A common security concern in many organizations is that users can easily connect infected or compromised machines into the network and cause widespread damage. Network Access Control (NAC) solutions were born to address this concern and ensure the health of the machines that connect to the network.

Network Access Control is essentially a mechanism that allows access to network resources only to devices that are compliant with a specific security policy. This policy can include the patching level of the system, the protection level of anti-virus/anti-spyware protection and other items such as the presence of an active firewall. This type of solution is known as “pre-admission NAC”, because the security policy is enforced before the device is granted access to the network. When the security policy is applied after the user has been granted access (usually based on user actions) it’s known as “post-admission NAC”.

There are many NAC solutions on the market and a lack of standards means that each solution can have its own unique approach. There are some key areas where the solutions tend to differ that could affect your design decisions, including:

Use of agents: Information on systems can be gathered by using a software agent or using remote scanning techniques. There is some debate as to what technique provides the best results, but ultimately you need to make sure that whatever method you choose provides all the information you need to properly evaluate the system.
Inline or out-of-band solutions: Inline solutions typically consist of an appliance or server placed between the end-user systems and the network switches. This approach has the advantage of being easy to deploy and can provide some advanced capabilities. The downside is that they can be difficult to troubleshoot, especially those that manipulate the network protocols in ways that normally wouldn’t happen (altering ARP tables, for example). Out-of-band solutions, on the other hand, typically rely on agents that report to a central service, which can then control the network switches to perform policy enforcement. Their advantage is that they can be deployed over multiple locations with a single installation. Their disadvantage is that they may require an additional investment in compatible network switches that allow on-the-fly changes to their configuration.
System remediation: NAC solutions have to provide a way for legitimate non-compliant devices to remediate the issues that deny them access to the network. One solution is to redirect the user to a remediation portal that includes instructions or tools for updating the device. Another approach is to redirect the computer to a “quarantine” network that has limited access to certain sites or applications that can help in resolving the issues.
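To make the pre-admission policy evaluation and the remediation step concrete, here is an added example that is not part of the original article or of any particular NAC product. It assumes a posture report (patch date, anti-virus state, firewall state) has already been collected by an agent or scanner, checks it against a policy with thresholds chosen here for illustration, and maps the verdict to a hypothetical production or quarantine VLAN as an out-of-band enforcer would. The posture records, VLAN ids and remediation text are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TODAY = date(2024, 1, 15)  # fixed "now" so the example is deterministic

PRODUCTION_VLAN = 100   # hypothetical VLAN ids used by the enforcement step
QUARANTINE_VLAN = 999


@dataclass
class Posture:
    """Posture report for one endpoint, as an agent or remote scan would supply it."""
    host: str
    last_patch_date: date
    av_installed: bool
    av_signature_date: Optional[date]   # None when no anti-virus is present
    firewall_enabled: bool


@dataclass
class Policy:
    """Compliance thresholds; the values are illustrative, not a recommendation."""
    max_patch_age_days: int = 30
    max_signature_age_days: int = 7
    require_firewall: bool = True


@dataclass
class Decision:
    host: str
    verdict: str                              # "admit" or "quarantine"
    failures: list = field(default_factory=list)      # which checks failed
    remediation: list = field(default_factory=list)   # what the portal tells the user


def evaluate(posture: Posture, policy: Policy, today: date = TODAY) -> Decision:
    """Pre-admission check: every failed control adds a reason and a remediation hint."""
    decision = Decision(posture.host, "admit")

    patch_age = (today - posture.last_patch_date).days
    if patch_age > policy.max_patch_age_days:
        decision.failures.append(f"patches {patch_age} days old")
        decision.remediation.append("install pending OS updates via the remediation portal")

    if not posture.av_installed:
        decision.failures.append("no anti-virus installed")
        decision.remediation.append("install the corporate anti-virus client")
    elif (posture.av_signature_date is None
          or (today - posture.av_signature_date).days > policy.max_signature_age_days):
        decision.failures.append("anti-virus signatures out of date")
        decision.remediation.append("run a signature update from the quarantine network")

    if policy.require_firewall and not posture.firewall_enabled:
        decision.failures.append("host firewall disabled")
        decision.remediation.append("enable the host firewall")

    if decision.failures:
        decision.verdict = "quarantine"
    return decision


def assign_vlan(decision: Decision) -> int:
    """Enforcement step: a non-compliant host lands in the quarantine VLAN."""
    return PRODUCTION_VLAN if decision.verdict == "admit" else QUARANTINE_VLAN


# Constructed posture reports: one compliant host, one with stale patches,
# one with no anti-virus and no firewall.
SAMPLE_POSTURES = [
    Posture("lap-01", date(2024, 1, 10), True, date(2024, 1, 14), True),
    Posture("lap-02", date(2023, 11, 1), True, date(2024, 1, 14), True),
    Posture("lap-03", date(2024, 1, 12), False, None, False),
]


def run(policy: Policy = Policy()) -> dict:
    """Evaluate every sample host and return {host: (verdict, vlan, failures)}."""
    results = {}
    for posture in SAMPLE_POSTURES:
        decision = evaluate(posture, policy)
        results[posture.host] = (decision.verdict, assign_vlan(decision), decision.failures)
        print(f"{posture.host}: {decision.verdict} -> VLAN {assign_vlan(decision)}")
        for hint in decision.remediation:
            print(f"  remediation: {hint}")
    return results


if __name__ == "__main__":
    run()
```

Note that a host passing all three checks is only compliant, not necessarily clean; the later point in the article about infected machines passing compliance tests applies to this evaluator just as it does to a product.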

The solutions can also differ on their overall philosophy based on the vendors’ particular strengths or focus. Some products have a greater focus on the endpoints whereas others might be stronger on networking. This diversity can make deciding on a solution that can do the job you need and that integrates well in your environment a very challenging endeavor.

Potential benefits

Among the benefits of a NAC solution is that the endpoints can be kept up to date continuously. However, it is important that the mechanisms for updating are either automated or very easy to use by an untrained user. This will prevent user resistance to the system because otherwise it could be seen as a burden or as overly intrusive.

Another oft-cited benefit is the detection of an infected endpoint before it can join the network and affect other machines. This is not always the case, as it is possible that an infected machine can pass all the compliance tests and be allowed on the network. Additional controls are needed and some products provide additional network checks to detect malicious traffic such as command and control communications or attempts to infect other systems.

It’s hard to deny that a NAC implementation can be challenging, but when used correctly, it’s a very effective tool in any security-in-depth strategy.