access only the resources they need to do their jobs.

If a user or device fails the authentication or authorization phase, Network Access Control tools block or quarantine the device and/or user.
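The two-phase decision just described, as an added illustration that is not part of the original article: phase one checks credentials, phase two weighs role, device posture and location, and the outcome is one of the block, quarantine, limited or full results the text lists. A separate function models the automated incident-response path, where an alert from another security tool moves an already-admitted device into quarantine. Roles, resource names and posture fields are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    BLOCK = "block"            # authentication or authorization failed
    QUARANTINE = "quarantine"  # valid credentials, non-compliant posture
    LIMITED = "limited"        # restricted resource set
    FULL = "full"              # every resource the role permits

@dataclass
class Endpoint:
    user: str
    role: str                  # constructed roles: "employee", "contractor", "guest"
    location: str              # "onsite" or "remote"
    credentials_valid: bool
    av_current: bool = False   # posture: antivirus signatures up to date
    os_patched: bool = False   # posture: OS at the required patch level

# Constructed role-to-resource policy (hypothetical, not from any product).
ROLE_RESOURCES = {
    "employee": {"intranet", "file-share", "email"},
    "contractor": {"project-share", "email"},
    "guest": {"internet"},
}
REMEDIATION_ONLY = {"remediation-portal"}

def evaluate(ep: Endpoint) -> tuple[Decision, set[str]]:
    """Return the access decision and the set of resources the endpoint may reach."""
    # Phase 1: authentication. Bad credentials or an unknown role are blocked outright.
    if not ep.credentials_valid or ep.role not in ROLE_RESOURCES:
        return Decision.BLOCK, set()
    # Phase 2: authorization on role, device posture and location.
    if ep.role == "guest":
        # Post-admission style: guests skip the posture check but get internet only.
        return Decision.LIMITED, ROLE_RESOURCES["guest"]
    if not (ep.av_current and ep.os_patched):
        # Pre-admission posture failure: remediation network only.
        return Decision.QUARANTINE, REMEDIATION_ONLY
    if ep.location == "remote":
        # Compliant but off-site: drop the resource this policy reserves for on-site use.
        return Decision.LIMITED, ROLE_RESOURCES[ep.role] - {"file-share"}
    return Decision.FULL, ROLE_RESOURCES[ep.role]

def on_security_alert(current: tuple[Decision, set[str]]) -> tuple[Decision, set[str]]:
    """Incident response: an alert from another security tool quarantines an admitted device."""
    if current[0] == Decision.BLOCK:
        return current  # nothing to restrict further
    return Decision.QUARANTINE, REMEDIATION_ONLY
```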

What are the different types of Network Access Control methods?

Network Access Control methods can vary in many ways, but two common differences involve when a device is checked and how the system collects information from the network.

Pre-admission and post-admission: There are two ways to authorize access for endpoint devices. In a pre-admission design, devices are inspected and policies are enforced before they are granted access to the network. This method is best suited for use cases where the device may not have the latest antivirus and anti-malware software.

Alternatively, post-admission design focuses less on device posture and more on the user, enforcing policies based on behavior. This approach works well for use cases like guest access, where online activity is often limited to uses like web browsing and checking email.

Many NAC products offer a combination of these methods, which may vary by location, device type, or user group.

Agent-based vs. agentless design: Another architectural difference is agent-based vs. agentless information collection. Some Network Access Control vendors require users to download agent software on their client devices. The agent then reports the device characteristics back to the NAC system.

Alternatively, agentless Network Access Control solutions continuously scan the network and inventory devices, relying on device and user behavior to trigger enforcement decisions.

Core capabilities of NAC system

Network Access Control protects the network through multiple core functions. These include:

Authentication and authorization: Manage user and device access to resources.

Centralized policy lifecycle management: Enforce policies for all users and devices while managing policy changes across the organization.

Discovery, Visibility, and Profiles: Find devices on your network, identify them, and place them into groups with specific profiles while blocking unauthorized users and non-compliant devices.

Guest network access: Manage guests and provide them with temporary and often limited access through a customizable self-service portal.

Security posture check: Evaluate compliance with security policies by user type, device type, location, operating system version, and other organization-defined security criteria.

Incident response: Automatically block suspicious activity, quarantine non-compliant devices, and update devices to make them compliant when possible—all without IT intervention.

Bi-directional integration: Integrate NAC with other security tools and network solutions through open/RESTful APIs, enabling it to share contextual information (IP and MAC addresses, user IDs, user roles, location, etc.).

Network Access Control and Zero Trust

Although NAC is a nearly 20-year-old technology, its adoption has mostly been limited to mid- to large-sized enterprises. However, as the network edge continues to spread beyond physical enterprise boundaries, and as the COVID-19 pandemic accelerates the acceptance of home, mobile and hybrid work environments, NAC has become an enabling technology for a zero-trust security approach.

As networks become more distributed and complex, cybersecurity teams must find ways to maintain visibility into devices connected to the furthest reaches of an organization’s network. Network Access Control provides this capability through detection and visibility of all devices entering the network, centralized access control, and policy enforcement across all devices.

Main use cases

Increased employee mobility, an increase in the number of BYOD devices, and the need to support hybrid work environments due to the pandemic are driving the need for stronger network access controls. Common use cases for Network Access Control include:

Guest and Partner Access: Network Access Control solutions allow organizations to provide temporary, restricted access to guests, partners, and contractors. Network Access Control solutions probe guest devices to ensure they comply with the organization’s security policies.

BYOD and work from anywhere: As knowledge workers become increasingly mobile, Network Access Control is used to authenticate users who may be on unknown devices and in unknown locations, while also enforcing policies against those users and devices. If an employee takes a company device home, Network Access Control ensures that no external malware infiltrates the network when the device re-enters the organization’s network.

The work-from-home and hybrid work environments that have emerged during the COVID-19 pandemic follow a similar pattern, with Network Access Control solutions authenticating users, ensuring devices comply with policies, and restricting access to resources based on location and user role.

IoT: Network Access Control’s ability to provide visibility, device analytics, policy enforcement, and access management helps reduce the risks associated with IoT devices entering corporate networks. Network Access Control tools can inventory and tag each device as it enters the network, classify IoT devices into groups with limited permissions, and continuously monitor the behavior of IoT devices. Network Access Control will automatically enforce rules to ensure devices comply with business, security, and compliance-related policies.

Medical devices: For IoT devices in highly regulated healthcare environments, Network Access Control can not only detect and block unauthorized access to devices and medical records, but also enforce policies that ensure devices in the healthcare network comply with regulations such as HIPAA. Network Access Control can also enforce policies when medical professionals access the network remotely.

Incident response: After deploying a NAC system, organizations can use it to share information, such as user ID, device type, and contextual information with third-party security point products. This enables automated incident response, where the NAC system automatically responds to network security alerts by blocking and/or quarantining potentially compromised devices without the need for IT intervention.

Network Access Control and compliance

Regulatory compliance has become a driver of Network Access Control adoption as more and more industries regulate how businesses handle consumer data and protect privacy. NAC systems can help organizations maintain compliance with a range of regulations, including but not limited to HIPAA, PCI-DSS, GLBA, SOX, GDPR, and CCPA.

These privacy requirements typically focus on understanding the who, what, when, and where of users and devices on the network, while limiting access to sensitive data to only those with legitimate needs. Demonstrating that you have accomplished all of this through repeatable and auditable processes is also critical for compliance.

Network Access Control can address a variety of regulatory requirements with access control, policy enforcement across users and devices, network visibility, and audit trails. Additionally, many Network Access Control vendors have built-in functionality to help organizations automate compliance with common regulations such as HIPAA, PCI-DSS, and SOX.