What Is Network Access Control (NAC)?
The NAC solution implements security control so that only authorized users and secure terminals can access the network. It isolates unauthorized and insecure users and terminals, or allows them only to access limited resources. This approach significantly improves the security protection capability of the entire network.
What Is the Importance of NAC?
The traditional approach to security on enterprise networks focuses on defending against external attacks, for example by deploying firewalls. However, if an enterprise allows users to access its network remotely from terminals such as mobile phones and computers, allows employees to connect personal office devices to the network, or restricts which resources different employees may access, it needs access control measures for internal users of the enterprise network as well. Any terminal on an enterprise network may affect the security of the entire network. For example, an internal user may unknowingly download malicious software while browsing external websites and spread it on the intranet, creating security risks. In addition, unauthorized users accessing an enterprise network may damage the service system or disclose key information assets.
To address such issues, the NAC solution effectively manages network access rights, updates system patches, and upgrades the antivirus database promptly. This allows administrators to quickly locate and isolate insecure terminals and to handle the security risks these terminals introduce, thereby meeting intranet security requirements of enterprise networks.
What Are the Capabilities of NAC?
The NAC solution provides four capabilities: identity authentication, access control, terminal security check and control, and system repair and upgrade.
Identity Authentication
- After a user with a secure terminal provides the correct user name and password, the user can access the network.
- A user with an insecure terminal cannot access the production network and is granted access only to the network isolation zone.
- Unauthorized users are not allowed access to the network.
Access Control
The NAC solution divides a network into several types of zones and matches each user precisely against the 5W1H criteria (explained below) to control which resources are available to the user before and after authentication. The 5W1H criteria are:
- Who attempts to access the network (employees or guests)?
- Whose device is used (an enterprise device or a BYOD device)?
- What devices (PCs or mobile phones) are used?
- When is the access initiated (during working hours or non-working hours)?
- Where is the access initiated (in the R&D zone, in a non-R&D zone, or at home)?
- How do devices access the network (in wired or wireless mode)?
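The 5W1H matching described above, written out as a small first-match policy engine. This is an added illustration, not code from the page or from any vendor's NAC product; the attribute names, the working-hours window and the zone names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt described by the 5W1H attributes (field names assumed)."""
    who: str       # "employee" or "guest"
    whose: str     # "enterprise" or "byod"
    what: str      # "pc" or "phone"
    when: datetime
    where: str     # "rd_zone", "non_rd_zone" or "home"
    how: str       # "wired" or "wireless"


WORKING_HOURS = range(9, 18)  # assumed working hours: Mon-Fri, 09:00-17:59


def in_working_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and ts.hour in WORKING_HOURS


# Each rule pairs a set of 5W1H conditions with the zone it grants.
# A condition lists the acceptable values; attributes not mentioned match anything.
# Rules are evaluated top to bottom and the first match wins (most specific first).
POLICY = [
    ({"who": {"employee"}, "whose": {"enterprise"}, "where": {"rd_zone"}, "how": {"wired"}},
     "rd_servers"),
    ({"who": {"employee"}, "whose": {"enterprise"}, "when": {"working"}}, "office_servers"),
    ({"who": {"employee"}, "whose": {"byod"}, "what": {"phone"}}, "email_only"),
    ({"who": {"guest"}, "how": {"wireless"}}, "internet_only"),
]
DEFAULT_ZONE = "isolation"  # no rule matched: keep the user in the isolation zone


def request_attrs(req: AccessRequest) -> dict:
    """Flatten a request into the string attributes the rules are written against."""
    return {
        "who": req.who, "whose": req.whose, "what": req.what,
        "when": "working" if in_working_hours(req.when) else "non_working",
        "where": req.where, "how": req.how,
    }


def authorize(req: AccessRequest) -> str:
    """Return the zone granted to this request, or the default (isolation) zone."""
    attrs = request_attrs(req)
    for conditions, zone in POLICY:
        if all(attrs[key] in allowed for key, allowed in conditions.items()):
            return zone
    return DEFAULT_ZONE
```

Because evaluation stops at the first match, rule order is part of the policy: a broad rule placed above a narrow one silently shadows it.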
Terminal Security Check and Control
- Scans terminals to obtain their security status before granting them network access. For example, it checks whether antivirus software is installed, whether patches are up to date, and whether the password strength meets requirements.
- Allows a NAC device to block terminals that do not pass the security check. This prevents such terminals from damaging the service system.
- Denies network access to terminals whose security issues cannot be repaired in a timely manner, thereby ensuring network security.
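The three outcomes listed above (pass, block for repair, deny) as a posture decision over a terminal's scan results. This is an added example, not code from the page or from any NAC product; the report fields, the thresholds and the remediation-round limit are assumptions.

```python
from dataclasses import dataclass


@dataclass
class PostureReport:
    """Constructed scan result as a NAC agent might report it (field names assumed)."""
    antivirus_installed: bool
    av_db_age_days: int            # days since the antivirus database was last updated
    missing_critical_patches: int
    password_policy_ok: bool       # agent-side check of the local password policy
    remediation_rounds: int = 0    # how often this terminal has already been isolated for repair


MAX_AV_DB_AGE_DAYS = 7        # assumed freshness threshold for the antivirus database
MAX_REMEDIATION_ROUNDS = 3    # assumed grace: beyond this, "not repaired in time" means deny


def run_checks(r: PostureReport) -> list:
    """Each entry is (check name, passed?, remediation action if it failed)."""
    return [
        ("antivirus_installed", r.antivirus_installed, "install antivirus software"),
        ("antivirus_db_current", r.av_db_age_days <= MAX_AV_DB_AGE_DAYS, "update antivirus database"),
        ("patches_current", r.missing_critical_patches == 0, "install critical patches"),
        ("password_policy", r.password_policy_ok, "enforce password policy"),
    ]


def decide(r: PostureReport) -> tuple:
    """Return (verdict, remediation actions); verdict is 'allow', 'isolate' or 'deny'."""
    actions = [fix for _name, ok, fix in run_checks(r) if not ok]
    if not actions:
        return "allow", []
    # Repairable issues send the terminal to the isolation zone for remediation;
    # a terminal that keeps failing after the grace period is denied instead.
    if r.remediation_rounds >= MAX_REMEDIATION_ROUNDS:
        return "deny", actions
    return "isolate", actions


def domain_for(verdict: str):
    """Map a verdict to the NAC domain the terminal may reach (None = no access)."""
    return {"allow": "post-authentication", "isolate": "pre-authentication"}.get(verdict)
```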
System Repair and Upgrade
The NAC solution provides automatic and manual system repair and upgrade functions. It can automatically download and install system patches, trigger antivirus database updates, and enforce security measures such as terminating prohibited or policy-violating processes.
What Are the Types of Network Access Control?
In NAC, a network is divided into the following types of domains:
- User domain: includes all terminals that access the enterprise intranet, such as desktops and laptops, as well as remote access users, branch office users, and partners who access the intranet over the Internet.
- Network domain: includes network devices for traffic forwarding, carries service traffic, and interconnects networks. Network access devices, such as switches and routers, are deployed in this domain.
- Pre-authentication domain: refers to the domain that terminals can access before authentication. This domain grants users who have not yet been authenticated some basic network access rights, such as downloading an 802.1X client and updating the antivirus database.
- Post-authentication domain: refers to the domain where the core resources of an enterprise are located. Terminals can access the domain corresponding to their permissions only after being authenticated and authorized.
How Does NAC Work?
The NAC solution consists of three key components: user terminal, NAC device, and server system.
Components of the NAC solution
- User terminal: is a terminal that accesses the enterprise intranet, for example, a desktop computer, laptop, dumb terminal, or wireless terminal. User terminals belong to the user domain.
- NAC device: enforces security policies, that is, allowing, rejecting, isolating, or restricting the access of users based on the security policies customized for customers' networks. A NAC device belongs to the network domain.
The Huawei NAC solution supports multiple authentication modes, including 802.1X authentication, MAC address authentication, and Portal authentication. In these authentication modes, the NAC device assists authentication between a user terminal and NAC server. The NAC device can be a switch, router, access point (AP), or other security device. It authenticates access users, rejects the access of unauthorized users, and isolates insecure terminals to provide network services only for authorized users and secure terminals.
- Server system: consists of the NAC server; the antivirus, patch, and software servers; and the service servers.
The NAC server is deployed in the pre-authentication domain and is the core of the NAC solution. Users can access the NAC server before the authentication and security check. The NAC server authenticates users, performs security audits on users, enforces security policies on users, and works with the NAC device to deliver user rights.
Typically, a user accesses the antivirus, patch, and software servers to automatically update the antivirus database on the terminal and install and update any operating system and application software patches before passing identity authentication. This is done to meet the terminal security check requirements. The patch, antivirus, and software servers are deployed in the pre-authentication domain.
Service servers are deployed in the post-authentication domain for enterprise service management. Only authenticated and authorized users can access these servers.
Use Cases for NAC
The NAC solution can be applied to many network scenarios, such as enterprise network, bring your own device (BYOD), Internet of Things (IoT), and public Wi-Fi network scenarios.
Enterprise Network
The NAC solution strictly differentiates the network access rights of employees and non-employees based on user roles on an enterprise network. For example, it classifies users on a network into employees, partners, and guests, and allows network access and permission control rules to be customized for each role to improve enterprise security.
- Employees: refer to those who have fixed office locations and long-term work contracts. Employees typically use company devices as office devices. After passing authentication, employees have sufficient access rights to access the enterprise network.
- Partners: refer to those who frequently move and are under few enterprise constraints. These personnel are connected to the enterprise network for a certain period of time and access some servers on the network. However, partners' permissions must be strictly controlled because of their lower security level.
- Visitors (guests): refer to those who are connected to enterprise networks temporarily. Typically, visitors are wirelessly connected to an enterprise network and can only access the Internet through the enterprise network. Visitors are strictly isolated from employees and partners to prevent the leakage of enterprise information assets.
BYOD
To address employees' desire for new technologies and personalization and to improve their work efficiency, many enterprises are considering whether to allow employees to connect to the intranet using their own smart devices (such as mobile phones, tablets, and laptops). This is called BYOD. Because terminal security software is typically not installed on such devices, accessing the enterprise intranet through them may bring security risks. The NAC solution uses terminal type identification technology to automatically identify the types of devices that employees use to connect to the enterprise intranet. This enables authentication and authorization based on user information, device type, and device operating environment.
IoT
Most IoT devices do not support traditional authentication protocols or security certificates. The NAC solution automatically identifies IoT devices based on their electronic identity information, including the device version, vendor information, version number, product name, and terminal type. It then completes network access authentication for them based on the configured security policies.
Public Wi-Fi Network
Public Wi-Fi networks are widely deployed, including in almost all cafes, shops, airports, hotels, and other public places. However, a completely open public Wi-Fi network has low security, because anyone can connect to the network without identity authentication. Therefore, it is essential to exercise caution when connecting to such a network. The NAC solution provides SMS authentication: when a user accesses a public Wi-Fi network, the user enters a mobile number on the web portal page and accesses the network under their real name.
- Author: Dou Cuicui
- Updated on: 2024-08-09