The Hardening of the Core (Part 2) - Network Access Control

Published on 12 Feb. 2014 / Last Updated on 12 Feb. 2014

Computing devices have become ubiquitous; people use multiple devices and connect to networks for access to resources. The most recent strategy is to loosen the perimeter while hardening the core critical services. This article focuses on Network Access Control and the use of this mature technology to enable secure remote working.

If you would like to be notified of when Ricky & Monique Magalhaes release the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

If you would like to read the first part in this article series please go to The Hardening of the Core (Part 1) - Security information and event management.

The history of NAC

Network Access Control (NAC) has been around for some time, nearly a decade, evaluating devices that connect to networks and restricting the availability of network resources to only those devices that comply with clearly defined security policies.

With mobile devices on the increase and more companies moving toward BYOD strategies, organisations now require solutions that are balanced, contextual, mature and scalable, that take security and compliance into account, and that are capable of handling the dynamic environment of today’s diverse businesses.

It makes sense to allow users secure access to the network resources they need to perform their roles, both on site and remotely, whilst critical business systems and processes remain secure and isolated from exploitation and compromise. NAC usage is definitely on the increase. It had a slow start when entering the market in 2004, and Gartner expected the market to jump by 63% in 2013, whilst in reality the take-up in Europe has been roughly half that.

Today’s diverse environments demand dynamic, balanced yet secure Network Access Control. Organisations want the benefits provided by NAC at the network level, but also require additional contextual security strategies such as Mobile Device Management (MDM) at the device level. A combined security solution of traditional NAC capabilities complemented by mobile security, endpoint compliance and threat management is necessary for a secure mobile age. This ensures a defence-in-depth approach, but the final barrier is still the culture, and the users’ acceptance of such an approach.

Key Functions of a NAC solution

  • Performs authentication and authorisation before access to the protected environment is granted.
  • Protection: organisations are guarded against security threats, as well as attacks from viruses and worms, through anti-threat measures (firewalls, antivirus and anti-spyware solutions); compliance checking and comparison against the security benchmark take place before access to the guarded environment is allowed.
  • Prevents adverse usage of network resources.
  • Enforces communication policies, and regulates and restricts the tasks users can undertake once connected to the network, allowing for efficient business processes.
  • Provides a security layer for systems that have been away from the network for a period of time, checking their security posture to ensure they comply with the common, current security baseline.

Important aspects to achieving an effective NAC solution

  • The NAC solution must be deployable in an open architecture that is adaptable to the organisation’s requirements.
  • The solution must be able to support multiple device types running multiple operating systems, as the environments of today are diverse. A solution that is only suited to certain end systems leaves the network and services vulnerable to attack from systems not included in the security posture.
  • The NAC solution must be flexible enough to allow for the integration of multiple assessment technology types. By doing this the NAC solution is able to cover any endpoint device, mobile or system connecting to the network.
  • Devices should be assessed before connection is allowed as well as post connection.
  • The NAC solution must be able to address end devices/systems connected to varying types of network switches.
  • All access must be logged.
  • The NAC solution should adhere to standards-based authentication and policy enforcement technologies.
  • Ensure that the NAC solution includes all end devices/systems. With converged networks commonplace in business today, networks come into contact with a range of devices/systems, from desktops, laptops and printers through to the growing number of mobile devices (tablets and phones), to name a few.
  • Security should not be specific to certain device types, operating systems or software. It should focus on covering the wide range of end systems out there; the list is endless.
  • The solution should be capable of assessing, authenticating and authorising varying end devices using varying operating systems and running differing applications.
  • The NAC solution should consider multiple attributes before allowing a device access to the network. Over and above the authorisation of the device, these attributes should include device type, location, time, user credentials, machine credentials, and the function of the device within the business. Through proper assessment, effective access or redirection can be applied. The more information gained during authorisation, the more effective and secure the solution.
  • Accurate policy enforcement is a significant facet of the NAC solution. Through enforcing policies at the network connection point of the device you can ensure that the network usage is secure, efficient and being utilised as it should. Policies should be such that they can be enforced throughout the network to achieve ultimate control. Policies should include those for devices as well as network usage.
  • Include a policy to quarantine devices that are not meant to connect to the network until such time as the device complies with network policy. By doing this the entire network is not placed at risk or compromised. The user should be notified (by web browser, instant messaging or email) that their device has been quarantined and given the information required to rectify the issue.
  • Compliance reporting is essential for a well-run NAC solution. The network access control solution should be able to collect information on devices, users and communications. This data can be utilised for compliance reporting for both historical and real time events.
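As an added illustration that is not part of the article, the admission decision described in the points above can be sketched as a small policy evaluator: credentials are checked first, the device's reported posture is compared against a baseline, non-compliant devices are quarantined together with the remediation details the user should be told, and context attributes (location, time, device type) then shape the level of access. The attribute names, baseline values and trusted locations are constructed for the example.

```python
from dataclasses import dataclass

# Constructed security baseline the NAC compares each device against.
BASELINE = {"antivirus": True, "firewall": True, "min_patch_level": 10}

# Constructed office hours (24h clock) and locations treated as trusted.
OFFICE_HOURS = (7, 20)
TRUSTED_LOCATIONS = {"hq-lan", "branch-lan"}


@dataclass
class Endpoint:
    device_type: str          # e.g. "laptop", "phone", "printer"
    user_authenticated: bool  # user credentials verified at connection time
    machine_cert_valid: bool  # machine credentials (device certificate) valid
    location: str             # network the device is connecting from
    connect_hour: int         # hour of day the connection was attempted
    posture: dict             # posture attributes reported by the agent/scan


def posture_failures(ep: Endpoint) -> list[str]:
    """Return the baseline checks the device fails (empty list = compliant)."""
    failures = []
    for check in ("antivirus", "firewall"):
        if not ep.posture.get(check, False):
            failures.append(f"{check} disabled or missing")
    if ep.posture.get("patch_level", 0) < BASELINE["min_patch_level"]:
        failures.append(f"patch level below {BASELINE['min_patch_level']}")
    return failures


def decide(ep: Endpoint) -> tuple[str, str]:
    """Return (decision, message); decision is deny, quarantine, limited or allow."""
    # Authentication and authorisation come before any posture assessment.
    if not ep.user_authenticated or not ep.machine_cert_valid:
        return "deny", "user or machine credentials not verified"
    # Non-compliant devices are quarantined and told what to remediate.
    failures = posture_failures(ep)
    if failures:
        return "quarantine", "fix before access: " + "; ".join(failures)
    # Context attributes decide how much of the network a compliant device sees.
    in_hours = OFFICE_HOURS[0] <= ep.connect_hour < OFFICE_HOURS[1]
    if ep.location not in TRUSTED_LOCATIONS or not in_hours:
        return "limited", "remote or out-of-hours access: restricted network only"
    if ep.device_type in ("phone", "tablet"):
        return "limited", "mobile device: BYOD network only"
    return "allow", "compliant device on trusted network"
```

A real deployment would re-run `decide` periodically after connection, since the article calls for post-connection assessment as well as pre-connection checks.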

Network Access Control for mobile devices

Excessive growth in the use of mobile devices in business has led to the acknowledgment that greater visibility and extensive network-based control are required to solve endpoint concerns. To achieve this, the NAC solution should not be based purely on device authentication, as its initial function was, but rather altered so that it offers more flexibility over the control of the network. NAC can no longer be ‘black’ or ‘white’, ‘allowed’ or ‘not allowed’; modern environments demand flexibility if mobile remote access is to be effective and efficient.

Initially NAC solutions were extremely restrictive: devices were blocked continuously, a lot of time was wasted unnecessarily on non-conformance, and there was no room for compromise. This caused disruption and frustration within organisations. The move to a more mature and flexible solution allows for exceptions, for compromise, when it comes to allowing devices onto the network. Security has to be balanced or it will not be accepted and will eventually be bypassed, or it will become counterproductive.

A combination of NAC, Mobile Device Management (MDM) and Mobile Application Management (MAM) can provide a substantial business framework for securing the network and enabling secure remote working via mobile devices. By using a combination of these solutions, the NAC can be adjusted for access by mobile devices while effective security measures remain in place and regulatory requirements are adhered to.

With NAC solutions interfacing directly with other security strategies, the compliance reports produced show a complete and accurate image of the end systems/devices connected to the network. This is very important considering the vast number of mobile devices, most of them personal devices, connecting to the work network on a daily basis.

Capabilities of a combined NAC/MDM/MAM solution

  • Automatic identification and control of devices connecting to the network.
  • All types of devices or end systems can be identified.
  • Detection of jailbroken or rooted devices.
  • Continuous device monitoring on the network.
  • Detection of malware, spyware and viruses.
  • Compliance: real-time monitoring is covered, which is a requirement of regulatory standards to ensure good security management processes and risk prevention.
  • Full audit trail of access to resources.
  • Baseline comparison and security posture assessment.
  • Easier implementation of the solution; plug-and-play, virtual or cloud solutions are available.
  • A more mature and flexible solution.

Conclusion

Network Access Control is an essential element to a complete network security design to protect the privacy, integrity and accessibility of business information assets. It also has an important role in network assessment, authorisation, policy enforcement, security posture assessment and remediation.

The NAC solution is quickly transforming to meet today’s mobile device explosion and, in a remote working age, is morphing into a solution offering a complement of tools that provides businesses with the additional security and flexibility needed to meet the demands of a mobile workforce.

The combined NAC and MDM solution offers the best of both worlds, ensuring a balanced, secure network as well as a secure, managed device or endpoint.

The downside to the solution is the cost: if implemented correctly the solution is not an economical one. However, organisations need to weigh up the cost against the benefits, as mobile devices and remote working are here to stay.

The Author — Ricky M. & Monique L. Magalhaes

Ricky M. Magalhaes is an International Information Security architect, working with a myriad of high-profile organizations. Monique is an international security researcher; she holds a BSc Degree (Cum Laude). Previously she has focussed on research and development at leading enterprises in the Southern hemisphere.
