Benefits of NAC System
A network access control (NAC) system allows organizations to restrict access to resources on their network. Traditionally used by financial institutions, corporations with high security requirements and some universities, NAC systems are now seeing rapidly increasing use, thanks to the exponential increase in bring-your-own-device (BYOD) policies and internet of things devices on the network, and the integration of NAC technology into mobile device management, SIEM, next-generation firewalls and threat detection products.
The primary group showing increased demand for NAC is large organizations. This is due to the unique demands enterprises have regarding the number of employees and granting access to contractors, visitors and third-party suppliers. As the risk of breaches associated with these groups becomes a board-level issue, so too does the demand for NAC to help mitigate the risk. Most NAC system vendors are also reporting an increase in demand in the small and medium-sized business (SMB) market. This has largely been driven by media reports of breaches and the potential reputational damage they cause.
However, NAC is an expensive investment, particularly for SMBs, so organizations must consider whether it will provide a tangible security benefit before deciding to purchase network access control products. It is especially important to assess the risk to the organization from BYOD, the internet of things (IoT), weak access permissions and advanced persistent threats (APT).
There are three general approaches to NAC technology: software installed on the endpoint; hardware that ties in directly with the network infrastructure; and appliances that companies drop onto the LAN. Appliances are the cheapest and simplest option for getting some of the benefits of NAC, but they are also the least robust and don’t offer as many features.
Essentially, NAC systems scan computers as they log onto a network to make sure they are up to date with antivirus software and patches. If a computer is not compliant with security policies, the user may be told how to remediate the system; this can be as simple as being told how to reach a member of the IT staff, though many systems can also direct users to websites where they can download and install the latest patches themselves.
Based on a computer’s credentials and the software installed on it, a NAC system may give it full access to the LAN, deny it any access, or give it partial access — such as only to certain sites or to a page where the user must log in or take some other action.
Let’s have a look at a few benefits it can provide:
Ability to control machine access to a network
One of the most common benefits of NAC is the ability to control guest machine access to a network. About 58% of companies that have NAC installed or are planning its deployment list guest access as a significant driver, according to a NAC survey by BT INS, an SI in Santa Clara, Calif. Restricting guest access can be especially important for complying with regulations like PCI-DSS or HIPAA, said Paul Vinciguerra, co-founder of Vinci Consulting Corp. in Long Beach, N.Y. Those regulations may require companies to restrict access to customer data for unauthorized computers, and they can also require that all clients on the network be fully patched and secure, so that they cannot be used as an entry point for hackers.
BYOD and IoT threats
BYOD and IoT have become key to increasing demand for NAC technology, mainly because securely handling mobile devices is a key concern for CIOs tasked with providing secure network access with minimal disruption to end users. There are hundreds of combinations of device type, model and operating system versions out there today, and mobile devices especially can be configured in innumerable ways with a vast selection of installed apps. Personal devices, meanwhile, generally do not have enterprise-level mobile device management (MDM) and antivirus products installed. Users quite commonly disable basic security settings or install apps that appear to be genuine but may actually perform actions that compromise the security of the device. This, worryingly, could lead to APT or ransomware infections spreading from the personal device to the corporate network.
NAC systems can play a vital role in automatically identifying devices as they connect to the network and providing access that does not potentially compromise security.
Up-to-date endpoints
Among the benefits of a NAC solution is that the endpoints can be kept up to date continuously. However, it is important that the mechanisms for updating are either automated or very easy to use by an untrained user. This will prevent user resistance to the system because otherwise it could be seen as a burden or as overly intrusive.
Delivering role-based network access
While NAC is generally thought of as a security technology that either allows or denies access to the network, one of its major advantages is the ability to deliver network access on a granular basis. This can be integrated with Active Directory controls to provide network access only to the areas of the network that the owner of the device needs to perform their job role. Weak controls on network shares are often a key vulnerability that IT comes across during network penetration tests. Having NAC products in such circumstances would go a long way toward solving this problem.
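The admission decision described earlier (compliance scan, then full, partial or no access) combined with the role-based segmentation in this section, as an added example that is not code from any NAC product. The role names, segment names, the 7-day antivirus threshold and the patch identifier are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy values for illustration; not taken from any NAC product.
MAX_AV_AGE_DAYS = 7
ROLE_SEGMENTS = {  # directory role -> segments that role needs for its job
    "finance": {"erp", "finance-share"},
    "engineering": {"build", "source-control"},
    "hvac-vendor": {"hvac-controllers"},
}
PORTAL = {"login-portal"}       # partial access: page where the user must log in
REMEDIATION = {"patch-server"}  # partial access: where patches can be downloaded

@dataclass
class Endpoint:
    authenticated: bool                # valid credentials presented?
    role: Optional[str] = None         # role resolved from the directory
    av_age_days: Optional[int] = None  # None means no antivirus found
    missing_patches: list = field(default_factory=list)

def posture_failures(ep):
    """List every reason the endpoint fails the compliance scan."""
    failures = []
    if ep.av_age_days is None:
        failures.append("no antivirus installed")
    elif ep.av_age_days > MAX_AV_AGE_DAYS:
        failures.append(f"antivirus signatures are {ep.av_age_days} days old")
    failures += [f"missing patch {p}" for p in ep.missing_patches]
    return failures

def decide(ep):
    """Return (decision, reachable_segments, reasons) for a connecting endpoint."""
    if not ep.authenticated:
        return "portal", PORTAL, ["no valid credentials"]
    if ep.role not in ROLE_SEGMENTS:
        # Default deny: an identity with no mapped role gets no segments.
        return "deny", set(), [f"no policy for role {ep.role!r}"]
    failures = posture_failures(ep)
    if failures:
        return "quarantine", REMEDIATION, failures
    return "allow", ROLE_SEGMENTS[ep.role], []

if __name__ == "__main__":
    # Constructed sample endpoints.
    for ep in (Endpoint(True, "finance", 2),
               Endpoint(True, "finance", 30, ["PATCH-EXAMPLE-001"]),
               Endpoint(False), Endpoint(True, "intern", 1)):
        print(decide(ep))
```

The reasons list is what a remediation page would show the user, and a quarantined endpoint reaches only the patch server until a rescan passes.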
Reduce the risk from APTs
Although NAC does not provide functions that directly detect and thwart APTs, it can stop the source of the threat from connecting to the network. Some NAC systems even integrate with APT detection products, such as FireEye, and automatically isolate affected systems before attackers can further access the network. Using a NAC system would have made it possible to automatically restrict access to the Target network by the HVAC vendor, thereby restricting the access that the APT had to corporate data and resources. This would have made it much more difficult for the attack to have the same level of impact it had, saving Target a lot of money and both the retail behemoth and its customers a ton of hassle.